1 Microsoft365 Business Premium Engineering Architecture
Productivity and security
denisebmsft
Contents

Create a communications site
  Best practices
  Infographic: Create a Communications site infographic
  Set it up
  Admin settings
  Next mission
Microsoft 365 Business Premium – productivity and cybersecurity for small business
  Cybersecurity playbook
  Next steps

  Make sure your emails look legitimate to others
  Share this infographic with your users
  Next objective

  See also
What’s new in Microsoft 365 Business Premium and Microsoft Defender for Business
  July 2023
  March 2023
  January 2023
  November 2022
  July 2022
  May 2022
  March 2022
  See also

Security incident management
Security defaults
  To enable security defaults (or confirm they’re already enabled)
Conditional Access
  Next objective

Protect unmanaged computers with Microsoft 365 Business Premium
  Windows 10 or 11
    Turn on device encryption
    Protect your device with Windows Security
    Turn on Windows Defender Firewall
  Next mission
  Mac
    Use FileVault to encrypt your Mac disk
    Protect your Mac from malware
    Turn on firewall protection
  Next mission

Best practices
Include the following elements in a Communications site:
1. Add your logo and colors as a header image and theme.
2. Lead with your strategy, message, important documents, a directory, and FAQ in a Hero web part.
3. Include a CEO or candidate statement to the team in a Text web part.
4. Add events to an Events web part so everyone can see what’s coming up.
5. Add photos that people can use or share to an Image gallery web part.
Figure 1: Diagram of a SharePoint Communications page with space for common elements that a campaign
would need.
Set it up
1. Sign in to https://Office.com.
2. In the top-left corner of the page, select the app launcher icon and then select the SharePoint tile. If you
don’t see the SharePoint tile, click the Sites tile or All if SharePoint isn’t visible.
3. At the top of the SharePoint home page, click + Create site and choose the Communication site
option.
Learn all about Communications sites and how to create a communication site in SharePoint Online.
Admin settings
If you don’t see the + Create site link, self-service site creation might not be available in Microsoft 365. To
create a team site, contact the person administering Microsoft 365 in your organization. If you’re a Microsoft 365
admin, see Manage site creation in SharePoint Online to enable self-service site creation for your organization or
Manage sites in the new SharePoint admin center to create a site from the SharePoint admin center.
Next mission
Congratulations — you’ve completed the mission! Now, immediately turn your focus toward protecting the
managed devices for the entire org!
Best practices
1. Create private teams for sensitive information.
2. Create an org-wide team for communication with everyone across your organization.
3. Create teams for specific projects and apply the right amount of protection based on who should be
included.
4. Create specific teams for communication with external partners to keep them separate from anything
sensitive for your business.
For example, a business, legal firm, or healthcare practice might create the following teams:
Figure 2: Diagram of a Microsoft Teams window with three separate teams to allow for secure communication
and collaboration within a business.
Figure 3: Diagram of a Microsoft Teams window with three separate teams to allow for secure communication
and collaboration within a campaign.
1. A business-, firm-, or practice-wide team: This is for everyone to use for day-to-day communications
and work across your business. You can use this team to post announcements or share information of
interest for your whole firm or practice.
2. Individual teams: Set up teams for smaller groups to collaborate about their day-to-day work.
3. An external communications team or teams: Coordinate with your vendors, partners, or clients
without allowing them into anything sensitive. Set up different channels for specific groups.
And campaigns could create the following teams to communicate and collaborate securely:
1. A campaign Leads team: Set this up as a private team so that only your key campaign members can
access it and discuss potentially sensitive concerns.
2. A general campaign team: This is for everyone to use for day-to-day communications and work.
Individuals, groups, or committees can set up channels in this team to do their work. For example, the
event planning people can set up a channel to chat and coordinate logistics for campaign events.
3. A partners team: Coordinate with your vendors, partners, or volunteers without allowing them into
anything sensitive.
When you create a team, here’s what else gets created:
• A new Microsoft 365 group
• A SharePoint Online site and document library to store team files
• An Exchange Online shared mailbox and calendar
• A OneNote notebook
• Ties into other Office 365 apps such as Planner and Power BI
Inside Microsoft Teams, you can find:
1. Teams: Find channels to belong to or create your own. Inside channels you can hold on-the-spot meetings,
have conversations, and share files.
2. Meetings: See everything you’ve got lined up for the day or week. Or, schedule a meeting. This calendar
syncs with your Outlook calendar.
3. Calls: In some cases, if your organization has it set up, you can call anyone from Microsoft Teams, even if
they’re not using Microsoft Teams.
4. Activity: Catch up on all your unread messages, @mentions, replies, and more.
Use the command box at the top to search for specific items or people, take quick actions, and launch apps.
Set it up
Create a private team for just the business owner and managers, or campaign manager and candidate like this.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWeqWA]
Create an organization-wide team that everyone in the business or campaign can use to communicate and share
files.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE2GCG9]
Create a team that you share with guests outside your organization, such as for advertising or finances.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]
Learn more about Microsoft Teams at Microsoft Teams technical documentation.
Admin settings
[!NOTE] You must be an admin to create an organization-wide team. For more information, see
What is an Admin in Microsoft 365?.
Next objective
Once you complete this objective, you need to securely set up meetings.
What to do: Fortify your environment. (Tasks your admin completes.)
How to do it:
1. Sign in and set up your environment. Complete the basic setup process for Microsoft 365 Business
Premium (or Microsoft 365 for Campaigns). Add users, assign licenses, and configure your domain to work
with Microsoft 365. Get a quick setup guide to share with employees.
2. Boost your security protection. Set up critical front-line security measures to prevent cyberattacks.
Set up multi-factor authentication (MFA), protect your admin accounts, and protect against malware and
other threats. Get an overview of how to secure unmanaged and managed devices, and set up your
information protection capabilities.

What to do: Train your team. (Tasks everyone does.)
How to do it:
3. Set up unmanaged (BYOD) devices. Set up all the unmanaged (“bring your own device,” also referred to
as BYOD) devices so they’re used more safely as part of your ecosystem.
4. Use email securely. Know what to watch for in your email, and train everyone on the necessary steps to
protect yourself and others from attacks.
5. Collaborate and share securely. Share files with others and collaborate more securely by using
Microsoft Teams, SharePoint, and OneDrive.

What to do: Safeguard managed devices. (Tasks your admin or security team does.)
How to do it:
6. Set up and secure managed devices. Enroll and secure computers, tablets, and phones so they can be
protected from threats.

Completing all six missions is the most effective way to thwart hackers, protect against ransomware, and help
ensure your organization’s future is safeguarded with the best cybersecurity defenses.
Let’s get started!
Cybersecurity playbook
The guidance in these missions is based upon the Zero Trust security model, and is summarized in a downloadable
Cybersecurity playbook.
Image: Cybersecurity playbook. Download this guide.
Next steps
Proceed to Fortify your environment.
Guided setup process
Microsoft 365 Business Premium includes a guided setup process, as shown in the following video:
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE471FJ]
3. Review the list of results. Select a provider to learn more about their expertise and the services they
provide.
Next objective
Proceed to Boost your security protection.
See also
• Overview of the Microsoft 365 admin center
• Business subscriptions and billing documentation
• Find a Microsoft partner or reseller
• Protect passwords: Set passwords to never expire, which is more secure and helps prevent work stoppages
(password policy).
• AccountGuard Program Access: Microsoft AccountGuard is a security service offered at no additional
cost to customers in the political space. The service is designed to inform and help these highly targeted
customers protect themselves from cybersecurity threats across their organizational and personal Microsoft
email accounts. View more information at Microsoft AccountGuard.
What does it cost, who needs it, and what is the commitment?
If your campaign qualifies for special pricing, Microsoft 365 for Campaigns costs $5 per user per month.
To protect your campaign, we recommend a license for the candidate, the campaign manager, all senior staff
who are part of the campaign or party, and usually all full-time staff. Certain volunteer employees might also
need a license. In general, assign a license to anyone in your campaign who needs protected email and devices.
There’s no minimum time commitment when you sign up for Microsoft 365 for Campaigns. You can pay monthly
for the licenses you need and stop using the service anytime.
Requirement: Subscription
Description: Microsoft 365 Business Premium or Microsoft 365 for Campaigns. To start a trial or purchase
your subscription, see the following resources:
- Get Microsoft 365 Business Premium
- Get Microsoft 365 for Campaigns

Requirement: Permissions
Description: To complete the initial setup process, you must be a Global Admin. Learn more about admin
roles.

Requirement: Browser requirements
Description: Microsoft Edge, Safari, Chrome or Firefox. Learn more about browser requirements.

Requirement: Operating systems (client)
Description:
- Windows: Windows 10 or 11 Pro
- macOS: One of the three most recent versions of macOS

Requirement: Operating systems (servers)
Description: Windows Server or Linux Server (Requires an additional license, such as Microsoft Defender
for Business servers.)

[!TIP] For more detailed information about Microsoft 365, Office, and system requirements, see
Microsoft 365 and Office Resources.
2. In the browser, go to the Microsoft 365 admin center.
3. Type your username and password. Select Sign in.
4. In the top right of the page, find the Preview on control. Select Preview on so you can use all the
controls described in Boost your security protection for your campaign.
Visual guide: Help protect yourself and your campaign from digital threats
To help your staff learn about steps to protect your campaign from cyber threats, use this downloadable guide:
Image: Infographic to help protect your campaign.
PDF | PowerPoint
Next objective
Proceed to set up your security protection.
• Malware is malicious software that can be installed on your computer, usually installed after you’ve
clicked a link or opened a document from an email. There are various types of malware (for example,
ransomware, when your computer is taken over), but you don’t want to have any of them.
Best practices
Use the following best practices to help users fend off cyberattacks through email.
Report it
Report any phishing or other scam emails you receive. Select the message, and choose Report message on the
ribbon.
For more information, see reporting junk and phishing emails.
Avoid phishing
• Never reply to an email that asks you to send personal or account information.
• If you receive an email that looks suspicious or asks you for this type of information, never click links that
supposedly take you to a company website.
• Never open any file attached to a suspicious-looking email.
• If the email appears to come from a company, contact the company’s customer service via phone or web
browser to see if the email is legitimate.
• Search the web for the email subject line followed by the word hoax to see if anyone else has reported this
scam.
Read about five common types of scams in Deal with abuse, phishing, or spoofing.
Next objective
Once you’ve completed this mission objective, learn about how to send encrypted email.
• Create Teams for collaboration.
• Set up meetings.
• Share files and videos.
• Create a communication site.
Once you’ve achieved these objectives, proceed to Set up and secure managed devices.
10. On the Review your policy step, review all the settings, make any needed edits, and then choose Create
policy or Update policy.
Next steps
Now that you’ve completed your primary missions, take time to set up your response teams and maintain your
environment.
See also
• View and edit device protection policies
• What is Microsoft Defender for Business?
• Best practices for securing Microsoft 365 for business plans
Microsoft Intune built-in roles
Built-in roles use pre-defined rules based on common Intune scenarios. Alternatively, custom roles are built upon
rules that are strictly defined by you.
Here are the built-in roles that you can assign:
3. All the permissions and scope tags from the original role will already be selected. You can subsequently
change the duplicate role’s Name, Description, Permissions, and Scope (Tags).
4. After you’ve made all the changes that you want, choose Next to get to the Review + create page. Select
Create.
[!Note] To be able to administer Intune you must have an Intune license assigned. Alternatively, you
can allow non-licensed users to administer Intune by setting Allow access to unlicensed admins
to Yes.
Related content
About Microsoft 365 admin roles (article)
Assign admin roles (article)
Activity reports in the Microsoft 365 admin center (article)
Managed devices
To protect managed devices, your organization’s IT or security team can:
• Use Windows Autopilot to get a user’s Windows device ready for first use. With Autopilot you
can install business critical apps, apply policies, and enable features like BitLocker before the device is
given to a user. You can also use Autopilot to reset, repurpose, and recover Windows devices. To
learn more, see Windows Autopilot.
• Upgrade Windows devices from previous versions of Windows to Windows 10 Pro or
Windows 11 Pro. Before onboarding, Windows client devices should be running Windows 10 Pro or
Enterprise, or Windows 11 Pro or Enterprise. If your organization has Windows devices running Windows
7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles
you to upgrade those devices at no additional cost. To learn more, see Upgrade Windows devices to
Windows 10 or 11 Pro.
• Onboard devices and protect them with mobile threat defense capabilities. Microsoft Defender
for Business is included with Microsoft 365 Business Premium. It includes advanced protection from
ransomware, malware, phishing, and other threats. If you prefer to use Microsoft Intune instead, you can
use Intune to enroll and manage devices. To learn more, see Onboard devices to Microsoft Defender for
Business.
• View and monitor device health in the Microsoft 365 Defender portal (https://security.microsoft.com).
You can view details, such as health state and exposure level for all onboarded devices. You can
also take actions, such as running an antivirus scan or starting an automated investigation on a device
that has detected threats or vulnerabilities. To learn more, see Monitor onboarded devices and Review
detected threats.
For their part in protecting managed devices, users can:
• Use the Microsoft Authenticator app to sign in. The Microsoft Authenticator app works with
all accounts that use multi-factor authentication (MFA). To learn more, see Download and install the
Microsoft Authenticator app.
• Join their devices to your organization’s network. Users can follow a process to register their device,
set up MFA, and complete the sign-in process using their account. To learn more, see Join your work
device to your work or school network.
• Make sure antivirus/antimalware software is installed and up to date on all devices. Once
devices are onboarded, antivirus, antimalware, and other threat protection capabilities are configured for
those devices. Users are prompted to install updates as they come in. To learn more, see Keep your
PC up to date.
To learn more about protecting managed devices, see Set up and secure managed devices.
Unmanaged devices
To protect unmanaged devices, such as BYOD devices, your organization’s IT or security team can:
• Encourage users to keep their antivirus protection turned on and up to date. Devices should
have the latest technology and features needed to protect against new malware and attack techniques.
Microsoft regularly releases security intelligence updates and product updates. To learn more, see Microsoft
Defender Antivirus security intelligence and product updates.
• Consider onboarding unmanaged devices and protecting them with mobile threat defense
capabilities. Or, if you prefer to use Microsoft Intune, you can use Intune to enroll and manage devices.
To learn more, see Onboard devices to Microsoft Defender for Business.
• View and monitor device health in the Microsoft 365 Defender portal (https://security.microsoft.com).
After devices are onboarded to Defender for Business (or Intune), you can view details, such
as health state and exposure level for onboarded devices. You can also take actions, such as running an
antivirus scan or starting an automated investigation on a device that has detected threats or vulnerabilities.
To learn more, see Monitor onboarded devices and Review detected threats.
For their part in protecting unmanaged devices, users can:
• Turn on encryption and firewall protection. Disk encryption protects data when devices are lost or
stolen. Firewall protection helps protect devices from unwanted contact initiated by other computers when
you’re connected to the Internet or a network. To learn more, see Protect unmanaged Windows PCs and
Macs in Microsoft 365 Business Premium.
• Make sure antivirus/antimalware software is installed and up to date on all devices. To learn
more, see Stay protected with Windows Security.
• Keep their devices up to date with operating system and application updates. To learn more,
see Keep your PC up to date.
• Consider allowing their devices to be managed by your security team. Microsoft 365 Business
Premium includes advanced protection from ransomware, malware, phishing, and other threats. To learn
more, select the Managed devices tab (in this article).
To learn more about protecting unmanaged devices, see Set up unmanaged (BYOD) devices.
Next steps
• Set up information protection capabilities
• Set up BYOD devices or Set up and secure managed devices
• Use email securely
• Collaborate and share securely
Tenant administration
Microsoft 365 Business Premium
Maintaining your Microsoft 365 Business Premium environment includes managing user accounts, managing
devices, and keeping things up to date and working correctly. Use this article as an admin guide for your
organization.
Many admin tasks can be performed in the Microsoft 365 admin center (https://admin.microsoft.com), although
some tasks, such as adding/removing devices, can be performed in other portals (such as the Microsoft 365
Defender portal or the Microsoft Intune admin center).
If you’re new to Microsoft 365, take a moment to get an Overview of the Microsoft 365 admin center.
General tasks
Devices
Domains
General tasks
Users, groups, and passwords
Devices
Security administration
Microsoft 365 Business Premium
Security administrators (also referred to as security admins) perform various tasks, such as:
• Defining or editing security policies
• Onboarding or offboarding devices
• Taking steps to protect high-risk user accounts or devices
The following table lists common tasks that security admins typically perform, with links to more detailed
information.
Task: Manage false positives/negatives
Description: A false positive is an entity, such as a file or a process that was detected and identified
as malicious even though the entity isn’t actually a threat. A false negative is an entity that wasn’t
detected as a threat, even though it actually is malicious. False positives/negatives can occur with any
threat protection solution, including Microsoft Defender for Office 365 and Microsoft Defender for
Business, which are both included in Microsoft 365 Business Premium. Fortunately, steps can be taken to
address and reduce these kinds of issues. For false positives/negatives on devices, see Address false
positives/negatives in Microsoft Defender for Endpoint. For false positives/negatives in email, see the
following articles:
- How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft
Defender for Office 365
- How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office
365

Task: Strengthen your security posture
Description: Defender for Business includes a vulnerability management dashboard that provides you with
exposure score and enables you to view information about exposed devices and see relevant security
recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and
improve your organization’s security posture. See the following articles:
- Use your vulnerability management dashboard in Microsoft Defender for Business
- Dashboard insights

Task: Adjust security policies
Description: Reports are available so that you can view information about detected threats, device
status, and more. Sometimes it’s necessary to adjust your security policies. For example, you might apply
strict protection to some user accounts or devices, and standard protection to others. See the following
articles:
- For device protection: View or edit policies in Microsoft Defender for Business
- For email protection: Recommended settings for EOP and Microsoft Defender for Office 365 security

Task: Analyze admin submissions
Description: Sometimes it’s necessary to submit entities, such as email messages, URLs, or attachments to
Microsoft for further analysis. Reporting items can help reduce the occurrence of false
positives/negatives and improve threat detection accuracy. See the following articles:
- Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and
email attachments to Microsoft
- Admin review for user reported messages

Task: Protect priority user accounts
Description: Not all user accounts have access to the same company information. Some accounts have access
to sensitive information, such as financial data, product development information, partner access to
critical build systems, and more. If compromised, accounts that have access to highly confidential
information pose a serious threat. We call these types of accounts priority accounts. Priority accounts
include (but aren’t limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts,
and more. See the following articles:
- Protect your administrator accounts
- Security recommendations for priority accounts in Microsoft 365

Task: Protect high-risk devices
Description: The overall risk assessment of a device is based on a combination of factors, such as the
types and severity of active alerts on the device. As your security team resolves active alerts, approves
remediation activities, and suppresses subsequent alerts, the risk level decreases. See Manage devices in
Microsoft Defender for Business.

Task: Onboard or offboard devices
Description: As devices are replaced or retired, new devices are purchased, or your business needs
change, you can onboard or offboard devices from Defender for Business. See the following articles:
- Onboard devices to Microsoft Defender for Business
- Offboard a device from Microsoft Defender for Business

Task: Manage false positives/negatives
Description: A false positive is an entity, such as a file or a process that was detected and identified
as malicious even though the entity isn’t actually a threat. A false negative is an entity that wasn’t
detected as a threat, even though it actually is malicious. False positives/negatives can occur with any
threat protection solution, including Defender for Business. Fortunately, steps can be taken to address
and reduce these kinds of issues. See Address false positives/negatives in Microsoft Defender for
Endpoint.

Task: Strengthen your security posture
Description: Defender for Business includes a vulnerability management dashboard that provides you with
exposure score and enables you to view information about exposed devices and see relevant security
recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and
improve your organization’s security posture. See the following articles:
- Use your vulnerability management dashboard in Defender for Business
- Dashboard insights

Task: Adjust security policies
Description: Reports are available so that you can view information about detected threats, device
status, and more. Sometimes it’s necessary to adjust your security policies. For example, you might apply
strict protection to some user accounts or devices, and standard protection to others. See View or edit
policies in Defender for Business.

Task: Protect high-risk devices
Description: The overall risk assessment of a device is based on a combination of factors, such as the
types and severity of active alerts on the device. As your security team resolves active alerts, approves
remediation activities, and suppresses subsequent alerts, the risk level decreases. See Manage devices in
Defender for Business.

Task: Onboard or offboard devices
Description: As devices are replaced or retired, new devices are purchased, or your business needs
change, you can onboard or offboard devices from Defender for Business. See the following articles:
- Onboard devices to Defender for Business
- Offboard a device from Defender for Business

Security operations
Microsoft 365 Business Premium
If you’re new to Microsoft 365 Business Premium, or if your business doesn’t have a security operations guide
in place yet, use this article as a starting point. If you do already have a security operations guide, review it
against the recommendations in this article.
You can use this guidance to make decisions about security incident priorities and tasks your security team will
perform in the Microsoft Defender portal (https://security.microsoft.com).
Daily tasks
27
Task Description
Check your threat vulnerability management Get a snapshot of threat vulnerability by looking at
dashboard your vulnerability management dashboard, which
reflects how vulnerable your organization is to
cybersecurity threats. A high exposure score means
your devices are more vulnerable to exploitation. 1. In
the Microsoft 365 Defender portal
(https://security.microsoft.com), in the navigation
pane, select Vulnerability management >
Dashboard.2. Take a look at your Organization
exposure score. If it’s in the acceptable or “High”
range, you can move on. If it isn’t, select Improve
score to see more details and security
recommendations to improve this score. Being aware
of your exposure score helps you to:- Quickly
understand and identify high-level takeaways about
the state of security in your organization- Detect and
respond to areas that require investigation or action to
improve the current state- Communicate with peers
and management about the impact of security efforts

Task: Review pending actions in the Action center
Description: As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Action center.
2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.
3. Select the History tab to view a list of completed actions.

Task: Review devices with threat detections
Description: When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report.
2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you’ll see that information in this row.

Task: Learn about new incidents or alerts
Description: As threats are detected and alerts are triggered, incidents are created. Your company’s security team can view and manage incidents in the Microsoft 365 Defender portal.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts.
2. Select an alert to open its flyout pane, where you can learn more about the alert.
3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.

Task: Run a scan or automated investigation
Description: Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Assets > Devices.
2. Select a device to open its flyout panel, and review the information that is displayed.
• Select the ellipsis (...) to open the actions menu.
• Select an action, such as Run antivirus scan or Initiate Automated Investigation.
Weekly tasks
Task: Monitor and improve your Microsoft Secure score
Description: Microsoft Secure Score is a measurement of your organization’s security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can:
• Report on the current state of your organization’s security posture.
• Improve your security posture by providing discoverability, visibility, guidance, and control.
• Compare with benchmarks and establish key performance indicators (KPIs).
To check your score, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane choose Secure score.
2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score.

Task: Improve your secure score for devices
Description: Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It’s always worth the time it takes to review and improve your score.
To check your secure score, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane select Secure score.
2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.
3. Select an item on the list to display details related to the recommendation.
4. Select Remediation options.
5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.
6. Send a follow-up email to your IT Administrator and allow for the time that you’ve allotted for the remediation to propagate in the system.
7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.
8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn’t listed there anymore, which results in your Microsoft secure score improving.
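One way to turn the weekly Secure Score review above into a tracked KPI, as an added example that is not part of the original guide: it compares the latest score with the most recent snapshot that is at least seven days older and names the categories that lost points. It assumes snapshots shaped like Microsoft Graph `secureScore` objects (`createdDateTime`, `currentScore`, `maxScore`, `controlScores`); the sample data, control names, and the 2-point regression threshold are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: three snapshots shaped like Microsoft Graph `secureScore`
# objects. Scores and control names are invented for illustration.
SAMPLE_SNAPSHOTS = [
    {"createdDateTime": "2023-07-03T00:00:00Z", "currentScore": 120.0, "maxScore": 300.0,
     "controlScores": [
         {"controlCategory": "Identity", "controlName": "ExampleMfaControl", "score": 50.0},
         {"controlCategory": "Device", "controlName": "ExampleDiskEncryption", "score": 40.0},
         {"controlCategory": "Apps", "controlName": "ExampleSafeLinks", "score": 30.0}]},
    {"createdDateTime": "2023-07-07T00:00:00Z", "currentScore": 126.0, "maxScore": 300.0,
     "controlScores": [
         {"controlCategory": "Identity", "controlName": "ExampleMfaControl", "score": 50.0},
         {"controlCategory": "Device", "controlName": "ExampleDiskEncryption", "score": 46.0},
         {"controlCategory": "Apps", "controlName": "ExampleSafeLinks", "score": 30.0}]},
    {"createdDateTime": "2023-07-10T00:00:00Z", "currentScore": 111.0, "maxScore": 300.0,
     "controlScores": [
         {"controlCategory": "Identity", "controlName": "ExampleMfaControl", "score": 50.0},
         {"controlCategory": "Device", "controlName": "ExampleDiskEncryption", "score": 31.0},
         {"controlCategory": "Apps", "controlName": "ExampleSafeLinks", "score": 30.0}]},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2023-07-10T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def percent(snapshot):
    """Score as a percentage of the achievable maximum (0.0 if maxScore is 0)."""
    max_score = snapshot.get("maxScore") or 0
    if max_score <= 0:
        return 0.0
    return round(100.0 * snapshot["currentScore"] / max_score, 1)


def category_points(snapshot):
    """Sum the achieved points per controlCategory."""
    totals = {}
    for control in snapshot.get("controlScores", []):
        category = control.get("controlCategory", "Unknown")
        totals[category] = totals.get(category, 0.0) + float(control.get("score", 0.0))
    return totals


def weekly_kpi(snapshots, regression_threshold=2.0):
    """Compare the latest snapshot with the newest one at least 7 days older.

    Returns the two percentages, their difference, a regression flag, and the
    categories whose points changed. With no old-enough baseline, the delta
    stays None instead of being computed against a too-recent snapshot.
    """
    if not snapshots:
        raise ValueError("no Secure Score snapshots supplied")
    ordered = sorted(snapshots, key=lambda s: parse_ts(s["createdDateTime"]))
    latest = ordered[-1]
    cutoff = parse_ts(latest["createdDateTime"]) - timedelta(days=7)
    older = [s for s in ordered[:-1] if parse_ts(s["createdDateTime"]) <= cutoff]
    baseline = older[-1] if older else None

    result = {"latest_percent": percent(latest), "baseline_percent": None,
              "delta": None, "regression": False, "category_changes": {}}
    if baseline is None:
        return result

    result["baseline_percent"] = percent(baseline)
    result["delta"] = round(result["latest_percent"] - result["baseline_percent"], 1)
    result["regression"] = result["delta"] <= -regression_threshold

    now, before = category_points(latest), category_points(baseline)
    for category in sorted(set(now) | set(before)):
        change = round(now.get(category, 0.0) - before.get(category, 0.0), 1)
        if change != 0:
            result["category_changes"][category] = change
    return result


if __name__ == "__main__":
    kpi = weekly_kpi(SAMPLE_SNAPSHOTS)
    print(f"Secure Score: {kpi['latest_percent']}% (was {kpi['baseline_percent']}%)")
    if kpi["regression"]:
        print(f"Regression of {kpi['delta']} points; review: {kpi['category_changes']}")
```

A drop in one category, as in the constructed Device figures here, tells the reviewer which group of recommendations to open first in the portal.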
Monthly tasks
Task: Run reports
Description: Several reports are available in the Microsoft 365 Defender portal (https://security.microsoft.com).
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Reports.
2. Choose a report to review. Each report displays many pertinent categories for that report.
3. Select View details to see deeper information for each category.
4. Select the title of a particular threat to see details specific to it.

Task: Run a simulation tutorial
Description: It’s always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Tutorials.
2. Read the walk-through for a tutorial you’re interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions.

Task: Explore the Learning hub
Description: Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Learning hub.
2. Select an area, such as Microsoft 365 Defender or Endpoints.
3. Select an item to learn more about each concept.
Note that some resources in the Learning hub might cover functionality that isn’t actually included in Microsoft 365 Business Premium. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Microsoft 365 Business Premium. Compare security features in Microsoft 365 plans for small and medium-sized businesses.
Task: Use the Threat analytics dashboard
Description: Use the threat analytics dashboard to get an overview of the current threat landscape by highlighting reports that are most relevant to your organization.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Threat analytics to display the Threat analytics dashboard. The dashboard summarizes the threats into the following sections:
• Latest threats lists the most recently published or updated threat reports, along with the number of active and resolved alerts.
• High-impact threats lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.
• Highest exposure lists threats with the highest exposure levels first. The exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.
3. Select the title of the one you want to investigate, and read the associated report.
4. You can also review the full Analyst report for more details, or select other headings to view the related incidents, impacted assets, and exposure and mitigations.

Task: Remediate an item
Description: Microsoft 365 Business Premium includes several remediation actions. Some actions are taken automatically, and others await approval by your security team.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices.
2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.
3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.
4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.

Source: Automated investigations
Actions:
• Quarantine a file
• Remove a registry key
• Kill a process
• Stop a service
• Disable a driver
• Remove a scheduled task

Source: Manual response actions
Actions:
• Run antivirus scan
• Isolate device
• Add an indicator to block or allow a file

Source: Live response
Actions:
• Collect forensic data
• Analyze a file
• Run a script
• Send a suspicious entity to Microsoft for analysis
• Remediate a file
• Proactively hunt for threats
Daily tasks
Task: Check your threat vulnerability management dashboard
Description: Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Vulnerability management > Dashboard.
2. Take a look at your Organization exposure score. If it’s in the acceptable or “High” range, you can move on. If it isn’t, select Improve score to see more details and security recommendations to improve this score.
Being aware of your exposure score helps you to:
• Quickly understand and identify high-level takeaways about the state of security in your organization
• Detect and respond to areas that require investigation or action to improve the current state
• Communicate with peers and management about the impact of security efforts

Task: Review pending actions in the Action center
Description: As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Action center.
2. Select the Pending tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.
3. Select the History tab to view a list of completed actions.

Task: Review devices with threat detections
Description: When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Reports > General > Security report.
2. Scroll down to the Vulnerable devices row. If threats were detected on devices, you’ll see that information in this row.

Task: Learn about new incidents or alerts
Description: As threats are detected and alerts are triggered, incidents are created. Your company’s security team can view and manage incidents in the Microsoft 365 Defender portal.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation menu, select Incidents. Incidents are displayed on the page with associated alerts.
2. Select an alert to open its flyout pane, where you can learn more about the alert.
3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert.

Task: Run a scan or automated investigation
Description: Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, remediation actions can occur automatically or upon approval.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Assets > Devices.
2. Select a device to open its flyout panel, and review the information that is displayed.
• Select the ellipsis (...) to open the actions menu.
• Select an action, such as Run antivirus scan or Initiate Automated Investigation.
Weekly tasks
Task: Monitor and improve your security score
Description: Microsoft Secure Score is a measurement of your organization’s security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can:
• Report on the current state of your organization’s security posture.
• Improve your security posture by providing discoverability, visibility, guidance, and control.
• Compare with benchmarks and establish key performance indicators (KPIs).
To check your score, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane choose Secure score.
2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score.

Task: Improve your secure score for devices
Description: Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It’s always worth the time it takes to review and improve your score.
To check your secure score, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane select Secure score.
2. From the Microsoft Secure Score for Devices card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.
3. Select an item on the list to display details related to the recommendation.
4. Select Remediation options.
5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select Export all remediation activity data to CSV so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.
6. Send a follow-up email to your IT Administrator and allow for the time that you’ve allotted for the remediation to propagate in the system.
7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.
8. Select Security controls to go back to the Security recommendations page. The item that you addressed isn’t listed there anymore, which results in your Microsoft secure score improving.
Monthly tasks
Task: Run security reports
Description: Several reports are available in the Microsoft 365 Defender portal.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Reports.
2. Choose a report to review. Each report displays many pertinent categories for that report.
3. Select View details to see deeper information for each category.
4. Select the title of a particular threat to see details specific to it.

Task: Run a simulation tutorial
Description: It’s always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps:
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Tutorials.
2. Read the walk-through for a tutorial you’re interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions.

Task: Explore the Learning hub
Description: Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, choose Learning hub.
2. Select an area, such as Microsoft 365 Defender or Endpoints.
3. Select an item to learn more about each concept.
Note that some resources in the Learning hub might cover functionality that isn’t actually included in Defender for Business. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Defender for Business. Compare security features in Microsoft 365 plans for small and medium-sized businesses.
Task: Use the Threat analytics dashboard
Description: Use the threat analytics dashboard to get an overview of the current threat landscape by highlighting reports that are most relevant to your organization.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, select Threat analytics to display the Threat analytics dashboard. The dashboard summarizes the threats into the following sections:
• Latest threats lists the most recently published or updated threat reports, along with the number of active and resolved alerts.
• High-impact threats lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.
• Highest exposure lists threats with the highest exposure levels first. The exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.
3. Select the title of the one you want to investigate, and read the associated report.
4. You can also review the full Analyst report for more details, or select other headings to view the related incidents, impacted assets, and exposure and mitigations.

Task: Remediate an item
Description: Defender for Business includes several remediation actions. Some actions are taken automatically, and others await approval by your security team.
1. In the Microsoft 365 Defender portal (https://security.microsoft.com), in the navigation pane, go to Assets > Devices.
2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.
3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.
4. Select an available action. For example, you might choose Run antivirus scan, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select Initiate Automated Investigation to trigger an automated investigation on the device.

Source: Automated investigations
Actions:
• Quarantine a file
• Remove a registry key
• Kill a process
• Stop a service
• Disable a driver
• Remove a scheduled task

Source: Manual response actions
Actions:
• Run antivirus scan
• Isolate device
• Add an indicator to block or allow a file

Source: Live response
Actions:
• Collect forensic data
• Analyze a file
• Run a script
• Send a suspicious entity to Microsoft for analysis
• Remediate a file
• Proactively hunt for threats
See also
• Security incident management
July 2023
[!TIP] Read all about the exciting, new capabilities releasing in July 2023 in the Tech
Community blog: New SMB security innovations from Microsoft Inspire 2023.
• Mobile threat defense is rolling out. Mobile threat defense includes operating system-level threat and
vulnerability management, web protection, and app security. It’s not generally available in Defender for
Business and Microsoft 365 Business Premium. Learn more about mobile threat defense.
• Automatic attack disruption is rolling out. During an ongoing attack, automatic attack disruption
capabilities swiftly contain compromised devices to help stop lateral movement within the network and
minimize the overall impact of the attack. Automatic attack disruption is included in Defender for Business
and Microsoft 365 Business Premium. Learn more about automatic attack disruption.
• Security summary reports are rolling out. Use these reports to view threats that were prevented by
Defender for Business, Microsoft Secure Score status, and recommendations for improving security. See
Reports in Microsoft Defender for Business.
• Streaming API (preview) is now available for Defender for Business. For partners or customers
looking to build their own security operations center, the Defender for Endpoint streaming API is now in
preview for Defender for Business and Microsoft 365 Business Premium. The API supports streaming of
device file, registry, network, sign-in events and more to Azure Event Hub, Azure Storage, and Microsoft
Sentinel to support advanced hunting and attack detection. See the Microsoft 365 streaming API guide.
• Managed detection and response integration with Blackpoint Cyber. This solution is ideal for
customers who don’t have the resources to invest in an in-house security operations center and for partners
who want to augment their IT team with security experts to investigate, triage, and remediate the alerts
generated by Defender for Business and Business Premium. Learn more about Blackpoint Cyber.
• Customizable security baselines and configuration drift reports in Microsoft 365 Lighthouse.
For Microsoft Managed Service Providers (MSPs), Microsoft 365 Lighthouse includes security baselines
to deploy a standardized set of configurations to customers’ tenants. Microsoft 365 Lighthouse now lets
MSPs customize baselines based on expertise and tailor them to customers’ unique needs. Learn more
about Microsoft 365 Lighthouse.
• New training resources for Microsoft partners. To provide step-by-step guidance for partners on
how to build services based on critical CIS cybersecurity controls, a Security Managed services kit and a
three-part digital training series are now available. See IT partner resources to help build security
services in the Tech Community blog: New SMB security innovations from Microsoft Inspire 2023.
March 2023
• Mobile threat defense (preview) is added to Defender for Business. The ability to onboard
iOS and Android devices to the standalone version of Defender for Business is now in preview! These
capabilities provide OS-level threat and vulnerability management, web protection, and app security to
help you and employees stay more secure on the go. See Mobile threat defense capabilities in Microsoft
Defender for Business.
• Monthly security summary report (preview) is added to Defender for Business (preview).
The new monthly security summary report shows how secure your organization is across identity, devices,
information, and apps. You can view threats detected (and blocked) by Defender for Business together
with your current status from Microsoft Secure Score. Recommendations to improve your security are also
provided. See Reports in Microsoft Defender for Business.
• Device exposure score is now visible in Microsoft 365 Lighthouse (preview). Microsoft Cloud
Solution Providers (CSPs) who are using Microsoft 365 Lighthouse can now view and manage device
exposure scores across customer tenants. These capabilities enable partners to discover which customers’
devices are at risk because of vulnerabilities. See Overview of the Vulnerability management page in
Microsoft 365 Lighthouse.
January 2023
• Attack surface reduction capabilities are rolling out. Attack surface reduction capabilities in
Defender for Business include attack surface reduction rules and a new attack surface reduction rules
report. Attack surface reduction rules target certain behaviors that are considered risky because they’re
commonly abused by attackers through malware. In the Microsoft 365 Defender portal (https://security.microsoft.com/),
you can now view a report showing detections and configuration information for attack
surface reduction rules. In the navigation pane, choose Reports, and under Endpoints, choose Attack
surface reduction rules.
• Default experience for Defender for Business when an enterprise plan is added. Defender for
Business now retains its default experience (simplified configuration and setup) even if an enterprise plan,
such as Defender for Endpoint Plan 2 or Microsoft Defender for Servers Plan 1 or 2 is added. To learn
more, see What happens if I have a mix of Microsoft endpoint security subscriptions?
November 2022
• Microsoft Defender for Business servers, a new add-on for Defender for Business, is now generally
available. To learn more, see the following articles:
– How to get Microsoft Defender for Business servers
– Tech Community Blog: Server security made simple for small businesses
• License reporting (preview) in Defender for Business. A new report (rolling out in preview) enables
you to view your Defender for Business license usage. To learn more, see Reports in Microsoft Defender for
Business.
July 2022
• Microsoft Defender for Business servers (preview) is available to customers who have at least one
paid license of Microsoft 365 Business Premium or Defender for Business. See Tech Community blog:
Server protection for small business is now in preview within Microsoft Defender for Business.
May 2022
• Defender for Business (standalone) is now generally available. To learn more, see the following resources:
– Tech Community blog: Introducing Microsoft Defender for Business
– What is Microsoft Defender for Business?
– Get Microsoft Defender for Business
March 2022
• Microsoft 365 Business Premium now includes Defender for Business. To learn more, see Tech
Community blog: New security solutions to help secure small and medium businesses.
See also
What’s new in Microsoft 365 Lighthouse
Next objective
Proceed to install Microsoft 365 Apps.
• Automatic onboarding for Windows devices that are already enrolled in Microsoft Intune
• A local script to onboard Windows and Mac devices to Defender for Business (for devices that are not
already enrolled in Intune)
• Onboard mobile devices using the Microsoft Defender app (Mobile threat defense capabilities are now
generally available!)
• Intune for enrolling new devices, including mobile devices (Windows, Mac, iOS, and Android) and then
apply Defender for Business policies to those devices
This article also includes:
• What about servers?
• How to run a detection test on a Windows device
• How to onboard devices gradually
• How to offboard a device if a device is replaced or someone leaves the organization
[!IMPORTANT] If something goes wrong and your onboarding process fails, see Microsoft Defender
for Business troubleshooting.
Use automatic onboarding for Windows devices that are already enrolled in Intune
You can onboard Windows client devices to Defender for Business automatically if those devices are already
enrolled in Intune. Defender for Business detects Windows client devices that are already enrolled in Intune,
and prompts you to choose whether to onboard those devices automatically. Security policies and settings in
Defender for Business are then applied to those devices. We call this process automatic onboarding.
Automatic onboarding helps get your devices protected almost immediately. Note that the automatic onboarding
option applies to Windows client devices only, if the following conditions are met:
• Your organization was already using Intune or Mobile Device Management (MDM) in Intune before you
got Defender for Business (Microsoft 365 Business Premium customers already have Microsoft Intune and
MDM).
• You already have Windows client devices enrolled in Intune.
[!TIP] If you’re prompted to use automatic onboarding, we recommend selecting the “all devices
enrolled” option. That way, when Windows devices are enrolled in Intune later on, they’ll be
onboarded to Defender for Business automatically.
To learn more about automatic onboarding, see Use the wizard to set up Microsoft Defender for Business.
Use a local script to onboard Windows and Mac devices to Defender for Business
You can use a local script to onboard Windows and Mac devices. When you run the onboarding script on a
device, it creates a trust with Azure Active Directory (if that trust doesn’t already exist), enrolls the device in
Intune (if it isn’t already enrolled), and then onboards the device to Defender for Business. You can onboard up
to 10 devices at a time using the local script.
See Onboard devices to Microsoft Defender for Business for detailed instructions.
See Device enrollment in Microsoft Intune.
Offboard a device
If you want to offboard a device, use one of the following procedures:
1. In the navigation pane, choose Settings, and then choose Endpoints.
2. Under Device management, choose Offboarding.
3. Select an operating system, such as Windows 10 and 11, and then, under Offboard a device, in the
Deployment method section, choose Local script.
4. In the confirmation screen, review the information, and then choose Download to proceed.
5. Select Download offboarding package. We recommend saving the offboarding package to a removable
drive.
6. Run the script on each device that you want to offboard. Need help with this task? See the following
resources:
• Windows devices: Offboard Windows devices using a local script
• Mac: Uninstalling on Mac
[!IMPORTANT] Offboarding a device causes the device to stop sending data to Defender for Business.
However, data received prior to offboarding is retained for up to six (6) months.
Figure 4: Choose Users and then Active users in the left nav.
Next objective
Set up protection for your Windows devices.
Create a user account for yourself
If you’re an admin, you’ll need a user account for regular work tasks, such as checking mail. Name your accounts so
that you know which is which. For example, your admin credentials might be similar to Alice.Chavez@Contoso.org,
and your regular user account might be similar to Alice@Contoso.com.
To create a new user account:
1. Go to the Microsoft 365 admin center and then choose Users > Active users in the left nav.
2. On the Active users page, select Add a user at the top of the page, and on the Add a user panel,
enter the name and other information.
3. In the Product Licenses section, select the check box for Microsoft 365 Business Premium (no
administrative access).
4. In the Optional settings section, leave the default radio button selected for User (no admin center
access).
5. Finish and review your settings and select Finish adding to confirm the details.
Additional recommendations
• Before using admin accounts, close out all unrelated browser sessions and apps, including personal email
accounts. You can also use InPrivate or incognito browser windows.
• After completing admin tasks, be sure to sign out of the browser session.
Next objective
Increase threat protection for Microsoft 365 Business Premium
1. Review and apply preset security policies for email and collaboration
Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware,
and anti-phishing protection. By default, built-in protection is enabled; however, consider applying standard or
strict protection for increased security.
Figure: Screenshot of preset security policies.
[!NOTE] Preset security policies are not the same thing as security defaults. Typically, you’ll be
using either security defaults or Conditional Access first, and then you’ll add your security policies.
Preset security policies simplify the process of adding your security policies. You can also create
optional custom security policies (if needed).
[!TIP] You can specify the users, groups, and domains to receive preset policies, and you can define
certain exceptions, but you cannot change the preset policies themselves. If you want to use different
settings for your security policies, you can create your own custom policies to suit your company’s
needs.
How do I assign preset security policies to users?
[!IMPORTANT] Before you begin, make sure you have one of the following roles assigned in Exchange
Online (which is included in your subscription):
• Global Administrator
• Organization Management
• Security Administrator
To learn more, see Permissions in Exchange Online and About admin roles.
To assign preset security policies, follow these steps:
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. Go to Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies
in the Templated policies section. (To go directly to the Preset security policies page, use https:
//security.microsoft.com/presetSecurityPolicies.)
3. On the Preset security policies page, in either the Standard protection or Strict protection section,
select Manage Protection Settings.
4. The Apply Standard protection or Apply Strict protection wizard starts in a flyout. On the
EOP protections apply to page, identify the internal recipients that the policies apply to (recipient
conditions):
• Users
• Groups
• Domains
Click in the appropriate box, start typing a value, and then select the value that you want from the results.
Repeat this process as many times as necessary. To remove an existing value, select the Remove icon
next to the value.
For users or groups, you can use most identifiers (name, display name, alias, email address, account name,
etc.), but the corresponding display name is shown in the results. For users, type an asterisk (*) by itself
to see all available values.
To specify an exclusion, select the Exclude these users, groups, and domains checkbox, and then
specify users, groups, or domains to exclude.
When you’re finished, select Next.
5. On the Defender for Office 365 protections apply to page, identify the internal recipients that the
policies apply to (recipient conditions). Specify users, groups, and domains just as you did in the
previous step.
When you’re finished, select Next.
6. On the Review and confirm your changes page, verify your selections, and then select Confirm.
[!TIP] To learn more about assigning preset security policies, see the following articles:
• Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users
• Recommended settings for email and collaboration content (Microsoft 365 Business Premium includes
Exchange Online Protection and Microsoft Defender for Office 365 Plan 1)
Default alert policies included with Microsoft 365.
3. Adjust sharing settings for SharePoint and OneDrive files and folders
By default, sharing levels are set to the most permissive level for both SharePoint and OneDrive. We recommend
changing the default settings to better protect your business.
1. Go to Sharing in the SharePoint admin center, and sign in with an account that has admin permissions
for your organization.
2. Under External sharing, specify the level of sharing. (We recommend using Least permissive to
prevent external sharing.)
3. Under File and folder links, select an option (such as Specific people). Then choose whether to grant
View or Edit permissions by default for shared links (such as View).
4. Under Other settings, select the options you want to use.
5. Then choose Save.
[!TIP] To learn more about these settings, see Manage sharing settings.
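The same sharing defaults can be audited and set from the SharePoint Online Management Shell. The script below is an added example, not part of the original guidance; the admin URL and the `$Apply` switch are assumptions, and it maps "Least permissive" to `Disabled` and "Specific people" to `Direct`.

```powershell
# Added example: report drift from the recommended sharing defaults and
# optionally correct it. Requires the SharePoint Online Management Shell.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Assumptions: placeholder tenant admin URL; report-only unless $Apply is $true.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$Apply    = $false

Connect-SPOService -Url $AdminUrl

# Portal choice -> tenant property value
$desired = [ordered]@{
    SharingCapability         = 'Disabled'  # External sharing: least permissive (SharePoint)
    OneDriveSharingCapability = 'Disabled'  # External sharing: least permissive (OneDrive)
    DefaultSharingLinkType    = 'Direct'    # File and folder links: Specific people
    DefaultLinkPermission     = 'View'      # Default permission for shared links
}

# Compare the live tenant settings with the desired values.
$tenant = Get-SPOTenant
$drift = foreach ($name in $desired.Keys) {
    $current = [string]$tenant.$name
    if ($current -ne $desired[$name]) {
        [pscustomobject]@{
            Setting = $name
            Current = $current
            Desired = $desired[$name]
        }
    }
}

if (-not $drift) {
    Write-Output 'Sharing settings already match the recommended values.'
}
else {
    $drift | Format-Table -AutoSize | Out-String | Write-Output
    if ($Apply) {
        # Change only the settings that differ.
        $params = @{}
        foreach ($row in $drift) { $params[$row.Setting] = $row.Desired }
        Set-SPOTenant @params
        Write-Output 'Updated tenant sharing settings.'
    }
    else {
        Write-Output 'Report only. Set $Apply = $true to change these settings.'
    }
}
```

Run it in report-only mode first: disabling external sharing also stops existing external links from working, so review the drift table before applying.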
Screenshot showing external calendar sharing as not allowed.
6. Create additional security policies for email and collaboration (if needed)
The preset security policies described earlier in this article provide strong protection for most businesses. However,
you’re not limited to using preset security policies only. You can define your own custom security policies to suit
your company’s needs.
Use our quick-start guide, Protect against threats, to get started creating your own custom policies. The guidance
not only walks you through how to set up your own security policies, it also provides recommended settings to
use as a starting point for:
• Antimalware protection
• Advanced antiphishing protection
• Antispam protection
• Safe Links and Safe Attachments
Next objectives
Proceed to:
• Secure managed and unmanaged devices
• Protect all email
• Collaborate and share securely
Next steps
• Manage devices in Microsoft Defender for Business
• Set up a security operations process.
• Learn about security incident management.
• Learn how to maintain your environment.
Types of remediation actions
Your subscription includes several different types of remediation actions for detected threats. These actions
include manual response actions, actions following automated investigation, and live response actions.
The following table lists remediation actions that are available:
| Source | Actions |
|---|---|
| Automated investigations | Quarantine a file; Remove a registry key; Kill a process; Stop a service; Disable a driver; Remove a scheduled task |
| Manual response actions | Run antivirus scan; Isolate device; Add an indicator to block or allow a file |
| Live response | Collect forensic data; Analyze a file; Run a script; Send a suspicious entity to Microsoft for analysis; Remediate a file; Proactively hunt for threats |
| Action | Description |
|---|---|
| Configure protection | Your threat protection policies need to be configured. Select the link to go to your policy configuration page. Need help? See Manage device security with endpoint security policies in Microsoft Intune. |
| Update policy | Your antivirus and real-time protection policies need to be updated or configured. Select the link to go to the policy configuration page. Need help? See Manage device security with endpoint security policies in Microsoft Intune. |
| Run quick scan | Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders. |
| Run full scan | Starts a full antivirus scan on the device, focusing on common locations where malware might be registered, and including every file and folder on the device. Results are sent to Microsoft Intune. |
| Update antivirus | Requires the device to get security intelligence updates for antivirus and antimalware protection. |
| Restart device | Forces a Windows device to restart within five minutes. IMPORTANT: The device owner or user isn’t automatically notified of the restart and could lose unsaved work. |
View and manage threat detections in the Microsoft 365 Defender portal
1. Go to the Microsoft 365 Defender portal and sign in.
2. In the navigation pane, choose Threat Analytics to see all the current threats. Threats are categorized
by threat severity and type.
3. Click on a threat to see more details about the threat.
4. In the table, you can filter the alerts according to a number of criteria.
| Action | Description |
|---|---|
| Restart | Forces a Windows device to restart within five minutes. IMPORTANT: The device owner or user isn’t automatically notified of the restart and could lose unsaved work. |
| Quick Scan | Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders. Results are sent to Microsoft Intune. |
| Full Scan | Starts a full antivirus scan on the device, focusing on common locations where malware might be registered, and including every file and folder on the device. Results are sent to Microsoft Intune. |
| Sync | Requires a device to check in with Intune. When the device checks in, the device receives any pending actions or policies assigned to the device. |
| Update signatures | Requires the device to get security intelligence updates for antivirus and antimalware protection. |
See also
Best practices for securing Microsoft 365 for business plans
Overview of Microsoft Defender for Business (Defender for Business is rolling out to Microsoft 365 Business
Premium customers, beginning March 1, 2022)
Use Compliance Manager to get started
Figure: Screenshot of Compliance Manager in Microsoft 365 Business Premium.
Microsoft 365 Business Premium includes Compliance Manager, which can help you get started setting up your
compliance features. Such features include data loss prevention, data lifecycle management, and insider risk
management, to name a few. Compliance Manager can save you time by highlighting recommendations, a
compliance score, and ways to improve your score.
Here’s how to get started:
1. Go to https://compliance.microsoft.com and sign in.
2. In the navigation pane, choose Compliance Manager.
3. On the Overview tab, review the information. Select an item or link to view more information, or to take
actions, such as configuring a data loss prevention (DLP) policy. For example, in the Solutions that
affect your score section, you might select the link in the Remaining actions column.
Figure: Screenshot of Solutions That Affect Your Score pane.
That action takes you to the Improvement actions tab, which is filtered for the item you selected. In
this example we’re looking at DLP policies to configure.
Figure: Screenshot of DLP policies to configure.
4. On the Improvement actions tab, select an item. In our example, we’ve selected Create customized
DLP policies or personally identifiable information. A page loads that provides more information
about the policy to configure.
Figure: Screenshot of information about DLP policy for customer content.
Follow the information on the screen to set up your DLP policy.
For more information about compliance features in Microsoft 365 for business, see Microsoft Purview
documentation.
1. Learn about data loss prevention.
2. Get started with the default DLP policy.
Next steps
• Set up BYOD devices or Set up and secure managed devices
• Use email securely
• Collaborate and share securely
• Dedicated protection updates are based on machine learning, human and automated big-data analysis, and
in-depth threat resistance research.
To learn more about malware and Microsoft Defender Antivirus, see the following articles:
• Understanding malware & other threats
• How Microsoft identifies malware and potentially unwanted applications
• Next-generation protection in Windows 10
• If you’ve secured your Windows 10 devices and enrolled them in Intune, and your organization has 800 or
fewer devices enrolled, you’ll see threat detections and insights in the Microsoft 365 admin center on the
Threats and antivirus page, which you can access from the Microsoft Defender Antivirus card on
the Home page (or from the navigation pane by selecting Health > Threats & antivirus).
If your organization has more than 800 devices enrolled in Intune, you’ll be prompted to view threat
detections and insights from Microsoft Intune instead of from the Threats and antivirus page.
[!NOTE] The Microsoft Defender Antivirus card and Threats and antivirus page are
being rolled out in phases, so you may not have immediate access to them.
In most cases, users don’t need to take any further action. As soon as a malicious file or program is detected on
a device, Microsoft Defender Antivirus blocks it and prevents it from running. Plus, newly detected threats are
added to the antivirus and antimalware engine so that other devices and users are protected, as well.
If there’s an action a user needs to take, such as approving the removal of a malicious file, they’ll see that in
the notification they receive. To learn more about actions that Microsoft Defender Antivirus takes on a user’s
behalf, or actions users might need to take, see Protection History. To learn how to manage threat detections as
an IT professional/admin, see Review detected threats and take action.
To learn more about different threats, visit the Microsoft Security Intelligence Threats site, where you can
perform the following actions:
• View current information about top threats.
• View the latest threats for a specific region.
• Search the threat encyclopedia for details about a specific threat.
Related content
Secure Windows devices (article)
Evaluate Microsoft Defender Antivirus (article)
How to turn on real-time and cloud-delivered antivirus protection (article)
How to turn on and use Microsoft Defender Antivirus from the Windows Security app (article)
How to turn on Microsoft Defender Antivirus by using Group Policy (article)
How to update your antivirus definitions (article)
How to submit malware and non-malware to Microsoft for analysis (article)
Add a domain
When you try or buy Microsoft 365 Business Premium, you have the option of using a domain you own, or
buying one during the sign-up process.
[!NOTE] If you purchased a new domain when you signed up, your domain is all set up and you can
move to Add users and assign licenses. Go to the admin center (https://admin.microsoft.com).
1. From the admin center menu, choose Setup to start the wizard.
2. Select Set up email with a custom domain and then, Use a domain you already own such as
contoso.com.
3. Follow the rest of the steps in the wizard to complete the process.
[!IMPORTANT] If you purchased a domain during the sign-up, you will not see the Add a domain
step here. Go to Add users instead.
4. Follow the steps in the wizard to create the DNS records, at any DNS hosting provider, that verify for
Office 365 that you own the domain. If you know your domain host, see Add a domain to Microsoft 365.
5. If your hosting provider is GoDaddy or another host enabled with domain connect, you’ll be asked to sign
in and let Microsoft authenticate on your behalf automatically.
Onboard and protect devices
Microsoft 365 Business Premium includes Defender for Business, a new security solution to protect devices. See
Onboard devices to Microsoft Defender for Business.
1. Go to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in.
2. Go to Assets > Devices. If Defender for Business isn’t already set up, you will be prompted to run the
setup wizard.
3. Onboard devices.
4. Review your security policies.
See also
• Microsoft 365 Business Premium - cybersecurity for small business
• What is Microsoft Defender for Business?
Security defaults
Security defaults were designed to help protect your company’s user accounts from the start. When turned on,
security defaults provide secure default settings that help keep your company safe by:
• Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party
application using OATH TOTP.
• Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical
roles and tasks.
• Disabling authentication from legacy authentication clients that can’t do MFA.
• Protecting admins by requiring extra authentication every time they sign in.
MFA is an important first step in securing your company, and security defaults make enabling MFA easy to
implement. If your subscription was created on or after October 22, 2019, security defaults might have been
automatically enabled for you—you should check your settings to confirm.
[!TIP] For more information about security defaults and the policies they enforce, see Security defaults
in Azure AD.
Conditional Access
If your company or business has complex security requirements or you need more granular control over your
security policies, then you should consider using Conditional Access instead of security defaults to achieve a
similar or higher security posture.
Conditional Access lets you create and define policies that react to sign-in events and request additional actions
before a user is granted access to an application or service. Conditional Access policies can be granular and
specific, empowering users to be productive wherever and whenever, but also protecting your organization.
Security defaults are available to all customers, while Conditional Access requires one of the following plans:
• Azure Active Directory Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Enterprise Mobility & Security E3 or E5
If you want to use Conditional Access to configure policies, see the following step-by-step guides:
• Require MFA for administrators
• Require MFA for Azure management
• Block legacy authentication
• Require MFA for all users
• Require Azure AD MFA registration - Requires Azure AD Identity Protection, which is part of Azure
Active Directory Premium P2
To learn more about Conditional Access, see What is Conditional Access? For more information about creating
Conditional Access policies, see Create a Conditional Access policy.
[!NOTE] If you have a plan or license that provides Conditional Access but haven’t yet created any
Conditional Access policies, you’re welcome to use security defaults. However, you’ll need to turn off
security defaults before you can use Conditional Access policies.
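The check described in the note, followed by one of the listed policies (Block legacy authentication), can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guidance; the policy display name is an assumption, and the policy is created in report-only state so that its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: confirm security defaults are off, then create a
# report-only Conditional Access policy that blocks legacy authentication.
# Requires the Microsoft.Graph.Identity.SignIns module.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All'

# Security defaults and Conditional Access policies are not used together.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    Write-Warning 'Security defaults are ON. Turn them off before relying on Conditional Access policies.'
    return
}

# Assumption: example display name; rename to fit your naming convention.
$policyName = 'Example - Block legacy authentication (report-only)'

$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -eq $policyName
if ($existing) {
    Write-Output "Policy already exists with state '$($existing.State)'."
    return
}

$policy = @{
    displayName = $policyName
    # Report-only: evaluated and logged, but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        # Legacy protocols that cannot perform MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only state."
```

After reviewing the report-only results, change the policy's state to `enabled` in the portal or with `Update-MgIdentityConditionalAccessPolicy`.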
Next objective
Protect your administrator accounts in Microsoft 365 Business Premium
Diagram of an email with callouts for labels and encryption.
See also
Activate Windows
Microsoft 365 for business training videos
Best practices
Before individuals send email with confidential or sensitive information, they should consider turning on:
• Encryption: You can encrypt your email to protect the privacy of the information in the email. When
you encrypt an email message, it’s converted from readable plain text into scrambled cypher text. Only the
recipient who has the private key that matches the public key used to encrypt the message can decipher
the message for reading. Any recipient without the corresponding private key, however, sees indecipherable
text. Your admin can define rules to automatically encrypt messages that meet certain criteria. For
instance, your admin can create a rule that encrypts all messages sent outside your organization or all
messages that mention specific words or phrases. Any encryption rules will be applied automatically.
• Sensitivity labels: If your organization requires it, you can set up sensitivity labels that you apply to
your files and email to keep them compliant with your organization’s information protection policies. When
you set a label, the label persists with your email, even when it’s sent — for example, by appearing as a
header to your message.
Set it up
If you want to encrypt a message that doesn’t meet a pre-defined rule or your admin hasn’t set up any rules,
you can apply a variety of different encryption rules before you send the message. To send an encrypted message
from Outlook 2013 or 2016, or Outlook 2016 for Mac, select Options > Permissions, then select the protection
option you need. You can also send an encrypted message by selecting the Protect button in Outlook on the
web. For more information, see Send, view, and reply to encrypted messages in Outlook for PC.
Admin settings
You can learn all about setting up email encryption at Email encryption in Microsoft 365.
Automatically encrypt email messages
Admins can create mail flow rules to automatically protect email messages that are sent and received from
a campaign or business. Set up rules to encrypt any outgoing email messages, and remove encryption from
encrypted messages coming from inside your organization or from replies to encrypted messages sent from your
organization.
You create mail flow rules to encrypt email messages with Microsoft Purview Message Encryption. Define mail
flow rules for triggering message encryption by using the Exchange admin center (EAC).
1. In a web browser, using a work or school account that has been granted global administrator permissions,
sign in.
2. Choose the Admin tile.
3. In the Admin center, choose Admin centers > Exchange.
For more information, see Define mail flow rules to encrypt email messages.
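The two rules described above (encrypt outgoing mail, and remove encryption from mail delivered to internal recipients) can also be created in Exchange Online PowerShell. This is an added example, not part of the original guidance; the admin account and rule names are assumptions, and both rules are created disabled so they can be reviewed before they affect mail flow.

```powershell
# Added example: create mail flow rules for Microsoft Purview Message
# Encryption. Requires the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement

# Assumption: placeholder admin account.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Message encryption depends on Azure RMS licensing being enabled.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False. Enable message encryption before creating rules.'
}

# Assumption: example rule names.
$rules = @(
    @{
        Name                          = 'Example - Encrypt mail sent outside the organization'
        FromScope                     = 'InOrganization'
        SentToScope                   = 'NotInOrganization'
        ApplyRightsProtectionTemplate = 'Encrypt'
    },
    @{
        Name        = 'Example - Remove encryption for internal recipients'
        SentToScope = 'InOrganization'
        RemoveOMEv2 = $true
    }
)

$existingNames = (Get-TransportRule).Name

foreach ($rule in $rules) {
    if ($existingNames -contains $rule.Name) {
        Write-Output "Skipping existing rule: $($rule.Name)"
        continue
    }
    # Created disabled; turn on with Enable-TransportRule after review.
    New-TransportRule @rule -Enabled $false `
        -Comments 'Created by example script; review before enabling.' | Out-Null
    Write-Output "Created (disabled): $($rule.Name)"
}

# Show the resulting rules and where they sit in the rule order.
Get-TransportRule |
    Where-Object Name -like 'Example - *' |
    Format-Table Name, State, Mode, Priority -AutoSize
```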
Next mission
If you’ve gotten this far, you’ve successfully completed another mission, so congratulations! There’s no time
to rest on our successes, so let’s get right to setting up a safe and secure environment in which the team can
collaborate safely.
iPhone
Watch a short video on how to set up Microsoft 365 Apps on iOS devices with Microsoft 365 for business.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWee2n]
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
Go to App store, and in the search field type in Microsoft Outlook.
Figure: Go to the iPhone App Store.
Tap the cloud icon to install Outlook.
Figure: Tap the cloud icon to install Outlook.
When the installation is done, tap the Open button to open Outlook and then tap Get Started.
Figure: Screenshot of Outlook with Get Started button.
Enter your work email address on the Add Email Account screen > Add Account, and then enter your
Microsoft 365 for business credentials > Sign in.
Figure: Sign in to your work account.
If your organization is protecting files in apps, you’ll see a dialog stating that your organization is now protecting
the data in the app and you need to restart the app to continue to use it. Tap OK and close Outlook.
Figure: Screenshot that shows your organization is now protecting your Outlook app.
Locate Outlook on the iPhone, and restart it. When prompted, enter a PIN and verify it. Outlook on your
iPhone is now ready to be used.
Figure: Set a PIN to access your organization’s data.
Follow these links for additional information on how to:
• Install Microsoft 365 Apps: Install Office on your PC or Mac
• Install other apps: Project, Visio, or Skype for Business
Next objective
Set up protection for unmanaged devices.
Android
Watch a video about installing Outlook and Office on Android devices.
[!VIDEO https://www.microsoft.com/videoplayer/embed/ecc2e9c0-bc7e-4f26-8b14-91d84dbcfef0]
If you found this video helpful, check out the complete training series for small businesses and those new to
Microsoft 365.
To begin setup on your Android phone, go to the Play Store.
Figure: On the Android home screen, tap Play Store.
Enter Microsoft Outlook in the Google Play search box and tap Install. Once Outlook is done installing, tap
Open.
Figure: Tap Open to open Outlook app.
In the Outlook app, tap Get Started, then add your Microsoft 365 for business email account > Continue,
and sign in with your organization credentials.
Figure: Sign in using your account for Microsoft 365.
In the dialog that states you must install the Intune Company Portal app, tap Go to store.
Figure: Get the Intune Company Portal app.
In Play Store, install Intune Company Portal.
Figure: Install button for Intune Company Portal in Google Play Store.
Open Outlook again, and enter and confirm a PIN. Your Outlook app is now ready for use.
Figure: Set your PIN for Outlook on Android.
For additional details and information:
• Set up mobile devices: Microsoft 365 mobile setup - Help
• Set up email in Outlook: Windows or Mac
• Upgrade users to the latest Microsoft 365 Apps
Follow these links for additional information on how to:
• Install Microsoft 365 Apps: Install Office on your PC or Mac
• Install other apps: Project, Visio, or Skype for Business
Next objective
Set up protection for unmanaged devices.
Windows 10 or 11
Turn on device encryption
Device encryption is available on a wide range of Windows devices and helps protect your data by encrypting it.
If you turn on device encryption, only authorized individuals will be able to access your device and data. See
turn on device encryption for instructions.
If device encryption isn’t available on your device, you can turn on standard BitLocker encryption instead.
(BitLocker isn’t available on Windows 10 Home edition.)
Protect your device with Windows Security
If you have Windows 10 or 11, you’ll get the latest antivirus protection with Windows Security. When you start
up Windows 10 for the first time, Windows Security is on and actively helping to protect your PC by scanning
for malware (malicious software), viruses, and security threats. Windows Security uses real-time protection to
scan everything you download or run on your PC.
Windows Update downloads updates for Windows Security automatically to help keep your PC safe and protect
it from threats.
If you have an earlier version of Windows and are using Microsoft Security Essentials, it’s a good idea to move
to Windows Security. For more information, see help protect my device with Windows Security.
Next mission
Okay, mission complete! Now, let’s work on securing the email system against phishing and other attacks.
Mac
Use FileVault to encrypt your Mac disk
Disk encryption protects data when devices are lost or stolen. FileVault full-disk encryption helps prevent
unauthorized access to the information on your startup disk. See use FileVault to encrypt the startup disk on
your Mac for instructions.
Next mission
Okay, mission complete! Now, let’s work on securing email usage against phishing and other attacks.
About the default device protection policies
Microsoft 365 Business Premium includes two main types of policies to protect your organization’s devices:
• Next-generation protection policies, which determine how Microsoft Defender Antivirus and other
threat protection features are configured.
• Firewall policies, which determine what network traffic is permitted to flow to and from your organization’s
devices.
These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium
subscription. Information is provided for working with policies in the Microsoft 365 Defender portal or in the
Microsoft Intune admin center.
• Firewall settings
After you have specified your next-generation protection settings, choose Next.
7. On the Review your policy tab, review the general information, targeted devices, and configuration
settings.
• Make any needed changes by selecting Edit.
• When you’re ready to proceed, choose Update policy.
• Disk encryption
• Firewall
• Endpoint detection and response
• Attack surface reduction
• Account protection
3. Specify the following properties:
• Platform: Choose the platform for which you’re creating the policy. The available options depend
on the policy type you select.
• Profile: Choose from the available profiles for the platform you selected. For information about the
profiles, see the dedicated section in this article for your chosen policy type.
Then select Create.
4. On the Basics page, enter a name and description for the profile, then choose Next.
5. On the Configuration settings page, expand each group of settings, and configure the settings you want to
manage with this profile. Then select Next.
6. On the Assignments page, select the groups that will receive this profile. For more information on
assigning profiles, see Assign user and device profiles. Then select Next.
7. On the Review + create page, when you’re done, choose Create. The new profile is displayed in the list
when you select the policy type for the profile you created.
Manage conflicts
Many of the device settings that you can manage with Endpoint security policies are also available through other
policy types in Intune. These other policy types include device configuration policies and security baselines.
Because settings can be managed through several different policy types or by multiple instances of the same
policy type, be prepared to identify and resolve policy conflicts for devices that don’t adhere to the configurations
you expect.
Security baselines can set a non-default value for a setting to comply with the recommended configuration that
baseline addresses.
Other policy types, including the endpoint security policies, set a value of Not configured by default. These
other policy types require you to explicitly configure settings in the policy.
Regardless of the policy method, managing the same setting on the same device through multiple policy types,
or through multiple instances of the same policy type can result in conflicts that should be avoided.
If you do run into policy conflicts, see Troubleshooting policies and profiles in Microsoft Intune.
See also
Manage endpoint security in Microsoft Intune
Best practices for securing Microsoft 365 for business plans
Next objective
Set up and manage device groups.
| Best practices and capabilities | Microsoft 365 Business Premium | Microsoft 365 Business Standard | Microsoft 365 Business Basic |
|---|---|---|---|
| 1. Use multi-factor authentication (MFA), also known as two-step verification. See Turn on multi-factor authentication. | Included | Included | Included |
| - Security defaults (suitable for most organizations) | Included | Included | Included |
| - Conditional Access (for more stringent requirements) | Included | | |
| 2. Set up and protect your administrator accounts. See Protect your admin accounts. | Included | Included | Included |
| 3. Use preset security policies to protect email and collaboration content. See Review and apply preset security policies. | Included | Included | Included |
| - Anti-spam, anti-malware, and anti-phishing protection for email | Included | Included | Included |
| - Advanced anti-phishing, spoof settings, impersonation settings, Safe Links, and Safe Attachments for email and Office documents | Included | | |
| 4. Protect all devices, including personal and company devices. See Secure managed and unmanaged devices. | Included | | |
| - Microsoft 365 Apps (Word, Excel, PowerPoint, and more) installed on users’ computers, phones, and tablets | Included | Included | |
| - Windows 10 or 11 Pro Upgrade from Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro | Included | | |
| - Advanced threat protection for users’ computers, phones, and tablets | Included | | |
| 5. Train everyone on email best practices. See Protect yourself against phishing and other attacks. | Included | Included | Included |
| - Anti-spam, anti-malware, and anti-phishing protection for email | Included | Included | Included |
| - Advanced threat protection for email and Office documents | Included | | |
| 6. Use Microsoft Teams for collaboration and sharing. | Included | Included | Included |
| - Microsoft Teams for communication, collaboration, and sharing | Included | Included | Included |
| - Safe Links & Safe Attachments with Microsoft Teams | Included | | |
| - Sensitivity labels for meetings to protect calendar items, Microsoft Teams meetings, and chat | Included | | |
| - Data Loss Prevention in Microsoft Teams to safeguard company data | Included | | |
| 7. Set sharing settings for SharePoint and OneDrive files and folders. | Included | Included | Included |
| - Safe Links and Safe Attachments for SharePoint and OneDrive | Included | | |
| - Sensitivity labels to mark items as sensitive, confidential, etc. | Included | | |
| - Data Loss Prevention to safeguard company data | Included | | |
| 8. Use Microsoft 365 Apps on devices | Included | Included | |
| - Outlook and Web/mobile versions of Microsoft 365 Apps for all users | Included | Included | Included |
| - Microsoft 365 Apps installed on users’ devices | Included | Included | |
| - Employee quick setup guide to help users get set up and running | Included | Included | Included |
| 9. Manage calendar sharing for your business. | Included | Included | Included |
| - Outlook for email and calendars | Included | Included | Included |
| - Data Loss Prevention to safeguard company data | Included | | |
| 10. Maintain your environment by performing tasks, such as adding or removing users and devices. See Maintain your environment. | Included | Included | Included |
Figure 9: Diagram of a Microsoft Teams window, showing Files tab and Get link on the menu.
Best practices
Follow these best practices for your online meetings:
• Schedule your online meetings right in Microsoft Teams. You can choose a team and channel, and Teams
will invite the participants in that team or channel automatically.
• Need an impromptu meeting? If you’re in a one-on-one chat, choose Meet now to start a video or audio
call with the person you’re chatting with.
Schedule a meeting
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOhP]
Join a meeting
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FYWn]
Learn more about meeting in Microsoft Teams:
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWeokQ]
Next objective
After this mission objective is accomplished, learn to securely share files and videos.
Best practices
Ensure your users use these methods to share files and videos securely:
1. Store files in Microsoft Teams or SharePoint, and make sure that only the people who need access to those
files have it.
2. When you want to share, don’t attach files to an email. Instead, choose Get link from Microsoft Teams or
SharePoint and send the link in email.
3. To share a file externally, add the user as a guest to your team, or use SharePoint to get a secure link to
share just that file.
4. Use Microsoft Stream to host videos you want your campaign to see.
5. Use Microsoft Teams or SharePoint to store video files you need your team to collaborate on or share.
Set up
Members of the organization can create a team, and add guests like advertisers or financing partners to it, with
the following steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]
To share a secure link with a guest, without using Microsoft Teams, follow these steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RE22Yf0]
To create and share videos, follow these steps.
[!VIDEO https://www.microsoft.com/videoplayer/embed/RWrv0F]
Download an infographic in PDF or PowerPoint to get a quick overview of ways to share your files.
An illustration of sharing files with different users.
Next objective
Upon completion of this objective, create a communication site for your team.
Next steps
1. Get either Microsoft 365 Business Premium or Microsoft 365 for Campaigns, and start the setup process.
2. Set up your security capabilities.
3. Help everyone Set up unmanaged (BYOD) devices, Use email securely, and Collaborate and share securely.
4. Set up and secure managed devices.