AD0.12 Module Summary
This module established the foundation for everything that follows. You now understand what security ownership means for an IT administrator, what attackers target in M365 environments, and which security tools are already included in your license but sitting unused.
The three attack surfaces — identity, email, and data — map directly to the security controls you’ll configure in the remaining modules. Identity is the perimeter: MFA and conditional access stop 80% of attacks before the attacker can access anything. Email is the delivery mechanism: Defender for Office 365 catches phishing before users see it. Data is the objective: sensitivity labels and DLP limit what an attacker can steal even if they get in.
You learned the difference between security defaults and conditional access — security defaults are the starting point, conditional access is the target state. You identified which of the five admin portals handles which security task, and you now know that the Entra admin center and the Defender portal are where you’ll spend 80% of your security time.
You read your first security alerts in the Defender portal and learned the triage decision: act now (high/critical), investigate within 24 hours (medium), or batch review weekly (low). You understand Secure Score as a prioritisation tool — useful for identifying what to configure next and tracking progress over time, not as an absolute measure of how secure you are.
Northgate Engineering’s baseline — security defaults, no conditional access, no email protection tuning, no device compliance, no monitoring cadence — represents the typical starting point. It’s not a failure. It’s where most organisations are when IT handles security. The improvement sequence (Identity → Email → Devices → Operations) over 10 weeks takes NE from that baseline to a solid security posture with measurable, reportable progress.
What you built
- The three-category responsibility model: Configure (70% of impact), Monitor (20%), Respond (10%)
- The M365 attack surface map: Identity → Email → Data
- The license-to-feature map for E3 and E5
- The five-portal workflow: Entra, Defender, Intune, Purview, M365 Admin
- The daily alert triage procedure
- The monthly Secure Score review template
- The NE baseline posture assessment
- The 10-week security improvement plan
What’s next
Module AD1 covers the single highest-impact security control: identity. You’ll build break-glass accounts, deploy MFA through conditional access, block legacy authentication, configure self-service password reset, and learn the 15-minute emergency response for a compromised account. This is the module where the configuration work begins — and where 80% of your security improvement happens.
You're reading the free modules of M365 Security: From Admin to Defender