Microsoft Security: Architecture, Tools, and Technologies

Microsoft, one of the world’s biggest software vendors and operator of the world’s second-largest public cloud platform, is strongly focused on security. Microsoft has developed a broad range of security tools and technologies that can help organizations secure modern IT environments and transition to a zero trust security model.

We’ll introduce Microsoft’s zero trust security architecture, and review the full scope of Microsoft security products—identity and access management (IAM) solutions including Azure Active Directory, cloud security solutions including Microsoft Defender for Cloud, threat protection solutions including Microsoft 365 Defender, and risk management solutions including Insider Risk Management.

Adopting a Zero Trust Architecture with Microsoft Technology

The proliferation of cloud computing, mobile devices, the Internet of Things (IoT), and bring your own device (BYOD) policies are changing the technological landscape of modern enterprises.

Traditional security architectures rely on virtual private networks (VPNs) and network firewalls to protect the corporate perimeter. These measures are insufficient against advanced threats: they restrict access to company resources and services at the network edge, but they treat anything inside that edge as trusted, and they fit poorly with employees who need to reach applications and resources across network boundaries.

As it migrated to the cloud and threats evolved, Microsoft adopted a zero trust security model.

Zero trust is based on the principle of proven trust—before trusting, you must first verify. This approach removes the inherent trust typical in legacy networks. A zero trust architecture reduces risk in all environments by:

  • Setting up strong authentication

  • Checking device compliance before granting access

  • Ensuring least-privilege access by allowing only explicitly approved resources


Zero trust requires verification of all transactions between systems, including user identity, network, applications, and device. The system must validate a transaction and ensure it is trustworthy before allowing it to proceed. Ideally, a zero trust environment should include the following:

  • Multi-factor authentication (MFA)—use this mechanism to validate and secure identities. With strong MFA in place, forced password expiration can be dropped, and passwordless methods (for example, FIDO2 security keys or Windows Hello for Business) can remove the password altogether. Biometrics can also establish strong authentication for user-backed identities.

  • Device health validation—validate the health of every device type, and require that each operating system meets a minimum health state (for example, current patches and an active endpoint protection agent) before it is allowed to access corporate resources.

  • Pervasive data and telemetry—use this information to understand your current security state, assess the impact of new controls, correlate data across services and applications, and identify coverage gaps.

  • Least privilege access—limit access to the minimum resources (applications, infrastructure, and services) required to perform a job function. Prefer access solutions scoped to specific resources over ones that grant broad network access without segmentation, such as a flat VPN.


[Diagram: simplified reference architecture for Microsoft's zero trust approach]

Image Source: Microsoft

The diagram above illustrates a simplified reference architecture for Microsoft's approach to zero trust. In this process, the main components are:

  • Microsoft Intune—enables device management and lets you apply device security policy configuration. Intune can also help deploy agents and create policies for Microsoft Defender for Endpoint.

  • Azure Active Directory (Azure AD)—provides the user and device inventory, and its Conditional Access policies enforce device health validation at sign-in.


Intune pushes device configuration requirements to managed devices. A managed device then generates a health statement (its compliance state), which is recorded against the device object in Azure AD. When a user's device requests access to a corporate resource, Azure AD evaluates Conditional Access policy during the authentication exchange and verifies the device's health state before issuing a token.
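The device health check described above is enforced by a Conditional Access policy. The following is an added example, not code from this page or from Microsoft, that builds the Microsoft Graph request body for two such policies (a baseline requiring MFA and a compliant device for all users and applications, and a block for sign-ins that Identity Protection rates as high risk), lints them for the mistakes that most often lock administrators out, and optionally posts them to Graph. The break-glass object ID, the display names and the GRAPH_TOKEN environment variable are assumptions; the JSON shape follows the Graph conditionalAccessPolicy resource, and the call needs a token with the Policy.ReadWrite.ConditionalAccess permission.

```python
import json
import os
import urllib.request

# Microsoft Graph v1.0 endpoint for Conditional Access policies.
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Assumed placeholder object ID for an emergency-access (break-glass) account;
# replace with the real IDs from your tenant.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-000000000001"]


def build_baseline_policy(break_glass_ids, report_only=True):
    """All users, all cloud apps: require MFA AND a device Intune has marked compliant."""
    return {
        "displayName": "ZT baseline: MFA and compliant device",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }


def build_risky_signin_block_policy(break_glass_ids, report_only=True):
    """Block sign-ins that Azure AD Identity Protection scores as high risk."""
    return {
        "displayName": "ZT: block high sign-in risk",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return findings for configurations that commonly lock admins out or grant access unchecked."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        findings.append("applies to All users with no break-glass exclusion")
    if policy.get("state") == "enabled":
        findings.append("created directly in enforced state; start report-only and review sign-in logs first")
    if not controls:
        findings.append("no grant controls: verify this is an intentional session-only policy")
    if controls == ["block"] and apps.get("includeApplications") == ["All"] \
            and not conditions.get("signInRiskLevels"):
        findings.append("blocks All apps unconditionally; scope it to a risk level, location or app")
    return findings


def push_policy(policy, token):
    """POST the policy to Microsoft Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH_CA_URL,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed: set only when you really want to create policies
    for policy in (build_baseline_policy(BREAK_GLASS_ACCOUNTS),
                   build_risky_signin_block_policy(BREAK_GLASS_ACCOUNTS)):
        problems = lint_policy(policy)
        print(json.dumps(policy, indent=2))
        print("lint:", problems or "ok")
        if token and not problems:
            print("created:", push_policy(policy, token)["id"])
```

Both policies are created in report-only mode so the sign-in logs show who would have been blocked before anything is enforced; the lint refuses to push a policy that has no break-glass exclusion, which is the single most common cause of a tenant-wide lockout.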

Microsoft Identity and Access Management Solutions

Azure Active Directory

Azure AD (now Microsoft Entra ID) is a cloud-based identity and access management (IAM) service. It enables users to sign in and access the following resources:

  • External resources—covers Azure portal and Microsoft SaaS applications like Microsoft 365.

  • Internal resources—covers applications on a corporate network and intranet and cloud applications developed by the organization.

Azure Lighthouse

Azure Lighthouse lets organizations delegate management of their Azure resources to service providers, so the providers can work independently without the customer giving up control. The customer decides which service provider can access the tenant, which subscriptions or resource groups they can access, and for how long.

Lighthouse controls access via role-based access control (RBAC), allowing organizations to control who has access, what actions they can take, and what areas of the Azure tenant they have access to.

Identity Governance, Conditional Access and MFA

Azure AD identity governance enables organizations to balance security and employee productivity. It ensures that the right individuals have access to the right resources, for the right reasons and for a limited time.

These and related Azure AD and Enterprise Mobility + Security features reduce access risk by protecting, monitoring, and auditing access to critical assets. Azure AD Identity Protection assigns each sign-in and each user a risk level derived from signals such as leaked credentials, anonymous IP addresses, and atypical travel. Separately, Microsoft Sentinel User and Entity Behavior Analytics (UEBA) enrichments analyze user activities against a dynamically compiled baseline across three dimensions (user activities, device activities, and behavioral profiles) and show the level of risk for each.

Azure AD risk-based policies act on Identity Protection's risk levels automatically. For example, a risk-based Conditional Access policy can block a sign-in attempt, or require an additional action such as an MFA prompt or a password change, when the sign-in or user risk crosses a threshold.

Microsoft Defender for Identity

This cloud-based solution uses signals from on-premises Active Directory, collected by sensors installed on domain controllers, to identify and investigate compromised identities, malicious insider activity, and advanced threats.

Microsoft Defender for Identity often supports the efforts of security professionals and SecOps analysts in detecting advanced attacks across hybrid environments. Here are key features:

  • Monitor—the solution employs learning-based analytics to monitor users, activities, and entity behavior.

  • Protect—this solution can protect user identities and credentials stored in on-premises Active Directory.

  • Identify and investigate—Microsoft Defender for Identity can identify and investigate suspicious user activity and advanced attacks across the entire kill chain.

  • Insights—the solution provides incident information displayed on a simple timeline to enable fast triaging.

Microsoft Intune

Microsoft Intune is a cloud-based service for Mobile Device Management (MDM) and Mobile Application Management (MAM) that integrates with Azure Active Directory or on-premises Active Directory. Organizations can control how devices such as phones, tablets, and laptops are used, and can control applications by configuring specific policies. Combined with Azure AD Conditional Access, for example, it can prevent sign-ins from unfamiliar locations or from non-compliant devices from reaching sensitive corporate data.

Intune can:

  • Support multiple mobile environments and securely manage iOS/iPadOS, Android, Windows, and macOS devices.

  • Set up rules and configure settings for accessing data and networks on devices owned by individuals and organizations, including deploying security agents and endpoint policies.

  • Deploy and validate applications locally and on mobile devices.

  • Protect company information by controlling how users access and share it.

  • Make sure devices and apps meet security requirements.


BlueVoyant recommends enrolling devices in Intune before onboarding to an MDR service. Intune streamlines patch and upgrade management and gives the provider a way to enforce device security settings.

Microsoft Cloud Security Solutions

Microsoft Defender for Cloud

Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWPP) tool: it assesses the configuration of cloud resources and protects workloads such as virtual machines, containers, storage, and databases. Integrated with the Microsoft Defender plans, it provides enhanced cloud resource security and can protect workloads running on Azure, hybrid infrastructure, and other cloud platforms such as AWS and Google Cloud.

Azure Arc integrates with Defender for Cloud to protect non-Azure resources located on-premises or at other cloud providers, such as virtual machines, Kubernetes clusters, and SQL servers.

Defender for Cloud also bridges other workloads, Defender for Endpoint, and Microsoft Sentinel. It relies on virtual machine extensions, small agents that enable configuration and automation after deployment; for example, an extension can install software, deploy anti-virus protection, or run custom scripts. Azure Arc can deploy the same VM extensions to non-Azure Windows and Linux VMs, enabling a unified, multicloud management experience.

Defender for Cloud provides four key capabilities:

  • Secure score—a single score that summarizes the current security posture. The higher the score, the lower the identified risk level.

  • Security recommendations—prioritized actions to improve the security posture. Organizations can implement recommendations by following detailed remediation steps, and the Fix button can apply many of them automatically.

  • Security alerts—Defender for Cloud detects threats to resources and workloads and displays the alerts in the Azure portal. It can also email alerts to relevant people and stream them to SIEM, SOAR, or IT service management solutions.

  • Integration with Defender for Endpoint—enables monitoring servers alongside traditional IT workstations, to enhance visibility across the enterprise architecture. BlueVoyant recommends using Azure Arc where possible to extend the value of Defender for Endpoint to servers.

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It supports several deployment modes, including API connectors to sanctioned apps, log collection from firewalls and proxies for cloud discovery, and a reverse proxy for session control. It provides visibility, data movement control, and analytics to help identify and remediate cyber threats across Microsoft and third-party cloud services, and it serves two job roles at once: compliance and security.

Defender for Cloud Applications natively integrates with Microsoft solutions and is designed for security professionals. It offers easy deployment, innovative automation, and centralized management capabilities.

Related content: Read our guide to Microsoft cloud application security.

Microsoft Sentinel (Azure Sentinel)

Microsoft Sentinel is a scalable, cloud native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It provides security analytics and threat intelligence in a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Microsoft Sentinel provides a bird's-eye view of the entire enterprise. It can help deal with increasingly sophisticated attacks, increasing alert volumes, and long remediation time frames.

Microsoft Sentinel key capabilities include:

  • Collecting cloud-scale data for every user, device, application, and infrastructure, both on-premises and across multiple clouds.

  • Detecting evasive threats and minimizing false positives using Microsoft analytics and unparalleled threat intelligence.

  • Using artificial intelligence to investigate threats and leverage Microsoft's cybersecurity experience to identify suspicious activity at scale.

  • Quickly responding to incidents with built-in orchestration and common task automation.
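As an added example, not from this page or from Microsoft, here is the detection logic behind the kind of scheduled analytics rule a Sentinel workspace would run over Azure AD SigninLogs: a password spray, where one source IP fails authentication against many distinct accounts inside a short window. The KQL constant is what you would paste into a scheduled rule; the Python implements the same aggregation over a constructed batch of sign-in records (the IP addresses, user names and timestamps are made up, with 203.0.113.10 as the spraying source) so it runs offline. Result codes 50126 (invalid credentials) and 50053 (account locked) are real Azure AD sign-in error codes; the threshold of 10 distinct accounts per hour is an assumption to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# KQL equivalent for a Sentinel scheduled analytics rule (query period and frequency of 1h).
PASSWORD_SPRAY_KQL = """
SigninLogs
| where ResultType in ("50126", "50053")
| summarize FailedUsers = dcount(UserPrincipalName), Attempts = count()
    by IPAddress, WindowStart = bin(TimeGenerated, 1h)
| where FailedUsers >= 10
"""

# Azure AD sign-in result codes that indicate a failed credential guess.
FAILED_CREDENTIAL_CODES = {"50126", "50053"}


def _signin(ts, upn, ip, result):
    """Shape of the SigninLogs columns this detection reads."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip, "ResultType": result}


# Constructed sample: 11 different accounts fail from 203.0.113.10 within one hour (a spray),
# while 198.51.100.7 shows one user mistyping a password twice and then succeeding (benign).
SAMPLE_SIGNINS = [
    _signin(f"2024-03-01T09:{i:02d}:30Z", f"user{i:02d}@contoso.example", "203.0.113.10", "50126")
    for i in range(1, 12)
] + [
    _signin("2024-03-01T09:15:00Z", "bob@contoso.example", "198.51.100.7", "50126"),
    _signin("2024-03-01T09:15:20Z", "bob@contoso.example", "198.51.100.7", "50126"),
    _signin("2024-03-01T09:15:45Z", "bob@contoso.example", "198.51.100.7", "0"),
]


def _parse_time(value):
    """Parse the ISO 8601 timestamps SigninLogs exports (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window, like KQL's bin()."""
    seconds = int(window.total_seconds())
    bucket = int(ts.timestamp()) // seconds * seconds
    return datetime.fromtimestamp(bucket, tz=timezone.utc)


def detect_password_spray(events, window=timedelta(hours=1), min_distinct_users=10):
    """Return one finding per (IP, window) whose failed attempts span >= min_distinct_users accounts."""
    users_by_key = defaultdict(set)
    attempts_by_key = defaultdict(int)
    for ev in events:
        if ev["ResultType"] not in FAILED_CREDENTIAL_CODES:
            continue  # successes and non-credential failures are not spray evidence
        key = (ev["IPAddress"], _window_start(_parse_time(ev["TimeGenerated"]), window))
        users_by_key[key].add(ev["UserPrincipalName"])
        attempts_by_key[key] += 1
    findings = []
    for (ip, start), users in sorted(users_by_key.items()):
        if len(users) >= min_distinct_users:
            findings.append({
                "IPAddress": ip,
                "WindowStart": start.isoformat(),
                "FailedUsers": len(users),
                "Attempts": attempts_by_key[(ip, start)],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

The distinct-user count is what separates a spray from a single user fumbling a password: bob's two failures from 198.51.100.7 never reach the threshold, while the eleven one-attempt-per-account failures from 203.0.113.10 do, even though no individual account trips a lockout.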

Learn more in our detailed guide to Azure Sentinel (Microsoft Sentinel).

Microsoft Threat Protection Solutions

Microsoft 365 Defender

Microsoft 365 Defender is an enterprise defense suite that includes capabilities for pre-breach and post-breach stages. It offers integrated protection against sophisticated attacks by natively coordinating, preventing, detecting, investigating, and responding to threats across applications, identities, endpoints, and email.

This solution helps security professionals aggregate threat signals across products and determine the impact and scope of a threat. It helps them learn how a threat infiltrated the environment, what components the threat affected, and how it is currently affecting the ecosystem. It can also automatically respond to events, attempting to prevent or stop an attack and fix affected endpoints, user identities, and mailboxes.

Learn more in our detailed guide to Microsoft 365 Defender.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an endpoint security platform intended for enterprise networks, helping them prevent, discover, and respond to sophisticated endpoint threats.

Defender for Endpoint uses these technologies built into Microsoft cloud services and Windows 10:

  • Endpoint behavioral sensors—embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send them to the organization's private, isolated cloud instance of Defender for Endpoint.

  • Cloud security analytics—leveraging big data, machine learning, and Microsoft's visibility across the Windows ecosystem and enterprise cloud products like Office 365, behavioral signals are turned into insights, detections, and recommended responses to advanced threats.

  • Threat intelligence—compiled by the Microsoft Threat Intelligence Center (MSTIC) from trillions of signals across Microsoft software and services, and enhanced with threat intelligence from partners, this data enables Defender for Endpoint to identify attacker tools, techniques, and procedures (TTPs) and generate alerts when they appear in the sensor data.


[Figure omitted: Microsoft Defender for Endpoint diagram]

Image Source: Microsoft

Learn more in our detailed guide to Microsoft Defender for Endpoint.

Microsoft Defender for Office 365

This cloud-based email filtering service helps protect against threats targeting email and workplace collaboration tools, such as phishing schemes, malware attacks, and email compromise. It provides capabilities for investigation, hunting, and remediation that support security teams in identifying, prioritizing, investigating, and responding to threats.

Automated Investigation and Response (AIR) empowers security operations teams, enabling automated investigation and response to common known threats. AIR generates suggested remediation actions, and teams only need to approve these steps to respond to detected threats.

Learn more in our detailed guide to Microsoft Defender for Office 365.

Microsoft 365 E5

Microsoft 365 offers a suite of productivity apps. Microsoft 365 E5 is the enterprise-grade version of this suite. In addition to productivity applications, E5 offers Microsoft security, compliance, and analytics technologies. Key features of Microsoft 365 E5 include:

  • Security—integrated and automated security features to protect identities and mitigate threats. Prevents attacks from dealing serious damage.

  • Compliance—manages and secures data by centralizing information protection and compliance capabilities. Minimizes risk and helps organizations comply with regulatory and organizational compliance requirements.

  • Analytics—provides Power BI capabilities to help organizations analyze and gain insights from security data.


Learn more in our detailed guide to Microsoft 365 E5.

Microsoft Risk Management Solutions

Insider Risk Management

Insider Risk Management (IRM) is a Microsoft 365 compliance solution that helps minimize internal risk by enabling detection, investigation, and remediation of malicious or accidental harmful activities.

Organizations can use insider risk policies to define which risk indicators to watch, detect matching activity, handle cases, and optionally escalate cases to Microsoft Advanced eDiscovery. Risk analysts can quickly take the appropriate actions to ensure that users comply with organizational standards.

Communication Compliance

Communication Compliance is Microsoft 365's insider risk solution for communications, helping you minimize messaging risk. It allows organizations to detect, capture, and respond to inappropriate messages.

Predefined and custom policies allow organizations to scan internal and external communications for policy matches and route them to reviewers. Reviewers can examine Microsoft Teams, email, Yammer, or imported third-party communications to ensure they meet the organization's messaging standards.

eDiscovery

Electronic discovery (eDiscovery) involves finding electronic information that can serve as evidence in legal cases. Microsoft 365 offers eDiscovery tools to help you search for content in various systems, including Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and Microsoft 365 Groups.

Content search lets you search sites and mailboxes with a single eDiscovery query and export the results. A Core eDiscovery case additionally lets you identify, place a hold on, and export the content found in those sites and mailboxes.