AD1.12 Module Summary

5-6 hours · Module 1 · Free

Module Summary

This module covered the single highest-impact security control in your M365 environment: identity. You now understand why identity has replaced the network as the security perimeter, what MFA protects against (Microsoft's figure is 99.9% of automated credential attacks) and what it does not (AiTM phishing that relays the whole session, theft of tokens issued after a successful MFA, and MFA fatigue push-bombing), and how to deploy MFA through conditional access without breaking production.

You built three conditional access policies that replace security defaults with deterministic, auditable protection. CA001 enforces MFA for every user on every sign-in (with only the two break-glass accounts excluded). CA002 blocks legacy authentication protocols, which bypass MFA entirely because they carry a username and password and nothing else. CA003 (in report-only mode) prepares for device compliance enforcement when you reach Module AD4. Together, these three policies close the identity gaps that security defaults leave open.
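The three policies as Microsoft Graph PowerShell calls, given here as an added example rather than one of the course's own deployable artifacts. The break-glass UPNs and policy names are assumptions; substitute your own, and run this from a session signed in as an ordinary admin, not as a break-glass account.

```powershell
# Added example (not course material): CA001-CA003 via the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Conditional access and security defaults are mutually exclusive; switch defaults off first.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Assumed break-glass accounts. They are excluded from every policy so a bad policy
# can never lock the whole tenant out.
$breakGlassUpns = @("bg-admin1@contoso.onmicrosoft.com", "bg-admin2@contoso.onmicrosoft.com")
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id }

function New-CaPolicy($Name, $State, $ClientAppTypes, $Controls) {
    $body = @{
        displayName   = $Name
        state         = $State
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassIds) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# CA001: MFA for every user, every cloud app, every sign-in.
New-CaPolicy "CA001 - Require MFA for all users" "enabled" @("all") @("mfa")

# CA002: block the client app types that cannot do MFA. "exchangeActiveSync" plus "other"
# covers IMAP, POP, SMTP AUTH and the rest of basic authentication.
New-CaPolicy "CA002 - Block legacy authentication" "enabled" @("exchangeActiveSync", "other") @("block")

# CA003: require a compliant device, report-only until Intune enrolment finishes in Module AD4.
New-CaPolicy "CA003 - Require compliant device (report-only)" `
    "enabledForReportingButNotEnforced" @("all") @("compliantDevice")

# Check: the three policies exist with the states you intended before you close the console.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State
```

For a production rollout, create CA001 and CA002 with `state = "enabledForReportingButNotEnforced"` first, read the report-only insights for a few days to see which users and apps would have been caught, and only then flip the state to `enabled`. Keep a second browser session signed in while you do it so a mistake does not cost you your own access.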

You handled the exceptions that derail most MFA deployments — executives who refuse phone apps (FIDO2 security keys), shared accounts that can’t do MFA (disable interactive sign-in), service accounts (certificate-based authentication or managed identities), and users without smartphones (FIDO2 keys or Temporary Access Passes). Every exception has a solution that doesn’t require exemption from MFA.

You configured self-service password reset, which typically removes 70-80% of password-related helpdesk tickets while improving security. Resets now verify identity through the user's registered MFA methods rather than a helpdesk agent's voice check, which closes the social engineering route attackers use to get a password reset on their behalf.

You learned to read the sign-in log efficiently: the five fields that tell you in 30 seconds whether a sign-in is legitimate, the patterns that indicate compromise (legacy authentication getting through, sign-ins from places your users never are, the one-failure-per-account spray signature from a single IP, and interactive successes that never satisfied MFA), and the weekly review cadence that catches anomalies before they become incidents.
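The weekly review expressed as four checks over sign-in records, added here as an example and not the course's own procedure. The records below are constructed sample data shaped like the Graph `signIn` resource that `Get-MgAuditLogSignIn` returns; the expected countries, the break-glass UPN and the sample UPNs and IPs are assumptions.

```powershell
# Added example (not course material). For production, replace $signIns with:
#   Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
#   $since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$expectedCountries = @('GB', 'IE')                    # assumption: where this tenant's users normally are
$breakGlass        = @('bg-admin1@contoso.com')       # assumption: the accounts excluded from CA001
$legacyClients     = @('Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'Other clients')

# Constructed sample records. Status.ErrorCode: 0 = success, 50126 = bad password, 53003 = blocked by CA.
function New-SampleSignIn($Upn, $Client, $Country, $Ip, $ErrorCode, $AuthReq) {
    [pscustomobject]@{
        UserPrincipalName         = $Upn
        CreatedDateTime           = [datetime]'2024-05-06T08:00:00Z'
        ClientAppUsed             = $Client
        IPAddress                 = $Ip
        Status                    = @{ ErrorCode = $ErrorCode }
        Location                  = @{ CountryOrRegion = $Country }
        AuthenticationRequirement = $AuthReq
    }
}
$signIns = @(
    (New-SampleSignIn 'alice@contoso.com' 'Browser'            'GB' '203.0.113.10' 0     'multiFactorAuthentication')
    (New-SampleSignIn 'bob@contoso.com'   'IMAP4'              'GB' '203.0.113.11' 53003 'singleFactorAuthentication')  # legacy, blocked by CA002
    (New-SampleSignIn 'bob@contoso.com'   'Authenticated SMTP' 'GB' '203.0.113.11' 0     'singleFactorAuthentication')  # legacy, got through: gap
    (New-SampleSignIn 'carol@contoso.com' 'Browser'            'NG' '198.51.100.7' 0     'multiFactorAuthentication')   # unexpected country
    (New-SampleSignIn 'dave@contoso.com'  'Browser'            'GB' '203.0.113.12' 0     'singleFactorAuthentication')  # interactive success, no MFA
    (New-SampleSignIn 'erin@contoso.com'  'Browser'            'US' '192.0.2.50'   50126 'singleFactorAuthentication')  # one bad password per account
    (New-SampleSignIn 'frank@contoso.com' 'Browser'            'US' '192.0.2.50'   50126 'singleFactorAuthentication')  # from one IP is the
    (New-SampleSignIn 'grace@contoso.com' 'Browser'            'US' '192.0.2.50'   50126 'singleFactorAuthentication')  # password-spray signature
)

function Invoke-WeeklySignInReview([object[]]$Records) {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Subject, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Subject = $Subject; Detail = $Detail })
    }

    # Check 1: legacy authentication. After CA002 every legacy attempt must fail with 53003;
    # a success means a client type or user is slipping past the block.
    foreach ($r in ($Records | Where-Object { $legacyClients -contains $_.ClientAppUsed })) {
        if ($r.Status.ErrorCode -eq 0) {
            Add-Finding 'LegacyAuthSuccess' $r.UserPrincipalName "$($r.ClientAppUsed) from $($r.IPAddress) succeeded; CA002 did not apply"
        } else {
            Add-Finding 'LegacyAuthAttempt' $r.UserPrincipalName "$($r.ClientAppUsed) from $($r.IPAddress) blocked (error $($r.Status.ErrorCode)); find and retire the client"
        }
    }

    # Check 2: successful sign-ins from countries where the tenant has no users.
    foreach ($r in ($Records | Where-Object { $_.Status.ErrorCode -eq 0 -and $expectedCountries -notcontains $_.Location.CountryOrRegion })) {
        Add-Finding 'UnexpectedCountry' $r.UserPrincipalName "success from $($r.Location.CountryOrRegion) ($($r.IPAddress)); confirm travel with the user, otherwise treat as compromise"
    }

    # Check 3: password spray. Bad-password failures against several distinct accounts from one IP.
    $sprayThreshold = 3
    $Records | Where-Object { $_.Status.ErrorCode -eq 50126 } | Group-Object IPAddress | ForEach-Object {
        $users = @($_.Group.UserPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $sprayThreshold) {
            Add-Finding 'PasswordSpray' $_.Name "bad-password failures against $($users.Count) accounts ($($users -join ', ')); check whether any then succeeded"
        }
    }

    # Check 4: interactive success that never required MFA. With CA001 covering all users,
    # this only happens through a policy exclusion, so every hit is a gap to explain.
    foreach ($r in ($Records | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.AuthenticationRequirement -eq 'singleFactorAuthentication' -and $legacyClients -notcontains $_.ClientAppUsed -and $breakGlass -notcontains $_.UserPrincipalName })) {
        Add-Finding 'NoMfaSuccess' $r.UserPrincipalName "success via $($r.ClientAppUsed) without MFA; check CA001 exclusions"
    }
    return $findings
}

Invoke-WeeklySignInReview $signIns | Format-Table -AutoSize
```

On the sample data the review returns five findings: bob's blocked IMAP4 attempt, bob's SMTP success that CA002 missed, carol's success from NG, the spray from 192.0.2.50 against erin, frank and grace, and dave's interactive success without MFA. Each line ends with the action to take, which is what keeps the review to ten minutes.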

You practised the 15-minute emergency response for a compromised account: revoke sessions, reset the password (do these two back to back, since revocation alone lets the attacker sign in again with the password and a reset alone leaves already-issued tokens alive), remove any MFA methods the user did not register, delete malicious inbox rules, revoke OAuth app consents, then verify containment. Contain first, investigate second: that is the rule that saves the most time when the clock is ticking.
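The containment steps scripted with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell, added here as an example and not the course's own response card. The target UPN is an assumption; the signed-in admin must hold a role permitted to reset this user's password, and removing specific MFA methods is left as the commented type-specific calls because which ones are the attacker's is a human decision.

```powershell
# Added example (not course material): compromised-account containment, run top to bottom.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", "UserAuthenticationMethod.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All", "AuditLog.Read.All"
Connect-ExchangeOnline

$upn  = "compromised.user@contoso.com"        # assumption: the account being contained
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

# 1. Revoke every refresh token and session cookie issued so far.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Reset the password to a random value immediately after, forcing a change at next sign-in.
#    Steps 1 and 2 together: revocation alone lets the attacker log in again, a reset alone
#    leaves tokens minted before the reset alive until they expire.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 3. MFA methods: attackers register their own phone or Authenticator to survive a password reset.
#    List everything, then remove what the user does not recognise with the type-specific cmdlet.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties["@odata.type"]
                       Detail = ($_.AdditionalProperties | ConvertTo-Json -Compress) }
} | Format-Table -AutoSize
# Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId <id>
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId <id>

# 4. Inbox rules that delete, move or forward mail hide the attacker's activity from the user.
Get-InboxRule -Mailbox $upn | Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
# Remove-InboxRule -Mailbox $upn -Identity "<rule name>" -Confirm:$false
#    Mailbox-level forwarding is not an inbox rule; clear it as well.
Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 5. OAuth consent grants keep working after a password reset, so revoke the user's grants.
#    Legitimate apps simply ask for consent again on next use.
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    Write-Host "Revoking grant to '$($app.DisplayName)' for scopes: $($_.Scope)"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# 6. Verify containment: tokens issued before this timestamp are now rejected, and the most
#    recent sign-ins should be the user's own, from their usual client and location.
(Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime).SignInSessionsValidFromDateTime
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    Select-Object CreatedDateTime, IPAddress, ClientAppUsed, @{ n = 'Result'; e = { $_.Status.ErrorCode } }
```

Hand the temporary password to the user over a channel the attacker cannot read (a phone call to a known number, not the mailbox you have just cleaned), and keep the output of steps 3 to 5 as the starting point for the investigation that follows containment.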

And you built the quarterly reporting template that translates technical security improvements into business language management can act on — because the best security controls in the world don’t help if nobody knows they exist and nobody funds their maintenance.

What you built

  • Three conditional access policies (CA001: MFA, CA002: Legacy auth block, CA003: Device compliance report-only)
  • Two break-glass accounts with offline-stored credentials
  • MFA exception register with approved solutions per exception type
  • Self-service password reset with password writeback and banned password list
  • Weekly sign-in log review procedure (10 minutes, four checks)
  • Risk detection response procedure (leaked credentials, impossible travel, password spray)
  • 15-minute compromised account response card (7 steps, memorised)
  • Quarterly identity security report template (4 sections, one page)

What changed at NE

NE’s identity posture moved from 3/10 to 8/10. MFA coverage went from 87% (security defaults, probabilistic) to 100% (conditional access, deterministic). Legacy authentication went from partially blocked to completely blocked. Global Administrator count went from 3 to 2 operational + 2 break-glass. SSPR went from not configured to fully deployed with writeback. Weekly sign-in monitoring went from nonexistent to a structured 10-minute review. Incident response went from “call someone” to a documented 15-minute containment procedure.

What’s next

Module AD2 covers email protection — the second layer of the security improvement sequence. You’ll configure Defender for Office 365 Safe Links and Safe Attachments, set up SPF, DKIM, and DMARC for your domain, and tune anti-phishing policies. With identity secured, email protection reduces the phishing that reaches your users — the delivery mechanism for the attacks that identity controls catch at the authentication layer. Even if a phishing email gets through, MFA and conditional access prevent the attacker from using stolen credentials. But catching the email before the user sees it is better than catching the attacker after they try to sign in.


You're reading the free modules of M365 Security: From Admin to Defender
