- - NOCSH

- - Ent_O365

- - Strat_O365_Enterprise

- - M365-security-compliance

- - MET150

- - Strat_O365_Enterprise

- - seo-marvel-apr2020

-description: "Summary: Planning and implementation guidance for fast-moving organizations that have an increased threat profile."

-# Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations

-**Applies to**

- **Summary:** Planning and implementation guidance for fast-moving organizations that have an increased threat profile.

-If your organization is agile, you have a small IT team, and your threat profile is higher than average, this guidance is designed for you. This solution demonstrates how to quickly build an environment with essential cloud services that include secure controls from the start. This guidance includes prescriptive security recommendations for protecting data, identities, email, and access from mobile devices.

-## Security solution guidance

-This guidance describes how to implement a secure cloud environment. The solution guidance can be used by any organization. It includes extra help for agile organizations with BYOD access and guest accounts. You can use this guidance as a starting-point for designing your own environment. We welcome your feedback at [CloudAdopt@microsoft.com](mailto:CloudAdopt@microsoft.com).

-****

-|Item|Description|

-|||

-|**Microsoft Security Guidance for Political Campaigns** <br> [:::image type="content" source="../media/d370ce28-ca40-4930-9a2c-907312aa06c8.png" alt-text="Thumbnail for mini poster about security guidance.":::](https://download.microsoft.com/download/B/4/D/B4D520C3-4D0C-4B4D-BFB9-09F0651C2775/MSFT_Cloud_architecture_security%20for%20political%20campaigns.pdf) <br> [PDF](https://download.microsoft.com/download/B/4/D/B4D520C3-4D0C-4B4D-BFB9-09F0651C2775/MSFT_Cloud_architecture_security%20for%20political%20campaigns.pdf) \| [Visio](https://download.microsoft.com/download/B/4/D/B4D520C3-4D0C-4B4D-BFB9-09F0651C2775/MSFT_Cloud_architecture_security%20for%20political%20campaigns.vsdx)|This guidance uses a political campaign organization as an example. Use this guidance as a starting point for any environment.|

-|**Microsoft Security Guidance for Nonprofits** <br> [:::image type="content" source="../media/e4784889-1c69-4067-9a8f-31d31d1eceea.png" alt-text="Thumbnail for security guidance download.":::](https://download.microsoft.com/download/9/4/3/94389612-C679-4061-8DF2-D9A15D72B65F/Microsoft_Cloud%20Architecture_Security%20for%20Nonprofits.pdf) <br> [PDF](https://download.microsoft.com/download/9/4/3/94389612-C679-4061-8DF2-D9A15D72B65F/Microsoft_Cloud%20Architecture_Security%20for%20Nonprofits.pdf) \| [Visio](https://download.microsoft.com/download/9/4/3/94389612-C679-4061-8DF2-D9A15D72B65F/Microsoft_Cloud%20Architecture_Security%20for%20Nonprofits.vsdx)|This guide is slightly revised for nonprofit organizations. For example, it references Office 365 Nonprofit plans. The technical guidance is the same as the political campaign solution guide.|

-|

-## See Also

-[Microsoft cloud for IT architects illustrations](../solutions/cloud-architecture-models.md)

-The **Contributors** tab in the case is where risk analysts and investigators can add other reviewers to the case. Be default, all users assigned the **Insider Risk Management Analysts** and the **Insider Risk Management Investigators** roles are listed as contributors for each active and closed case. Only users assigned the **Insider Risk Management Investigators** role have permission to view files and messages in the Content explorer.

-Role-based access control (RBAC) grants access to resources or information based on user roles. Access to customer tenant data and settings in Lighthouse is restricted to specific roles from the Cloud Solution Provider (CSP) program. To set up RBAC roles in Lighthouse, we recommend using Granular Delegated Admin Privileges (GDAP) to implement granular assignments for users.

-In addition, each MSP customer tenant must qualify for Lighthouse by meeting the following requirements:

-## Requirements for enabling user management

-For customer data to show up in reports on user management pages, including Risky users, Multifactor authentication, and Password reset, customer tenants must have licenses for Azure Active Directory Premium P1 or later. Azure AD Premium P1 is included with Microsoft 365 Business Premium and Microsoft 365 E3.

-## Requirements for enabling threat management

-> [!NOTE]

-> If you're using a non-Microsoft antivirus solution and not Microsoft Defender Antivirus, Microsoft Defender Antivirus is disabled automatically. When you uninstall the non-Microsoft antivirus solution, Microsoft Defender Antivirus is activated automatically to protect your Windows devices from threats.   

- - Must have delegated (DAP) or granular delegated (GDAP) admin privileges set up for the Managed Service Provider (MSP)

- - Must have at least one Microsoft 365 Business Premium or Microsoft 365 E3 license

-**Resolution:** The following table describes the different tenant statuses that require action and explains how to resolve them.<br><br>

-This article lists new and updated articles in the [Microsoft Managed Desktop documentation](index.yml). "Updated" articles have had material additions or corrections--minor fixes such as correction of typos, style, or formatting issues are not listed. You can always view the history of specific commits (including details of any changes) by visiting the [repo on GitHub](https://github.com/MicrosoftDocs/microsoft-365-docs/tree/public/microsoft-365/managed-desktop).

- > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: 'B95E2E21D5A93E0AC88BA401ACB20E5F721727B409D4186147C8D17468185583'.

-LYou can learn about and also build out this Microsoft Defender XDR solution in steps that are distributed through the rest of this series:

-There are two common ways to do this next step in evaluation. This series assumes you already have a production Microsoft 365 tenant, and will activate E5 trial licenses to evaluate Microsoft 365 Defender in *the current environment*. An in-place evaluation will let you keep any security methods with the purchase of licenses after the evaluation period.

-Or return to the Overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

-Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery ΓÇôEntries "*.fabrikam.com" -ExpirationDate 9/11/2021

-Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery ΓÇôEntries "*.fabrikam.com" -ExpirationDate 9/11/2021

-The automated investigationΓÇÖs email analysis identifies email clusters using attributes from the original email to query for emails sent and received by your organization. This is similar to a security operations analyst would hunt for the related emails in Explorer or Advanced Hunting. Several queries are used to identify matching emails because attackers typically morph the email parameters to avoid security detection. The clustering analysis performs these checks to determine how to handle emails involved in the investigation:

-Email clustering analysis via similarity and malicious entity queries ensures that email problems are fully identified and cleaned up, even if only one email from an attack gets identified. You can use links from the email cluster details side panel views to open the queries in Explorer or Advanced Hunting to perform deeper analysis and change the queries if needed. This capability enables manual refinement and remediation if you find the email clusterΓÇÖs queries too narrow or too broad (including unrelated emails).

-The investigation email analysis calculates email threats and locations at the time of the investigation to create the investigation evidence and actions. This data can get stale and outdated when actions outside of the investigation affect the emails involved in the investigation. For example, security operations manual hunting and remediation may clean up emails included in an investigation. Likewise, deletion actions approved in parallel investigations or Zero-hour auto purge (ZAP) automatic quarantine actions may have removed emails. In addition, delayed detections of threats after email delivery may change the number of threats included in the investigationΓÇÖs email queries/clusters.

-Modern cloud services that use OAuth 2.0 for authentication traditionally rely on access token expiration to revoke a user accountΓÇÖs access. In practice, this means even if an administrator revokes a user accountΓÇÖs access, the user will still have access until the access token expires, which for Microsoft 365 by default, used to be up to an hour after the initial revocation event took place.

-Conditional access evaluation for Microsoft 365 and Azure Active Directory (Azure AD) proactively terminates active user sessions and enforces tenant policy changes in near real time instead of relying on access token expiration. Azure AD notifies continuous access evaluation-enabled Microsoft 365 services (such as SharePoint, Teams, and Exchange) when the user account or tenant has changed in a way that requires reevaluation of the user accountΓÇÖs authentication state.

-For clients that donΓÇÖt support continuous access evaluation, the access token lifetime to Microsoft 365 remains as one hour by default.

-Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to an organizationΓÇÖs technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.

- Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

- - If you are applying multiple filters, they are applied in ΓÇÿANDΓÇÖ mode and you can use the advanced filter to change it to ΓÇÿORΓÇÖ mode.

-

-When there's a problem delivering an email message that you sent, Microsoft 365 or Office 365 sends an email to let you know. The email you receive is a delivery status notification, also known as a DSN or bounce message. The most common type is called a non-delivery report (NDR) and they tell you that a message wasn't delivered. In certain situations, Microsoft must conduct additional investigations against traffic from your IP, and if youΓÇÖre receiving the NDR code 5.7.511, you **will not** be able to use the delist portal.

-

-> 550 5.7.511 Access denied, banned sender[xxx.xxx.xxx.xxx]. To request removal from this list, forward this message to delist@messaging.microsoft.com. For more information, go to https://go.microsoft.com/fwlink/?LinkId=526653.

-

-In the email to request removal from this list, provide the full NDR code and IP address. Microsoft will contact you within 48 hours with the next steps.

-

-The delisting form for **Outlook.com, the consumer service** can be found [here](https://support.microsoft.com/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75). Be sure to read the [FAQ](https://sendersupport.olc.protection.outlook.com/pm/troubleshooting.aspx) first for *submission* direction.

- - **Messages that contain attachments or URLs**

- - **Detonated messages**

-|[](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) <br/> [PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/msft-m365-groups.pdf) \| [Visio](https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/raw/live/Enterprise/downloads/msft-m365-groups.vsdx) <br> Updated May 2020|These illustrations detail the different types of groups, how these are created and managed, and a few governance recommendations.|

-|[ <br>Updated September 2021| The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>