MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx

Público
Microsoft Cybersecurity
Reference Architectures (MCRA)
Plan your end-to-end security
architecture using Zero Trust principles
N
Adoption Framework
April 2025 Release

Público
• Overview of Security Adoption Framework
and end to end cybersecurity architecture
• End to End Security: Consider the whole problem
• Ruthlessly Prioritize: Identify top gaps + quick wins
• Get started: Start somewhere & continuously
improve
• Antipatterns and best practices
• Guiding rules and laws for security
• Diagrams and references
Applying Zero Trust principles
MCRA Agenda
Top End to End Security Challenges
• Incomplete or network-centric architectures
aren’t agile & can’t keep up with continuous
change (security threats, technology platform,
and business requirements)
• Challenges with
• Creating integrated end to end architecture
• Integrating security technologies
• Planning and prioritizing security
modernization initiatives
MCRA is a subset of the full
Security Architecture Design
Session (ADS) module 1 workshop:
Adoption Framework
SAF Overview

Público
Whiteboard – Current Security Architecture
Geography and Cloud Usage
• Where does your organization operate?
• Which workloads are in the cloud?
Which major cloud providers? (SaaS,
PaaS, IaaS)
Business and Technical Drivers
• What is top of mind for business
stakeholders?
• What risks are important to the business?
• Business/technology initiatives driving
change?
• What metrics are important to your
program?
Threats
What types of attacks and
adversaries are top of mind?
Compliance
Large & notable
regulatory
requirements
Architecture, Policy, and Collaboration
Describe how teams work together on end to end security + guiding documents/artifacts
• Enterprise-wide security architecture approach and documentation
• Policy update, monitoring, and related governance processes
• Posture and vulnerability management processes
• Technical collaboration processes (e.g. sharing learnings, joint technical planning,
etc. with security operations, architects, engineers, posture management, governance,
others)
• Differences between on premises vs. cloud processes

Público
Security Adoption Framework (SAF)
Zero Trust security modernization aligned to business goals and risks
End to End Reference Strategy, Architecture, & Implementation using Zero Trust principles
Business Scenarios
Promised Outcomes
Security Disciplines - Reference architectures, plans, and more
Strategy, Integration, and Governance
Access and Identity
Security Operations (SecOps/SOC)
Infrastructure & Development Security
Data Security
Technology
Implementation
Identities
Apps
Data
Infrastructu
re
Network
Endpoints
OT and IoT Security
AI
Artificial
Intelligence
(AI)
I want to rapidly and securely
adopt AI (including protecting
data)
I want people to do their job
securely from anywhere
I want to minimize business
damage from security incidents
I want to identify and protect
critical business assets
I want to continuously improve
my security posture and
compliance

Público
Implementation and
Operation
Architects & Technical
Managers
Technical Leadership
CI
O
CISO
Business
Leadership
CEO
Zero Trust security modernization rapidly reduces organizational risk
Digital
Transformation
Implementation
and Operation
Technical
Planning
Architecture and
Policy
Security
Strategy,
Programs, &
Epics
Business
Transformation
Workshops available in Microsoft Unified
Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.)
Includes
Reference Plans
Access and
Identity
Security
Operations
(SecOps/SOC)
Infrastructure
& Development
Security
Data Security OT and IoT
Security
Technology Implementation & Optimization
> > > > > > > > > > > > > >
Microsoft Cybersecurity Reference Architectures (MCRA)
End to End Security Architecture Using Zero Trust Principles
Security Capability Adoption Planning (SCAP)
Enterprise Security Assessment
CISO Workshop
End-to-end Security Program and Strategy Guidance + Integration with Digital &Cloud TransformationTeams
Security Strategy and Program
Engaging Business
Leaders on Security
We are here

Público
Security must be integrated everywhere
and stay on a journey of continuous improvement
Attackers prefer cheapest and easiest options
…but are often willing to go further and spend more
Security impacting decisions are made by most
roles
• Everybody has security accountabilities and/or responsibilities
• Decision Makers are accountable for security outcomes of their decisions
• Security teams must enable and support all roles across the organization
(including business, engineering, and more)
Continuous improvement, learning, and prioritization are critical to manage this

Público
Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk
Securing cloud like on premises
Attempting to force on-prem controls and
practices directly onto cloud resources
Lack of commitment to lifecycle
Treating security controls and processes as
points in time instead of an ongoing lifecycle
Wasting resources on legacy
Legacy system maintenance and costs draining
ability to effectively secure business assets
Disconnected security approach
Independent security teams, strategies, tech,
and processes for network, identity, devices, etc.
Skipping basic maintenance
Skipping backups, disaster recovery exercises,
and software updates/patching on assets
Artisan Security
Focused on custom manual solutions instead of
automation and off the shelf tooling
Best Practices
Develop and implement an end to end technical security
strategy focused on durable capabilities and Zero Trust
Principles
This workshop helps you define and rapidly improve on best
practices across security including:
• Asset-centric security aligned to business priorities &
technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security
lifecycle
• Pragmatic prioritization based on attacker motivations,
behavior, and return on investment
• Balance investments between innovation and rigorous
application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces
automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and
business teams

Público
Attacker Failure + Increased Attacker Cost/Friction
Security Success
Invest intentionally into providing these durable outcomes
Find and kick them out fast
Reduce dwell time (mean time to remediate) with
rapid detection and remediation
Block Cheap and Easy Attacks
Increase cost and friction for well known & proven
attack methods (or easy to block options)
‘Left of Bang’
Prevent or lessen impact of attacks
‘Right of Bang’
Rapidly and effectively manage attacks
Requires end to end collaboration

Público
Improving Resiliency
Enable business mission while continuously increasing security assurances
IDENTIFY PROTECT DETECT RESPOND RECOVER
GOVERN
‘Left of Bang’
‘Right of Bang’
NIST Cybersecurity Framework v2
The job will never be ‘done’ or ‘perfect’, but it’s
important to keep doing (like cleaning a house)

Público
Zero Trust Architecture
Security Posture Management
End to End Security
Enable business mission and increasing security assurances with intentional approach
IDENTIFY PROTECT DETECT RESPOND RECOVER
GOVERN
‘Left of Bang’
‘Right of Bang’
Modern Security Operations (SecOps/SOC)
Access and Identity
Infrastructure & Development Security
IoT and OT Security
Data Security

Público
Attackers choose the path of least cost/resistance
Antipattern: Believing attackers will follow the planned path
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls

Público
Attacker Perspective: shaped by experience & ‘fog of
war’
Attackers use what they see, know, and can guess
Phishing email to admin
Looks like they have
NGFW, IDS/IPS, and DLP
I bet their admins
1. Check email from
admin
workstations
2. Click on links for
higher paying jobs
Low
Found passwords.xls
Now, let’s see if admins
save service account
passwords in a
spreadsheet…
High

Público
Strategically position security investments
Raise cost and friction on attacker’s easiest and highest impact paths
Replace password.xls ‘process’ with
• PIM/PAM
• Workload identities
Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and
security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection
Modernize Security Operations
• Add XDR for identity, endpoint (EDR),
cloud apps, and other paths
• Train SecOps analysts on endpoints and
identity authentication flows
Protect Privileged Accounts
Require separate accounts for Admins
and enforce MFA/passwordless
Privileged Access Workstations (PAWs)
+ enforce with Conditional Access
Rigorous Security Hygiene
• Rapid Patching
• Secure Configuration
• Secure Operational Practices

Público
Security is complex and challenging
Infrastructure
Application
Data
People
Attackers have a lot of options
 Forcing security into a holistic
complex approach
 Regulatory Sprawl - 200+ daily updates from 750 regulatory bodies
 Threats – Continuously changing threat landscape
 Security Tools – dozens or hundreds of tools at customers
Must secure across everything
 Brand New - IoT, DevOps, and Cloud services, devices and products
 Current/Aging - 5-25 year old enterprise IT servers, products, etc.
 Legacy/Ancient - 30+ year old Operational Technology (OT) systems
Nothing gets retired!
Usually for fear of breaking
something (& getting blamed)
Hybrid of Everything, Everywhere, All at Once
Attacks can shut all business operations down, creating board level
risk
‘Data swamp’ accumulates
managed data + unmanaged ‘dark’ data

Público
Security is the opposite of productivity Business Enablement
Align security to the organization’s mission, priorities, risks, and processes
Assume Compromise
Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
All attacks can be prevented
Shift to Asset-Centric Security Strategy
Revisit how to do access control, security operations, infrastructure and development security, and more
Explicitly Validate Account Security
Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
Network security perimeter will keep attackers
out
Passwords are strong enough
IT Admins are safe
IT Infrastructure is safe
Goal: Zero Assumed Trust
Reduce risk by finding and removing implicit assumptions of trust
Developers always write secure code
The software and components we use are secure
Plan and Execute Privileged Access Strategy
Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
Validate Infrastructure Integrity
Explicitly validate trust of operating systems, applications, services accounts, and more
Integrate security into development process
Security education, issue detection and mitigation, response, and more
Supply chain security
Validate the integrity of software and hardware components from open source. vendors, and others
False Assumptions
of implicit or explicit trust
Zero Trust Mitigation
Systematically Build & Measure Trust
With 30+ years of backlog at most organizations, it
will take a while to burn down the backlog of
assumed trust

Público
1. Look End to End: Consider the whole security problem
2. Ruthlessly Prioritize: Identify top gaps + quick wins
3. Get started: Start somewhere and continuously improve
Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement
OBSERVE, ORIENT
DECIDE
ACT
1
2
3
...
Disrupt attacker
return on investment
(ROI)
Leverage reference plans
and architectures
Security is complex
and challenging
Resilience required
across the lifecycle
Focus on prevalent
attacks and use
data
Microsoft Security
Adoption Framework

Público
Guiding Rulesets for End to End Architecture
Zero Trust Commandments
Requirements that represent best practices for a Zero Trust Architecture
(ZTA) and transformation. (The Open Group Standard)
Usage: General planning + Testing whether something is ‘Zero Trust’ or
not
10 Laws of Cybersecurity Risk
Key truths about managing security risk that bust common myths.
Usage: Ensuring security strategy, controls, and risk are managed with
realistic understanding of how attacks, humans, and technology work
Immutable Laws of Security
Key truths about security claims and controls that bust common myths.
Usage: Validating design of security controls, systems, and processes to
ensure they are technically sound

Público
Architecture Diagrams & References
Microsoft Security Capabilities
Zero Trust Adaptive Access
Security Service Edge (SSE)
Build Slide
People
Roles and Risk Management
Infrastructure
Multi-cloud, cross-platform, native controls
Security Operations
(SecOps/SOC)
Operational Technology
(OT)
Industrial Control Systems
Threat Environment
Ransomware/Extortion, Data Theft, and more
Attack Chain
Coverage
aka.ms/MCRA | aka.ms/MCRA-videos | April 2025 Slide notes have speaker notes & change history
Multi-Cloud &
Cross-Platform
Microsoft 365 E5
Journey
Role Mapping
Zero Trust
Development / DevSecOps
Enabling Security & Business Goals
Privileged Access
Device Types
Artificial Intelligence
(AI) and Security
Standards Mapping
Patch
Modernization

Público
Access and Identity Modern Security Operations
(SecOps/SOC)
Infrastructure & Development
Security
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices
Business and
Security
Integration
Implementation
and Operation
Technical Planning
Architecture and
Policy
Security Strategy,
Programs, and
Epics
Securing Digital
Transformation
Engaging Business
Leaders on Security
Workshops available in the Microsoft Unified catalog
All are holistic for the ‘hybrid of everything’ technical estate (on-premises, multi-cloud, IoT, OT, etc.)
Includes
Reference Plans
CISO Workshop

Público
Where do you want to go next?
Engagements help navigate the vast complexity of security
Capabilities Review
Security Capability Adoption Planning (SCAP)
End to End Security Assessment
Enterprise Security Assessment (ESA)
What do we own? Are we using it?
How are we doing today?
Recommend combination of:
• Context – Strategy/Architecture
• Action – Technical Implementation
Technical Architecture and Planning
Access and
Identity
Modern
Security
Operations
(SecOps/SOC)
Infrastructure
&
Development
Security
Data Security
Microsoft Product and Technology Implementation
Strategic Security Integration
Security
Strategy and
Program
End to End Security
Architecture
Security
Modernization
Journey
Defender
Sentinel
Entra
Intune
Purview
Security Copilot

Público
Let’s get next steps locked in
Capture actions and who follows up on them
# Next Step Point of Contact
1
2
3
4
5

Público
Security Resources
Security Adoption Framework
aka.ms/saf
Security Hub
aka.ms/SecurityDocs
Security Strategy and Program • CISO Workshop – aka.ms/CISOworkshop | -videos • Driving Business Outcomes Using Zero Trust
▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
▪ Meet regulatory and compliance requirements with Zero Trust
End to End
Security
Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA)
- aka.ms/MCRA |
-videos
• Zero Trust Workshop - http://aka.ms/ztworkshop
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/
ztramp
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware -
aka.ms/backup
Secure Access and
Identities
Modern Security
Operations (SecOps/SOC)
Infrastructure &
Development Security
Data Security IoT and OT Security
Product Capabilities
www.microsoft.com/security/business
Security Product Documentation
Azure | Microsoft 365
Microsoft Security Response Center
(MSRC)
www.microsoft.com/en-us/msrc
• Security Development Lifecycle (S
DL
)
• Security Controls
• Microsoft Cloud Security
Benchmark
aka.ms/benchmarkdocs
• Well Architected Framework
(WAF)
• aka.ms/wafsecure
• Azure Security Top 10
• aka.ms/azuresecuritytop10
• Ninja Training
• Defender for Cloud
• MCRA Video
• Infrastructure Security
• Defender for Cloud Documentatio
n
• Securing Privileged Access
(SPA) Guidance
aka.ms/SPA
• Access Control Discipline
• Ninja Training
• Microsoft Defender for Identity
aka.ms/mdininja
• MCRA Video
• Zero Trust User Access
• Microsoft Entra
Documentation
aka.ms/entradocs
• Incident Response - aka.ms/IR
• CDOC Case Study -
aka.ms/ITSOC
• Ninja Training
• Microsoft 365 Defender
aka.ms/m365dninja
• Microsoft Sentinel
aka.ms/sentinelninja
• Microsoft Defender for Office 365
aka.ms/mdoninja
• Microsoft Defender for Endpoint
aka.ms/mdeninja
• Microsoft Cloud App Security
aka.ms/mcasninja
• MCRA Videos
• Security Operations
• SecOps Integration
• Secure data with Zero Trust
• Ninja Training
• Microsoft Purview Information
Protection
aka.ms/MIPNinja
• Microsoft Purview Data Loss
Prevention aka.ms/DLPNinja
• Microsoft Purview Insider Risk
Management
• Insider Risk Management
• Data Security for SOC
aka.ms/NinjaDSforSOC
• Microsoft Purview
Documentation
aka.ms/purviewdocs
• Ninja Training
• Defender for IoT Training
• MCRA Videos
• MCRA Video OT & IIoT Security
• Defender for IoT
Documentation
aka.ms/D4IoTDocs

Público
Key Industry References and Resources
The Open Group
Zero Trust Commandments Standard - https://publications.opengroup.org/c247
Zero Trust Reference Model - https://publications.opengroup.org/s232
Security Principles for Architecture - https://publications.opengroup.org/c246
US National Institute of Standards and Technology (NIST)
Cybersecurity Framework - https://www.nist.gov/cyberframework
Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
NCCoE Zero Trust Project - https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Secure Software Development Framework (SSDF) -
https://csrc.nist.gov/pubs/sp/800/218/final
Cybersecurity and Infrastructure Security Agency (CISA)
Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model
Center for Internet Security (CIS)
CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/

Público
Standards Mapping
Zero Trust Model
The Open Group
Zero Trust Model
NIST
Zero Trust Model
Microsoft
References
Zero Trust Capabilities
The Open Group
Rapidly Report
Regulatory Compliance
SecOps
Terminology
Capabilities
Asset-Centric Security Operations (SecOps/SOC)
Identity and Adaptive Access Management (IAAM)
Microsoft
Mapping
Architecture
Building
Blocks (ABBs)
Capabilities
Microsoft
Mapping
Architecture
Building
Blocks (ABBs)
All capabilities ...mapped to NIST CSF

Público
Asset-Centric Security Operations (ACSO)
ACSO-1
Asset-Centric
Security Operations
ACSO-1.1 - Rapid Incident Response
ACSO-1.2 - Continuous Organizational
Improvement
ACSO-1.3 - Undetected Attack Discovery
ACSO-1.4 - Attack Simulation
ACSO-1.5 - SecOps Data Analysis and Automation
ACSO-1.1.1 - Incident Investigation, Containment, and Remediation
ACSO-1.1.2 - Incident Impact and Root Cause Analysis
ACSO-1.1.3 - Case Management
ACSO-1.1.4 - Major Incident Management
ACSO-1.3.1 - Threat Hunting
ACSO-1.3.2 - Custom Detection Engineering
ACSO-1.4.1 - Simulated Attack Planning
ACSO-1.4.2 - Simulated Attack Execution
ACSO-1.4.3 - Simulated Attack Learnings Integration
ACSO-1.5.1 - Common Attack Technique Detection
ACSO-1.5.2 - Data Aggregation, Storage, Correlation, and Analysis
ACSO-1.5.3 - SecOps Process Automation
ACSO-1.5.4 - Technical Threat Data Integration
ACSO-1.5.5 - SecOps Custom Development
ACSO-1.2.1 - SecOps Continuous Operational Improvement
ACSO-1.2.2 - Threat Intelligence Sharing, Education, and Advocacy
Capabilities

Público
Asset-Centric Security Operations Platform (ACSOP)
Architecture Building Blocks (ABBs)
ACSOP-1
Asset-Centric
Security Operations
Platform
ACSOP-1.1 - SecOps
Core Reactive
Processes
ACSOP-1.2.6 - Attack Simulation Process
ACSOP-1.3 - SecOps
Data Analysis and
Automation Platform
ACSOP-1.1.1 - Incident Investigation and Forensic Analysis Process
ACSOP-1.1.3 - Incident Summarization Process
ACSOP-1.1.4 - Incident Impact and Root Cause Analysis Process
ACSOP-1.1.6 - Operational Excellence Process
ACSOP-1.1.5 - Major Incident Management Process
ACSOP-1.2.2 - Custom Detection Engineering Process
ACSOP-1.3.3 - Extended Detection and Response (XDR)
ACSOP-1.3.4 - Security Information and Event Management (SIEM)
ACSOP-1.3.5 - Security Data Lake
ACSOP-1.3.6 - SecOps Automation Platform (SOAR)
ACSOP-1.3.7 - Technical Anomaly Platform (Machine Learning, RE, etc.)
ACSOP-1.3.8 - Behavior Anomaly Platform (UEBA)
ACSOP-1.3.9 - Threat Intelligence Platform (TIP)
ACSOP-1.2.6.4 - Purple Team Process
ACSOP-1.3.1 - Case Management Platform
ACSOP-1.3.2 - SecOps Business Intelligence (BI) Platform
ACSOP-1.2.5 - SecOps Automation Management Process
ACSOP-1.2.3 - Threat Hunting Process
ACSOP-1.2.4 - Threat Intelligence Development & Dissemination
Process
ACSOP-1.2 - SecOps
Proactive Processes
ACSOP-1.2.6.5 - Red Team Process
ACSOP-1.2.6.6 - Penetration Test Process
ACSOP-1.2.6.3 - Technical Discussion-based
Simulation (Tabletop Exercise) Process
ACSOP-1.2.6.1 - Attack Scenario Planning
Process
ACSOP-1.1.6.2 - SecOps Change Management
Process
ACSOP-1.1.6.1 - SecOps Trend and Pattern
Analysis Process
ACSOP-1.2.6.2 - Identify Friend/Foe (IFF)
Process
ACSOP-1.1.6.3 - Detection Source Management
ACSOP-1.1.1.2 - Technology Team Interaction
Process
ACSOP-1.1.1.1 - User Interaction Process
ACSOP-1.1.6.4 - User Reporting Process
ACSOP-1.2.1 - SecOps Data Management Process
ACSOP-1.2.5.1 - SecOps Custom Development
Process
ACSOP-1.1.5.2 - Business Coordination Process
ACSOP-1.1.5.1 - Technical Coordination Process
ACSOP-1.1.2 - Incident Containment and Asset Recovery Process
ACSOP-1.3.10 - SecOps Generative AI (GenAI) Platform

Público
Enable a Standard Zero Trust Approach
Microsoft Technologies enable Asset-Centric Security Operations Platform (Zero Trust Reference Model)
ABB # Architecture Building Block (ABB) Name Level Microsoft Technology
ACSOP-1.3 SecOps Data Analysis and Automation Platform 2 <All Below>
ACSOP-1.3.1 Case Management Platform 3
Microsoft 365 Defender
Microsoft Sentinel
ACSOP-1.3.2 SecOps Business Intelligence (BI) Platform 3 Microsoft PowerBI
ACSOP-1.3.3 Extended Detection and Response (XDR) 3
Microsoft Defender for Cloud
ACSOP-1.3.4 Security Information and Event Management (SIEM) 3 Microsoft Sentinel
ACSOP-1.3.5 Security Data Lake 3 Microsoft Azure Data Explorer (ADX)
ACSOP-1.3.6 SecOps Automation Platform (SOAR) 3
Microsoft 365 Defender (AutoIR)
Microsoft Sentinel
ACSOP-1.3.7 Technical Anomaly Platform (Machine Learning, RE, etc.) 3
Microsoft Sentinel
ACSOP-1.3.8 Behavior Anomaly Platform (UEBA) 3
ACSOP-1.3.9 Threat Intelligence Platform (TIP) 3
Microsoft Defender Threat Intelligence
Security Copilot
ACSOP-1.3.10 SecOps Generative AI (GenAI) Platform 3 Security Copilot
Note: Security Architecture Design Session (ADS) workshop for Security Operations (SecOps/SOC)
includes guidance for ACSOP-1.1 SecOps Core Reactive Processes and ACSOP-1.2 SecOps Proactive Processes
ABBs

Público
Identity and Adaptive Access Management (IAAM)
Capabilities
IAAM-1
Identity and Adaptive
Access Management
IAAM-1.1 -
Authentication (Known)
IAAM-1.2 - Trust
Validation (Trusted)
IAAM-1.3 -
Authorization (Allowed)
IAAM-1.4 - Identity and
Policy Lifecycle
Management
IAAM-1.2.1 - Subject Security Status Determination
IAAM-1.2.2 - Policy Decisioning
IAAM-1.2.2.3 - Policy Enforcement
IAAM-1.4.3 - Identity & Access Lifecycle
Management
IAAM-1.3.1 - Subject Entitlements to
Workloads/Assets
IAAM-1.2.2.1 - Adaptive Policy Determination For Subjects
IAAM-1.2.2.2 - Adaptive Policy Determination for Sessions
IAAM-1.4.2 - Identity Definition and Assignment
IAAM-1.4.2.1 - Identity authority management
IAAM-1.3.2 - Workload-Specific Access Entitlements
IAAM-1.4.2.2 - User Identity Assignment
IAAM-1.4.2.3 - Device Identity Assignment
IAAM-1.4.2.4 - Application and Services Identity
Assignment
IAAM-1.4.2.5 - Data Identity Assignment
IAAM-1.3.3 - Identity Consent Management
IAAM-1.4.4 - Access Monitoring & Anomaly
Detection IAAM-1.4.2.6 - Ephemeral Identity Definition and
Assignment
IAAM-1.4.2.7 - Other Identity Definition and Assignment
IAAM-1.4.1 - Policy Lifecycle Management

Público
Identity and Adaptive Access Management Platform (IAAMP)
Architecture Building Blocks ( ABBs )
IAAMP-1.2
Adaptive Access
Control Platform
IAAMP-1.2.1 - Adaptive Policy Information Point (PIP)
IAAMP-1.2.3 - Adaptive Policy Enforcement Point (PEP)
IAAMP-1.2.2 - Adaptive Policy Decision Point (PDP)
IAAMP-1.2.4 - Adaptive Policy Manager
IAAMP-1.2.5 - Policy Signal Source
IAAMP-1.3.2 - Identity Lifecycle Management Platform
IAAMP-1.3.7 - Workload Authorization Mechanisms
IAAMP-1.1
Identity and Access
Management
Processes
IAAMP-1
Identity and Adaptive
Access Management
Platform
IAAMP-1.1.1 - Identity lifecycle management Process
IAAMP-1.1.4 - Access Management Operational Excellence
Process
IAAMP-1.1.2 - Access Policy Lifecycle Management Process
IAAMP-1.1.6 - Access Management Integration Process
IAAMP-1.1.4.2 - Access Change Management Process
IAAMP-1.1.4.1 - Access Trend, Pattern, and Problem
Management Process
IAAMP-1.1.4.3 - Access Problem Management Process
IAAMP-1.1.6.1 - Posture Management Integration Process
IAAMP-1.1.6.2 - SecOps Integration Process
IAAMP-1.1.6.3 - Development Integration Process
IAAMP-1.1.6.4 - Infrastructure Integration Process
IAAMP-1.1.6.5 - Data Integration Process
IAAMP-1.3.1 - Identity Provider (IDP)
IAAMP-1.3.6 - Authenticated Network Access Control Platform
IAAMP-1.3.5 - Certificate and Key Management Platform
IAAMP-1.1.5 - Consent Management Lifecycle Process
IAAMP-1.1.2.2 - App access & Consent management
process
IAAMP-1.1.2.1 - Organizational access management
process
IAAMP-1.3
Identity, Key, and
Access Management
Platform
IAAMP-1.3.4 - Personal Data Consent Management Platform
IAAMP-1.1.3 - Identity Protocol management
IAAMP-1.3.3 - Application Consent Management Platform

Público
Enable a Standard Zero Trust Approach
Microsoft Technologies enable Identity & Adaptive Access Management Platform (Zero Trust Reference Model Standard)
ABB Number ABB Level Microsoft Technology
IAAMP-1.2 Adaptive Access Control Platform 2 Microsoft Entra
IAAMP-1.2.1 Adaptive Policy Information Point (PIP) 3
Entra Conditional Access
IAAMP-1.2.2 Adaptive Policy Decision Point (PDP) 3
IAAMP-1.2.3 Adaptive Policy Enforcement Point (PEP) 3
Entra Conditional Access
Entra Private Access / Internet Access
Microsoft Intune
Purview Information Protection & DLP
IAAMP-1.2.4 Adaptive Policy Manager 3 Entra Conditional Access
IAAMP-1.2.5 Policy Signal Source 3
Entra ID / Entra ID Protection
Microsoft Intune
Microsoft 365 – Defender for Endpoint
IAAMP-1.3 Identity, Key, and Access Management Platform 2 Entra ID
IAAMP-1.3.1 Identity Provider (IDP) 3 Entra ID, Active Directory
IAAMP-1.3.2 Identity Lifecycle Management Platform 3 Entra ID Governance
IAAMP-1.3.3 Application Consent Management Platform 3 Entra ID
IAAMP-1.3.4 Personal Data Consent Management Platform 3 Priva Consent Management
IAAMP-1.3.5 Certificate and Key Management Platform
3
Azure Key Vault
Active Directory Certificate Services
Microsoft Identity Manager Certificate Manager
IAAMP-1.3.6 Authenticated Network Access Control Platform
3
Entra Private Access / Internet Access
Azure VPN
IAAMP-1.3.7 Workload Authorization Mechanisms 3 Microsoft Azure

Público
Security Modernization with Zero Trust Principles
Access and Identity
Business Enablement
Align security to the organization’s
mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device,
app, infrastructure, etc.) and plan accordingly
Verify Explicitly
Protect assets against attacker control by explicitly validating that all trust and security
decisions use all relevant available information and telemetry.
Use least privilege access
Limit access of a potentially compromised asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based polices like adaptive access control.
Infrastructure &
IoT and OT
Security
Modern Security
Data Security

Público
Zero Trust Principles
Use least privilege access
Limit access of a potentially compromised
asset, typically with just-in-time and just-
enough-access (JIT/JEA) and risk-based polices
like adaptive access control.
 Reduces “blast radius“ of compromises
 Reduces “attack surface” of each asset
 Transforms from “defend the network” to “enable secure productivity on any network”
Asset/Node = account, app, device,
VM, container, data, API, etc.
Verify explicitly
Protect assets against attacker control by
explicitly validating that all trust and security
decisions use all relevant available information
and telemetry.
Business Enablement
Align security to the organization’s mission, priorities, risks, and processes
Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly

Público
Key Industry Collaborations
The Open Group
Focused on integration
with business and
IT/Enterprise/Security
architecture
US National Institute of
Standards and
Technology (NIST)
Focused on architecture and
implementation with
available technology
Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and
Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors

Público
Key Zero Trust Models and Architectures
The Open Group
Focused on integration with business
and IT/Enterprise/Security architecture
US National Institute of
Standards and Technology (NIST)
Focused on architecture and
implementation with available technology

Público
Asset Protection
Classification, Protection, Tokenization
Digital Ecosystems
Zero Trust Components
Rapid Threat Detection, Response, and Recovery
Asset-Centric
Security Operations
Clarity, Automation, and Metrics-Driven Approach
Governance
Visibility and Policy
Data/Information
Apps & Systems
Security Zones
Centralized Security
Policy Decisions
Access Control
Identity and Network - Multi-factor Authentication
Threat
Intelligence
</> APIs
Distributed Policy
Enforcement Points (PEPs)
Innovation
Security
Securing
new asset
development

Público
Asset Protection
Classification, Protection, Tokenization
Digital Ecosystems
Microsoft Security Capability Mapping
The Open Group Zero Trust Components
Rapid Threat Detection, Response, and Recovery
Asset-Centric
Security Operations
Clarity, Automation, and Metrics-Driven Approach
Governance
Visibility and Policy
Data/Information
Apps & Systems
Security Zones
Centralized Security
Policy Decisions
Access Control
Identity and Network - Multi-factor Authentication
Threat
Intelligence
Innovation
Security
Securing
new asset
development
Microsoft Entra
Conditional Access
Defender for Endpoint
Endpoint Detection and
Response (EDR)
Intune
Device Management
Microsoft
Sentinel
• Security Information and Event
Management (SIEM)
• Security Orchestration, Automation,
and Response (SOAR)
Microsoft Defender
Defender for Identity Defender for
Cloud
Defender for Cloud
Apps
Defender for
Endpoint
Defender for Office
365
Security telemetry from across the environment
78+ Trillion signals per
day of security context
Microsoft Entra
Conditional Access
Azure Firewall (Illumio
partnership)
Defender for
APIs
GitHub Advanced Security
& Azure DevOps Security
Secure development and
software supply chain
Entra Internet Access
Entra Private Access
Defender for
Cloud
Azure Arc
Microsoft Purview
Microsoft Priva
Distributed Policy
Enforcement Points (PEPs)
Microsoft Entra ID
Entra ID
Governance
ID Protection
Workload ID
Defender for Identity
Microsoft Security
Exposure
Management

Público
Security Analytics
Data Security
Endpoint
Security
User
Device
Mobile
Device
Device
(with SDP Client)
ICAM
IDENTITY
• User
• Device
ACCESS & CREDENTIALS
• Management
• Authentication
(SSO/MFA)
• Authorization
FEDERATION GOVERNANCE
PE/PA
POLICY
Evaluate Access
PEP
GRANT ACCESS
(Micro-
segmentation)
GRANT ACCESS
(SDP)
Protected Resources
CLOUD
APPS & WORKLOADS
ON-PREM
APPS & WORKLOADS
(File Share, Database, Storage, Apps)
SDP (example: TLS Tunnel)
Zero Trust Architecture (ZTA)

Público
Protected Resources
PEP
Data
Securit
y
PE/PA
Security Analytics
ICAM
Identity
• User
• Device
Access &
Credential
Mgmt.
• Authentication
• Authorization
Identity, Credentials, and Access
Management (ICAM)
Federation
Governanc
e
Secure Admin
Workstations
Virtual Desktops
Policy Enforcement / Admin
(PE/PA)
Data Loss
Prevention
(DLP)
Document
Protection
Office
365
Cloud Infra
SQL
DB/Files
Policy
Determine Access
Endpoint Security
Devices
Devices w/
SDP
User
Mobile
Device
Grant Access
Intune
Entra Azure Virtual
Desktop
Windows 365
Cloud Apps
Workloads
Purview
DLP
Purvie
w
Information
Protection
Purvie
w
Mobile App
Mgmt
Defender for
Cloud Apps Information
Protection
Intune Defende
r for
Cloud
Microsoft Zero Trust Capability
Mapping
Key
NIST Sub-Area
• Sub-Area
NIST Area
Microsoft 365
Defender for
Cloud Apps
Defender for Cloud
Microsoft Cloud
Security Benchmark
Defender for
Office 365
3P SaaS
Azure IaaS
Azure Arc
Defender
for
Identity
Intune
VPN Backend Connector
Azure
Automanage
Connector
Microsoft Entra
Conditional Access
Global Secure
Access client
Intune
Device Management
Microsoft Service
Response (EDR)
Microsoft
Sentinel
Management (SIEM)
• Security Orchestration, Automation,
and Response (SOAR)
Microsoft Defender XDR
Purview Azure Arc
Apps
Information
Protection Scanner
Defender Application Guard
Infrastructure & Access
ON-PREM APPS & WORKLOADS
Data
Database Storage
File share
CLOUD APPS & WORKLOADS
Implemented as part of the
NIST ZT Architecture guide (published
August 2024)
Cloud
Defender for Cloud
Apps
Defender for
Endpoint
Defender for Office
365
Security telemetry from across the environment
Entra ID
Entra ID
Governance
Grant Access
Software Defined
Perimeter(SDP)
Policy Enforcement Point
(PEP)
Entra ID
Conditional
Access
Feedback
mechanisms
enable
continuous
improvement

Público
Zero Trust Policies
Evaluation
Enforcement
Threat Protection
Continuous Assessment
Threat Intelligence
Forensics
Response Automation
Identities
Human
Non-human
Endpoints
Corporate
Personal
Public
Private
Network
Apps
SaaS
On-premises
Data
Emails & documents
Structured data
Strong
authentication
Device
compliance
Risk
assessment
Traffic filtering &
segmentation
(as available)
Request
enhancement
Telemetry/analytics/assessment
JIT & Version Control
Runtime
control
Adaptive
Access
Classify,
label,
encrypt
Policy Optimization
Governance
Compliance
Security Posture Assessment
Productivity Optimization
Infrastructur
e
Serverless
Containers
IaaS
PaaS
Internal Sites
Zero Trust
architecture

Público
Zero Trust Policies
Evaluation
Enforcement
Threat Protection
Continuous Assessment
Threat Intelligence
Forensics
Response Automation
Identities
Human
Non-human
Endpoints
Corporate
Personal
Public
Private
Network Apps
SaaS
On-premises
Data
Emails & documents
Structured data
Strong
authentication
Device
compliance
Risk
assessment
Traffic filtering &
segmentation
(as available)
Request
enhancement
Telemetry/analytics/assessment
JIT & Version Control
Runtime
control
Adaptive
Access
Classify,
label,
encrypt
Policy Optimization
Governance
Compliance
Security Posture Assessment
Productivity Optimization
Infrastructur
e
Serverless
Containers
IaaS
PaaS
Internal Sites
Microsoft Entra
Conditional Access
Response (EDR)
Intune
Device Management
Microsoft Sentinel
Management (SIEM)
• Security Orchestration,
Automation, and Response (SOAR)
Microsoft
Defender
Cloud
Defender for Cloud
Apps
Defender for
Endpoint
Defender for Office
365
Azure Networking
Microsoft Purview
Microsoft Priva
Defender for Office
365
Security Exposure
Management
Compliance Manager
GitHub Advanced
Security
Defender for Cloud
Apps
Defender for
APIs
Defender for
Cloud
Azure Arc
Microsoft Entra ID
Entra ID
Governance
ID Protection
Workload ID
Zero Trust
architecture

Público
Managing organizational risk
Organizational Leadership
Market Relevancy
Natural Disasters …
Cybersecurity
Cybersecurity is emerging from IT
as a distinct risk discipline for
business leaders and boards
IT Operations
Organizational & Risk Oversight
Board Management
Organizational Risk Appetite
Business Model and Vision
Competition from startups is
disrupting markets, requiring
businesses to digitally transform

Público
App &
Data
Teams
IoT Security
App Security / DevSecOps
Apps & Data
Data Security
People
Teams
Identity
Teams
IT Operations
Insider Risk
User Education & Awareness
People
Identity & Keys
Administrator
Security
Identity System
Security
Key Management
Endpoint
Security
Mitigate
Vulnerabilities
Infrastructure & Endpoint
Infrastructure &
Network Security
Deploy
Tools
OT Operations
Operational Technology (OT) Security
Leadership and Culture
Risk Management
Policy & Standards
Security Leadership
Information Risk Management
Supply Chain Risk (People, Process, Technology)
Enable Productivity and Security
Stay Agile - Adapt to changes to threat environment,
technology, regulations, business model, and more
Program Management Office (PMO)
Plan (Governance) Run (Operations)
Build
Managing Information/Cyber
Risk
Security responsibilities or “jobs to be done”
Organizational Leadership External
Intelligence Sources
April 2025 - https://aka.ms/SecurityRoles
Threat
Intelligence
Strategic Threat
Insight/Trends
Tactical Threat
Insight/Trends
Posture Management
Monitor & Remediate Risk
(Conditional Access, Secure Score, Sharing
Risks, Threat and Vulnerability Management
(TVM) User & Asset Scores, etc.)
Incident
Management
Incident
Response
Threat
Hunting
Security
Operations
[Center]
(SOC)
Practice
Exercises
Risk
Scenarios
Incident
Preparation
Technical Policy
Authoring
Compliance
Reporting
Architecture &
Risk Assessments
Technical Policy
Monitoring
Privacy &
Compliance
Requirements
Compliance
Management
Requirements
Translation
Technical Risk Management
Security
Architecture
Organizational & Risk Oversight
Board Management
Organizational Risk Appetite
Business Model and Vision

Público
Microsoft security capability mapping
Which roles typically use which capabilities
Access Control Asset Protection
Security Governance
Security Operations
Establish Zero Trust access model to modern and
legacy assets using identity & network controls
Detect, Respond, and Recover from attacks;
Hunt for hidden threats; share threat intelligence
broadly
Protect sensitive data and systems. Continuously
discover, classify & secure assets
Continuously Identify, measure, and manage security
posture to reduce risk & maintain compliance
Identity Admin, Identity Architect,
Identity Security
• Entra ID (Formerly Azure AD)
• Multifactor Authentication
• Conditional Access
• Application Proxy
• External Identities / B2B & B2C
• Internet/Private Access
• Identity Governance
• and more..
• Windows Hello for Business
• Microsoft Defender for Cloud Apps
• Azure Bastion
• Azure Administrative Model
• Portal, Management Groups, Subscriptions
• Azure RBAC & ABAC
Network Security
• Azure Firewall
• Azure Firewall Manager
• Azure DDoS
• Azure Web Application Firewall
• Azure Networking Design
• Virtual Network, NSG, ASG, VPN, etc.
• PrivateLink / Private EndPoint
Endpoint / Device Admin
• Microsoft Intune
• Configuration Management
Data security
• Information Protection
• Data Loss Prevention
People security
• Attack Simulator
Security architecture
• Microsoft Cybersecurity Reference Architecture
https://aka.ms/MCRA
Microsoft
Entra
• Microsoft 365 Lighthouse
• Azure Lighthouse
[multi-tenant]
Security Operations Analyst
• Microsoft Defender for Office 365
• Microsoft Entra Identity Protection
• Microsoft Defender for Cloud
• Microsoft Defender for DevOps
• Microsoft Defender for Servers
• Microsoft Defender for Storage
• Microsoft Defender for SQL
• Microsoft Defender for Containers
• Microsoft Defender for App Service
• Microsoft Defender for APIs
• Microsoft Defender for Key Vault
• Microsoft Defender for DNS
• Microsoft Defender for open-source
relational databases
• Microsoft Defender for Azure
Cosmos DB
• Microsoft Security Copilot
• Microsoft Security Experts
• Microsoft Incident Response
Detection and Response Team (DART)
Posture management,
Policy and standards,
Compliance management
• Secure Score
• Compliance Dashboard
• Azure Security Benchmark
• Azure Blueprints
• Azure Policy
• Microsoft Defender External Attack
Surface Management (MD-EASM)
• Azure Administrative Model
• Portal, Management Groups, Subscriptions
• Azure RBAC & ABAC
• Compliance manager
Microsoft
Purview
Microsoft
Defender
Innovation Security
Integrate Security into DevSecOps
processes. Align security, development,
and operations practices.
Application security and DevSecOps
• (Same as Infrastructure Roles)
• GitHub Advanced Security
• Azure DevOps Security
Infrastructure and endpoint security,
IT Ops, DevOps
(including Azure Arc)
• Azure Blueprints
• Azure Policy
• Azure Firewall
• Azure Monitor
• Azure Web Application Firewall
• Azure DDoS
• Azure Backup and Site Recovery
• Azure Networking Design
• Virtual Network, NSG, ASG, VPN, etc.
• PrivateLink / Private EndPoint
• Azure Resource Locks
Incident preparation
Threat intelligence Analyst
• Microsoft Defender Threat
Intelligence (Defender TI)
OT and IoT Security
• Microsoft Defender for IoT (& OT)
• Azure Sphere
Privacy Manager
• Microsoft Priva
April 2025 – https://aka.ms/MCRA

Público
CE
O
Security accountabilities & responsibilities across the organization
Security Posture Management
 Security Posture Management
 Security Governance & Compliance
Management
Application & Product Development
 Technology Delivery Managers
 Software Testing/Quality Managers
 Software Security Engineers
 Software Developers (including AI)
 Software Testers
 DevOps Leads
 Supply Chain Security
 Internet of Things (IoT)
Other Cross-Functional Disciplines
 Legal Team
 Finance Team
 Procurement & Acquisition
 Human Resources
 Communications / Public Relations
 Organizational Readiness / Training
 Security Operations (SecOps) Managers
 Triage Analyst
 Investigation Analyst (Digital Forensics)
 Reverse Engineering
 Threat Hunting and Detection Engineering
 SecOps Platform and Data Engineering
 Attack Simulation (Red & Purple Teaming)
 Incident Coordination and Management
 Threat Intelligence
Technical Engineering and Operations
 Technology Managers
 Security Managers
 Automation Engineering
 Identity
 Network
 User Endpoints
 User Productivity and Support
 Infrastructure/Platform (Cloud, On-Prem, CI/CD,
etc.)
 Data and Artificial Intelligence (AI)
 Operational Technology (OT)
 Security Engineering
Architects
 Enterprise Architects
 Security Architects
 Infrastructure Architects
 Data and Artificial Intelligence (AI)
Architects
 Access Architects (Identity, Network, App,
etc.)
 Solution Architects
 Software / Application Architects
Business Management and Operations
 Product Line Managers / Directors
 Product Owners
 Business Architects
 Business Analysts
 Information Worker / Frontline Worker
Technical Leadership
 Chief Digital Officer (CDO)
 Chief Information Officer (CIO)
 Chief Technology Officer (CTO)
 Chief Information Security Officer (CISO)
 Software Delivery Vice President (VP)
 Technology Directors
 Security Directors
 Security Strategy, Integration, and
Governance
 Software Development Directors
Organizational Leadership & Oversight
 Member of Board of Directors
 Chief Executive Officer (CEO)
 Chief Financial Officer (CFO)
 Chief Operating Officer (COO)
 Chief Legal Officer (CLO)
 Product and Business Line Leaders
People Security
 Security Education and Engagement
 Insider Risk Management
Security-Adjacent Disciplines
 Chief Security Officer (CSO) and team
 Chief Risk Officer (CRO) and team
 Chief Privacy Officer (CPO) and team
 Data Officer / Data Governance and team
 Compliance and Audit team
 Anti-Fraud Team

Público
Role Example –CEO proposed draft text for security
roles and glossary standard
Chief Executive Officer (CEO) – The CEO establishes the culture and strategic direction of the
organization that guides everyone in the organization on how to prioritize funding, time, and energy across all aspects of the
business, including security risk. The security accountabilities for a CEO include:
 Prioritizing security in the organization’s culture and sponsoring the Zero Trust transformation by embedding security in business decisions at all
levels (which may require shifting revenue vs. risk tradeoffs).
 Establish or correct security accountability structure - The CEO must ensure that anyone making a decision that impacts the organization’s
security risk is accountable for the full consequence of those decisions including the security risk implications of them.
 Position security team as an enabler - The CEO must empower the CISO and security team to provide the required security context to business and
technology roles across the organization (and hold them accountable for this enablement). This includes providing expertise to enable risk
prevention, management of incidents that do happen, and supporting the continuous learning by providing tailored recommendations to avoid or
mitigate future incidents.
 Sponsor or approve security-aware procurement and open source policy - The CEO must ensure that organizational policy requires analyzing the
security characteristics of all new software before the organization commits to purchasing or integrating it into their systems. Any software can
introduce organizational risk if it isn’t properly developed, tested, implemented, and maintained. A security review of software and vendors can
discover and mitigate security risks early and cost-effectively before the organization has invested into product implementation and integration.
This must be applied generally to all procurement because software is included in a high percentage of products purchased by organizations
(including many different types and sizes of equipment). Additionally, most technology and AI projects typically include open source software
that can introduce security risks to the organization (outside of purchasing process)
Without the CEO prioritizing cybersecurity across the organization, the security team is often positioned as a scapegoat,
getting the accountability and blame for security incidents resulting from decisions made by other teams. This causes all non-security roles to lack understanding
and accountability for the security impacts of decisions they make, resulting in higher risk with every decision and action.
This results in more security incidents, higher severity and business impact per incident, inability to accurately judge the organization’s actual risk, inability to
recruit security leaders / professionals, and reduced business agility because security teams often try to slow or block business initiatives for fear of being blamed.
Security
responsibilities/
accountabilities
Consequences of
not doing this (or
well /completely)
The CEO is ultimately accountable for all
organizational assets of all types in
aggregate.
 Standard cybersecurity skills for information workers
 Organizational security threats, risks, and challenges
Asset Scope and
Required Attack
Knowledge

Público
Software as a Service (SaaS)
This is interactive!
1. Present Slide
2. Hover for Description
3. Click for more information
Cybersecurity Reference Architecture
Security modernization with Zero Trust Principles
April 2025 – aka.ms/MCRA
This is interactive!
1. Present Slide
2. Hover for Description
3. Click for more information
Microsoft Purview
Data security, loss prevention (DLP), &
governance across data lifecycle
File Scanner
(on-premises and cloud)
S3
Identity & Access
Microsoft Entra
IoT and Operational Technology (OT) People Security
3rd party IaaS & PaaS
Azure Arc
Intranet
Extranet
Endpoints & Devices Hybrid Infrastructure – IaaS, PaaS, On-Premises
Azure Key Vault
Azure WAF
DDoS Protection
Azure Backup
On Premises Datacenter(s)
Azure Firewall
& Firewall Manager
Attack Simulator Insider Risk Management
Azure Sphere
Compliance Manager
Private Link
Conditional Access – Zero Trust Adaptive Access Control
based on explicit validation users, session, & endpoint integrity
Network protection
Credential protection
Windows 11 & 10 Security
Exploit protection
App control
Full Disk Encryption
Attack surface
reduction
Microsoft Defender for Endpoint
Unified Endpoint Security
Endpoint Data Loss Protection (DLP)
Web Content Filtering
Endpoint Detection & Response (EDR)
Threat & Vuln Management
Defender for Cloud – Cross-Platform, Multi-Cloud XDR
Detection and response capabilities for infrastructure and
development across IaaS, PaaS, and on-premises Communication Compliance
Azure Lighthouse
Defender for Cloud – Cross-Platform Cloud Security Posture Management (CSPM)
Compliance Dashboard
Secure Score
Azure Bastion
Classification
Labels
Information Protection
Advanced eDiscovery
Data Governance
Microsoft Defender for IoT (and OT)
• Asset & Vulnerability
management
• Threat Detection
& Response
• ICS, SCADA, OT
• Internet of Things (IoT)
• Industrial IoT (IIoT)
Security Development Lifecycle (SDL)
Service Trust Portal – How Microsoft secures cloud services
Threat Intelligence – 78+ Trillion signals per day of security context
NGFW
Express Route
Microsoft Azure
Azure Marketplace
VPN & Proxy
Edge DLP
IPS/IDS/NDR
Azure Stack
Microsoft Entra Private
Access & App Proxy
Beyond User VPN
Security Guidance
1. Security Adoption Framework
2. Security Documentation
3. Cloud Security Benchmarks
Security & Other Services
Discover
Protect
Classify
Monitor
Microsoft Security Exposure Management – Provides unified view of security posture + attack surface across organization, enabling you to investigate security insights, identify critical assets, reduce attack surfaces and security risk
Unified Endpoint Management (UEM)
Intune Configuration Manager
Securing Privileged Access – aka.ms/SPA
Microsoft Defender
for Cloud Apps
• App Discovery & Risk Scoring
(Shadow IT)
• Threat Detection & Response
• Policy Audit & Enforcement
• Session monitoring & control
Active Directory
Endpoint
Workstations,
Server/VM,
Containers, etc.
Office 365
Email, Teams,
and more
Cloud
Azure, AWS,
GCP, On Prem
& more
Identity
Cloud &
On-Premises
SaaS
Cloud Apps
Other
Tools, Logs,
& Data
OT/
IoT
devices
Privileged Access Workstations (PAWs) - Secure workstations for administrators, developers, and other sensitive users
Microsoft Entra Internet Access
GitHub Advanced Security & Azure DevOps Security
Secure development and software supply chain
Data
SQL, DLP,
& more
Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft
Sentinel
Cloud Native SIEM, SOAR, and UEBA
Managed Security Operations
Using Microsoft Security
Microsoft Security Experts
Defender Experts | Detection and Response Team (DART)
Windows LAPS
Protect Local Admin
Account Credentials
Microsoft Entra PIM
External Identities
Entra ID Protection
Leaked cred protection
Behavioral Analytics
Passwordless & MFA
Passkeys
Hello for Business
ID Governance
FIDO2 Keys
Verified Identity
Microsoft Security Copilot
Privileged Access Management (PAM) Cloud Infrastructure Entitlement Management (CIEM)
Defender for APIs

Público
Cross-cloud and cross-platform
Comprehensive Security, Compliance and Identity capabilities that integrate with your existing solutions
CERTs / ISACs / Others
NIST / CIS / The Open Group / Others Solution Integration and MDR/MSSP Partners
Microsoft Intelligent Security Association Law Enforcement
Industry Partnerships
Microsoft Security, Compliance, and Identity Capabilities
Access Control
Identity and Network
Modern Security Operations
Rapid Resolution with XDR, SIEM, SOAR, UEBA and more
Asset Protection
Information Protection and App Security / DevSecOps
Technical Governance
Risk Visibility, Scoring, and Policy Enforcement
Threat Intelligence – 78+ Trillion signals per day of security context
People Security – User Education/Empowerment and Insider Threats
Security Operations [Center] (SOC) – Reduce attacker time/opportunity to impact business
S3
Operational Technology (OT)
IoT Devices
April 2025
https://aka.ms/MCRA

Público
Multi-Cloud and Cross-Platform Technology
Secure the enterprise you have
Microsoft Purview
Discovery, Classify, Protect, and Monitor across unstructured data (documents, spreadsheets, files, etc.) and structured data (SQL, Databases, etc.) to identify and mitigate critical risks
Information Protection
Identity & Access
Identity Enablement
Access cloud and legacy applications for Enterprise users and
External Identities like Partners (B2B) and Customers/Citizens (B2C)
Identity Security
Zero Trust Access Control using Behavioral Analytics, Threat Intelligence,
and integration of device and app trust signals
Microsoft Entra
formerly Azure AD
Security Operations [Center] (SOC)
Microsoft Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT
• Threat & Vulnerability Management
• Integrated data classification
• Threat analytics on top attacks
• Advanced Detection & Remediation
• Automated Investigation & Remediation
• Advanced Threat Hunting
Microsoft Defender XDR - Extended Detection and
Response
Threat visibility and capabilities tailored to resources
IaaS, PaaS, and On-Premises
• VMs, Servers, App Environments
• Storage and Databases
• Containers and Orchestration
• DevOps, APIs, CI/CD, and more
Microsoft Defender for Endpoint
Unified Endpoint Security
• Endpoint Detection & Response (EDR)
• Data Loss Protection (DLP)
• Web Content Filtering
• Threat & Vuln Management
Microsoft Defender for Cloud Apps
• App Discovery & Risk Scoring (Shadow IT)
• Policy Audit & Enforcement
• Session monitoring & control
• Info Protection & Data Loss Prevention (DLP)
Microsoft Defender for IoT
• Asset &
Vulnerability management
• ICS, SCADA, OT
• Internet of Things (IoT)
• Industrial IoT (IIoT)
Azure Arc Threat Intelligence – 78+ Trillion
signals per day of security context
Operational Technology (OT)
IoT Devices
Microsoft Intune
Unified Endpoint Management (UEM)
PaaS
On-Premises IaaS
S3
April 2025
https://aka.ms/MCRA
Cloud-native application protection platform (CNAPP)
Microsoft Defender (CSPM+CWPP), Azure Security (CSNS), DevSecOps
GitHub Advanced Security – Secure development capabilities Securing components common most enterprise software supply chains

Público
Key cross-platform and multi-cloud guidance
Microsoft Defender for Cloud multicloud
solution
Microsoft Defender for Endpoint – Linux Support
Azure security solutions for AWS
Entra ID identity and access
management for AWS

Público
Multi-cloud & hybrid protection in Microsoft Defender for
Cloud
Secure score Asset management Policy
Threat detection Vulnerability Assessment Application control
Automation SIEM integration Export
Security posture
& compliance
Server protection
(Microsoft Defender for Cloud for VMs)
Automation &
management at scale
Microsoft
Azure
Azure Arc
On-prem
Google
Cloud
Amazon
Web Services

Público
Device Risk
Managed?
Compliant?
Infected with Malware?
…and more
User/Identity Risk
Multi-factor Authentication?
Impossible Travel?
Unusual Locations?
Password Leaked?
…and more
Any apps
and resources
Microsoft 365 apps
and resources
Internet and
SaaS apps
(including AI)
All private apps
Private web apps
Access Management Capabilities
Adaptive Access applying Zero Trust Principles
Legend
Trust Signal Adaptive Access Policy
Threat Intelligence Additional Policy & Monitoring
Decision
based on organizational policy
Signal
to make an informed decision
Enablement and Enforcement
of policy across resources
Integrated Threat
Intelligence
Security Policy
Engine
Organization
Policy
Continuous Risk
Evaluation
Partner
Employee
Customer
Virtual Private Network (VPN)
Legacy technology being retired
Direct Application Access
Core adaptive access policy
Workload
Can be implemented today using Microsoft and partner capabilities
Macro- and Micro-segmentation
Workload isolation using identity,
network, app, and other controls
Remediate
User and
Device Risk
Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure
web gateway (SWG), Cloud Access Security
Broker (CASB), and Firewall-as-a-Service (FWaaS)
Identity Governance
Lifecycle

Público
Device Risk
Managed?
Compliant?
Infected with Malware?
…and more
User/Identity Risk
Multi-factor Authentication?
Impossible Travel?
Unusual Locations?
Password Leaked?
…and more
Any apps
and resources
Microsoft 365 apps
and resources
Internet and
SaaS apps
(including AI)
All private apps
Private web apps
Access Management Capabilities
Adaptive Access applying Zero Trust Principles
Legend
Trust Signal Adaptive Access Policy
Threat Intelligence Additional Policy & Monitoring
Decision
based on organizational policy
Signal
to make an informed decision
Enablement and Enforcement
of policy across resources
Integrated Threat
Intelligence
Security Policy
Engine
Organization
Policy
Continuous Risk
Evaluation
Partner
Employee
Customer
Virtual Private Network (VPN)
Legacy technology being retired
Direct Application Access
Core adaptive access policy
Workload
Can be implemented today using Microsoft and partner capabilities
Macro- and Micro-segmentation
Workload isolation using identity,
network, app, and other controls
Remediate
User and
Device Risk
Microsoft Entra ID
(formerly Azure AD)
Microsoft Defender + Intune
Entra ID Self Service
Password Reset
(SSPR)
Microsoft Entra
Conditional Access
Using Microsoft Technology
Illumio partnership,
LAPS
Additional policy control & monitoring
with Zero Trust Network Access (ZTNA), secure
web gateway (SWG), Cloud Access Security
Broker (CASB), and Firewall-as-a-Service (FWaaS)
Entra Internet Access,
Entra Private Access,
and Partners
Microsoft Threat Intelligence
78+ Trillion signals per day of
security context & Human Expertise
April 2025
https://aka.ms/MCRA
Identity Governance
Lifecycle
Entra ID
Governance

Público
Identity Systems
Attackers have options
to compromise privileged access
A
u
t
h
o
r
i
z
e
d
E
l
e
v
a
t
i
o
n
P
a
t
h
s
User Access
Privileged Access
Account
Devices/Workstations
Intermediaries
Interface
Cloud Service Admin
Identity Systems
Business Critical Systems
Business Critical Assets
Across On-Premises, Cloud, OT, & IoT
Account
Intermediaries
Interface
Potential Attack Surface

Público
Limit and protect pathways to privileged access
Prevention and rapid response
Identity Systems
A
u
t
h
o
r
i
z
e
d
E
l
e
v
a
t
i
o
n
P
a
t
h
s
User Access
Privileged Access
Account
Intermediaries
Interface
Cloud Service Admin
Identity Systems
Business Critical Systems
Business Critical Assets
Across On-Premises, Cloud, OT, & IoT
Account
Intermediaries
Interface
Complete End-to-end approach
Required for meaningful security
End-to-end
Asset Protection also required
Security updates, DevSecOps,
data at rest / in transit, etc.

Público
Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more
Broad Enterprise View
Correlated/Unified
Incident View
Enabling a people-centric function focused rapid remediation of realized risk
Expert Assistance
Enabling analysts with scarce
skills
Deep Insights
Actionable alerts derived from deep
knowledge of assets and advanced
analytics
Raw Data
Security &
Activity Logs
(Case Management
Ensure consistent workflow and measurement of
success
Threat Intelligence (TI)
Critical security context
Security Operations Capabilities
Automation (SOAR)
reduces analyst effort/time per
incident, increasing SecOps capacity
Incident Response/Recovery Assistance
technical, legal, communication, and
other
Managed Detection and Response
Outsourced technical functions
Security Information and Event Management (SIEM)
Hunting + Investigation platform with Automation and Orchestration
(including machine learning (ML), User/ Entity Behavior Analytics (UEBA), & Security
Data Lake)
Information & Data
Applications
(SaaS, AI, legacy, DevOps, and other)
Endpoint
& Mobile
Identity & Access
Management
OT & IoT
Platform as a
Service (PaaS)
Infrastructure & Apps
Networ
k
Extended Detection and Response (XDR)
High quality detection for each asset + investigation remediation capabilities
API integration
Generative AI
Simplifies tasks and performs
advanced tasks through chat
interface
Analysts
and Hunters
Align to Mission + Continuously Improve
Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)

Público
Broad Enterprise View
Correlated/Unified
Incident View
Microsoft Reference Architecture
Expert Assistance
Enabling analysts with scarce
skills
Deep Insights
Actionable detections
from an XDR tool with
deep knowledge of
assets, AI/ML, UEBA,
and SOAR
Raw Data
Security &
Activity Logs
(Classic SIEM
(Case Management
Microsoft Threat Intelligence
78+ Trillion signals per day of security
context & Human Expertise
API integration
Legend
Consulting and Escalation
Outsourcing
Native Resource Monitoring
Event Log Based Monitoring
Investigation & Proactive Hunting
Security Operations
SOAR reduces analyst
effort/time per incident,
increasing SecOps
capacity
Security & Network
Provide actionable security
detections, raw logs, or both
Microsoft
Sentinel
Machine Learning (ML) & AI
Behavioral Analytics (UEBA)
Security Data Lake
Security Incident & Event
Management (SIEM)
Security Orchestration, Automation,
and Remediation (SOAR)
Infrastructure & Apps PaaS OT & IoT Identity & Access
Management
{LDAP}
Endpoint
& Mobile
Information
SOAR - Automated investigation and response
(AutoIR)
Defender for Cloud
Containers
Servers
& VMs
SQL
Azure app
services
Network
traffic
Defender for
Endpoint
Defender for
Cloud Apps
Defender for
Office 365
Defender for
Identity
Entra ID
Protection
Managed Security Operations
Microsoft Security Experts
Managed XDR
Managed threat
hunting
Incident response
Formerly Detection &
response team (DART)
Security
Operations
Modernization
Simplifies experience for complex tasks/skills
Align to Mission + Continuously Improve
Measure and reduce attacker dwell time
(attacker access to business assets) via
Mean Time to Remediate (MTTR)
Analysts
and Hunters
Defender for
IoT & OT
Applications
(SaaS, AI, legacy, DevOps, and other)

Público
©Microsoft Corporation
Azure
Operational Technology (OT) Security Reference Architecture
Apply zero trust principles to securing OT and industrial IoT environments
S A F E T Y S Y S T E M S
Purdue Model
Level 1 – Basic Control
Electronics controlling or monitoring
physical systems
Level 0 – Process
Physical machinery
Level 2 – Supervisory Control
Monitoring & Control for discrete
business functions (e.g. production line)
Level 3 – Site Operations
Control & monitoring for physical site
with multiple functions (e.g. plant)
Security Analytics
Purdue Levels 4 + 5 and Zero Trust
Transform with Zero Trust Principles
Purdue model assumed static site/enterprise model
• Datacenter Segments – Align network/identity/other
controls to business workloads and business risk
• End user access - Dynamically grant access based on explicit
validation of current user and device risk level
Business Analytics
Confidentiality/Integrity/Availability
• Hardware Age: 5-10 years
• Warranty length 3-5 years
• Protocols: Native IP, HTTP(S), Others
• Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware
Safety/Integrity/Availability
• Hardware Age: 50-100 years (mechanical + electronic overlay)
• Warranty length: up to 30-50 years
• Protocols: Industry Specific (often bridged to IP networks)
• Security Hygiene: Isolation, threat monitoring, managing vendor
access risk, (patching rarely)
Operational Technology
(OT) Environments
Information Technology
(IT) Environments
IIoT / OT Digital Transformation drivers
• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other
standards
• Emerging Security Standards like CMMC
Azure Analytics
IoT Hub, PowerBI, Azure Edge,
Digital Twins, and more
Blended cybersecurity attacks are
driving convergence of IT, OT, and IoT
security architectures and capabilities
Plant security console
(optional)
Sensor(s) +
Analytics
TLS with mutual
authentication
N E T W O R K
T A P / S P A N
April 2025 –
https://aka.ms/MCRA
Microsoft Defender for IoT (and
OT)
 Manager
 Security Console
3rd
party
Analytics
Cloud
Environments
Business Analytics
Business Analytic
Sensor(s)
Cloud Connection (OPTIONAL)
• Native plug-in for Microsoft Defender for IoT
• Native OT investigation & remediation playbooks
• Correlation with other data sources and
Strategic Threat intelligence (attack groups & context)
Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
Hard Boundary
Physically disconnect
from IT network(s)
Soft(ware) Boundary
People, Process, and Tech (network
+ identity access control, boundary
patching and security hygiene)
Internal
segmentation
As business
processes allow
Isolation and Segmentation
3rd
party
Analytics Microsoft
Sentinel
3rd
party
SIEM
Threat Intelligence – 78+ Trillion
signals per day of security context

Público
Microsoft Security Exposure Management
Unified Threat Detection and Response across IT, OT, and IoT Assets
Incident Response | Automation | Threat Hunting | Threat Intelligence
Microsoft
Sentinel
Cloud Native SIEM, SOAR, and UEBA
Azure Cloud Adoption Framework (CAF)
Guidance on security strategy, planning, roles and responsibilities https://aka.ms/CAF
Zero Trust Access Control
Explicit trust validation for users and devices before allowing
access
Infrastructure Security
Capabilities
Apply Zero Trust principles Infrastructure & Platform as a Service (IaaS & PaaS)
across multi-cloud cross-platform environments
Full Time Employees, Partners,
and/or outsourced providers
Microsoft Entra ID Governance
• Automated User Provisioning
• Entitlement Management
• Access Reviews
• Privileged Identity Management
(PIM)
• Terms of Use
Entra Privileged Identity
Management (PIM)
Entra ID Protection
MFA and Passwordless
Entra MFA
Windows Hello
Existing MFA
Management Plane Security
Platform provided security guardrails, governance, policy, and more
Endpoint logs PIM Logs
Entra ID logs, access logs, alerts, risk
scoring
Privileged Access Workstation (PAW)
Control
Governance &
Policy Enforcement
Preventive Controls
Security Posture
Visibility
Threat Detection & Response
Raw Logs and Signal for
Investigation & Hunting
Microsoft Defender for
Cloud
Azure Policy Role Based Access Control (RBAC)
Azure Blueprints Management Groups
Azure Lighthouse Azure Backup & Site Recovery
Resource Locks
Data Plane Security
Per-Application/Workload Controls
Azure Well Architected
Framework (WAF)
Microsoft Cloud Security
Benchmark (MCSB)
Prescriptive Best Practices and Controls
Internal Communications (East/West) External Communications (North/South)
Network/App Security Groups
API Management
Gateway
Azure DDoS and Web Application Firewall (WAF)
PrivateLink & Service Endpoints
Encryption & Azure Key Vault, Application RBAC Model
Azure Firewall and Firewall Management
Azure DevOps Security
GitHub Advanced Security
Unified Endpoint Management
Intune
Configuration Manager
Azure Bastion
Customers
(and ‘External’ Partners)
Business Users
Developers
App/Service
and Automation
Administrators
API
Application
Workstations
‘Internal’ Access Accounts Access and Privileges Interfaces
Identity Infrastructure Network & ‘External’ Access
Resources
Top 10 Azure Security Best Practices
Entra App Proxy
Defender for DevOps
Conditional Access
Microsoft Defender for Identity
Microsoft Defender
for Endpoint Entra ID Protection
CI/CD Pipeline
Azure Resource
Management (ARM)
Access Applications
Azure Portal
Command Line Interface (CLI)
Automation/API
Microsoft Entra ID
& External Identities
Formerly Azure AD
Active Directory
Azure Sphere
Existing/Other
Internet of Things
(IoT) Devices
Azure IoT Hub
External Identities
On-Premises & Other
Cloud Resources/Data
Azure Resources/Data
Defender for APIs
Microsoft Defender for Cloud - Risk & Regulatory Compliance Reporting
Azure Policy (audit) & Azure resource graph
API
Microsoft Defender for Cloud - Detections across assets and tenants
Application Logs
Azure WAF Alerts
Azure Firewall Alerts
Azure DDOS Alerts
MDCA Alerts
MDCA Logs
• VMs & Tenants (Azure, On-prem, 3rd
party
clouds)
• Containers and Kubernetes
• IoT and Legacy OT Devices (SCADA, ICS, etc.)
• Application Programming Interfaces (APIs)
• CI/CD Pipelines
• Azure SQL & Cosmos DB
• Azure Storage Accounts
• And More…
Microsoft Defender External Attack Surface Management
(EASM)
Network Watcher – IP Flow logs, Packet Capture,
Virtual TAP
Azure activity log Azure Service Diagnostic Logs & Metrics
Microsoft
Security
Copilot

Público
DevSecOps – Agile security for workloads
Architecture & Governance
Security, Compliance, Identity, & Other Standards
Idea Incubation
New Product or Service
Production DevSecOps
Continuous improvement
Developer
BUILD DEPLOY
DESIGN/CODE RUN
Minimum viable product (MVP) for:
• Dev - Business / Technical Requirements
• Sec - Compliance / Security / Safety
• Ops - Quality / Performance / Support
Secure Design Secure Code Secure the Operations
Secure CI/CD Pipeline
First Production Release
Continuous Improvement of DevSecOps Lifecycle
1. MVP definitions – Update minimum requirements for Dev, Sec, and Ops (agility, stability, security, identity standards, and more)
2. Continuously improve process, program, education, tooling, etc. to improve developer productivity, efficiency, security, identity, and more)

Público
It’s bad out there!
For sale in “bad neighborhoods” on the internet
Attacker for hire (per
job)
$250 per job (and up)
Ransomware Kits
$66 upfront
(or 30% of the profit / affiliate model)
Compromised PCs /
Devices
PC: $0.13 to $0.89
Mobile: $0.82 to $2.78
Spearphishing for hire
$100 to $1,000
(per successful account takeover)
Stolen Passwords
$0.97 per 1,000 (average)
(Bulk: $150 for 400M)
Denial of Service
$766.67 per month
Attackers
Other Services
Continuous attack
supply chain innovation
Attacker techniques,
business models, and
skills/technology, are
continuously
evolving
Many attack tools and
tutorials/videos
available for free on
internet

Público
Continuously Evolving Threats
Require consistency, visibility, prioritization, and continuous learning
Attack Chain Models
Consistently describe attacks & techniques
Broad & Deep Visibility
Required across assets & techniques
Ransomware and Extortion
Should influence defense prioritization
• Use MITRE Attack Framework to
evaluate detection coverage and
plan to fill visibility gaps
• Use PETE to describe incidents
simply and consistently (including
to business leaders)
• Ensure you have visibility and
coverage across asset types and
common attack patterns
• Prioritize ransomware defenses
pragmatically
https://aka.ms/humanoperated

Público
ENTER TRAVERSE EXECUTE
OBJECTIVES
PREPARE
Attack Chain Models
Describe stages of an attack
Reconnaissanc
e
Resource
Development
Initial Access
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral
Movement
Command and
Control
Exfiltration
Impact
Delivery Exploitation Installation Command and Control
Reconnaissance Weaponization
Actions on the
Objective
Simple model for business leaders and other non-technical stakeholders
PETE
Detailed model for technical detection coverage assessments and
planning
MITRE ATT&CK
Framework
Legacy Reference Model (missing lateral traversal)
Lockheed Martin Kill Chain

Público
Ransomware and Extortion Attacks
Evolution of ransomware/extortion
Rapidly became top threat to many organizations
Driven by attacker business model evolution
High impact and likelihood attack
High attacker profitability driving massive growth
Common attack pattern has weaknesses
All extortion relies on getting access to assets (via admin privileges)
Ransomware extortion relies on denying recovery (via backups)
Prioritize Defenses
Focus on disrupting attacker motivations and techniques first
aka.ms/HumanOperated

Público
Use Data to Prioritize Practically
Focus on most prevalent of effective and high impact attack techniques (not just attack of the day/week)
1. Prevalent
• Used against you
• Used on similar
organizations
(industry peers,
similar/related data,
etc.)
2. Proven
• Works in the wild
somewhere against
dissimilar
organizations 3. Potential
• Possible but not recently used in active attacks
A bottomless pit, but an expensive one
Attackers have potentially infinite ability to
abuse complex systems, but each new
approach costs time/resources/money or
increased chances for failure/detection.
Security events (and threat intelligence
research) can increase attack technique priority
Common for everyone
1. Phishing
2. Pass the hash/ticket
3. Password spray
4. Password re-use
from known
breaches
Always prioritize critical
business assets and direct
paths to them

Público
Product Name (& Previous Product Names) Product Category(ies) Security Modernization Initiative(s)
Microsoft Defender for Endpoint (MDE)
Formerly Microsoft Defender ATP, Windows Defender ATP,
Windows Defender Antivirus
Endpoint Detection and Response (EDR)
Threat and Vulnerability Management (TVM)
EndpointProtection Platforms (EPP)
• Modern Security Operations
• Infrastructure and Development
• Security Hygiene: Backup and Patching
Microsoft Defender for Identity (MDI)
Formerly Azure ATP
Microsoft Defender for Office (MDO)
Formerly Office 365 ATP
Extended Detection and Response (XDR) • Modern Security Operations
Microsoft Defender for Cloud Apps (MDCA)
Formerly Microsoft Cloud App Security
Cloud App Security Broker (CASB)
• Access and Identity
• Data Security
Entra ID (Formerly Azure AD)
• Multifactor Authentication
• Microsoft Entra Conditional Access
• Self-service password management
• Identity Protection
• Identity Governance
• Privileged Identity Management (PIM)
AccessManagement
Microsoft Purview
• Compliance Management
• Data Lifecycle Management
• eDiscovery and auditing
• Information Protection
• Data Security
Windows 10 & Windows 11
• Windows Hello for Business
• Windows AutoPilot
• Advanced Windows Security
Microsoft Intune Unified EndpointManagement
(UEM) • Access and Identity
What’s in Microsoft 365 E5
Product
Licensing
Details April 2025 – https://aka.ms/MCRA

Público
Infrastructure &
IoT and OT
Security
Modern Security
Data Security
Product Families Enable Modernization Initiatives
Access and Identity
Sentinel
Entra
Intune Priva
Defender Purview
Azure
Security Copilot

Público
Spans on-premises &
multi-cloud
environments
Typical ‘Flat’ Network
Managed CORP
Office Azure
All corporate devices
and access
Privileged Access Workstations
(PAWs)
Open Internet
Provided by someone else

Público
Validated Resource Access
All devices can access internet
Managed and compliant devices
can access corporate resources
Office Azure
Zero Trust
User Access Devices
Managed CORP
Limited general
client access
Spans on-premises & multi-cloud environments
Open Internet
Managed Devices
Security based on explicit validation
of trust signals on any network Managed
Virtual
Desktop
for unmanaged
device scenarios
like BYOD, partners,
and visitors (often
cloud hosted)
– Client Security
Transformation
Managed Internet
Monitored network for validated devices to
communicate peer to peer (patching, collaboration,
etc.)
Unmanaged Internet
Basic network monitoring for guests,
partners, new/unmanaged devices
(PAWs)
Managed devices with strict security enforced
via cloud policy enforcement

Público
Office Azure
Zero Trust
User Access Devices
Managed CORP
Limited general
client access
Open Internet
Managed Devices
Virtual
Desktop
for unmanaged
device scenarios
and visitors (often
cloud hosted)
Managed Internet
etc.)
Unmanaged Internet
(PAWs)
VPN Access
Fallback access + app usage discovery
Microsoft Entra
application proxy
Published Applications
secure access from anywhere
– App Access for
Clients

Público
Specialized Segments
Isolate well-defined life/safety and
business-critical assets (as possible)
Managed
CORP
Office Azure
Zero Trust – Network Segment Transformation
User Access Devices
Open Internet
Managed Devices
Virtual
Desktop
for unmanaged
device scenarios
and visitors (often
cloud hosted)
Managed Internet
etc.)
Unmanaged Internet
(PAWs)
Microsoft Entra
application proxy
Low Impact IoT/OT
Printers, VoIP phones, etc.
Controlled / Sensitive Devices
Business Critical and/or
Legacy/Vulnerable Assets
Sensitive Business Units/Apps
High Impact IoT/OT
IoT/OT With Life/Safety Impact
Don’t Firewall
and Forget

Público
Enterprise Accounts
Privileged Accounts
Specialized Accounts
Anonymous and Consumer
identities
End State - Secure Access and Identity
Full Adaptive Access bridging both worlds and fulfilling Zero Trust and SASE visions
Sanctioned and
Managed Services
Internet and
Unsanctioned/Unmanaged Apps
Private and Managed in
the cloud or on-premises
Differentiated Devices
Differentiated Identities
Differentiated Resources
Network Segments
Grants access based on
explicitly verified trust
and organizational
policy
Sensitive System users,
developers, & admins
Business critical system
users, developers, admins
Partner
Employee
Adaptive
Access Control
Busin
ess
Critic
al
Segm
ent(s)
Sensit
ive
Busine
ss
Units/
Apps
Low
Impa
ct
IoT/O
T
Printe
rs,
VoIP
phon
es,
etc.
High
Impa
ct
IoT/O
T
IoT/
OT
With
Life/S
afety
Impac
t
Privileged Devices
Specialized Devices
Unmanaged devices
BYOD, partners, etc.
Enterprise Devices
Managed
Devices

Público
AI creates multiple security imperatives
Expect, plan for, and
track attacker use of
AI
Provide policy
and education
Adopt AI security
capabilities
Protect AI data
and applications

Público
AI has multiple implications for security
New/different interface Elevates Focus on Data
AI Requires & Accelerates Zero Trust AI Shared responsibility
Requires new
controls
Microsoft Approach

Público
AI increases data security importance and
challenges
AI amplifies existing data security/governance challenges
AI makes data discovery easy, so you must fix any existing issues with data
discovery, classification, & excessive permissions
AI increases value of data
AI relies on data and creates new value from it, increasing urgency to protect
data from attackers trying to steal/resell it
AI introduces new avenue of potential data leakage
Must secure AI applications and models to ensure their design,
implementation, and use don’t allow for unauthorized leakage to internal or
external users

Público
AI Requires New Security Measures
To complement traditional code/data controls (WAF, DLP, etc.)
Classic Application
Components
Artificial
Intelligence (AI)
Components
Predictable Logic
Consistent (deterministic) outcomes
 same results
Dynamic Logic
Variable outcomes
 similar results
• not the same
• not completely different
Precise interruption / redirection
of logic flow
General biases & hallucinations
in outcomes
AI is typically an
application component,
so both defense types
required
Logic
Type
Exploitation &
Mitigation
Running
Multiple Times

Público
AI and Zero Trust have a symbiotic relationship
AI
Zero Trust
AI requires Zero
Trust
AI is data-centric technology
and drives continuous
changes to business,
technology, and security
threats
AI accelerates Zero Trust
AI accelerates learning and
productivity by automating
complex tasks and acting as an
‘on-demand mentor’

Público
AI Shared Responsibility Model
Illustrates which responsibilities are typically performed by an organization
and which are performed by their AI provider (such as Microsoft)
Model Safety & Security Systems
Model Accountability
Model Tuning
Model Design & Implementation
Model Training Data Governance
AI Compute Infrastructure
Shared
IaaS
(BYO
Model)
PaaS
(Azure AI)
SaaS
(Copilot)
Customer
User Training and Accountability
Usage Policy, Admin Controls
Identity, Device, and Access Management
Data Governance
Microsoft
Model
Dependent
AI Platform
AI Usage
AI Application
AI Plugins and Data Connections
Application Design and Implementation
Application Infrastructure
Application Safety Systems

Público
Microsoft Approach
Focused on responsible rapid integration of technology
Prioritize greatest needs
and opportunities for
security
Establish clarity:
Your data is your data
Implement
responsible AI
principles

Público
Key Use Cases
Explore risks
and manage
security
posture
Summarize threat intelligence (TI) for threat actors
Research relevant TI for an artifact to contextualize
an incident or threat, including associated MITRE
ATT&CK techniques, tactics, and procedures (TTPs)
Investigate
and
summarize
incidents
Guidance for incident response, including
directions for triage, investigation, containment,
and remediation. Easily summarize incidents to
enable collaboration, escalation, business impact
analysis, and more.
Reverse engineer attacker scripts to quickly
understand their intent and capabilities
Easily build query-language and task automation
scripts.
Build &
Reverse
engineer
scripts
Manage and
Troubleshoot
Policy and
Controls
Reduce errors that could create operational
disruptions (directly or via incidents) by identifying
conflicting or misconfigured policies. Streamline
policy creation with recommended configurations
Agents perform specific
tasks autonomously

Público
AI Agents Perform Specific Tasks Autonomously
Examples from Microsoft Security Copilot
• Phishing Triage Agent in Microsoft Defender triages phishing alerts with accuracy to identify real
cyberthreats and false alarms. It provides easy-to-understand explanations for its decisions and improves
detection based on admin feedback.
• Alert Triage Agents in Microsoft Purview triage data loss prevention and insider risk alerts, prioritize
critical incidents, and continuously improve accuracy based on admin feedback.
• Conditional Access Optimization Agent in Microsoft Entra monitors for new users or apps not covered
by existing policies, identifies necessary updates to close security gaps, and recommends quick fixes for
identity teams to apply with a single click.
• Vulnerability Remediation Agent in Microsoft Intune monitors and prioritizes vulnerabilities and
remediation tasks to address app and policy configuration issues and expedites Windows OS patches with
admin approval.
• Threat Intelligence Briefing Agent in Security Copilot automatically curates relevant and timely threat
intelligence based on an organization’s unique attributes and cyberthreat exposure.
Agentic AI - AI Agents build on Generative AI and other automation technology to
perform specific tasks without requiring humans to oversee every action they take

Público
Review – Artificial Intelligence
(AI)
• GenAI enables a new interface (natural language)
• Makes technology easier to use and learn
• Enables people to do more advanced tasks
• Critical to adapt quickly to this technology
• Educate on and mitigate attacker use of AI
• Embrace security use of AI
• Protect business use of AI
• Securing AI is a shared responsibility
• Microsoft Approach to AI
• Establish clarity: your data is your data
• Implement responsible AI principles
• Focus initial security priorities on greatest needs
Resources and
References

MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx

More Related Content

What's hot

Similar to MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx

Recently uploaded

MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx

Editor's Notes