NJIT Public KB

Consulting Overview

Mon, 01 Jan 0001 00:00:00 +0000

1. Incident Lifecycle & Decision Logic

1.1. ITIL Fundamentals: The very basics on the ITIL Framework.
1.2. Issue Ownership: Establishing a triage workflow for complex blockers before considering escalation.
1.3. The Escalation Framework: Creating a standardized template for genuine decision points (Context -> Business Impact -> Recommended Options).
1.4. Managing Ambiguity: How to operate when documentation is missing or incomplete.

2. Consulting & Stakeholder Management

2.1. The “Consultant Muscle”: Frameworks for reviewing solution requests against an existing strategy.
2.2. Constructive Pushback: How to confidently say “no” to non-standard approaches while providing technical reasoning and a compliant alternative.
2.3. Advising: Translating complex M365 guardrails into practical “how to do it properly” steps for delivery teams.
2.4. RAID/RAAIDD Logs: Leveraging logs as a technical shield to document risks, decisions, and dependencies for accountability and clear architectural handovers.

Intro to ITIL

Mon, 01 Jan 0001 00:00:00 +0000

ITIL 4 is a globally recognized framework for IT Service Management (ITSM) that focuses on co-creating value with the business through a Service Value System, guiding principles, and continual improvement. It is the most widely adopted guidance for IT Service Management (ITSM) worldwide. In its current iteration, ITIL 4, the framework provides a practical and flexible approach to support organizations in their digital transformation journeys. It shifts the focus from managing isolated IT processes to adopting a holistic, systems-thinking approach that emphasizes the co-creation of value between IT service providers, customers, and other stakeholders.

Intro to PRINCE2

Mon, 01 Jan 0001 00:00:00 +0000

PRINCE2 is a widely used project management method that provides a structured approach to managing projects by dividing it into seven processes. It emphasizes the importance of clear objectives, defined roles and responsibilities, and a focus on progress monitoring and control throughout the project lifecycle.

PRINCE2, an acronym for PRojects IN Controlled Environments, is a globally recognized, structured project management methodology. It provides a process-based approach designed to enhance organization and control within projects, focusing on the effective management of resources and risks. Central to PRINCE2 is its emphasis on product-based planning, meaning the methodology centres on the definition, delivery, and quality of specific project outputs or ‘products’. These products must meet clearly defined quality criteria and contribute to achieving a justified business case, ensuring the project delivers tangible value.

Intro to Scrum

Mon, 01 Jan 0001 00:00:00 +0000

From the official Scrum guide the definition of Scrum is:

…a lightweight framework that helps people, teams and organizations generate value through adaptive solutions for complex problems.

Microsoft 365 Overview

Mon, 01 Jan 0001 00:00:00 +0000

1. M365 Core Services & Architecture

1.1. Exchange Online: Architecture hierarchy, mail flow troubleshooting, shared mailboxes, and hybrid concepts.
1.2. SharePoint Online & OneDrive: Architecture hierarchy, permissions, sprawl management, and sync client troubleshooting.
1.3. Microsoft Teams: Architecture hierarchy, meeting policies, app governance, and standardizing team creation.
1.4. Service-Wide: Troubleshooting issues and data consistency across the ecosystem.

2. Identity & Access (Entra ID)

2.1. Identity & Access Fundamentals: Architecture hierarchy, user and device types, application identity, and cross-tenant relationships.
2.2. Identity Lifecycle: Understanding the flow from HR systems to Active Directory to Entra ID (JML - Joiners, Movers, Leavers).
2.3. Conditional Access (CA): Best practices for CA policies, troubleshooting sign-in logs, and managing exclusions securely.
2.4. Authentication: MFA enforcement, Self-Service Password Reset (SSPR), and modern authentication protocols.

3. Governance & Compliance (Purview)

A guide to Scrum

Mon, 01 Jan 0001 00:00:00 +0000

If you would like to, you can read the official Scrum guide here:

Scrum is a lightweight framework to help teams develop a Product of value via a lean and adaptable approach. The theory behind it is based on the following fundamentals of Scrum:

Intro to ISO 19011

Mon, 01 Jan 0001 00:00:00 +0000

ISO 19011 is an international standard that offers guidelines for auditing management systems. We use these guidelines to audit clients’ information security management systems (like ISO 27001 and other similar frameworks).

Additionally, ISO 19011 can be applied to a variety of other systems, such as quality management systems (ISO 9001) and environmental management systems (ISO 14001). These guidelines are designed to ensure that audits are conducted consistently and effectively, and include:

Intro to ISO 27001

Mon, 01 Jan 0001 00:00:00 +0000

ISO 27001 is an international standard that provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)

ISO 27001 is designed to help organisations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties. The requirements for aligning to this standard are seperated into two components:

Clauses: The ideas/framework for an organisation to follow when managing risks.
Controls: Specific measures an organisation can implement to manage and reduce risks.

When assessing an organisation on their alignment with this standard, the ISO 19011 methodology of Management Systems auditing should be followed.

The 7 Guiding Principles

Mon, 01 Jan 0001 00:00:00 +0000

The 7 Guiding Principles are recommendations that can guide an organization in all circumstances, regardless of changes in its goals, strategies, type of work, or management structure. They are the core messages of ITIL and of service management in general.

1. Focus on value

Explanation: Everything the organization does should link back, directly or indirectly, to value for itself, its customers, and other stakeholders. Value is not just financial; it includes customer experience and user experience.
Application: Understand who the consumers of the service are and what they consider valuable. Map value streams and ruthlessly eliminate activities that do not contribute to value creation. Continuously evaluate whether an action or process is actively delivering or supporting value.

2. Start where you are

Explanation: Do not start from scratch and build something new without considering what is already available to be leveraged. There is often a great deal of value in existing services, processes, programs, projects, and people.
Application: Objectively assess the current state using direct observation and measurement. Identify what works well and can be reused or improved, rather than discarding everything to build from the ground up.

3. Progress iteratively with feedback

Explanation: Resist the temptation to do everything at once. Organize work into smaller, manageable sections that can be executed and completed in a timely manner, making it easier to maintain a sharp focus on each effort.
Application: Use agile methodologies to deliver work in iterations. Continuously gather and respond to feedback from stakeholders before, during, and after each iteration to ensure the work remains focused, relevant, and adaptable to changing circumstances.

4. Collaborate and promote visibility

Explanation: When initiatives involve the right people in the right roles, efforts benefit from better buy-in, more relevance, and increased likelihood of long-term success. Hidden work leads to duplication of effort, risks going unmanaged, and creates a lack of trust.
Application: Break down silos. Ensure that work, progress, and even failures are shared transparently across the organization. Communicate clearly and involve stakeholders at all levels to build trust, share understanding, and make better decisions.

5. Think and work holistically

Explanation: No service, practice, process, department, or supplier stands alone. The outcomes achieved by the service provider and service consumer will suffer unless the organization works on the whole rather than just its individual parts.
Application: Recognize the complexity of the systems involved. Ensure that all Four Dimensions of Service Management are considered in any initiative. Understand how different parts of the organization and external partners interact to co-create value along the entire service value chain.

6. Keep it simple and practical

Explanation: Always use the minimum number of steps needed to accomplish an objective. Outcome-based thinking should be used to produce practical solutions that deliver results without unnecessary bureaucracy.
Application: Eliminate processes, services, actions, or metrics that fail to provide value or produce a useful outcome. If a process, service, action, or metric provides no value, eliminate it. Focus on doing the essentials very well rather than overcomplicating procedures.

7. Optimize and automate

Explanation: Organizations must maximize the value of the work carried out by their human and technical resources. Technology can help organizations scale up and take on frequent, repetitive tasks, freeing human resources for more complex work.
Application: Streamline and optimize processes to make them as efficient as possible before applying automation. Attempting to automate a flawed process will only result in flawed outcomes happening faster. Use human intervention only where it truly adds value, such as in complex decision-making, strategic thinking, or empathetic customer interactions.

In closing

These principles are universally applicable and intended to guide decisions and actions at all levels of the organization. They do not prescribe specific tasks, but rather provide a mindset and culture to support successful service management, agile operations, and the continuous realization of value. When faced with a challenge or decision, practitioners should refer back to these principles to ensure they remain aligned with the core philosophy of ITIL 4.

The 7 Principles

Mon, 01 Jan 0001 00:00:00 +0000

The 7 Principle’s are:

1. Continued Business Justification

Explanation: This principle mandates that a valid, justifiable reason must exist for initiating a project, and this justification must remain valid throughout the project’s entire lifecycle. The core of this justification lies in the project being desirable (benefits outweigh costs and risks), viable (capable of being delivered), and achievable. This rationale is formally documented and maintained in the Business Case.

1.1) Exchange Online

Mon, 01 Jan 0001 00:00:00 +0000

1. Exchange Online Mail Flow Architecture

Understanding the sequence of connectors and filtering layers is critical for troubleshooting delivery and security.

Inbound Connectors: The entry point for mail arriving from third-party security gateways (e.g., Mimecast) or on-premises Exchange servers in a hybrid configuration. These rely on TLS certificate validation or IP whitelisting to establish trust.
Tenant Edge / EOP: The primary hygiene layer where Connection Filtering (IP reputation), Directory Based Edge Blocking (DBEB), and basic Anti-Malware/Anti-Spam scanning occur. Even with an Inbound Connector, EOP will still scan for Malware and High-Confidence Phishing. These are considered “non-negotiable” by Microsoft.
Exchange Transport Rules (ETRs): Custom logic applied after initial hygiene. These rules fire in priority order and can be used for custom routing, disclaimer injection, or bypassing further scanning for trusted internal flows.
Microsoft Defender for Office 365 (MDO): The advanced protection layer including Safe Attachments (sandboxing) and Safe Links (time-of-click verification). This layer also manages Zero-hour Auto Purge (ZAP) to remediate threats post-delivery.
Outbound Connectors: The exit point for mail leaving the tenant destined for specific third-party gateways or on-premises environments. These ensure mail is routed through the correct smarthost rather than directly to the public internet. If the mail returns from the outbound service (e.g. an email signature service), it is treated as a new inbound connection at the edge.
Mailbox Layer: The final delivery point where SCL-based Junk Email filtering and user-defined Inbox Rules are processed.

2. Mail Flow & Routing Troubleshooting

Message Trace: The primary diagnostic tool for mail delivery issues. Use the Exchange Admin Center (EAC) for messages within the last 10 days; use Historical Search for up to 90 days.
Mail Flow Rules (Transport Rules):
- Always verify rule execution order (Priority).
- Ensure “Stop processing more rules” is used deliberately to prevent conflicting actions.
- Test new rules in “Test with Policy Tips” or “Test without Policy Tips” mode before enforcement.
Connectors:
- Validate inbound/outbound connectors for third-party filtering services or on-premises environments.
- Check TLS certificate requirements and IP whitelisting.
Accepted Domains: Verify authoritative vs. internal relay configurations to prevent routing loops.

3. Recipient Management & Governance

Shared Mailboxes:
- Governance: Do not apply licenses to shared mailboxes unless they exceed 50GB or require a continuous In-Place Archive.
- Permissions: Distinguish between FullAccess (read/manage) and SendAs / SendOnBehalf rights. Note that FullAccess does not automatically grant sending rights.
- Automapping: Managed via PowerShell (Add-MailboxPermission -AutoMapping $false if users complain about Outlook client performance issues).
Group Types:
- Distribution Lists (DLs): Legacy broadcast communication. Ensure message approval or sender restrictions are applied to large DLs.
- Microsoft 365 Groups: Modern collaboration tied to SharePoint and Teams. Enforce naming and expiration policies via Entra ID.
Resource Mailboxes: Manage automated booking via Set-CalendarProcessing and configure booking windows and delegate approval.

4. Security, Protection & Authentication

Email Authentication Standards:
- SPF (Sender Policy Framework): Validates outbound sending IPs. Keep DNS lookups under the 10-limit threshold.
- DKIM (DomainKeys Identified Mail): Cryptographic signing of outbound emails. Ensure CNAME records are published and DKIM is enabled in Defender.
- DMARC: Policy enforcement (p=none, quarantine, reject). Review aggregate reports before moving to strict enforcement.
Access Control:
- Verify Basic Authentication is permanently disabled across the tenant.
- Control client access (e.g., POP/IMAP) via Client Access Rules or CAS Mailbox settings.
Protection Policies: Review Anti-Spam, Anti-Phishing, and Anti-Malware policies and manage Safe Links and Safe Attachments.

5. Hybrid Environment Considerations (Enterprise)

Attribute Authority: In an AD-synced environment, Exchange attributes must be managed on-premises via ADUC or an Exchange Management Server.
Routing in Hybrid: Understand the role of the targetAddress (typically alias@tenant.mail.onmicrosoft.com) for routing mail from on-premises to cloud mailboxes.
Cross-Premises Permissions: SendAs and ReceiveAs permissions do not reliably span across on-premises and Exchange Online boundaries; migrations of delegates and shared mailboxes must be batched together.

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

Connection: Connect-ExchangeOnline
Diagnostics: Get-MessageTrace -SenderAddress user@domain.com -StartDate (Get-Date).AddDays(-2)
Permissions:
- Get-MailboxPermission -Identity "Shared Mailbox"
- Add-RecipientPermission -Identity "Mailbox" -Trustee "User" -AccessRights SendAs
Mailbox Configuration:
- Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true
- Set-CASMailbox -Identity user@domain.com -ImapEnabled $false -PopEnabled $false

1.1) ITIL Fundamentals

Mon, 01 Jan 0001 00:00:00 +0000

1. Incident vs. Problem Management (The Break-Fix Boundary)

Do not treat every recurring outage as a standalone emergency. As a Consultant, you are expected to elevate the operation from reactive firefighting to proactive root-cause resolution.

Incident Management: The goal is to restore normal service operations as quickly as possible. Workarounds are entirely acceptable here. (e.g., “The user’s Teams desktop app is crashing; clear the cache and have them use Teams on the Web so they can join their current meeting.”)
Problem Management: The goal is to identify the root cause of one or more Incidents to prevent them from happening again. (e.g., “Why are 50 users experiencing Teams desktop crashes after the latest Intune deployment? We need to analyze the deployment logs and correct the packaging.”)
The Consultant Pivot: When you see Helpdesk logging the same Incident multiple times, step in, declare a “Problem,” and lead the root cause analysis.

2. Navigating Change Management (The CAB)

Never walk into a Change Advisory Board (CAB) meeting with a “we’ll figure it out” attitude. You are dealing with business-critical M365 infrastructure. You must accurately classify your changes and prepare the necessary documentation.

1.2) Issue Ownership

Mon, 01 Jan 0001 00:00:00 +0000

1. The Definition of “Ownership”

In a senior role, “owning” an issue does not mean you have to personally execute every fix. It means you own the resolution lifecycle. You are the primary shield protecting the role owner from operational noise.

The Consultant Mindset: You are the investigator, the communicator, and the triage engineer. You only pass the baton when a definitive architectural or financial boundary is hit.
The “Black Hole” Avoidance: Stakeholders escalate when they feel ignored. Ownership means proactively communicating the status (“I have reproduced the issue and am analyzing the Entra logs”) even if you don’t have the fix yet.

2. The Triage Boundary (Own vs. Escalate)

Establish clear rules of engagement for what you resolve independently versus what requires the role owner.

1.2) SharePoint Online and OneDrive

Mon, 01 Jan 0001 00:00:00 +0000

1. SharePoint Hierarchy & Architecture

Modern SharePoint is built on a flat architecture designed for cloud scalability and governance, moving away from the legacy subsite model in favor of independent site collections.

Tenant Boundary: The global container for the organization’s entire SharePoint and OneDrive service.
Hub Sites: The logical “connective tissue” used to group related site collections (e.g., “HR” or “Projects”) to provide shared navigation, branding, and a unified search scope.
Site Collections (The Administrative Unit): These are the primary units of governance. Each collection is an independent boundary for permissions and features, categorized into two primary types:
- Team Sites: Group-connected sites backed by an M365 Group, designed for active internal collaboration with a shared mailbox and Teams integration.
- Communication Sites: Non-group-connected sites intended for broad broadcasting, such as an Intranet homepage or company news.
- Resource Management: Architecture is governed by tenant-level storage limits. Administrators should configure individual site quotas to prevent any single site collection from exhausting the tenant’s total allocation.
Document Libraries: Containers within a site for storing files that can be configured with unique metadata, versioning, and sensitivity labels.
Folders & Files: Individual items stored within libraries. Item-level permissions are possible but discouraged due to administrative overhead.

2. Permissions & Access Control

Governing access requires a balance between external collaboration needs and internal security guardrails.

1.3) Microsoft Teams

Mon, 01 Jan 0001 00:00:00 +0000

1. Microsoft Teams Hierarchy & Architecture

Microsoft Teams serves as a “logical wrapper” or frontend that aggregates data and services from across the Microsoft 365 ecosystem. It does not natively store its own data; instead, it relies on the following underlying architecture:

The M365 Group: The foundational identity and access framework. Creating a Team automatically provisions an M365 Group, which provides a shared Exchange mailbox, calendar, and SharePoint site.
SharePoint Online: Stores all files uploaded within standard and private Team channels. Each Team is connected to a specific SharePoint Site Collection.
OneDrive for Business: Stores files shared during 1:1 or group chats.
Exchange Online: Manages the Team calendar and stores “hidden” copies of all chat messages for compliance, eDiscovery, and search purposes.
- User Mailboxes: Store copies of 1:1 chat and group chat messages.
- M365 Group Mailboxes: Store copies of standard channel messages.
Entra ID: Handles the core user identity, authentication, and the enforcement of naming and expiration policies.

2. Governance & Lifecycle Management

Provisioning Strategy: Enterprise environments often disable self-service Team creation to prevent sprawl. A documented and functional provisioning workflow (e.g., via Power Automate or a custom app) is essential.
Naming Conventions: Enforced via Entra ID (e.g., [Department] - [Project Name]). Blocked word lists should be configured to prevent unauthorized use of terms like “HR” or “Payroll”.
Lifecycle & Expiration: Backed by M365 Groups. Expiration policies (e.g., 365 days) trigger renewal emails to owners. Orphaned Teams must have an escalation path for reassignment or archiving.
Archiving: Preferred over deletion for compliance, archiving makes the SharePoint site read-only and freezes the chat.

3. External Collaboration & Access Types

External Access (Federation): Allows users to find, call, and chat with people in other M365 domains. It does not grant access to channels or files.
Guest Access: Grants external users access to specific Teams, channels, and files via Entra External ID (B2B collaboration). It must be enabled at the Tenant, Group, and Site levels.
Shared Channels (B2B Direct Connect): Allows sharing a single channel with external organizations without adding them as guests. This requires cross-tenant access settings in Entra ID for both inbound and outbound traffic.

4. Meeting, Calling, & Device Policies

Meeting Policies:
- Lobby Management: The safest default is “People in my organization” to ensure external users only bypass the lobby when explicitly desired.
- Recording & Transcription: Controlled via policies. Recordings are saved to OneDrive (for chats) or SharePoint (for channel meetings).
Telephony / Voice: Connectivity models include Calling Plans, Operator Connect, or Direct Routing. Voice routing is traced via the Dial Plan, Voice Routing Policy, PSTN Usage, and Voice Route.
Resource Accounts: Used for Auto Attendants and Call Queues. These require a “Microsoft Teams Shared Devices” or a free “Microsoft Teams Phone Resource Account” license.

5. App Governance & Management

Permission Policies: Control which users can install specific apps. A common enterprise standard is blocking all third-party apps by default until they pass a security review.
Setup Policies: Controls the “Left Rail” (app bar) layout. This is used to pin critical apps like Viva Connections or ServiceNow for specific departments.

6. Troubleshooting & Diagnostics

Call Quality Dashboard (CQD): The primary tool for investigating audio/video issues like jitter or dropped calls.
“New Teams” Client (v2): Built on WebView2 rather than Electron. To clear the cache, delete the contents in %localappdata%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams.
Teams Web App: Using https://teams.microsoft.com/v2/ is the recommended first step to isolate client-side from tenant-side issues.

7. Essential PowerShell Cmdlets (MicrosoftTeams Module)

Connection: Connect-MicrosoftTeams
Team Management:
- Get-Team -User user@domain.com (Finds all Teams a user belongs to).
- Set-Team -GroupId <ObjectID> -Visibility Private.
Policy Assignment:
- Grant-CsTeamsMeetingPolicy -Identity user@domain.com -PolicyName "Restricted Meetings".
Voice Configuration:
- Get-CsOnlineUser -Identity user@domain.com | Format-List LineURI, EnterpriseVoiceEnabled, VoiceRoutingPolicy.

1.3) The Escalation Framework

Mon, 01 Jan 0001 00:00:00 +0000

1. The Trigger Conditions

Do not escalate simply because a problem is difficult; escalate because a boundary has been crossed. The four definitive triggers for escalating to the role owner are:

Architecture/Security Boundary: The solution requires bypassing a baseline Conditional Access policy, changing a tenant-wide sharing setting, or modifying global identity sync rules.
Financial Boundary: The solution requires purchasing net-new licenses (e.g., Entra ID P2, Teams Premium, Power Apps Premium) or Azure consumption resources.
Systemic Outage: A core service degradation affecting a significant portion of the environment (after verifying the Microsoft Service Health Dashboard).
Political Deadlock: A highly-ranked stakeholder refuses the compliant alternative after you have clearly documented the technical and compliance risks.

2. The Standardized Escalation Template

Never forward a messy, 15-reply email chain to the role owner with a note saying “Thoughts?” Package the escalation into a concise, easily digestible format that forces a decision.

1.4) Managing Ambiguity

Mon, 01 Jan 0001 00:00:00 +0000

1. The Consultant’s Mindset

In an enterprise, “lack of documentation” can be the default state, not an exception. You are being paid for your ability to operate in the gray.

The Rule of Assumption: Assume every bizarre, seemingly illogical configuration was put there for a specific, urgent business reason at the time. Do not tear down a fence until you know why it was built, see Chesterton’s Fence.
Investigation over Escalation: Never escalate a ticket to the role owner stating, “I don’t know what this does.” Escalate by stating, “I have traced this undocumented configuration to X, and it appears to impact Y. Should we decommission it?”

2. Forensic Discovery (Your “Hidden” Documentation)

When SharePoint wikis and IT portals are empty, the Microsoft 365 backend logs become your source of truth.

1.4) Service-wide

Mon, 01 Jan 0001 00:00:00 +0000

1. The M365 Group (The Connective Tissue)

The Blast Radius: M365 Groups are the underlying identity and access framework for modern collaboration. Creating a Group automatically provisions an Exchange Mailbox/Calendar, a SharePoint Team Site, a OneNote notebook, and a Planner plan. Adding Teams is an optional overlay.
Deletion & Recovery: Deleting a Team or a Group-connected SharePoint site deletes the entire M365 Group and all associated data across every workload.
- Soft-deleted groups can be restored within 30 days via the Entra ID portal or Exchange Admin Center.
Naming & Expiration Policies: Administered centrally in Entra ID, these policies cascade down. If an M365 Group expires and is not renewed by the owner, all connected services (Teams, SharePoint, Exchange) are deleted.

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule)

Identity Sync (Entra ID to M365): Changes to user attributes (UPN, Name, Title) or Group memberships in Entra ID often take time to reflect across the ecosystem.
- Exchange Online and SharePoint usually update within 15–60 minutes.
- The Microsoft Teams client relies heavily on local caching and can take up to 24–48 hours to fully reflect profile changes or new group access.
Search Indexing: Newly uploaded files in SharePoint/OneDrive or newly created Teams channels are not instantly searchable. Microsoft Search relies on continuous background crawling. If an entire site is missing from search, you can request a re-index via SharePoint Site Settings, but execution time is governed by Microsoft’s backend load.
Offline Address Book (OAB): For users running Outlook in Cached Exchange Mode, new hires or deleted users will not show up in the Global Address List immediately. Force an OAB download via the Outlook Send/Receive tab to isolate sync issues.

3. Microsoft Search & Information Architecture

Security Trimming: Microsoft Search (across Bing for Business, SharePoint, and Teams) is strictly security-trimmed. Users will only see results for files and sites they have explicit permission to access. If a user complains they can’t find a document, it is almost always a permissions issue, not a search engine failure.
Oversharing Risks: Because Search aggregates data across the tenant, poorly permissioned SharePoint sites or over-permissioned Teams channels (e.g., using “Everyone except external users”) will surface sensitive documents in routine employee searches.
Bookmarks & Q&A: Managed via the M365 Admin Center (Search & Intelligence). Use these to promote official company resources (e.g., HR portals, IT Helpdesk) to the top of search results.

4. Licensing & Service Plans

License Composition: Enterprise licenses (E3/E5) are not monolithic; they are bundles of individual “Service Plans” (e.g., Exchange Online Plan 2, SharePoint Plan 2, Sway, Planner, Viva Insights).
Granular Troubleshooting: If a user has an E3 license but cannot access Planner or Stream, check their specific license assignment in Entra ID or the M365 Admin Center. Individual service plans can be toggled off by administrators or group-based licensing policies.
Group-Based Licensing: In an enterprise environment, licenses should never be assigned manually. They must be managed via Entra ID Security Groups. Troubleshooting missing licenses requires checking the user’s group membership and the licensing group’s assignment logs.

5. Essential PowerShell Cmdlets (Microsoft Graph)

The MSOnline and AzureAD modules are deprecated. Microsoft Graph PowerShell is the required standard for cross-platform and identity management.

Key concepts of ISO 19011:2018 video

Mon, 01 Jan 0001 00:00:00 +0000

If you prefer a visual breakdown over reading through documentation, this 10-minute video is the fastest way to get up to speed. It covers the core pillars of ISO 19011:2018, including audit principles and program management, in a concise, easy-to-digest format.

Overview of the ISO 27001 Clauses

Mon, 01 Jan 0001 00:00:00 +0000

The requirements for an organization’s Information Security Management System (ISMS) in ISO 27001 are outlined in Clauses 4 to 10. These clauses are:

Context of the organization
Leadership
Planning
Support
Operation
Performance evaluation
Improvement

The following is a brief description of each of these clauses.

Clause 4: Context of the organization

An organization’s ISMS needs to document its purpose. It states requirements like:

4.1) The organization needs to identify internal and exteral issues relevant to it and it’s ability to have a successful ISMS.
4.2 a) The organization needs to identify stakeholders.
4.2 b) The organization needs to identify each stakeholder’s needs.
4.3) The scope of the ISMS needs to be defined based on the above and made available as documented information.

Clause 5: Leadership

For an ISMS to be effective it needs support and commitment from top management. It states requirements like:

Scrum Table of Terms

Mon, 01 Jan 0001 00:00:00 +0000

Term	Definition
Product	The output of the project, it is something of value that has clearly defined stakeholders, users and boundaries
Product Goal	The future state of the Product, illustrating what the long-term goal of the Product is
Product Backlog	An evolving and prioritised list of work items that need to be done on to fulfill the Product Goal
Definition of Done	The set of standards that the work on a Product Backlog item must meet to be considered complete
Scrum Team	A small team of people working together on building the Product, working towards the Product Goal
Product Owner	The person accountable for the Product Backlog and ensuring the Product Goal is worked towards
Scrum Master	The person who acting as the coach for the team helps makes sure everyone is working effectively under Scrum
Developers	The people in the Scrum Team completing the work in the Product Backlog
Sprints	Fixed-length blocks of work done on the Product to complete items from the Product Backlog
Sprint Goal	A statement on why the current Sprint is valuable to stakeholders
Sprint Backlog	The selected Product Backlog items for a given Sprint along with the Sprint Goal and the plan for getting the work done within the Sprint
Increment	One or more “Done” work items that are a usable step towards the Product Goal
Scrum Events	Formal Scrum events that happen during every Sprint
Sprint Planning	The first Scrum Event where the Scrum Team establishes the Sprint Goal and Sprint Backlog for the current Sprint
Daily Scrum	A daily Scrum Event where the developers meet to review progress on the Sprint Goal and adapt the Sprint Backlog if required
Sprint Review	The second last Scrum Event where the Scrum Team and the Product stakeholders meet to review Sprint outcomes and the progress towards Product Goal
Sprint Retrospective	The last Scrum Event where the Scrum Team meet and review how the Sprint went

The 4 Dimensions of Service Management

Mon, 01 Jan 0001 00:00:00 +0000

The objective of an organization is to create value for its stakeholders, and this is achieved through the provisioning and consumption of services. To ensure that the Service Value System (SVS) functions properly and efficiently, organizations must consider all aspects of their behavior. In ITIL 4, these are represented by the Four Dimensions of Service Management.

Failing to address all four dimensions adequately can result in services becoming undeliverable, or failing to meet expectations of quality or efficiency.

The 7 Practices

Mon, 01 Jan 0001 00:00:00 +0000

The seven practices provide detailed guidance on how the PRINCE2 principles should be put into practice. In earlier versions they were referred to as ‘Themes’ but have been renamed to ‘Practices’ to better reflect the need for their consistent application rather than being viewed as static topics. Like other elements of PRINCE2, the application of these practices should be tailored to the specific context and complexity of the project.

These practices collectively form the control framework of PRINCE2. They are not merely areas of interest but active management disciplines through which the project manager and the Project Board ensure the project remains aligned with its objectives (Business Case, Quality, Plans), effectively manages uncertainty (Risk, Change), monitors performance against baselines (Progress), and maintains the necessary structure for governance (Organisation). They are the mechanisms that operationalize the principles and enable the structured control central to the PRINCE2 philosophy.

2.1) Identity & Access Fundamentals

Mon, 01 Jan 0001 00:00:00 +0000

1. Identity Hierarchy & Architecture

Entra ID serves as the centralized identity control plane for the Microsoft 365 ecosystem.

The Tenant: The primary boundary for all identity objects and security configurations.
The Identity Plane: Manages the relationship between Users, Devices, and Applications to determine access to resources like SharePoint, Teams, and Fabric.
Object Relationships: Access is typically granted by adding Users or Devices to Groups, which are then assigned permissions to specific resources or applications.

2. Users & Devices (The Core Entities)

User Types:
- Members: Internal accounts, typically synced from on-premises AD, with full directory visibility.
- Guests: External users invited via B2B collaboration; they exist as guest objects in the directory.
- Agents: AI-driven identities assigned a unique Entra Agent ID and their own dedicated M365 resources (Email, OneDrive).
Device States (Trust Signals):
- Entra Registered: Used for BYOD/personal devices; allows for Mobile Application Management (MAM) without full device control.
- Entra Joined: Cloud-native corporate devices fully managed via Intune.
- Hybrid Entra Joined: Legacy domain-joined devices synced from on-premises AD to Entra ID.

3. The Group Ecosystem (Logical Containers)

Distribution Lists (DLs): Legacy, mail-flow only containers; they do not have a Security SID and cannot be used for resource permissions.
Security Groups: The primary tool for assigning permissions and licenses; these are security-principals only and do not have an email address.
Mail-Enabled Security Groups: A “hybrid” container that possesses a Security SID for permissions and an email address for distribution. These are ideal for granting resource access while maintaining a single point of contact for notifications.
Microsoft 365 Groups: The modern “connective tissue” that automatically provisions an Exchange mailbox, SharePoint site, and Teams overlay.
Dynamic Groups: Membership is automatically calculated based on user attributes (e.g., JobTitle -eq "Manager"), ensuring access is updated as users move within the organization.

Source of Authority (SoA) & Management

Synced Groups: If a group is synchronized from on-premises Active Directory, it cannot be edited in Entra ID or the M365 Admin Center. All membership and attribute changes (like email aliases) must occur on-premises.
Cloud-Native Groups: Created and managed entirely within the Entra ID portal or M365 Admin Center.
Writeback: In hybrid environments, certain groups created in the cloud can be “written back” to on-premises AD if the specific synchronization feature is enabled.

4. Application Identity: App Reg vs. Enterprise Apps

Understanding the distinction between these two views of the same application is critical for security governance.

2.1) The Consultant Muscle

Mon, 01 Jan 0001 00:00:00 +0000

1. The Intake Framework (Uncovering the “Why”)

The Golden Rule: Users ask for solutions (e.g., “I need a custom Power Automate flow to break inheritance on 500 folders”). A good Consultant must uncover the requirement (e.g., “We need to securely share specific documents with different external vendors”).
The Triage Questions: Before reviewing any technical solution, establish:
1. Data Classification: What is the sensitivity of the data being handled? (Dictates the required Purview labels and sharing restrictions).
2. Audience & Lifecycle: Who is the audience (Internal vs. B2B Guests), and when does this project end? (Dictates identity lifecycle and M365 Group expiration).
3. Supportability: Who owns this when the project is over? If it requires custom code (e.g., SPFx, complex Power Apps), is there an internal developer team to maintain it?

2. Evaluating Requests Against Existing Governance

The Strategy Alignment Check: You are there to enforce the existing strategy, not invent a new one. Filter requests through these baseline questions:
- Is this out-of-the-box (OOTB)? Always default to native M365 capabilities before approving third-party apps or custom development.
- Does it bypass security controls? (e.g., Requests for service accounts that bypass MFA, or requests to disable DLP for a specific executive).
- Does it scale? (e.g., Manually managing item-level permissions works for 10 files, but fails for 10,000. Pivot the user to a metadata-driven approach or separate Document Libraries).

3. Constructive Pushback (The Art of the Compliant “No”)

The Framework (Acknowledge -> State Risk -> Provide Alternative): Never issue a flat “No.”
- Example Request: “We need a shared mailbox for 50 people.”
- Acknowledge: “I understand the team needs a central place to receive and manage these generic inquiries.”
- State Risk: “However, adding 50 people to a single shared mailbox will cause severe Outlook performance issues, sync delays, and lacks an audit trail of who replied to what.”
- Provide Alternative: “To align with our M365 standards, we should set this up as a Microsoft Teams shared channel or a Group-connected Team site, which is designed for large-scale collaboration.”
Depersonalize the Decision: Reference the policy, not your personal opinion. Use phrases like, “To align with the organization’s Zero Trust framework…” or “Based on the enterprise M365 architectural guardrails…”

4. Practical Translation for Delivery Teams

Avoid “Policy Parroting”: Do not just send delivery teams a link to a 50-page governance PDF.
Provide the “How-To”: Translate the governance into actionable, step-by-step configurations.
- Bad: “Ensure your new SharePoint site complies with the external sharing policy.”
- Good: “When provisioning this site, you must run Set-PnPTenantSite -SharingCapability ExistingExternalUserSharingOnly and assign the ‘Confidential’ sensitivity label to the connected M365 Group.”
Standardized Templates: If you notice delivery teams repeatedly asking the same questions, create a 1-page standard operating procedure (SOP) or a PowerShell snippet they can reuse.

2.2) Identity Lifecycle

Mon, 01 Jan 0001 00:00:00 +0000

1. Source of Authority (SoA) & Synchronization

The Golden Rule of Hybrid: In a directory-synchronized environment Active Directory (On-Premises) is the Source of Authority.
- You cannot edit synced attributes (Name, Manager, Department, ProxyAddresses) directly in Entra ID or the M365 Admin Center. You must modify them on-premises and wait for the sync (or force it).
Sync Engines:
- Entra Connect Sync (formerly AAD Connect): The legacy/standard engine. Syncs every 30 minutes. Requires an on-premises server.
- Entra Cloud Sync: The modern, lightweight agent. Syncs every 2 minutes. Used for disconnected forests or simpler topologies.
Hard vs. Soft Match: When resolving duplicate accounts, understand how Entra ID matches on-premises AD users to cloud users.
- Soft Match: Matches based on UserPrincipalName or Primary SMTP Address.
- Hard Match: Matches based on SourceAnchor (usually the on-premises ObjectGUID converted to a Base64 string called ImmutableID in Entra).

2. The JML Process (Joiners, Movers, Leavers)

Joiners (Onboarding):
- Flow: HR System -> Active Directory -> Entra ID -> Licensing Group -> Mailbox/OneDrive Provisioned.
- Licensing: Never assign licenses directly to the user. Add the user to an Entra ID Security Group configured for Group-Based Licensing.
- Pre-Provisioning: M365 services (like Exchange and OneDrive) do not fully provision until the user is licensed and the backend service registers the license. Do not panic if a mailbox isn’t instantly available after sync.
Movers (Transitions):
- Access Accumulation: The biggest security risk. When users change departments, they often retain their old access.
- Mitigation: Rely on Dynamic Security Groups based on the Department or Title attribute so access is automatically revoked when HR updates the title.
Leavers (Offboarding):
- Standard Enterprise Workflow:
  1. Reset password / scramble on-premises.
  2. Block Sign-in (Entra ID).
  3. Revoke active refresh tokens (Force Sign-out).
  4. Wipe corporate data from personal devices (Intune App Protection) or wipe corporate devices.
  5. Convert to Shared Mailbox and remove M365 license (to free up the license pool while retaining data).
  6. Move user to a disabled OU on-premises (which either syncs as disabled or drops them from sync, depending on scoping rules).

3. Identity Governance & Entitlement Management (Requires Entra ID P2)

Access Packages: Used to bundle resources (SharePoint sites, Teams, Entra Groups, Enterprise Apps) into a single requestable package.
Access Reviews: Automated campaigns asking managers or resource owners to attest to whether users still need access to a specific group or application. Crucial for auditing privileged access.
Privileged Identity Management (PIM):
- Standard users should have zero standing access to admin roles (e.g., Global Admin, Exchange Admin).
- PIM requires admins to “elevate” their access just-in-time (JIT) for a set duration (e.g., 4 hours), requiring MFA and a ticket number for auditing.

4. Dynamic Groups & Attributes

Rule Syntax: Used heavily for automated licensing and app deployment.
- Example: (user.department -eq "Sales") -and (user.accountEnabled -eq true)
Processing Delay: Dynamic group membership is not instant. In a large tenant, it can take anywhere from a few minutes to several hours to recalculate after an attribute change.

5. Essential PowerShell Cmdlets (Microsoft Graph)

Connection: Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
Troubleshooting Sync/Attributes:
- Get-MgUser -UserId user@domain.com -Property OnPremisesSyncEnabled, OnPremisesImmutableId, UserPrincipalName
Offboarding Actions:
- Update-MgUser -UserId user@domain.com -AccountEnabled:$false (Block Sign-in)
- Revoke-MgUserSignInSession -UserId user@domain.com (Kills active sessions across all devices/apps)
Group Management:
- Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" (Lists all dynamic groups)

2.2) Constructive Pushback

Mon, 01 Jan 0001 00:00:00 +0000

1. The Core Framework (ARA)

When pushing back against a misaligned request, never use a flat “No” or cite personal preference. Rely on the Acknowledge -> Risk -> Alternative (ARA) framework to remain collaborative while strictly enforcing governance.

Acknowledge: Validate the underlying business requirement. Users don’t want to break the rules; they just want to solve a workflow problem.
Risk (Objective): Cite the specific enterprise constraint (Security, Governance, Scale, or Cost) that blocks their proposed solution. Depersonalize it (“The framework requires…” not “I won’t let you…”).
Alternative (Compliant): Pivot immediately to the native Microsoft 365 solution that solves their business problem within the guardrails.

2. Common M365 Scenarios & Phrasing Templates

Scenario A: The “VIP Exemption” Request

2.3) Conditional Access

Mon, 01 Jan 0001 00:00:00 +0000

1. Architecture & Core Concepts

The CA Engine: Conditional Access is the zero-trust policy engine of Entra ID. It evaluates Signals (Who, What, Where, Risk), makes a Decision (Block, Grant, Require MFA/Compliance), and applies Enforcement.
Evaluation Logic:
- Policies are evaluated simultaneously, not hierarchically.
- Block trumps all. If Policy A grants access and Policy B blocks access, the user is blocked.
Licensing: Requires Entra ID P1 (minimum) or P2 (for risk-based policies like Identity Protection).

2. Enterprise Baseline Policies (The “Must-Haves”)

Block Legacy Authentication: Blocks protocols that cannot prompt for MFA (e.g., POP, IMAP, older Office clients). This is the single most critical security policy.
Require MFA for All Users: Targets “All Users” and “All Cloud Apps”. (Always utilize exclusions for break-glass accounts).
Require MFA for Azure Management: Specifically targets the “Microsoft Azure Management” app to protect the Azure Portal and PowerShell interfaces.
Device Compliance / Hybrid Joined: For accessing sensitive apps (or all of M365), require the device to be marked as compliant in Intune OR be Hybrid Entra ID Joined.
Risk-Based Policies (If Entra ID P2 is active): Require MFA or password change when User Risk or Sign-in Risk is detected as Medium/High.

3. Governance, Exclusions & Safety Nets

Emergency Access (“Break-Glass”) Accounts:
- Create at least two cloud-only, highly privileged accounts (e.g., bg-admin1@tenant.onmicrosoft.com).
- Exclude these accounts from all Conditional Access policies to prevent tenant-wide lockouts if MFA or federation fails.
- Monitor these accounts aggressively via Log Analytics / Sentinel alerts.
Service Accounts & Exclusions:
- Never use “All Users” without a dedicated exclusion group (e.g., CA-Exclusions-MFA).
- Service accounts that cannot perform MFA must be excluded but should be locked down via other signals (e.g., Named Locations / Trusted IPs).
Report-Only Mode:
- Always deploy new CA policies in Report-Only mode first.
- Let it run for 7-14 days to monitor the Sign-in logs and ensure it doesn’t break legitimate business processes before flipping to “On”.

4. Session Controls & Granular Security

Sign-in Frequency: Forces a user to re-authenticate after a specified period (e.g., 90 days for standard users, 1 hour for risky sign-ins or specific portal access).
Persistent Browser Session: Controls whether users can remain signed in after closing and reopening their browser. Often set to “Never persistent” for shared devices.
App Enforced Restrictions: Integrates with SharePoint Online and Exchange Online to provide limited, web-only access (blocking downloads) when users log in from unmanaged (BYOD) devices.
Authentication Context: Allows applying granular CA policies to specific data within an application. For example, requiring a fresh MFA claim only when a user attempts to access a highly sensitive SharePoint site, even if they are already signed into the tenant.

5. SharePoint Content Protection & SAM

With the SharePoint Advanced Management (SAM) license, Conditional Access can be extended to protect specific SharePoint content rather than the entire service.

2.3) Advising

Mon, 01 Jan 0001 00:00:00 +0000

1. The Translation Framework (Policy vs. Practice)

Delivery teams (Project Managers, Business Analysts, Developers) often view governance as a roadblock because it is written in abstract compliance terms. Your role is to serve as the translator.

The Anti-Pattern: “Your proposed solution violates the Data Handling Standard v2.4. Please revise.”
The Consultant Pattern: “Because this project handles PII, the Data Handling Standard requires us to use a dedicated SharePoint site with the external sharing slider set to ‘New and Existing Guests,’ combined with a 90-day access review policy. Here is how we configure that.”
The Goal: Never make the delivery team guess what the compliant solution looks like.

To avoid designing bespoke solutions for every request, mentally categorize M365 collaboration needs into standardized, pre-approved patterns. When advising, you are simply helping them select the right pattern from the menu.

2.4) Authentication

Mon, 01 Jan 0001 00:00:00 +0000

1. Hybrid Authentication Topologies

Password Hash Synchronization (PHS) + Seamless SSO: The Microsoft-recommended standard for 90% of enterprises. Syncs a hash of the on-premises AD password hash to Entra ID. Provides cloud-auth resilience even if on-premises domain controllers go down.
Pass-Through Authentication (PTA): Validates passwords directly against on-premises Active Directory via lightweight agents. Used when strict security policies prohibit any form of password hash leaving the on-premises network.
Federation (e.g., AD FS, Ping, Okta): Entra ID redirects the authentication request to a third-party Identity Provider (IdP).
- Consultant Note: Many large organizations are actively migrating away from AD FS to PHS/Seamless SSO to reduce infrastructure overhead and mitigate on-premises vulnerabilities.

2. MFA & Modern Authentication Methods

The Authentication Methods Policy: Microsoft has deprecated the legacy per-user MFA portal and legacy SSPR policies. All authentication methods must be managed centrally via the Entra ID > Security > Authentication methods blade.
Method Hierarchy (Weakest to Strongest):
1. SMS / Voice Call: Highly susceptible to SIM swapping. Strongly advocate for deprecation.
2. Microsoft Authenticator (Push): Number Matching is now mandatory globally to prevent MFA fatigue attacks.
3. Phishing-Resistant MFA: FIDO2 Security Keys (YubiKey) and Windows Hello for Business (WHfB). The gold standard for privileged administrative accounts.
System-Preferred Multifactor Authentication: Enable this tenant-wide. If a user has both SMS and the Authenticator app registered, Entra ID will automatically prompt them with the most secure method available.

3. Self-Service Password Reset (SSPR) & Registration

Combined Registration: Users register for both MFA and SSPR in a single workflow (aka.ms/mfasetup).
SSPR Configuration:
- Targeting: Target a specific Entra ID Security Group before rolling out to “All Users.”
- Methods Required: The enterprise standard is requiring 2 methods to reset a password (e.g., Authenticator App + Mobile App Code).
Password Writeback: If the organization is hybrid (using Entra Connect), Password Writeback must be enabled in the sync engine so cloud resets are written back to on-premises Active Directory.

4. Legacy Authentication (A Prime Attack Vector)

What it is: Older protocols (POP3, IMAP4, SMTP Auth, older Office 2013 clients) that cannot interpret Modern Authentication (OAuth 2.0) and therefore bypass MFA.
Remediation:
- Exchange Online has disabled Basic Auth at the tenant level, but it can still be a risk in other areas.
- Explicitly block legacy auth via Conditional Access.
- Exception: SMTP Auth is often still required for on-premises multi-function printers or legacy application relay. Restrict SMTP Auth to specific service accounts and lock those accounts down by IP address in Conditional Access.

5. Troubleshooting & Diagnostics

Sign-in Logs (The Source of Truth):
- Interactive vs. Non-Interactive: Interactive means the user physically typed a password or clicked an MFA prompt. Non-interactive means a client app used a refresh token to get a new access token seamlessly.
Common Error Codes to Memorize:
- 50126: Invalid username or password (Check if the password recently changed on-premises and hasn’t synced, or if PTA agents are down).
- 500121: User didn’t complete the MFA prompt (This error can appear if the user hasn’t completed setting up MFA).
- 50074: Strong authentication is required and the user did not pass the MFA challenge (A Conditional Access policy may have blocked the seamless token and forced an interactive MFA prompt).
- For more: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes.
Entra ID Protection (Risk-Based Auth): If the tenant has Entra ID P2, users flagged with “High User Risk” (e.g., leaked credentials found on the dark web) can be forced to securely reset their password via SSPR before logging in.

6. Essential PowerShell Cmdlets (Microsoft Graph)

Connection: Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All"
Manage User Authentication Methods:
- Get-MgUserAuthenticationMethod -UserId user@domain.com (Lists registered methods)
- New-MgUserAuthenticationPhoneMethod -UserId user@domain.com -phoneType "mobile" -phoneNumber "+1 5555555555" (Pre-populate phone numbers for users, though Authenticator app is preferred).
Troubleshooting Password Sync:
- Get-MgUser -UserId user@domain.com -Property LastPasswordChangeDateTime (Check when Entra ID thinks the password was last changed).

2.4) RAID/RAAIDD Logs

Mon, 01 Jan 0001 00:00:00 +0000

1. The Definitions

RAID (Project Baseline):
- Risk: Potential future events that could negatively impact the project (e.g., “The upcoming Microsoft API deprecation might break the custom script”).
- Action: Immediate tasks or activities required to maintain momentum.
- Issue: Current, active blockers that are preventing progress (e.g., “The production sync is currently failing”).
- Decision: Formal choices made by stakeholders (e.g., “The Steering Committee approved the use of PHS over PTA”).
RAAIDD (The Enterprise Expansion):
- Assumption: Facts or conditions taken as true without immediate proof (e.g., “Assuming all user devices are already Hybrid-Joined”).
- Dependency: External factors the project requires to succeed (e.g., “The Intune rollout depends on the network team opening firewall port 443”).

2. RAID Logs as a Consultant’s “Shield”

Decision Tracking: Every time a stakeholder chooses a non-standard or “Option B” path (see 2.3), it must be logged. This creates an audit trail that prevents the Consultant from being held liable for security or performance issues resulting from that choice.
Managing Assumptions: As a contractor, you often operate with limited initial data. Explicitly logging Assumptions (e.g., “Assuming the client has E5 licenses for this Purview feature”) allows you to immediately flag a Risk or Issue if that assumption is later proven false.
Impact of Dependencies: In the M365 ecosystem, dependencies are often external (e.g., the Microsoft roadmap or third-party IdPs). Highlighting these early ensures the project timeline reflects reality, not just the delivery team’s optimism.

3. M365 Specific RAID Examples

Risk: “Users might experience Outlook sync delays during the first 48 hours of the shared mailbox migration.”
Issue: “Conditional Access Policy ‘CA001’ is blocking legitimate logins from the New York office.”
Assumption: “Assuming the on-premises Active Directory schema is at the minimum required version for Entra Connect.”
Dependency: “Completion of the Exchange Hybrid setup is dependent on the firewall team publishing the on-premises EWS endpoint.”

4. Best Practices for Maintenance

Centralization: Never keep the log in a private document. Use a Microsoft List within the project’s Team site to ensure real-time visibility and collaborative ownership.
Weekly Rhythm: Review the log during every status meeting. Focus on converting Risks into Actions (mitigation) and closing Issues to prevent them from becoming Decisions (accepting the status quo).
The Handover Value: A comprehensive RAID log is the single most important artifact for a clean offboarding. It ensures the role owner understands not just what is configured, but the historical context of the risks that were identified and the decisions that were made.

5. Essential Tools for RAID Management

Microsoft Lists: The industry standard for RAID logs. Use the “Issue Tracker” template as a baseline and customize it with “Decision” and “Risk” columns.
Microsoft Planner: Ideal for the Action and Issue portions of the log to assign specific tasks to delivery team members with due dates.
Power BI: For large-scale enterprise projects, use Power BI to visualize the “Risk Heatmap” and “Issue Aging” to report to executive stakeholders.

Overview of the ISO 27001 Controls

Mon, 01 Jan 0001 00:00:00 +0000

The Controls, listed in Annex A of ISO 27001 fall into the four groups which are derived from and aligned with Clauses 5 to 8. They are:

Organisational controls
People controls
Physical controls
Technological controls

The following is a brief overview of controls in these groups.

5) Organisational controls

This group consists of 37 controls designed to enable effective management of information security risks. It includes controls related to risk management, incident response planning, information security policies, and the clear definition and assignment of roles and responsibilities.

Scrum in relation to Agile

Mon, 01 Jan 0001 00:00:00 +0000

It is important to know that Scrum is an implementation of Agile principles. While Scrum is indeed a framework (a structured approach with defined roles, artifacts, and processes) Agile however is not. Agile is more of an ideology to adopt and as such, it’s not something that you “do”, but instead Agile shapes the way that you “do”.

Here’s a link to the official Agile Manifesto. There is not much to it, just 4 values and 12 principles.

The 7 Processes

Mon, 01 Jan 0001 00:00:00 +0000

Each process is designed to achieve a specific objective, taking defined inputs (information or products) and transforming them through a series of activities into defined outputs. These processes provide the framework within which the PRINCE2 principles are upheld and the themes are actively applied. There are seven distinct processes in the PRINCE2 model.

The flow between these processes follows a logical progression, often visualized in process model diagrams. A typical project starts pre-project, moves into Starting Up a Project (SU), which triggers Directing a Project (DP) by the Project Board. DP authorizes Initiating a Project (IP). Once initiated, the project moves into delivery stages, cycling between Controlling a Stage (CS) and Managing Product Delivery (MP), with Managing a Stage Boundary (SB) occurring between stages. Finally, Closing a Project (CP) concludes the lifecycle. Detailed diagrams sometimes use color-coding to indicate frequency: blue for processes run once per project (like SU, IP, CP), green for once per stage (like SB), and orange/red for processes run multiple times within a stage (like CS, MP, DP activities).

The Service Value System (SVS)

Mon, 01 Jan 0001 00:00:00 +0000

The ITIL Service Value System (SVS) represents how the various components and activities of the organization work together to facilitate value creation through IT-enabled services. It maps how demand and opportunity are transformed into tangible value for stakeholders.

The SVS ensures that the organization continually co-creates value with all stakeholders through the use and management of products and services. The key inputs to the SVS are opportunity and demand, and the output of the SVS is value.

The seven principles of auditing

Mon, 01 Jan 0001 00:00:00 +0000

The seven principles of auditing are:

Integrity: the foundation of professionalism.

Auditors and those managing audit programmes should perform their work ethically, honestly and responsibly. They should only undertake activities if competent to do so. They should work in an impartial manner and be on the look out for influences that may affect their judgement.

Fair presentation: the obligation to report truthfully and accurately.

The findings of an audit should truthfully and accurately represent what was witnessed during the audit. When a bad example was witnessed, was that in contrast to 10 good examples or 100? Significant obstacles and diverging opinions between the audit team and the entity being audited should be reported.

3.1) Data Loss Prevention

Mon, 01 Jan 0001 00:00:00 +0000

1. Deployment Strategy (The “Crawl, Walk, Run” Approach)

Never Start in Enforcement: Implementing a block policy on day one will halt business operations and generate immediate escalations. Always follow the phased rollout:
1. Test it out (Audit Only): Silently gathers data to show you the baseline of what users are sharing.
2. Test it out with Policy Tips: Audits the data but displays a warning to the user (e.g., “This email contains sensitive data”), educating them without blocking the action.
3. Turn it on right away (Enforcement): Actively blocks or encrypts the data.
Scoping: Policies should ideally be scoped to specific locations (Exchange, SharePoint, OneDrive, Teams, Endpoints). Avoid massive “All Locations” policies with complex rules, as they are notoriously difficult to troubleshoot.

2. Classifying the Data (What are we protecting?)

Sensitive Information Types (SITs): Microsoft provides hundreds of out-of-the-box SITs.
- Local Contexts: For example, if you are Australian, familiarize yourself with Australia Tax File Number (TFN), Australia Medicare Number, and Australia Passport Number.
- Custom SITs: Built using Regular Expressions (Regex) + Keywords + Proximity (e.g., finding a 9-digit number within 50 characters of the word “Account”).
Exact Data Match (EDM): Used to prevent false positives. Instead of looking for any credit card, EDM hashes an export of your actual customer database and only triggers a block if it sees a credit card belonging to a known customer.
Trainable Classifiers: Machine learning models trained on hundreds of sample documents to recognize a type of document (e.g., Source Code, Resumes, Legal Agreements) regardless of specific keywords.

3. Policy Rules & The User Experience

Conditions & Exceptions: The most common enterprise condition is: Content contains [SIT] AND Content is shared [Outside my organization].
Confidence Levels & Instance Counts:
- High Confidence: Requires the data pattern, a keyword, and validation (like a checksum).
- Instance Count: Set thresholds. (e.g., 1-4 credit cards = send a warning. 5+ credit cards = hard block and alert the security team).
User Overrides & Business Justifications: When moving to enforcement, configuring “Allow user to override” is critical. It shifts the liability to the user. They must type a reason (e.g., “Approved by client”) which is logged for the compliance team, preventing the IT Helpdesk from becoming a bottleneck.

4. Endpoint DLP (Securing the Local Device)

Onboarding: Devices must be onboarded to Microsoft Purview (usually done silently via Intune configuration profiles) to read endpoint signals.
Capabilities: Endpoint DLP extends protection beyond the browser. It allows you to block users from:
- Copying sensitive files to USB drives.
- Printing sensitive documents.
- Copying sensitive text to the clipboard.
- Uploading files to unsanctioned cloud storage (e.g., blocking upload to personal Google Drive via Edge/Chrome).

5. Alerts, Triage & Permissions

Role-Based Access Control (RBAC): Being a Global Admin or SharePoint Admin does not grant you access to read the contents of a DLP violation. You must be explicitly assigned the Compliance Data Administrator or Information Protection Investigator role to view the source item in the Content Explorer.
Alert Fatigue: Bundle alerts to prevent overwhelming the SOC. Configure rules to send an alert only when a specific volume is reached (e.g., “Send an alert when 5 activities occur within 60 minutes”).

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement / Security & Compliance)

Note: You must connect to the Security & Compliance center specifically, which is nested within the Exchange module.
Connection: Connect-IPPSSession
Policy Management:
- Get-DlpCompliancePolicy (Lists the high-level policies)
- Get-DlpComplianceRule (Lists the granular rules nested inside the policies)
- Get-DlpSensitiveInformationType -Identity "Australia Tax File Number (TFN)" (View the configuration of a specific SIT)

3.2) Information Protection

Mon, 01 Jan 0001 00:00:00 +0000

1. Information Protection Hierarchy (The Classification Engine)

Microsoft Purview Information Protection relies on a structured hierarchy to identify, classify, and protect data from the ground up.

Level 1: Sensitive Information Types (SITs) & Classifiers: The “What.” These are the technical definitions used to identify sensitive data.
- SITs: Patterns like credit card numbers or tax file numbers identified via Regex and keywords.
- Trainable Classifiers: Machine learning models that recognize document types (e.g., contracts or source code) based on their overall structure.
Level 2: Sensitivity Labels: The “Definition.” This layer defines what happens to the data (e.g., encryption, watermarking). Labels are the metadata tags that users see and apply.
Level 3: Label Policies: The “Who and How.” Policies are used to publish labels to specific users or groups.
- Label Publishing: Makes labels visible for manual application.
- Auto-labeling: Automatically applies labels based on the SITs or Classifiers found in the content.

2. Taxonomy & Deployment Strategy

The Taxonomy: An enterprise should have a simple, universally understood taxonomy, typically consisting of four to five tiers: Public, General/Internal, Confidential, and Highly Confidential.
Default Labels: Applying a default label (e.g., General/Internal) to all new emails and documents is the most effective way to baseline tenant security.
Mandatory Labeling: Forcing users to choose a label before saving or sending data. This requires users to actively categorize their work.

3. Item-Level vs. Container-Level Labels

Item-Level Labels: Applied directly to a file (Word, Excel, PDF) or an email. The protection—such as encryption or watermarks—travels with the file regardless of its location.
Container-Level Labels: Applied to M365 Groups, Teams, or SharePoint Sites.
- They do not automatically encrypt the files inside.
- They control container settings: Privacy (Public vs. Private), External Guest Access, and Unmanaged Device Access (e.g., web-only access).
Default Library Labels: A SharePoint Document Library setting that acts as a “bridge,” automatically applying an Item-Level label to any new or edited file within that specific library.

4. Encryption & Access Control (Azure RMS)

Azure Rights Management (RMS): When a label applies encryption, the document is wrapped in Azure RMS, requiring users to authenticate against Entra ID to open it.
Granular Permissions: Admins can define specific rights, such as View Only, Edit, Print, or Copy.
Co-Authoring: To allow multiple users to edit encrypted documents simultaneously in SharePoint or OneDrive, “Co-authoring for files with sensitivity labels” must be enabled at the tenant level.

5. Auto-Labeling (Requires E5 / Purview Premium)

Client-Side Auto-Labeling: Real-time recommendations or automatic application as a user types sensitive information into Word or Outlook.
Service-Side Auto-Labeling: A background process that scans data at rest in SharePoint, OneDrive, and Exchange.
- Constraint: This process can only handle a maximum of 25,000 files per day per tenant, making it unsuitable for instant remediation of massive legacy migrations.

6. Troubleshooting & Client Behavior

Built-in Labeling: Organizations must use the native labeling capabilities built into M365 Apps; the legacy AIP unified labeling client is deprecated.
Sync Delays: New or updated labels can take up to 24 hours to appear in desktop applications. Users can force a sync by clearing the local cache in %localappdata%\Microsoft\Office\CLP.
PDF Support: Native M365 apps and Adobe Acrobat support reading and applying labels to PDF files.

7. Essential PowerShell Cmdlets (Security & Compliance)

Connection: Connect-IPPSSession
Label & Policy Management:
- Get-Label: Lists all sensitivity labels.
- Get-LabelPolicy: Lists all published policies.
File Diagnostics:
- Unlock-SPOSensitivityLabelEncryptedFile: Allows a compliance admin to strip encryption from a file if the original owner has left the company.

3.3) Data Lifecycle

Mon, 01 Jan 0001 00:00:00 +0000

1. The Core Mechanisms: Policies vs. Labels

This is another critical distinction to explain to stakeholders, similar to Information Protection.

Retention Policies:
- Applied at the container level (e.g., an entire Exchange mailbox, a SharePoint site, all Teams chats).
- Broad and invisible to the end user.
- Example: “Retain all employee OneDrive data for 7 years after they leave, then silently delete it.”
Retention Labels:
- Applied at the item level (a specific Word document or email).
- Visible to the user (can be selected from a dropdown in Office apps).
- Records Management: Labels can declare a document as a “Record.” Once marked as a Record, the document is locked and cannot be edited or deleted by anyone (including Global Admins) until the retention period expires.

2. The Principles of Retention (The Conflict Engine)

In an enterprise, a single document might be subject to multiple conflicting policies (e.g., a 7-year HR retain policy, but a 3-year IT auto-delete policy). Microsoft uses a strict hierarchy to resolve this:

Documented information requirements for ISO 27001

Mon, 01 Jan 0001 00:00:00 +0000

The term "Documented information" is used within ISO 27001:2022 27 times. There is no one correct way to manage your documented information but the following are some key documents you would be expected to maintain.

Document Description Notes

ISMS Manual

A document for defining the scope of the ISMS, who relevant stakeholders are, their needs, and who is responsible for what within the ISMS.

Document	Description	Notes
ISMS Manual	A document for defining the scope of the ISMS, who relevant stakeholders are, their needs, and who is responsible for what within the ISMS.	This is ideal for holding documented information pertaining to: Project Roles and Responsibilities Mon, 01 Jan 0001 00:00:00 +0000 In PRINCE2 a single individual might hold multiple roles (especially in smaller projects), or a single role might be shared by several people, provided accountability is clear and conflicts of interest are avoided. The primary goal is absolute clarity on who is responsible for what, ensuring effective decision-making and communication within a structured framework. Project Management Team Structure PRINCE2 typically defines four levels within and around the project management structure: The 34 Management Practices Mon, 01 Jan 0001 00:00:00 +0000 In previous versions of ITIL, the framework heavily emphasized “processes.” ITIL 4 shifted this focus to Management Practices. A practice is defined as a set of organizational resources designed for performing work or accomplishing an objective. This change reflects the fact that delivering services requires more than just a process flow; it requires considering all Four Dimensions of Service Management (People, Information/Technology, Partners, and Value Streams/Processes). The 34 ITIL management practices are grouped into three distinct categories: The audit process for ISO 19011 Mon, 01 Jan 0001 00:00:00 +0000 Stage 1: Initiate the audit Before doing anything else a team leader needs to be appointed to own and run the audit process. With the team leader chosen the audit team needs to reach out to the client to understand the context of the auditee. At a minimum the following needs to be established: The objective: Why is the audit being done? The scope: What are the boundaries of the audit? (e.g. are only specific locations or specific activities being audited?) The criteria: What requirements are the team auditing against? Before starting the audit get confirmation in writing that the above has been approved by upper management. 4.1) Defender for Office 365 Mon, 01 Jan 0001 00:00:00 +0000 1. Safe Links & Safe Attachments (The Core Shields) Safe Links: Provides time-of-click verification of URLs in emails, Teams messages, and Office apps. URL Rewriting: URLs are wrapped in a Microsoft prefix. If a site is later identified as malicious, the user is blocked from visiting even if they click the link hours or days after receipt. Advanced Settings: Ensure “Wait for URL scanning to complete before delivering the message” is enabled for high-security environments. Safe Attachments: Uses a virtual sandbox environment (detonation chamber) to open attachments and check for malicious behavior before delivery. Dynamic Delivery: The recommended setting for user experience. It delivers the body of the email immediately with a placeholder attachment while scanning occurs, replacing the placeholder once the file is cleared. Block vs. Replace: Avoid “Monitor” in production; use “Block” to prevent delivery entirely or “Replace” to deliver the message without the malicious file. 2. Anti-Phishing & Impersonation Protection Impersonation Detection: Specifically protects high-profile users (C-Suite) and internal domains. User Impersonation: Protects against look-alike names (e.g., “John Doe” using a personal Gmail account). Domain Impersonation: Protects against look-alike domains (e.g., `cont0so.com` vs `contoso.com`). Mailbox Intelligence: Uses AI to learn a user’s frequent contacts. It triggers alerts if an email arrives from a sender who looks like a frequent contact but is not. Safety Tips: Enable visual cues in Outlook (e.g., “This sender is new to you” or impersonation warnings) to provide real-time user education. 3. Automated Investigation and Response (AIR) The Playbook: When a high-confidence phish or malware is detected, Defender can trigger an automated investigation. Investigation Steps: The system automatically analyzes the message, identifies other recipients of the same “campaign,” and checks if the user clicked the link or downloaded the file. Remediation Actions: Pending Approval: AIR will suggest actions (e.g., “Soft delete 15 messages,” “Block the sender,” “Reset user’s password”). 4. Threat Explorer & Campaign Discovery Threat Explorer: The primary hunting tool. Use it to search for all emails from a specific sender IP, sender domain, or containing a specific URL/File Hash. Campaign Views: Aggregates individual phishing attempts into “Campaigns.” This allows you to see the scope of an attack and determine if it was targeted (spear-phishing) or a broad broadcast. Message Header Analysis: Accessible directly within the portal. Check the `X-MS-Exchange-Organization-PCL` (Probability Level) and `SCL` (Spam Confidence Level) to determine why a message was or wasn’t blocked. 5. Attack Simulation Training Purpose: Proactively test user vulnerability to phishing. Templates: Use real-world harvested payloads (e.g., “Password Reset,” “HR Policy Update”) to simulate attacks. Outcome-Based Learning: Automatically assign mandatory training modules (e.g., “How to spot a phish”) to users who fail the simulation by clicking or providing credentials. 6. Essential PowerShell Cmdlets (Security & Compliance) Connection: `Connect-IPPSSession` Safe Links Management: `Get-SafeLinksPolicy` (Lists policies) `Get-SafeLinksRule` (Lists the scoping/priorities of the rules) Safe Attachment Management: `Get-SafeAttachmentPolicy` `Get-SafeAttachmentRule` Investigative Cmdlets: `Get-MalwareFilterPolicy` (Review the anti-malware settings) `Get-PhishFilterPolicy` (Review impersonation and anti-phish settings) 4.2) Defender for Endpoint (MDE) Mon, 01 Jan 0001 00:00:00 +0000 1. Onboarding & Sensor Health Onboarding Methods: In an enterprise environment, use Intune (Configuration Profiles) or Group Policy for automated deployment. Local scripts are available for testing but should be avoided for production scale. Sensor Health Monitoring: Regularly check the “Device Inventory” for devices in an “Inactive” or “No sensor data” state. This usually indicates connectivity blocks to MDE backend URLs or the `SENSE` service being disabled. Offboarding Governance: When a device is decommissioned, it must be offboarded to prevent it from negatively impacting the organization’s exposure score. Note that offboarding scripts have a 30-day expiration period for security reasons. 2. Attack Surface Reduction (ASR) ASR Rules: Implement rules to close common entry points for malware (e.g., “Block credential stealing from the Windows local security authority subsystem”). Phased Rollout: Always deploy ASR rules in Audit Mode first. Use the “Attack Surface Reduction” report in the Defender portal to identify potential business-critical software that would be blocked before switching to Enforcement Mode. Exclusions: Manage ASR exclusions at the policy level rather than globally to maintain a tight security posture. 3. Vulnerability Management (TVM) Exposure Score: Monitor this real-time metric to understand the organization’s current risk level relative to the threat landscape. Security Recommendations: Focus on “Top Security Recommendations” which are prioritized based on active exploits in the wild and the business impact on the tenant. Software Inventory: Use the inventory to track end-of-life (EOL) software and missing patches across Windows, macOS, and Linux endpoints. 4. Detection & Response (EDR) Alert Triage: MDE correlates related alerts into a single Incident, providing a full story of the attack chain. Prioritize incidents over individual alerts. Live Response: A command-line console used to remotely collect forensic data, run scripts, or remediate threats on a compromised endpoint in real-time. Automation Levels: Configure “Device Groups” with specific automation levels (e.g., “Full - remediate threats automatically”) to allow AIR (Automated Investigation and Response) to resolve known threats without manual intervention. 5. Next-Generation Protection (Antivirus) Cloud-Delivered Protection: Must be enabled to provide near-instant protection against new and emerging malware that hasn’t been seen by local signatures yet. Tamper Protection: A critical tenant-wide setting that prevents malicious apps (or local admins) from disabling Microsoft Defender antivirus or EDR sensors. 6. Essential PowerShell Cmdlets (Windows Defender Module) Client Status: `Get-MpComputerStatus` (Verify if real-time protection and MDE sensor are active) Configuration Review: `Get-MpPreference` (View current exclusions and scan schedules) Diagnostic Logging: `Get-MpThreatDetection` (Review a history of threats detected on the local machine) Connectivity Troubleshooting: `Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-ValidateEdgeConnectivity"` (Validates that the device can reach MDE cloud service endpoints) 4.3) Defender for Cloud Apps (CASB) Mon, 01 Jan 0001 00:00:00 +0000 1. Cloud Discovery & Shadow IT Discovery Logs: Ingest traffic logs from network firewalls, proxies, or Defender for Endpoint to identify which cloud apps are being used across the organization. Risk Score: Each discovered app is assigned a score (1–10) based on over 90 risk factors (e.g., regulatory compliance like GDPR/HIPAA, data encryption at rest, and legal terms). Sanctioning vs. Unsanctioning: Sanctioned: Apps approved for corporate use; often integrated via API for deeper visibility. Unsanctioned: Apps explicitly blocked. Integration with Defender for Endpoint allows for automatic blocking of these URLs on managed devices. 2. Conditional Access App Control (Session Controls) The Reverse Proxy: Redirects user traffic through Defender for Cloud Apps in real-time when accessing web applications. This is triggered via a Conditional Access policy with the “Use Conditional Access App Control” session setting. Real-Time Actions: Block Download: Allow users to view sensitive data in the browser but prevent them from downloading it to an unmanaged device. Protect on Download: Automatically apply a Purview sensitivity label (encryption) to a file as it is downloaded from a cloud app. Monitor Activity: Log every action taken within a third-party app (e.g., Salesforce, AWS, or Slack) for audit purposes. 3. App Governance & OAuth Permissions OAuth App Inventory: Tracks which third-party applications have been granted permissions to access M365 data (e.g., “Read your mail” or “Access your files”). Permission Triage: Identify “high-privilege” apps that have not been used in 90 days or apps from unverified publishers. App Governance Add-on: Provides advanced machine learning to detect anomalous app behavior, such as an app suddenly downloading a massive volume of data or sending thousands of emails. 4. Information Protection & DLP Integration API Connectors: Connect Defender for Cloud Apps directly to third-party clouds (Google Workspace, Box, Dropbox) to scan for sensitive data at rest. File Policies: Create policies to automatically apply sensitivity labels or remove public sharing links if a file containing PII is detected in a non-Microsoft cloud environment. Unified Labels: Defender for Cloud Apps natively reads Microsoft Purview sensitivity labels, ensuring a consistent data protection policy regardless of where the file is stored. 5. Threat Detection & Anomaly Policies Impossible Travel: Detects when a user signs in from two geographically distant locations in a timeframe that is physically impossible. Ransomware Detection: Identifies patterns of high-volume file deletions or encryptions within cloud storage. Activity Policies: Custom alerts for specific administrative actions, such as “Multiple failed login attempts to a sanctioned app” or “Creation of a new global admin in a third-party cloud.” 6. Essential PowerShell Cmdlets (Microsoft Graph & API) Note: Most CASB management is performed via the portal or the Cloud App Security API. Management via the Microsoft Graph PowerShell SDK is the modern standard for automation. 4.4) Defender for Identity & XDR Mon, 01 Jan 0001 00:00:00 +0000 1. Microsoft Defender XDR Signal Correlation Architecture Microsoft Defender XDR acts as a unified “brain” that correlates raw signals from individual workloads into a cohesive security narrative. The Signal Sources: Isolated alerts and telemetry are gathered from Defender for Endpoint (MDE), Defender for Office 365 (MDO), Defender for Identity (MDI), and Defender for Cloud Apps (MDA). The Correlation Engine: These signals are fed into a central engine that uses AI and machine learning to group related alerts into a single Incident. Incident Storytelling: This process transforms hundreds of individual alerts into a chronological “story” of an attack, such as a phishing email (MDO) leading to a compromised user (MDI) who then performs lateral movement (MDE) and data exfiltration (MDA). Signal Sharing: Enabling XDR integration allows different products to share risk levels; for instance, a “High Risk” device identified by MDE can automatically trigger a block in Entra ID via Conditional Access. 2. Defender for Identity (MDI) & On-Premises Security The Sensor: Installed directly on Domain Controllers and AD FS servers to parse network traffic (RPC, LDAP, Kerberos) and Windows Events. Detection Categories: Reconnaissance: Enumeration of users/groups and DNS or SMB sessions. Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation. Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests. Identity Security Posture (ISPM): Integrated into Microsoft Secure Score to identify vulnerabilities like NTLMv1, unsecure account attributes, and clear-text password exposures. 3. Automated Investigation and Response (AIR) Cross-Product Playbooks: When an incident triggers, AIR executes playbooks that can simultaneously quarantine an email, isolate a device, and disable a compromised user. Evidence & Entity Center: Provides a unified list of files, processes, URLs, and accounts involved, allowing for “one-click” remediation across the environment. Action Center: The single pane of glass used to approve or audit all automated remediation actions. 4. Advanced Hunting (KQL) The Schema: Use Kusto Query Language (KQL) to query raw data across all workloads. `IdentityLogonEvents`: Tracks all authentication attempts across on-prem and cloud. `IdentityDirectoryEvents`: Tracks changes to AD objects like group memberships or password resets. Proactive Hunting: Used to search for “Indicators of Attack” (IoA) that have not yet triggered a formal alert. 5. Microsoft Sentinel Integration SIEM/SOAR Connection: Sentinel provide the broad view across the entire enterprise, including firewalls and multi-vendor logs. Defender XDR Connector: A bi-directional sync ensuring that closing an incident in Sentinel also closes it in the Defender portal, and vice versa. 6. Essential PowerShell & Diagnostic Tools MDI Sensor Management: `Test-MdiSensorApiConnection.ps1` (bundled with the sensor) validates connectivity from the DC to the MDI cloud service. KQL Query Example: `// Find users who had a failed logon followed by a successful one from a different IP IdentityLogonEvents \| where ActionType == "LogonFailed" \| join kind=inner (IdentityLogonEvents \| where ActionType == "LogonSuccess") on AccountObjectId \| where IPAddress != IPAddress1` Health Monitoring: Monitor the portal for “Packet fragmentation” or “Dropped events” which indicate a DC is overloaded or the sensor is misconfigured. Continual Improvement Mon, 01 Jan 0001 00:00:00 +0000 Just as project management frameworks require tailoring to fit the environment, ITIL 4 recognizes that IT service management cannot be static. Organizations must continually adopt and adapt the framework, their services, and their operating models to meet evolving business demands, technological advancements, and external pressures. This adaptability is driven by the concept of Continual Improvement. Continual Improvement happens at all levels of the organization, from strategic executive decisions down to the operational activities of individual teams. It applies to all Four Dimensions of Service Management and all activities within the Service Value Chain. Tailoring PRINCE2 Mon, 01 Jan 0001 00:00:00 +0000 Why Tailor? The primary reason for tailoring is to ensure that the project management method applied is appropriate for the project’s specific circumstances. Applying the full PRINCE2 methodology rigidly, without adaptation (‘robotically’), can lead to unnecessary bureaucracy, especially for smaller or simpler projects. Conversely, insufficient application on complex or high-risk projects can lead to a loss of control. Tailoring aims to strike the right balance, providing adequate governance and control without overburdening the project team, thus making the application of PRINCE2 efficient and relevant. 5.1) Microsoft Intune (Endpoint Management) Mon, 01 Jan 0001 00:00:00 +0000 1. Intune Architecture & Service Flow Microsoft Intune is a cloud-based service that relies on the integration of identity, policy, and local device agents to manage endpoints. Intune Service (Cloud): The central management engine where administrators define configuration, compliance, and application policies. Entra ID (Identity): Serves as the source of truth for the device object. Every managed device must have a record in Entra ID to receive policies based on user or group membership. MDM Channel: The native communication path (Ovirt/WNS) used by the OS to receive standard configuration profiles and compliance checks. Intune Management Extension (IME): A local sidecar service installed on Windows devices to handle complex tasks the native MDM channel cannot, such as Win32 app deployments and PowerShell scripts. Service Flow: The device initiates a check-in → Intune evaluates applicable policies → settings are delivered via the MDM channel or IME → the device executes the settings and reports success or failure back to the portal. 2. Compliance vs. Configuration Policies Compliance Policies: These define the “security floor” for a device, such as requiring BitLocker or a specific OS version. The Signal: Compliance status is a critical signal sent to Entra ID. Conditional Access Integration: If a device is marked non-compliant, Conditional Access can automatically block access to M365 data until the issue is resolved. Configuration Profiles: The primary tool for managing granular settings, often referred to as the “GPO of the cloud”. Settings Catalog: The modern interface for configuring thousands of settings across Windows, macOS, and iOS. Conflict Resolution: If two profiles attempt to set the same value differently, the setting enters a “Conflict” state and is not applied. Compliance policies do not “conflict” in this way; any single failure marks the whole device non-compliant. 3. Device Enrollment & Windows Autopilot The Enrollment Spectrum: BYOD (Registered): Users add a “Work or School account,” typically used for Mobile Application Management (MAM). Corporate (Joined): The device is fully owned and managed by the organization. Windows Autopilot: A suite of technologies used to pre-configure and set up new devices for productive use. Hardware Hash: The unique ID required to register a device with the Autopilot service. Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as forcing a standard user account or skipping privacy settings. Enrollment Status Page (ESP): Tracks the installation of critical apps and profiles before the user reaches the desktop. 4. Mobile Application Management (MAM) vs. MDM MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (like Outlook or Teams) without managing the entire personal device. App Protection Policies (APP): The core of MAM, used to prevent “Save As” to personal storage, restrict Copy/Paste between corporate and personal apps, and require a separate PIN. App Configuration Policies: Used to pre-configure app settings, such as corporate mail server URLs, to simplify the user setup experience. 5. Endpoint Security Integration Security Baselines: Microsoft-recommended groups of settings that provide a hardened starting point for Windows security. Defender for Endpoint Plug-in: Intune is the primary engine for deploying the MDE sensor and managing Antivirus, Firewall, and EDR settings centrally. Remote Actions: Essential for incident response, including Retire (removes corporate data), Wipe (factory reset), and Sync (forces immediate policy check-in). 6. Troubleshooting & Lifecycle The Company Portal App: The user-facing interface for installing optional apps and checking device compliance. Log Analysis: Local Logs: Win32 app and script failures are logged in `C:\ProgramData\Microsoft\IntuneManagementExtension\Logs`. Portal Logs: The “Troubleshooting + support” blade provides a per-user view of policy and app deployment status. 7. Essential PowerShell Cmdlets (Microsoft.Graph.Intune) Connection: `Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"` Inventory: `Get-MgUserManagedDevice -UserId user@domain.com` (Lists devices for a specific user). Management Actions: `Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID>` (Triggers a forced sync). `Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID>` (Removes corporate data). 5.2) Microsoft Copilot & AI Agents Mon, 01 Jan 0001 00:00:00 +0000 1. Architecture & The “Oversharing” Risk Microsoft 365 Copilot and its associated agents rely on a “human-led, agent-operated” model grounded in your organizational data. Work IQ: The intelligence layer grounded in personal and work data (emails, chats, meetings) that provides the context for AI reasoning. The Golden Rule: Copilot and Agents never bypass existing permissions; they utilize the Microsoft Graph and Semantic Index to surface data the user already has access to. Oversharing Remediation: Organizations must identify and lock down sites with excessive “Everyone except external users” permissions or broad sharing links before deployment to prevent AI from surfacing sensitive data to unauthorized users. 2. Microsoft 365 Agents & Entra Agent ID Beyond simple chat, Microsoft 365 now supports autonomous and semi-autonomous agents that possess their own organizational identities. 5.3) Power Platform Mon, 01 Jan 0001 00:00:00 +0000 1. Power Platform Hierarchy & Architecture The Power Platform is structured to allow for granular governance and scale across an enterprise tenant. Tenant: The top-level boundary, tied to a single Entra ID tenant. Environments: The primary containers used to store, manage, and share business data, apps, and flows. Solutions: The mechanism for implementing Application Lifecycle Management (ALM); used to package and transport components across environments. Items/Components: The actual tools built by makers, including Power Apps, Power Automate flows, Copilot Studio bots, and Power Pages. Dataverse: The underlying cloud-scale database and security layer that can be provisioned within an environment. Connectors: The bridges that allow apps and flows to interact with data sources (e.g., SharePoint, SQL, or 3rd-party APIs). 2. Environment Strategy The Default Environment: Every tenant has one, which cannot be deleted or disabled. Every user with a license is automatically an Environment Maker here. Best Practice: This environment should be renamed (e.g., “[Company Name] - Personal Productivity”) to signal its use for non-critical, personal apps. Permissions: While everyone can create items, they remain private until explicitly shared with other users. Dedicated Environments (Prod/Dev/Test): These should be created for departmental or enterprise-grade solutions to maintain strict separation. Managed Environments: Provide enhanced governance features, such as sharing limits and usage insights. Note that every user accessing an app in a Managed Environment must have a Premium license. Dataverse Integration: Environments can be provisioned with or without a Dataverse database. Enterprise-grade apps typically require Dataverse for relational data storage and granular security roles. 3. Power Platform Data Loss Prevention (DLP) Connector Categorization: Connectors within a DLP policy are grouped into three distinct buckets: Business: Data can be shared freely between connectors in this bucket (e.g., SharePoint and Outlook). Non-Business (General): Data can be shared between these, but cannot interact with connectors in the Business bucket. Blocked: These connectors are entirely disabled for use within the scoped environments (e.g., social media or personal storage). Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or used to “Exclude Specific Environments”. Strategy: It is recommended to apply a highly restrictive “Tenant-Wide” policy and create more permissive policies for specifically sanctioned “Project” environments. 4. Licensing & Capacity Standard vs. Premium: Standard: Included with M365 E3/E5 licenses, covering basic connectors like SharePoint, OneDrive, and Outlook. Premium: Required for “Premium” connectors (e.g., SQL, HTTP), On-premises Gateways, and any use of Dataverse. License Types: Per User: Allows a single user to run unlimited apps. Per App: Allows a single user to run one specific app in one specific environment. Capacity Management: Power Platform storage is shared across the tenant and categorized into Database (Dataverse tables), File (attachments), and Log (audit trails). 5. The Center of Excellence (CoE) Starter Kit Purpose: A collection of Microsoft-provided components designed to move administration from reactive to proactive management. Inventory: The kit automatically crawls the tenant to identify every App and Flow, their creators, and usage frequency. Compliance Flow: This can automate governance by emailing makers of “orphaned” apps (where the owner has left) to request business justification or mark them for deletion. 6. On-Premises Data Gateways Function: Enables Power Apps and Power Automate to securely access data residing on-premises, such as SQL Server or local File Shares. Management: Gateways are installed on local servers and managed in “Gateway Clusters” to ensure high availability. Security: The gateway does not bypass underlying permissions; users must still have valid credentials for the data source itself. 7. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell) Connection: `Add-PowerAppsAccount` Environment Discovery: `Get-AdminPowerAppEnvironment`: Lists all environments. `Get-AdminPowerApp -EnvironmentName <ID>`: Lists all apps in a specific environment. DLP Management: `Get-AdminDlpPolicy` Ownership Reassignment: `Set-AdminPowerAppOwner -AppId <AppID> -EnvironmentName <EnvID> -NewOwner <UserUPN>`: Critical for managing orphaned apps during offboarding. 5.4) Microsoft Fabric Mon, 01 Jan 0001 00:00:00 +0000 1. The Fabric Hierarchy & Architecture Fabric is a data platform service residing within an Entra Tenant. The organizational levels are structured as follows: Tenant: The top-level container for the Fabric service. Capacity: The compute resources within Fabric. A tenant can have multiple capacities, each with a specific location and size. Domains & Subdomains (Optional): Logical groups of Workspaces within a Capacity. Workspaces: Containers for items. Each user has a personal “My Workspace”. Workspaces are attached to a single capacity and require that compute power to function. Items: The building blocks within Workspaces used for data storage and transformation. Lakehouse: Stores structured, semi-structured, and unstructured tables and files. Warehouse: Stores structured transaction tables. Objects: Elements existing within items, such as tables, files, views, and stored procedures. 2. OneLake (The “OneDrive for Data”) OneLake is the unified SaaS data lake for the entire organization, built on Azure Data Lake Storage (ADLS) Gen2. 6.1) VoIP Fundamentals Mon, 01 Jan 0001 00:00:00 +0000 1. The Standard Call Path (The Chain) Understanding the journey of a packet is essential for isolating call drops and audio degradation. This “Chain” connects the internal user to the global telephone network. PSTN (Public Switched Telephone Network): The global collection of interconnected circuit-switched networks. This is the “outside world” where traditional E.164 phone numbers reside. SIP Trunk: A virtual version of an analog phone line. It utilizes the Session Initiation Protocol (SIP) to connect a PBX to the PSTN over an internet connection. SBC (Session Border Controller): The gatekeeper and firewall for VoIP. It sits at the network “border” to manage security, NAT traversal, and protocol translation. PABX / PBX (Private Automatic Branch Exchange): The “brain” of the phone system. It manages internal switching and call routing logic. In the M365 ecosystem, this is replaced by the Microsoft Phone System. IVR (Interactive Voice Response): The automated menu logic (e.g., “Press 1 for Sales”). In Teams architecture, these are configured as Auto Attendants. Call Queues: The logic used to hold callers in a line until an agent is available, typically incorporating Music on Hold (MoH) and specific routing methods (Circular, Longest Idle). Handsets / Endpoints: The physical IP phones or “softphone” clients (the Teams app) where the audio termination occurs. 2. Technical VoIP Vocabulary When troubleshooting with “comms” or telco engineers, the following metrics and terms define the health of the voice stream: 6.2) Teams Calling Mon, 01 Jan 0001 00:00:00 +0000 1. Teams Calling Hierarchy & Architecture Teams Calling (Teams Phone) is a cloud-based private branch exchange (PABX) system that connects the Microsoft Teams client to the Public Switched Telephone Network (PSTN). The PABX Service: Microsoft Phone System provides call control, auto-attendants, call queues, and voicemail. Logical Layers: The Client: Teams app (Desktop, Mobile, or IP Phone) where the user interacts with the dialer. The Signal: SIP signaling traffic always travels to the nearest Microsoft 365 server “front door”. The Media: Voice/Video traffic (SRTP) follows the most direct path between participants or to the PSTN gateway. The Gateway: The bridge to the global telephone network. 2. PSTN Connectivity Models Choosing a connectivity model is the most critical architectural decision for a voice deployment.

This is ideal for holding documented information pertaining to:

Project Roles and Responsibilities

Mon, 01 Jan 0001 00:00:00 +0000

In PRINCE2 a single individual might hold multiple roles (especially in smaller projects), or a single role might be shared by several people, provided accountability is clear and conflicts of interest are avoided. The primary goal is absolute clarity on who is responsible for what, ensuring effective decision-making and communication within a structured framework.

Project Management Team Structure

PRINCE2 typically defines four levels within and around the project management structure:

The 34 Management Practices

Mon, 01 Jan 0001 00:00:00 +0000

In previous versions of ITIL, the framework heavily emphasized “processes.” ITIL 4 shifted this focus to Management Practices. A practice is defined as a set of organizational resources designed for performing work or accomplishing an objective. This change reflects the fact that delivering services requires more than just a process flow; it requires considering all Four Dimensions of Service Management (People, Information/Technology, Partners, and Value Streams/Processes).

The 34 ITIL management practices are grouped into three distinct categories:

The audit process for ISO 19011

Mon, 01 Jan 0001 00:00:00 +0000

Stage 1: Initiate the audit

Before doing anything else a team leader needs to be appointed to own and run the audit process. With the team leader chosen the audit team needs to reach out to the client to understand the context of the auditee. At a minimum the following needs to be established:

The objective: Why is the audit being done?
The scope: What are the boundaries of the audit? (e.g. are only specific locations or specific activities being audited?)
The criteria: What requirements are the team auditing against?

Before starting the audit get confirmation in writing that the above has been approved by upper management.

4.1) Defender for Office 365

Mon, 01 Jan 0001 00:00:00 +0000

1. Safe Links & Safe Attachments (The Core Shields)

Safe Links: Provides time-of-click verification of URLs in emails, Teams messages, and Office apps.
- URL Rewriting: URLs are wrapped in a Microsoft prefix. If a site is later identified as malicious, the user is blocked from visiting even if they click the link hours or days after receipt.
- Advanced Settings: Ensure “Wait for URL scanning to complete before delivering the message” is enabled for high-security environments.
Safe Attachments: Uses a virtual sandbox environment (detonation chamber) to open attachments and check for malicious behavior before delivery.
- Dynamic Delivery: The recommended setting for user experience. It delivers the body of the email immediately with a placeholder attachment while scanning occurs, replacing the placeholder once the file is cleared.
- Block vs. Replace: Avoid “Monitor” in production; use “Block” to prevent delivery entirely or “Replace” to deliver the message without the malicious file.

2. Anti-Phishing & Impersonation Protection

Impersonation Detection: Specifically protects high-profile users (C-Suite) and internal domains.
- User Impersonation: Protects against look-alike names (e.g., “John Doe” using a personal Gmail account).
- Domain Impersonation: Protects against look-alike domains (e.g., cont0so.com vs contoso.com).
Mailbox Intelligence: Uses AI to learn a user’s frequent contacts. It triggers alerts if an email arrives from a sender who looks like a frequent contact but is not.
Safety Tips: Enable visual cues in Outlook (e.g., “This sender is new to you” or impersonation warnings) to provide real-time user education.

3. Automated Investigation and Response (AIR)

The Playbook: When a high-confidence phish or malware is detected, Defender can trigger an automated investigation.
Investigation Steps: The system automatically analyzes the message, identifies other recipients of the same “campaign,” and checks if the user clicked the link or downloaded the file.
Remediation Actions:
- Pending Approval: AIR will suggest actions (e.g., “Soft delete 15 messages,” “Block the sender,” “Reset user’s password”).

4. Threat Explorer & Campaign Discovery

Threat Explorer: The primary hunting tool. Use it to search for all emails from a specific sender IP, sender domain, or containing a specific URL/File Hash.
Campaign Views: Aggregates individual phishing attempts into “Campaigns.” This allows you to see the scope of an attack and determine if it was targeted (spear-phishing) or a broad broadcast.
Message Header Analysis: Accessible directly within the portal. Check the X-MS-Exchange-Organization-PCL (Probability Level) and SCL (Spam Confidence Level) to determine why a message was or wasn’t blocked.

5. Attack Simulation Training

Purpose: Proactively test user vulnerability to phishing.
Templates: Use real-world harvested payloads (e.g., “Password Reset,” “HR Policy Update”) to simulate attacks.
Outcome-Based Learning: Automatically assign mandatory training modules (e.g., “How to spot a phish”) to users who fail the simulation by clicking or providing credentials.

6. Essential PowerShell Cmdlets (Security & Compliance)

Connection: Connect-IPPSSession
Safe Links Management:
- Get-SafeLinksPolicy (Lists policies)
- Get-SafeLinksRule (Lists the scoping/priorities of the rules)
Safe Attachment Management:
- Get-SafeAttachmentPolicy
- Get-SafeAttachmentRule
Investigative Cmdlets:
- Get-MalwareFilterPolicy (Review the anti-malware settings)
- Get-PhishFilterPolicy (Review impersonation and anti-phish settings)

4.2) Defender for Endpoint (MDE)

Mon, 01 Jan 0001 00:00:00 +0000

1. Onboarding & Sensor Health

Onboarding Methods: In an enterprise environment, use Intune (Configuration Profiles) or Group Policy for automated deployment. Local scripts are available for testing but should be avoided for production scale.
Sensor Health Monitoring: Regularly check the “Device Inventory” for devices in an “Inactive” or “No sensor data” state. This usually indicates connectivity blocks to MDE backend URLs or the SENSE service being disabled.
Offboarding Governance: When a device is decommissioned, it must be offboarded to prevent it from negatively impacting the organization’s exposure score. Note that offboarding scripts have a 30-day expiration period for security reasons.

2. Attack Surface Reduction (ASR)

ASR Rules: Implement rules to close common entry points for malware (e.g., “Block credential stealing from the Windows local security authority subsystem”).
Phased Rollout: Always deploy ASR rules in Audit Mode first. Use the “Attack Surface Reduction” report in the Defender portal to identify potential business-critical software that would be blocked before switching to Enforcement Mode.
Exclusions: Manage ASR exclusions at the policy level rather than globally to maintain a tight security posture.

3. Vulnerability Management (TVM)

Exposure Score: Monitor this real-time metric to understand the organization’s current risk level relative to the threat landscape.
Security Recommendations: Focus on “Top Security Recommendations” which are prioritized based on active exploits in the wild and the business impact on the tenant.
Software Inventory: Use the inventory to track end-of-life (EOL) software and missing patches across Windows, macOS, and Linux endpoints.

4. Detection & Response (EDR)

Alert Triage: MDE correlates related alerts into a single Incident, providing a full story of the attack chain. Prioritize incidents over individual alerts.
Live Response: A command-line console used to remotely collect forensic data, run scripts, or remediate threats on a compromised endpoint in real-time.
Automation Levels: Configure “Device Groups” with specific automation levels (e.g., “Full - remediate threats automatically”) to allow AIR (Automated Investigation and Response) to resolve known threats without manual intervention.

5. Next-Generation Protection (Antivirus)

Cloud-Delivered Protection: Must be enabled to provide near-instant protection against new and emerging malware that hasn’t been seen by local signatures yet.
Tamper Protection: A critical tenant-wide setting that prevents malicious apps (or local admins) from disabling Microsoft Defender antivirus or EDR sensors.

6. Essential PowerShell Cmdlets (Windows Defender Module)

Client Status:
- Get-MpComputerStatus (Verify if real-time protection and MDE sensor are active)
Configuration Review:
- Get-MpPreference (View current exclusions and scan schedules)
Diagnostic Logging:
- Get-MpThreatDetection (Review a history of threats detected on the local machine)
Connectivity Troubleshooting:
- Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-ValidateEdgeConnectivity" (Validates that the device can reach MDE cloud service endpoints)

4.3) Defender for Cloud Apps (CASB)

Mon, 01 Jan 0001 00:00:00 +0000

1. Cloud Discovery & Shadow IT

Discovery Logs: Ingest traffic logs from network firewalls, proxies, or Defender for Endpoint to identify which cloud apps are being used across the organization.
Risk Score: Each discovered app is assigned a score (1–10) based on over 90 risk factors (e.g., regulatory compliance like GDPR/HIPAA, data encryption at rest, and legal terms).
Sanctioning vs. Unsanctioning:
- Sanctioned: Apps approved for corporate use; often integrated via API for deeper visibility.
- Unsanctioned: Apps explicitly blocked. Integration with Defender for Endpoint allows for automatic blocking of these URLs on managed devices.

2. Conditional Access App Control (Session Controls)

The Reverse Proxy: Redirects user traffic through Defender for Cloud Apps in real-time when accessing web applications. This is triggered via a Conditional Access policy with the “Use Conditional Access App Control” session setting.
Real-Time Actions:
- Block Download: Allow users to view sensitive data in the browser but prevent them from downloading it to an unmanaged device.
- Protect on Download: Automatically apply a Purview sensitivity label (encryption) to a file as it is downloaded from a cloud app.
- Monitor Activity: Log every action taken within a third-party app (e.g., Salesforce, AWS, or Slack) for audit purposes.

3. App Governance & OAuth Permissions

OAuth App Inventory: Tracks which third-party applications have been granted permissions to access M365 data (e.g., “Read your mail” or “Access your files”).
Permission Triage: Identify “high-privilege” apps that have not been used in 90 days or apps from unverified publishers.
App Governance Add-on: Provides advanced machine learning to detect anomalous app behavior, such as an app suddenly downloading a massive volume of data or sending thousands of emails.

4. Information Protection & DLP Integration

API Connectors: Connect Defender for Cloud Apps directly to third-party clouds (Google Workspace, Box, Dropbox) to scan for sensitive data at rest.
File Policies: Create policies to automatically apply sensitivity labels or remove public sharing links if a file containing PII is detected in a non-Microsoft cloud environment.
Unified Labels: Defender for Cloud Apps natively reads Microsoft Purview sensitivity labels, ensuring a consistent data protection policy regardless of where the file is stored.

5. Threat Detection & Anomaly Policies

Impossible Travel: Detects when a user signs in from two geographically distant locations in a timeframe that is physically impossible.
Ransomware Detection: Identifies patterns of high-volume file deletions or encryptions within cloud storage.
Activity Policies: Custom alerts for specific administrative actions, such as “Multiple failed login attempts to a sanctioned app” or “Creation of a new global admin in a third-party cloud.”

6. Essential PowerShell Cmdlets (Microsoft Graph & API)

Note: Most CASB management is performed via the portal or the Cloud App Security API. Management via the Microsoft Graph PowerShell SDK is the modern standard for automation.

4.4) Defender for Identity & XDR

Mon, 01 Jan 0001 00:00:00 +0000

1. Microsoft Defender XDR Signal Correlation Architecture

Microsoft Defender XDR acts as a unified “brain” that correlates raw signals from individual workloads into a cohesive security narrative.

The Signal Sources: Isolated alerts and telemetry are gathered from Defender for Endpoint (MDE), Defender for Office 365 (MDO), Defender for Identity (MDI), and Defender for Cloud Apps (MDA).
The Correlation Engine: These signals are fed into a central engine that uses AI and machine learning to group related alerts into a single Incident.
Incident Storytelling: This process transforms hundreds of individual alerts into a chronological “story” of an attack, such as a phishing email (MDO) leading to a compromised user (MDI) who then performs lateral movement (MDE) and data exfiltration (MDA).
Signal Sharing: Enabling XDR integration allows different products to share risk levels; for instance, a “High Risk” device identified by MDE can automatically trigger a block in Entra ID via Conditional Access.

2. Defender for Identity (MDI) & On-Premises Security

The Sensor: Installed directly on Domain Controllers and AD FS servers to parse network traffic (RPC, LDAP, Kerberos) and Windows Events.
Detection Categories:
- Reconnaissance: Enumeration of users/groups and DNS or SMB sessions.
- Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation.
- Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests.
Identity Security Posture (ISPM): Integrated into Microsoft Secure Score to identify vulnerabilities like NTLMv1, unsecure account attributes, and clear-text password exposures.

3. Automated Investigation and Response (AIR)

Cross-Product Playbooks: When an incident triggers, AIR executes playbooks that can simultaneously quarantine an email, isolate a device, and disable a compromised user.
Evidence & Entity Center: Provides a unified list of files, processes, URLs, and accounts involved, allowing for “one-click” remediation across the environment.
Action Center: The single pane of glass used to approve or audit all automated remediation actions.

4. Advanced Hunting (KQL)

The Schema: Use Kusto Query Language (KQL) to query raw data across all workloads.
- IdentityLogonEvents: Tracks all authentication attempts across on-prem and cloud.
- IdentityDirectoryEvents: Tracks changes to AD objects like group memberships or password resets.
Proactive Hunting: Used to search for “Indicators of Attack” (IoA) that have not yet triggered a formal alert.

5. Microsoft Sentinel Integration

SIEM/SOAR Connection: Sentinel provide the broad view across the entire enterprise, including firewalls and multi-vendor logs.
Defender XDR Connector: A bi-directional sync ensuring that closing an incident in Sentinel also closes it in the Defender portal, and vice versa.

6. Essential PowerShell & Diagnostic Tools

MDI Sensor Management: Test-MdiSensorApiConnection.ps1 (bundled with the sensor) validates connectivity from the DC to the MDI cloud service.

KQL Query Example:

// Find users who had a failed logon followed by a successful one from a different IP
IdentityLogonEvents
| where ActionType == "LogonFailed"
| join kind=inner (IdentityLogonEvents | where ActionType == "LogonSuccess") on AccountObjectId
| where IPAddress != IPAddress1

Health Monitoring: Monitor the portal for “Packet fragmentation” or “Dropped events” which indicate a DC is overloaded or the sensor is misconfigured.

Continual Improvement

Mon, 01 Jan 0001 00:00:00 +0000

Just as project management frameworks require tailoring to fit the environment, ITIL 4 recognizes that IT service management cannot be static. Organizations must continually adopt and adapt the framework, their services, and their operating models to meet evolving business demands, technological advancements, and external pressures. This adaptability is driven by the concept of Continual Improvement.

Continual Improvement happens at all levels of the organization, from strategic executive decisions down to the operational activities of individual teams. It applies to all Four Dimensions of Service Management and all activities within the Service Value Chain.

Tailoring PRINCE2

Mon, 01 Jan 0001 00:00:00 +0000

Why Tailor?

The primary reason for tailoring is to ensure that the project management method applied is appropriate for the project’s specific circumstances. Applying the full PRINCE2 methodology rigidly, without adaptation (‘robotically’), can lead to unnecessary bureaucracy, especially for smaller or simpler projects. Conversely, insufficient application on complex or high-risk projects can lead to a loss of control. Tailoring aims to strike the right balance, providing adequate governance and control without overburdening the project team, thus making the application of PRINCE2 efficient and relevant.

5.1) Microsoft Intune (Endpoint Management)

Mon, 01 Jan 0001 00:00:00 +0000

1. Intune Architecture & Service Flow

Microsoft Intune is a cloud-based service that relies on the integration of identity, policy, and local device agents to manage endpoints.

Intune Service (Cloud): The central management engine where administrators define configuration, compliance, and application policies.
Entra ID (Identity): Serves as the source of truth for the device object. Every managed device must have a record in Entra ID to receive policies based on user or group membership.
MDM Channel: The native communication path (Ovirt/WNS) used by the OS to receive standard configuration profiles and compliance checks.
Intune Management Extension (IME): A local sidecar service installed on Windows devices to handle complex tasks the native MDM channel cannot, such as Win32 app deployments and PowerShell scripts.
Service Flow: The device initiates a check-in → Intune evaluates applicable policies → settings are delivered via the MDM channel or IME → the device executes the settings and reports success or failure back to the portal.

2. Compliance vs. Configuration Policies

Compliance Policies: These define the “security floor” for a device, such as requiring BitLocker or a specific OS version.
- The Signal: Compliance status is a critical signal sent to Entra ID.
- Conditional Access Integration: If a device is marked non-compliant, Conditional Access can automatically block access to M365 data until the issue is resolved.
Configuration Profiles: The primary tool for managing granular settings, often referred to as the “GPO of the cloud”.
- Settings Catalog: The modern interface for configuring thousands of settings across Windows, macOS, and iOS.
- Conflict Resolution: If two profiles attempt to set the same value differently, the setting enters a “Conflict” state and is not applied. Compliance policies do not “conflict” in this way; any single failure marks the whole device non-compliant.

3. Device Enrollment & Windows Autopilot

The Enrollment Spectrum:
- BYOD (Registered): Users add a “Work or School account,” typically used for Mobile Application Management (MAM).
- Corporate (Joined): The device is fully owned and managed by the organization.
Windows Autopilot: A suite of technologies used to pre-configure and set up new devices for productive use.
- Hardware Hash: The unique ID required to register a device with the Autopilot service.
- Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as forcing a standard user account or skipping privacy settings.
- Enrollment Status Page (ESP): Tracks the installation of critical apps and profiles before the user reaches the desktop.

4. Mobile Application Management (MAM) vs. MDM

MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (like Outlook or Teams) without managing the entire personal device.
App Protection Policies (APP): The core of MAM, used to prevent “Save As” to personal storage, restrict Copy/Paste between corporate and personal apps, and require a separate PIN.
App Configuration Policies: Used to pre-configure app settings, such as corporate mail server URLs, to simplify the user setup experience.

5. Endpoint Security Integration

Security Baselines: Microsoft-recommended groups of settings that provide a hardened starting point for Windows security.
Defender for Endpoint Plug-in: Intune is the primary engine for deploying the MDE sensor and managing Antivirus, Firewall, and EDR settings centrally.
Remote Actions: Essential for incident response, including Retire (removes corporate data), Wipe (factory reset), and Sync (forces immediate policy check-in).

6. Troubleshooting & Lifecycle

The Company Portal App: The user-facing interface for installing optional apps and checking device compliance.
Log Analysis:
- Local Logs: Win32 app and script failures are logged in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
- Portal Logs: The “Troubleshooting + support” blade provides a per-user view of policy and app deployment status.

7. Essential PowerShell Cmdlets (Microsoft.Graph.Intune)

Connection: Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"
Inventory:
- Get-MgUserManagedDevice -UserId user@domain.com (Lists devices for a specific user).
Management Actions:
- Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID> (Triggers a forced sync).
- Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID> (Removes corporate data).

5.2) Microsoft Copilot & AI Agents

Mon, 01 Jan 0001 00:00:00 +0000

1. Architecture & The “Oversharing” Risk

Microsoft 365 Copilot and its associated agents rely on a “human-led, agent-operated” model grounded in your organizational data.

Work IQ: The intelligence layer grounded in personal and work data (emails, chats, meetings) that provides the context for AI reasoning.
The Golden Rule: Copilot and Agents never bypass existing permissions; they utilize the Microsoft Graph and Semantic Index to surface data the user already has access to.
Oversharing Remediation: Organizations must identify and lock down sites with excessive “Everyone except external users” permissions or broad sharing links before deployment to prevent AI from surfacing sensitive data to unauthorized users.

2. Microsoft 365 Agents & Entra Agent ID

Beyond simple chat, Microsoft 365 now supports autonomous and semi-autonomous agents that possess their own organizational identities.

5.3) Power Platform

Mon, 01 Jan 0001 00:00:00 +0000

1. Power Platform Hierarchy & Architecture

The Power Platform is structured to allow for granular governance and scale across an enterprise tenant.

Tenant: The top-level boundary, tied to a single Entra ID tenant.
Environments: The primary containers used to store, manage, and share business data, apps, and flows.
Solutions: The mechanism for implementing Application Lifecycle Management (ALM); used to package and transport components across environments.
Items/Components: The actual tools built by makers, including Power Apps, Power Automate flows, Copilot Studio bots, and Power Pages.
Dataverse: The underlying cloud-scale database and security layer that can be provisioned within an environment.
Connectors: The bridges that allow apps and flows to interact with data sources (e.g., SharePoint, SQL, or 3rd-party APIs).

2. Environment Strategy

The Default Environment: Every tenant has one, which cannot be deleted or disabled. Every user with a license is automatically an Environment Maker here.
- Best Practice: This environment should be renamed (e.g., “[Company Name] - Personal Productivity”) to signal its use for non-critical, personal apps.
- Permissions: While everyone can create items, they remain private until explicitly shared with other users.
Dedicated Environments (Prod/Dev/Test): These should be created for departmental or enterprise-grade solutions to maintain strict separation.
- Managed Environments: Provide enhanced governance features, such as sharing limits and usage insights. Note that every user accessing an app in a Managed Environment must have a Premium license.
Dataverse Integration: Environments can be provisioned with or without a Dataverse database. Enterprise-grade apps typically require Dataverse for relational data storage and granular security roles.

3. Power Platform Data Loss Prevention (DLP)

Connector Categorization: Connectors within a DLP policy are grouped into three distinct buckets:
1. Business: Data can be shared freely between connectors in this bucket (e.g., SharePoint and Outlook).
2. Non-Business (General): Data can be shared between these, but cannot interact with connectors in the Business bucket.
3. Blocked: These connectors are entirely disabled for use within the scoped environments (e.g., social media or personal storage).
Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or used to “Exclude Specific Environments”.
- Strategy: It is recommended to apply a highly restrictive “Tenant-Wide” policy and create more permissive policies for specifically sanctioned “Project” environments.

4. Licensing & Capacity

Standard vs. Premium:
- Standard: Included with M365 E3/E5 licenses, covering basic connectors like SharePoint, OneDrive, and Outlook.
- Premium: Required for “Premium” connectors (e.g., SQL, HTTP), On-premises Gateways, and any use of Dataverse.
License Types:
- Per User: Allows a single user to run unlimited apps.
- Per App: Allows a single user to run one specific app in one specific environment.
Capacity Management: Power Platform storage is shared across the tenant and categorized into Database (Dataverse tables), File (attachments), and Log (audit trails).

5. The Center of Excellence (CoE) Starter Kit

Purpose: A collection of Microsoft-provided components designed to move administration from reactive to proactive management.
Inventory: The kit automatically crawls the tenant to identify every App and Flow, their creators, and usage frequency.
Compliance Flow: This can automate governance by emailing makers of “orphaned” apps (where the owner has left) to request business justification or mark them for deletion.

6. On-Premises Data Gateways

Function: Enables Power Apps and Power Automate to securely access data residing on-premises, such as SQL Server or local File Shares.
Management: Gateways are installed on local servers and managed in “Gateway Clusters” to ensure high availability.
Security: The gateway does not bypass underlying permissions; users must still have valid credentials for the data source itself.

7. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell)

Connection: Add-PowerAppsAccount
Environment Discovery:
- Get-AdminPowerAppEnvironment: Lists all environments.
- Get-AdminPowerApp -EnvironmentName <ID>: Lists all apps in a specific environment.
DLP Management:
- Get-AdminDlpPolicy
Ownership Reassignment:
- Set-AdminPowerAppOwner -AppId <AppID> -EnvironmentName <EnvID> -NewOwner <UserUPN>: Critical for managing orphaned apps during offboarding.

5.4) Microsoft Fabric

Mon, 01 Jan 0001 00:00:00 +0000

1. The Fabric Hierarchy & Architecture

Fabric is a data platform service residing within an Entra Tenant. The organizational levels are structured as follows:

Tenant: The top-level container for the Fabric service.
Capacity: The compute resources within Fabric. A tenant can have multiple capacities, each with a specific location and size.
Domains & Subdomains (Optional): Logical groups of Workspaces within a Capacity.
Workspaces: Containers for items. Each user has a personal “My Workspace”. Workspaces are attached to a single capacity and require that compute power to function.
Items: The building blocks within Workspaces used for data storage and transformation.
- Lakehouse: Stores structured, semi-structured, and unstructured tables and files.
- Warehouse: Stores structured transaction tables.
Objects: Elements existing within items, such as tables, files, views, and stored procedures.

2. OneLake (The “OneDrive for Data”)

OneLake is the unified SaaS data lake for the entire organization, built on Azure Data Lake Storage (ADLS) Gen2.

6.1) VoIP Fundamentals

Mon, 01 Jan 0001 00:00:00 +0000

1. The Standard Call Path (The Chain)

Understanding the journey of a packet is essential for isolating call drops and audio degradation. This “Chain” connects the internal user to the global telephone network.

PSTN (Public Switched Telephone Network): The global collection of interconnected circuit-switched networks. This is the “outside world” where traditional E.164 phone numbers reside.
SIP Trunk: A virtual version of an analog phone line. It utilizes the Session Initiation Protocol (SIP) to connect a PBX to the PSTN over an internet connection.
SBC (Session Border Controller): The gatekeeper and firewall for VoIP. It sits at the network “border” to manage security, NAT traversal, and protocol translation.
PABX / PBX (Private Automatic Branch Exchange): The “brain” of the phone system. It manages internal switching and call routing logic. In the M365 ecosystem, this is replaced by the Microsoft Phone System.
IVR (Interactive Voice Response): The automated menu logic (e.g., “Press 1 for Sales”). In Teams architecture, these are configured as Auto Attendants.
Call Queues: The logic used to hold callers in a line until an agent is available, typically incorporating Music on Hold (MoH) and specific routing methods (Circular, Longest Idle).
Handsets / Endpoints: The physical IP phones or “softphone” clients (the Teams app) where the audio termination occurs.

2. Technical VoIP Vocabulary

When troubleshooting with “comms” or telco engineers, the following metrics and terms define the health of the voice stream:

6.2) Teams Calling

Mon, 01 Jan 0001 00:00:00 +0000

1. Teams Calling Hierarchy & Architecture

Teams Calling (Teams Phone) is a cloud-based private branch exchange (PABX) system that connects the Microsoft Teams client to the Public Switched Telephone Network (PSTN).

The PABX Service: Microsoft Phone System provides call control, auto-attendants, call queues, and voicemail.
Logical Layers:
- The Client: Teams app (Desktop, Mobile, or IP Phone) where the user interacts with the dialer.
- The Signal: SIP signaling traffic always travels to the nearest Microsoft 365 server “front door”.
- The Media: Voice/Video traffic (SRTP) follows the most direct path between participants or to the PSTN gateway.
- The Gateway: The bridge to the global telephone network.

2. PSTN Connectivity Models

Choosing a connectivity model is the most critical architectural decision for a voice deployment.

NJIT Public KB

Consulting Overview

Intro to ITIL

Intro to PRINCE2

Intro to Scrum

Microsoft 365 Overview

A guide to Scrum

Intro to ISO 19011

Intro to ISO 27001

The 7 Guiding Principles

1. Focus on value link

2. Start where you are link

3. Progress iteratively with feedback link

4. Collaborate and promote visibility link

5. Think and work holistically link

6. Keep it simple and practical link

7. Optimize and automate link

In closing link

The 7 Principles

1. Continued Business Justification link

1.1) Exchange Online

1. Exchange Online Mail Flow Architecture link

2. Mail Flow & Routing Troubleshooting link

3. Recipient Management & Governance link

4. Security, Protection & Authentication link

5. Hybrid Environment Considerations (Enterprise) link

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module) link

1.1) ITIL Fundamentals

1. Incident vs. Problem Management (The Break-Fix Boundary) link

2. Navigating Change Management (The CAB) link

1.2) Issue Ownership

1. The Definition of “Ownership” link

2. The Triage Boundary (Own vs. Escalate) link

1.2) SharePoint Online and OneDrive

1. SharePoint Hierarchy & Architecture link

2. Permissions & Access Control link

1.3) Microsoft Teams

1. Microsoft Teams Hierarchy & Architecture link

2. Governance & Lifecycle Management link

3. External Collaboration & Access Types link

4. Meeting, Calling, & Device Policies link

5. App Governance & Management link

6. Troubleshooting & Diagnostics link

7. Essential PowerShell Cmdlets (MicrosoftTeams Module) link

1.3) The Escalation Framework

1. The Trigger Conditions link

2. The Standardized Escalation Template link

1.4) Managing Ambiguity

1. The Consultant’s Mindset link

2. Forensic Discovery (Your “Hidden” Documentation) link

1.4) Service-wide

1. The M365 Group (The Connective Tissue) link

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule) link

3. Microsoft Search & Information Architecture link

4. Licensing & Service Plans link

5. Essential PowerShell Cmdlets (Microsoft Graph) link

Key concepts of ISO 19011:2018 video

Overview of the ISO 27001 Clauses

Clause 4: Context of the organization link

Clause 5: Leadership link

Scrum Table of Terms

The 4 Dimensions of Service Management

The 7 Practices

2.1) Identity & Access Fundamentals

1. Identity Hierarchy & Architecture link

2. Users & Devices (The Core Entities) link

3. The Group Ecosystem (Logical Containers) link

Source of Authority (SoA) & Management link

4. Application Identity: App Reg vs. Enterprise Apps link

2.1) The Consultant Muscle

1. The Intake Framework (Uncovering the “Why”) link

2. Evaluating Requests Against Existing Governance link

3. Constructive Pushback (The Art of the Compliant “No”) link

4. Practical Translation for Delivery Teams link

2.2) Identity Lifecycle

1. Source of Authority (SoA) & Synchronization link

2. The JML Process (Joiners, Movers, Leavers) link

3. Identity Governance & Entitlement Management (Requires Entra ID P2) link

4. Dynamic Groups & Attributes link

5. Essential PowerShell Cmdlets (Microsoft Graph) link

1. Focus on value

2. Start where you are

3. Progress iteratively with feedback

4. Collaborate and promote visibility

5. Think and work holistically

6. Keep it simple and practical

7. Optimize and automate

In closing

1. Continued Business Justification

1. Exchange Online Mail Flow Architecture

2. Mail Flow & Routing Troubleshooting

3. Recipient Management & Governance

4. Security, Protection & Authentication

5. Hybrid Environment Considerations (Enterprise)

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

1. Incident vs. Problem Management (The Break-Fix Boundary)

2. Navigating Change Management (The CAB)

1. The Definition of “Ownership”

2. The Triage Boundary (Own vs. Escalate)

1. SharePoint Hierarchy & Architecture

2. Permissions & Access Control

1. Microsoft Teams Hierarchy & Architecture

2. Governance & Lifecycle Management

3. External Collaboration & Access Types

4. Meeting, Calling, & Device Policies

5. App Governance & Management

6. Troubleshooting & Diagnostics

7. Essential PowerShell Cmdlets (MicrosoftTeams Module)

1. The Trigger Conditions

2. The Standardized Escalation Template

1. The Consultant’s Mindset

2. Forensic Discovery (Your “Hidden” Documentation)

1. The M365 Group (The Connective Tissue)

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule)

3. Microsoft Search & Information Architecture

4. Licensing & Service Plans

5. Essential PowerShell Cmdlets (Microsoft Graph)

Clause 4: Context of the organization

Clause 5: Leadership

1. Identity Hierarchy & Architecture

2. Users & Devices (The Core Entities)

3. The Group Ecosystem (Logical Containers)

Source of Authority (SoA) & Management

4. Application Identity: App Reg vs. Enterprise Apps

1. The Intake Framework (Uncovering the “Why”)

2. Evaluating Requests Against Existing Governance

3. Constructive Pushback (The Art of the Compliant “No”)

4. Practical Translation for Delivery Teams

1. Source of Authority (SoA) & Synchronization

2. The JML Process (Joiners, Movers, Leavers)

3. Identity Governance & Entitlement Management (Requires Entra ID P2)

4. Dynamic Groups & Attributes

5. Essential PowerShell Cmdlets (Microsoft Graph)

1. The Core Framework (ARA)

2. Common M365 Scenarios & Phrasing Templates

1. Architecture & Core Concepts

2. Enterprise Baseline Policies (The “Must-Haves”)

3. Governance, Exclusions & Safety Nets

4. Session Controls & Granular Security

5. SharePoint Content Protection & SAM

1. The Translation Framework (Policy vs. Practice)

2. Building the “Pre-Approved Menu” (Architectural Patterns)

1. Hybrid Authentication Topologies

2. MFA & Modern Authentication Methods

3. Self-Service Password Reset (SSPR) & Registration

4. Legacy Authentication (A Prime Attack Vector)

5. Troubleshooting & Diagnostics

6. Essential PowerShell Cmdlets (Microsoft Graph)

1. The Definitions

2. RAID Logs as a Consultant’s “Shield”

3. M365 Specific RAID Examples

4. Best Practices for Maintenance

5. Essential Tools for RAID Management

5) Organisational controls

1. Deployment Strategy (The “Crawl, Walk, Run” Approach)

2. Classifying the Data (What are we protecting?)

3. Policy Rules & The User Experience

4. Endpoint DLP (Securing the Local Device)

5. Alerts, Triage & Permissions

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement / Security & Compliance)