Definitive Guide 2025: Protect Identities, Email and Devices in Microsoft 365 & Azure
The cloud has blurred the old perimeter walls. Today an attack starts with a phishing email, a leaked password or an unpatched laptop. Microsoft brings together Entra ID, Defender and Intune to implement Zero Trust natively. This guide—updated to April 2025—explains what to do, why it works and links to the official documentation for every step.
Contents
- Zero Trust: foundations and benefits
- Identities: MFA, Passwordless and Risk-Based Access
- Email: Defender for Office 365, DMARC and BEC / QR attacks
- Devices: Intune Suite, EPM and Hotpatch
- Governance & Compliance: Purview, Secure Score and auditing
- License & Add-on Comparison
- 90-Day Checklist → Secure Score ≥ 75 %
- FAQ
- Conclusion
1. Zero Trust — Why the Perimeter Firewall Is No Longer Enough
Key idea: nothing and no one is trusted until they prove it. Every request is re-evaluated in real time, cutting the attack surface.
Pillar | Microsoft Product | Technical Controls | Tangible Benefit |
---|---|---|---|
Identity | Entra ID Protection + Conditional Access | MFA, User / Sign-in Risk, PIM | Instantly blocks stolen credentials |
Email & Data | Defender for Office 365 + Purview | Safe Links, BEC LLM, Unified DLP | Prevents malware and sensitive-data leaks |
Devices | Intune Suite + Defender for Endpoint | EPM, ASR, Hotpatch | Fewer local privileges & reboot-free patching |
Why it works: every access combines who you are, which device you use and how much risk you bring; if something looks suspicious, the platform remediates (MFA, block, isolate).
2. Identities — Stop “Password-Spray” Attacks
2.1 MFA & Passwordless: the foundation
- Enable Security Defaults or a Conditional Access policy “MFA for all.”
- Deploy Authenticator Lite in Outlook mobile for friction-free adoption.
- Promote Passkeys and FIDO2 for critical roles.
2.2 Risk-based Conditional Access
Entra ID Protection scores users and sign-ins. Typical policies:
- User Risk ≥ Medium → Secure password reset
- Sign-in Risk ≥ Medium → MFA or block
Official guide: Configure risk policies
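As an added example (not code from the guide or from Microsoft), the two risk policies above expressed as Conditional Access policies created through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, Entra ID P2 is licensed, and a break-glass group object ID replaces the placeholder; both policies are created in report-only state so their impact can be reviewed before enforcement.

```powershell
# Added example: create the section 2.2 risk policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed, Entra ID P2 licensed,
# and a real break-glass group object ID substituted for the placeholder below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroup = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: always exclude emergency accounts

# Policy 1: sign-in risk Medium or High -> require MFA
$signInRisk = @{
    displayName = "CA - Sign-in risk Medium+ requires MFA"
    # Report-only first; switch to "enabled" after reviewing the report-only results
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: user risk Medium or High -> MFA AND secure password change.
# Graph requires "passwordChange" to be paired with "mfa" under operator AND,
# and the affected users must be enabled for self-service password reset.
$userRisk = @{
    displayName = "CA - User risk Medium+ requires secure password reset"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($signInRisk, $userRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}
```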
2.3 PIM: just-in-time privileges
- Make permanent Global Admins eligible instead.
- Require MFA, justification and ticket.
- Automate quarterly Access Reviews.
3. Email — Defender for O365, DMARC, BEC and QR-Phishing
3.1 Defender for Office 365 Plan 2
- Safe Links / Safe Attachments inspect every click. Documentation
- BEC AI (language model) detects fraudulent intent.
- QR Protection scans URLs in embedded QR codes.
3.2 Email authentication
SPF + DKIM + DMARC cut spoofing almost 100 %. Exchange Online already enforces p=reject.
Guide: Configure DMARC
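As an added example (not from the guide), a small PowerShell checker that parses a DMARC TXT record and reports which enforcement stage a domain has reached (monitor-only, p=quarantine, or p=reject, matching the checklist milestones in section 7). The sample records are constructed; the live lookup assumes Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example: parse a DMARC record and report its enforcement stage.
# Assumption: Resolve-DnsName (DnsClient module, Windows) for the live lookup;
# the sample records at the bottom are constructed, not from any real domain.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Record)
    # DMARC tags are "key=value" pairs separated by semicolons
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    # RFC 7489: the record is ignored entirely unless v=DMARC1 matches exactly
    if ($tags['v'] -ne 'DMARC1') {
        return [pscustomobject]@{ Valid = $false; Policy = $null; Pct = $null; ReportsTo = $null; Stage = 'Not a DMARC record' }
    }
    $p   = if ($tags.ContainsKey('p')) { $tags['p'].ToLower() } else { 'missing' }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100
    $stage = switch ($p) {
        'reject'     { if ($pct -eq 100) { 'Enforced: p=reject (days 76-90 milestone)' } else { "p=reject but pct=$pct: only partially enforced" } }
        'quarantine' { 'p=quarantine (days 22-45 milestone); move to p=reject next' }
        'none'       { 'Monitor-only: spoofed mail is still delivered' }
        default      { 'Missing or unknown p= tag' }
    }
    [pscustomobject]@{ Valid = $true; Policy = $p; Pct = $pct; ReportsTo = $tags['rua']; Stage = $stage }
}

function Test-DmarcDomain {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC lives in the TXT record at _dmarc.<domain>
    $txt = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop).Strings -join ''
    Get-DmarcPolicy -Record $txt
}

# Constructed sample records covering the three stages (offline run)
@(
    'v=DMARC1; p=none; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com',
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
) | ForEach-Object { Get-DmarcPolicy -Record $_ } | Format-Table Policy, Pct, Stage -AutoSize
```

Run `Test-DmarcDomain -Domain yourdomain.example` against a real domain to see the same report from live DNS.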
3.3 Attack simulations
Train users with realistic phishing campaigns, including QR templates.
4. Devices — Intune Suite, EPM and Hotpatch
4.1 Endpoint Privilege Management (EPM)
Grant elevated permissions only when they are needed and only to the extent needed. New in 2025: Publisher + Hash rules and Windows on Arm support.
4.2 Hotpatching: reboot-free patches
Windows 11 Enterprise 24H2 applies critical updates with no downtime. Documentation: Hotpatch updates
4.3 Defender for Endpoint + Copilot
ASR, network isolation and AI-guided remediation. Copilot explains incidents and suggests fixes.
5. Governance, Compliance and Data Protection
Feature | Product | Value |
---|---|---|
Sensitivity Labels | Purview IP | Persistent encryption & labeling |
Unified DLP | Purview DLP | Blocks PCI / PII data |
Insider Risk | Purview IRM | UEBA and exfiltration alerts |
Secure Score | Defender Portal | Metric & continuous improvement plan |
6. License & Add-on Comparison
Security Function | Business Premium | E1 | E3 | E5 | Common Add-ons |
---|---|---|---|---|---|
Conditional Access (basic) | ✔ | ✔ | ✔ | ✔ | — |
ID Protection (risk policies) | — | — | ➕ | ✔ | Entra ID P2 |
PIM & Access Reviews | — | — | ➕ | ✔ | Entra ID P2 |
Defender for Office 365 P2 | ➕ | ➕ | ➕ | ✔ | Plan 2 |
Defender for Endpoint P2 | — | — | ➕ | ✔ | MDE P2 |
Intune Suite + EPM | ➕ | — | ➕ | ➕ | Intune Suite |
Purview DLP & IRM | ➕ | — | ➕ | ✔ | Purview Add-ons |
Copilot for Security | ➕ | ➕ | ➕ | ➕ | Separate license |
Symbols: ✔ = included · — = not available · ➕ = paid add-on.
7. 90-Day Checklist → Secure Score ≥ 75 %
- Days 1-7: Enforce MFA; block IMAP / POP / SMTP Auth.
- Days 8-21: Conditional Access with Medium risk; block anomalous locations.
- Days 22-45: Implement SPF + DKIM + DMARC (p=quarantine).
- Days 46-60: Pilot EPM and Hotpatch with the IT team.
- Days 61-75: Enable “Strict” preset in Defender for Office 365.
- Days 76-90: Purview labels and DMARC p=reject.
8. Frequently Asked Questions
Do I need Entra ID P2 to use Conditional Access?
No for basic rules; yes for dynamic risk policies and PIM.
Does Hotpatch work on on-prem servers?
In preview via Azure Arc; production currently Azure Autopatch only.
What does Defender for Office 365 Plan 2 add?
Threat Explorer, attack simulation, auto-remediation and advanced threat hunting.
9. Conclusion
Hardening identities, email and devices with the 2024-2025 innovations (risk-based Conditional Access, BEC LLM, EPM and Hotpatch) reduces risk without sacrificing user experience. Follow this guide, review Secure Score weekly and cultivate a culture of continuous improvement.
Need expert help? The Cloud Fighters team designs and deploys these end-to-end architectures. Contact us.