This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Configure and Analyze Security Reporting” section:
- Monitor and manage device security status using Microsoft Endpoint Manager Admin Center
- Manage and monitor security and dashboards using Microsoft 365 Security Center
Monitor and Manage Device Security Status Using Microsoft Endpoint Manager Admin Center
In the Device and Application Protection section we looked at configuring compliance policies for our devices, and at how device compliance can be used as a condition in our Conditional Access policies. We can also use the reporting functionality of the Endpoint Manager Admin Center to view the status of our device estate. To do this, open the Endpoint Manager Admin Center and go to the “Reports” section.
From here, we can see the following default reports available to us:
- Device Compliance – This report shows the compliance status of all devices in the tenancy. We can run reports by compliance status, OS and device ownership.
- Group Policy Analytics (Preview) – This is a preview feature. This report shows us the results of the Group Policy Analytics tool in Endpoint Manager.
- Windows Updates (Preview) – This is a preview feature. This report shows us a breakdown of the Windows update progress of our managed Windows devices.
- Cloud Attached Devices (Preview) – This is a preview feature. This report shows us where and how our devices are managed, in either Intune or ConfigMgr, when we use co-management. The results are broken down by the workload that is managed.
- Microsoft Defender Antivirus – This report shows us the Defender for Endpoint status of our enrolled devices, including whether any actions such as scans are pending. We can also report on the antivirus agent status and detected malware.
- Firewall – This report shows us the status of the Windows Firewall across all of our Windows devices.
- Endpoint Analytics – This report shows us a breakdown of the analytics and metrics gathered from our devices, providing insight into improvements that can be made where issues are occurring.
Manage and Monitor Security and Dashboards using Microsoft 365 Security Center
We’ve looked at the Microsoft 365 Security Center in a number of posts in this series. It provides an overview of the combined security posture of our environment. On the home page of the Security Center we see a huge amount of information immediately available to us.
From this dashboard we can expand upon the preconfigured reports that have been made available to us by clicking on them; this takes us to the source of the report. For instance, clicking the “Users at risk” tile will bring us to the Azure AD Risky Users page, while clicking “Privileged OAuth apps” will bring us to the MCAS portal OAuth apps report.
We can also identify behaviour and trends in our environment by using the Advanced Hunting functionality, querying and correlating data from multiple sources across our tenancy, similar to the functionality in MCAS. Advanced Hunting is based on KQL; a reference for using KQL can be found here.
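As an added example of the kind of cross-source Advanced Hunting query described above (this is constructed for this guide and is not from the original post or from Microsoft's query library), the query below combines endpoint logon failures from DeviceLogonEvents with identity logon failures from IdentityLogonEvents and produces a per-account daily trend. It assumes both tables are populated in the tenant (Defender for Endpoint and Defender for Identity connected); the 14-day lookback and the threshold of 20 failures per day are arbitrary values chosen for illustration.

```kusto
// Constructed example: daily trend of failed sign-ins per account,
// correlating two Advanced Hunting sources in one result set.
// Assumption: DeviceLogonEvents and IdentityLogonEvents both contain data.
let lookback = 14d;            // assumed lookback window
let dailyThreshold = 20;       // assumed per-day failure threshold
// Failed interactive/network logons reported by onboarded endpoints.
let endpointFailures =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | project Timestamp, AccountName, Source = "Endpoint", SourceIP = RemoteIP;
// Failed logons reported by the identity sources (AD / Azure AD).
let identityFailures =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | project Timestamp, AccountName, Source = "Identity", SourceIP = IPAddress;
// Merge both sources, then bucket failures per account per day so the
// result can be read as a trend rather than a flat list of events.
union endpointFailures, identityFailures
| where isnotempty(AccountName)
| summarize
    FailedCount = count(),
    DistinctIPs = dcount(SourceIP),
    Sources = make_set(Source)
    by AccountName, Day = bin(Timestamp, 1d)
| where FailedCount >= dailyThreshold
| order by Day asc, FailedCount desc
```

Accounts that appear on several consecutive days, or with failures from both sources, are the ones worth following up against the "Users at risk" data on the dashboard.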
Here we’ve looked at reporting from Endpoint Manager and the Security Center. I’m going to end this post here; in the next post we will look at how we can leverage the Security Graph API to surface data from across our environment, using this extremely flexible API to build our own functions and queries. For more information on the topics in this post, check out the below links: