Assessing Microsoft 365 security solutions using the NIST Cybersecurity Framework

This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 security solutions. In this series, you’ll find context, answers, and guidance for deployment and driving adoption within your organization. Check out our last blog New FastTrack benefit: Deployment support for Co-management on Windows 10 devices.

Microsoft 365 security solutions align to many cybersecurity protection standards. One widely-adopted standard is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Developed for the US government, NIST CSF is now also used by governments and enterprises worldwide as a best practice for managing cybersecurity risk. Mapping your Microsoft 365 security solutions to NIST CSF can also help you achieve compliance with many certifications and regulations, such as FedRAMP, and others.

Microsoft 365 security solutions are designed to help you empower your users to do their best work securely, from anywhere and with the tools they love. Our security philosophy is built on four pillars: identity and access management, threat protection, information protection, and security management. Microsoft 365 E5 (see Figure 1.) includes products for each pillar that work together to keep your organization safe.  

Figure 1. The Microsoft 365 security solutions

At the heart of NIST CSF is the Cybersecurity Framework Core – a set of “Functions” and related outcomes for improving cybersecurity (see Figure 2). In this blog, we’ll show you examples of how you can assess Microsoft 365 security capabilities using the four Function areas in the core: Identify, Protect, Detect and Respond.* We’ll also provide practical tips on how you can use Microsoft 365 Security to help achieve key outcomes within each function.

Figure 2. The NIST Cybersecurity Framework Core


“Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”

The purpose of this function is to gain a better understanding of your IT environment and identify exactly which assets are at risk of attack. From there, you can start to align these assets and associated risks to your overall business goals (including regulatory and industry requirements) and prioritize which assets require attention.

For example, the Asset management category is about identifying and managing the data, personnel, devices, and systems that enable an organization to achieve its business purpose in a way that is consistent with their relative importance to business objectives and the organization’s risk strategy.

Microsoft 365 security solutions help identify and manage key assets such as user identity, company data, PCs and mobile devices, and cloud apps used by company employees. First, provisioning user identities in Microsoft Azure Active Directory (AD) provides fundamental asset and user identity management that includes application access, single sign-on, and device management. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory. (See Figure 3.) This capability allows for a common secure identity for users of Microsoft Office 365, Azure, and thousands of other Software as a Service (SaaS) applications pre-integrated into Azure AD.

Figure 3. Through Azure AD Connect, you can integrate your on-premises directories with Azure Active Directory

Deployment Tip: Start by managing identities in the cloud with Azure AD to get the benefit of single sign-on for all your employees. Azure AD Connect will help you integrate your on-premises directories with Azure Active Directory.


“Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”

The Protect function focuses on policies and procedures to protect data from a potential cybersecurity attack.

Microsoft 365 security solutions support NIST CSF related categories in this function.  For example, the Identity management and access control category is about managing access to assets by limiting authorization to devices, activities, and transactions. Your first safeguard against threats or attackers is to maintain strict, reliable, and appropriate access control. Azure Active Directory Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk (see Figure 4.) Based on these conditions, you can then set the right level of access control. For access control on your networks.

Figure 4. Azure AD Conditional Access evaluates a set of configurable conditions, including user, device, application, and risk

Deployment Tip: Manage access control by configuring conditional access policies in Azure AD. Use conditional access to apply conditions that grant access depending on a range of factors or conditions, such as location, device compliance, and employee need. 


“Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”

The Detect function covers systems and procedures that help you monitor your environment and detect a security breach as quickly as possible.

Microsoft 365 security solutions provide you with solutions that detect and protect against Anomalies and events in real time.  Microsoft 365 security solutions offer advanced threat protection (see Figure 5.), security and audit log management, and application whitelisting to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Microsoft 365 has capabilities to detect attacks across these three key attack vectors:

  • Device-based attacksWindows Defender Advanced Threat Protection provides near-instant detection and blocking of new and emerging threats using advanced file and process behavior monitoring and other heuristics. The Alerts queue shows a list of alerts that are flagged from machines in your network.
  • Email-based attacksOffice 365 Advanced Threat Protection protects your emails, attachments, online storage, files, and environment through a variety of technology, including Safe Attachments, Exchange Online Protection, and rich reporting and tracking insights
  • Identity credential attacksAzure Advanced Threat Protection Azure ATP takes information from logs and network events to learn the behavior of users in the organization and build a behavioral profile about them. Then it detects suspicious activities, searching for malicious attacks, abnormal behavior, and security issues and risks.

Figure 5. Threat detection integrated across Microsoft 365


“Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events”

The Respond Function provides guidelines for effectively containing a cybersecurity incident once it has occurred through development and execution of an effective incident response plan.

Microsoft 365 security solutions directly support the Response Planning category based on a variety of visibility reports and insights. Azure AD Access and Usage reports allow you to view and assess the integrity and security of your organization’s implementation of Azure AD. With this information, you can better determine where possible security risks may lie and adequately plan to mitigate those risks. These reports are also used for event Mitigation including anomaly reports, integrated application reports, error reports, user-specific reports, and activity logs that contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days.  Supporting the Analysis category, Microsoft offers guidance and education on Windows security and forensics to give organizations the ability to investigate cybercriminal activity and more effectively respond and recover from malware incidents.

Want to Learn More?

For more information and guidance on assessing Microsoft 365 security solutions using the NIST CSF, check out the whitepaper.

Deployment Tip: For more help with Microsoft 365 security, consider FastTrack for Microsoft 365. Whether you’re planning your initial Microsoft 365 Security rollout, need to onboard your product, or want to drive end user adoption, FastTrack is your benefit service and is ready to assist you. Get started at FastTrack for Microsoft 365.

* Although Microsoft offers customers some guidance and tools to help with certain the fifth “Recover” function (data backup, account recovery), Microsoft 365 doesn’t specifically address this function. Note also that Microsoft isn’t endorsing this NIST framework – there are other standards for cybersecurity protection – but we find it helpful to baseline against commonly used scenarios.

More blog posts from this series: