4.2 Defender for Identity, Office 365 & Cloud Apps
Key Takeaways
- Defender for Identity response actions on a user include Disable user, Suspend user, Require user to sign in again, Force password reset, and Mark user as compromised, executed against Microsoft Entra ID / Active Directory from the user page in the Defender portal
- Threat Explorer (Explorer) in Defender for Office 365 lets analysts hunt delivered email, then soft delete, hard delete, or move messages org-wide as a remediation
- Zero-hour auto purge (ZAP) retroactively removes phishing and malware emails that were already delivered when a verdict later changes
- Attack simulation training launches benign phishing campaigns to measure user risk and assign targeted training, and is part of the response domain
- Defender for Cloud Apps governance actions can suspend an account, revoke OAuth app consent, and quarantine files; app governance adds policy-based control over risky OAuth apps in Microsoft 365
Investigating Identity Threats with Defender for Identity
Microsoft Defender for Identity (MDI) monitors on-premises Active Directory and hybrid identity for attacks like reconnaissance, lateral movement, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and DCSync. Alerts surface in the unified Defender portal and roll into Defender XDR incidents alongside endpoint and email signals.
The user (entity) page shows the identity timeline, related alerts, lateral movement paths, and a risk view. From a user page you take directory-level response actions. These are common SC-200 answers because they stop an attacker who already holds valid credentials.
| Action | Effect |
|---|---|
| Disable user | Disables the account in Microsoft Entra ID / Active Directory |
| Suspend user | Temporarily suspends the account |
| Require user to sign in again / Force password reset | Require sign-in again revokes refresh tokens and session cookies so existing sessions die; Force password reset makes the user set a new password at next logon. Access tokens already issued stay valid until they expire, so pair either with Disable user when the attacker is active right now |
| Mark user as compromised | Raises Entra ID user risk to High, triggering risk-based Conditional Access |
Mark user as compromised is the answer when the goal is to drive automatic Conditional Access enforcement (block, require MFA, or require a secure password change) rather than locking the account manually. It only has that effect when Entra ID Protection (Entra ID P2) is licensed and a user-risk Conditional Access policy exists; without the policy, the risk level rises and nothing else happens.
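The same three containment actions as scripted Microsoft Graph PowerShell calls, useful when the SOC automates identity containment from a playbook instead of clicking the user page. This is an added example, not code from the page or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK with the listed scopes, and the UPN `alice@contoso.example` is a placeholder.

```powershell
# Added example: Graph PowerShell equivalents of the Defender for Identity user-page actions.
# Assumes the Microsoft.Graph SDK (Users, Users.Actions, Identity.SignIns modules) and these scopes.
Connect-MgGraph -Scopes 'User.ReadWrite.All','IdentityRiskyUser.ReadWrite.All' -NoWelcome

function Invoke-IdentityContainment {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [switch]$Disable,          # "Disable user": blocks all new sign-ins
        [switch]$RequireSignIn,    # "Require user to sign in again": revokes refresh tokens
        [switch]$MarkCompromised   # "Mark user as compromised": sets Entra ID user risk to High
    )
    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user) { throw "User $Upn not found" }

    if ($MarkCompromised) {
        # Raises the user's risk level to High. Only a configured user-risk Conditional Access
        # policy (Entra ID P2) turns that into an automatic block or MFA / password-change prompt.
        Confirm-MgRiskyUserCompromised -UserIds @($user.Id)
    }
    if ($RequireSignIn) {
        # Invalidates refresh tokens and session cookies. Access tokens already issued remain
        # valid until they expire (typically about an hour), so combine with -Disable when the
        # attacker is active now.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    }
    if ($Disable) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # Read the resulting state back so the analyst can verify all three effects in one place.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled
    $risk  = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User           = $user.UserPrincipalName
        AccountEnabled = $after.AccountEnabled
        RiskLevel      = $risk.RiskLevel     # expect "high" after -MarkCompromised
        RiskState      = $risk.RiskState     # expect "confirmedCompromised"
    }
}

# Usage: full containment of the account observed performing DCSync (placeholder UPN).
Invoke-IdentityContainment -Upn 'alice@contoso.example' -MarkCompromised -RequireSignIn -Disable
```

The order matters little for Entra ID, but note what each call does not do: marking a user compromised does not end sessions, and revoking sessions does not stop a freshly minted access token, which is why a confirmed credential theft usually gets all three.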
Email and Collaboration Threats: Defender for Office 365
Microsoft Defender for Office 365 (MDO) protects Exchange Online, SharePoint, OneDrive, and Teams. Its two core protection features are Safe Links (URL rewriting during mail flow plus time-of-click verification of the destination) and Safe Attachments (sandbox detonation of attachments before delivery).
Threat Explorer (Explorer)
Threat Explorer (Explorer) is the hunting and remediation surface for email in Defender for Office 365 Plan 2; Plan 1 offers the reduced Real-time detections view instead. Analysts pivot by sender, recipient, URL, file hash, campaign, or delivery action, then act on the matching messages.
Remediation actions on email:
- Soft delete: moves the message to the user's Deleted Items folder, so the user can still recover it
- Hard delete: purges the message from the mailbox, so the user cannot recover it
- Move to Junk / Inbox
- Submit to Microsoft for analysis
- Trigger investigation (AIR for Office 365)
Zero-Hour Auto Purge (ZAP)
Zero-hour auto purge (ZAP) retroactively neutralizes email that was already delivered when Microsoft's threat intelligence later changes the verdict to malware, phish, or spam. It acts only on Exchange Online mailboxes, and the action taken (quarantine or move to Junk Email) follows the anti-malware or anti-spam policy that applies to the recipient. ZAP is the exam answer to "a phishing email was delivered before it was known-bad; how is it removed automatically."
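ZAP runs on its own schedule, so after a verdict change the practical question is which delivered copies it has not yet removed; those are the ones to hard delete from Explorer. The query below answers that from PowerShell by running advanced hunting through the Microsoft Graph security API. It is an added example, not from the page; it assumes the Microsoft.Graph.Security module's `Start-MgSecurityHuntingQuery` cmdlet with a `-Query` parameter and the `ThreatHunting.Read.All` scope, and the sender address is a constructed placeholder.

```powershell
# Added example: list campaign messages that were delivered and that no successful ZAP has
# acted on yet, by joining EmailEvents against EmailPostDeliveryEvents in advanced hunting.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

function Get-ZapGap {
    param(
        [Parameter(Mandatory)][string]$SenderFromAddress,
        [int]$LookbackHours = 24
    )
    # "Delivered" means the filter let it into the mailbox; junked/blocked copies need no ZAP.
    # EmailPostDeliveryEvents records ZAP outcomes per recipient, so the anti-join is per
    # (message, recipient) pair, not per message.
    $kql = @"
let window = ago(${LookbackHours}h);
let delivered = EmailEvents
| where Timestamp > window
| where SenderFromAddress =~ "$SenderFromAddress"
| where DeliveryAction == "Delivered"
| project NetworkMessageId, RecipientEmailAddress, Subject;
let zapped = EmailPostDeliveryEvents
| where Timestamp > window
| where ActionType in ("Phish ZAP", "Malware ZAP")
| where ActionResult == "Success"
| project NetworkMessageId, RecipientEmailAddress;
delivered
| join kind=leftanti zapped on NetworkMessageId, RecipientEmailAddress
| summarize StillPresent = count(), Recipients = make_set(RecipientEmailAddress, 1000)
    by NetworkMessageId, Subject
"@
    $result = Start-MgSecurityHuntingQuery -Query $kql
    # Each result row is exposed as a column-name -> value dictionary (assumed SDK shape).
    foreach ($row in $result.Results) {
        [pscustomobject]@{
            NetworkMessageId = $row.AdditionalProperties['NetworkMessageId']
            Subject          = $row.AdditionalProperties['Subject']
            StillPresent     = $row.AdditionalProperties['StillPresent']
            Recipients       = $row.AdditionalProperties['Recipients']
        }
    }
}

# Usage: placeholder sender from the reclassified campaign.
Get-ZapGap -SenderFromAddress 'billing@contoso-invoices.example' | Format-Table -AutoSize
```

Rerun it after your own Explorer remediation: manual actions land in the same EmailPostDeliveryEvents table with ActionType "Manual remediation", so an empty result confirms that ZAP plus the analyst covered every delivered copy. Advanced hunting ingestion lags by minutes, so an immediately empty result after a verdict change is not proof that ZAP has finished.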
Campaigns and Quarantine
The Campaigns view clusters coordinated phishing/malware mail so you remediate the whole campaign at once. Quarantine holds high-confidence phish and malware; analysts review and release or report from there.
Attack Simulation Training
Attack simulation training (Defender for Office 365 Plan 2) launches benign simulated phishing (credential harvest, malware attachment, link in attachment, drive-by URL, OAuth consent grant) against your own users. It is part of the response domain because it measures and reduces human risk.
- Outputs a compromise rate and identifies repeat clickers
- Auto-assigns targeted training to users who fail
- Supports payload automation and recurring campaigns
Exam framing: attack simulation is measurement and training, not a live attack and not a way to remediate a real incident.
SaaS Threats: Defender for Cloud Apps
Microsoft Defender for Cloud Apps (MDA) is the Cloud Access Security Broker (CASB). It discovers shadow IT, applies session and access controls via Conditional Access App Control, and runs policies over connected SaaS.
Governance (response) actions
| Surface | Governance action |
|---|---|
| User / account | Suspend user, Confirm user compromised, require sign-in |
| File | Quarantine, remove sharing, apply sensitivity label, trash |
| Session | Block download, monitor, enforce read-only (Conditional Access App Control) |
| OAuth app | Revoke app / ban app, disable app |
App Governance
App governance is the MDA capability focused on OAuth apps registered in Microsoft Entra ID that access Microsoft 365 data via Microsoft Graph. It surfaces overprivileged, unused, or anomalous apps and lets you create policies that alert on or automatically disable a risky app — the answer for "a malicious OAuth app is exfiltrating mailbox data; contain it."
```text
# Conceptual app governance policy logic (conditions are chosen in the portal, not scripted)
IF app data usage spikes above its own baseline
AND app holds Mail.ReadWrite with application (app-only) consent
AND app is newly registered OR its publisher is not verified
THEN raise alert -> optionally: disable the app
```
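App governance evaluates those conditions inside Microsoft 365 and disables the app for you; when you need to see the same population of apps directly, or contain one from a script, the Graph equivalents are below. This is an added example, not the page's code and not app governance's own engine: it assumes the Microsoft.Graph PowerShell SDK with the listed scopes, treats the service principal's `CreatedDateTime` as the "newly added" signal (assumed to be populated), and cannot see app governance's data-usage telemetry, so the permission, consent-type and publisher conditions stand in for the usage spike.

```powershell
# Added example: find service principals that hold app-only Mail.ReadWrite / Mail.Read on
# Microsoft Graph, flag new or unverified ones, and disable plus revoke the selected ones.
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All' -NoWelcome

function Find-RiskyMailApps {
    param(
        [string[]]$WatchedPermissions = @('Mail.ReadWrite','Mail.Read'),
        [int]$MaxAgeDays = 30
    )
    # Microsoft Graph's own service principal defines the role IDs for application permissions;
    # resolve them by name rather than hardcoding GUIDs.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $watched = @{}
    foreach ($role in ($graphSp.AppRoles | Where-Object { $_.Value -in $WatchedPermissions })) {
        $watched[$role.Id] = $role.Value
    }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,CreatedDateTime,VerifiedPublisher,AccountEnabled,ServicePrincipalType) {
        if ($sp.ServicePrincipalType -ne 'Application') { continue }
        # App-only consent shows up as an appRoleAssignment from this SP to the Graph SP;
        # delegated consent lives in oauth2PermissionGrants instead and is not matched here.
        $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
                  Where-Object { $_.ResourceId -eq $graphSp.Id -and $watched.ContainsKey($_.AppRoleId) }
        if (-not $grants) { continue }
        $isNew        = [bool]($sp.CreatedDateTime -and $sp.CreatedDateTime -gt $cutoff)
        $isUnverified = -not $sp.VerifiedPublisher.DisplayName
        [pscustomobject]@{
            ServicePrincipalId   = $sp.Id
            AppId                = $sp.AppId
            DisplayName          = $sp.DisplayName
            Permissions          = (@($grants) | ForEach-Object { $watched[$_.AppRoleId] }) -join ','
            AppRoleAssignmentIds = @($grants | ForEach-Object { $_.Id })
            NewlyAdded           = $isNew
            UnverifiedPublisher  = $isUnverified
            Enabled              = $sp.AccountEnabled
        }
    }
}

function Disable-RiskyMailApp {
    param([Parameter(Mandatory, ValueFromPipeline)]$App)
    process {
        # Disable first (stops new token issuance), then remove the app-only grants so that
        # re-enabling the app later does not silently restore mailbox access.
        # Tokens already issued remain valid until they expire.
        Update-MgServicePrincipal -ServicePrincipalId $App.ServicePrincipalId -AccountEnabled:$false
        foreach ($id in $App.AppRoleAssignmentIds) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $App.ServicePrincipalId -AppRoleAssignmentId $id
        }
        "Disabled $($App.DisplayName) ($($App.AppId)) and revoked $($App.Permissions)"
    }
}

# Triage first, then contain only apps matching both the age and the publisher condition.
Find-RiskyMailApps | Where-Object { $_.NewlyAdded -and $_.UnverifiedPublisher } | Disable-RiskyMailApp
```

Review the `Find-RiskyMailApps` output before piping it to `Disable-RiskyMailApp`: a legitimate mail-archiving or signature app registered last week will match the same conditions, which is exactly why app governance ships alert-only policies alongside the auto-disable ones.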
How These Stitch Into One Incident
Defender XDR correlation means a single attack — phishing email (MDO) → credential theft (MDI) → token replay against SaaS (MDA) → endpoint payload (MDE) — becomes one incident with a unified attack story. The exam rewards picking the action in the right workload for the right stage: ZAP for the delivered mail, mark-compromised for the identity, revoke OAuth app for the SaaS persistence, isolate for the endpoint.
Practice Questions
- A phishing email bypassed filtering and was delivered to 200 mailboxes. Hours later, Microsoft threat intelligence reclassifies the embedded URL as malicious. Which Defender for Office 365 capability automatically removes the already-delivered messages? Answer: Zero-hour auto purge (ZAP).
- Defender for Identity detects an account performing DCSync after a confirmed credential theft. The SOC wants Entra ID risk-based Conditional Access to automatically block the user. Which action best achieves this? Answer: Mark user as compromised, which raises the Entra ID user risk to High so the user-risk Conditional Access policy enforces the block.
- A newly registered OAuth application with app-only Mail.ReadWrite consent is reading thousands of mailboxes. Which Microsoft Defender for Cloud Apps capability is purpose-built to detect and automatically disable this risky app? Answer: App governance.