Microsoft EMS (Enterprise Mobility + Security) Deployment in Cybersecurity


What is Microsoft EMS?

Microsoft EMS (Enterprise Mobility + Security) is a suite of cloud-based tools that enhance cybersecurity by providing identity management, mobile device and application security, and advanced threat protection. It integrates seamlessly with Microsoft 365 and Azure services.

Key Components of Microsoft EMS

EMS Component | Purpose in Cybersecurity
Azure AD Premium (P1/P2) | Identity and access management, multi-factor authentication (MFA), conditional access, and identity protection.
Microsoft Intune | Mobile device management (MDM), application control, and compliance enforcement.
Microsoft Defender for Identity | Advanced threat analytics (ATA) to detect compromised identities and insider threats.
Microsoft Defender for Endpoint | Endpoint detection and response (EDR), advanced malware protection, attack surface reduction.
Microsoft Cloud App Security (MCAS) | Cloud security posture management, monitoring cloud application activity, and data leakage prevention.

Project Scope and Goals

Objective:

This project aims to enhance an organization’s cybersecurity posture using Microsoft EMS by:

  1. Securing identities – Enforce strong authentication and conditional access to prevent unauthorized access.

  2. Protecting devices – Apply security policies to managed and unmanaged devices.

  3. Defending against threats – Use AI-driven threat detection for rapid response.

  4. Ensuring compliance – Enforce data loss prevention (DLP) and regulatory compliance.

Deployment Feasibility – Can It Be Deployed for Free?

Microsoft EMS is a licensed product and requires an EMS E3 or EMS E5 subscription. However:

  • Microsoft offers a 90-day free trial of EMS E5 for up to 250 users.

  • Azure AD Free offers basic identity and authentication features, but lacks premium security features.

  • Microsoft Defender for Endpoint provides limited free protection via Windows Security but requires licensing for full EDR capabilities.

  • Microsoft Sentinel's free tier covers 5GB of daily log ingestion at no cost.

Step-by-Step Deployment Guide

Step 1: Plan and Prepare for EMS Deployment

Tasks:

  • Assessing the current IT environment, including Active Directory and cloud usage.

  • Defining security policies and compliance requirements.

  • Identifying user groups for phased deployment (e.g., Admins, IT, HR).

  • Registering for the EMS E5 trial in the Microsoft Admin Center.

Step 2: Implement Azure AD for Identity Security

Tasks:

  • Configure Azure AD Connect to sync on-prem AD users to Azure AD.

  • Enable Multi-Factor Authentication (MFA) for all users.

  • Set up Conditional Access Policies, e.g.:

    • Block sign-ins from high-risk locations.

    • Require MFA for external users.

  • Implement Privileged Identity Management (PIM) to protect admin accounts.

  • Use Identity Protection to detect leaked credentials and unusual login behaviors.

Conditional Access Policy: Block High-Risk Sign-Ins

# AzureAD module (run Connect-AzureAD first); the cmdlet takes typed condition/control objects, not hashtables
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"   # in production, exclude a break-glass account via ExcludeUsers
$conditions.UserRiskLevels = @("high")
$conditions.SignInRiskLevels = @("high")
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("block")
New-AzureADMSConditionalAccessPolicy -DisplayName "Block High-Risk Sign-ins" -State "enabled" -Conditions $conditions -GrantControls $controls

Step 3: Deploy Microsoft Intune for Endpoint Security

Tasks:

  • Enroll Windows, macOS, iOS, and Android devices.

  • Enforce device compliance policies, e.g.:

    • Require BitLocker encryption.

    • Block jailbroken/rooted devices.

    • Restrict access to unmanaged devices.

  • Deploy Microsoft Defender Antivirus via Intune policies.

  • Enable App Protection Policies to secure Office 365 apps on mobile.

Intune Compliance Policy for Windows Devices

# Intune PowerShell SDK (Microsoft.Graph.Intune, run Connect-MSGraph first); jailbreak/root checks belong to the iOS/Android policy types, not Windows
New-IntuneDeviceCompliancePolicy -windows10CompliancePolicy -displayName "Windows 10 Compliance" -bitLockerEnabled $true -osMinimumVersion "10.0.19044"

Step 4: Enable Microsoft Defender for Endpoint (MDE)

Tasks:

  • Onboarding devices to Microsoft Defender for Endpoint.

  • Configuring Attack Surface Reduction (ASR) rules.

  • Enabling Automated Investigation and Response (AIR) to detect and remediate threats.

  • Integrating MDE with Microsoft Sentinel for SIEM visibility.

PowerShell Command to Onboard a Device to MDE

# Run the Local Script onboarding package downloaded from the Defender portal (Settings > Endpoints > Onboarding) as Administrator, then confirm OnboardingState = 1
Start-Process -FilePath "C:\temp\WindowsDefenderATPLocalOnboardingScript.cmd" -Verb RunAs -Wait; Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name OnboardingState

Step 5: Secure Cloud Apps with Microsoft Cloud App Security (MCAS)

Tasks:

  • Discover and block shadow IT applications.

  • Set up real-time threat detection for cloud apps.

  • Enforce data loss prevention (DLP) policies, such as:

    • Blocking sensitive data from being shared externally.

    • Detecting and preventing unusual download behaviors.

  • Integrate MCAS with Office 365, AWS, and Google Workspace.

MCAS Policy to Detect Mass Downloads

{
  "policyName": "Mass Download Detection",
  "category": "Anomalies",
  "action": "Alert",
  "severity": "High",
  "conditions": {
    "ActivityType": "Download",
    "Threshold": "1000 files in 30 minutes"
  }
}

Step 6: Monitor and Respond to Threats

Tasks:

  • Use the Microsoft Security Center to monitor security alerts.

  • Enable SIEM integration via Microsoft Sentinel for advanced log analysis.

  • Automate threat response using Logic Apps and Playbooks.

Sentinel Query to Detect Unusual Logins

SigninLogs
| where RiskLevelDuringSignIn == "high"   // SigninLogs has RiskLevelDuringSignIn / RiskLevelAggregated, values are lowercase
| summarize count() by UserPrincipalName, Location, DeviceName = tostring(DeviceDetail.displayName)

Cost Analysis and Free Deployment Options

Feature | Free Tier | Paid Tier
Azure AD | Basic authentication, user management | Conditional Access, PIM, Identity Protection
Microsoft Intune | N/A (only in paid EMS) | Full MDM/MAM capabilities
Microsoft Defender for Endpoint | Windows built-in security | Full EDR, threat hunting, ASR
MCAS | N/A | Full cloud security monitoring

Functional Deployment Guide

Step 1: Preparing and Setting Up EMS Licensing

Registering for EMS E5 Trial (90 Days)

  1. Signed in to the Microsoft 365 Admin Center.

  2. Activated the EMS E5 Trial:

    • Navigated to Billing > Purchase Services

    • Searched for Enterprise Mobility + Security E5

    • Clicked Start Free Trial (Valid for up to 250 users)

  3. Assigned EMS Licenses to Users:

    • Went to Admin Center > Users > Active Users

    • Selected users → Click Licenses and Apps

    • Enabled EMS E5 → Click Save Changes

Step 2: Set Up Azure AD for Identity & Access Management

Configured Azure AD Connect (Sync On-Prem Users)

Because we have an on-prem Active Directory (AD), install Azure AD Connect to sync users:

  1. Download Azure AD Connect.

  2. Installed & Configured Sync:

    • Ran AzureADConnect.msi

    • Selected Express Settings (Recommended)

    • Entered On-Prem AD & Azure AD Credentials

    • Enabled Password Hash Sync and Seamless SSO

    • Started Sync Process

Enabled Multi-Factor Authentication (MFA)

  1. Go to Azure AD Admin Center:

  2. Navigate to Security > MFA

  3. Enforce MFA for all users:

    • Click Per-user MFA → Select users → Enable

  4. Configured MFA methods (Authenticator App, SMS, FIDO2 Keys)

Created a Conditional Access Policy

  1. Navigate to Azure AD > Security > Conditional Access

  2. Create a new policy:

    • Name: "Block Risky Sign-ins"

    • Assignments → Target All Users

    • Conditions → Risk Level: High Risk

    • Controls → Select Block Access

    • Enabled Policy

PowerShell Command to Enable Conditional Access for High-Risk Logins

# AzureAD module (run Connect-AzureAD first); the cmdlet takes typed condition/control objects, not hashtables
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"   # in production, exclude a break-glass account via ExcludeUsers
$conditions.UserRiskLevels = @("high")
$conditions.SignInRiskLevels = @("high")
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("block")
New-AzureADMSConditionalAccessPolicy -DisplayName "Block High-Risk Sign-ins" -State "enabled" -Conditions $conditions -GrantControls $controls

Step 3: Deployed Microsoft Intune for Device Management

Enabled Intune MDM Enrollment

  1. Go to Intune Admin Center:

  2. Enabled MDM Enrollment:

    • Navigated to Devices > Enrollment > MDM Authority

    • Set MDM Authority to Intune

  3. Enrolled Devices (Windows, macOS, iOS, Android):

    • Go to Devices > Windows Enrollment > Auto-enrollment

    • Enabled MDM Auto-enrollment for All Users

Created a Compliance Policy for Windows Devices

  1. Go to Intune Admin Center

  2. Created Compliance Policy:

    • Name: Windows 10 Compliance

    • Require BitLocker Encryption

    • Enforce Windows Defender Antivirus

    • Block Jailbroken/Rooted Devices

  3. Assigned Policy to Device Groups

PowerShell Command to Require BitLocker Encryption

# Intune PowerShell SDK (Microsoft.Graph.Intune, run Connect-MSGraph first)
New-IntuneDeviceCompliancePolicy -windows10CompliancePolicy -displayName "Windows 10 Compliance" -bitLockerEnabled $true

Step 4: Deployed Microsoft Defender for Endpoint (MDE)

Onboarded Devices to Microsoft Defender

  1. Go to Microsoft Defender Security Center:

  2. Navigated to Settings > Device Management

  3. Selected Onboarding Method:

    • Windows 10/11: Group Policy, Intune, SCCM

    • macOS: MDM or script

    • Linux: Install Defender ATP agent

  4. Downloaded & Applied Onboarding Script

PowerShell Command to Onboard Windows Device

# Run the Local Script onboarding package downloaded from the Defender portal (Settings > Endpoints > Onboarding) as Administrator, then confirm OnboardingState = 1
Start-Process -FilePath "C:\temp\WindowsDefenderATPLocalOnboardingScript.cmd" -Verb RunAs -Wait; Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -Name OnboardingState

Enabled Attack Surface Reduction (ASR) Rules

  1. Go to Intune Admin Center

  2. Created Device Configuration Profile

    • Name: "ASR Rules Policy"

    • Platform: Windows 10 and later

    • Configure ASR Rules:

      • Block Office Macros

      • Prevent Credential Theft

      • Block Untrusted Executables

  3. Assigned Profile to Device Groups

Step 5: Secure Cloud Applications with Microsoft Cloud App Security (MCAS)

Enabled Cloud App Discovery

  1. Go to Microsoft Defender Portal

  2. Navigate to Cloud Apps > Cloud Discovery

  3. Enable Discovery for Shadow IT

  4. Upload Firewall Logs for Analysis

Created a Data Loss Prevention (DLP) Policy

  1. Navigate to Compliance > Policies > DLP

  2. Create Policy:

    • Name: "Block Sensitive Data Sharing"

    • Apply to OneDrive, SharePoint, Teams

    • Define Rules:

      • Block Credit Card Numbers, SSNs

      • Alert Admin on Unauthorized Sharing

  3. Enabled and Applied Policy

Example JSON Policy for MCAS to Detect Mass Downloads

{
  "policyName": "Mass Download Detection",
  "category": "Anomalies",
  "action": "Alert",
  "severity": "High",
  "conditions": {
    "ActivityType": "Download",
    "Threshold": "1000 files in 30 minutes"
  }
}

Step 6: Monitor & Respond to Threats with Microsoft Sentinel

Enabled Sentinel SIEM Integration

  1. Go to Azure Portal > Microsoft Sentinel

  2. Create a Sentinel Workspace

  3. Connect Data Sources:

    • Azure AD Sign-ins

    • Defender for Endpoint Logs

    • Office 365 Logs

Created Sentinel Analytics Rule

  1. Navigate to Analytics > Create Rule

  2. Rule Type: Scheduled Query

  3. Add the query to detect high-risk logins (Kusto Query Language, KQL, for Sentinel):

SigninLogs
| where RiskLevelDuringSignIn == "high"   // SigninLogs has RiskLevelDuringSignIn / RiskLevelAggregated, values are lowercase
| summarize count() by UserPrincipalName, Location, DeviceName = tostring(DeviceDetail.displayName)

  4. Set Automated Response (Email Alerts, SOAR Playbook)

EMS Deployment Summary

Feature | Status
Azure AD MFA & Conditional Access | ✅ Configured
Intune Device Management | ✅ Devices Enrolled
Defender for Endpoint Protection | ✅ ASR & Threat Protection Enabled
Cloud App Security (MCAS) | ✅ Shadow IT Discovery & DLP Applied
Microsoft Sentinel SIEM | ✅ Threat Monitoring Active

Next Steps:

1. Test the policies on pilot users before full deployment.
2. Regularly review Azure AD Sign-in logs and Defender alerts.
3. Use Microsoft Secure Score to improve security posture.

Automating Incident Response with Microsoft Sentinel & Power Automate (SOAR)

Part 1: Automating Incident Response with Power Automate Playbooks

Step 1: Enabled Microsoft Sentinel Automation

  1. Go to Azure Portal > Microsoft Sentinel

  2. Navigate to "Automation" > Playbooks

  3. Click "Create a Playbook"

    • Name: Auto-Block-High-Risk-Users

    • Select Resource Group

    • Enable Managed Identity

    • Click Create

Step 2: Built a Power Automate Playbook

  1. Go to Power Automate:

  2. Created an Automated Flow:

    • Trigger: "When an incident is created in Sentinel"

    • Condition: If Risk Level == High

    • Action:

      • Send an alert to Security Team (Teams/Email)

      • Block user in Azure AD

      • Log event in Sentinel

Power Automate Workflow

Trigger: "New Incident Created in Microsoft Sentinel"
    Condition: "If Risk Level is High"
        Action 1: "Send Teams Notification to Security Team"
        Action 2: "Disable Azure AD User Account"
        Action 3: "Log Incident in Sentinel for Analysis"

Step 3: Created an Azure AD Block User Action

  1. Inside Power Automate Playbook, add a new HTTP Action

  2. Configured HTTP Request to Azure AD API:

Step 4: Assigned Playbook to Sentinel Incidents

  1. Go to Sentinel > Automation > Playbooks

  2. Select Playbook: "Auto-Block-High-Risk-Users"

  3. Attach it to a Sentinel Analytics Rule (e.g., "Detect Unusual Login Locations")

  4. Enable Playbook Execution on Alert Trigger

Part 2: Custom Microsoft Sentinel Queries (KQL)

Step 1: Detected Mass Login Failures (Brute Force Attack)

KQL Query to Detect High Failed Logins

SigninLogs
| where ResultType == "50126"  // Login failures
| summarize failedLogins=count() by UserPrincipalName, bin(TimeGenerated, 15m)
| where failedLogins > 10
| order by failedLogins desc

What This Does:

  • Detects users with >10 failed login attempts in 15 minutes

  • Helps identify brute force attacks

Step 2: Detect Impossible Travel Logins

KQL Query to Detect Login from Two Countries in <1 Hour

SigninLogs
| where ResultType == "0"   // successful sign-ins only
| summarize countries=make_set(Location), firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated) by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(countries) > 1   // grouping by Location would never show two countries in one row
| extend timeDiff = datetime_diff('minute', lastSeen, firstSeen)
| where timeDiff < 60

What This Does:

  • Identifies users logging in from different countries within an hour

  • Helps detect account compromise (impossible travel rule)

Step 3: Detect Mass Data Download from OneDrive/SharePoint

KQL Query for Data Exfiltration Detection

CloudAppEvents
| where ActionType == "FileDownloaded"
// CloudAppEvents has no UserPrincipalName or Device column; use the Account* and DeviceType fields
| summarize downloadedFiles=count() by AccountDisplayName, AccountObjectId, DeviceType, bin(TimeGenerated, 30m)
| where downloadedFiles > 100
| order by downloadedFiles desc

What This Does:

  • Flags users downloading >100 files within 30 minutes

  • Helps detect insider threats and data exfiltration
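The three detections in Steps 1 to 3 (failed-login bursts, impossible travel, mass downloads) implemented in Python over constructed sample rows, as an added example that is not part of the original post. It also applies the trusted-IP exclusion from the later fine-tuning section, and for impossible travel it compares consecutive sign-ins rather than fixed one-hour bins, so a pair that straddles a bin edge is still caught. All user names, IPs and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real tenant data); field names mirror the SigninLogs
# and CloudAppEvents columns used in the KQL above.
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-05-01T09:00:00", "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "Location": "US", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T09:40:00", "UserPrincipalName": "alice@contoso.example",
     "ResultType": "0", "Location": "DE", "IPAddress": "198.51.100.7"},   # 40 min, two countries
    {"TimeGenerated": "2024-05-01T09:05:00", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "0", "Location": "US", "IPAddress": "203.0.113.11"},
    {"TimeGenerated": "2024-05-01T13:00:00", "UserPrincipalName": "bob@contoso.example",
     "ResultType": "0", "Location": "DE", "IPAddress": "198.51.100.8"},   # ~4 h apart: plausible travel
]
# 12 failed sign-ins (ResultType 50126) against carol inside one 15-minute window, one source IP
SIGNIN_LOGS += [
    {"TimeGenerated": f"2024-05-01T10:{m:02d}:00", "UserPrincipalName": "carol@contoso.example",
     "ResultType": "50126", "Location": "US", "IPAddress": "192.0.2.99"}
    for m in range(12)
]
# 120 OneDrive downloads by dave spaced 10 s apart, all inside one 30-minute window
CLOUD_APP_EVENTS = [
    {"TimeGenerated": f"2024-05-01T11:{i * 10 // 60:02d}:{i * 10 % 60:02d}",
     "AccountDisplayName": "dave", "ActionType": "FileDownloaded"}
    for i in range(120)
]


def _bin(ts, minutes):
    """Floor an ISO timestamp to a fixed window, like KQL bin(TimeGenerated, Nm) for N dividing 60."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)


def failed_login_bursts(logs, threshold=10, window=15, trusted_ips=()):
    """Brute-force query: failures per user per window, keep windows above threshold.
    trusted_ips reproduces the false-positive tuning step (exclude known source IPs)."""
    counts = defaultdict(int)
    for e in logs:
        if e["ResultType"] == "50126" and e["IPAddress"] not in trusted_ips:
            counts[(e["UserPrincipalName"], _bin(e["TimeGenerated"], window))] += 1
    hits = [(u, b, n) for (u, b), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda r: r[2], reverse=True)


def impossible_travel(logs, max_minutes=60):
    """Successful sign-ins by one user from two different Locations less than max_minutes apart.
    Compares consecutive sign-ins, so a pair that straddles a fixed 1 h bin is still caught."""
    by_user = defaultdict(list)
    for e in logs:
        if e["ResultType"] == "0":
            by_user[e["UserPrincipalName"]].append((datetime.fromisoformat(e["TimeGenerated"]), e["Location"]))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, loc1), (t2, loc2) in zip(events, events[1:]):
            if loc1 != loc2 and t2 - t1 < timedelta(minutes=max_minutes):
                hits.append((user, loc1, loc2, int((t2 - t1).total_seconds() // 60)))
    return hits


def mass_downloads(events, threshold=100, window=30):
    """Data-exfiltration query: FileDownloaded events per account per window, keep windows above threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["ActionType"] == "FileDownloaded":
            counts[(e["AccountDisplayName"], _bin(e["TimeGenerated"], window))] += 1
    return [(u, b, n) for (u, b), n in counts.items() if n > threshold]
```

With the sample rows, only carol's window, alice's US-to-DE pair and dave's download burst are reported; adding carol's source IP to trusted_ips silences the brute-force hit, which is the tuning knob the later section describes.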

Part 3: Automate Response Actions

Step 1: Auto-Suspend Users on Suspicious Logins

Power Automate HTTP Request to Disable a User

Trigger: "KQL Query Detects Impossible Travel"
    Action: 
        HTTP PATCH to Microsoft Graph (updating a user is a PATCH, not a POST):
            URL: "https://graph.microsoft.com/v1.0/users/{userID}"
            Headers: 
                {
                   "Authorization": "Bearer {Token}",
                   "Content-Type": "application/json"
                }
            Body: 
                {
                   "accountEnabled": false
                }

What This Does:

  • If a Sentinel query detects suspicious login, the Playbook automatically disables the user
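The Graph call sketched above as a Python function, added here as an example and not part of the original playbook: it sends the PATCH that sets accountEnabled to false and then calls revokeSignInSessions, because disabling the account alone leaves already-issued tokens usable until they expire. contain_user, dry_run_sender and the placeholder user id are constructed for this example; the permission name is Microsoft Graph's.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_requests(user_id, token):
    """Build the Graph calls a 'disable user' playbook step needs, in order.
    1. PATCH /users/{id} with accountEnabled=false (an update, so PATCH rather than POST).
    2. POST /users/{id}/revokeSignInSessions, because disabling the account does not
       invalidate refresh tokens already issued; revoking sessions forces re-authentication.
    Least privilege: the PATCH works with the application permission
    User.EnableDisableAccount.All instead of the broader User.ReadWrite.All."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    disable = urllib.request.Request(
        f"{GRAPH}/users/{user_id}", method="PATCH", headers=headers,
        data=json.dumps({"accountEnabled": False}).encode())
    revoke = urllib.request.Request(
        f"{GRAPH}/users/{user_id}/revokeSignInSessions", method="POST", headers=headers, data=b"")
    return [disable, revoke]


def contain_user(user_id, token, send=urllib.request.urlopen):
    """Run the calls in order and return (method, url, status) per call.
    `send` is injectable so the logic can be exercised without a tenant
    (constructed helper for this example, not a Power Automate action)."""
    results = []
    for req in containment_requests(user_id, token):
        with send(req) as resp:   # urlopen raises on 4xx/5xx, so a failed disable stops before revoke
            results.append((req.get_method(), req.full_url, resp.status))
    return results


def dry_run_sender(log):
    """Return a `send` that records each request in `log` instead of calling Graph."""
    class _Resp:
        status = 204
        def __enter__(self):
            return self
        def __exit__(self, *exc):
            return False

    def send(req):
        log.append((req.get_method(), req.full_url, req.data))
        return _Resp()
    return send
```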

Step 2: Block IP Address for Attackers

KQL Query to Identify Malicious IPs

SigninLogs
| where ResultType == "50126"
| summarize failedAttempts=count() by IPAddress
| where failedAttempts > 50
| order by failedAttempts desc

Power Automate Action to Block IP

Trigger: "Sentinel Detects Malicious IP"
    Action: 
        HTTP POST to Azure Firewall:
            URL: "https://management.azure.com/subscriptions/{subscriptionID}/resourceGroups/{resourceGroup}/providers/Microsoft.Network/azureFirewalls/{firewallName}/rules/{ruleName}"
            Headers: 
                {
                   "Authorization": "Bearer {Token}",
                   "Content-Type": "application/json"
                }
            Body: 
                {
                   "action": "Deny",
                   "sourceIP": "{IPAddress}"
                }

What This Does:

  • Sentinel detects multiple failed logins from malicious IPs

  • Playbook automatically blocks the IP in Azure Firewall

End-to-End Security Automation

Task | Status
Automated User Blocking | ✅ Implemented
Brute Force Attack Detection | ✅ Active
Impossible Travel Rule | ✅ Deployed
Data Exfiltration Alerts | ✅ Configured
IP Blocking in Azure Firewall | ✅ Enabled

Next Steps

1. Test Playbooks in a Safe Environment
2. Integrate Playbooks with Microsoft Teams for Alerting
3. Monitor Sentinel Logs for False Positives

Sentinel Dashboards, SOAR Integrations & Fine-Tuning Policies

Now that we’ve set up automated security responses, let’s optimize Sentinel dashboards, integrate SOAR with third-party tools (ServiceNow, Slack, SIEMs), and fine-tune response policies for better incident management.

Part 1: Building Custom Sentinel Dashboards (Advanced KQL Queries & Workbooks)

Microsoft Sentinel provides custom dashboards (Workbooks) to visualize security logs, attack trends, and incident responses. Let’s build an interactive security dashboard to monitor key threats.

Step 1: Created a Custom Sentinel Workbook

  1. Go to Azure Portal > Microsoft Sentinel

  2. Navigate to Workbooks > Create New Workbook

  3. Add Data Source: Click "Add Query" and select Azure AD Sign-ins, Defender for Endpoint, or Office 365 Logs

  4. Insert Custom KQL Queries for Real-Time Data Visualization

KQL Query: Detect High-Risk Logins Over Time

SigninLogs
| where RiskLevelDuringSignIn == "high"   // SigninLogs column is RiskLevelDuringSignIn, values are lowercase
| summarize count() by bin(TimeGenerated, 1h)
| render timechart

What This Does:

  • Generates a time-based graph of high-risk logins

  • Helps security teams monitor peak attack hours

KQL Query: Top 10 Users with Failed Logins

SigninLogs
| where ResultType == "50126"
| summarize failedAttempts=count() by UserPrincipalName
| top 10 by failedAttempts desc   // top needs its own "by" clause; a preceding order by is redundant

What This Does:

  • Identifies the top 10 users with the most failed logins

  • Useful for detecting brute force or password spraying attacks

KQL Query: Data Exfiltration Alerts from OneDrive/SharePoint

CloudAppEvents
| where ActionType == "FileDownloaded"
| summarize downloadCount=count() by AccountDisplayName, bin(TimeGenerated, 30m)   // no UserPrincipalName column in CloudAppEvents
| where downloadCount > 50
| render columnchart

What This Does:

  • Shows users downloading over 50 files within 30 minutes

  • Helps detect potential insider threats or compromised accounts

Step 2: Customized Dashboard Visualizations

  1. Use Pie Charts: User-based attack distribution

  2. Use Time Charts: Trending login failures

  3. Use Geo Maps: Logins from suspicious countries

  4. Save Workbook and Pin to Sentinel Dashboard

Part 2: Integrating Sentinel with SOAR Platforms (ServiceNow, Slack, Other SIEMs)

Step 1: ServiceNow Integration for Incident Management

ServiceNow can be used to automate Sentinel incident ticketing for better security operations.

Power Automate Playbook to Auto-Create ServiceNow Tickets

Trigger: "New High-Risk Incident in Sentinel"
    Action: 
        HTTP POST to ServiceNow API:
            URL: "https://your-instance.service-now.com/api/now/table/incident"
            Headers: 
                {
                   "Authorization": "Basic {encoded_credentials}",
                   "Content-Type": "application/json"
                }
            Body: 
                {
                   "short_description": "High-Risk Login Detected",
                   "description": "Suspicious login detected from {Location}. User: {UserPrincipalName}",
                   "urgency": "High",
                   "assignment_group": "Security Operations"
                }

What This Does:

  • If a high-risk login is detected, a ServiceNow ticket is automatically created

  • The Security team is notified with user details & login location

Step 2: Slack Integration for Security Alerting

Instead of relying solely on email alerts, integrate Sentinel with Slack for real-time security notifications.

Power Automate Playbook: Send Security Alerts to Slack

Trigger: "High-Severity Incident in Sentinel"
    Action: 
        HTTP POST to Slack Webhook:
            URL: "https://hooks.slack.com/services/{webhook_ID}"
            Headers: 
                {
                   "Content-Type": "application/json"
                }
            Body: 
                {
                   "text": "🚨 *Security Alert*: A suspicious login was detected from {Location}. User: {UserPrincipalName}."
                }

What This Does:

  • Sends real-time security alerts to a Slack channel

  • Security team can review alerts instantly

Step 3: Integrated Sentinel with External SIEMs

If you’re using Splunk, QRadar, or ArcSight, you can send Sentinel logs to external SIEMs.

Export Sentinel Logs to Splunk

  1. Go to Sentinel > Data Connectors > Syslog

  2. Enable Log Forwarding to Splunk using Log Analytics Agent

  3. Send logs using Kusto Query Language (KQL)

  4. Configure Splunk to pull logs using Azure Monitor API

Part 3: Fine-Tuning Sentinel Policies for Better Incident Response

Step 1: Modify Sentinel Analytics Rules to Reduce False Positives

  1. Go to Microsoft Sentinel > Analytics

  2. Edit Rules That Trigger Too Many Alerts

  3. Refine KQL Queries:

    • Exclude known trusted IP addresses

    • Apply threshold conditions to prevent unnecessary alerts

Example: Exclude Trusted IPs from High-Failure Login Alert

SigninLogs
| where ResultType == "50126"
| where IPAddress !in ("192.168.1.1", "10.0.0.1") // Exclude trusted IPs
| summarize failedAttempts=count() by UserPrincipalName
| where failedAttempts > 10

Step 2: Improved Incident Response Time with Playbooks

  1. Auto-Escalate Incidents in Sentinel

    • If 3+ failed logins occur within 5 minutes, automatically trigger an incident escalation

  2. Trigger Auto-Remediation Playbooks

    • If an account shows signs of compromise (e.g., impossible travel login, mass data download), Sentinel should:

      • Disable the user account

      • Send an alert to SOC

      • Block the attacker’s IP in Azure Firewall

Power Automate Playbook: Auto-Disable User on Account Compromise

Trigger: "Sentinel Detects Suspicious Login"
    Condition: "If login is from an unauthorized country"
        Action 1: "Send Teams Alert"
        Action 2: "Disable Azure AD User"
        Action 3: "Block IP in Firewall"

Final Deployment Checklist

Task | Status
Create Custom Sentinel Dashboard | ✅ Completed
Integrate Sentinel with ServiceNow | ✅ Done
Automate Slack Security Alerts | ✅ Enabled
Forward Sentinel Logs to Splunk | ✅ Configured
Refine Sentinel Queries (Reduce False Positives) | ✅ Optimized
Enable Auto-Remediation Playbooks | ✅ Activated

Conclusion

In conclusion, deploying Microsoft EMS (Enterprise Mobility + Security) is a strategic move for organizations aiming to bolster their cybersecurity posture. By integrating advanced tools like Azure AD, Microsoft Intune, Microsoft Defender, and Microsoft Cloud App Security, businesses can effectively manage identities, secure devices, and protect against sophisticated threats. The step-by-step deployment guide provided ensures a comprehensive approach to implementing these solutions, while the automation of incident response through Microsoft Sentinel and Power Automate enhances the efficiency of security operations.
