Microsoft Defender for Endpoint Web Content Filtering – Administration, Limitations, and User Experience

Microsoft Defender for Endpoint Web Content Filtering – Administration, Limitations, and User Experience

Historically, one of the big features missing "out of the box" with MDATP was web content filtering.  Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it.  They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering.  Higher lever stakeholders often listed the ability to block…
Sign In to Azure AD Using Google with Azure AD External Identities

Sign In to Azure AD Using Google with Azure AD External Identities

External Identities is a new public preview feature of Azure AD which allows external users to authenticate with a non-Microsoft account such as their Google or Facebook identity.  This has been available in Azure AD B2C for some time, but that solution is really targetted at highly customised applications with potentially millions of users.  External Identities opens up that idea to you ordinary Azure AD tenant so that any SAML or WS-Fed IdP can…
The Differences Between (and History of) the Microsoft 365 Security Centre, Compliance Centre, and Security & Compliance

The Differences Between (and History of) the Microsoft 365 Security Centre, Compliance Centre, and Security & Compliance

There are currently three separate admin consoles in Microsoft 365 for administrators to view or configure security and compliance policies, alerts, and reports.  Believe it or not, this is down from four at the peak of just-tell-me-where-to-go-to-do-this.  This doesn't even include consoles such as Microsoft Cloud App Security (MCAS).  The direction things are heading is good, as I'll explain in this blog, but the situation does highlight Microsoft's relatively new culture and position of…
Hybrid Azure AD Join + Intune Enrollment – Prerequisites Checklist and Process Flow

Hybrid Azure AD Join + Intune Enrollment – Prerequisites Checklist and Process Flow

I'm a simple person, and sometimes it just helps to have a checklist to refer to when you're troubleshooting rather than navigating the sparse pages of docs.microsoft.com.  In this blog, I  explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!)  There are no screenshots and it's not a click-by-click:…
Microsoft 365 Updates from Build 2020

Microsoft 365 Updates from Build 2020

Build 2020 had some nice bits of M365 related news.  Microsoft deserves commendation for sticking to the schedule and pulling this off (remotely) during the COVID-19 lockdown - Apple has delayed WWDC and Google just gave up on I/O.  I've summarised (bullet points!) my favourite updates below.  I will update it I find I've missed something good. Azure AD Publisher Verification lets developers verified through the Microsoft Partner Center stick a verified badge on…
Register Domain-Joined Computers as Devices – The Redundant and Broken Hybrid Azure AD Join GPO

Register Domain-Joined Computers as Devices – The Redundant and Broken Hybrid Azure AD Join GPO

The group policy object Register domain-joined computers as devices, or Automatically workplace join client computers in older templates, was previously a requirement for enabling Hybrid Azure AD Join.  After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled. Since Windows 10 1607 ("Anniversary Update"), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer;…
Connect a Work or School Account – MDM vs. MAM in Self Enrolment

Connect a Work or School Account – MDM vs. MAM in Self Enrolment

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect. What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership.  For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win.  The opposite is true of corporate devices. Intune devices are considered personal by default…
Windows Information Protection (WIP) App Protection Policies: Protected and Exempt; Denied and Allowed – What Do They Mean?

Windows Information Protection (WIP) App Protection Policies: Protected and Exempt; Denied and Allowed – What Do They Mean?

One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps:  what's the exact difference between a protected app and an exempt app; and what does allow or deny exactly do for both of those? A recap on some terminology before explaining what-does-what. Targeted apps are ones the WIP service will implement controls over. Unenlightened apps cannot differentiate between work and personal data.  They have no…
Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are now being replaced by sensitivity labels.  Sensitivity labels offer encryption, watermarks, etc as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post. With this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic…
Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix ‘Not Applicable’ Status)

Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix ‘Not Applicable’ Status)

Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Mangement enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done.  If you don't follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages. Prerequisite: This only works with…