As you've seen throughout this book, managing access to resources is a key component of keeping your data secure in the Microsoft 365 platform. Microsoft 365 offers several tools and capabilities to help you secure your users, data, access, and infrastructure. While configuring these policies is out of scope for the MS-300 exam, it's important to know which features and capabilities exist and when they might be applicable.
Microsoft recommends configuring policies based on risk profiles. You can use the following table to get an idea of what general policies and protections are available with which products, and for which risk profiles they might be applied:
| Risk/Protection Level | Policies | Description | Products or SKUs |
| --- | --- | --- | --- |
| Baseline | Require MFA when sign-in risk is medium or high | Risk-based multi-factor authentication | Azure AD P2 |
| | Block clients that don't support modern authentication | Legacy auth clients bypass | Azure AD P1 |
| | High-risk users must change their passwords | Forces users to change their password when signing in if high-risk activity is detected on their account | Azure AD P2 |
| | Define app protection policies | App protection policies limit the movement of data in managed apps | Azure AD P1 or Azure AD P2 |
| | Require approved apps | Enforces mobile app protection for phones and tablets | Azure AD P1 or Azure AD P2 |
| | Define device compliance policies | Intune enrollment | Azure AD P1 or Azure AD P2 |
| | Require compliant PCs | Intune enrollment | Azure AD P1 or Azure AD P2 |
| Sensitive | Require MFA when sign-in risk is low, medium, or high | Risk-based multi-factor authentication | Azure AD P2 |
| | Require compliant PCs and mobile devices | Enforce Intune management for PCs and phones/tablets | Azure AD P1 or Azure AD P2 |
| Highly regulated | Always require MFA | Always require multi-factor authentication to access services | All Office 365 Plans |
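To make the differences between the three risk profiles concrete, the following Python model (added here; it is not from the book and does not reproduce Azure AD's Conditional Access engine) encodes the table's controls as a decision function and runs a few constructed sign-ins through it. The MFA risk thresholds follow the table; treating the tiers as cumulative and the `SignIn` fields are assumptions.

```python
from dataclasses import dataclass

# Azure AD sign-in risk levels, ordered from lowest to highest
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Lowest sign-in risk at which each tier requires MFA, taken from the table:
# baseline = medium or high, sensitive = low or above, highly regulated = always
MFA_RISK_THRESHOLD = {"baseline": "medium", "sensitive": "low", "highly_regulated": "none"}


@dataclass
class SignIn:
    user: str
    risk: str               # "none", "low", "medium" or "high"
    modern_auth: bool       # False for legacy protocols that cannot perform MFA
    mobile: bool            # phone/tablet rather than PC
    device_compliant: bool  # Intune reports the device as compliant


def evaluate(tier: str, s: SignIn) -> str:
    """Return the grant decision for one sign-in: 'block', 'mfa' or 'allow'.

    Assumption: tiers are cumulative, so 'sensitive' and 'highly_regulated'
    also carry the baseline controls.
    """
    # Baseline: block clients that don't support modern authentication
    if not s.modern_auth:
        return "block"
    # Baseline requires compliant PCs only; sensitive and above also require
    # compliant mobile devices. Unmanaged mobile at baseline is governed by app
    # protection policies, which this model does not evaluate.
    needs_compliance = not s.mobile or tier != "baseline"
    if needs_compliance and not s.device_compliant:
        return "block"
    if RISK_ORDER[s.risk] >= RISK_ORDER[MFA_RISK_THRESHOLD[tier]]:
        return "mfa"
    return "allow"


def evaluate_all(signins: list[SignIn]) -> dict[str, dict[str, str]]:
    """Decision per user for each tier, to compare how the tiers diverge."""
    return {s.user: {t: evaluate(t, s) for t in MFA_RISK_THRESHOLD} for s in signins}


# Constructed sample sign-ins (not real telemetry)
SAMPLE = [
    SignIn("alice", "low", True, False, True),      # low risk, compliant PC
    SignIn("bob", "medium", True, False, True),     # medium risk, compliant PC
    SignIn("carol", "none", False, False, True),    # legacy auth client
    SignIn("dave", "none", True, True, False),      # unmanaged phone, no risk
]

if __name__ == "__main__":
    for user, decisions in evaluate_all(SAMPLE).items():
        print(f"{user:6} " + "  ".join(f"{t}={d}" for t, d in decisions.items()))
```

Running it shows the same low-risk sign-in passing at baseline but requiring MFA at the sensitive tier, and an unmanaged phone being allowed at baseline but blocked once compliant mobile devices are required.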
To gain the most flexibility and security in your environment, Microsoft recommends that you subscribe to either the Azure AD P1 or P2 service, either standalone or as part of a suite offering (Enterprise Mobility + Security E3, Enterprise Mobility + Security E5, Microsoft M365 E3, or Microsoft M365 E5).
Microsoft also provides very detailed guidance on configuring and securing core infrastructure (such as Identity or Windows 10 Enterprise), deploying workloads into that secured infrastructure, and then enabling scenarios for your workforce. The following diagram depicts how the core infrastructure lays the foundation for application workloads and user scenarios:
While configuring and deploying the underlying infrastructure that's necessary to empower your organization's workforce is outside the scope of the MS-300 exam, it's important to know that a secure and sustainable environment depends on each of the six foundation components shown in the preceding diagram.