This repository contains the take‑home materials, checklists, diagrams, and operational guides from the NCLGISA Spring Symposium session “Blue Team Guide to Defending Your Microsoft 365 Environment for SLED” by Matt Bryson.
SLED organizations (State, Local, and Education) face unique constraints: limited staff, tight budgets, hybrid environments, and sophisticated adversaries. This repo provides practical, actionable tools that can be implemented quickly and scaled sustainably.
Repository layout:

- `/appendices` – full technical appendix materials from the talk
- `/checklists` – deployable 30‑day minimum viable baseline
- `/config-examples` – sample Conditional Access, Intune, Defender, and Sentinel rules
- `/diagrams` – architecture diagrams (PNG + draw.io sources)
- `/template` – PowerPoint theme, color palette, images, and slide master notes
- `/scripts` – PowerShell + KQL snippets for detection and response
- `/references` – public links to Microsoft docs used in the presentation
This repo is tailored for:
- County / municipal IT
- Higher ed and K–12
- Agencies operating Microsoft 365 GCC / Commercial / Hybrid
- Teams with 1–5 security staff who need fast, sustainable wins
Topics covered:

- Entra identity protection + Conditional Access
- Intune compliance and device health enforcement
- Defender for Office 365 policies
- Defender XDR incident correlation
- Sentinel SIEM/SOAR integration
- Good → Better → Best tiering model
- NIST SP 800‑171 alignment
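As an added illustration of the kind of baseline check the Conditional Access material targets (this script is not part of the repository or the talk), the following PowerShell uses the Microsoft Graph SDK to read every Conditional Access policy and test the tenant against two controls that are assumed here to be baseline items: an enforced policy requiring MFA for all users on all cloud apps, and an enforced policy blocking legacy authentication clients. The two checks, their criteria, and the output field names are this example's own choices.

```powershell
# Added example, not from the repository: audit Conditional Access policies
# against two ASSUMED baseline controls (MFA for all users on all apps, and
# legacy authentication blocked). Needs the Microsoft.Graph PowerShell SDK and
# a read-only scope; nothing is modified.
#Requires -Modules Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Only enforced policies count. Report-only policies log what would have
# happened but never block a sign-in, so they must not satisfy a baseline check.
$enforced   = $policies | Where-Object { $_.State -eq 'enabled' }
$reportOnly = $policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }

# Check 1: at least one enforced policy scoped to all users and all cloud apps
# whose grant control requires MFA.
$mfaForAll = $enforced | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

# Check 2: at least one enforced policy that blocks the client app types that
# carry legacy (non-modern) authentication: Exchange ActiveSync and "other".
$legacyBlock = $enforced | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

# Summary object; pipe to Format-List or Export-Csv as needed.
[pscustomobject]@{
    EnforcedPolicies   = @($enforced).Count
    ReportOnlyPolicies = @($reportOnly).Count
    MfaForAllUsers     = [bool]$mfaForAll
    LegacyAuthBlocked  = [bool]$legacyBlock
    MfaPolicyNames     = (@($mfaForAll.DisplayName) -join '; ')
    LegacyPolicyNames  = (@($legacyBlock.DisplayName) -join '; ')
}
```

Two caveats when reading the result: the script does not inspect `ExcludeUsers` or `ExcludeGroups`, so a policy that matches here may still exempt more than the intended break-glass accounts and those exclusions should be reviewed by hand; and a `ReportOnlyPolicies` count above zero is a prompt to check whether a control you believe is in force is still only being logged.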
Pull requests are welcome!
If you adapt these materials for your organization, please consider contributing your improvements back to help other SLED teams.