AD0.1 You're the Security Team Now

The accidental security professional

Here’s the uncomfortable truth about M365 security in most organisations: the person closest to the security controls is the IT administrator, and the IT administrator has had zero security training. Not because they’re not capable — because nobody offered it. The cybersecurity training market is built for two audiences: complete beginners who need to learn what a firewall is, and experienced security professionals who need advanced detection engineering. The IT administrator who already manages a production M365 tenant but needs to learn how to secure it has almost nothing designed for them.

Five things you can check right now in 10 minutes

Before you read any further, open a browser and verify these five things about your tenant. Each takes under 2 minutes and gives you immediate operational awareness.

Check 1 — How many Global Administrators exist. Open PowerShell and run:

1
2
3

Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | Select-Object AdditionalProperties

Count the results. If you see more than four, you have unnecessary privilege exposure. Each Global Administrator account is a tier-zero target — if any one of them is compromised, the attacker owns your entire tenant. Best practice is 2-4: two operational admin accounts and two break-glass emergency accounts.

Check 2 — Is security defaults enabled or conditional access? Navigate to entra.microsoft.com → Identity → Overview → Properties → scroll to “Security defaults.” If it says “Enabled,” you’re on security defaults. If it says “Disabled,” check Protection → Conditional Access → Policies to see if you have conditional access policies configured. If security defaults is disabled AND you have no conditional access policies, your tenant has no MFA enforcement at all — this is the worst possible state.

Check 3 — MFA registration rate. Navigate to entra.microsoft.com → Protection → Authentication methods → Activity. The “Registration” tab shows the percentage of users who have registered for MFA. Below 90% means you have accounts that can be compromised with just a password.

Check 4 — Legacy authentication in use. Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Add a filter for “Client app” and select all legacy options (IMAP4, POP3, SMTP, Other clients). Set the range to 30 days. Any results mean you have authentications bypassing MFA.

Check 5 — Defender incident queue. Navigate to security.microsoft.com → Incidents & alerts → Incidents. Filter by “High” and “Critical.” If you see unresolved incidents, someone should be looking at them. If you’ve never checked this page before, now you know where it is.

Write down the five results. This is your security baseline — the starting point that the rest of this course improves.

That gap is expensive. The default M365 configuration is functional but not secure. Security defaults provide basic MFA coverage but no conditional access, no email protection tuning, no device compliance enforcement, and no monitoring. An IT administrator running a default-configured M365 tenant is operating a production environment where a single phished password gives an attacker full access to email, files, Teams conversations, and SharePoint data — because the controls that would prevent that are sitting in the portal, included in the license, and turned off.

The problem isn’t that M365 is insecure. It’s that the security is opt-in. Microsoft includes powerful security tools in every E3 and E5 license. Conditional access, Defender for Office 365, Entra ID Protection, device compliance, data loss prevention — they’re all there. But they require configuration, and the person who knows the environment well enough to configure them correctly is the IT administrator who hasn’t been taught which ones to turn on first.

Three categories of security work

Security work for an IT administrator falls into three categories, and understanding these categories prevents the most common mistake: trying to do everything at once.

Configure is the first and most impactful category. This is the one-time setup work that turns M365’s included security features from “available” to “active.” Enabling MFA, building conditional access policies, configuring email protection, setting up device compliance, and turning on audit logging. Configuration work delivers roughly 70% of your security improvement, and most of it only needs to be done once with periodic review. This is where this course spends the most time, because the return on investment is highest.

Monitor is the ongoing cadence that catches problems before they become incidents. Checking the Defender portal for alerts, reviewing sign-in logs for anomalies, tracking MFA adoption across the organisation, and watching Secure Score for drift. Monitoring takes about 30 minutes per week once you know what to look at — and most IT administrators don’t currently do it because they don’t know what to look at. This course teaches you what’s worth monitoring and what’s noise.

Respond is what you do when something goes wrong. A user reports a phishing email. An alert fires for impossible travel. Someone’s account shows signs of compromise. Response is the category that feels most intimidating because the stakes are highest, but it’s also the category where you need to do the least — your job is the first 15 minutes of triage and containment, not the full incident investigation. This course teaches you what to do in those 15 minutes, and when to escalate to someone who does this full-time.

The critical insight is the ratio: 70% configure, 20% monitor, 10% respond. Most people who are told “you’re doing security” assume it means spending their day watching alerts and responding to incidents. It doesn’t. It means spending a few weeks configuring the environment properly, then maintaining a light monitoring cadence, and knowing what to do on the rare occasions when something gets through. The configuration work is the force multiplier — it prevents the incidents that would otherwise consume your time.

What you’re responsible for — and what you’re not

Clear boundaries prevent burnout. An IT administrator with security responsibilities is not a SOC analyst, not an incident responder, not a penetration tester, and not a compliance officer. You’re an IT administrator who configures security controls, monitors their effectiveness, and handles the initial response when they fail. That’s a valuable and important role. It’s also a defined and manageable one.

You are responsible for ensuring MFA is deployed and enforced for all users. You are responsible for configuring email protection so phishing doesn’t land unchecked in user inboxes. You are responsible for device compliance policies that ensure endpoints meet basic security standards. You are responsible for monitoring the security alerts in the Defender portal and knowing when to escalate. You are responsible for the first response when a user reports a phishing email or an account compromise.

You are not responsible for reverse-engineering malware. You are not responsible for building a 24/7 monitoring operation. You are not responsible for writing detection rules in KQL. You are not responsible for conducting forensic investigations of compromised endpoints. You are not responsible for penetration testing your own environment. Those are specialist roles — and if your organisation needs them, the right answer is to bring in a specialist, not to add them to your existing workload.

This boundary is not about avoiding work. It’s about focus. An IT administrator who tries to do everything does nothing well. An IT administrator who configures MFA, email protection, and conditional access properly — and then escalates the complex incidents to specialists — has an outsized positive impact on their organisation’s security posture. The configuration work alone prevents 80% or more of the attacks that would otherwise succeed.

The IT admin’s security advantage

You have something that most security professionals lack: you know your environment. You know which users call the helpdesk about MFA. You know which applications break when you change authentication policies. You know which executives use personal devices and which ones have company laptops. You know the service accounts, the shared mailboxes, the conference room accounts, and the legacy applications that can’t handle modern authentication.

This operational knowledge is enormously valuable for security work. Security engineers who deploy conditional access policies without understanding the operational environment break things. IT administrators who deploy the same policies with their operational knowledge break far fewer things — because they know which users and applications need exceptions before they enable enforcement.

The challenge is turning that operational knowledge into security configuration. You know the environment, but you don’t yet know the security controls well enough to configure them correctly. That’s exactly what this course teaches: mapping what you already know about your environment to the security configurations that protect it.

Building the security cadence

Security is not a project. It’s a cadence. Once you’ve done the initial configuration work, you need a sustainable rhythm that doesn’t consume your existing workload. For an IT administrator with dual responsibilities, that rhythm looks like this: 30 minutes every Monday morning reviewing the Defender portal for alerts and checking sign-in activity, 30 minutes on the first of each month reviewing Secure Score changes and MFA adoption rates, and ad-hoc response when alerts fire or users report incidents.

That’s roughly one hour per week plus incident response time. It’s sustainable alongside a full IT workload because the configuration work you’ll do in the first few modules of this course dramatically reduces the number of incidents you’ll need to respond to. MFA alone eliminates the majority of credential-based attacks. Email protection catches most phishing before users see it. Device compliance ensures endpoints meet baseline security standards. The monitoring cadence is light because the controls are doing the heavy lifting.

The mistake IT administrators make is either doing nothing (because security feels too overwhelming to start) or doing everything (because once they start, every recommendation looks critical). The discipline is prioritisation: configure the controls that have the highest impact first, monitor a small number of meaningful indicators, and respond to the alerts that actually require action. This course teaches you which controls, which indicators, and which alerts.