Modern Workplace

Staying Protected

Security Roadmap Course

With our Security roadmap, you will have a comprehensive security solution that protects your business against advanced cyberthreats.

Protected Trust is proud to offer an online self-paced security course.


Course Introduction

Welcome to the Online Course for Office 365 Security Roadmap. This course is designed for Security and Global Administrators in Office 365.  We will instruct and demonstrate how to configure different security policies in your Office 365 tenant.

If you are signed into your tenant and do not see some of the features displayed in this video, please confirm that you have the proper security licensing before proceeding.  

Advanced Threat Protection

Configuring Notifications for Admins and End Users

Before we get started on setting up security policies, first we will show you how to configure notifications.  Whether your organization wishes to have admins alerted for messages quarantined or end-users (or both), we recommend this as the first step.

Anti-Phishing Policy

Microsoft has just released their Security Intelligence Report (SIR), its annual cybersecurity summary, and it reveals phishing is still the most popular way for cyber-criminals to attack, giving security experts everywhere headaches.

In this video we will show you how to prevent phishing attempts inside your organization.

Anti-Malware Policy

Malware is comprised of viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware refers to malware that gathers your personal information, such as sign-in information and personal data, and sends it back to the malware author.

Office 365 has built-in malware and spam filtering capabilities that help protect inbound and outbound messages from malicious software and help protect you from spam. Admins don't need to set up or maintain the filtering technologies, which are enabled by default. However, they can make company-specific filtering customizations in the Exchange admin center (EAC).

Safe Attachments Policy

You can train your employees to be extra vigilant when opening email attachments, but the fact of the matter remains that it only takes one person to mess up once to allow malicious agents into your organization.

In this video, we will show you how to setup an additional layer of protection to prevent employees who open malicious attachments from infecting their systems.

Safe-Links Policy

Phishing emails have become very convincing. No longer are we sent emails from a Nigerian Prince begging us to take his money, but rather we are sent very convincing emails from our banks, restaurants, online media companies, and from the people we work with. As we stated in our Safe-Attachments section, there is only so much training can do to prevent employees from opening malicious attachments and the same goes for employees clicking on a malicious link.

In this video, we demonstrate how to turn on Safe-Links, so that your employees are protected when they click on a link in an email that may not be legitimate.

Anti-Spam Policy

Are you concerned about too much spam in Office 365? Though multiple spam filters are built into your Office 365 service, you may want to change a protection setting to deal with a specific issue in your organization—say you're receiving a lot of spam from a particular sender, for example—or to simply fine tune your settings so that they're tailored to best meet the needs of your organization.

SPF - Sender Policy Framework


Sender Policy Framework (SPF) is a simple email-validation system designed to detect email impersonation. The purpose of an SPF record is to prevent spammer from sending messages with forged ‘From’ addresses at your domain. This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.

Implementing SPF

Protect your customer, your brand, and your business from spoofing and phishing attacks by authenticating your email with SPF. Ready to create an SPF record? Follow these steps to get started.

Collecting Email Services

The first step in implementing SPF is to gather a list of mail servers you use to send email from your domain. Normally organizations send mail from many places. Be sure to include all mail servers used to send mail on your behalf.

Compile Sources into an SPF Record

Once all domains that send mail on your behalf are gathered, you'll need to find each domain's unique IP address or IP range. These addresses will be added as "includes" in your SPF record. Most third party mail services will offer a help article with information regarding mail server IP ranges.

Understanding SPF Records

Understanding the format of SPF records is crucial to ensuring you’re getting the most out of your spam and phishing safeguards. Let’s take a closer look at how SPF records are constructed.

SPF Mechanisms

An SPF record contains multiple mechanisms, or parameters, that dictate it’s behavior. These parameters include:

  • Defining the DNS A record of the target domain.
  • Defining the DNS MX record of the target domain.
  • Defining the IPv4 range of addresses.
  • And much more.

Good SPF Records - Examples

A carefully tailored SPF record will reduce the likelihood of your domain name getting fraudulently spoofed and keep your messages from being flagged as spam before reaching their destination. Here are a few examples of effective, validated SPF records.

Common Mistakes

SPF records can appear fairly simple, but including a multitude of different server configurations can quickly become complicated. Let’s look at a few common mistakes for SPF records.

Validating an SPF Record

Validating an SPF record is an essential part is implementing SPF to prevent possible spam and phishing attacks. This video explains how to properly validate your SPF record with various tools available.

Publishing an SPF Record

Once you created and validated your SPF record, it’s time to begin the publishing process. Once published, mailbox providers will be able to reference the record.

Validating an SPF Record

Validating an SPF record is an essential part is implementing SPF to prevent possible spam and phishing attacks. This video explains how to properly validate your SPF record with various tools available.

Next: DKIM

In this section, we’ve demonstrated how to properly engineer and implement an SPF record to safeguard against spam and phishing attacks. In the next section, we’ll discover how SPF works with DKIM (DomainKeys Identified Mail) to further bolster your secure mail environment.

DKIM - DomainKeys Identified Mail


DKIM, or DomainKeys Identified Mail, adds yet another layer of security to your organization's email ecosystem. In this section we'll explain the value of DKIM, along with steps to implement DKIM for your organization.

Imeplementing DKIM

Implementing DKIM in Office 365 is a fairly straightforward process. Follow these simple steps to get started.

Collecting your Domains

Let's take a closer look at inventorying all of our relevant domains.

NOTE: Be sure to consider ALL domains your organization may send mail from, as this is a commonly overlooked step.

Compiling Sources into a DKIM Record

In this lesson, we’ll take the data that we’ve collected and, using the provided format, create our custom DKIM record.

Publish your DKIM Records

Once our DKIM record has been created, we'll next log into our DNS provider and publish the record for testing and deployment.

Testing your DKIM Records

An important step to enabling DKIM is to ensure that the record has been created correctly and is valid. Follow along as we do a DNS lookup to do so.

Enable DKIM Signing

Once our records have been published and tested to be valid, we will enable DKIM Signing in Office 365.

DKIM - Final Thoughts

That's it! DKIM signing for your emails is now enabled. Most organization's email environments are unique, so ensure that you've followed the proper steps for every domain and third-party service that you utilize to send emails.


Domain-based Message Authentication, Reporting & Conformance


Our final safeguard for defending against potential threats is called DMARC. DMARC uses both SPF and DKIM to validate the "alignment" of a message to control what happens with the result from both tests. This offers an added layer of protection.

How DMARC Works

How exactly does DMARC work? Essentially, a sender’s DMARC record instructs a recipient of next steps (e.g., do nothing, quarantine the message, or reject it) if suspicious email claiming to come from a specific sender is received.

Why Do We Need DMARC?

As SPF may not protect from any and all potential email threats, DMARC offers an additional layer of security by using SPF and DKIM together.

Implementing DMARC - An Overview

Let's look at a brief overview of how to implement DMARC in our environment.

Review - Deploy Both SPF and DKIM

SPF and DKIM MUST be deployed in our environment to enable DMARC. These steps are provided in previous lessons of this course.

Ensuring SPF and DKIM Alignment

Before enabling DMARC signing, we must ensure that SPF and DKIM are properly configured and published.

Publish a DMARC Record

To publish a DMARC record, we must create a new DNS record. Use our example provided as your guideline.

Reviewing DMARC Reports

A great feature of DMARC is the ability to view activity through reports of delivery information. This includes details on SPF and DKIM statuses of related email messages.

Change Record Flag to Quarantine Messages

Once you're confident that DMARC is properly configured, you can now change the DMARC record flag to enable proper reporting of future email messages.

Multi-factor Authentication


Multi-factor Authentication offers an additional layer of security for your users. While using their password to log in, users must additional provide an approval from a personal registered device to further verify their identity.

Getting Started - Modern Authentication

Before setting your users up with Multi-factor Authentication, 'Modern Authentication' must first be enabled in the Office 365 admin center. Modern Authentication offers access to additional security features such as Single Sign-on.

Enable MFA for Individual Users

In this lesson, we'll be manually enabling Multi-factor Authentication for individual users.

Note: Once activated, affected users will be prompted to to begin their setup of Multi-factor Authentication on next login to any Office 365 services.

Link to register your Multi-factor Authentication:

Set up and Sign in as an End User with MFA

Once enabled, end users with Multi-factor Authentication will be prompted on next login to Office 365 to begin the setup process. This includes downloading and setting up the mobile authenticator app.

Enable and Enforce MFA with a Custom Policy

Set up a custom policy to automatically enable Multi-factor Authentication for new users in your organization.


Enforce MFA for Administrators via Policy

In this lesson we'll be creating a custom conditional access policy which enforces Multi-factor Authentication for only our organization administrators. These policies can be created for any type of user roles in Office 365.


Secure Score


Microsoft Office 365's Secure Score is your personal cyber security consultant. Not only does Secure Score's AI review and suggest improvements to your organization's security, but it will also give you step by step instructions on how to implement the suggestions.

Advanced Tips

Custom Company Branding

Let's take a look at using Office 365's custom branding for your environment. Creating a customized login page in Office 365 can help ensure that your users avoid losing login information to potential phishing attacks.

Conditional Access

Yet another must have safeguard, conditional access can help secure the identity of your users by preventing them from logging in from suspicious locations and devices.

Enable Audit Logging

Audit logging in the Office 365 Security & Compliance Center allows you to track most activities of your users such as:

  • Viewing a specific document
  • Deleting items from their mailbox
  • Activities in nearly all Office 365 suites
  • Much more

Follow along to enable your Office 365 audit log.

To enable audit logging:

Audit Log - Examples

Let's take a look at a few examples of audit log searches. Search criteria can range anywhere from file history to any administrative changes within Office 365.

Course Wrap Up

Course Wrap Up

Get a Modern Workplace and keep your company up-to-date, safe and secure...

Bring the best of Microsoft 365 and your employees together with the right tools, new ways to work, all while staying protected.


Schedule an Introduction