What's New

This page summarizes significant changes between releases. If you've read a previous version and want to know what to revisit, start here.


v2026.04.30

Covers Chapters 11, 12, 15, 19, 20, 21 (new), 22, 26, 28, Phase 5 restructure, Purview CAB runbook, and infrastructure.

New Chapter

  • Chapter 21: AVD — Privileged Admin Workstation — Using managed identities and phishing-resistant AVD sessions for zero-credential admin operations. Solves the FIDO2 gap in Teams, SharePoint, and Exchange PowerShell modules.

Structural Changes

Phase 5 renamed from "Monitoring" to "Microsoft 365 Security"

  • Threat Defense chapter split into two H2 sections:
    • Microsoft 365 Security Configuration — SharePoint Admin Center (unmanaged device access, external sharing), Teams Admin Center (external access, guest access, meeting policies), and Defender for Office 365 policies (Safe Links, Safe Attachments, Impersonation Protection)
    • Security Operations — Attack Simulation Training, Threat Explorer, AIR, Defender for Cloud Apps, Defender for Identity, Unified XDR Incidents View, Advanced Hunting, Secure Score
  • SharePoint unmanaged device access documented as the server-side prerequisite for the CA "Use app enforced restrictions" policy — cross-referenced from Conditional Access and the Purview CAB runbook

Major Rewrites

Chapter 20: AVD — Enclave in Existing Tenant

  • Replaced Custom Security Attributes with extensionAttribute15 (CSAs not supported on devices in any cloud)
  • Replaced authentication context (E5 requirement) with DLP-based data layer (E3-compatible)
  • CA policies renumbered: E001/E002/E002b replaced by P004, B009, B010, with optional B011/B012 for E5
  • DLP reduced from four policies to three — RMS encryption makes the sharing block policy redundant
  • Added E5 vs. E3 assessment: "don't buy E5 for this"
  • Sensitivity label renamed to CUI - AVD, merged file and site scopes into single label
  • Documented DLP admin exemption (site owners and Global Admins bypass DLP block actions)
  • UPN suffix convention changed from -cui to -secure
  • FCI user group renamed to AVD-Enclave-FCI-Users-MESG to make the mail-enabled security group requirement explicit in the name
  • New-user provisioning procedure expanded: AVD Host Pool Application Group assignment and Virtual Machine User Login RBAC role on the Resource Group, with note that group-level assignment at deployment time collapses these into a single group-add step
  • Dedicated CUI account authentication softened from "phishing-resistant only" to "phishing-resistant strongly recommended; Authenticator push permitted with compensating controls"

Chapter 22: Shared PC Mode

  • Admin profile deletion exemption via registry-based SID exclusions
  • Admin maintenance procedure using PowerShell session overrides
  • New section: "Customizing the Default Student Experience" — Intune-managed alternatives to the legacy profile-copy workflow

Significant Updates

Purview CAB Runbook — major expansion

  • Phase A rewritten around a wizard-order sensitivity label creation table (GCC High and Commercial tabs) — every wizard setting as a row, every label as a column, walk the wizard top to bottom
  • Step A-4 added: enabling co-authoring for encrypted files, including the irreversibility caution and the metadata-compatibility pre-check
  • Phase B rewritten around three DLP policy tables: credential alert policies (P0–3), sensitive/highly restricted label external sharing (P4–6), and restricted label external sharing (P7–9)
  • Incremental rollout model added: scope Exchange/OneDrive/Teams to EID_Sensitivity_Label_Test_Users and expand after validation; SharePoint uses Simulation mode because SharePoint DLP doesn't support user/group scoping
  • Policy modes rationalized: only SharePoint Credential (P2) and Teams Credential (P3) start in Simulation due to credential SIT false-positive risk; all other policies start Enforced
  • Sensitive info type corrected from the non-existent "Software Development Credentials" to the All credentials bundled SIT
  • DLP action text corrected to match the actual wizard (e.g., "Restrict access or encrypt the content → Block everyone except the content owner, last modifier, and site admin")
  • Incident report recipient configuration moved into the rule's Incident reports section (there is no separate global DLP alert destination setting)
  • Allowed-domains exception documented correctly as a rule exception (Exceptions → Recipient domain is), not a sub-option of Content is shared
  • EID_Sensitivity_Label_Restricted clarified as a Microsoft 365 Group that must be created in the Microsoft 365 admin center (not Entra or Intune); test group scoping DLP policies can be a plain security group

Chapter 12: Phishing-Resistant Authentication

  • Reframed from "required" to "strongly recommended and expected by C3PAOs"; Authenticator push permitted as fallback with number matching, additional context, CA sign-in frequency, and SSP documentation
  • Added warning covering MFA fatigue and AiTM attack risks specific to the push-only path

Chapter 12: Conditional Access

  • TAP issuance: role table distinguishing Authentication Admin, Privileged Authentication Admin, and Global Admin
  • TAP recovery requires custom "Phishing-resistant + TAP" auth strength (explicit dependency callout)
  • New rollout methodology for existing tenants (report-only → test group → expand) with EID naming convention
  • Travel exceptions: replaced user exclusion group with named location procedure
  • Break-glass accounts: added RMAU membership requirement
  • Excluded phishing-resistant users from standard MFA policies (A001, P001, P002)
  • Removed EID_Consultants from device compliance policies — not-in-group is sufficient
  • P006: Azure Management API only exists in tenants with Azure subscriptions
  • B008: corrected grant control from "authentication strength" to "multifactor authentication"
  • Cross-reference added on the app-enforced restrictions policy to the new SharePoint Admin Center configuration section

Chapter 26: Mobile & Endpoint Security

  • New "Mobile Enrollment and App Protection" section covering the three postures (Corporate MDM, BYOD MAM, BYOD Work Profile), broker app / Company Portal role matrix per scenario, corporate MDM enrollment flows (ADE, QR, Zero-Touch, Knox, afw#setup), BYOD MAM walkthroughs for iOS (Authenticator broker) and Android (Company Portal installed but not signed in), MAM vs. Work Profile decision table, and end-user communication templates
  • Play Integrity clarified: Google "Strong Integrity" enforcement is now live; baseline recommendation added
  • OIB import: consolidated into single 8-step flow with consent step and troubleshooting table
  • Corrected: OIB ships four compliance policies (was incorrectly documented as zero)
  • New Wi-Fi configuration section with department-specific targeting via Intune filters

Chapter 28: Defender for Endpoint

  • MDE-attached workstations vs. servers: distinct onboarding paths, licensing, and management portals
  • Three-tier policy architecture: OIB (MDM), MDE workstations, MDE servers
  • Defender for Cloud vs. Defender portal vs. Intune — which manages what

Chapter 15: Provisioning with Windows Autopilot

  • Hybrid Join known issues: DNS resolution, connector timeout, pre-staging conflicts, VPN bootstrap, clock skew
  • Clarified netsh Wi-Fi as OOBE-only bootstrapping

Chapter 19: AVD — Dedicated Sovereign Tenant

  • Sentinel pricing added to all cost tables (full M365 connector set)

Terminology

  • Legacy "Azure AD" references cleaned up where safe (branding references only — registry keys, API names, and UI labels left as-is)

Infrastructure

  • Docusaurus upgraded to 3.10 with future.v4 flag and MDX1 compat re-enabled
  • Rspack bundler disabled (dev mode crash) — all other v4 performance features active
  • All chapter numbers incremented by one from Chapter 21 onward

v2026.03.31

Initial release.