John-Luke Peck This presentation will review in hindsight and retrospect several recent incident response engagements performed over the last 12 months by a 3rd-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services , and support available from Microsoft & Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements. This will include a focus on areas where: * Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data * The data & services available were successfully used during response efforts The presentation will highlight: * Lessons learned about Office365/AzureAD and Incident Response * How Office365, AzureAD, and ATP services and data were used in the response efforts * Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs All presented examples and incidents will be de-identified to maintain and protect privacy and operational security. What this is NOT: * A service provider's sales presentation