Microsoft Cybersecurity Reference Architectures

The Microsoft Cybersecurity Reference Architectures (MCRA) are the component of Microsoft's Security Adoption Framework (SAF) that describes Microsoft's cybersecurity capabilities and technologies. The diagrams describe how Microsoft security capabilities integrate with Microsoft platforms and third-party platforms like:

  • Microsoft 365
  • Microsoft Azure
  • Third-party apps like ServiceNow and Salesforce
  • Third-party platforms like Amazon Web Services (AWS) and Google Cloud Platform (GCP)
  • First- and third-party AI capabilities

Download the updated December 2023 version of the MCRA

What does the MCRA include?

The MCRA includes key information about:

  • Antipatterns (common mistakes) and best practices
  • Guiding rulesets for end-to-end architecture
  • Threat trends and attack patterns
  • Mapping Microsoft capabilities to organizational roles
  • Mapping Microsoft capabilities to Zero Trust standards
  • Securing privileged access
  • Reference plans in SAF (including an example of patching modernization)
  • Prioritizing using attacker return on investment (ROI)
  • ...and more

The MCRA also includes detailed technical diagrams for:

  • Microsoft cybersecurity capabilities
  • Zero trust user access
  • Security operations (SecOps/SOC)
  • Operational technology (OT)
  • Multicloud and cross-platform capabilities
  • Attack chain coverage
  • Infrastructure and Development Security
  • Security organizational functions

How to use the MCRA

We see this resource used for several purposes, including:

  • Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premises, mobile devices, multiple clouds, and IoT / Operational Technology.
  • Comparison reference for security capabilities - Some organizations use this resource to compare Microsoft's recommendations with what they already own and have implemented. Many organizations find that they already own quite a bit of this technology and weren't aware of it.
  • Learn about Microsoft capabilities - We also see this resource used as a learning tool. In presentation mode, each capability has a "ScreenTip" with a short description of that capability and a link to documentation to learn more.
  • Learn about Microsoft's integration investments - The architecture helps architects and technical teams identify how to take advantage of integration points within Microsoft capabilities and with existing security capabilities.
  • Learn about cybersecurity - Some folks, particularly people new to cybersecurity, use this resource as a learning tool as they prepare for their first career or a career change.

Next Steps