Following on from an earlier post, this post covers the MS365 area of Microsoft certifications and how they may be of relevance from a security perspective.
MS365 Certification options
Compared to other areas considered, MS365 has the fewest certifications available that we can consider.
MS365 study areas are similar to traditional IT, now called "Modern Workplace".
As such, the topics range from users and devices to messaging services.
The main security topics are tied into increasing the MS365 Secure Score, through enabling MFA and securing MS365 online services, as well as the organisation's devices.
In the past, there was a large emphasis on Exchange Online (EXO) as well.
I still consider EXO familiarity to be very useful when investigating account compromise.
However, from the certification side, both the messaging and troubleshooting Exchange exams have been retired.
This makes the MS365 area one of the smaller areas - there are only three certifications available that are (a) current, and (b) not focused on Microsoft Teams tasks.
That is, the below are no longer attainable or are about to be retired:
- Microsoft 365 Certified: Exchange Online Support Engineer Specialty (retired July 2023)
- Microsoft 365 Certified: Messaging Administrator Associate (to be retired December 2023)
It isn't clear whether there hasn't been large enough demand for these, or whether MS may not wish to invest the resources to rewrite the exams for the new PowerShell modules (due to the retirement of the MSOnline modules).
The available certifications are the three listed below (not counting the various Teams-related certifications):
- Microsoft 365 Certified: Fundamentals
- Microsoft 365 Certified: Endpoint Administrator Associate
- Microsoft 365 Certified: Administrator Expert
Analysis
The overall MS365 area is about securing users, not workloads, and the study areas reflect this.
The Fundamentals offering is surprisingly useful, as it covers such topics as Office 365 update strategies.
Endpoint Administrator, while security is a major part of it, is designed to cover Intune and other endpoint management considerations.
Administrator (formerly Enterprise Administrator) is perhaps the most security-focused offering here, with a large section on AzureAD (Entra ID) and related topics.
However, there is no coverage of securing Azure workloads, and AzureAD is perhaps covered with more of a security focus in Identity and Access Administrator Associate instead (more details here).
In a smaller organisation, the topic coverage is suitable for a small IT team - in a dedicated security function, there is more focused content in either Azure or Security and Compliance areas.
That said, have a look at the Exchange Online documentation and prepare an incident response plan for email compromise if you haven't already.