AD0.10 What This Course Covers and What It Doesn't

4-5 hours · Module 0 · Free
Operational Objective
Every course needs clear boundaries. Without them, you'll expect this course to teach you things it doesn't cover, or you'll undervalue what it does cover because you're comparing it to a different type of training. This course is designed for IT administrators who manage M365 environments and need practical security skills. It is not designed for experienced SOC analysts, detection engineers, or security architects — Ridgeline has other courses for those roles. This subsection draws the scope boundaries explicitly so you know what you'll learn, what you won't, and where to go next when you want to go deeper.
Deliverable: Clear understanding of the course scope, the boundary between this course and the advanced Ridgeline courses, and the learning path that takes you from IT administrator to security operations professional.
Estimated completion: 15 minutes
[Figure: The learner ladder. YOU ARE HERE: Admin to Defender (IT admin, professional development: Configure, Monitor, First response). NEXT STEP: M365 Security Operations (SOC analyst, intermediate: Investigate, Detect, Hunt). SPECIALIST: IR, DE, EI, TH, ES (security engineer, advanced: Forensics, Engineering, Architecture). SUPPORTING COURSES, available at any point: Mastering KQL, Practical GRC, Claude for Security Professionals, SOC Operations, which build specific skills that enhance any role on the ladder.]

Figure AD0.10 — The learner ladder. This course (Admin to Defender) is the entry point for IT administrators. The next step is M365 Security Operations for those who want to move into a SOC analyst role. Specialist courses (Incident Response, Detection Engineering, Entra ID Security, Threat Hunting, Endpoint Security) are for experienced security professionals. Supporting courses build specific skills at any level.

What this course covers

This course covers the security controls and operational practices that an IT administrator needs to protect an M365 environment. That means: deploying and managing MFA and conditional access, configuring Defender for Office 365 email protection, building device compliance policies in Intune, understanding and responding to security alerts, basic data protection with sensitivity labels, email authentication (SPF, DKIM, DMARC), incident response at the first-responder level, Secure Score management, and reporting security posture to management.

Every topic is taught from the IT administrator’s perspective. That means practical configuration with step-by-step guidance, blast radius analysis for every control (what breaks when you enable it), exception handling for the situations that generic security training ignores, and operational procedures that fit alongside a full IT workload.

The depth is calibrated for someone who configures and manages security controls, not someone who builds detections, conducts forensic investigations, or architects security programmes. You’ll learn to deploy conditional access — not to build custom KQL detection rules for conditional access bypass. You’ll learn to respond to the first 15 minutes of a compromised account — not to conduct a full forensic timeline reconstruction. You’ll learn to configure email protection — not to reverse-engineer a phishing kit.

What this course doesn’t cover

This course doesn’t teach SOC analyst skills. Investigation methodology, KQL query development, advanced hunting, detection engineering, forensic analysis, and incident response beyond the first 15 minutes are covered by other Ridgeline courses. If you complete this course and want to move into a security operations role, the M365 Security Operations course is the natural next step — it assumes the security environment is already configured (which this course teaches you to do) and focuses on operating within it.

This course doesn’t cover on-premises infrastructure security. Active Directory hardening, Windows Server security, network security, firewall configuration, and physical security are out of scope. The focus is exclusively on the M365 cloud environment. If you have a hybrid environment (which NE does), this course covers the cloud side — the Entra ID Security course covers hybrid identity architecture in depth.

This course doesn’t teach security architecture at the enterprise level. Zero trust design, security programme development, risk frameworks (NIST CSF, ISO 27001), and governance are covered by Practical GRC and the specialist courses. This course teaches you to configure security controls — the architecture courses teach you to design the strategy they fit into.

This course doesn’t cover Sentinel, advanced KQL, or SIEM operations. If you have an E5 license with Sentinel, the M365 Security Operations and Mastering KQL courses cover those capabilities. This course works with Microsoft 365 E3 and doesn’t assume any SIEM deployment. One licensing caveat: Safe Links and Safe Attachments (Module AD2) need a Defender for Office 365 licence, which E3 doesn’t include on its own; check for the Plan 1 add-on (or Business Premium or E5) before you rely on those controls.

What you’ll be able to do after each module

Rather than abstract learning objectives, here are the specific capabilities each module builds — the things you’ll be able to do in your environment the day you complete the module.

After Module AD1 (Securing Identities): you can create conditional access policies, enforce MFA for all users without locking anyone out, block legacy authentication, configure self-service password reset, and respond to a compromised account in under 15 minutes. You’ll have break-glass accounts configured and tested.

After Module AD2 (Protecting Email): you can configure Safe Links and Safe Attachments policies, set up SPF, DKIM, and DMARC records for your domain, tune anti-phishing policies, and investigate a reported phishing email using message trace and the Defender portal.

After Module AD3 (Securing Devices): you can create Intune compliance policies that check encryption, OS version, firewall state, and antivirus status. You can integrate compliance with conditional access to block non-compliant devices. You can handle the user who buys a new laptop and can’t access their email until it meets security requirements.

After Module AD4 (Understanding Alerts): you can work the Defender incident queue confidently, classify alerts, investigate a suspicious sign-in using the sign-in log, and write a clear summary of what happened for your manager.

After Module AD5 (Data Protection): you can apply sensitivity labels to your organisation’s most confidential documents and configure basic DLP policies that prevent accidental external sharing of sensitive data.

After Module AD6 (Incident Response): you can follow a structured procedure when a user reports a phishing email, respond to a compromised account, coordinate with an MSSP or external IR provider, and preserve evidence for investigation.

After Module AD7 (Reporting and Posture): you can produce a quarterly security posture report for management, track Secure Score trends, and make evidence-based recommendations for security budget and resources.

Each of these is a concrete, measurable skill. You’ll know you have the capability because you’ll have done it — in the course exercises first, then in your own environment.

What you can do right now — before finishing this course

You don’t need to complete every module before you start improving your security posture. Some actions are safe to take today, based on what you’ve learned in this module alone.

Today (5 minutes): Navigate to security.microsoft.com → Secure Score and record your current percentage. This is your baseline. You’ll reference this number in every future conversation about security progress.

Today (5 minutes): Navigate to entra.microsoft.com → Roles and administrators → Global Administrator. Count the members (if Privileged Identity Management is in use, check both the Active and Eligible assignment tabs). If you see more than four, or accounts belonging to former employees or external consultants, flag those for review; Microsoft’s own Secure Score guidance is fewer than five Global Administrators. Removing an admin role you have confirmed is unused is a low-risk, high-impact change, but confirm first: a service account or your break-glass account can look unused and still be essential.

Today (10 minutes): Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Add the “Client app” filter and select the legacy authentication clients (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients and the rest of that group), then filter Status to Success. Legacy protocols can’t perform MFA, so every successful sign-in you see got in with a password alone, whether or not the user is registered for MFA. Record which users and which protocols. Since Exchange Online switched off Basic Authentication for most protocols, what remains is usually Authenticated SMTP from multifunction printers, scanners and line-of-business applications, and those are exactly the exceptions you’ll need to plan for when you deploy conditional access in Module AD1.

This week (15 minutes): Configure email notifications for high-severity Defender incidents. Navigate to security.microsoft.com → Settings → Microsoft Defender XDR → Email notifications → Incidents. Create a rule for High severity incidents (Defender severities run Informational, Low, Medium and High; there is no Critical level) and send it to a shared mailbox or distribution group rather than your personal admin account, so the notification still reaches someone when you’re on leave. This means the portal notifies you instead of requiring you to remember to check it.

This week (30 minutes): Complete the security posture assessment from the Module AD0.8 try-it exercise. Score your environment across the four categories (Identity, Email, Devices, Data & Monitoring). This is the evidence-based starting point that makes the rest of the course immediately relevant to your specific environment.

None of these actions change a security policy or affect any user. They’re read-only assessment plus one notification rule. But they establish the baseline, the monitoring cadence, and the awareness that everything else builds on.
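The Secure Score, Global Administrator and legacy-authentication checks above can be run as one read-only script and saved as your baseline. This is an added example, not part of the course page, written against the Microsoft Graph PowerShell SDK. Assumptions not made by the page: the Microsoft.Graph modules are installed, the signed-in account can consent to the read-only scopes listed, the tenant has Entra ID P1/P2 (30-day sign-in log retention), the output folder is a placeholder, and the list of legacy client-app names reproduces the portal’s “Legacy Authentication Clients” filter group.

```powershell
# Added example (not from the course page): read-only baseline for the three "today" checks.
# Assumptions: Microsoft.Graph SDK installed; account can consent to these read scopes;
# Entra ID P1/P2 so that 30 days of sign-in logs are available (free tier keeps 7).
Connect-MgGraph -Scopes 'SecurityEvents.Read.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

$baselineDir = Join-Path $HOME ("m365-baseline-{0:yyyyMMdd}" -f (Get-Date))   # placeholder path
New-Item -ItemType Directory -Path $baselineDir -Force | Out-Null

# 1. Secure Score: record the most recent snapshot as a percentage.
$latest = Get-MgSecuritySecureScore -Top 5 | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct    = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"{0:yyyy-MM-dd} Secure Score {1}/{2} = {3}%" -f $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $pct |
    Tee-Object -FilePath (Join-Path $baselineDir 'secure-score.txt')

# 2. Global Administrator members. Caveat: this lists ACTIVE assignments only. If PIM is in
#    use, eligible assignments are separate (Get-MgRoleManagementDirectoryRoleEligibilitySchedule).
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.AdditionalProperties['displayName']
        Upn         = $_.AdditionalProperties['userPrincipalName']   # empty for groups / service principals
        ObjectType  = $_.AdditionalProperties['@odata.type']
    }
})
$members | Export-Csv -Path (Join-Path $baselineDir 'global-admins.csv') -NoTypeInformation
"{0} Global Administrator assignments (Microsoft's Secure Score guidance: fewer than 5)" -f $members.Count
if ($members.Count -gt 4) { $members | Format-Table -AutoSize }

# 3. Successful sign-ins over legacy protocols in the retention window. These protocols cannot
#    perform MFA, so every row is a password-only sign-in. Names below are assumed to match the
#    "Legacy Authentication Clients" group in the portal's Client app filter.
$legacyApps = @('Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
                'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
                'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
                'Reporting Web Services')
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$appOr  = ($legacyApps | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
$filter = "createdDateTime ge $since and ($appOr)"

$legacy = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.Status.ErrorCode -eq 0 }            # keep only successful sign-ins
$legacy | Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress |
    Export-Csv -Path (Join-Path $baselineDir 'legacy-auth-signins.csv') -NoTypeInformation

# Summary for Module AD1: each user/protocol pair needs an exception, a migration, or a block.
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{n = 'User/Protocol'; e = { $_.Name }}, Count,
                  @{n = 'LastSeen'; e = { ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum }} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Keep the CSV files with the baseline date; the legacy-auth summary is the input for the conditional access exceptions list in Module AD1, and the Secure Score line is the number you quote in the Module AD7 report.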

Compliance Myth: "I need a security certification before I can do security work"
You don't. Certifications validate knowledge. This course builds capability. The controls you configure in this course — MFA, conditional access, email protection, device compliance — are the same controls that certified security professionals deploy. The difference is that you'll deploy them in the context of the environment you already manage, with operational knowledge that a consultant with a certification but no access to your tenant doesn't have. If you want a certification later, the SC-900 (Security, Compliance, and Identity Fundamentals) maps well to this course's content, and the SC-200 (Security Operations Analyst Associate) maps to the M365 Security Operations course that follows.

The path from here

For most people taking this course, the goal is not to become a full-time security professional. It’s to become an IT administrator who can competently manage security alongside their existing responsibilities. This course delivers that outcome. After completing it, you’ll have a properly configured M365 tenant, an operational monitoring cadence, and the ability to handle the most common security incidents your organisation will face.

For those who discover they enjoy security work and want to go deeper, the learning path is clear. The M365 Security Operations course takes you from “I can configure and monitor security” to “I can investigate incidents, build detections, and hunt for threats.” From there, specialist courses in incident response, detection engineering, identity security, threat hunting, and endpoint security build deep expertise in specific domains.

The key insight is that this course isn’t a simplified version of the advanced courses. It covers different skills for a different role. An IT administrator who completes this course is not a junior SOC analyst — they’re a competent security-capable IT administrator. Both roles are valuable. Both are needed. This course makes you excellent at yours.

Decision point

You’ve completed this course and secured your M365 environment. A new employee is hired specifically for a “security analyst” role and asks you to hand off the security work. They have a Security+ certification but no M365 experience. What do you do?

Option A: Hand off everything immediately — they’re the security person now.

Option B: Work alongside them for 4-6 weeks, transferring your operational knowledge of the environment while they build M365-specific skills.

Option C: Keep doing all the security work yourself and have them shadow you.

The correct answer is Option B. Your operational knowledge of the environment — which users cause which problems, which applications break with which policies, which service accounts need which exceptions — is invaluable and can’t be learned from a certification or a course. The new analyst brings security knowledge you don’t have; you bring environmental knowledge they don’t have. The combination is stronger than either person alone. A structured handoff with documented procedures, policy exceptions, and monitoring cadences ensures continuity.

Try it: Define your learning goal

Write down your answer to two questions:

  1. What is your goal for this course? Is it to secure the environment you manage (and keep managing IT alongside security), or is it to transition into a security-focused role? Your answer determines how you use the material — as operational skill for your current role, or as foundation for a career change.

  2. What is the one security gap in your environment that, if closed, would let you sleep better at night? This is your priority. If the answer is “someone could phish our CEO’s credentials and we have no MFA,” that’s Module AD1. If it’s “we keep getting phishing emails and nothing catches them,” that’s Module AD2. If it’s “I don’t know what I’d do if we had a breach,” that’s Module AD6.

Your answer to question 2 tells you which module to focus on most carefully, even though the recommended sequence is to work through them in order.

After completing this course, which of the following tasks falls within your capability?
Building custom KQL detection rules for identity-based attacks in Microsoft Sentinel — No. This is Detection Engineering and Mastering KQL course territory. This course teaches you to configure the controls that generate the telemetry those detections analyse.
Responding to a high-severity alert for a compromised user account by resetting the password, revoking sessions, removing attacker-created inbox rules, and documenting what happened — Correct. This is the first-15-minutes response that this course teaches. It's the highest-impact response action and it's within the scope of an IT administrator with security responsibilities.
Conducting a forensic investigation of an endpoint compromised by malware, including memory analysis and timeline reconstruction — No. This is Practical Incident Response and Endpoint Security territory. This course teaches you to recognise the alert and escalate to someone who does forensic investigation.
Designing a zero trust architecture for a multi-site enterprise with hybrid identity — No. This is security architecture work covered by Entra ID Security and the specialist courses. This course teaches you to implement the conditional access policies that are one component of zero trust.
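The containment sequence in the second answer above (reset the password, revoke sessions, neutralise attacker inbox rules, document what happened) and the evidence preservation Module AD6 promises, as one script that runs the steps in a fixed order. This is an added example, not course material, built on Microsoft Graph PowerShell SDK and ExchangeOnlineManagement cmdlets. Assumptions not made by the page: both modules are installed, the operator holds roles that can reset passwords and manage Exchange Online, and the $Upn parameter and evidence folder are placeholders.

```powershell
# Added example (not from the course page): first-15-minutes response to a compromised user.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement installed; operator can reset
# passwords and administer Exchange Online; $Upn and $EvidenceRoot are placeholders.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string] $EvidenceRoot = (Join-Path $HOME 'ir-evidence')
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All',
                        'UserAuthenticationMethod.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$caseDir = Join-Path $EvidenceRoot ("{0}-{1:yyyyMMdd-HHmm}" -f ($Upn -replace '[@.]', '_'), (Get-Date))
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
$log = Join-Path $caseDir 'actions.log'
function Note([string] $Message) { "{0:u} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $log -Append }

# --- 1. Preserve first: capture state BEFORE changing anything -----------------------------
Note "Capturing evidence for $Upn"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 200 |
    Select-Object CreatedDateTime, IPAddress, ClientAppUsed, AppDisplayName,
                  @{n = 'Country'; e = { $_.Location.CountryOrRegion }},
                  @{n = 'ErrorCode'; e = { $_.Status.ErrorCode }} |
    Export-Csv (Join-Path $caseDir 'signins.csv') -NoTypeInformation
$rules = @(Get-InboxRule -Mailbox $Upn)
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                       DeleteMessage, MoveToFolder, Description |
    ConvertTo-Json -Depth 4 | Set-Content (Join-Path $caseDir 'inbox-rules.json')
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    ConvertTo-Json | Set-Content (Join-Path $caseDir 'forwarding.json')
# Registered MFA methods: compare against what the user actually set up; an extra phone or
# authenticator app is a common attacker persistence mechanism.
Get-MgUserAuthenticationMethod -UserId $Upn |
    ForEach-Object { [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type'] } } |
    ConvertTo-Json | Set-Content (Join-Path $caseDir 'auth-methods.json')

# --- 2. Contain: new password, then kill existing sessions ---------------------------------
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)      # one-time value; the user must change it at next sign-in
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
Note "Password reset (temporary password handed to the user out of band; not written to this log)"
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Note "Refresh tokens and sessions revoked (already-issued access tokens stay valid until they expire, typically up to an hour)"

# --- 3. Remove attacker persistence in the mailbox ------------------------------------------
# Disable rather than delete, so the rule definitions survive for the investigation.
$rules | Where-Object Enabled | ForEach-Object { Note "Disabling inbox rule '$($_.Name)'" }
$rules | Where-Object Enabled | Disable-InboxRule -Confirm:$false
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Note "Mailbox forwarding cleared"

Note "Containment complete; evidence in $caseDir. Review signins.csv and auth-methods.json, then escalate anything unexplained."
```

Run it as `.\Contain-User.ps1 -Upn user@example.com` (script name and address are placeholders). The order matters: evidence is exported before any change so the investigator sees the attacker’s rules and forwarding as they were, and the password is reset before sessions are revoked so the attacker cannot simply sign in again with the old credential.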

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.
