[{"content":"What This Tests This post verifies three Phase 1 requirements before the final commit:\nCONT-04 — Chroma github-dark syntax highlighting renders inline colour styles CONT-05 — Hugo native Table of Contents generates a #TableOfContents element SEO-04 — og:title and twitter:card meta tags appear in \u0026lt;head\u0026gt; (requires params.env: production) PowerShell Code Block The following PowerShell uses the Microsoft Graph module to retrieve a user — confirming the highlighter handles cmdlet names, parameters, and pipe operators:\nGet-MgUser -UserId \u0026#34;user@campbell.scot\u0026#34; | Select-Object DisplayName, UserPrincipalName Python Code Block A simple typed Python function — confirming the highlighter handles type annotations and f-strings:\ndef hello(name: str) -\u0026gt; str: return f\u0026#34;Hello, {name}\u0026#34; Table of Contents Check This section exists to give the ToC enough headings to render a navigation element. PaperMod uses UseHugoToc: true to delegate ToC generation to Hugo\u0026rsquo;s built-in .TableOfContents, which requires at least two headings at the configured depth.\nSubheading One First sub-section — present to trigger multi-level ToC nesting.\nSubheading Two Second sub-section — together with Subheading One, ensures the ToC list has multiple entries.\n","permalink":"https://campbell.scot/post/test-syntax-and-toc/","summary":"\u003ch2 id=\"what-this-tests\"\u003eWhat This Tests\u003c/h2\u003e\n\u003cp\u003eThis post verifies three Phase 1 requirements before the final commit:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCONT-04\u003c/strong\u003e — Chroma \u003ccode\u003egithub-dark\u003c/code\u003e syntax highlighting renders inline colour styles\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCONT-05\u003c/strong\u003e — Hugo native Table of Contents generates a \u003ccode\u003e#TableOfContents\u003c/code\u003e element\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSEO-04\u003c/strong\u003e — 
\u003ccode\u003eog:title\u003c/code\u003e and \u003ccode\u003etwitter:card\u003c/code\u003e meta tags appear in \u003ccode\u003e\u0026lt;head\u0026gt;\u003c/code\u003e (requires \u003ccode\u003eparams.env: production\u003c/code\u003e)\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"powershell-code-block\"\u003ePowerShell Code Block\u003c/h2\u003e\n\u003cp\u003eThe following PowerShell uses the Microsoft Graph module to retrieve a user — confirming the highlighter handles cmdlet names, parameters, and pipe operators:\u003c/p\u003e","title":"Test: Syntax Highlighting and Table of Contents"},{"content":"When we talk about Microsoft 365 security, we are talking about two things:\nSecuring Microsoft 365 the platform, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite. Using Microsoft 365 security tooling, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you\u0026rsquo;re not paying for capabilities gathering dust. The latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.\nGiven its omnipresence in enterprise IT, Microsoft 365 security\u0026rsquo;s vastness (and value) needs to be front-of-mind for all tenant administrators.\nThe Essential 10 is my pragmatic collection of key considerations organizations should prioritize to harden Microsoft 365. By prioritizing these cyber defences, organizations will reduce the likelihood of security incidents, the blast radius when incidents occur, and, as a byproduct, mature and more fully leverage their Microsoft 365 licensed solutions such as Defender XDR, Entra, Intune, and Purview.\nThe Threatscape Essential 10 was previously published at Threatscape, after baking it into our security posture management service, and I reshare below for reach.\n1. 
Defend against token theft and user compromise User compromise, often by token theft but also compromised authentication methods, is a common initial access technique. Attackers can exploit stolen Entra tokens to gain unauthorized access to Microsoft 365 and other Entra apps, bypassing authentication requirements. This can lead to the adversary commanding control of the compromised identity, and consequent risks such as exfiltration, lateral movement, establishing persistence, and so on. This attack vector is often facilitated by phishing, malware, social engineering, or leaked credentials. The likelihood of such attacks is high, given the increasing prevalence of phishing toolkits, adversary in the middle (AiTM), and financial incentives.\nEssential recommendations for this consideration include, but aren’t limited to:\nBlock legacy authentication everywhere. Require phishing-resistant MFA using Conditional Access authentication strengths. Prefer Windows Hello for Business, Passkeys (FIDO2), or certificate-based authentication. Require specific device states such as compliant devices, including Defender for Endpoint device risk using Entra Conditional Access to reduce risk of infostealers. For sensitive apps and unmanaged or risky devices, where supported, leverage token protection, shorter sign-in frequency, and never persist browser sessions. Control access based on risk signals using Entra ID Protection. Control guest access including limitations on default reconnaissance capabilities and leveraging cross-tenant access settings. Figure 1. Token theft is topical, but it\u0026rsquo;s worth noting \u0026ldquo;plain ol\u0026rsquo;\u0026rdquo; MFA defends against the overwhelming majority of attacks. Expect the \u0026lt;3% of attacks based on token theft to rise as deprecation of legacy authentication and mandatory MFA force adversaries to move beyond password spray and brute force.\n2. 
Defend against unmanaged or risky devices Unmanaged devices are those not controlled by IT, such as BYOD assets. These, or managed but poorly maintained risky devices, can introduce posture vulnerabilities, making it easier for attackers to exploit weaknesses. For example, these devices may lack proper security hardening and tooling, making them susceptible to malware, data breaches, and unauthorized access. The prevalence of bring-your-own-device (BYOD) expectations and remote work increases the likelihood of such risks.\nEssential recommendations for this consideration include, but aren’t limited to:\nFor the highest level of security, allow only organization owned and Intune compliant devices access using Entra Conditional Access. Where BYOD is required, leverage app protection policies to control data exfiltration paths and app access with conditional launch. For unmanaged device scenarios, introduce guardrails around accidental data exfiltration or access from outdated devices using Conditional Access App Control and Defender for Cloud Apps. Identify devices with device discovery in Defender for Endpoint/Defender Vulnerability Management, bringing them under management where possible or monitoring vulnerabilities with Enterprise IoT security. Consider VDI implementations such as Azure Virtual Desktop and Windows 365. 3. Defend against data exfiltration We define data exfiltration as the unauthorized transfer of data beyond organizational control. This can lead to significant breaches, such as the unauthorized exposure of sensitive information, credentials, and other valuable secrets. The risk of data exfiltration is particularly significant for organizations handling large volumes of confidential data stored in Microsoft 365 or Entra apps as they often support access from any device and any location, given the nature of SaaS. 
Attackers may use various methods, such as malware, insider threats, or compromised accounts, to exfiltrate data; and insiders may accidentally cause data exfiltration events if not following sanctioned data flows, BYOD compromise, or other similar scenarios. The prevalence of data breaches and the high value of sensitive information make this a critical area to defend against, especially since data exfiltration is one of the primary objectives of most attackers.\nEssential recommendations for this consideration include, but aren’t limited to:\nArchitect Purview Data Loss Prevention policies for Exchange, SharePoint, OneDrive, Teams, endpoints, and any other available resources. Apply sensitivity labels with encryption and ideally auto-labelling. Implement Purview Insider Risk Management to detect and respond to potential malicious insiders, including with connectors to other resources such as HR apps. Control access from unmanaged devices by leveraging Entra Conditional Access, Defender for Cloud Apps, and Intune enrolment restrictions and app protection policies. Harden endpoints to defend against data loss, such as with BitLocker device encryption and device control in Defender for Endpoint. Use Purview Data Lifecycle Management to remove stale data, de-risking the volume of data that may be exfiltrated. 4. Defend against business email compromise Business email compromise (BEC) is a type of attack where adversaries leverage email to conduct fraudulent activities. This can result in financial loss, data breaches, and reputational damage. BEC attacks are often targeted and can involve social engineering tactics to deceive employees into transferring funds or sharing sensitive information. Security researchers have observed generative AI being used to improve efficacy of such attacks (by, for example, better tuning emails and profiling victims). 
These attacks often differ from general anti-spam defences insofar as adversaries can leverage “known good” infrastructure or other compromised accounts to spread their malicious email.\nEssential recommendations for this consideration include, but aren’t limited to:\nImplement DNS email security capabilities such as SPF, DKIM, and DMARC. Leverage preset security policies (standard/strict) in Defender for Office 365, customizing where required, to enforce capabilities such as anti-phishing, anti-malware, anti-spam, Safe Links, and Safe Attachments. Avoid bypasses by preventing authentication to shared mailboxes and limiting the mailbox auditing bypass setting. Disable auto-forwarding externally except by exception, with alerts on suspicious inbox rules. Minimize security exceptions such as trusted IPs, domains, or emails and, where required, leverage lifecycle capabilities such as the tenant allow/block list. Extend similar defences to Teams by controlling external messaging and phishing settings. 5. Defend against app-to-app access and consent risk App-to-app access and consent risk concerns OAuth permissions, either delegated or application types. In short, the risk that apps connected to Entra/Microsoft 365 may pose based on their permissions to access data. Malicious applications may gain unauthorized access to sensitive data through user or admin consent, where attackers trick users into granting permissions to malicious apps, leading to data breaches and unauthorized access. The likelihood of such attacks is high, given the increasing use of third-party applications and the complexity of managing app permissions. One must also consider supply chain compromise, where a previously trusted app is being exploited by adversaries. 
Ensuring that only trusted applications can interact with organizational data, and continually attesting that trust, is essential to mitigate this risk.\nEssential recommendations for this consideration include, but aren’t limited to:\nDisable broad user consent and enable an admin consent workflow, requiring permission reviews and verified publishers where possible. Replace app secrets and legacy service accounts with managed identities or certificates, and alert on expiring credentials, reducing risks of exposed or weak passwords (including those synced from on-premises). Adhere to least privilege permissions, granting only the permissions required to achieve the apps’ objectives, and ensure lifecycle management exists for sanctioned apps. Leverage Conditional Access for workload identities to block service principals based on risk or unauthorized IP use. Enable Defender for Cloud Apps’ app governance capability for continuous monitoring and anomaly detection. Use Defender for Cloud Apps’ connected apps capability to conduct SaaS Security Posture Management (SSPM) assessments to proactively harden SaaS. Figure 2. With rare exception, you want Do not allow user consent configured in Entra\n6. Defend against endpoint risks Endpoint risks involve vulnerabilities and threats targeting devices used to access organizational resources. These risks include malware (of many types, including infostealers and ransomware) and other threats that can compromise the security of endpoints. The prevalence of endpoint attacks is high, though modern endpoint protection platforms can offer robust defences. While identity is often described as the new security perimeter, protecting endpoints is crucial to protecting those identities and preventing attacks.\nEssential recommendations for this consideration include, but aren’t limited to:\nOnboard all devices to Defender for Endpoint for the highest levels of visibility. 
Use cloud delivered protection and block at first sight in Defender Antivirus to protect against emerging threats. Enforce attack surface reduction rules, exploit protection, network protection, and potentially unwanted app protection to minimize risk of exploitation. Enforce tamper protection as part of defence in depth measures to restrict even administrator bypasses. Implement operating system security baselines such as the OpenIntuneBaseline or Microsoft Security Baseline. Leverage hypervisor-protected code integrity capabilities such as Credential Guard or, for the highest levels of protection, application control. 7. Defend against excessive privileges Excessive privileges can lead to unauthorized access and potential misuse of sensitive data and systems. Attackers may exploit privileged accounts to gain access to critical resources, leading to data breaches and other security incidents. The likelihood of such attacks is significant, given the high value of privileged accounts and the potential impact of their compromise. Managing and monitoring privileged access is essential to reduce the risk of threats and ensure that only authorized personnel have access to critical resources.\nEssential recommendations for this consideration include, but aren’t limited to:\nUse Entra Privileged Identity Management for all admin roles, including requiring reauthentication and MFA on activation, ideally coupled with privileged access workstations. This does not negate the need for separate, dedicated administrator accounts and scope admins with Entra administrative units so role assignments are limited to specific users, groups, or devices. Use Entra ID Governance entitlement management and access reviews to control the lifecycle of identities and access, from provisioning to ongoing adjustments and decommissioning (joiners/movers/leavers). 
Implement least privileged principles when granting access, by identifying the absolute minimum level of access required and granting only that. On endpoints, control local admin permissions through Entra device settings, Local Administrator Password Solution, and Intune Endpoint Privilege Management. Where supported, leverage in-app RBAC such as Exchange Online, Purview, and Defender XDR’s unified RBAC model to achieve the most specific level of permissions. Ensure integration of third-party applications with Entra using SSO, to centralize secure modern identity. 8. Defend against hybrid identity attack paths Integrating ‘on-premises’ Active Directory with Entra in a hybrid environment can create potential vulnerabilities that attackers may exploit to gain unauthorized access to both on-premises and cloud resources. The significance of this risk lies in the interconnected nature of hybrid environments, where a compromise in one system can see lateral movement to the other, leading to broader security breaches. That is compounded by the reality of how Active Directory is targeted and often the weakest point for massive compromise. Given the prevalence of hybrid environments in many organizations, defending against hybrid threats is crucial to ensure the security and integrity of both on-premises and cloud-based resources.\nEssential recommendations for this consideration include, but aren’t limited to:\nWith Defender for Identity, leverage action accounts and Defender XDR integration to automatically remediate risky accounts, while pro-actively monitoring security assessments and lateral movement paths to understand Active Directory weaknesses. Prefer password hash sync as the authentication solution instead of more limited options such as Active Directory Federation Services and pass-through authentication. 
Treat the Entra Connect server as a critical asset, of the highest tier level, and with the access restrictions that come of such tiering; or, where possible, prefer Entra Cloud Sync. Deprecate the use of Seamless SSO, which is a legacy solution for devices that do not support Entra registration, but can be exploited by adversaries. Do not sync privileged Active Directory accounts to Entra and vice versa. Strengthen access to domain controllers with a tiering strategy and privileged access workstations. 9. Defend against AI-driven threats AI-driven threats relate to the risks associated with the use of generative artificial intelligence, whether sanctioned or unsanctioned (shadow AI/shadow IT), including services like Microsoft 365 Copilot and third-party AI applications. The significance of this risk lies in the potential for AI to be misused or exploited, leading to data breaches, unauthorized access, and other security incidents. AI can be leveraged by attackers to enhance the speed and sophistication of their attacks, and evade traditional security measures, such as with prompt injections. The rapidly evolving nature of AI, with continually changing and sometimes inherent risks, makes it a critical area to defend against.\nEssential recommendations for this consideration include, but aren’t limited to:\nAdhere to least privileged principles for data stores used by Microsoft 365 Copilot, such as SharePoint Online, Teams, OneNote, OneDrive for Business, and Microsoft 365 in general. Use Microsoft Defender for Cloud Apps’ cloud discovery capability to discover AI app usage, assess risk, and control access. Track risky AI usage with Purview Communication Compliance and Insider Risk Management. Use Purview DSPM for AI to prevent unintended data leaks, including both Copilot and third-party AIs such as ChatGPT. Use Purview Data Loss Prevention and sensitivity labels to control Copilot access to highly sensitive material. 
Manage who can access Copilot agents and leverage the agent inventory to assign sanctioned agents. Figure 3. The 2025 Digital Defence Report does a nice job of visualising the different types of AI threat: usage, app lifecycle, and platform.\n10. Defend against visibility gaps Visibility gaps in Microsoft 365 can leave organizations vulnerable to undetected threats, unauthorized activities, configuration weaknesses, and incident response difficulties. Without comprehensive logging and monitoring, it becomes challenging to identify, investigate, and respond to security incidents in a timely manner. Ensuring robust visibility and logging across your Microsoft 365 environment is crucial for maintaining a strong security posture.\nEssential recommendations for this consideration include, but aren’t limited to:\nEnable the unified audit log, including non-default logs, in Microsoft Purview to capture and retain audit logs, including using retention policies to protect logs Improve Entra’s built-in logging and retention by configuring diagnostic settings to collect logs and metrics. Onboard devices to Purview Data Loss Prevention and use the Purview browser extension to track activities Configure the Microsoft Information Protection Scanner for on-premises file shares to discover sensitive data Use Microsoft Defender for Cloud Apps to monitor SaaS app (including Microsoft 365) usage and configuration, detect anomalies, and gain visibility into shadow IT. As broadly as possible, deploy Defender XDR workloads such as Defender for Endpoint and Identity to centralize records for advanced hunting. Conclusion No single checklist eliminates all risk, but these considerations represent the core steps. 
They have been built to align security capabilities, and defenders should adopt the Essential 10 as a standard Microsoft 365 security awareness guide and use it to drive their security program.\n","permalink":"https://campbell.scot/microsoft-365-the-essential-10-security-considerations/","summary":"\u003cp\u003eWhen we talk about Microsoft 365 security, we are talking about two things:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eSecuring Microsoft 365 \u003cem\u003ethe platform\u003c/em\u003e, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite.\u003c/li\u003e\n\u003cli\u003eUsing Microsoft 365 \u003cem\u003esecurity tooling\u003c/em\u003e, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you\u0026rsquo;re not paying for capabilities gathering dust.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.\u003c/p\u003e","title":"Microsoft 365: The Essential 10 Security Considerations"},{"content":"April 1, 2024, saw the release of Microsoft Copilot for Security to general availability (GA). It is a generative AI solution integrating with Defender XDR, Entra, Purview, and Intune. Just over a month later, it\u0026rsquo;s time to write down some thoughts.\nIn cybersecurity, we face the challenge of scarce resources — time, finances, attention, will — to identify, protect, and respond to threats and vulnerabilities.\nThere\u0026rsquo;s an old joke. One economist asks another, \u0026ldquo;How\u0026rsquo;s your wife?\u0026rdquo;. 
The other economist replies, \u0026ldquo;Compared to what?\u0026rdquo;\nTo properly answer the question “How’s Copilot for Security?”, we need to think similarly: “How’s Copilot for Security compared to the alternatives that consume similar resources to achieve similar ends?”\nThis article is an attempt to get you thinking about that question.\nFirst, I’ll explain costs, because as touched on earlier, everything goes back to cost.\nThen, a first run through my experience of using Copilot for Security so you can see how it performs against tasks you may attempt. My area of focus is mostly pre-incident security: architecture, gap analysis, etc. Copilot for Security is marketed as a solution for “end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management” [ref], so this use case is in scope, albeit not one that occupies most of the material I\u0026rsquo;ve seen online.\nPart of the feedback I\u0026rsquo;ve heard is generative AI is all about how good your prompt skills are, and Mona Ghadiri has contributed thoughts regarding how to get better at this.\nFinally, concluding thoughts — current state, how you should approach a purchasing decision, and thoughts for the future of Copilot — will wrap up this article.\nCosting Copilot for Security Copilot for Security (sometimes referred to as just Copilot) is not licensed, rather it is billed as a resource. That’s because Copilot consumes a new type of Azure resource: the Security Compute Unit (SCU). SCUs are an abstraction of the compute resource required to power Copilot. At time of release and writing, one SCU costs 4USD/hour.\nFigure 1 – Security Compute Units in the Azure portal\nUnlike how you may deallocate an Azure virtual machine to reduce cost, there is currently no native way to deprovision SCUs when not in use. You would have to delete the Azure resource instead, which means recreating it when required again. 
In one scenario I did this, it took a long time from recreating the compute capacity to Copilot allowing me to run prompts again.\nMicrosoft recommend customers have three SCUs. Were these to run 24x7, it would cost over 100,000USD/year.\nBut how do I know how many SCUs I need running?\nThis isn’t easy to initially predict. There is no mapping of number of prompts to SCU consumption because even similar AI prompts may not reliably use the same level of compute resource. After some use, you can leverage the Copilot Usage monitoring page to roughly anticipate how many SCUs you consume, and therefore the reservations required, and costs associated.\nFigure 2 – Usage monitoring in Copilot for Security\nWhen considering costs for Copilot, we must consider all features, beyond the obvious generative AI. Purchasing SCUs also unlocks Microsoft Defender Threat Intelligence (MDTI). MDTI is targeted at SOCs and MSSPs — which may tell you about the target audience for Copilot — and is a paid threat intelligence offering above the threat analytics feature licensed with Microsoft Defender for Endpoint (MDE) Plan 2. MDTI provides data regarding attack groups and tools, indicators of compromise, and integration of these with Microsoft Defender XDR and Sentinel (and now, Copilot).\nHands on experience with Copilot for Security Let’s run through a few things I threw at Copilot for Security to see how it performed. If you’ve followed me on X/Twitter, you may have seen the spoilers for this.\nWhen you first start Copilot in securitycopilot.microsoft.com, you choose/create an Azure resource group for the SCU resource, seen in Figure 1. Copilot provisions with two RBAC roles: contributors and owners. By default, Global Administrators and Security Administrators (Entra roles) are owners. Everyone is a contributor by default. This means everyone can use Copilot provided they already have sufficient permission. 
For example, it won’t supersede a standard user’s permissions; you’ll still need permission in Defender XDR, Purview, and so on.\nStill, you may want to reduce the scope from everyone. You cannot throttle Copilot per-user, so while determining your average SCU requirements, or at least in your pilot phase, I would recommend controlling access to the contributor role with an Entra group.\nFigure 3 – Copilot role-based access control\nThe figures displayed so far are all from securitycopilot.microsoft.com, also known as the standalone experience. This is a UI dedicated to prompting for the data that Copilot can query. There are also embedded experiences which are on the traditional portals of Entra, Defender XDR, Purview, and Intune. The embedded experience is similar to Copilot as you’d experience it in Microsoft 365 apps and Edge; pop ups and panes over the pages you’re used to.\nIn the standalone experience, you’re greeted by Daily tips. The first I ever saw reminded me of generative AI’s propensity to hallucinate (politely described as fabricate in most AI services): “Fact-check, fact-check, fact-check. To catch Copilot’s fabrications, try probing the references it cites. Even those might be made up. Quotes? Same. Dates? Yep.”\nFigure 4 – Daily tip in Copilot for Security\nIt’s a valid and important tip, but also subtly droll. 
Have you ever been quoted over $100,000/year in another cybersecurity resource (tool or employee), and the very first thing you’re told is to not trust the validity of its output?\nDaily tip acknowledged, the first actual prompt Copilot is tested against my tenant is “In Entra ID, how many of my users have added a FIDO2 security key authentication method?”\nFigure 5 – Copilot for Security’s prompt dialogue\nThe prompt wasn’t clear enough, I’m told, so I try another that leans on Defender XDR and Intune: “Can you let me know all the devices used by Ruairidh Campbell in Intune and/or Defender, and any vulnerabilities those devices have based on Defender Vulnerability Management data?”\nFigure 6 – Testing Copilot for Security to query Defender and Intune inventory\nI’m told there are six associated devices, but the response then goes on to only show four of those. There is no information about the vulnerabilities.\nLet’s see if a third test will improve our initial impressions. Maybe if it won’t acknowledge Defender Vulnerability Management, it will acknowledge the MDTI we’re now getting: “Based on Microsoft Defender Threat Intelligence, what are the main risks you perceive for my tenant, and what would be the best use of my time for defending against those main risks?”\nFigure 7 – Copilot for Security suggests malvertising is the main risk in a tenant\nCopilot suggests malvertising is the biggest risk I face despite, as it goes on to explain, my tenant having zero misconfigured, vulnerable, or impacted assets and devices. It’s a downright bizarre recommendation for a human to suggest as the biggest risk, but even based on machine-driven data, there are no metrics that suggest it should be assumed the biggest risk by Copilot.\nThinking back to the daily tip, I ask it to justify its answer, and try to lead the witness: “Why did you suggest malvertising, when I have zero impacted, misconfigured, or vulnerable devices? 
Are there any others, such as maybe AITM or token theft that may be more important or likely?”\nFigure 8 – Copilot for Security identifying tenant threats\nCopilot this time suggests the Fortinet FortiClient is a potential threat: there are three misconfigured devices. Interestingly, I do not have this installed on any devices, so while the misconfiguration may be related it is unlikely to be a high priority item, at least as it relates to this CVE.\nIn the next prompt, if Copilot is asked to write me a KQL query to identify requests to the domain http://twitter.com in Defender logs, it uses the UrlClickEvents table and provides a button to Go hunt in Microsoft 365 Defender (the old name for Microsoft Defender XDR).\nFigure 9 – Copilot for Security generating KQL\nFair enough. One of the things you need to be when prompting any AI system is as specific as possible. So in the absence of which specific type of request, it has made an assumption I only care about Defender for Office 365 safe links clicks. Ideally, it would have assumed all types and also given me endpoint visits. So, I ask it for those.\nFigure 10 – Copilot for Security generating more KQL\nUnfortunately, that doesn’t return any results because it didn’t trim the http:// prefix; doing this manually made it work. So, it provided a good start.\nIf you ask the free Microsoft Copilot (formerly under the Bing branding) the same thing, you get a different KQL result because it only projects the most relevant columns.\nFigure 11 – KQL generation in the free Microsoft Copilot\nWhen I returned to Copilot sometime later, I asked some more detection and response type questions. When asked how to identify SharpHound activity in MDE, it provided a query that likely wouldn’t achieve the intended objective.\nFigure 12 – Copilot for Security suggesting a SharpHound activity query\nOne of the highly marketed features of Copilot for Security is its ability to translate scripts to natural language. 
This would be great, as it can take a long time to understand exactly what a script, obfuscated or just complicated, is doing. In my experience, Copilot for Security continually timed out with a PowerShell example I commonly use. After four or five attempts, I gave up.\nFigure 13 – Copilot for Security analyses an obfuscated script\nBecause I’m interested in value for money, I return to the free Microsoft Copilot and copy and paste the same script. It immediately responds, with some good info, albeit not quite hitting the nail on the head. Still, this was free and gave me something where the paid Copilot for Security gave me nothing.\nFigure 14 – Microsoft Copilot translating an obfuscated script to natural language\nI ask if it can help me hunt for any user activity of any kind that is outside the UK and on a non-compliant device. I’m not a KQL expert, but I don’t think its suggestion will get me far.\nFigure 15 – Copilot for Security generating KQL to hunt\nA heavily marketed area I had success with in testing is the natural language summarisation of Microsoft Defender XDR incidents. They were easy to read and accurate.\nFigure 16 – Copilot incident summary in Microsoft Defender XDR\nRight, you’ve seen my results. Maybe some of the less ideal results were the result of poor prompting, so one thing that comes to mind is how can a SOC optimise their prompts to get the best out of Copilot? For that, Mona Ghadiri has helped contribute to this post in the next section.\nMona’s prompt recommendations T9 texting vs keyboard texting I have seen a lot of classes on how to learn prompting or prompt engineering, and I decided that instead of taking a class, I would take notes as I learned and share them with you. My first thought honestly was prompt creation feels like T9 texting and charged per letter like we did back in 2004. However, it’s not like that at all. 
The opportunity is that the closer we stay to a formula, the more predictive costs can be and the easier it can be to judge what makes a good vs. bad prompt. We don’t have to be as reductive as what happened with T9 texting at all!\nBe Formulaic!\nMicrosoft says start with this kind of formulaic approach to prompt engineering.\nWhat I realized as I was learning is that this lends itself very well to variable-based thinking, just like we do in code. What if, instead of trying to build out multiple prompts from scratch, we treat each prompt like security as code and code it with variables instead of hard coding in the prompts themselves, and as we want to make more, we make child versions or add additional variables or exclusions as we see fit?\nThis solved a few problems for us:\nVersioning/continuous improvement was way easier\nApplying the same prompt to different user spaces was much easier\nEngineers could grab the latest prompt they needed instead of hand developing new prompts, which was an unpredictable cost per user.\nI couldn’t get to a cost per prompt quite yet, but in a month or so I am going to have much better predictive metrics around usage. There are other things I learned that are worth considering when building a prompt/prompt library:\nThere is a trade-off between complexity and processing time, and customers want to be able to quantify that somehow\nMost of the Microsoft out of the box queries are between 4 and 7 prompts. These prompts generally can execute in a timely fashion, but this is dependent on the SCUs you have applied.\nWhen you are only using out of the box prompts, cost estimation is easier, but quality of answer is less customizable\nDefining and refining prompts in real time when you need it is quite difficult and can be costly; it’s better to define 2-4 custom ones and then roll them out for general usage like a development sprint\nSticking to a methodical formula-based prompt workflow meant we could better predict costs. 
Concluding thoughts\nSecurity isn’t easy, and hiring experienced personnel isn’t cheap. AI — across vendors — is promoted as a way of reducing costs and overhead because, otherwise, there’s no point. In the case of Copilot for Security, we therefore can only assess whether it is worth it based on the cost and efficiency improvements.\nThe current suggested model, which expects at a minimum 1 SCU to run 24/7, sets the cost benchmark at around 35,000 USD; based on the recommended 3 SCUs, it comes to nearer 100,000 USD. Those are high benchmarks and may be challenging to justify, at least compared to other cyber defence spend. You might be able to afford a new member of staff (a full-grown human being!) or invest in a project to harden your environment, like Application Control or tiering or ongoing posture management. There’s a lot you could do with six figures.\nBut it doesn’t have to cost you 100,000+ USD. Thanks to the Azure resource-based nature of it, you can experiment at low cost to start. You could delete the SCU resource in Azure entirely and recreate it when needed. This manual on-demand model makes more sense: when a requirement for Copilot arises, that’s when we spend, likely saving a lot of money. An issue I had with this was that when adding an additional SCU due to hitting the limits, I had delays of 15+ minutes before I could run prompts again. If using Copilot for time-critical scenarios, like incident response, that could get stressful. There is no native way of performing on-demand provisioning and deprovisioning (down to or up from 0), but community members have developed solutions.\nThere are at least two questions we must consider with any product or service purchasing decision, including Copilot:\nWhat alternatives — proven, ideally — may better improve my intended outcomes at similar costs? 
If a vendor, provider, or reseller evangelises a solution, how specifically are they using it, or how do they suggest it can help, and what real-world evidence have they provided for those specifics? You know your environment, resources, budget, skill, requirements, and similar variables better than any generic recommendation can account for. You need to make up your own mind about whether Copilot for Security is right for you, now, given its strengths and weaknesses. But please just apply the above two questions at all points of your thought process.\nLong term, I’m a Copilot for Security optimist. When (and I’m assuming it’s when) it can be provisioned and billed on-demand and starts to reason over wider data in the Microsoft Graph, I think it’ll be a game changer. Alternatively, it could be licensed like Copilot for Microsoft 365 so that costs are predictable. Gap analysis, joining dots, attack path identification: these are all challenging across Entra, Intune, Defender, and Purview. As the run-through demonstrated, it’s not quite there yet with identifying gaps (the example of users without a registered security key failed), but when we get to that point, you could get a huge return on your investment compared to the time/cost of scripting or manually assessing. And that — proactive identification and minimisation of weakness — is what moves your security needle.\n","permalink":"https://campbell.scot/thoughts-on-copilot-for-securitys-early-days/","summary":"\u003cp\u003eApril 1, 2024, saw the release of Microsoft Copilot for Security to general availability (GA). It is a generative AI solution integrating with Defender XDR, Entra, Purview, and Intune. Just over a month later, it\u0026rsquo;s time to write down some thoughts.\u003c/p\u003e\n\u003cp\u003eIn cybersecurity, we face the challenge of scarce resources — time, finances, attention, will — to identify, protect, and respond to threats and vulnerabilities.\u003c/p\u003e\n\u003cp\u003eThere\u0026rsquo;s an old joke. 
One economist asks another, \u0026ldquo;How\u0026rsquo;s your wife?\u0026rdquo;. The other economist replies, \u0026ldquo;Compared to what?\u0026rdquo;\u003c/p\u003e","title":"Thoughts on Copilot for Security’s Early Days"},{"content":"Finally, it\u0026rsquo;s time for a refresh. It\u0026rsquo;s been a while! Due to personal circumstances, I haven\u0026rsquo;t been able to keep the Ultimate Comparison of MDE by OS updated. I\u0026rsquo;ve had time to dive into the changes since v5 and it\u0026rsquo;s really been amazing to see MDE grow in scope.\nWhat is MDE and why do we need an \u0026lsquo;ultimate comparison\u0026rsquo;? Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with the broader Microsoft Defender XDR and is available for almost any OS you\u0026rsquo;ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It\u0026rsquo;s not always intuitive, and you may be in for some surprises. 
Hence I began keeping the Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you\u0026rsquo;re getting and what you need to go start implementing if you haven\u0026rsquo;t already.\nChange log for this release\nFebruary 2024\u0026rsquo;s release, version 6, has the following changes and updates:\nAdded the Block Webshell creation for Servers ASR rule\nAdded performance mode for Microsoft Defender Antivirus on Windows 11 Dev Drive\nAdded contain user and device from the network\nAdded forcibly release device from isolation (script)\nAdded Windows Subsystem for Linux (WSL) 2\nAdded privacy controls for iOS and Android\nAdded optional permissions and disable web protection for iOS and Android\nAdded troubleshooting mode for macOS\nAdded deception capabilities\nAdded contextual file and folder exclusions\nAdded tamper protection for exclusions\nUpdated antivirus scan and device isolation for macOS and Linux, which are now supported directly from device actions; previously this required live response\nRenamed Security Management to Security settings management and added support for Linux and macOS\nClarified restrict app execution support (thanks 25004 on GitHub)\nClarified selective isolation support\nMDE\u0026rsquo;s continued growth\nSince starting the Ultimate Comparison of MDE Features by OS in summer 2021, over thirty new capabilities and features have been added! That doesn\u0026rsquo;t even include the expansion of existing features from Windows to macOS and Linux.\nA few other points\nAlways looking for feedback and things I\u0026rsquo;ve missed. Sometimes features get updated but don\u0026rsquo;t make the docs or change logs. If you find any, let me know! I am particularly interested in any Linux and macOS goodies. Specifically\u0026hellip;\nI hear tamper protection for Linux is available, but I have never seen this used in the wild and documentation is scarce, so I would love feedback from anyone who\u0026rsquo;s got more info! 
Not mentioned in the comparison because I group all Linux into one category but ICYMI, MDE supports Mariner 2, Alma 9.2+, and Rocky 8.7+ as of 5 February 2024. Obligatory disclaimers This is provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS or if Microsoft just hasn\u0026rsquo;t been clear about which version is needed. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. In some cases, the learn.microsoft.com pages just say Windows 10 with no specific information about versions. You may also find some features are in preview mode. If in doubt, ask me or look up the docs. I have gone by what the docs say. Mostly. If there are conflicting docs, I go with the most conservative option (looking at you, Device Control, which has conflicting info about Windows Server support). Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs (this was before the unified solution became available). The point is: the docs don\u0026rsquo;t always reflect what really works. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help. In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (the new MDVM capabilities are a good example of this). If you notice any errors or have suggestions for improvement, let me know! 
Download You can download it below.\nExcel PDF Image Or check it out in this (compressed and squashed) image below.\n","permalink":"https://campbell.scot/feb-2024-ultimate-comparison-of-defender-for-endpoint-features-by-os/","summary":"\u003cp\u003eFinally, it\u0026rsquo;s time for a refresh.  It\u0026rsquo;s been a while!  Due to personal circumstances, I haven\u0026rsquo;t been able to keep the Ultimate Comparison of MDE by OS updated.  I\u0026rsquo;ve had time to dive into the changes since v5 and it\u0026rsquo;s really been amazing to see MDE grow in scope.\u003c/p\u003e\n\u003ch2 id=\"what-is-mde-and-why-do-we-need-an-ultimate-comparison\"\u003eWhat is MDE and why do we need an \u0026lsquo;ultimate comparison\u0026rsquo;?\u003c/h2\u003e\n\u003cp\u003eMicrosoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities.  It integrates with the broader Microsoft Defender XDR and is available for almost any OS you\u0026rsquo;ll find in an enterprise.  This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS.  It\u0026rsquo;s not always intuitive, and you may be in for some surprises.  
Hence I began keeping the \u003cstrong\u003eUltimate Comparison of Defender for Endpoint Features by OS\u003c/strong\u003e up to date to keep you aware of what you\u0026rsquo;re getting and what you need to go start implementing if you haven\u0026rsquo;t already.\u003c/p\u003e","title":"[Updated Feb 2024] Ultimate Comparison of Defender for Endpoint Features by OS"},{"content":"Best efforts have been taken to keep this accurate, but Microsoft\u0026rsquo;s documentation is imperfect and the information is spread across multiple doc sets.\nLegend\nSymbol Meaning\n✓ Supported on all currently supported versions of that OS in the current Microsoft documentation (unless otherwise noted)\n1709+ (version value) Minimum OS version/build explicitly called out in the current Microsoft documentation\nPreview Documented by Microsoft as preview support, not general availability\n(blank) Not supported or not documented as supported\nLicense Meaning\nP1+P2+MDB Available in Microsoft Defender for Endpoint Plan 1, Plan 2, and Microsoft Defender for Business\nP2+MDB Available in Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business\nP1+P2 Available in Microsoft Defender for Endpoint Plan 1 and Plan 2, but not Microsoft Defender for Business\nP2 Requires Microsoft Defender for Endpoint Plan 2 and isn\u0026rsquo;t currently documented for Microsoft Defender for Business\nAdd-on Requires the Microsoft Defender Vulnerability Management add-on or Microsoft Defender for Servers license\nCurrent support notes\nWindows 7 SP1 and Windows Server 2008 R2 require 64-bit (x64) architecture. Windows Server 2012 R2 and Windows Server 2016 support shown here depends on the modern unified solution where Microsoft documents that requirement. macOS support is limited to the three most recent major releases; as of April 2026 that means macOS 26 (Tahoe), macOS 15 (Sequoia), and macOS 14 (Sonoma). Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+. 
In Defender for Business, Windows Server and Linux support assumes the relevant server entitlement where Microsoft requires it (for example Defender for Business servers or Defender for Servers). Some Defender for Business capabilities rely on Intune or Jamf for policy delivery even when the feature itself is included. Advanced hunting in this matrix means the built-in Microsoft Defender portal experience. Defender for Business can export raw data by using the streaming API, but that isn\u0026rsquo;t the same entitlement. Blank cells are intentional and reflect unsupported or not-currently-documented support at this matrix granularity. Feature Comparison Attack surface reduction Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS ASR rules Block abuse of exploited vulnerable signed drivers Protect against vulnerable signed drivers that allow kernel access and system compromise. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block Adobe Reader from creating child processes Prevents payloads breaking out of Adobe Reader. P1+P2+MDB 1809+ ✓ ✓ ✓ ✓ Block all Office applications from creating child processes Prevents Word, Excel, PowerPoint, OneNote, and Access creating child processes. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block credential stealing from LSASS Prevents untrusted processes accessing LSASS directly. P1+P2+MDB 1803+ ✓ ✓ ✓ ✓ Block executable content from email client and webmail Prevents Outlook and popular webmail providers launching scripts or executable files. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block executable files from running unless they meet a prevalence, age, or trusted list criterion Using cloud-delivered protection, block executables depending on various reputational metrics. P1+P2+MDB 1803+ ✓ ✓ ✓ ✓ Block execution of potentially obfuscated scripts Identifies and blocks script obfuscation with suspicious properties. 
P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block JavaScript or VBScript from launching downloaded executable content Prevents JavaScript or VBScript fetching and launching executables. P1+P2+MDB 1709+ ✓ ✓ Block Office applications from creating executable content Prevents the Office suite from saving executable content to disk. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block Office applications from injecting code into other processes Prevent attempts to migrate code into another process in Word, Excel, and PowerPoint. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Block Office communication applications from creating child processes In Outlook and other supported Office communication apps, prevent child processes being created. P1+P2+MDB 1809+ ✓ ✓ ✓ ✓ Block persistence through WMI event subscription Prevent C2 abuse of WMI to attain device persistence. P1+P2+MDB 1903+ ✓ ✓ Block process creations originating from PSExec and WMI commands Prevents PSExec or WMI created processes from running, as is common in lateral movement techniques. Not compatible with Configuration Manager. P1+P2+MDB 1803+ ✓ ✓ ✓ ✓ Block rebooting machine in Safe Mode Prevents commands such as bcdedit and bootcfg from restarting a device into Safe Mode. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Block untrusted and unsigned processes that run from USB Executable files on USB drives or SD cards are prevented from executing unless trusted or signed. P1+P2+MDB 1803+ ✓ ✓ ✓ ✓ Block use of copied or impersonated system tools Blocks executable files identified as copies or impostors of Windows system tools. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Block Webshell creation for Servers For the Exchange server role only, block web shell script creation. P1+P2+MDB ✓ ✓ ✓ Block Win32 API calls from Office macros Protects against Office VBA Win32 API calls, mostly found in legacy macros. P1+P2+MDB 1709+ ✓ ✓ Use advanced protection against ransomware Using cloud-delivered protection heuristics, if a lower reputation file resembles ransomware and has not been signed, it is blocked. 
P1+P2+MDB 1803+ ✓ ✓ ✓ ✓ ASR rules in warn mode if supported by rule Allow users to override ASR blocked events. Microsoft currently documents warn mode support on Windows 10 version 1809 or later. P1+P2+MDB 1809+ Exploit protection Successor to Enhanced Mitigation Experience Toolkit (EMET) with protection against over twenty exploit types. P1+P2 1709+ ✓ ✓ Web protection Web threat protection and web content filtering. Linux support is currently documented as preview. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ ✓ ✓\nAMD64 Network protection Extends web threat and custom network indicator enforcement beyond Microsoft browsers to OS traffic and supported third-party browsers. Linux support is currently documented as preview. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ ✓ ✓\nAMD64 Controlled folder access Ransomware protection where protected folders are specified, and only allow-listed applications may make modifications to them. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ Device control – removable storage protection Block the use of unauthorised removable storage media based on properties such as vendor ID, serial number, or device class. P1+P2+MDB ✓ ✓ Device control – removable storage access control Audit and control read/write/execute operations on removable storage media based on properties similar to removable storage protection. P1+P2+MDB ✓ ✓ Device control – device installation Control the installation of specific devices, e.g. block all except allowed or vice-versa. P1+P2+MDB ✓ ✓ Device control – printer protection Block the use of unauthorised print devices based on vendor ID and product ID. 
P1+P2+MDB 1809+ Endpoint protection platform Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Microsoft Defender Antivirus (MDAV) / Next-Generation Protection Core antimalware engine that provides behaviour-based, heuristic, and real-time AV protection; powers next-generation protection features in addition to standard signature-based detections. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ System Centre Endpoint Protection (SCEP) / Microsoft Antimalware for Azure (MAA) Down-level operating systems do not have the modern built-in antivirus platform, however Microsoft\u0026rsquo;s antimalware platform is still available through channels such as SCEP and MAA. P1+P2+MDB ✓ ✓ ✓ Only if not using unified agent Preventative antivirus (not \u0026ldquo;next-generation protection\u0026rdquo;) Traditional antivirus protection on down-level platforms that do not run the modern MDAV next-generation client. P1+P2+MDB ✓ ✓ ✓ Block at first sight Block execution for up to 60 seconds while cloud reputation is checked for executables carrying mark-of-the-web metadata. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Cloud-delivered protection Sends metadata to the cloud protection service to determine if a file is safe based on machine learning and Intelligent Security Graph. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ Tamper protection Blocks uninstallation and other defense-evasion techniques on supported desktop and server platforms. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ Tamper protection for exclusions Extends tamper protection to MDAV exclusions but only if DisableLocalAdminMerge is enabled, the device is Intune/ConfigMgr managed, and exclusions are managed by Intune. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Contextual file and folder exclusions Refine the scope of exclusions by controlling how they apply based on scan type, trigger, process, and/or file/folder. 
P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Potentially unwanted app protection Blocks software that isn\u0026rsquo;t necessarily malicious but is otherwise undesirable, such as advertising injectors and cryptominers. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ Passive mode If third-party endpoint protection is also running, the antimalware engine doesn\u0026rsquo;t provide preventative real-time protection but can still scan on-demand and be supplemented by EDR in block mode. P1+P2+MDB ✓\nAutomatic ✓\nManual ✓\nManual ✓\nManual ✓\nManual ✓\nManual Custom file indicators Custom block or allow controls on the endpoint based on file hashes and supported certificate/file indicators. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ Custom network indicators Custom block or allow controls based on public IPs, URLs, and domains. On mobile, Microsoft currently documents URL/domain indicators only. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓\nAMD64 URL/domain only URL/domain only Windows Defender Firewall with Advanced Security (WFAS) Control the inbound and outbound network traffic allowed on the device based on the type of network connected, as well as other controls such as IPsec. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Troubleshooting mode Instead of excluding a device from tamper protection to test problems, troubleshooting mode allows temporary local admin overrides and diagnostic collection. P1+P2 21H2+ ✓ ✓ ✓ ✓ ✓ Performance mode For Dev Drive, reduce the performance hit real-time protection has by performing scans asynchronously rather than synchronously. P1+P2+MDB Win 11 Host firewall reporting Dedicated reporting available in the Microsoft Defender portal about inbound, outbound, and app-based connections. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ Custom data collection Expand the default telemetry collection scope to support specialised threat hunting and security monitoring needs. 
P2 Preview Preview Preview Preview Preview Investigation and response Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Alerts Detected threats or potential malicious activity that should be reviewed, presented with a story, affected assets, and details. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Incidents Aggregation of alerts with the same attack techniques or attributed to the same attacker. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Device groups Control RBAC permissions to devices and alerts, auto-remediation levels, and web content filtering. One device belongs to one group. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Device tags Create logical group affiliation for filtering, reporting, and automatic device group membership. One device can have many tags. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Advanced hunting Kusto query language (KQL) based tool for exploration of raw data across Microsoft Defender, including custom detection rules. Data collection is supported on all platforms below except Android and iOS. P2 ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ EDR in block mode Remediates malicious artifacts in post-breach detections, including if third-party AV is in use and MDAV is in passive mode. P2+MDB ✓ ✓ ✓ ✓ ✓ Automated investigation and response (AIR) Uses inspection algorithms based on security analyst processes to examine and take configurable remedial action. P2+MDB 1709+ ✓ ✓ ✓ ✓ File response actions Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Stop and quarantine file Stop any running processes and quarantine the file, unless signed by Microsoft. P1+P2 1703+ ✓ ✓ ✓ ✓ Automatically collect file for deep analysis Executes the file in a cloud environment and reports on behaviours such as contacted IPs, files created on disk, and registry modifications. 
P2 ✓ ✓ ✓ ✓ ✓ ✓ ✓ Download quarantined file Download a zipped version of a file quarantined by Microsoft Defender Antivirus if it was collected under your sample submission policy. P2 1703+ Device response actions Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Run antivirus scan Initiates a full or quick scan even if the device is in passive mode. P1+P2+MDB 1709+ ✓ ✓ ✓ ✓ 101.98.84+ 101.98.84+ Restrict app execution Implements a code-integrity policy limiting files to those signed by Microsoft. P2 1709+ ✓ ✓ Isolate from the network (full) Limits network connectivity on the endpoint to only the Defender for Endpoint service. P1+P2+MDB 1703+ ✓ ✓ ✓ ✓ ✓ ✓ Isolate from the network (selective) Limits network connectivity on the endpoint to Defender for Endpoint and selected Microsoft 365 communication apps. P1+P2+MDB 1703+ ✓ ✓ ✓ ✓ 101.98.84+ Forcibly release from isolation Download a device-unique release script from the portal to end device isolation locally, for devices that have become unresponsive while isolated. Requires Windows 10 21H2 or Windows 11 21H2 with specific KBs. P2+MDB 21H2+ Isolation exclusions Designate applications or processes that maintain network connectivity while the device is isolated. Package Family Name (PFN) exclusion type requires Win 10 22H2+, Win 11 22H2+, or Win Svr 2025. P1+P2 1703+ ✓ ✓ ✓ ✓ ✓ Contain device from the network Block inbound and outbound communication with an unmanaged MDE-discovered device; enforcement is applied by onboarded devices running Windows 10 or Windows Server 2019+. P2 ✓ ✓ ✓ Contain IP addresses Automatically block inbound and outbound communications with an IP address associated with an undiscovered or non-onboarded device via automatic attack disruption. Enforcement is documented on onboarded devices running Windows 10, Windows 11, WS2012 R2, or WS2016. Currently in preview. 
P2 Preview Preview Preview Contain user from the network Blocks an identity on onboarded devices from inbound risky traffic such as RPC, SMB, and RDP. Currently triggered automatically only, via automatic attack disruption or predictive shielding. P2+MDB Sense 8740+ ✓ ✓ ✓ ✓ GPO hardening Temporarily prevents new Group Policy Objects from being applied to a high-risk device as part of predictive shielding. Currently in preview. P2 Preview Preview Preview Safeboot hardening Enforces stricter boot settings on a high-risk device as part of predictive shielding. Currently in preview. P2 Preview Preview Preview Live response Establishes a remote shell connection to the endpoint to collect forensics, run scripts, analyse threats, and threat hunt. P2+MDB 1709+ ✓ ✓ ✓ ✓ ✓ ✓ Live response library management Centralised view to upload, manage, and review the scripts and files available for use in live response sessions. P2+MDB 1709+ ✓ ✓ ✓ ✓ ✓ ✓ Collect an investigation package Builds a zip file with forensic information such as installed programs, autoruns, processes, SMB sessions, and system info. P2 1703+ ✓ ✓ ✓ ✓ ✓ ✓ Microsoft Defender Vulnerability Management Features in this section are now accessible via Exposure Management in the Microsoft Defender portal.\nFeature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS OS vulnerabilities Informs MDVM recommendations and weaknesses based on operating system vulnerabilities. P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Software product vulnerabilities Informs MDVM recommendations and weaknesses based on individual software vulnerabilities; not limited to Microsoft apps. P2+MDB ✓ ✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ OS configuration assessment Informs MDVM recommendations based on system settings for the OS itself. P2+MDB ✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Software controls configuration assessment Informs MDVM recommendations based on alignment with control standards. 
P2+MDB ✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Software product configuration assessment Informs MDVM recommendations based on app configurations. P2+MDB ✓ 1709+ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Device discovery Endpoints passively or actively collect events and extract device information (basic mode) or actively probe observed devices (standard mode; default). This refers to OSs that can perform discovery. P2+MDB 1809+ ✓ ✓ Software usage insights In the software inventory, find software usage statistics such as median usage over 30 days. P2+MDB ✓ Security baseline assessments (add-on license) Assess devices against security benchmarks such as CIS and STIG. Add-on ✓ ✓ ✓ ✓ ✓ Firmware assessments (add-on license) Informs MDVM recommendations based on hardware and firmware vulnerabilities. Firmware (BIOS) vulnerability assessment is Windows-only; hardware inventory data is collected cross-platform. Note: processor and BIOS data is not reported on macOS devices with M1 or M2 processors. Add-on ✓ ✓ ✓ ✓ ✓ ✓ ✓ Block vulnerable applications (add-on license) Temporarily block or warn on launch all known vulnerable versions of an application until the remediation request is completed. Add-on ✓ ✓ ✓ ✓ ✓ ✓ Browser extensions (add-on license) Report installed browser extensions and their permission risk in the Microsoft Defender inventory page. Add-on ✓ ✓ ✓ ✓ ✓ Certificate inventory (add-on license) Report certificates in the local machine store in the Microsoft Defender inventory page. Windows-only (reads from the local machine certificate store). Add-on ✓ ✓ ✓ ✓ ✓ Mobile Threat Defense Mobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.\nFeature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Microsoft Tunnel Integration with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. 
P1+P2 ✓ ✓ Jailbreak / root detection Detects jailbroken iOS/iPadOS devices and rooted Android devices. Android root detection is currently documented as preview. Defender for Business currently documents jailbreak detection on iOS only. P1+P2+MDB Preview ✓ Mobile application management (MAM) support Supports Conditional Access and app protection policy risk signals without requiring full MDM enrollment. P1+P2 ✓ ✓ Potentially unwanted or malicious app scanning Uses signatures and machine learning heuristics to protect against unsafe apps and files. Microsoft currently documents this capability on Android. P1+P2+MDB ✓ Phishing protection Protects against potentially malicious web traffic in browsers, email, apps, and messaging apps. P1+P2+MDB ✓ ✓ Privacy controls Lets admins and end users configure what threat-report data is shared from enrolled or unenrolled devices. P1+P2 ✓ ✓ Optional permissions and disable web protection Allows reduced mobile permissions and optional disabling of web protection at the cost of protection coverage. P1+P2 ✓ ✓ Mobile network protection Protection against rogue Wi-Fi and certificate-related network threats on supported mobile platforms. P1+P2+MDB ✓ ✓ Onboarding and management Feature Description License Win 7 SP1 Win 8.1 Win 10/11 Win Svr 2008 R2 Win Svr 2012 R2 Win Svr 2016 Win Svr 2019/2022 Win Svr 2025 macOS Linux Android iOS Microsoft Monitoring Agent (MMA) required Windows OSs without EDR capabilities built in require MMA installed with a workspace ID and key specified from the portal. P1+P2 ✓ ✓ ✓ Only if not using unified agent Only if not using unified agent \u0026lsquo;Unified solution\u0026rsquo; agent available The modern unified solution is available for Windows Server 2012 R2 and 2016, providing the full MDE client stack including EDR on these operating systems. 
P1+P2+MDB ✓ ✓ Defender deployment tool Lightweight self-updating onboarding tool that bundles the onboarding package, handles prerequisites, and automates migrations. Windows 7 SP1 and WS2008 R2 receive a limited Defender endpoint security solution (Preview), not full MDE parity. Defender for Business is currently documented for the Linux Server preview only. P1+P2+MDB Preview 1809+ Preview ✓ ✓ ✓ ✓ Preview Security Management for MDE Manage configuration using Endpoint Manager admin centre without enrolling the device in MDM. Also known as MDE Attach. P1+P2+MDB ✓ ✓ ✓ ✓ ✓ ✓ ✓ Windows Subsystem for Linux (WSL) 2 Using a plug-in, WSL 2.0.7+ is available in Defender inventory as a Linux device separate from the Windows host. P2 Win 10 2004+ / Win 11 Microsoft Defender for Cloud (Microsoft Defender for Servers) MDE is included as part of the Microsoft Defender for Servers licensing in Defender for Cloud. Using Azure Arc, it can be extended to systems not hosted in Azure. Add-on Enterprise Multi-Session ✓ ✓ ✓ ✓ ✓ ✓ Microsoft Intune Microsoft\u0026rsquo;s MDM service, which can be used for onboarding supported OSs. P1+P2+MDB ✓ ✓ ✓ ✓ Microsoft Configuration Manager On-premises endpoint and server management solution. P1+P2 ✓ ✓ ✓ ✓ ✓ ✓ Jamf Pro Alternative MDM for macOS. P1+P2+MDB ✓ Puppet / Ansible / Chef Scalable automation and orchestration platforms for Linux. 
P1+P2+MDB ✓ ","permalink":"https://campbell.scot/mde-feature-comparison/","summary":"\u003cp\u003eBest efforts have been taken to keep this accurate, but Microsoft\u0026rsquo;s documentation is imperfect and the information is spread across multiple doc sets.\u003c/p\u003e\n\u003ch2 id=\"legend\"\u003eLegend\u003c/h2\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eSymbol\u003c/th\u003e\n          \u003cth\u003eMeaning\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003e✓\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eSupported on all currently supported versions of that OS in the current Microsoft documentation (unless otherwise noted)\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003e1709+\u003c/strong\u003e (version value)\u003c/td\u003e\n          \u003ctd\u003eMinimum OS version/build explicitly called out in the current Microsoft documentation\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003ePreview\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eDocumented by Microsoft as preview support, not general availability\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cem\u003e(blank)\u003c/em\u003e\u003c/td\u003e\n          \u003ctd\u003eNot supported or not documented as supported\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eMeaning\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eP1+P2+MDB\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eAvailable in Microsoft Defender for Endpoint Plan 
1, Plan 2, and Microsoft Defender for Business\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eP2+MDB\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eAvailable in Microsoft Defender for Endpoint Plan 2 and Microsoft Defender for Business\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eP1+P2\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eAvailable in Microsoft Defender for Endpoint Plan 1 and Plan 2, but not Microsoft Defender for Business\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eP2\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eRequires Microsoft Defender for Endpoint Plan 2 and isn\u0026rsquo;t currently documented for Microsoft Defender for Business\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eAdd-on\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eRequires the Microsoft Defender Vulnerability Management add-on or Microsoft Defender for Servers license\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 id=\"current-support-notes\"\u003eCurrent support notes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eWindows 7 SP1 and Windows Server 2008 R2 require 64-bit (x64) architecture.\u003c/li\u003e\n\u003cli\u003eWindows Server 2012 R2 and Windows Server 2016 support shown here depends on the modern unified solution where Microsoft documents that requirement.\u003c/li\u003e\n\u003cli\u003emacOS support is limited to the three most recent major releases; as of April 2026 that means macOS 26 (Tahoe), macOS 15 (Sequoia), and macOS 14 (Sonoma).\u003c/li\u003e\n\u003cli\u003eMobile support currently requires Android 11.0+ and iOS/iPadOS 16.0+.\u003c/li\u003e\n\u003cli\u003eIn Defender for Business, Windows Server and Linux support assumes the relevant server 
entitlement where Microsoft requires it (for example Defender for Business servers or Defender for Servers).\u003c/li\u003e\n\u003cli\u003eSome Defender for Business capabilities rely on Intune or Jamf for policy delivery even when the feature itself is included.\u003c/li\u003e\n\u003cli\u003eAdvanced hunting in this matrix means the built-in Microsoft Defender portal experience. Defender for Business can export raw data by using the streaming API, but that isn\u0026rsquo;t the same entitlement.\u003c/li\u003e\n\u003cli\u003eBlank cells are intentional and reflect unsupported or not-currently-documented support at this matrix granularity.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"feature-comparison\"\u003eFeature Comparison\u003c/h2\u003e\n\u003ch3 id=\"attack-surface-reduction\"\u003eAttack surface reduction\u003c/h3\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eFeature\u003c/th\u003e\n          \u003cth\u003eDescription\u003c/th\u003e\n          \u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eWin 7 SP1\u003c/th\u003e\n          \u003cth\u003eWin 8.1\u003c/th\u003e\n          \u003cth\u003eWin 10/11\u003c/th\u003e\n          \u003cth\u003eWin Svr 2008 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2012 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2016\u003c/th\u003e\n          \u003cth\u003eWin Svr 2019/2022\u003c/th\u003e\n          \u003cth\u003eWin Svr 2025\u003c/th\u003e\n          \u003cth\u003emacOS\u003c/th\u003e\n          \u003cth\u003eLinux\u003c/th\u003e\n          \u003cth\u003eAndroid\u003c/th\u003e\n          \u003cth\u003eiOS\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eASR rules\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n 
         \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock abuse of exploited vulnerable signed drivers\u003c/td\u003e\n          \u003ctd\u003eProtect against vulnerable signed drivers that allow kernel access and system compromise.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Adobe Reader from creating child processes\u003c/td\u003e\n          \u003ctd\u003ePrevents payloads breaking out of Adobe Reader.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1809+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n 
     \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock all Office applications from creating child processes\u003c/td\u003e\n          \u003ctd\u003ePrevents Word, Excel, PowerPoint, OneNote, and Access creating child processes.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock credential stealing from LSASS\u003c/td\u003e\n          \u003ctd\u003ePrevents untrusted processes accessing LSASS directly.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1803+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock executable content from email client and webmail\u003c/td\u003e\n          \u003ctd\u003ePrevents Outlook and popular webmail providers launching scripts or executable files.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\u003c/td\u003e\n          \u003ctd\u003eUsing cloud-delivered protection, block executables depending on various reputational metrics.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1803+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock execution of potentially obfuscated scripts\u003c/td\u003e\n          \u003ctd\u003eIdentifies and blocks script obfuscation with suspicious properties.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n         
 \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock JavaScript or VBScript from launching downloaded executable content\u003c/td\u003e\n          \u003ctd\u003ePrevents JavaScript or VBScript fetching and launching executables.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Office applications from creating executable content\u003c/td\u003e\n          \u003ctd\u003ePrevents the Office suite from saving executable content to disk.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Office applications from injecting code into other processes\u003c/td\u003e\n          \u003ctd\u003ePrevent attempts to migrate code into another process in Word, Excel, and PowerPoint.\u003c/td\u003e\n          
\u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Office communication applications from creating child processes\u003c/td\u003e\n          \u003ctd\u003eIn Outlook and other supported Office communication apps, prevent child processes being created.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1809+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock persistence through WMI event subscription\u003c/td\u003e\n          \u003ctd\u003ePrevent C2 abuse of WMI to attain device persistence.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1903+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n   
       \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock process creations originating from PSExec and WMI commands\u003c/td\u003e\n          \u003ctd\u003ePrevents PSExec or WMI created processes from running, as is common in lateral movement techniques. Not compatible with Configuration Manager.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1803+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock rebooting machine in Safe Mode\u003c/td\u003e\n          \u003ctd\u003ePrevents commands such as \u003ccode\u003ebcdedit\u003c/code\u003e and \u003ccode\u003ebootcfg\u003c/code\u003e from restarting a device into Safe Mode.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock untrusted and 
unsigned processes that run from USB\u003c/td\u003e\n          \u003ctd\u003eExecutable files on USB drives or SD cards are prevented from executing unless trusted or signed.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1803+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock use of copied or impersonated system tools\u003c/td\u003e\n          \u003ctd\u003eBlocks executable files identified as copies or impostors of Windows system tools.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Webshell creation for Servers\u003c/td\u003e\n          \u003ctd\u003eFor the Exchange server role only, block web shell script creation.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock Win32 API calls from Office macros\u003c/td\u003e\n          \u003ctd\u003eProtects against Office VBA Win32 API calls, mostly found in legacy macros.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eUse advanced protection against ransomware\u003c/td\u003e\n          \u003ctd\u003eUsing cloud-delivered protection heuristics, if a lower reputation file resembles ransomware and has not been signed, it is blocked.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1803+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      
\u003ctr\u003e\n          \u003ctd\u003eASR rules in warn mode if supported by rule\u003c/td\u003e\n          \u003ctd\u003eAllow users to override ASR blocked events. Microsoft currently documents warn mode support on Windows 10 version 1809 or later.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1809+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eExploit protection\u003c/td\u003e\n          \u003ctd\u003eSuccessor to Enhanced Mitigation Experience Toolkit (EMET) with protection against over twenty exploit types.\u003c/td\u003e\n          \u003ctd\u003eP1+P2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eWeb protection\u003c/td\u003e\n          \u003ctd\u003eWeb threat protection and web content filtering. 
Linux support is currently documented as preview.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eAMD64\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eNetwork protection\u003c/td\u003e\n          \u003ctd\u003eExtends web threat and custom network indicator enforcement beyond Microsoft browsers to OS traffic and supported third-party browsers. Linux support is currently documented as preview.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eAMD64\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eControlled folder access\u003c/td\u003e\n          \u003ctd\u003eRansomware protection where protected folders are specified, and only allow-listed applications may make modifications to them.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n    
      \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice control – removable storage protection\u003c/td\u003e\n          \u003ctd\u003eBlock the use of unauthorised removable storage media based on properties such as vendor ID, serial number, or device class.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice control – removable storage access control\u003c/td\u003e\n          \u003ctd\u003eAudit and control read/write/execute operations on removable storage media based on properties similar to removable storage protection.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice control – device installation\u003c/td\u003e\n          \u003ctd\u003eControl the installation of specific devices, e.g. block all except allowed or vice-versa.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice control – printer protection\u003c/td\u003e\n          \u003ctd\u003eBlock the use of unauthorised print devices based on vendor ID and product ID.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1809+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"endpoint-protection-platform\"\u003eEndpoint protection platform\u003c/h3\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eFeature\u003c/th\u003e\n          \u003cth\u003eDescription\u003c/th\u003e\n          
\u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eWin 7 SP1\u003c/th\u003e\n          \u003cth\u003eWin 8.1\u003c/th\u003e\n          \u003cth\u003eWin 10/11\u003c/th\u003e\n          \u003cth\u003eWin Svr 2008 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2012 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2016\u003c/th\u003e\n          \u003cth\u003eWin Svr 2019/2022\u003c/th\u003e\n          \u003cth\u003eWin Svr 2025\u003c/th\u003e\n          \u003cth\u003emacOS\u003c/th\u003e\n          \u003cth\u003eLinux\u003c/th\u003e\n          \u003cth\u003eAndroid\u003c/th\u003e\n          \u003cth\u003eiOS\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eMicrosoft Defender Antivirus (MDAV) / Next-Generation Protection\u003c/td\u003e\n          \u003ctd\u003eCore antimalware engine that provides behaviour-based, heuristic, and real-time AV protection; powers next-generation protection features in addition to standard signature-based detections.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eSystem Center Endpoint Protection (SCEP) / Microsoft Antimalware for Azure (MAA)\u003c/td\u003e\n          \u003ctd\u003eDown-level operating systems do not have the modern built-in antivirus platform; however, Microsoft\u0026rsquo;s antimalware platform is still available through channels such as SCEP and MAA.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003eOnly if not using unified agent\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003ePreventative antivirus (not \u0026ldquo;next-generation protection\u0026rdquo;)\u003c/td\u003e\n          \u003ctd\u003eTraditional antivirus protection on down-level platforms that do not run the modern MDAV next-generation client.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eBlock at first sight\u003c/td\u003e\n          \u003ctd\u003eBlock execution for up to 60 seconds while cloud reputation is checked for executables carrying mark-of-the-web metadata.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          
\u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eCloud-delivered protection\u003c/td\u003e\n          \u003ctd\u003eSends metadata to the cloud protection service to determine if a file is safe based on machine learning and Intelligent Security Graph.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eTamper protection\u003c/td\u003e\n          \u003ctd\u003eBlocks uninstallation and other defense-evasion techniques on supported desktop and server platforms.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eTamper protection 
for exclusions\u003c/td\u003e\n          \u003ctd\u003eExtends tamper protection to MDAV exclusions but only if DisableLocalAdminMerge is enabled, the device is Intune/ConfigMgr managed, and exclusions are managed by Intune.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eContextual file and folder exclusions\u003c/td\u003e\n          \u003ctd\u003eRefine the scope of exclusions by controlling how they apply based on scan type, trigger, process, and/or file/folder.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003ePotentially unwanted app protection\u003c/td\u003e\n          \u003ctd\u003eBlocks software that isn\u0026rsquo;t necessarily malicious but is otherwise undesirable, such as advertising injectors and cryptominers.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003ePassive mode\u003c/td\u003e\n          \u003ctd\u003eIf third-party endpoint protection is also running, the antimalware engine doesn\u0026rsquo;t provide preventative real-time protection but can still scan on-demand and be supplemented by EDR in block mode.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eAutomatic\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eManual\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eManual\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eManual\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eManual\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eManual\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eCustom file indicators\u003c/td\u003e\n          \u003ctd\u003eCustom block or allow controls on the endpoint based on file hashes and supported certificate/file indicators.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eCustom network indicators\u003c/td\u003e\n          \u003ctd\u003eCustom block or allow controls based on public IPs, URLs, and domains. On mobile, Microsoft currently documents URL/domain indicators only.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003cbr\u003eAMD64\u003c/td\u003e\n          \u003ctd\u003eURL/domain only\u003c/td\u003e\n          \u003ctd\u003eURL/domain only\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eWindows Defender Firewall with Advanced Security (WFAS)\u003c/td\u003e\n          \u003ctd\u003eControl the inbound and outbound network traffic allowed on the device based on the type of network connected, as well as other controls such as IPsec.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eTroubleshooting mode\u003c/td\u003e\n          \u003ctd\u003eInstead of excluding a device from tamper protection to test problems, troubleshooting mode allows temporary local admin overrides and diagnostic collection.\u003c/td\u003e\n          \u003ctd\u003eP1+P2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e21H2+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003ePerformance mode\u003c/td\u003e\n          \u003ctd\u003eFor Dev Drive, reduce the performance hit real-time protection has by performing scans asynchronously rather than synchronously.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003eWin 11\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eHost firewall reporting\u003c/td\u003e\n          \u003ctd\u003eDedicated reporting available in the Microsoft Defender portal about inbound, 
outbound, and app-based connections.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eCustom data collection\u003c/td\u003e\n          \u003ctd\u003eExpand the default telemetry collection scope to support specialised threat hunting and security monitoring needs.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"investigation-and-response\"\u003eInvestigation and response\u003c/h3\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eFeature\u003c/th\u003e\n          \u003cth\u003eDescription\u003c/th\u003e\n          \u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eWin 7 SP1\u003c/th\u003e\n          \u003cth\u003eWin 8.1\u003c/th\u003e\n          \u003cth\u003eWin 10/11\u003c/th\u003e\n          \u003cth\u003eWin Svr 2008 
R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2012 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2016\u003c/th\u003e\n          \u003cth\u003eWin Svr 2019/2022\u003c/th\u003e\n          \u003cth\u003eWin Svr 2025\u003c/th\u003e\n          \u003cth\u003emacOS\u003c/th\u003e\n          \u003cth\u003eLinux\u003c/th\u003e\n          \u003cth\u003eAndroid\u003c/th\u003e\n          \u003cth\u003eiOS\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eAlerts\u003c/td\u003e\n          \u003ctd\u003eDetected threats or potential malicious activity that should be reviewed, presented with a story, affected assets, and details.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eIncidents\u003c/td\u003e\n          \u003ctd\u003eAggregation of alerts with the same attack techniques or attributed to the same attacker.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          
\u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice groups\u003c/td\u003e\n          \u003ctd\u003eControl RBAC permissions to devices and alerts, auto-remediation levels, and web content filtering. One device belongs to one group.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDevice tags\u003c/td\u003e\n          \u003ctd\u003eCreate logical group affiliation for filtering, reporting, and automatic device group membership. One device can have many tags.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eAdvanced hunting\u003c/td\u003e\n          \u003ctd\u003eKusto query language (KQL) based tool for exploration of raw data across Microsoft Defender, including custom detection rules. 
Data collection is supported on all platforms below except Android and iOS.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eEDR in block mode\u003c/td\u003e\n          \u003ctd\u003eRemediates malicious artifacts in post-breach detections, including if third-party AV is in use and MDAV is in passive mode.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eAutomated investigation and response (AIR)\u003c/td\u003e\n          \u003ctd\u003eUses inspection algorithms based on security analyst processes to examine and take configurable remedial action.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          
\u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"file-response-actions\"\u003eFile response actions\u003c/h3\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eFeature\u003c/th\u003e\n          \u003cth\u003eDescription\u003c/th\u003e\n          \u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eWin 7 SP1\u003c/th\u003e\n          \u003cth\u003eWin 8.1\u003c/th\u003e\n          \u003cth\u003eWin 10/11\u003c/th\u003e\n          \u003cth\u003eWin Svr 2008 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2012 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2016\u003c/th\u003e\n          \u003cth\u003eWin Svr 2019/2022\u003c/th\u003e\n          \u003cth\u003eWin Svr 2025\u003c/th\u003e\n          \u003cth\u003emacOS\u003c/th\u003e\n          \u003cth\u003eLinux\u003c/th\u003e\n          \u003cth\u003eAndroid\u003c/th\u003e\n          \u003cth\u003eiOS\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eStop and quarantine file\u003c/td\u003e\n          \u003ctd\u003eStop any running processes and quarantine the file, unless signed by Microsoft.\u003c/td\u003e\n          \u003ctd\u003eP1+P2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eAutomatically collect file for deep analysis\u003c/td\u003e\n          \u003ctd\u003eExecutes the file in a cloud environment and reports on behaviours such as contacted IPs, files created on disk, and registry modifications.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eDownload quarantined file\u003c/td\u003e\n          \u003ctd\u003eDownload a zipped version of a file quarantined by Microsoft Defender Antivirus if it was collected under your sample submission policy.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 id=\"device-response-actions\"\u003eDevice response actions\u003c/h3\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          
\u003cth\u003eFeature\u003c/th\u003e\n          \u003cth\u003eDescription\u003c/th\u003e\n          \u003cth\u003eLicense\u003c/th\u003e\n          \u003cth\u003eWin 7 SP1\u003c/th\u003e\n          \u003cth\u003eWin 8.1\u003c/th\u003e\n          \u003cth\u003eWin 10/11\u003c/th\u003e\n          \u003cth\u003eWin Svr 2008 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2012 R2\u003c/th\u003e\n          \u003cth\u003eWin Svr 2016\u003c/th\u003e\n          \u003cth\u003eWin Svr 2019/2022\u003c/th\u003e\n          \u003cth\u003eWin Svr 2025\u003c/th\u003e\n          \u003cth\u003emacOS\u003c/th\u003e\n          \u003cth\u003eLinux\u003c/th\u003e\n          \u003cth\u003eAndroid\u003c/th\u003e\n          \u003cth\u003eiOS\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eRun antivirus scan\u003c/td\u003e\n          \u003ctd\u003eInitiates a full or quick scan even if the device is in passive mode.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e101.98.84+\u003c/td\u003e\n          \u003ctd\u003e101.98.84+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eRestrict app execution\u003c/td\u003e\n          \u003ctd\u003eImplements a code-integrity policy limiting files to those signed by Microsoft.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          
\u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eIsolate from the network (full)\u003c/td\u003e\n          \u003ctd\u003eLimits network connectivity on the endpoint to only the Defender for Endpoint service.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eIsolate from the network (selective)\u003c/td\u003e\n          \u003ctd\u003eLimits network connectivity on the endpoint to Defender for Endpoint and selected Microsoft 365 communication apps.\u003c/td\u003e\n          \u003ctd\u003eP1+P2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e101.98.84+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n   
   \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eForcibly release from isolation\u003c/td\u003e\n          \u003ctd\u003eDownload a device-unique release script from the portal to end device isolation locally, for devices that have become unresponsive while isolated. Requires Windows 10 21H2 or Windows 11 21H2 with specific KBs.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e21H2+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eIsolation exclusions\u003c/td\u003e\n          \u003ctd\u003eDesignate applications or processes that maintain network connectivity while the device is isolated. 
Package Family Name (PFN) exclusion type requires Win 10 22H2+, Win 11 22H2+, or Win Svr 2025.\u003c/td\u003e\n          \u003ctd\u003eP1+P2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eContain device from the network\u003c/td\u003e\n          \u003ctd\u003eBlock inbound and outbound communication with an unmanaged MDE-discovered device; enforcement is applied by onboarded devices running Windows 10 or Windows Server 2019+.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eContain IP addresses\u003c/td\u003e\n          \u003ctd\u003eAutomatically block inbound and outbound communications with an IP address associated with an undiscovered or non-onboarded device via automatic attack disruption. Enforcement is documented on onboarded devices running Windows 10, Windows 11, WS2012 R2, or WS2016. 
Currently in preview.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eContain user from the network\u003c/td\u003e\n          \u003ctd\u003eBlocks an identity on onboarded devices from inbound risky traffic such as RPC, SMB, and RDP. Currently triggered automatically only, via automatic attack disruption or predictive shielding.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003eSense 8740+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eGPO hardening\u003c/td\u003e\n          \u003ctd\u003eTemporarily prevents new Group Policy Objects from being applied to a high-risk device as part of predictive shielding. 
Currently in preview.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eSafeboot hardening\u003c/td\u003e\n          \u003ctd\u003eEnforces stricter boot settings on a high-risk device as part of predictive shielding. Currently in preview.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003ePreview\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eLive response\u003c/td\u003e\n          \u003ctd\u003eEstablishes a remote shell connection to the endpoint to collect forensics, run scripts, analyse threats, and threat hunt.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          
\u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eLive response library management\u003c/td\u003e\n          \u003ctd\u003eCentralised view to upload, manage, and review the scripts and files available for use in live response sessions.\u003c/td\u003e\n          \u003ctd\u003eP2+MDB\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1709+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003eCollect an investigation package\u003c/td\u003e\n          \u003ctd\u003eBuilds a zip file with forensic information such as installed programs, autoruns, processes, SMB sessions, and system info.\u003c/td\u003e\n          \u003ctd\u003eP2\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e1703+\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e✓\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n          \u003ctd\u003e\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch3 
id=\"microsoft-defender-vulnerability-management\"\u003eMicrosoft Defender Vulnerability Management\u003c/h3\u003e\n\u003cp\u003e\u003cem\u003eFeatures in this section are now accessible via \u003cstrong\u003eExposure Management\u003c/strong\u003e in the Microsoft Defender portal.\u003c/em\u003e\u003c/p\u003e","title":"MDE Feature Comparison by OS"},{"content":"Defender for Cloud Apps (MDA) is such a hidden gem. When talking with Microsoft 365 E5 customers, it\u0026rsquo;s amazing how few of them really grab MDA and squeeze all they can out of it. It\u0026rsquo;s often classified as a cloud access security broker (CASB) but that\u0026rsquo;s an oversimplification: the product can do so much more, such as SaaS security posture management (SSPM) and, most topical in light of recent events, OAuth app governance.\nThis blog is part of a series on common Microsoft 365 security mistakes. View the previous blogs here: remember to add any extra blogs\nConditional Access – Common Microsoft 365 Security Mistakes Series Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series Exchange Online Protection \u0026amp; Defender for Office 365 – Common Microsoft 365 Security Mistakes Series Microsoft Defender Vulnerability Management – Common Microsoft 365 Security Mistakes Series Entra ID Protection – Common Microsoft 365 Security Mistakes Series Only using MDE for continuous cloud discovery text\nNot connecting your SaaS/IaaS as connected apps text\nNot adjusting policies based on false positive noise text\nNot leveraging advanced hunting integration text\nPoorly defined session policies text\nConclusion text\n","permalink":"https://campbell.scot/microsoft-defender-for-cloud-apps-common-microsoft-security-mistakes-series/","summary":"\u003cp\u003eDefender for Cloud Apps (MDA) is such a hidden gem. When talking with Microsoft 365 E5 customers, it\u0026rsquo;s amazing how few of them really grab MDA and squeeze all they can out of it. 
It\u0026rsquo;s often classified as a cloud access security broker (CASB) but that\u0026rsquo;s an oversimplification: the product can do so much more, such as SaaS security posture management (SSPM) and, most topical in light of \u003ca href=\"https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/\"\u003erecent events\u003c/a\u003e, OAuth app governance.\u003c/p\u003e","title":"Microsoft Defender for Cloud Apps - Common Microsoft 365 Security Mistakes Series"},{"content":"Signals from across Microsoft\u0026rsquo;s services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign-in. Contrary to popular understanding, not all of Entra ID Protection\u0026rsquo;s detections are limited to the Entra ID P2 license: the nonpremium risks listed here don\u0026rsquo;t require P2.\nNote: Microsoft Entra ID Protection was previously known as Azure AD Identity Protection.\nI\u0026rsquo;ve conducted hundreds of Microsoft 365 and Entra ID tenant assessments over the years, and recommended ID Protection in just about all of them. Trends of common mistakes start to become apparent in configuration, response, and admins misunderstanding the capabilities themselves.\nThis is part of a series on common Microsoft 365 security mistakes. 
View the previous blogs here:\nConditional Access – Common Microsoft 365 Security Mistakes Series Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series Exchange Online Protection \u0026amp; Defender for Office 365 – Common Microsoft 365 Security Mistakes Series Microsoft Defender Vulnerability Management – Common Microsoft 365 Security Mistakes Series Requiring password reset on passwordless users A common Entra ID Protection policy is to require that high-risk users reset their password. This is coupled with password writeback for hybrid users, and a new preview allows on-prem password changes to reset the risk score too.\nAlthough the reasons for a specific risk level (low, medium, high) are a bit abstract, a higher level means an increasing probability that the account is compromised. The documentation (since removed) used to advise that a high user risk was associated with the Leaked credentials risk, so we can assume it\u0026rsquo;s still one of the reasons. Hence the idea of forcing a password change after satisfying MFA. Admins usually enforce this with a Conditional Access rule.\nIf you have passwordless users, this scenario could catch you out:\nUser is passwordless from day one, using a temporary access pass to register a FIDO2 security key User becomes high risk (in addition to Entra ID Protection doing it, Microsoft Defender XDR can flag users as high risk if they are marked as compromised) User authenticates with their FIDO2 security key User is required to reset their password When this high-risk user signs in, they won\u0026rsquo;t know their password (if you\u0026rsquo;ve been a good passwordless admin and not given them it), so will fail the reset and not be able to proceed.\nAs an alternative, you could create an Entra ID group of your passwordless users and exclude them from any reset password policies. 
You may want to have a block policy instead, which will be a little clearer to the end user when they hit the failed sign-in.\n\u0026lsquo;Confirm sign-in safe\u0026rsquo; doesn\u0026rsquo;t inform future detections Here\u0026rsquo;s a mistake I made until recently. Let\u0026rsquo;s run through the scenario.\nYou sign into an Azure VM with a static public IP Entra ID Protection flags it as medium risk (unfamiliar sign-in properties) A Conditional Access policy blocks the medium risk sign-in An admin marks the risky sign-in as confirmed safe sign-in in Entra ID Protection Can you now sign in under the same circumstances?\nIf you, intuitively, thought \u0026ldquo;yes\u0026rdquo;, the next screenshot might drag you back to reality.\nI expected the system to \u0026ldquo;learn\u0026rdquo; that marking a risky sign-in as confirmed safe would inform future risk assessments. If it was marked risky due to the sign-in properties, then an admin confirmed those properties as safe, why wouldn\u0026rsquo;t it inform future risk determinations?\nJef Kazimer (who you need to follow ASAP for fantastic community contributions!) kindly pointed out to me that the documentation confirms it:\nIf you have a scenario like the above, your only option is some kind of exclusion (or adding the IP as trusted in this example). Not ideal, but I\u0026rsquo;m hopeful the wording of \u0026ldquo;today\u0026rdquo; in the above means we can expect improvements in the future.\nPolicies don\u0026rsquo;t need to be one-size-fits-all This is a mistake I see throughout Microsoft 365 and Entra ID regarding security controls. You\u0026rsquo;ll see it coming up in many of the Common Microsoft 365 Security Mistakes Series blogs. If you can limit something to a group, you can refine it and have different rules for different scenarios. 
Sounds obvious, but it\u0026rsquo;s often overlooked in practice.\nRather than using the User risk policy or Sign-in risk policy pages in the Identity Protection page, if you use Conditional Access to manage authentication restrictions based on Entra ID Protection risk, you can have a harder policy for privileged users than standard users. Here are some illustrations.\nFor standard users, block access if the user is high risk. For executive team users, block access if the user is medium risk or greater. For users with privileged role access such as Global Administrator, block access if the user is low risk or greater. With each lower risk threshold, you increase the amount of overhead: the risk and response to authentications that you want to allow. But this is the trade-off you may want to make based on risk appetite and so on.\nIf you take anything away from this point, it\u0026rsquo;s not that I want you to go really aggressive and only tolerate low or lower risk authentication; it\u0026rsquo;s that I want you to not make excuses for not at least starting with Entra ID Protection. Using scopes, you can start small with quick wins and build up your use as your confidence grows.\nExcluding guests from user risk policies Earlier, I covered the mistake of taking a one-size-fits-all approach to Entra ID Protection; it is better to scope policies depending on user, risk appetite, and so on. A mistake you want to avoid on the opposite side of the coin is blanket exclusion of guests from Entra ID Protection.\nA common reason for excluding guests from Entra ID Protection policies is that you can\u0026rsquo;t control their account credentials, which are \u0026ldquo;homed\u0026rdquo; in the source tenant, and therefore you cannot enforce password resets or dismiss a user-level risk to allow authentication (sign-in risk, meanwhile, is based on the tenant they\u0026rsquo;re authenticating against, i.e. yours). 
If a policy tries to force a password reset, it\u0026rsquo;s just replaced by a block.\nThe logic goes: I don\u0026rsquo;t want my guests to get locked out and affect our productivity, therefore we can\u0026rsquo;t enforce user-based risk policies.\nI get it. But let\u0026rsquo;s remind ourselves that in most guest access scenarios, you have far less oversight and control over the security of that user, their device, and therefore the session. It\u0026rsquo;s possible, but rare, that customers check for the device compliance of a guest. Overwhelmingly, we just let them in with no attestation about device security. So, my logic goes: if anything, we should be more aggressive with Entra ID Protection policies for guests.\nThis won\u0026rsquo;t be one you can go gung-ho into, but something to consider.\nWatch out for audit retention gotchas The retention period of Entra ID logs varies by license level, but risky users never expire.\nThis means at the free level, you\u0026rsquo;ll only see seven days of risky sign-ins. Entra ID P1 bumps this up to 30 days, and Entra ID P2 goes to 90 days. Unfortunately, this does not back-date if you upgrade licenses. For example, if you have an incident then decide to buy P1/P2 to get more data, that won\u0026rsquo;t help.\nWhere this can also sting is if you\u0026rsquo;ve never investigated Entra ID Protection, then decide to pick it up. Entries in the Risky users page are not affected by the retention periods, but the data you need to investigate may be. For example, the Risk last updated field can be beyond your log retention and you may not be able to follow up with a comprehensive investigation into other Entra ID logs such as Risky sign-ins or Risk detections.\nTo avoid that problem, keep on top of risk investigations and/or export your data to another solution such as Log Analytics or Sentinel. Defender XDR\u0026rsquo;s maximum retention period of 180 days may help, but not with advanced hunting.\nBonus: watch your check boxes! 
This one\u0026rsquo;s pretty small, so consider it a bonus heads-up. When targeting risk using Conditional Access, the risk levels do not mean \u0026ldquo;greater than or equal to\u0026rdquo;. So, if you only tick Low as a condition, you are not targeting Medium or High.\nConclusion Entra ID Protection is a very useful tool in your defense strategy. There have been lots of incidents I\u0026rsquo;ve seen that could have been completely prevented were it configured appropriately, or at least monitored. I even struggled to keep this article down to five mistakes, as there are others that may bite you! In addition to avoiding the traps in this article, start giving Entra ID Protection a deep dive, so that you understand what it\u0026rsquo;s capable of and its nuances.\n","permalink":"https://campbell.scot/entra-id-protection-common-microsoft-365-security-mistakes-series/","summary":"\u003cp\u003eSignals from across Microsoft\u0026rsquo;s services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign-in. Contrary to popular understanding, not all of Entra ID Protection\u0026rsquo;s detections are limited to the Entra ID P2 license: the nonpremium risks listed \u003ca href=\"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#sign-in-risk-detections\"\u003ehere\u003c/a\u003e don\u0026rsquo;t require P2.\u003c/p\u003e","title":"Entra ID Protection - Common Microsoft 365 Security Mistakes Series"},{"content":"It\u0026rsquo;s a trope in IT circles: users forget their passwords. The greater your scale, the more time this can occupy with tickets, service desk calls, and so on. 
If you use Microsoft Entra ID (previously Azure Active Directory), self service password reset (SSPR) is a capability that can help reduce this overhead. SSPR offers a user-driven admin-less approach, where users verify they are authorised to reset forgotten passwords then can do so.\nAdministrators and security teams can understandably and rightfully be cautious enabling SSPR. It\u0026rsquo;s a very useful service, so this blog covers five common mistakes you\u0026rsquo;ll want to avoid, based on what I\u0026rsquo;ve seen during tenant assessments.\nThis blog is part of a series on common Microsoft 365 security mistakes. View the previous blogs here:\nConditional Access – Common Microsoft 365 Security Mistakes Series Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series Exchange Online Protection \u0026amp; Defender for Office 365 – Common Microsoft 365 Security Mistakes Series Microsoft Defender Vulnerability Management – Common Microsoft 365 Security Mistakes Series Mistake #1 text\nMistake #2 text\nMistake #3 text\nMistake #4 text\nMistake #5 text\nConclusion text\n","permalink":"https://campbell.scot/entra-self-service-password-reset-common-microsoft-security-mistakes-series/","summary":"\u003cp\u003eIt\u0026rsquo;s a trope in IT circles: users forget their passwords. The greater your scale, the more time this can occupy with tickets, service desk calls, and so on. If you use Microsoft Entra ID (previously Azure Active Directory), \u003cstrong\u003eself service password reset\u003c/strong\u003e (SSPR) is a capability that can help reduce this overhead. 
SSPR offers a user-driven admin-less approach, where users verify they are authorised to reset forgotten passwords and then can do so.\u003c/p\u003e","title":"Entra Self Service Password Reset - Common Microsoft 365 Security Mistakes Series"},{"content":"Microsoft Defender Vulnerability Management (MDVM) is an often overlooked service that can be licensed standalone or is included in other Microsoft Defender licenses. In my experience, I\u0026rsquo;ve never seen it licensed standalone, but customers with Defender for Endpoint (MDE) P2, Defender for Servers (MDS) P1, and Defender for Business (MDB) benefit from its core capabilities. In addition to the core capabilities, add-on capabilities are available in the standalone license, Defender for Servers P2, or as an upgrade to the P1 licenses.\nIf you successfully integrate MDVM with your operations, it can provide huge value in reducing your attack surface, staying on top of weaknesses, managing inventory, and preventing threats before they actualise. So, to help you achieve that, in this blog, I\u0026rsquo;ll cover five mistakes I see folks who are licensed for MDVM make.\nThis blog is part of a series on common Microsoft 365 security mistakes. View the previous blogs here:\nConditional Access – Common Microsoft 365 Security Mistakes Series Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series Exchange Online Protection \u0026amp; Defender for Office 365 – Common Microsoft 365 Security Mistakes Series Device values not leveraged Device values are important for well-managed MDVM operations, but also benefit and are core to MDE response. 
But that benefit only comes if you use them!\nDevice values can be low, normal, or high and are set using the Microsoft Defender XDR portal at security.microsoft.com/machines (one at a time or select multiple) or using the MDE API.\nYou may want to roughly translate low, normal, and high to the tiered access model or enterprise access model.\nFrom an MDVM perspective, some benefits of managing device values include:\nFiltering your advanced hunting queries so you can customise detection rules. This is the AssetValue in the DeviceInfo table Filtering the device assets list. I don\u0026rsquo;t see it as an option for asset rules management to create a dynamic tag based on value, but hopefully soon. Weighting the exposure score (software and firmware updates, upgrades, EOLs). If a normal device weighs 1, low devices weigh 0.75, so your score doesn\u0026rsquo;t increase as much. High value devices have a dynamic weight based on 10% of your total devices. As an example, a tenant with 1200 devices will have a high value weight of 120. That would increase to 130 if the number of devices grew to 1300. So you can see how significantly high value devices affect exposure score! Ultimately, more easily prioritising your remediation activities. Not assessing the real risk of a recommendation The following point is true for any kind of vulnerability scanning service.\nWhen you first start onboarding devices into MDVM, the Security recommendations page will light up like a Christmas tree. Security recommendations are plain-language advisories based on OS and software configuration changes; software/firmware updates, upgrades, or EOLs; or other endpoint weaknesses that may require investigation.\nFor most environments, this creates necessary work because those weaknesses should be addressed. 
In some cases, it may produce unnecessary or at least low-priority work.\nRecommendations are weighted with an impact score but lack the business context that you as the environment administrator will need to ascertain. I often see folks with too much of a \u0026ldquo;gotta catch \u0026rsquo;em all\u0026rdquo; approach who spend time on items that aren\u0026rsquo;t worth the squeeze. As an example, in the real world, Enable \u0026lsquo;Block third party cookies\u0026rsquo; may just be a waste of your time; so don\u0026rsquo;t get obsessive about ticking every box.\nAlso consider the real-world requirements for CVEs to be exploited. Generally, multiple failures must align for adversaries to be successful. This is particularly the case for out-of-date software MDVM warns you about. You should absolutely keep software as up to date as possible, but practically, you\u0026rsquo;ll need to prioritise packaging, testing, and deploying things unless using a service like the awesome Patch My PC.\nTake the example of this recommendation to update KeePass.\nWe\u0026rsquo;re busy, so want to know the real risk before we spend more time. Heading into the Associated CVEs tab, you can view the vulnerability description. In our KeePass example, CVE-2023-24055 actually requires the endpoint itself to be compromised with the adversary having access to the app\u0026rsquo;s configuration files, followed by the victim opening their database after the configuration file tampering (a cool POC can be found here).\nIn the real world, usually a serious chain of events must line up, often with mitigating factors preventing it (endpoint protection software, identity defences, etc). So ask yourself: how likely is this, and should I prioritise other concerns?\nFor the avoidance of mischaracterising this mistake: you absolutely should be updating apps as widely and quickly as possible. 
Having worked in and with all sorts of overwhelmed IT teams, I just want to encourage you to think, assess, prioritise based on real likelihood of damage, and take it easy on yourself if you can\u0026rsquo;t get everything done at lightning pace.\nNot reviewing the software evidence This follows on from the last mistake and recommendation as it will help you identify the reality of risks. The existence of an executable associated with a vulnerable app can be enough to trigger a vulnerable component warning, even if it\u0026rsquo;s not properly installed.\nHeading to the Evidence tab of software and vulnerable components against a device, you can see the paths (file, registry) that allowed the MDVM detection. For example, in the screenshot below you can see patcher.jar associated with Log4j listed as a vulnerable component.\nWhile the detection is accurate, investigation adds more context: it\u0026rsquo;s saved to a user\u0026rsquo;s OneDrive, in a folder with installation files, rather than actually being installed. If I\u0026rsquo;m prioritising vulnerability management, I would rather it wasn\u0026rsquo;t there, but I can probably find more important things to spend time on.\nMoral of this mistake: the software evidence tab is there to help you understand how MDVM picked up on something and potentially explain confusing situations or help you get to the bottom of real-risk assessment.\nNot leveraging Microsoft Defender for Servers P2 MDVM\u0026rsquo;s add-on license includes extra goodies that you don\u0026rsquo;t get as standard with MDE P2. 
I help a lot of customers review their environments and figure out what they\u0026rsquo;re paying for but not leveraging, and many don\u0026rsquo;t realise the add-on for MDVM is included in their Defender for Servers P2 license.\nThe add-on license provides a lot of useful capabilities, but two stick out for servers: baseline assessments and certificate inventories.\nThe security baseline assessments allow you to check an endpoint\u0026rsquo;s adherence to benchmarks such as CIS, Microsoft\u0026rsquo;s Security Baselines, or STIG. In environments that try to stick to these frameworks, it provides validation.\nCertificate inventories provide insight into all certificates on the endpoint. At a minimum, you can leverage it to keep on top of infrastructure management by seeing expired or soon-to-expire certificates. Better still, you can identify those which may have suspicious (due to rarity) private CAs, or other qualities such as short key lengths and weak algorithms.\nYou\u0026rsquo;re paying for the add-on as part of MDS P2, why not use it?\nFocusing only on exposure score recommendations and not Microsoft Secure Score There are too many scores in the Microsoft ecosystem. Defender for Cloud has a secure score in portal.azure.com. Entra ID has the Identity Secure Score in entra.microsoft.com. Over in security.microsoft.com, there\u0026rsquo;s the Secure Score, Secure Score for Devices, and the exposure score. I think there\u0026rsquo;s a Microsoft Adoption/Productivity Score too, but I just can\u0026rsquo;t take it anymore.\nThe mistake this point refers to is focusing only on endpoint vulnerabilities, as surfaced primarily in MDVM\u0026rsquo;s dashboard by the exposure score.\nI know it\u0026rsquo;s confusing having so many \u0026lsquo;scores\u0026rsquo; in one Defender portal, so let me make it clear: work with the Microsoft Secure Score, found at security.microsoft.com/securescore. 
The benefit to this is its centralisation: in addition to the endpoint weaknesses MDVM discovers, the Microsoft Secure Score incorporates other service recommendations. It pulls in SaaS security from Defender for Cloud Apps, identity security from Entra ID and Defender for Cloud Apps, and more.\nConclusion Deploying MDVM is the easy part. Other than the dedicated scanner, you\u0026rsquo;re good to go as long as MDE is properly deployed. The hard part is operations: taking that new tool and translating it into something you manage as part of business as usual. Hopefully, avoiding the mistakes in this article will help you.\n","permalink":"https://campbell.scot/microsoft-defender-vulnerability-management-common-microsoft-365-security-mistakes-series/","summary":"\u003cp\u003eMicrosoft Defender Vulnerability Management (MDVM) is an often overlooked service that can be licensed standalone or is included in other Microsoft Defender licenses. In my experience, I\u0026rsquo;ve never seen it licensed standalone, but customers with Defender for Endpoint (MDE) P2, Defender for Servers (MDS) P1, and Defender for Business (MDB) benefit from its \u003cem\u003ecore capabilities\u003c/em\u003e. In addition to the core capabilities, \u003cem\u003eadd-on capabilities\u003c/em\u003e are available in the standalone license, Defender for Servers P2, or as an upgrade to the P1 licenses.\u003c/p\u003e","title":"Microsoft Defender Vulnerability Management - Common Microsoft 365 Security Mistakes Series"},{"content":"Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) are the email and collaboration security services native to Microsoft 365. 
EOP is included at all levels of licensing for Exchange Online, with MDO bringing additional security capabilities to license levels such as Business Premium, Microsoft 365 E3, and Microsoft 365 E5.\nIn this blog, I\u0026rsquo;ll review five of the most common security mistakes I see in tenants regarding EOP and MDO. Realistically, this list could go to fifty mistakes, but I\u0026rsquo;ll focus on ones I think you can convert into quick wins, or that may just never have crossed your mind.\nIt\u0026rsquo;s not new and flashy, but email remains a battleground for defenders. For example, Abnormal reports that YoY, business email compromise (BEC) has increased 55%. Therefore, it\u0026rsquo;s important to minimize the number of mistakes in your environment, to keep that attack surface as low as possible, while hopefully making life easier for users.\nThis blog is part of a series on common Microsoft 365 security mistakes. View the previous blogs here:\n5 Common Conditional Access Mistakes 5 Common Privileged Identity Management (PIM) Mistakes Let\u0026rsquo;s crack on with reviewing common Microsoft 365 email security mistakes.\nExclusions are not fine-grained There are a ton of ways to create exclusions for inbound email filtering: mail flow rules, anti-spam policy, Tenant Allow/Block List (TABL), connection filter policy, and more. Most commonly, exclusions will grant either an email address or a domain a spam-filtering bypass.\nIn EOP, inbound email is given a spam confidence level (SCL) which is set as a header on the email. Values 5-9 mean spam with varying degrees of confidence, based on reasons such as DNS authentication failure, known spam patterns, etc. As an administrator, if you set up a skip spam policy, it sets the SCL to -1 (minus one) so that any spam rules are ignored.\nExclusions are a reality of security software. False positives are a thing (albeit often caused by sender misconfiguration, like bad SPF/DKIM settings). 
What you want to avoid are overly simplistic and broadly scoped exclusions.\nFor example, in the default anti-spam policy (Anti-spam inbound policy (Default)), I often find common domains listed: your company\u0026rsquo;s domain, partner companies\u0026rsquo; domains, and consumer domains such as outlook.com.\nIf the default policy is your only policy, or you are applying the same type of exclusion to another wide-reaching policy, you are risking an adversary completely bypassing controls that would otherwise protect your users. The attacker could provision email sending infrastructure, use the allow-listed domain, and send phishing emails or other threats. (Important note: you cannot bypass malware determinations, even by setting SCL -1).\nThe same is true of the Connection filter policy, which is one of the first inbound checks email receives and is based on IP allow/block lists. Just because you trust the IP now doesn\u0026rsquo;t mean you can always trust it. This is particularly the case for external parties. Just don\u0026rsquo;t do it: find the root cause and tackle that.\nLet\u0026rsquo;s assume a domain is always failing anti-spam checks. Here are some thoughts on the best way to create exclusions in a way that can reduce risk.\nUse specific and full email addresses instead of entire domains, if possible. Use mail flow rules that also confirm known markers. For example, set the SCL to -1 for a specific domain when SPF/DMARC/DKIM pass, and/or if from a known IP. The tenant allow/block list forces matching sending infrastructure for spoofed senders but not quite to the same level as mail flow rules. I use TABL reactively and mail flow rules proactively as a longer-term tool. Check across your infrastructure (all anti-malware/spam/phishing policies, TABL, mail flow rules, connection filter) for historic exclusions that may no longer be required. 
Unused domains are not protected by DNS authentication If you own domains but don\u0026rsquo;t send email from them, you should still use DNS authentication to let recipients know that no email received from those domains is authorized and should be treated as spam. I see lots of companies who own (park) domains and maybe even register them with Microsoft 365, but don\u0026rsquo;t then have any controls for them.\nFor SPF, you should be creating a record which trusts no servers:\nv=spf1 -all For DMARC, set the record to reject all (100%) of failures. This is the default, but I like it explicitly laid out for visibility:\nv=DMARC1; p=reject; pct=100; While the above relies entirely on the recipient infrastructure, it goes a long way. Allowing end-users to control anti-spam bypasses EOP has the concept of a safelist collection that is enabled out of the box. This allows users to control their own junk email settings, similar to other email vendors such as Mimecast with their managed senders feature. If you\u0026rsquo;ve ever right-clicked an email in Outlook and managed the Junk Email Options, you\u0026rsquo;ve been managing the safelist collection.\nIn the example above, you can see the safelist collection has allowed a user to give an anti-spam bypass to the entire gmail.com domain. While it can help users get the job done, the safelist collection by default allows users to bypass your administrator-defined rules, effectively getting the SCL -1 rule for email addresses they define rather than you, the security administrator.\nAs an admin, you can use Set-MailboxJunkEmailConfiguration to manage the safelist collection per mailbox, either by editing it or disabling it entirely ( -Enabled $false). You can\u0026rsquo;t disable it tenant-wide, so use a recurring PowerShell script to sweep up any new/edited mailboxes.\nSafe Attachments dynamic delivery can cause end user problems Defender for Office 365 Plan 1 unlocks the Safe Attachments capability. 
This uses a sandbox environment for email attachments to \u0026lsquo;detonate\u0026rsquo; them, and review the consequences of that detonation on the sandbox. If there is nothing suspicious, the attachment is delivered.\nThis adds a small overhead to inbound email delivery, growing as the size of the attachment grows.\nTo mitigate concerns administrators may have about slowing email delivery, Microsoft provides the Dynamic Delivery action. For Exchange Online mailboxes, this allows the email message to be delivered as normal, but the attachment only has a preview version, with the full version later \u0026lsquo;injected\u0026rsquo; into the email.\nI don\u0026rsquo;t recommend using Dynamic Delivery. Instead, stick with Block mode. One of the reasons I don\u0026rsquo;t recommend it is down to the end-user experience. Let\u0026rsquo;s take the example of an inbound Excel file that gets the preview version attached. The recipient very quickly forwards the email on to someone else. The recipient of the forwarded email will not get the full file, only the temporary placeholder. Cue support calls in 3\u0026hellip; 2\u0026hellip; 1\u0026hellip;.\nTreating email security as one size fits all The last common mistake we\u0026rsquo;ll cover is how uniform everything is in a lot of huge tenants I review. I will always advocate simplification of security architecture, but simplicity is good until it isn\u0026rsquo;t. EOP and MDO are highly flexible and you can target different levels of protection (and exclusions/bypasses) to different folks, based on the risk and business need. This is useful and important for any large environment.\nLet\u0026rsquo;s explain this with some examples:\nIf you have a partner company domain you really need to make sure always bypasses anti-spam, does it have to apply to the whole tenant? Use mail flow conditions to refine it only to recipients who depend on communication with that domain. 
If you don\u0026rsquo;t want to allow users the ability to manage their safelist collection, do you need to apply this to the whole organization? Depending on your scale and other factors, it may add just too much to your central IT burden. One option (the merits can be debated) is to allow users who do well in attack simulation training to manage their own, but not others. You may decide the preset standard protection policy is a good baseline for your tenant. But this doesn\u0026rsquo;t mean every user has to be treated equally. You\u0026rsquo;ll have users that are higher risk, such as executives, privileged users, or others with access to sensitive resources. Why not target strict protection policies at those users, while allowing less risky users a lower degree of protection? Conclusions The moral of this common mistakes article can be summarized as: target and refine your policies so that anything increasing the attack surface is minimized, and anything reducing the attack surface is maximized. Don\u0026rsquo;t accept the defaults (looking at you, safelist collections), and target the standard/strict protection policies to folks depending on their risk.\n","permalink":"https://campbell.scot/exchange-online-protection-defender-for-office-365-common-microsoft-365-security-mistakes-series/","summary":"\u003cp\u003eExchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) are the email and collaboration security services native to Microsoft 365. EOP is included at all levels of licensing for Exchange Online, with MDO bringing additional security capabilities to license levels such as Business Premium, Microsoft 365 E3, and Microsoft 365 E5.\u003c/p\u003e\n\u003cp\u003eIn this blog, I\u0026rsquo;ll review five of the most common security mistakes I see in tenants regarding EOP and MDO. 
Realistically, this list could go to fifty mistakes, but I\u0026rsquo;ll focus on ones I think you can quickly convert into quick wins or just may have never crossed your mind.\u003c/p\u003e","title":"Exchange Online Protection \u0026 Defender for Office 365 - Common Microsoft 365 Security Mistakes Series"},{"content":"Entra ID\u0026rsquo;s P2 license (previously Azure AD Premium P2) unlocks Privileged Identity Management (PIM). PIM is part of broader identity governance features, and is most known for enabling just-in-time admin rights. For example, you are eligible to become an administrator for a maximum of X hours, at which point the permissions expire and you need to reactivate.\nThis blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as PIM may appear, there are some gotchas you need to be aware of. It is a follow up from my previous Conditional Access – Common Microsoft 365 Security Mistakes Series article.\n\u0026lsquo;Require Azure MFA\u0026rsquo; probably isn\u0026rsquo;t giving you the security you think it is When configuring PIM for a role, in addition to specifying how long activation lasts, you can require Azure MFA.\nThe assumption that most folks have here - rightly so - is that the activating user will be prompted to respond to MFA on each activation, but this isn\u0026rsquo;t the case. When PIM requires Azure MFA, it will not prompt the user if this has previously been satisfied. This is consistent with most of Entra ID (including Conditional Access), but not widely understood by most customers.\nLet\u0026rsquo;s explain with an example.\n1. The eligible user signs in to the Entra admin center. A Conditional Access policy requires Azure MFA for this account, so the eligible user responds to the prompt on their phone at time of sign-in.\n2. The eligible user heads to My roles and clicks Activate for the role.\n3. 
The eligible user activates their role, but is not prompted for MFA, despite the setting On activation, require Azure MFA being enabled for the role.\nOther than (usually) not being the expected behavior (but by design), this can be a security risk if you don\u0026rsquo;t have some of the mitigations explained later in this article.\nWhat\u0026rsquo;s the security risk, specifically? Token theft, primarily. A type of attack that\u0026rsquo;s on the rise, based on data in the Microsoft Digital Defense Report (2023).\nMalware or adversary-in-the-middle (AiTM) attacks can compromise (steal) your tokens, including the fact MFA has been satisfied.\nTo simplify the explanation, think back to step 1 earlier. Entra ID provided the eligible user a token that includes a claim that MFA was satisfied. Think of it like a pass being issued with a check mark against the \u0026ldquo;provided MFA\u0026rdquo; field. If the token is stolen, so is the MFA check. For the duration of that token\u0026rsquo;s validity, the thief gets the MFA claim too.\nSo, should you not bother with requiring MFA on PIM activation? Absolutely not. If the session has expired, this will prompt for MFA. That\u0026rsquo;s important because the stolen token may not be used by the adversary immediately, and if used after its lifetime, will require MFA. This is a good case for using Conditional Access to enforce things like the following for your eligible users, particularly for privileged roles:\nSet the sign-in frequency (SIF) to as low a value as tolerable ( reference). Do not allow persistent sessions ( reference). Ideally, use an IP-based location requirement (block any other IPs) with strict location enforcement. Unlike geo-based requirements, IP requirements are supported by continuous access evaluation for near real-time revocation when it changes ( reference). The next logical question follows: can we force an MFA prompt despite an existing valid MFA claim? 
Just about, using authentication contexts, which is covered next.\nFurther reading: see these excellent blogs by Fabian Bader, Jan Bakker, and Jeffrey Appel for deep dives into token theft, specifically using AiTM tools.\nNot using authentication context In the last mistake, you learned that requiring Azure MFA on activation is an important control but with some shortcomings. Here\u0026rsquo;s a way we can improve on it.\nAuthentication context in Entra ID is a flexible capability for enforcing another Conditional Access policy. Normally, Conditional Access policies only apply at the time of authentication to a cloud app. Think of authentication context as a way to apply another Conditional Access requirement within the cloud app.\nThe authentication context itself is just a tiny object you create in Entra admin center | Conditional Access | Authentication contexts. It only has a name and description.\nYou then follow this up by creating a Conditional Access policy that\u0026rsquo;s required whenever the authentication context is invoked by the app (in our case, PIM).\nContinue to build the CA policy based on the security you want for the PIM activation. For example\u0026hellip;\nif you only want someone to become a Global Admin from a known corporate IP, you could set up a block rule that includes all locations except that IP. if you want to require a third-party MFA solution (e.g. Symantec VIP, Duo, etc), use authentication strength requirements if you want to enforce use of a privileged access workstation, use filter for devices In my example for this blog, I\u0026rsquo;m just going to require a FIDO2 security key, which isn\u0026rsquo;t an explicit option in out-the-box PIM settings (only Azure MFA is).\nBetter yet\u0026hellip; keep in mind what you\u0026rsquo;re protecting against (each org. will have different threat tolerances, etc). An IP based restriction is potentially the best for token theft mitigation. 
However, using a FIDO2 requirement, if the stolen token only satisfied Azure MFA, this would require \u0026ldquo;step-up\u0026rdquo;.\nBut\u0026hellip; using only a FIDO2 example, what if the attacker simply registers their security key against the compromised account? Each time you register a security key, you need to perform 2FA again, even if a CA policy previously required it*. Let\u0026rsquo;s assume that fails: there\u0026rsquo;s a good argument for requiring specific AAGUIDs either for registration or the authentication strength. Conditional Access could also enforce additional requirements for the Register security information action.\n*There is a 15 minute exception to this: registering a new sign-in method only force-prompts for MFA again after at least 15 minutes from original MFA claim. Gee, isn\u0026rsquo;t there a lot to think about in this Entra ID security puzzle 😵‍💫\nNow we\u0026rsquo;ve got a Conditional Access policy in place for when the authentication context is invoked, we can head back to Edit role settings in PIM.\nWhen setting up PIM roles, instead of On activation, require Azure MFA, you can choose On activation, require Microsoft Entra Conditional Access authentication context (try saying that quickly 5 times).\nNow, if an administrator (or compromised token) only previously satisfied Azure MFA, it will force them to also require a security key (or any of the other examples discussed earlier).\nIs there more we can still do? Nothing\u0026rsquo;s perfect, but let\u0026rsquo;s consider one more mitigation against undesirable or malicious PIM elevations, and a common mistake associated with it.\nNot appropriately requiring approval to activate When helping customers with PIM, I often see the Require approval to activate option\u0026hellip;\nOverused. Need to create a Microsoft 365 Group? Need approval. Need to view billing statements? Need approval. Need to release an email from quarantine? Need approval. Underused. 
Goes hand-in-hand with general overpermissioning of admins (Is that a word? I feel like that should be a word). Want to PIM-up and get God mode via Global Administrator? Go for it, level-one-service-desk-person-who-just-needed-user-admin. Misunderstood. Why is this capability preferable, in some regards, to both requiring Azure MFA or authentication context? Or at least complementary to those? Look, if you want the overhead and general annoyance of requiring an approval flow to do everything, go for it. But, there is approval fatigue in the same way there is MFA fatigue. Are you really checking that the person who just Teams\u0026rsquo;d you to ask for approval is a legitimate user? You ideally want a balance, which for me is based on how privileged the role is.\nThis takes me to the misunderstanding of the real benefit of requiring approval. It\u0026rsquo;s great for internal legitimate administrative control to either enforce or audit least privilege (and potentially block changes outside of windows, etc). What it\u0026rsquo;s really great for, however, is as a security boundary that protects against compromised accounts.\nThink about it. Previously, you learned that requiring MFA isn\u0026rsquo;t token theft proof. Depending on your authentication context and its strength, that might not help either. But requiring approval with a real and enforced approval process is token theft proof. Let\u0026rsquo;s run it through:\n1. An eligible admin account is compromised. Either only requiring single-factor authentication or with a stolen MFA claim.\n2. The compromised eligible admin has no standing permissions. Really all they can do is head to the PIM page and request permissions (they likely can perform read-only reconnaissance too, depending on other Entra ID config).\n3. The compromised eligible admin fails your validation process for requests, and you identify the breach. 
Not a great situation but could have been a lot worse.\nThis illustrates both the value of not inducing approval fatigue by requiring it constantly, and of requiring it for highly privileged roles. There\u0026rsquo;s one really important thing you need to avoid though, coming up next.\nNo mitigation against role lockouts If you\u0026rsquo;re in the Entra ID world and doing good stuff like Conditional Access, you\u0026rsquo;ll probably be aware of the emergency access or \u0026ldquo;break glass\u0026rdquo; account concept. There are several ways to address emergency access accounts, but the most common is:\nOne or more (ideally) accounts added to an \u0026lsquo;emergency access\u0026rsquo; group This group is excluded from all Conditional Access policies The users or group is assigned Global Admin rights (or other permissions that would help resolve the lockout). The point of this PIM mistake is you need to implement this to protect PIM roles too. If you\u0026rsquo;re already doing the above, you\u0026rsquo;re fine for this mistake. If you\u0026rsquo;re not, consider the following scenario:\n1. You require approval for all admin activation. The activation must be approved by other eligible admins; a common scenario I\u0026rsquo;ve seen based on two-keyed lock ideas.\n2. You are trying to follow recommended practice by having only a few global admins. Let\u0026rsquo;s say you\u0026rsquo;ve got three. One is active (not you) and the other two are eligible. This scenario would be worse with only two.\n3. Of your three global admins, one is on holiday (unreachable), and the other is sick (unreachable). In a worse (but true) example, two of the eligible admins immediately exit the business. All that\u0026rsquo;s left is you (eligible only).\n4. You try to PIM-up. Because you required approval from administrators who are no longer with the business, you can\u0026rsquo;t activate the role.\n5. 
Worse still, when you reach out to those unavailable admins, they can\u0026rsquo;t log in because they deleted MFA from their phone or CA otherwise prevents them.\nPoint is: always have a highly-monitored but available break-glass admin account with active, not eligible-with-approval, assignments, to avoid scenarios like this. You won\u0026rsquo;t find a perfect solution, but you can find ones that are less bad!\nThis oversight brings us to the last mistake (for this blog, anyway!) often seen.\nNot protecting non-Entra or non-Azure resources with PIM for Groups When setting up PIM, out of the box you can enable and configure it for Microsoft Entra roles (e.g. global admin, security admin, Exchange admin) or Azure resources (e.g. resource groups).\nThis leaves a gap for areas that don\u0026rsquo;t fall under their scope, most commonly other Microsoft 365 RBAC roles:\nMicrosoft Defender XDR RBAC roles (previously known as Microsoft 365 Defender), including Defender for Identity and Defender for Endpoint Exchange Online role based permissions, such as Recipient Management or View-Only Organization Management Microsoft Purview roles, such as eDiscovery Manager or the Azure Information Protection super user Non-Microsoft privileges, such as admin roles in things like ERP, CRM, HR, finance, or other business apps. For the above examples, it\u0026rsquo;s common to see the gap not addressed, with permanent standing access instead of PIM benefits like just-in-time, authentication context, or approval processes.\nWhat can address all of the above is PIM for Groups, previously known as privileged access groups (PAGs).\nWith PIM for Groups, you can layer PIM on top of anything that supports Microsoft 365 or security groups. For either ownership or membership of the group, you can make sure there\u0026rsquo;s no standing access. 
Instead, you activate PIM to get those, with all the same benefits like just-in-time.\nLet\u0026rsquo;s illustrate the use case with an example: your ERP system uses Entra SSO, and you want to manage the ERP system\u0026rsquo;s admins with PIM.\n1. You create a security group with no members, and assign this group the admin role in your app.\n2. You add eligible assignments to the group, which keeps the admins from having standing membership of the group, but they can jump in and out of membership by activating PIM.\n3. The eligible admin can head to My roles | Groups and click Activate to become a just-in-time member of the group, similar to other admin roles.\n4. Because the group has admin rights in your app, the user inherits those, but they\u0026rsquo;re governed in line with the group\u0026rsquo;s activation criteria.\nIn the screenshots above, you can see how the user activates to become an ERP system admin, despite PIM, Entra, or Azure having no concept of that system\u0026rsquo;s administrative function. All you need is group support.\nThe fact that PIM for Groups allows PIM management for anything that supports groups means you can get creative. In the last screenshot, you\u0026rsquo;ll see the example of temporary exclusions to Conditional Access policies.\nTo summarize this last mistake, PIM for Groups allows you to minimize access and gaps across your environment, not just what may appear obvious at first glance.\nConclusion Let\u0026rsquo;s make it clear: PIM is an essential tool in securing Entra, and even other services, as established with our last point. 
That said, there is no perfect tool and we need to consider additional security defenses in combination with out-the-box PIM, such as Conditional Access, authentication contexts, IP-based restrictions, real-human verification.\nIf you\u0026rsquo;ve just got your hands on Entra ID P2, PIM is likely one of the first new toys you\u0026rsquo;ll play with, but mistakes can be made, and hopefully this blog will help you avoid some of them.\n—————————————————–\nThis is the second in a series of blogs on Microsoft 365 security mistakes I commonly see in the field. In the first entry, we covered Conditional Access. Coming up will be similar posts for Microsoft Defender for Endpoint/Cloud Apps/Office 365/Identity, Exchange Online Protection, and more. If there’s a specific product or service you want me to cover, hit me up on LinkedIn or Twitter/X.\n","permalink":"https://campbell.scot/pim-common-microsoft-365-security-mistakes-series/","summary":"\u003cp\u003eEntra ID\u0026rsquo;s P2 license (previously Azure AD Premium P2) unlocks the Privileged Identity Management (PIM). PIM is part of broader \u003cem\u003eidentity governance\u003c/em\u003e features, and is most known for enabling just-in-time admin rights. For example, you are \u003cem\u003eeligible\u003c/em\u003e to become an administrator for a maximum of \u003cem\u003eX\u003c/em\u003e hours, at which point the permissions expire and you need to reactivate.\u003c/p\u003e\n\u003cp\u003eThis blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as PIM may appear, there are some gotchas you need to be aware of. 
It is a follow up from my previous \u003ca href=\"/conditional-access-common-microsoft-365-security-mistakes-series/\"\u003eConditional Access – Common Microsoft 365 Security Mistakes Series\u003c/a\u003e article.\u003c/p\u003e","title":"Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series"},{"content":"Conditional Access (CA) is front and center of any attempt to secure Microsoft 365. If you\u0026rsquo;ve spent any time securing your tenant and Entra resources, you\u0026rsquo;ll know what Conditional Access is by now, so we\u0026rsquo;ll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes I see when helping folks out with it.\nThese aren\u0026rsquo;t listed in any particular order, and the devil\u0026rsquo;s in the details, so make sure you read the full post instead of just skimming the bullet points! There are also way more than five mistakes you can make with Conditional Access, but let\u0026rsquo;s start with these.\nExclusions and access gaps aren\u0026rsquo;t minimized with additional policies A bit like the \u0026ldquo;death and taxes\u0026rdquo; joke, exclusions are inevitable at some point for any Conditional Access administrator. Putting aside the egregious exclusions to require MFA for users who kick and scream loudly about it, you\u0026rsquo;ll have legitimate scenarios that just don\u0026rsquo;t work with an exclusion. But consider this rule for CA policy design: all exclusions should have a supplementary policy to minimize that exclusion.\n\u0026ldquo;Huh?\u0026rdquo;\nLet\u0026rsquo;s explore this with an example.\nYou\u0026rsquo;ve got a CA policy which requires administrators can only authenticate on a compliant device. 
Great fundamental policy everyone should look at, because it provides some protection against Adversary in the Middle (AiTM) phishing attacks, and from administrators\u0026rsquo; privileged access on unmanaged devices.\nBut, what if your admins in scope of this policy need to authenticate on a device that cannot be compliant? There are a few scenarios where that might happen: Windows Server access is the easy example.\nSo you add an exclusion: John Doe\u0026rsquo;s admin account doesn\u0026rsquo;t need a compliant device, so that he can sign in to a Windows Server to activate app X.\nDepending on how the rest of your CA policies are enabled, this exposes you to some risks:\nWill I remember to remove the exclusion? Could the admin now log into their personal (unmanaged, unmonitored, potentially insecure) devices? It\u0026rsquo;s scenarios like this where we want a follow-up policy to minimize the risk.\nIn our example, what could a follow-up policy look like, and how could we design and manage it?\nFirstly, we know the admin won\u0026rsquo;t need the exclusion for long. Therefore, rather than exclude the admin directly, let\u0026rsquo;s exclude a Privileged Identity Management (PIM) protected group, previously known as a privileged access group (now called PIM for Groups). This allows us to (a) have an approval process and (b) have a time restriction for automatic removal of the exclusion.\nSo far so good. We\u0026rsquo;ve minimized the risk of forgetting to remove the exclusion. But what about the risk of logging into devices we don\u0026rsquo;t want them to?\nThis is where the follow-up policy comes into play. We target the policy at the excluded group, then make additional requirements. For example, now that you don\u0026rsquo;t need a compliant device, you do need to authenticate from the public IP of our data centre. You could even use something like Authentication Methods to require certificate based auth. 
Or both.\nPoint being, we keep narrowing and narrowing and narrowing the scope of allowable activity. First, the user could authenticate on any unmanaged device. Then, we limited it to two hours. Then, we limited it only to our known IPs. We could go further, all depending on what other CA policies permit or don\u0026rsquo;t.\nOther examples I often see and how you would potentially minimize them:\nWeb apps on unmanaged Windows and macOS will be allowed, routed through Defender for Cloud Apps\u0026rsquo; reverse proxy to block downloads. This is a great setup because you can stop data exfiltration while accommodating BYOD. But\u0026hellip; do you really need to allow all your users BYOD web app access? Do you need to allow them access to all cloud apps this way? Consider implementing multiple policies that combine to only allow the users who need BYOD access, and only to the apps they need, such as Office 365, but maybe not your admin portals. Consider further using access packages and entitlement management for time-bound and request-only BYOD access, for scenarios such as temporary access while the corporate device is fixed. Guest access is allowed in the tenant. Nothing wrong with this and each tenant is different, but consider targeting policies to your guests with explicit blocks on apps they\u0026rsquo;ll never need; or flipping it on its head and blocking all apps except their known-required apps. Even consider different rules for different personas of guest - does a guest who only accesses SharePoint sites really need theoretical permission to all cloud apps? Also consider that every time you use Include conditions, you\u0026rsquo;re de-facto excluding all other conditions. For example, if you set up MFA for all users but only include the Windows device platform, you are excluding MFA for all users on all other platforms. 
It\u0026rsquo;s for this reason it\u0026rsquo;s critical that as soon as you refine the scope of a policy, either by include or exclusion, there are additional policies targeting those gaps.\nLocation based policies don\u0026rsquo;t consider VPNs Some folks scoff at the idea of using country-based named locations in Conditional Access policies. I get why, because it\u0026rsquo;s not rocket science to bypass it. But I still encourage their use. They tackle the low hanging fruit, force adversaries to (albeit slightly) increase the cost of attack, and protect you from those no-brainer scenarios. Really, after they\u0026rsquo;re breached, do you want to be the person answering the CEO\u0026rsquo;s question of \u0026ldquo;\u0026hellip; and why didn\u0026rsquo;t we block access from countries where we don\u0026rsquo;t have staff?\u0026rdquo;. If you\u0026rsquo;re going down this route, you\u0026rsquo;ll usually create a named location of where you do business and block all authentication except from that location. If you don\u0026rsquo;t do remote work and/or have a public IP/range, even better.\nBack to country-based authentication. Two obvious bypasses are spinning up a VM/VPS in the allowed region, or using an anonymous IP address from a consumer VPN (ExpressVPN, if you\u0026rsquo;re reading, hit me up for that sponsorship deal).\nWhile Entra ID Protection (previously Azure AD Identity Protection) has anonymous IP address detection calculated in real-time, these only feed into the risk score and we cannot specifically select them: there\u0026rsquo;s no CA option for blocking anonymous IP addresses, it\u0026rsquo;s just abstracted into the risk score which makes it a bit black-box and unpredictable. Entra ID Protection also wouldn\u0026rsquo;t have a specific detection for using a VPS.\nThere\u0026rsquo;s one option that can help. 
It\u0026rsquo;s not perfect, but let\u0026rsquo;s check it out: Microsoft Defender for Cloud Apps (MDA) access policies.\nMDA integrates with Conditional Access via a capability called Conditional Access App Control. Essentially, we use the Session settings in Conditional Access to hand over the session to MDA, which has its own policy engine, driven by access policies, and powered by a reverse proxy.\nIn the two policy examples below, we can explicitly block any IPs that MDA recognizes as anonymous, cloud providers, brute force, or otherwise unwanted.\nNow when the user authenticates from (in the example below) an Azure virtual machine or anonymous VPN, they\u0026rsquo;re blocked (presuming MDA recognizes the IP as such, which it\u0026rsquo;s pretty good at).\nNo or poor break glass/emergency access account setup Emergency access accounts are fundamental to Conditional Access, but it\u0026rsquo;s surprising how many tenants don\u0026rsquo;t set them up.\nLook at it like this: in 30 seconds or less, Conditional Access gives you the power to lock every single user out of your tenant, including you and all other admins. The reality is, configuring Conditional Access is a high-risk activity that should only be done by folks adequately trained in it\u0026hellip; who aren\u0026rsquo;t in a rush and making mistakes.\nThinking about emergency access, you have a few design choices:\nOne or more accounts excluded from all CA policies, usually via an Entra group. The accounts are Global Admins (so they can reverse any lock-outs) and given super duper passwords, and you may even want to split those passwords out physically so that one half of a password is kept by user A/site A; and the other half by user B/site B. The logic here is if we\u0026rsquo;re not requiring strong authentication, we want physical hurdles in the way. This is the most common way of managing emergency access. 
You can supplement it by having a script that confirms the emergency access accounts are always excluded from your CA policies, in case you forget or they\u0026rsquo;re removed. If you still (understandably) want emergency access accounts to require strong authentication, you could exclude them from all CA policies except one policy specifically for them that requires FIDO2. Why FIDO2? Why not Azure MFA? There are service dependencies in Azure authentication and, depending on the type of risk you want to protect against, if the Azure MFA service goes down, you won\u0026rsquo;t get SMS or Authenticator app MFA, but FIDO2 should still work, based on the linked Microsoft documentation. Just make sure those FIDO2 keys are available and tested. Instead of using standard accounts, use service principals and API access. The service principal has API permission to reverse any lock-outs, either specifically to edit CA policies, or other permissions such as managing group access to then exclude from Conditional Access. The advantage here is you can do it passwordless and minimize standing global admins. The negative is in the heat of the moment, depending on skills and general fumbling around, this may not be the fastest way. I don\u0026rsquo;t believe any of these are the right way and others are the wrong way. They cater to different risk models and acceptance levels. But please, whatever you do, have an emergency access plan, test it, and set up auditing for when it\u0026rsquo;s used.\nUnprotected Conditional Access groups For #4 on this list I was torn between a few things, but this is one I\u0026rsquo;ve been exploring the most lately.\nConditional Access is going to be responsible for a lot of your security controls. By scoping its policies to different groups, you control things such as who needs MFA, what the strength of that MFA should be, the devices a user can authenticate from, the allowed locations\u0026hellip; you get the picture. 
Important stuff.\nNow consider who can manage these policies. Folks with the Security Administrator and Conditional Access Administrator roles are obvious. But really, we\u0026rsquo;re talking about Groups Administrator too, right? This role can lead to a lot of problems because it\u0026rsquo;s not considered a privileged role, but in your tenant it might be the keys to managing privileged access, security exceptions, or other significant attack paths.\nGroups Administrator isn\u0026rsquo;t privileged for good reason: there\u0026rsquo;s another role called Privileged Role Administrator which is meant to be the keys to managing privileged access, such as adding users to a group with Global Admin rights. So why am I calling out Groups Administrator? Because, by default, your Entra groups aren\u0026rsquo;t privileged. You need to make them role assignable at the time of creation.\nWhen a group is role assignable, you can give it Entra admin roles, but you don\u0026rsquo;t need to. Just being role assignable means I need privileged access beyond Groups Administrator to manage it: Global Admin or Privileged Role Administrator. So, if you\u0026rsquo;re managing access to sensitive resources with Conditional Access, you might want to consider this option. It does have drawbacks: it\u0026rsquo;s got to be static, so it doesn\u0026rsquo;t scale well, but that\u0026rsquo;s by design.\nYou can also consider an additional guardrail: the new restricted management administrative units feature can be applied to groups, blocking potentially even privileged administrators from tampering with the groups. However, it\u0026rsquo;s not resistant to a global admin deleting the admin unit, so think of this as more of a tool to protect you from accidents.\nNo architectural framework leads to gaps and complex management You\u0026rsquo;ve just got Entra, and you know you need to start enforcing MFA, blocking unauthorized devices, and a bunch of other stuff. 
You head into the Conditional Access policies page, and start creating policies or using Microsoft\u0026rsquo;s own policy templates. Before long, your list of policies starts to look like this.\nAt first, this is fine. But scale it out over a few thousand users, a few hundred apps, and several years. Invariably, this leads to inconsistent policy application, gaps, and a really, really difficult to manage Conditional Access system. In short, the lack of up-front architecture and design is usually the root cause of all the previous common mistakes.\nPoint being: you need a design. I\u0026rsquo;m a huge fan - borderline Oblivion adoring fan style - of Claus Jespersen\u0026rsquo;s Conditional Access for Zero Trust framework. With a focus on understanding personas and their access to resources, coupled with a smart naming convention and granular options, it makes Conditional Access simpler to manage, troubleshoot, and scale over the long term.\n---\nThis is the first in a series of blogs on Microsoft 365 security mistakes I commonly see in the field. Coming up will be similar posts for Microsoft Defender for Endpoint/Cloud Apps/Office 365/Identity, Exchange Online Protection, Privileged Identity Management, and more. If there\u0026rsquo;s a specific product or service you want me to cover, hit me up on LinkedIn or Twitter/X.\n","permalink":"https://campbell.scot/conditional-access-common-microsoft-365-security-mistakes-series/","summary":"\u003cp\u003eConditional Access (CA) is front and center of any attempt to secure Microsoft 365. 
If you\u0026rsquo;ve spent any time securing your tenant and Entra resources, you\u0026rsquo;ll know what Conditional Access is by now, so we\u0026rsquo;ll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes I see when helping folks out with it.\u003c/p\u003e\n\u003cp\u003eThese aren\u0026rsquo;t listed in any particular order, and the devil\u0026rsquo;s in the details, so make sure you read the full post instead of just skimming the bullet points! There are also \u003cem\u003eway\u003c/em\u003e more than five mistakes you can make with Conditional Access, but let\u0026rsquo;s start with these.\u003c/p\u003e","title":"Conditional Access - Common Microsoft 365 Security Mistakes Series"},{"content":"In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.\nIn this blog, we\u0026rsquo;ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.\nHistoric management architecture needed simplifying MDE (and its Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit weird in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.\nThis caused confusion in a few ways:\nSettings that achieved the same thing had different names in different management engines. For example, Configuration Manager and Intune refer to the exact same configurations differently. This made knowing exactly what to choose difficult. How did you know which management tool to use? Suppose you have all three options. 
Which is better? Over time, settings were added to one management tool but not others. Intune, as you might expect, was the general direction of travel. The narrative of extended detection and response (XDR) was centralized incident response\u0026hellip; but we\u0026rsquo;re juggling all these different systems! As a half-way step to centralizing management and not having all these different ways, Microsoft introduced Security Management for MDE. This capability, also known as MDE Attach, allowed you to manage non-Intune devices in the Endpoint Security blade of the Intune admin centre. For example, you could manage server settings. To begin with, there was the requirement for these devices to be either hybrid Azure AD joined or Azure AD joined, which was needed to build the trust relationship with the service but not ideal.\nBut now, we can see the real direction of travel: no need for Intune, no need for GPOs, and no need for Azure AD joins.\nCentralized management, all in Microsoft 365 Defender portal Intuitively, you can now manage antivirus settings in security.microsoft.com. This is the Microsoft 365 Defender portal, also sometimes called the Security Centre.\nHeading to Endpoints | Configuration management | Endpoint security policies, you\u0026rsquo;ll now find your existing Intune policies, and the ability to create new ones natively in the Microsoft 365 Defender portal.\nAt time of writing, during preview, you can only create Antivirus policies (no ASR, for example) in the portal, but it\u0026rsquo;s clear where things are heading. Expect the remaining policy types to become available over time. You can click Create new policy to start a new policy (which are still applied to AAD groups; not device groups like a lot of Defender portal settings) or you can even edit an Intune-created policy in the portal, as depicted in the next screenshot.\nIn the first screenshot, you\u0026rsquo;ll note there are different Policy types and Policy categories. 
As explained, we can only create Antivirus profiles for now, but you can click into non-Antivirus policies and view their settings and deployment status. So far I\u0026rsquo;ve found it a bit buggy. For example, I can see all the settings in an ASR policy, but only Controlled Folder Access in the per-setting client status.\nBitLocker also doesn\u0026rsquo;t show all settings and how they\u0026rsquo;ve applied (successfully or not), but you can see the image below for an example of how useful this will be after preview: a security engineer can very quickly see settings and their status without fumbling through Intune and figuring out which policy to check (and note they can quickly pivot to Intune if needed using View in Intune).\nIt\u0026rsquo;s all very exciting for us Defender geeks who\u0026rsquo;ve been desperate for a long time for a single pane of management.\nWhat\u0026rsquo;s next, and important considerations The introduction of this centralized management location in the Microsoft 365 Defender portal coincides with the announcement that Security Management for MDE/MDE Attach (the precursor to this, as explained earlier in the article) no longer requires hybrid Azure AD join or Azure AD join. All of this is great news: HAADJ and AADJ, if not already in place, introduced yet another thing to consider in MDE deployments - so the simplification is good.\nImportantly, if you previously used Security Management for MDE with Intune, you may have targeted policy to dynamic Azure AD groups - these will need to be changed if you used the attribute managementType to build groups for either MDEManaged or MDEJoined.\nIn line with this announcement, these tags are being replaced by just MicrosoftSense. 
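As an added example (not code from the original post), this Microsoft Graph PowerShell script finds the dynamic groups whose membership rule still matches on the retired MDEManaged or MDEJoined tags and rewrites them to MicrosoftSense, previewing the change before anything is written. The attribute names follow the Security Management for MDE docs (managementType carries the tag, deviceOSType is the per-OS filter); the sample target rule in the comments, including the WindowsServer value, is an assumption to verify against the current docs rather than something the post states.

```powershell
# Added example, not code from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Groups) and an account that can update groups. The OS filter in the
# comment below is an assumption to verify against the current Security Management docs.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Old tags being retired and their replacement. Both old tags collapse to the same value,
# so a rule that used both ends up with a redundant (but still valid) duplicate clause.
$oldTags = @("MDEManaged", "MDEJoined")
$newTag  = "MicrosoftSense"

# Example of a target rule once you also want to scope by OS (assumed attribute and value):
#   (device.managementType -eq "MicrosoftSense") and (device.deviceOSType -eq "WindowsServer")

function Update-MdeDynamicGroupRules {
    param([switch]$Apply)   # without -Apply this is a dry run

    $dynamicGroups = Get-MgGroup -All -Property Id, DisplayName, GroupTypes, MembershipRule |
        Where-Object { $_.GroupTypes -contains "DynamicMembership" -and $_.MembershipRule }

    foreach ($g in $dynamicGroups) {
        $rule = $g.MembershipRule
        foreach ($tag in $oldTags) {
            # Replace the quoted literal only, so a tag name that happens to appear inside
            # some other string in the rule is left alone
            $rule = $rule.Replace('"' + $tag + '"', '"' + $newTag + '"')
        }
        if ($rule -eq $g.MembershipRule) { continue }   # nothing to change

        Write-Host "$($g.DisplayName)`n  old: $($g.MembershipRule)`n  new: $rule"
        if ($Apply) {
            # Keep rule processing on so membership is re-evaluated against the new rule
            Update-MgGroup -GroupId $g.Id -MembershipRule $rule -MembershipRuleProcessingState "On"
        }
    }
}

Update-MdeDynamicGroupRules            # preview the groups that would change
# Update-MdeDynamicGroupRules -Apply   # write the new rules
```

Run the preview first and check the new rule for each group; a group that mixed the old tags with other conditions may be better rebuilt by hand with an OS filter than patched in place.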
Looking back up at the screenshots, you\u0026rsquo;ll see mdm and microsoftSense as the values in the Target column: mdm being driven by the MDM service on the device; microsoftSense being driven by the MDE service itself, independently of MDM (though the provisioning of a new microsoftSense policy is also applicable to MDM).\nTherefore, update your dynamic Azure AD groups to use the new microsoftSense and the deviceOSType values that match your requirements (eg WindowsServer).\nIf you want to dig deeper into Microsoft 365 Defender configuration\u0026hellip; \u0026hellip; do I have the book for you! Mastering Microsoft 365 Defender is my new book, written along with Viktor Hedberg. We go wide across all of Microsoft 365 Defender, including MDE, but also Defender for\u0026hellip; Office 365, Identity, Cloud Apps, and Microsoft Defender Vulnerability Management. You\u0026rsquo;ll find a ton of guidance on which settings to use and why, as well as general design choices and using M365D to respond to threats. You can preorder/buy it here: packt.link/Ru.\nFollow the blog, campbell.scot, as well as following me on Twitter ( @rucam365) and LinkedIn ( linkedin.com/in/rlcam) to keep up to date with more changes to Microsoft 365 Defender. 
As the product never stays still, I\u0026rsquo;ll try to keep you updated on any changes that affect what\u0026rsquo;s in the book!\n","permalink":"https://campbell.scot/microsoft-improves-and-simplifies-defender-for-endpoint-management-capabilities/","summary":"\u003cp\u003eIn one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.\u003c/p\u003e\n\u003cp\u003eIn this blog, we\u0026rsquo;ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.\u003c/p\u003e\n\u003ch2 id=\"historic-management-architecture-needed-simplifying\"\u003eHistoric management architecture needed simplifying\u003c/h2\u003e\n\u003cp\u003eMDE (and its Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit \u003cem\u003eweird\u003c/em\u003e in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.\u003c/p\u003e","title":"Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities"},{"content":"Conditional Access is the most important security feature you will configure in Azure AD. You need to get this right, or most other things don\u0026rsquo;t even matter.\nCompared to on-premises AD, which requires line of sight to a domain infrastructure often limited to physical or VPN access, Azure AD is wide open by default. 
Users can authenticate from anywhere, on any device.\n","permalink":"https://campbell.scot/stop-making-these-conditional-access-mistakes/","summary":"\u003cp\u003eConditional Access is the most important security feature you will configure in Azure AD. You need to get this right, or most other things don\u0026rsquo;t even matter.\u003c/p\u003e\n\u003cp\u003eCompared to on-premises AD, which requires line of sight to a domain infrastructure often limited to physical or VPN access, Azure AD is wide open by default. Users can authenticate from anywhere, on any device.\u003c/p\u003e","title":"Stop Making These Conditional Access Mistakes"},{"content":"Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with Microsoft 365 Defender (the broader XDR platform) and is available for almost any OS you\u0026rsquo;ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It\u0026rsquo;s not always intuitive, and you may be in for some surprises. 
I try to keep this Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you\u0026rsquo;re getting and what you need to go start implementing if you haven\u0026rsquo;t already.\nFebruary 2023\u0026rsquo;s release, version 5, follows up on my August 2022 release of the comparison.\nWhat\u0026rsquo;s new?\nClarified a few points about Device Control (see below disclaimers for more info) Clarified network protection on mobile support Added macOS and Linux support for file indicators Added Windows Server 2012 R2 and 2016 support for troubleshooting mode (thanks Stefan Schörling MVP) Added Windows Server 2016 support for downloading quarantined files (thanks Stefan Schörling MVP) Added firmware assessments in Microsoft Defender Vulnerability Management (add-on license needed) Added security baseline assessments in Microsoft Defender Vulnerability Management (add-on license needed) Added software usage insights in Microsoft Defender Vulnerability Management Added software product vulnerabilities for iOS in Microsoft Defender Vulnerability Management Removed references for Microsoft Endpoint Manager, which has been renamed Intune Updated supported capabilities of Security Management for MDE to include ASR rules Updated wording of Microsoft Defender for Servers to clarify Linux onboards in passive mode by default Obligatory disclaimers:\nThis is provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS, or that Microsoft just hasn\u0026rsquo;t been clear about which version is needed. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. 
In some cases, the learn.microsoft.com pages just say Windows 10 with no specific information about versions. You may also find some features are in preview mode. If in doubt, ask me or look up the docs. For the most part, I have gone by what the docs say. If there are conflicting docs, I go with the most conservative option (looking at you, Device Control, which has conflicting info about Windows Server support). Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs (this was before the unified solution became available). The point is: the docs don\u0026rsquo;t always reflect what really works. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help you. In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (the new MDVM capabilities are a good example of this). If you notice any errors or have suggestions for improvement, let me know! You can download it below.\nExcel PDF Image Or check it out in this (probably compressed and squashed) image below.\n","permalink":"https://campbell.scot/mde-comparison-feb-2023/","summary":"\u003cp\u003eMicrosoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities.  It integrates with Microsoft 365 Defender (the broader XDR platform) and is available for almost any OS you\u0026rsquo;ll find in an enterprise.  This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS.  It\u0026rsquo;s not always intuitive, and you may be in for some surprises.  
I try to keep this \u003cstrong\u003eUltimate Comparison of Defender for Endpoint Features by OS\u003c/strong\u003e up to date to keep you aware of what you\u0026rsquo;re getting and what you need to go start implementing if you haven\u0026rsquo;t already.\u003c/p\u003e","title":"[Feb 2023] Ultimate Comparison of Defender for Endpoint Features by OS"},{"content":"This is the updated \u0026ldquo;matrix\u0026rdquo; of OS supported for the almost 80 features, services, and important components that make up Microsoft Defender for Endpoint. This follows up on my March 2022 release of the comparison.\nWhat\u0026rsquo;s new?\nNow available in Excel format, which was the biggest request :) Added the new Microsoft Defender Vulnerability Management capabilities (add-on license required) Added macOS tamper protection support Added macOS network and web protection Added iOS and Android\u0026rsquo;s mobile network protection Added Linux cloud-delivered protection support Added Windows troubleshooting mode Added macOS, iOS, and Android support for network indicators of compromise Updated host firewall reporting supported OSs Updated attack surface reduction (ASR) rule supported Windows and Windows Server versions Updated block at first sight (BAFS) supported OSs (thanks Polle Vanhoof + Thomas Verheyden) Updated Windows Server support for indicators of compromise (thanks Polle Vanhoof + Thomas Verheyden) Removed preview references for the unified agent for Windows Server 2012 R2 and 2016 Obligatory disclaimers:\nThis is provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. 
If in doubt, ask me or look up the docs. For the most part, I have gone by what the docs say. Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs (this was before the unified solution became available). The point is: the docs don\u0026rsquo;t always reflect what really works. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help you. In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (the new MDVM capabilities are a good example of this). If you notice any errors or have suggestions for improvement, let me know! You can download it below.\nExcel PDF Image Or check it out in this (probably compressed and squashed) image below.\n","permalink":"https://campbell.scot/mde-comparison-august-2022/","summary":"\u003cp\u003eThis is the updated \u0026ldquo;matrix\u0026rdquo; of OS supported for the almost 80 features, services, and important components that make up Microsoft Defender for Endpoint. 
This follows up on my March 2022 release of the comparison.\u003c/p\u003e\n\u003cp\u003eWhat\u0026rsquo;s new?\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eNow available in Excel format, which was the biggest request :)\u003c/li\u003e\n\u003cli\u003eAdded the new Microsoft Defender Vulnerability Management capabilities (add-on license required)\u003c/li\u003e\n\u003cli\u003eAdded macOS tamper protection support\u003c/li\u003e\n\u003cli\u003eAdded macOS network and web protection\u003c/li\u003e\n\u003cli\u003eAdded iOS and Android\u0026rsquo;s mobile network protection\u003c/li\u003e\n\u003cli\u003eAdded Linux cloud-delivered protection support\u003c/li\u003e\n\u003cli\u003eAdded Windows troubleshooting mode\u003c/li\u003e\n\u003cli\u003eAdded macOS, iOS, and Android support for network indicators of compromise\u003c/li\u003e\n\u003cli\u003eUpdated host firewall reporting supported OSs\u003c/li\u003e\n\u003cli\u003eUpdated attack surface reduction (ASR) rule supported Windows and Windows Server versions\u003c/li\u003e\n\u003cli\u003eUpdated block at first sight (BAFS) supported OSs (thanks Polle Vanhoof + Thomas Verheyden)\u003c/li\u003e\n\u003cli\u003eUpdated Windows Server support for indicators of compromise (thanks Polle Vanhoof + Thomas Verheyden)\u003c/li\u003e\n\u003cli\u003eRemoved preview references for the unified agent for Windows Server 2012 R2 and 2016\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eObligatory disclaimers:\u003c/p\u003e","title":"Ultimate Comparison of Defender for Endpoint Features by OS [Updated August 2022]"},{"content":"It\u0026rsquo;s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS. This is a \u0026ldquo;matrix\u0026rdquo; of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.\nThree months later, it\u0026rsquo;s overdue an update. 
So here it is :) I\u0026rsquo;ve also decided to rename it to The Ultimate Comparison of MDE Features by OS\u0026hellip; because renaming\u0026rsquo;s what we do, right?\nChanges include but aren\u0026rsquo;t limited to\u0026hellip;\nAdded passive mode for Windows Server 2012 R2/2016 (unified agent), macOS, and Linux. Removed qualifiers for Windows Server 2012 R2/2016 features that need the unified agent. You should be deploying this anyway. If in doubt, if it\u0026rsquo;s a Windows 10 or Server 2019 feature, it needs the unified agent. Similarly, removed a number of mentions that things are in preview. Renamed Azure Defender to Microsoft Defender for Cloud + Microsoft Defender for servers Defender for Cloud replaces Azure Defender Defender for servers is a feature of Defender for Cloud that includes Defender for Endpoint for servers plus loads more like JIT access to VMs Chef for Linux added Cloud delivered protection for macOS. Who knew!? Security Management added. This lets you manage config in Endpoint Manager, just like Intune, but without needing to Intune enrol. It\u0026rsquo;s the future! Debian, iOS, and Android TVM support added. macOS and Linux live response capabilities added, including isolation, investigation packages, and scan initiation Tamper protection for iOS and Android was added. Not really the same as TP for Windows, but it\u0026rsquo;s the name that\u0026rsquo;s been chosen. This informs device compliance if the app hasn\u0026rsquo;t protected the device in a week. Removed Windows Server SAC from the comparison because\u0026hellip; did anyone really care? Trying to simplify things. Clarified device discovery can be standard (active) or basic (passive) and added Windows Server 2019+ Added host firewall reporting I have had requests to include the distinctions between license SKUs: Defender for Business, Plan 1, and Plan 2. I thought about this and did draft a version with it but, frankly, I want to stay away from licensing. 
That\u0026rsquo;s not the intent of this project. Might have another similar comparison in the future but it\u0026rsquo;s not as simple as features by OS as some features don\u0026rsquo;t care about OS e.g. P2\u0026rsquo;s threat analytics.\nStill on the to-do list is improved management of this on GitHub with markup format and Excel + CSV. I\u0026rsquo;ve been occupied with the upcoming book every spare minute that isn\u0026rsquo;t family life. I\u0026rsquo;ll get to it. If anyone can talk me through making a markup table in GitHub, hit me up to speed things up!\nAnd the obligatory disclaimers\u0026hellip;\nThis is provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. Similarly, Linux is complicated. If in doubt, ask me or look up the docs. For the most part, I have gone by what the docs say. Why point this out? For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs (this was before the unified solution became available). The point is: the docs don\u0026rsquo;t always reflect what really works. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help you. In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (for example, response actions on Server SAC versions, by looking at the LTSC version supported). If you notice any errors or have suggestions for improvement, let me know! 
You can download it below.\nPDF Image Or check it out in this (probably compressed and squashed) image below.\nLet me know any feedback you have!\n","permalink":"https://campbell.scot/march-22-defender-for-endpoint-feature-comparison/","summary":"\u003cp\u003eIt\u0026rsquo;s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS.  This is a \u0026ldquo;matrix\u0026rdquo; of the \u003cem\u003etons\u003c/em\u003e of features, services, and important components that make up Microsoft Defender for Endpoint.\u003c/p\u003e\n\u003cp\u003eThree months later, it\u0026rsquo;s overdue an update.  So here it is :)  I\u0026rsquo;ve also decided to rename it to The Ultimate Comparison of MDE Features by OS\u0026hellip; because renaming\u0026rsquo;s what we do, right?\u003c/p\u003e","title":"Updated March 2022: Ultimate Comparison of Defender for Endpoint Features by Operating System"},{"content":"I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM. This group appeared on most IT pros\u0026rsquo; radars because of the SolarWinds software supply chain attack. You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds\u0026rsquo; Orion IT software was \u0026ldquo;trojanised\u0026rdquo; via an attack on their software supply chain. 
Orion is (probably now \u0026ldquo;was\u0026rdquo;) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.\nNote NOBELIUM is Microsoft\u0026rsquo;s assigned name for this advanced persistent threat, but other vendors will use different names.\nAs I scrolled down the report, in the back of my head I\u0026rsquo;m thinking things like \u0026quot; XYZ in Defender could have stopped that\u0026quot;, or \u0026ldquo;wouldn\u0026rsquo;t have happened if they\u0026rsquo;d ABC\u0026rsquo;d in Azure AD\u0026rdquo;. In this article, I\u0026rsquo;ll reference Mandiant\u0026rsquo;s above article, then explain how implementing security capabilities found across the Microsoft 365 E5 license may help mitigate similar threats. In many cases, you don\u0026rsquo;t even need E5. Check out m365maps.com to see exactly where it falls in the licensing picture and if it\u0026rsquo;s available to you in something like Microsoft 365 E3 or Business Premium.\nThis is not a third-party vs. Microsoft security blog. There are pros and cons to all solutions. This is an attempt to help folks paying for Microsoft 365 E5 get their money\u0026rsquo;s worth by squeezing as much of its offerings out as possible. Details are light on some parts of the report, so those will be reviewed at a high level only. Additionally, there may be simplifications for the sake of brevity. I am available on Twitter @rucam365 for any clarifications you want.\nCompromised CSPs and privileged access \u0026ldquo;multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers\u0026rdquo; \u0026ldquo;The account held a specific Azure AD role that allowed it to use the Admin on Behalf Of (AOBO) feature. 
With AOBO, users with a specific role in the CSP tenant have Azure Role Based Access Control (RBAC) Owner access to Azure subscriptions in their customer’s tenants\u0026rdquo; \u0026quot;\u0026hellip; evidence that the actor compromised multiple accounts and used one for the sole purpose of reconnaissance, while the others were reserved for lateral movement within the organization\u0026hellip;\u0026quot;\nDefence against compromised CSPs and privileged access with Microsoft 365\nCSPs, cloud solution providers, in the context of Microsoft 365, are typically license resellers and if set up as delegated administrators, can have global administrative rights to customers\u0026rsquo; tenants. As pointed out in the article, and as I reference in the quotes above, they can be extremely powerful with Azure owner access to subscriptions. If an Azure VM owner is compromised, and that VM happens to run Active Directory Domain Services, you are trivial steps away from being pwned. Obviously, you can have other service providers beyond the scope of Microsoft or Microsoft 365, managing other services.\nLess of a capability, more of a change in practice. Don\u0026rsquo;t give your Microsoft CSP delegated admin privileges to the tenant unless you need to. Unfortunately, this includes (for now) Lighthouse. While you can allow them to use their primary email address as an Azure AD guest account with Azure AD B2B, I prefer a full member (not a guest) as you have additional controls such as controlling password policies. Note that \u0026lsquo;granular delegated admin privileges (GDAP)\u0026rsquo; are on the roadmap so guidance should change when that becomes available. Enforce enhanced requirements on inbound authentication to your tenant using Azure AD Conditional Access with Azure Multi-factor Authentication (MFA) and Identity Protection, to specifically block high-risk users and high-risk sign-ins. 
If your CSP is given access to the tenant (as a full Azure AD member), limit the scope of their rights using RBAC, which is applicable across Azure AD and Azure resources. Use Privileged Identity Management (PIM) to enforce conditions and time fences on how long a user can have privileged access. For example, limit their ownership of a resource group in Azure to only X hours, and to get it, enforce MFA and/or approval from another user ( guidance here). Continually review the access rights for these individuals using Azure AD Identity Governance\u0026rsquo;s access reviews. Don\u0026rsquo;t give out permissions easily, and monitor and track those that are issued. One approach I use is entitlement management, in which users apply to join a group, and that group gets privileged access. This too can be time-fenced (automatically revoked after a certain period) and subject to access reviews. Microsoft Defender for Cloud Apps (MDCA), previously called Microsoft Cloud App Security (MCAS), can audit administrative operations across Microsoft 365, Azure, and even third parties like AWS. You can use this capability to create alerts if any such activities happen by users outside a specified list or group. Compromised VPNs \u0026ldquo;the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment\u0026rdquo;\nDefence against compromised VPNs with Microsoft 365\nThis one is light on specifics, but for your client endpoints, you should be moving away from VPNs entirely by considering the following points.\nReplace on-premises Active Directory domain join or Hybrid Azure AD join with pure Azure AD join. In The Case For Azure AD Join, I lay out why so many of the reasons you thought you couldn\u0026rsquo;t do Azure AD join are not necessarily true. Replace on-premises file servers with SharePoint Online and OneDrive for Business. 
I know, I know\u0026hellip; ScarePoint, etc, etc. I get that SPO is not exactly a replacement for file servers, but many (most?) environments can and should make the move. Why? Get rid of that dependency on VPN for network drives, speed up file access for users, and get modern improvements such as auto-save and co-authoring. Replace Group Policy and ConfigMgr with Intune MDM. Again, reduce that dependency on VPNs (or Cloud Management Gateways, etc) and get a bunch of other benefits. Not suitable in all cases, but the vast majority. Also not a quick journey: the best practice would be to start from scratch as much as possible. Access on-premises applications securely over the internet without a VPN by using Azure AD Application Proxy. Your apps will benefit from Single Sign On with Azure AD accounts, and be protected from the wider internet by pre-authentication using Azure AD. This means you get the benefits of Azure AD such as Conditional Access, DDOS protection, etc, all before any packets touch your app (and even then, only via a connector intermediary replacing your DMZ). For your server infrastructure, VPN isn\u0026rsquo;t so easy to kill. I\u0026rsquo;m focusing on Microsoft 365 E5 in this article, but of course, Microsoft and the industry, in general, are heading towards PaaS/SaaS which means less infrastructure for you to manage in general. Don\u0026rsquo;t misquote me: I\u0026rsquo;m not saying cloud = security and on-prem/VPN = insecurity. I\u0026rsquo;m saying, personally, I\u0026rsquo;d rather keep my need for managing VPNs to a minimum\u0026hellip; or get one that supports Azure AD auth.\nMalware and low reputation websites \u0026quot;\u0026hellip; some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated. 
Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or “cracked”, software.\u0026quot;\nDefence against malware and low reputation websites with Microsoft 365\nMalware protection and web controls are seen as basic stuff, but what can Microsoft 365 E5 offer us?\nWeb content filtering, part of network protection, can be used to protect against these types of websites with the likes of legal liability and uncategorized categories. While I can\u0026rsquo;t guarantee it would have picked it up, it is likely Cryptbot would get identified by a number of Microsoft Defender Antivirus and Microsoft Defender for Endpoint capabilities, never mind the standard antivirus signatures/heuristics. These include potentially unwanted app (PUA) protection, block at first sight (BAFS), or an Attack Surface Reduction (ASR) rule like block executable files from running unless they meet a prevalence, age, or trusted list criterion. The gold standard of OS security should be application allow-listing. If it\u0026rsquo;s not allowed explicitly, it doesn\u0026rsquo;t run. Windows can be secured for this using AppLocker (no longer actively developed) or Windows Defender Application Control. Anonymous IP access \u0026ldquo;These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment.\u0026rdquo; \u0026ldquo;Mandiant witnessed the actor use a mixture of TOR, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments.\u0026rdquo; \u0026ldquo;Mandiant was then able to identify numerous TOR exit nodes that the threat actor used based on new authentication events.\u0026rdquo;\nDefence against anonymous IP access with Microsoft 365\nIn the enterprise context, it\u0026rsquo;s usually safe to block access from things like Tor and known VPN providers. 
I understand that a lot of modern security talk wants to move away from caring about locations, IP-based controls, etc, but in my opinion, it should still be used as part of defence-in-depth, especially if you can reasonably say your user base will only be connecting from a known list of regions.\nConditional Access can be used to block access from IPs located outwith specified countries. Create a policy that blocks all locations except those in your named list of allowed ones. You can also choose how to determine the location: by IP (v4 only) or GPS (requires the Microsoft Authenticator app but doesn\u0026rsquo;t work with passwordless if you\u0026rsquo;re using that). Azure AD Identity Protection has a real-time detection capability for anonymous IP addresses, which Microsoft explicitly describe as \u0026quot;for example, Tor browser or anonymous VPN\u0026quot;. Identity Protection policies can be configured standalone or (recommended) included as Conditional Access conditions. There are offline sign-in risk Identity Protection detections (as opposed to real-time) for malicious IP addresses and activity from anonymous IP addresses. Although these cannot prevent a login, they will raise logs for you to audit, with about a 48-hour delay. Microsoft Defender for Cloud Apps has anomaly detection capabilities that can be used to warn you about suspicious behaviour across integrated apps. You can also use proactive governance to revoke access from services like Tor. MFA Push Notifications \u0026quot;\u0026hellip; the threat actor had a valid username and password combination. Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. 
The threat actor took advantage of this and issued multiple MFA requests to the end user’s legitimate device until the user accepted the authentication\u0026hellip;\u0026quot;\nDefence against falsely approved MFA with Microsoft 365\nI\u0026rsquo;m in the camp of \u0026ldquo;push notifications are better than no MFA at all\u0026rdquo;. But at the same time, if you\u0026rsquo;re doing something, do it right. Hammering someone with MFA requests until they submit - yikes.\nIn the MFA service settings, you can disable phone call, SMS, and/or app push notification MFA. There are improvements to MFA push notifications on the way. You will be shown the location and app, for example. Additionally - most importantly - you won\u0026rsquo;t just get an approve/disapprove. You will have to perform number matching to the code shown on the screen which should mitigate against accidental approvals, approvals-by-spam-request, or automated apps for approval (they exist and they\u0026rsquo;re insane). Conditional Access can require device compliance for access, which means that in addition to compromising the credentials (and the MFA), an attacker would also have to compromise the device. Where this gets more powerful is you can base the device compliance on attributes like the device health in Defender for Endpoint and it\u0026rsquo;s unlikely a remotely compromised device will have a \u0026lsquo;clear\u0026rsquo; state (but not impossible). Even more, you can use custom compliance to confirm that your own device requirements are met: certain services are running, system hardening policies in place, etc. Lastly on this point, you can use Conditional Access device filters to limit access to privileged services to privileged access workstations, etc. MFA only kicks in if the username and password are correct. Azure AD Identity Protection can mark users as high risk if their credentials have been leaked on paste bins, dark websites, etc. 
Note this only applies to newly discovered leaks and not retrospectively when enabled (really wish it did). It also needs Password Hash Sync for hybrid users. After your user has been marked as high-risk, you can use Conditional Access to force a password reset after they\u0026rsquo;ve MFA\u0026rsquo;d to prove it\u0026rsquo;s really them. This can write back to on-premises Active Directory if it\u0026rsquo;s a hybrid user. Alternatively, use Conditional Access to block high-risk users then, as an administrator, have your own process to investigate + remediate. LSASS and ntds.dit dumps \u0026ldquo;On one device, the threat actors made use of the Windows Task Manager to dump the process memory belonging to LSASS\u0026hellip;. There was also evidence that the threat actor used Sysinternals ProcDump to dump the process memory of the LSASS process.\u0026rdquo; \u0026ldquo;Mandiant identified multiple attempts by the threat actor to dump the Active Directory database (ntds.dit) using the built-in ntdsutil.exe command.\u0026rdquo;\nDefence against LSASS and ntds.dit dumps with Microsoft 365\nLet\u0026rsquo;s have a look at how Microsoft 365 Defender services can be used in this scenario.\nMicrosoft Defender for Identity (MDI) can alert administrators about exfiltration scenarios involving ntds.dit, with the likes of the data exfiltration over SMB alert. You could also use Advanced Hunting custom detections to be informed about process events that involve it, ntdsutil, or other processes like AzCopy, etc. Windows Defender Credential Guard is a capability that uses virtualization-based security (VBS) to isolate and harden secrets against compromise. Attack Surface Reduction rules (ASR rules) can run on Windows Server 2012 R2 and newer. The rule block credential stealing from the Windows local security authority subsystem will help block LSASS dumps in scenarios where Credential Guard cannot be used. If a process tries to use OpenProcess() for LSASS with the access right PROCESS_VM_READ, it is blocked. 
Azure AD Connect compromise \u0026ldquo;The threat actor also obtained the Azure AD Connect configuration, the associated AD service account, and the key material used to encrypt the service account credentials.\u0026rdquo;\nDefence against Azure AD Connect compromise with Microsoft 365\nDon\u0026rsquo;t have the full details here but let\u0026rsquo;s review Azure AD Connect and securing it in general. Why is AADC important? It\u0026rsquo;s what syncs on-prem AD to Azure AD, so is significant for lateral movement. Lateral movement aside, the connector account also gets a bunch of permissions to the directory and control over users, groups, and passwords.\nGive the AADC server the same respect with regard to security as a domain controller: treat it as a tier 0 asset, with controls around only privileged access workstations getting access, what other apps can run (allow listing), outbound network access, etc. You no longer need the Global Admin role to manage Azure AD Connect: use least privilege and stick with Hybrid Identity Administrator. Keep Azure and Azure AD privileged access accounts (admins) as cloud-only accounts and do not synchronise your on-premises administrators (e.g. Domain Admin) to Azure AD. Active Directory Federation Services (AD FS) attacks \u0026quot;\u0026hellip; the threat actor obtained the Active Directory Federation Services (ADFS) signing certificate and key material. This allowed the threat actor to forge a SAML token which could be used to bypass 2FA and conditional access policies to access Microsoft 365.\u0026quot; \u0026ldquo;Mandiant discovered that the threat actor had stolen the AD FS token signing certificate and the DKM key material. 
This would allow the threat actor to perform Golden SAML attacks and authenticate as any user into federated environments that used AD FS for authentication, such as Microsoft 365.\u0026rdquo;\nDefence against AD FS SAML token forging with Microsoft 365\nGenerally, when I see AD FS, I run in terror. Here goes\u0026hellip;\nReplace AD FS with Azure AD. I know, I know, easier said than done, especially at scale. But as an IdP, Azure AD has a ton of benefits like Conditional Access (referenced heavily in this article), no/less infrastructure to manage, etc. Microsoft Defender for Identity (MDI) now supports AD FS. You will be alerted for attacks such as remote code execution attempts, and suspected brute-force LDAP attacks. Azure AD Identity Protection can identify and assign sign-in risk (for auditing/action) if the SAML token issuer for a token is potentially compromised due to anomalies or similarities with attack patterns. Lateral movement and privilege escalation \u0026ldquo;The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell\u0026hellip; mainly to perform reconnaissance\u0026hellip; distribute BEACON around the network\u0026hellip;\u0026rdquo; \u0026ldquo;In some cases, the actors passed in a specific Kerberos ticket during the WMIC execution using the /authority:Kerberos flag to authenticate as computer accounts.\u0026rdquo; \u0026ldquo;the threat actor used Azure’s built-in Run Command feature to execute commands on numerous downstream devices. 
The threat actor used native Windows tools to perform initial reconnaissance, credential theft and deploy Cobalt Strike BEACON to devices via PowerShell.\u0026rdquo; \u0026ldquo;The actor then used this BEACON implant to persistently install CEELOADER as a Scheduled Task that ran on login as SYSTEM on specific systems.\u0026rdquo;\nDefence against lateral movement and privilege escalation with Microsoft 365\nAgain, we return to Microsoft 365 Defender to review some threat protection capabilities for this.\nMicrosoft Defender for Identity (MDI) can be deployed to domain controllers to alert administrators in Microsoft 365 Defender if it identifies several activities of this type, including pass-the-ticket, reconnaissance, and credential theft. Attack Surface Reduction rules (ASR rules) can be deployed to block process creations originating from PSExec and WMI commands. This is unavailable for obvious reasons if you use ConfigMgr, and it is best to start using it in audit mode in case anything else in your environment is dependent on PSExec/WMI. Microsoft Defender for Endpoint can detect Cobalt Strike\u0026hellip; even if it\u0026rsquo;s not there ;) (I say \u0026ldquo;can detect\u0026rdquo;\u0026hellip; nothing is 100% guaranteed in this cat/mouse game). Microsoft Defender for Endpoint will also automatically investigate anomalous new scheduled task creation. Unauthorised data access and exfiltration \u0026ldquo;The threat actors performed data theft through several PowerShell commands, uploading several sequential archive files ending with the .7z extension. The threat actor uploaded these files to a webserver they presumably controlled.\u0026rdquo; \u0026ldquo;Mandiant identified binaries that were configured to upload data to the Mega cloud storage provider. The threat actor deployed the tool in the %TEMP%\\d folder as mt.exe and mtt.exe. 
\u0026ldquo; \u0026ldquo;Mandiant also observed the threat actor access a victim’s on-premises SharePoint server looking for sensitive technical documentation and credentials. The threat actor then used the gathered credentials to move laterally around the network.\u0026rdquo; \u0026ldquo;From this documentation, the actor was able to identify a route to gain access to their ultimate target’s network.\u0026rdquo;\nDefence against unauthorised data access and exfiltration with Microsoft 365\nThere are a few ways to approach this. We need to consider that the upload operations to attacker-controlled servers and Mega.com were probably on servers, which have different Microsoft 365 capabilities than Windows 10 clients. We also need to consider everything I\u0026rsquo;m about to list as part of defence-in-depth and no silver bullet.\nSensitive information can be encrypted by Azure Information Protection using sensitivity labels in SharePoint Online (SPO). If you are using on-prem SharePoint Server, start the migration to SPO. The encryption essentially enforces an access control list and access can be audited. The encryption can be handled manually by users (you can force it) or you can automatically encrypt (label) using a number of methods, which include automatically detecting network/IT information such as IP addresses or Azure access keys. That said, don\u0026rsquo;t store your credentials in documentation anyway. On endpoint clients, Endpoint DLP or Windows Information Protection can be used to limit data uploads to allow listed apps and websites only. Microsoft Defender for Endpoint identifies data transfers to the Mega.com Desktop App (which I assume is the tool referenced above) as a potential attack technique (MITRE T1005) in Microsoft 365 Defender. Also you should use application allow listing. 
Microsoft Defender for Cloud Apps can both block access to Mega.com or other file sharing websites as an unsanctioned app and alert administrators about the level of data transfer to it, achieved via integration with Microsoft Defender for Endpoint and its network protection capabilities. You can use Advanced Hunting in Microsoft Defender for Endpoint to monitor activities related to archive file formats and PowerShell commands that can transfer data (the linked query references downloads, but can be altered for upload commands too). Unauthorised Exchange mailbox access \u0026ldquo;Mandiant witnessed the threat actor use impersonation to access multiple mailboxes belonging to users within the victim organization.\u0026rdquo; \u0026ldquo;The threat actor also created a new account within the Microsoft 365 environment which Mandiant deems was for backup access in the event of detection.\u0026rdquo;\nDefence against unauthorised Exchange mailbox access\nIf delegating access to mailbox permissions, you should have an established process for this and monitor any delegations that deviate from the process.\nMicrosoft Defender for Cloud Apps can be used to investigate and automatically respond if mailbox delegation is performed. Tweak the activity property filters so that the policy matches delegations that deviate from your standard process. The unified audit log can inform administrators if mailbox delegation is performed. There are lots of other activities you can manage in this log too, such as other permissions granted. You can finally review mailbox items an account has accessed with MailItemsAccessed, but beware this is a bit of a strange action to configure (it\u0026rsquo;s part of Advanced Audit). Concluding thoughts There are no silver bullets against sophisticated, dedicated attackers. Similarly, there are no perfect security solutions or software services. 
However, in this article, I\u0026rsquo;ve tried to explain that if you are a Microsoft 365 customer already, you probably have a lot of tools in your arsenal to mitigate a lot of potential threats or at least generate enough noise that you can start investigating.\n","permalink":"https://campbell.scot/exploring-microsoft-365s-nobelium-defence-capabilities/","summary":"\u003cp\u003eI recently read through an \u003ca href=\"https://www.mandiant.com/resources/russian-targeting-gov-business\"\u003eexcellent article by Mandiant\u003c/a\u003e, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM.  This group appeared on most IT pro\u0026rsquo;s radar because of their SolarWinds\u0026rsquo; software supply chain.  You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds\u0026rsquo; Orion IT software was \u0026ldquo;trojanised\u0026rdquo; via an attack on their software supply chain.  Orion is (probably now \u0026ldquo;was\u0026rdquo;) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.\u003c/p\u003e","title":"Exploring Microsoft 365's NOBELIUM Defence Capabilities"},{"content":"In July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS). This was a \u0026ldquo;matrix\u0026rdquo; of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.\nThree months later, it\u0026rsquo;s overdue an update. So here it is :)\nThe headline news is that, in preview anyway, there\u0026rsquo;s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (\u0026ldquo;unified solution\u0026rdquo;) that replaces the need for the Microsoft Monitoring Agent and System Centre Endpoint Protection. 
You now get almost feature parity with Windows Server 2019\u0026rsquo;s security features: ASR rules, next-generation protection, block at first sight, etc. For a guide on how to get up and running with it, check out my writeup on Petri.\nOther changes this time include some Windows 10 required feature version clarifications, updated Linux TVM capabilities, Windows 11 + Server 2022, and collecting files quarantined by Defender Antivirus.\nOne thing not yet included is info about Plan 1. ICYMI, Defender for Endpoint is now available in two license plans: 1 and 2. The short version is that plan 1 excludes EDR, AIR, TVM, and other advanced features outside of MDAV\u0026rsquo;s features. What you do get is centralised reporting for MDAV on license SKUs that never used to include it, such as Microsoft 365 E3. It didn\u0026rsquo;t make this release of the comparison as it\u0026rsquo;s still in preview and it\u0026rsquo;s not been easy to find out for sure what\u0026rsquo;s available at as low a level as I\u0026rsquo;d like. It might make v3 of the comparison, or I may leave licensing to the experts.\nNext on the to-do list is improved management of this on GitHub, probably in markup format, and also Excel + CSV availability.\nLastly, Ignite is just around the corner so expect more updates then if there are announcements.\nAnd the obligatory disclaimers\u0026hellip;\nThis is provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. For the most part, I have gone by what the docs say. Why point this out? 
For example, my friend Rudy Ooms has previously pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs (this was before the unified solution became available). The point is: the docs don\u0026rsquo;t always reflect what really works. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help. In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (for example, Server SAC versions response actions, by looking at the LTSC version supported). If you notice any errors or have suggestions for improvement, let me know! You can download it below.\nPDF Image Or check it out in this (probably compressed and squashed) image below.\nLet me know any feedback you have!\n","permalink":"https://campbell.scot/october-2021-comparison-of-defender-for-endpoint-features/","summary":"\u003cp\u003eIn July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS).  This was a \u0026ldquo;matrix\u0026rdquo; of the \u003cem\u003etons\u003c/em\u003e of features, services, and important components that make up Microsoft Defender for Endpoint.\u003c/p\u003e\n\u003cp\u003eThree months later, it\u0026rsquo;s overdue an update.  So here it is :)\u003c/p\u003e\n\u003cp\u003eThe headline news is that, in preview anyway, there\u0026rsquo;s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (\u0026ldquo;unified solution\u0026rdquo;) that replaces the need for the Microsoft Monitoring Agent and System Centre Endpoint Protection.  You now get almost feature parity with Windows Server 2019\u0026rsquo;s security features: ASR rules, next-generation protection, block at first sight, etc.  
For a guide on how to get up and running with it, \u003ca href=\"https://petri.com/how-to-install-defender-for-endpoint-server-2012-r2-2016\"\u003echeck out my writeup on Petri\u003c/a\u003e.\u003c/p\u003e","title":"Updated October 2021: Availability of Defender for Endpoint Features by Operating System"},{"content":"New protection capabilities for Microsoft Defender for Endpoint (MDE) customers have landed in public preview, Oct 7 \u0026lsquo;21, for Windows Server 2012 R2 and Windows Server 2016. With the public preview released today, Windows Server 2012 R2 and 2016 gain \u0026rsquo; functional equivalence\u0026rsquo; to 2019, thanks to the use of a new agent that is being described as the \u0026lsquo;unified solution\u0026rsquo;.\nHistorically, a significant gap Previously, as I\u0026rsquo;ve detailed here and here, there was a large feature gap between Windows Server 2019 and these \u0026ldquo;down-level\u0026rdquo; OSs. The onboarding process was also different. To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA). This was required as the EDR sensor wasn\u0026rsquo;t built-in, unlike with Server 2019. While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection.\nEven after onboarding and having either MDAV or SCEP, you still didn\u0026rsquo;t get the full capabilities of MDE that you did with Server 2019. Key among the features missing were attack surface reduction (ASR) rules and automated investigation and response (AIR). On the portal, you also couldn\u0026rsquo;t perform actions such as live response or file responses. 
As of today, in public preview, you can.\nImprovements now in public preview With the improved feature parity, Microsoft remove a blocker for many organisations adopting MDE on servers, close the gap with competitors with enhanced protection, and make IT/security pros lives a little easier with consistent onboarding and tools. This does, however, for now, still leave Windows Server 2008 R2 in the same old place.\nThe features previously unavailable that you can now leverage include ASR rules, network protection, Controlled Folder Access (CFA), AIR, tamper protection, and device actions in the Microsoft 365 Defender portal, such as device isolation, but not app execution restriction. Note that not all ASR rules are available: block JavaScript and VBScript from launching downloadable executable content didn\u0026rsquo;t make it to Server 2012 R2, and neither server gets the rules to block Win32 API calls from Office macros or block persistence through WMI event subscription. This is more down to intrinsic differences in the operating system, though.\nHow to deploy the new unified solution Both the most thorough and simple way to deploy the new agent I\u0026rsquo;ve found, for most environments, is through the upgrade helper script that Microsoft has published to GitHub. This automates a few steps that otherwise would be done separately.\nFirst, in the Microsoft 365 Defender portal, you\u0026rsquo;ll find an onboarding option for Windows Server 2012 R2 and 2016 (Preview). From here, choose to download the Group Policy installation and onboarding packages. Store the script, MSI, and onboarding package in a place accessible by the server(s) you\u0026rsquo;ll be upgrading or deploying to. I have found that network paths are not supported so you may want to consider ways to execute with local paths. Now, you\u0026rsquo;ll run the script with some parameters. 
How you run it depends on your own environment: for example, you may scale it using a centralised management tool or manually on a server. The RemoveMMA parameter is required if upgrading from the MMA agent (i.e. not a new install), where you\u0026rsquo;d replace ABCDE with the workspace ID (you can find this in Control Panel \u0026gt; Microsoft Monitoring Agent \u0026gt; Azure Log Analytics). This command assumes the MSI and onboarding script are in the same directory as the PowerShell script. .\\Install.ps1 -RemoveMMA ABCDE -OnboardingScript \u0026#34;.\\WindowsDefenderATPOnboardingScript.CMD\u0026#34; As the script runs, it gets rid of that workspace it no longer needs, checks for SCEP and uninstalls if present, applies some prerequisite patches (which may not be needed on fully updated servers), installs the agent, then connects it to the MDE instance identified in the onboarding package.\nImportant points to note Without getting into the minutia and intricacies of deployments, if you\u0026rsquo;re now in a position to deploy or upgrade MDE on servers using the public preview agent, check out these key points of interest.\nBoth 2012 R2 and 2016\nYou no longer onboard with MMA. Instead, you install an MSI agent that provides those missing capabilities. Network requirements are the same as Windows Server 2019, rather than what they previously may have been for MMA. This is most significant if your servers connect via a proxy. Network protection, a feature now available, must be enabled manually using Set-MpPreference; it is not on by default. You should make sure all Windows updates are applied. For example, KB5005292 is needed to get the updated MsSense.exe sensor. Should you do an in-place upgrade of the OS (e.g. from 2012 R2 to 2016, or 2016 to 2019) you will need to first offboard then onboard again. 2016\nDefender Antivirus, which is built-in, must be up to date before you deploy. 2012 R2\nYou no longer need SCEP. 
The agent includes Microsoft Defender Antivirus. If you have SCEP installed, installing the new agent will automatically replace it if you use the script described in this article. After installation, unlike with SCEP, there is no UI on the server. As already mentioned, it\u0026rsquo;s best practice to get the server fully updated before deploying, but in particular for 2012 R2, if you don\u0026rsquo;t, network events may not populate in the device\u0026rsquo;s timeline in Microsoft 365 Defender. ","permalink":"https://campbell.scot/tons-of-microsoft-defender-for-endpoint-improvements-for-server-r/","summary":"\u003cp\u003eNew protection capabilities for Microsoft Defender for Endpoint (MDE) customers have landed in public preview, Oct 7 \u0026lsquo;21, for Windows Server 2012 R2 and Windows Server 2016.  With the public preview released today, Windows Server 2012 R2 and 2016 gain \u0026rsquo; \u003ca href=\"https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292\"\u003efunctional equivalence\u003c/a\u003e\u0026rsquo; to 2019, thanks to the use of a new agent that is being described as the \u0026lsquo;unified solution\u0026rsquo;.\u003c/p\u003e\n\u003ch2 id=\"historically-a-significant-gap\"\u003eHistorically, a significant gap\u003c/h2\u003e\n\u003cp\u003ePreviously, as I\u0026rsquo;ve detailed \u003ca href=\"https://petri.com/understanding-microsoft-defender-for-endpoint-and-how-it-protects-your-data\"\u003ehere\u003c/a\u003e and \u003ca href=\"/the-big-comparison-of-defender-for-endpoint-features-by-operating-system/\"\u003ehere\u003c/a\u003e, there was a large feature gap between Windows Server 2019 and these \u0026ldquo;down-level\u0026rdquo; OSs. The onboarding process was also different.  To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA).  This was required as the EDR sensor wasn\u0026rsquo;t built-in, unlike with Server 2019.  
While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection.\u003c/p\u003e","title":"Tons of Microsoft Defender for Endpoint Improvements for Server 2012 R2 \u0026 2016"},{"content":"The basics Let\u0026rsquo;s start this article with some basic cybersecurity terminology. Security hygiene, or cyber hygiene, is a general term used to describe the ongoing practice of keeping your technology and IT estate in a healthy and protected state. The metaphor with physical hygiene is valid because we know with our bodies that there\u0026rsquo;s no such thing as \u0026ldquo;set it and forget it\u0026rdquo;: if we don\u0026rsquo;t maintain regular hygiene practices and exercise, we atrophy. It\u0026rsquo;s a continual effort comprised of daily discipline, habit, and ritual.\nThe same is true of our increasingly connected infrastructure. Nature wants to tear your body down if you don\u0026rsquo;t maintain it, and malicious cyber actors are the equivalent in IT. The infrastructure that\u0026rsquo;s in a best-practice, fully patched state one day is not going to be like that forever. You only need to pay attention to recent developments to realise this, such as Windows elevation of privilege vulnerabilities (SeriousSAM) and remote code execution vulnerabilities (PrintNightmare). Without continual monitoring and remediation, we are left open to these threats. To back this up with numbers, the Online Trust Alliance published a study estimating 93% of incidents reported would not have occurred had best practice and basic hygiene been followed. As time progresses, so do best practice and the actions you must take to implement it. Similarly, you must stay on top of new solutions being introduced into your environments, such as PaaS and IaaS in the cloud.\nWhere do you start? 
Beginning with a vendor-neutral approach, a number of institutes publish guidance for what they regard as best practice hygiene. The Center for Internet Security (CIS) are an example of this. Published as CIS Controls, and released in regular versions, these provide a mechanism to review high-level recommendations and prioritise accordingly. An organisation can take the recommendations (for example, get the PDFs online) and use them as a standard to work to, applying them across their multi-vendor estate, or use the vendor-specific CIS Benchmarks, such as CIS Benchmarks for Microsoft Azure Foundations.\nAzure Security Center These are great, but one of the reasons customers (myself included) like Microsoft solutions is the inclusion of things natively and integration with the larger platform to make the IT pro\u0026rsquo;s life easier. Sticking with Azure, Microsoft\u0026rsquo;s native solution for ongoing security hygiene management is the Azure Security Center. I briefly touched on what exactly the Azure Security Centre (ASC) is in this blog over at Petri.com before, but let\u0026rsquo;s recap.\nAt its core, ASC is about security posture management and belongs to a category called cloud security posture management (CSPM) tools. The CSPM capabilities of ASC are provided at no additional cost to you, the Azure administrator, and sometimes referred to as \u0026ldquo;Security Center without Azure Defender\u0026rdquo;. What\u0026rsquo;s Azure Defender then? Azure Defender is comprised of many protective services (think about how many types of Azure resources there are!) and is a consumption-based license (with a 30-day trial), which extends ASC into a cloud workload protection platform (CWPP) that includes additional protective and remedial capabilities. 
Now that\u0026rsquo;s a lot of acronyms and tech jargon, so let\u0026rsquo;s break it down, and think about ASC as having two pillars:\nAzure Security Center without Azure Defender: a CSPM that reports your security posture and builds a Secure Score (more on this later) Azure Security Center with Azure Defender: a CWPP that builds on the CSPM to additionally protect your Azure resources I detailed the various resources that Azure Defender can protect here, so for the remainder of this article I\u0026rsquo;ll focus on how we can use the free Secure Score to tackle that opening problem: security hygiene.\nSecure Score If you take away one thing from this article, it should be this. Not every IT department has a SOC or MSSP. In the small business space, this is especially true. What that team does have, with ASC\u0026rsquo;s Secure Score, is a clear roadmap on what to do, why to do it, and how to do it.\nNot to be confused with the Microsoft Secure Score (which pertains to Microsoft 365 resources such as identities and devices), Secure Score within ASC presents information and recommendations for improving the security posture and hygiene of your Azure IaaS and PaaS estate. These are then turned into a sort of KPI by assigning a score; 100% being what Azure administrators should aspire to (and it\u0026rsquo;s really satisfying as you start checking things off and improving that score).\nIn the example above, you can see an overarching Secure Score with differently scored controls, which are groups of recommendations. In this instance, there\u0026rsquo;s a lot of failures (it\u0026rsquo;s a demo environment\u0026hellip; for the record!), but also opportunities with clear descriptions about what to do. 
For example, immediately I can see that both the VMs in my environment have open management ports, which in terms of a \u0026ldquo;score\u0026rdquo;, remediating would bump me up by eight points.\nAfter entering the recommendation, I\u0026rsquo;m given clear instructions on how to fix the problem (and why). Should you step up to have Azure Defender, some recommendations will get quick fix, a button that kick-starts auto-remediation. You can even run Logic Apps and workflow automation to reduce additional manual effort.\nThis brings me to the huge and immediate advantage of Secure Score (compared to manual or third-party controls): the sheer accessibility of it. One intuitive location in the Azure portal (though you can also use APIs or PowerBI if you want) to understand the current state of things and plain-speaking language about what you should do to improve it.\nRecommendations have an accompanying severity, which is a good place to start. Filters at the top of the recommendations list in ASC allow you to first target high severity recommendations, so you can resource your time more appropriately towards significant threats.\nAs you remediate and improve, the secure score updates, but only improves when all recommendations in that control have been remediated.\nSometimes, you may have business exemptions against a recommendation or a business process/third-party solution that mitigates it but ASC cannot detect this. Under such circumstances, an exemption can be made so it doesn\u0026rsquo;t hurt your score. An important note about exemptions is they are currently a preview premium feature.\nYour environment may have certain security hygiene requirements which are not included in the default Secure Score feedback, which is powered by the Azure Security Benchmark. 
This is where the concept of policy management steps in, which can be managed from the security policy section of ASC.\nFirstly, there are specific industry and regulatory standards that can be managed, such as ISO 27001, and are set up already \u0026ldquo;out of the box\u0026rdquo;. Or, within the security policy page, you can add additional standards on which recommendations will build.\nMore advanced still, there is a facility to create custom initiatives, which can even be customised with their own severity and remediation descriptions. This is useful if you have a bespoke security benchmark or compliance standard not yet managed by Microsoft.\nA challenge: next actions This blog is in response to a challenge issued by Yuri Diogenes of the C+AI Security CxE Team at Microsoft to write about getting started with security hygiene in Azure using ASC and Secure Score. Now the challenge is for readers: start using it! Your priority actions should be something like this:\nVisit ASC by searching for Security Center in the Azure portal. The overview page may recommend enabling Azure Defender, so at least try it for 30 days and see what additional benefits it opens up (beyond the scope of this article, but expect things such as just-in-time VM access and vulnerability scanning powered by Qualys, and more!). Jump into the Secure Score section of ASC to see, at a high level, your overall posture by subscription. Then into view recommendations, so you can start building that roadmap, starting based on severity. Lastly, get into the routine of regular reviews for ongoing security hygiene. ","permalink":"https://campbell.scot/security-hygiene-az-security-center-secure-score/","summary":"\u003ch3 id=\"the-basics\"\u003eThe basics\u003c/h3\u003e\n\u003cp\u003eLet\u0026rsquo;s start this article with some basic cybersecurity terminology.  
Security hygiene, or cyber hygiene, is a general term used to describe the ongoing practice of keeping your technology and IT estate in a healthy and protected state.  The metaphor with physical hygiene is valid because we know with our bodies that there\u0026rsquo;s no such thing as \u0026ldquo;set it and forget it\u0026rdquo;: if we don\u0026rsquo;t maintain regular hygiene practices and exercise, we atrophy.  It\u0026rsquo;s a continual effort comprised of daily discipline, habit, and ritual.\u003c/p\u003e","title":"Security Hygiene, Azure Security Center, and Secure Score"},{"content":"Microsoft Defender for Endpoint (MDE) is a massive platform. It\u0026rsquo;s not a single product, and it\u0026rsquo;s more than just a service. It\u0026rsquo;s a platform of tons of security features, portals, services, and controls. The more you dig in, the more elements of general Microsoft security have been included in the MDE \u0026ldquo;branding\u0026rdquo;. It\u0026rsquo;s not only endpoint detection and response (EDR), but also Windows 10 security settings. It\u0026rsquo;s not just the security software on the device, it\u0026rsquo;s also ongoing threat and vulnerability management.\nAs the platform has grown to protect not only Windows clients, but also servers, mobile operating systems, and Linux, what I always struggled to keep in mind is what specifically do you get for each? For example, EDR capabilities are now available across Windows, macOS, and Linux - so you\u0026rsquo;ll see alerts and investigations about potentially malicious activity - but how you respond to these isn\u0026rsquo;t universal: you don\u0026rsquo;t get all the response actions or automated investigations for all the OSs, including older Windows systems. Additionally, actually getting devices into MDE - what it calls onboarding, is going to differ from OS to OS.\nScattered across tons of official documentation, you can piece all this together. 
Credit where it\u0026rsquo;s due: the Microsoft Docs website is amazing: constantly updating, Wiki-style, and a great level of detail. Where I think it struggles, and this is not just for MDE, is immediately presenting high-level overviews. Being a visually-led person, when I start working with new tech, I like diagrams and tables that kind of immediately illustrate to me \u0026ldquo;hey, here\u0026rsquo;s what this is, here are the different approaches, and here are some gotchas\u0026rdquo;.\nInspired in large part by Aaron Dinnage\u0026rsquo;s m365maps.com which does this for Microsoft 365 licensing, and Joe Stocker\u0026rsquo;s blog on MDE for Windows Server, I\u0026rsquo;ve put together a table/chart/diagram/matrix/thing on all parts of Microsoft Defender for Endpoint, then supportability by OS. I\u0026rsquo;m calling it The Big Comparison of Defender for Endpoint Features by Operating System, or TBCMDEFOS. That part\u0026rsquo;s inspired by the dude at Microsoft who names stuff.\nIn this, you\u0026rsquo;ll find the name of the feature/service, a brief description of it, then OS support. Some gotchas of my own now:\nThis is my first attempt at this, so it\u0026rsquo;s \u0026ldquo;v1\u0026rdquo; and provided without warranty and only my best effort. This stuff isn\u0026rsquo;t always obvious in the documentation, so expect updates to refine accuracy over time. Where I have used a green check ✓ to note support, this doesn\u0026rsquo;t mean all versions of that OS, but it does mean all MDE-supported versions of that OS. For example, macOS is supported for the three latest versions, and Windows 10 from 1607. For the most part, I have gone by what the docs say. My friend Rudy Ooms has pointed out that some ASR rules apply on OSs that aren\u0026rsquo;t officially listed in Microsoft\u0026rsquo;s docs. I\u0026rsquo;ve stuck to the docs because if you ever need support, that\u0026rsquo;s what you\u0026rsquo;ll have to help. 
In some cases, the docs say nothing about the OS version required, so I\u0026rsquo;ve had to figure it out myself or make a presumption based on other information (for example, Server SAC versions response actions, by looking at the LTSC version supported). If you notice any errors or have suggestions for improvement, let me know! You can download it below. PDF is the best quality.\nPDF JPG Or check it out in this (probably compressed and squashed) image below.\nLet me know any feedback you have!\n","permalink":"https://campbell.scot/the-big-comparison-of-defender-for-endpoint-features-by-operating-system/","summary":"\u003cp\u003eMicrosoft Defender for Endpoint (MDE) is a massive platform.  It\u0026rsquo;s not a single product, and it\u0026rsquo;s more than just a service.  It\u0026rsquo;s a platform of \u003cem\u003etons\u003c/em\u003e of security features, portals, services, and controls.  The more you dig in, the more elements of general Microsoft security have been included in the MDE \u0026ldquo;branding\u0026rdquo;.  It\u0026rsquo;s not only endpoint detection and response (EDR), but also Windows 10 security settings.  It\u0026rsquo;s not just the security software on the device, it\u0026rsquo;s also ongoing threat and vulnerability management.\u003c/p\u003e","title":"The Big Comparison of Defender for Endpoint Features by Operating System"},{"content":"This will be a brief blog, as I am certainly not a DHCP expert or day-to-day administrator. 
I do, however, run a DHCP server on Windows Server 2019 constantly in my lab environment, but sometimes encounter a problem whereby the server is no longer authorised, and when I use the GUI to do so, I get the error the specified servers are already present in the directory service.\nThe PowerShell I use to resolve this does the following:\nGets the Active Directory DHCP server object of the server it executes on Removes that server from Active Directory (fixing the fact the server is already present, from the error) Authorises the server in Active Directory You must review and test this before running in your own environment; I can only post what works for me and leave it to you to confirm it\u0026rsquo;s suitable.\nGet-DhcpServerInDC | Where-Object DNSName -EQ (([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname) | Remove-DhcpServerInDC ; Add-DhcpServerInDc -DnsName (([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname) Now, the DHCP server is authorised.\nHope this works for you! Best to check the results of Get-DhcpServerInDC and its Where-Object filter are what you expect before piping it over to Remove-DhcpServerInDC.\n","permalink":"https://campbell.scot/reauthorise-windows-server-dhcp/","summary":"\u003cp\u003eThis will be a brief blog, as I am certainly not a DHCP expert or day-to-day administrator.  
I do, however, run a DHCP server on Windows Server 2019 constantly in my lab environment, but sometimes encounter a problem whereby the server is no longer authorised, and when I use the GUI to do so, I get the error \u003cstrong\u003ethe specified servers are already present in the directory service\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2021/06/the-specified-servers-are-already-present-in-the-directory-service.png\"\u003e\u003c/p\u003e\n\u003cp\u003eThe PowerShell I use to resolve this does the following:\u003c/p\u003e","title":"Reauthorise Windows Server DHCP with One Line of PowerShell"},{"content":"Office 365, or Microsoft 365 Apps for Enterprise, or whatever it\u0026rsquo;s called this month, can be deployed by Intune to Windows 10 devices using a built-in wizard. The advantage of this is you don\u0026rsquo;t need to package anything: you fill out some nice drop-downs and options in a GUI, assign it like any other app, and Microsoft takes care of the rest.\nIn the background, this is using the Office CSP to deploy the client, which makes it quite unique compared to the deployment of other apps, which are best done with Win32 packaging. I wrote a general guide about that for Petri.com, available here.\nRecently, there have been problems deploying Office 365 apps with this Office CSP method. From what I read online, Microsoft support said this is due to a CDN replication problem and, at the time of writing, is listed under service health advisory IT262216.\nWhatever the root cause of the Office CSP deployment problem, deployments were fine using the standard Office Deployment Toolkit approach, as recommended by many on Twitter. In this blog, I\u0026rsquo;ll cover how to get that working with Intune.\nBig thank you to Peter Klapwijk, Alex Durrant, Rudy Ooms, and Chris Roberts for encouraging the Win32 approach. 
Thank you to DarrenG for pointing out the Intune health advisory.\nDeploying Office 365 as a Win32 App Firstly, download the Office Deployment Toolkit and extract the contents to a folder. You will end up with setup.exe and some XML files. The XML files can be disregarded as we\u0026rsquo;ll be creating our own, which manage the settings for our deployment.\nYou can create your own XML from scratch, or use config.office.com to build one. The UI for this is very simple, so I won\u0026rsquo;t guide you through that. You\u0026rsquo;ll end up with an XML that will be similar to the example below, which I\u0026rsquo;ve saved as install.xml.\n\u0026lt;Configuration\u0026gt; \u0026lt;Add OfficeClientEdition=\u0026#34;64\u0026#34; Channel=\u0026#34;Current\u0026#34;\u0026gt; \u0026lt;Product ID=\u0026#34;O365ProPlusRetail\u0026#34;\u0026gt; \u0026lt;Language ID=\u0026#34;en-us\u0026#34; /\u0026gt; \u0026lt;ExcludeApp ID=\u0026#34;Groove\u0026#34; /\u0026gt; \u0026lt;ExcludeApp ID=\u0026#34;Lync\u0026#34; /\u0026gt; \u0026lt;ExcludeApp ID=\u0026#34;Bing\u0026#34; /\u0026gt; \u0026lt;/Product\u0026gt; \u0026lt;/Add\u0026gt; \u0026lt;Property Name=\u0026#34;FORCEAPPSHUTDOWN\u0026#34; Value=\u0026#34;TRUE\u0026#34; /\u0026gt; \u0026lt;RemoveMSI /\u0026gt; \u0026lt;AppSettings\u0026gt; \u0026lt;User Key=\u0026#34;software\\microsoft\\office\\16.0\\excel\\options\u0026#34; Name=\u0026#34;defaultformat\u0026#34; Value=\u0026#34;51\u0026#34; Type=\u0026#34;REG_DWORD\u0026#34; App=\u0026#34;excel16\u0026#34; Id=\u0026#34;L_SaveExcelfilesas\u0026#34; /\u0026gt; \u0026lt;User Key=\u0026#34;software\\microsoft\\office\\16.0\\powerpoint\\options\u0026#34; Name=\u0026#34;defaultformat\u0026#34; Value=\u0026#34;27\u0026#34; Type=\u0026#34;REG_DWORD\u0026#34; App=\u0026#34;ppt16\u0026#34; Id=\u0026#34;L_SavePowerPointfilesas\u0026#34; /\u0026gt; \u0026lt;User Key=\u0026#34;software\\microsoft\\office\\16.0\\word\\options\u0026#34; Name=\u0026#34;defaultformat\u0026#34; 
Value=\u0026#34;\u0026#34; Type=\u0026#34;REG_SZ\u0026#34; App=\u0026#34;word16\u0026#34; Id=\u0026#34;L_SaveWordfilesas\u0026#34; /\u0026gt; \u0026lt;/AppSettings\u0026gt; \u0026lt;Display Level=\u0026#34;None\u0026#34; AcceptEULA=\u0026#34;TRUE\u0026#34; /\u0026gt; \u0026lt;/Configuration\u0026gt; Like most XML, this is reasonably intuitive and shows exactly what the deployment is doing.\nImportant Note: You\u0026rsquo;ll see the Language ID above is specified to en-us. In my testing, the default of MatchOS gave me error code 30183-44 (400). Although the devices I deploy to have en-gb as their language, en-us still applies the correct proofing for British users.\nYou should also create a second XML that specifies the uninstall job. For me, this is the below, saved as uninstall.xml.\n\u0026lt;Configuration\u0026gt; \u0026lt;Display Level=\u0026#34;None\u0026#34; AcceptEULA=\u0026#34;True\u0026#34; /\u0026gt; \u0026lt;Property Name=\u0026#34;FORCEAPPSHUTDOWN\u0026#34; Value=\u0026#34;True\u0026#34; /\u0026gt; \u0026lt;Remove\u0026gt; \u0026lt;Product ID=\u0026#34;O365ProPlusRetail\u0026#34;\u0026gt; \u0026lt;/Product\u0026gt; \u0026lt;/Remove\u0026gt; \u0026lt;/Configuration\u0026gt; Now, you\u0026rsquo;ll have three files: two XMLs specifying install/uninstall options and one executable.\nThese should be packaged using the Win32 Content Prep Tool. That will take the three files and put them in one .intunewin file. The specific steps on this are covered in my Petri.com blog on Win32 packaging, but are summarised in the below screenshot.\nAfter your .intunewin file is uploaded to Endpoint Manager, you need to specify the install and uninstall commands that reference your XML files. The format for these is setup.exe /configure filename.xml. For install behaviour, SYSTEM is needed for admin rights.\nThe remainder of the Win32 app settings is largely the same as any other Win32 app. 
For a detection rule, I use the existence of registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\O365ProPlusRetail - en-us\\DisplayName.\nAssign the app to users or devices like any other Win32 app, and it should now deploy fine using the Click2Run engine, and you don\u0026rsquo;t need to worry about dependencies on the Office CSP deployment approach. If you have additional requirements for Visio or Project to be deployed or managed separately, check out the work Thijs Lectome has done on that here.\n","permalink":"https://campbell.scot/deploying-office-365-with-intune-as-a-win32-app/","summary":"\u003cp\u003eOffice 365, or Microsoft 365 Apps for Enterprise, or whatever it\u0026rsquo;s called this month, can be deployed by Intune to Windows 10 devices using a built-in wizard.  The advantage of this is you don\u0026rsquo;t need to package anything: you fill out some nice drop-downs and options in a GUI, assign it like any other app, and Microsoft takes care of the rest.\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2021/06/Office-365-Intune-Deployment-Wizard.png\"\u003e\u003c/p\u003e\n\u003cp\u003eIn the background, this is using the Office CSP to deploy the client, which makes it quite unique compared to the deployment of other apps, which are best done with Win32 packaging.  I wrote a general guide about that for \u003ca href=\"https://petri.com/how-to-package-and-deploy-windows-applications-with-intune\"\u003ePetri.com, available here\u003c/a\u003e.\u003c/p\u003e","title":"Deploying Office 365 with Intune as a Win32 App (and Why You'd Want To)"},{"content":"In my last blog, I wrote about three considerations for your Azure Information Protection deployments and commented on often overlooked potential downsides, or at least areas with which to be cautious. In hindsight, it all feels a bit negative. 
I am, for the record, an advocate of Microsoft 365 customers using AIP (sensitivity labels) in basically any circumstance it\u0026rsquo;s appropriate to do so. So in this blog, I\u0026rsquo;ll counter the earlier post with three often overlooked useful things you can do with it.\nMy great friend Peter and I run a show called Cloud Conversations, which you can catch on YouTube and podcast apps like Spotify or through Anchor. We chat with a lot of MVPs and other experts on areas such as Azure, Microsoft 365, and IT careers in general. Watching shows back as a host, you start to notice your own linguistic habits, and shake your head in despair. One I have, and can\u0026rsquo;t seem to break, is the constant use of \u0026ldquo;cool\u0026rdquo; to describe just about everything.\nAs IT pros, we know not to start using the tech just because it\u0026rsquo;s cool, but because it contributes to an organisational goal. Although these are all things I think are fun (and cool) to implement, I\u0026rsquo;ll also back up their introduction to your Azure Information Protection deployment with the appropriate scenarios for their use.\n1. Conditional Access for Labelled Documents Azure AD Conditional Access (CA) is the backbone of much of Microsoft 365\u0026rsquo;s zero-trust security philosophy. I\u0026rsquo;ll spare the background of Conditional Access, which I\u0026rsquo;ve covered mostly over at Petri.com, but remind you that with CA, you have policies that apply \u0026ldquo;if this, then that\u0026rdquo; rules to accessing Azure AD authenticated applications.\nAzure Information Protection is available as a selectable cloud app within CA policies, which means you can enforce grant controls on various conditions.\nWhen a user opens a file with a sensitivity label, they (the client) connect to the Azure Rights Management (RMS) cloud service. The client\u0026rsquo;s Azure AD account is used to confirm their rights to the file (if any). 
It\u0026rsquo;s at the point of connecting to the service that the Conditional Access policy works; as if the user were connecting to any other Azure AD app.\nThe headline use of Conditional Access + Azure Information Protection is multi-factor authentication, the most common use case for Conditional Access in general. What\u0026rsquo;s important to know about MFA is that if the user has already satisfied authentication requirements for the Office app, even from Windows SSO, they won\u0026rsquo;t get the MFA prompt. For that same reason, this does not apply to files accessed in SharePoint Online/OneDrive for Business and access via the web apps if you navigate there after already authenticating.\nMFA aside, we can really use any of CA\u0026rsquo;s grant controls, including only allowing access on managed devices, limiting access to known IPs, or prohibiting access if there is Identity Protection risk associated.\n2. Label and Protect Files on Download Continuing the trend of Conditional Access, one of the things you can do with it is reverse proxy traffic through Microsoft Cloud App Security (MCAS) using what it calls session policies. For apps and users in scope, traffic is routed to the user as a subdomain of mcas.ms, which gives the administrator, rather than only the app, the means to control (and monitor) activities in web app sessions.\nA use case for this is usually unmanaged device access. Let\u0026rsquo;s say you want to allow users to download and work on corporate files on PCs you don\u0026rsquo;t control, but you still keep those files safe. With a session policy, when users download Office format files or PDF files (up to 50MB), a label can be applied; and not just to Office 365 content - this can apply to other SaaS applications you have integrated with MCAS, including services such as Google Workspace. 
For files that you can\u0026rsquo;t protect - for example, an unsupported format, size, or service - you can block those downloads altogether.\nThe actual benefit for that unmanaged device access then comes when the user no longer should access the file. If their account is disabled or they are otherwise removed from the label\u0026rsquo;s access rights, they cannot access the file (assuming you have configured the label appropriately; such as not allowing infinite offline access).\nIn the session policies, you can either apply a predefined label (such as \u0026ldquo;Confidential\u0026rdquo;) or instead set custom permissions: viewer, reviewer, co-author, or co-owner. Following the animation below, you can see there is no sensitivity label on the file hosted in SharePoint Online (check the empty \u0026lsquo;sensitivity\u0026rsquo; column), but when opening it locally after download, it has a Confidential label.\nIf you want to get really fine-grained about what you protect, you can use the session policy\u0026rsquo;s inspection capabilities. This leverages the data classification service or built-in DLP functionality to label only files that meet certain criteria. For example, only protect files that include a trainable classifier match (source code, resume, etc); sensitive info type (identifiable info, financial information); or exact data match (records from an external system, such as CRM data).\n3. Auto Label Files by File Attribute or Location At the risk of this blog turning into \u0026ldquo;cool things to do with Microsoft Cloud App Security\u0026rdquo;, we turn to MCAS again for this tip on utilising Azure Information Protection.\nWhen Microsoft first revealed sensitivity labels for containers, the assumption was it would automatically label any files added to those containers with that same label. If you uploaded a file to a \u0026ldquo;Confidential\u0026rdquo; Team or SharePoint site, it would inherit that label. Not so fast. 
Container labels operate entirely differently and only apply settings to the container itself, such as external sharing settings and privacy, rather than its contents.\nWhen it comes to auto labelling files by container, we can sort of use MCAS\u0026rsquo;s file policy options. While we can\u0026rsquo;t select a whole Team or site, we can select folders for which we\u0026rsquo;ll automatically apply file labels. Just like session policies, labels can be applied broadly or you can use content inspection services based on the data that\u0026rsquo;s actually in the file. I\u0026rsquo;ll skip past that for now and focus on protecting all files in a folder. We can actually do this not just for SharePoint and OneDrive, but also Dropbox and Box if they have been integrated with MCAS using app connectors.\nI say we can sort of do this because it\u0026rsquo;s a bit limited. For starters, there\u0026rsquo;s a 50 count limit on file policies, a 100 label per tenant per day limit, and you also have to manually select the folders; you can\u0026rsquo;t have dynamic rules such as \u0026ldquo;folder name contains X\u0026rdquo;. To me, this feature has its place but still has a long way to go. As a general warning about MCAS-protected files, these cannot be opened in the web apps if hosted in SharePoint Online and OneDrive for Business, as covered here.\nHowever, file policies apply to more than just location, so consider the other uses. For example, label all files where user X is the owner, or are shared with user X or domain X. 
Really, any kind of file filter MCAS supports.\nRegardless of what criteria you choose for auto-labelling with MCAS, you\u0026rsquo;ll find the files it matches against your policy by going into the policy itself, then you can view the history of actions (applying labels) to confirm your scope is as expected.\nMicrosoft Information Protection with AIP P2 licensing has a native ability to auto-protect content in ODfB and SPO with automatic labelling policies, created in the Compliance Centre, or on-prem using the AIP Scanner. But if you need to protect content in third-party SaaS, start looking at MCAS.\n","permalink":"https://campbell.scot/three-cool-things-to-do-with-azure-information-protection/","summary":"\u003cp\u003eIn my last blog, I wrote about \u003ca href=\"/3-considerations-for-aip-deployments/\"\u003ethree considerations for your Azure Information Protection deployments\u003c/a\u003e and commented on often overlooked potential downsides, or at least areas with which to be cautious. In hindsight, it all feels a bit negative.  I am, for the record, an advocate of Microsoft 365 customers using AIP (sensitivity labels) in basically any circumstance it\u0026rsquo;s appropriate to do so.  So in this blog, I\u0026rsquo;ll counter the earlier post with three often overlooked useful things you can do with it.\u003c/p\u003e","title":"Three Cool Things To Do With Azure Information Protection"},{"content":"Azure Information Protection (AIP) - more accurately exposed to Microsoft 365 now as sensitivity labels- is close to the top of my favourite wins for securing your data in a Microsoft ecosystem. While designing a detailed labelling and classification system is far from quick, it is quick to get up and running with baseline policies that protect your confidential company data from getting read outside the company. 
Simply by applying a sensitivity label that limits access to confidential data to users in your domain, you\u0026rsquo;ve covered a massive chunk of data loss scenarios.\nBut\u0026hellip; not so fast. While AIP is fantastic, there are some often overlooked elements you need to consider before rushing in and deploying to your users. None of them are dealbreakers, but probably things you\u0026rsquo;ll have wished you knew.\n1. OneDrive and SharePoint Support Historically, you could not access any protected files in the web Word, Excel, and PowerPoint apps. The services could not decrypt the content to present it in the web app, and you would get an error message that the content would only be readable in the full client app. What this also meant is that other services reliant on reading content weren\u0026rsquo;t supported, such as coauthoring.\nNow, you can enable Office online support for encrypted files from either the Compliance Centre or PowerShell. When turned on, uploaded files are actually decrypted as they enter the cloud storage, to enable that content indexing and retrieval, then downloaded if it ever leaves the web. It\u0026rsquo;s opt-in, for now (and note that coauthoring is only in preview for lab tenants).\nThis is such an improvement, but there are still some important things you need to know about it.\nIf you save a file directly to OneDrive for Business or SharePoint Online from a full client app or get one into there syncing with OneDrive.exe, you\u0026rsquo;ll hit problems when opening that file in the web app. Microsoft describes this as a \u0026ldquo;limitation\u0026rdquo;, noting \u0026quot; if the service is still processing the encryption, the user sees a message that the document must be opened in their desktop app. 
If they try again in a couple of minutes, the document successfully opens in Office for the web.\u0026quot; My experience is that the minutes really go on forever: I have uploaded files that have never been readable in Office online, despite the functionality being enabled. Some label settings matter and will render the file unsuitable for Office online. Labels that protect content and have an expiration, use a double key/hold your own key, or user-specified permissions are not compatible with Office online. They cannot be viewed in the web apps, and cannot be indexed by services such as eDiscovery. Similarly, how a label is applied matters. If a label is applied using Microsoft Cloud App Security, rather than by a user or automatic labelling in an app, Office online will have the same problem as above. Earlier, I mentioned how Office online support for sensitivity labels actually works: by removing the encryption as it enters the platform, and reapplying it as it exits. The big risk? If a label is deleted, it cannot be reapplied, and the file exists with no encryption. While this is a significant risk, best practice has been for some time to not delete labels: only remove them from policies. 2. Super User A common concern around the process of encrypting company files is losing access to them. The encryption\u0026rsquo;s strength means you can\u0026rsquo;t just mess around with the file and get in some way like a password protected Excel worksheet: you must explicitly have access rights.\nThere is always a \u0026ldquo;backdoor\u0026rdquo; to your AIP protected files if there\u0026rsquo;s a super user available. Described as a feature rather than a role, the ability for someone to be an AIP super user isn\u0026rsquo;t even on by default, and you must enable it with the PowerShell AIPService module. When it\u0026rsquo;s enabled, it can be assigned to users or groups with PowerShell. 
It\u0026rsquo;s not enabled by default as a security precaution: a super user can open all your AIP protected files without limitation, as they get Full Control rights over any files protected with sensitivity labels. While this is useful in moments of disaster and you just need access (or even scenarios like tenant migrations), you obviously had better protect this privilege.\nTwo things worth considering with regards to protecting super user rights are:\nMonitor activities. This can be done in the Compliance Center under Data Classification \u0026gt; Activity Explorer. Alternatively, use Get-AipServiceAdminLog. It doesn\u0026rsquo;t explicitly tell you if a user is a super user while accessing the content, but you can marry these logs up with the audit records of someone being made a super user with the Add-AipServiceSuperUser cmdlet or Set-AipServiceSuperUserGroup. All of this should make its way to your SIEM, making it easier to recognise super users being created, then accessing files. Protect elevation using Privileged Identity Management (PIM). You can assign roles to Microsoft 365 groups created since August 2020; a feature we can use to make elevations to super user rights protected by PIM and therefore things like MFA, approval, and justifications. Enable PIM for the group, then set its members to be super users with Set-AipServiceSuperUserGroup. The users will not get these rights, however, until they activate them using PIM, which controls if membership to the group is active or not. 3. Track and Revoke Protecting documents with AIP underwent a facelift a few years ago with the introduction of sensitivity labels in 2018. These still use AIP, but the application is different; a change mostly for the better.\nThe updates have seen the migration of label management from the Azure portal to Microsoft 365 admin portals, with labels now mostly managed at compliance.microsoft.com. 
The change has also seen the introduction of labelling built into the Office apps - across all platforms - which was a welcomed feature. Previously, labelling was done with the deployment of a client: the Azure Information Protection client. The client also underwent a facelift and is differentiated from the old one (which you can no longer download) with the branding of Azure Information Protection unified labeling client.\nRegretfully, as part of all this, a feature called track and revoke was lost until very recently. To the horror of many, it was also described as not being planned for reintroduction. We now, fortunately, are starting to see it make an appearance again, with client version 2.9.111.0. You can read more about that in my blog here.\nWhat\u0026rsquo;s important to know about the \u0026rsquo;new\u0026rsquo; track and revoke is its poor feature parity with the classic labelling track and revoke system. That classic system was managed with a web portal at track.azurerms.com, and end-users could \u0026quot; see exactly who has opened, used, and attempted to view your documents\u0026quot; and \u0026quot; revoke access when you need to.\u0026quot;\nThe kind of features available in this web portal included:\nComplete list of documents you have protected Data on the number of document views and denied access attempts Time since last activity A map of geo-IP access (!!!) Email notifications whenever the file was opened or denied (your choice) A revoke access button Now, there is no web portal, and revocation is handled in the app itself if you open the file. The kind of features available include:\nA revoke access button You get the picture\u0026hellip;\nWhile this is a welcomed step forward compared to no ability, consider a few areas things will get difficult. Previously, the end user could revoke access to any of their files; but now, what if they delete a file then need to revoke it? 
As covered in this blog, they will need an administrator to track the file using PowerShell. Ultimately, track and revoke has gone from being a popular user feature to an administrator-dependent option of last resort. Please remember to manage expectations if you have previously deployed classic labelling and start preaching the benefits of tracking or revocation for a new deployment.\nConclusion The benefits of sensitivity labels vastly outweigh any shortcomings or problems highlighted above. Do not use these as reasons to delay your deployment, but rather only as constraints you will need to factor into your adoption and communication plans. None of the shortcomings will be with us forever: track and revoke can get better, and the OneDrive/SharePoint issues definitely are getting better. As for the super user function, that\u0026rsquo;s far from a shortcoming: it\u0026rsquo;s a break-glass, a get-out-of-dodge feature that you simply have to treat as Tier 1, so protect and monitor it as such.\n","permalink":"https://campbell.scot/3-considerations-for-aip-deployments/","summary":"\u003cp\u003eAzure Information Protection (AIP) - more accurately exposed to Microsoft 365 now as \u003cstrong\u003esensitivity labels\u003c/strong\u003e- is close to the top of my favourite wins for securing your data in a Microsoft ecosystem.  While designing a detailed labelling and classification system is far from quick, it \u003cem\u003eis\u003c/em\u003e quick to get up and running with baseline policies that protect your confidential company data from getting read outside the company.  Simply by applying a sensitivity label that limits access to confidential data to users in your domain, you\u0026rsquo;ve covered a massive chunk of data loss scenarios.\u003c/p\u003e","title":"Three Considerations for Azure Information Protection Deployments"},{"content":"The Azure Mask browser extension is a really great tool when either recording on-screen demos or sharing your screen. 
Available for Edge/Chrome and Firefox, @_clarkio\u0026rsquo;s extension censors sensitive tenant information, so that your recording or viewers can\u0026rsquo;t see it. For example, the tenant ID within Azure AD\u0026rsquo;s overview page is blurred out.\nIf you\u0026rsquo;re doing a demonstration of any kind of security software with logs and auditing information, chances are you\u0026rsquo;ll get IP addresses on-screen too. If you\u0026rsquo;re running a lab environment at home or you\u0026rsquo;re showing off your own business\u0026rsquo;s production environment, you probably don\u0026rsquo;t want those seen by everyone, particularly if the session is going to be recorded.\nThe solution: Text Rewriter, a Chrome/Edge and Firefox extension.\nThanks! Full credit to @dotBATman on Twitter for pointing me in the direction of Text Rewriter!\nWith Text Rewriter installed, jump into the extension options (edge://extensions)\nIt operates using RegEx, where we enter a phrase to rewrite. Being a sane person, I Googled, rather than figured out myself, the RegEx of IPv4 addresses:\n(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} Place the RegEx into the phrase field, and however you want to censor it into the rewrite field, then save.\nNow when web pages render, the extension dynamically updates any references to IPv4 addresses with the rewrite value.\nThis very simple tool really helps, and if you\u0026rsquo;re confident with RegEx you could go on to hide additional sensitive info that might show up in logs, such as ISPs or geographies.\n","permalink":"https://campbell.scot/automatically-hide-ip-addresses-when-recording-demos-or-screen-sharing/","summary":"\u003cp\u003eThe \u003ca href=\"https://github.com/clarkio/azure-mask\"\u003eAzure Mask\u003c/a\u003e browser extension is a really great tool when either recording on-screen demos or sharing your screen.  
Available for Edge/Chrome and Firefox, \u003ca href=\"https://twitter.com/_clarkio\"\u003e@_clarkio\u003c/a\u003e\u0026rsquo;s extension censors sensitive tenant information, so that your recording or viewers can\u0026rsquo;t see it.  For example, the tenant ID within Azure AD\u0026rsquo;s overview page is blurred out.\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2021/05/01-azure-ad-tenant-info.png\"\u003e\u003c/p\u003e\n\u003cp\u003eIf you\u0026rsquo;re doing a demonstration of any kind of security software with logs and auditing information, chances are you\u0026rsquo;ll get IP addresses on-screen too.  If you\u0026rsquo;re running a lab environment at home or you\u0026rsquo;re showing off your own business\u0026rsquo;s production environment, you probably don\u0026rsquo;t want those seen by everyone, particularly if the session is going to be recorded.\u003c/p\u003e","title":"Automatically Hide IP Addresses When Recording Demos or Screen Sharing"},{"content":"As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you\u0026rsquo;re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.\nI was recently setting up hybrid Azure AD join and Intune enrollment, as I\u0026rsquo;ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.\nOn the device itself, the go-to command to begin troubleshooting this, for me, is dsregcmd /status. This is mostly for checking the domain status, but it spits out a bunch of MDM information too. 
Yet, everything looked good:\nAs you can see, it\u0026rsquo;s pulled down the MdmUrl and all the other key data you\u0026rsquo;d expect. This confirmed a couple of other prerequisites were definitely set up properly: user scope and licensing. I\u0026rsquo;ve heavily documented prerequisites, and the general process flow of all this, in my blog before, available here.\nWhere to now?\nEvent Viewer logs Windows\u0026rsquo; attempt to MDM enrol within Applications and Service Logs\\ Microsoft\\ Windows\\ DeviceManagement-Enterprise-Diagnostics-Provider, and this is where we get into more detail about specific errors. And boy there were a few:\nYou\u0026rsquo;ll see we have two error event IDs: 71 and 76. Interestingly enough, some of these had different error codes: 0x80192ee7, 0xcaa70004, and 0x82aa0008.\nSo, I next do what every sensible person does: Google it! Unfortunately, I\u0026rsquo;m left scratching my head: all the results are generic reports of the prerequisites I\u0026rsquo;ve already mentioned; specifically licensing. To further infuriate things, Microsoft\u0026rsquo;s MDM Registration Error Values page (here) lists none of these error codes. If someone can adequately explain to me how Microsoft can get away with creating error codes but not documenting them online, please do.\nBack to basics. The user account exists, can log in, has licenses assigned, is correctly linked from on-prem to Azure AD via AD Connect, and is within MDM scope as specified in Azure AD\u0026rsquo;s mobility options. Time to go even further back to basics. Can you see where this is going yet?\nAs already seen in the results of dsregcmd /status, and confirmed within Azure AD, the address we need connectivity to for enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc:\nGetting there! From the above, at first, it looks like general network connectivity and DNS are fine because I can ping yahoo.com. 
Personally, I always test first using Yahoo because I\u0026rsquo;m confident enough it won\u0026rsquo;t be used that it won\u0026rsquo;t be in the DNS cache :-). Proceeding, though, I can see that a ping to enrollment.management.microsoft.com completely fails, not even resolving to an IP address. Now it looks like we know the problem, because it\u0026rsquo;s always the problem: DNS.\nNot being a DNS expert by any means, I stumbled into the DNS settings, which were on a Windows Server 2019 server. Looking at the server properties, the forwarding server was the server itself. Forwarders are servers that resolve DNS if the server itself cannot. My expectation, therefore, was that the forwarding server couldn\u0026rsquo;t resolve enrollment.manage.microsoft.com, but the root hints would allow it to do so, but that obviously wasn\u0026rsquo;t working. As soon as the forwarding servers were updated to include an alternative server, we got a result. You\u0026rsquo;ll note the ping doesn\u0026rsquo;t respond, but that could just be because the server doesn\u0026rsquo;t it. Importantly, we have an IP.\nBack on the hybrid Azure AD joined device, automatic enrollment is attempted roughly every five minutes, and sure enough, the errors are replaced in Event Viewer by informational events. Key among these, event 72: MDM enroll: succeeded.\nTo sum up, errors 0x80192ee7, 0xcaa70004, and 0x82aa0008 for Intune enrolment were, in this case, DNS. Of course! But the moral of the story, for me, is to start with the fundamentals: using OSI, work your way up. 
I wasted time looking into a whole bunch of intricate prerequisites, none of which mattered, and I knew were set up correctly (due to earlier success) but still double and triple checked.\nHopefully, this blog will also help anyone else doing what every sensible person does: Googling it!\n","permalink":"https://campbell.scot/troubleshooting-hybrid-azure-ad-intune-automatic-enrollment/","summary":"\u003cp\u003eAs I have blogged about \u003ca href=\"/hybrid-azure-ad-join-intune-enrollment-prerequisites-checklist-and-process-flow/\"\u003ea\u003c/a\u003e\u003ca href=\"https://petri.com/how-to-automatically-hybrid-azure-ad-join-and-intune-enroll-pcs\"\u003elot\u003c/a\u003e, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you\u0026rsquo;re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.\u003c/p\u003e\n\u003cp\u003eI was recently setting up hybrid Azure AD join and Intune enrollment, as I\u0026rsquo;ve done hundreds of times before, but this time I was hitting a strange problem.  Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere.  Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.\u003c/p\u003e","title":"Troubleshooting Hybrid Azure AD Intune Automatic Enrollment"},{"content":"Most of us have had that \u0026ldquo;oh \u0026lt; blank \u0026gt;\u0026rdquo; moment where we have given someone access to someone only to immediately or later need to undo that access. Azure Information Protection has historically been able to help us there. AIP allowed us to create protected (encrypted) documents and also let us remove access. 
However, in the move from \u0026lsquo;classic\u0026rsquo; AIP to the new unified labelling with sensitivity labels, the ability to revoke was lost in the transition. Now it\u0026rsquo;s back in preview, but unlike the classic version, it\u0026rsquo;s managed on the client and not a web portal.\nRevoking means we can block access to a file even after it\u0026rsquo;s been sent, even if the label applied to it gave the user permission. For example, you have a label in your organisation named Confidential. That label allows anyone in your company, but not outside it, permission to view the file. You, the owner, made a mistake emailing a file with that label to someone within your company. Revocation lets you block access even after they\u0026rsquo;ve received and downloaded the file. Note that the file must be protected - a file with a label with no protection cannot be revoked.\nThe prerequisite to revoke files is the Azure Information Protection unified labelling client version 2.9.111.0, which must be installed for users we want to give this ability to. Both end-users and administrators can revoke access, the latter being most likely in circumstances where the user no longer has the original file or the recipient changed the permissions to the file. This is because revoking access is dependent on the file\u0026rsquo;s content ID and this value changes whenever permission changes; for example, if a user downgrades the sensitivity label. Administrators are able to query the AIP service document log to find that changed content ID. 
The content ID is key to making revocation work and I\u0026rsquo;ll explain some significant gotchas later on in this article.\nUser Experience Without the AIP client above (or later), this is the end-user experience clicking the sensitivity button:\nIn this example, I\u0026rsquo;m the owner of a file with a label called custom protection(which was set up to allow the end-user to specify named user access rights - see here for that!). You\u0026rsquo;ll note I can change the label, but that\u0026rsquo;s about it. The label itself has no limitations on how long access is allowed.\nAfter installing the AIP client, the file now presents a revoke access option. An important note I found in my testing of this is that the file had to be saved and locally available on my PC. If I accessed a SharePoint Online or OneDrive for Business file via the cloud only, it wasn\u0026rsquo;t available.\nThe revoke access option asks the end-user to confirm they want to proceed.\nA ribbon bar confirms the action was successful. If users who have this file are offline and offline access has been allowed, this obviously won\u0026rsquo;t take effect until they are forced to check-in (or go online with the file before that mandatory check-in).\nWhen a user I emailed the file as an attachment to now tries to open the file, they receive the generic message that they don\u0026rsquo;t have permission.\nAdmin Experience Ok, back to content ID, and some gotchas for the preview release. This is an ID that is registered in the AIP service when a sensitivity label protected file is opened for the first time on a device with the AIP unified labelling client that supports revocation (i.e. 2.9.111.0+). When you revoke, you revoke against the content ID, so it\u0026rsquo;s important it doesn\u0026rsquo;t change. 
But it does change - a lot!\nAt the moment, a significant drawback is that when a file is uploaded to SharePoint Online or OneDrive for Business (or Teams\u0026hellip; it\u0026rsquo;s all SharePoint, really!), the content ID is lost. Take the scenario where you protect a file locally, then share it using SPO, and the recipient downloads it to their local device. Your end-user cannot revoke this file, because the content ID was lost.\nWhat if we need to revoke a file that has since been lost by the owner? An administrator can use the AIPService module for PowerShell to find the content ID of files, and then revoke access.\nInstall-Module AIPService Import-Module AIPService Connect-AipService Get-AipServiceDocumentLog -ContentName \u0026#34;file.xlsx\u0026#34; A host of information is presented to the admin for all matching results, including the owner, created time, and existing revocation status if any. The administrator can then take the content ID, and revoke access.\nSet-AipServiceDocumentRevoked -ContentId \u0026#34;xyz\u0026#34; Lastly, be very careful if the document has EDITRIGHTSDATA as permission. This will allow a recipient to remove the label, which if they do so means you can\u0026rsquo;t revoke it. This also applies to copies of files: if a file is copied and the label changed, you won\u0026rsquo;t be revoking that copy.\nBecause of the above gotchas, you may, for now at least, until things improve, want to disable this feature entirely in your tenant. 
This can be achieved by an administrator using PowerShell.\nConnect-AipService Disable-AipServiceDocumentTrackingFeature And to remove the choice from clients, run the following from the Exchange Online V2 PowerShell module.\nImport-Module ExchangeOnlineManagement Connect-IPPSSession -UserPrincipalName admin@whatever.com Set-LabelPolicy -Identity \u0026#34;yourlabel\u0026#34; -AdvancedSettings @{EnableTrackAndRevoke=\u0026#34;False\u0026#34;} ","permalink":"https://campbell.scot/revoke-access-to-office-files-with-sensitivity-labels-and-azure-information-protection/","summary":"\u003cp\u003eMost of us have had that \u0026ldquo;oh \u0026lt; \u003cem\u003eblank\u003c/em\u003e \u0026gt;\u0026rdquo; moment where we have given someone access to someone only to immediately or later need to undo that access.  Azure Information Protection has historically been able to help us there.  AIP allowed us to create protected (encrypted) documents and also let us remove access.  However, in the move from \u0026lsquo;classic\u0026rsquo; AIP to the new \u003cstrong\u003eunified labelling\u003c/strong\u003e with \u003cstrong\u003esensitivity labels\u003c/strong\u003e, the ability to revoke was lost in the transition.  Now it\u0026rsquo;s back in preview, but unlike the classic version, it\u0026rsquo;s managed on the client and not a web portal.\u003c/p\u003e","title":"Revoke Access to Office Files with Sensitivity Labels and Azure Information Protection"},{"content":"A common Conditional Access policy is to add trusted locations as an exception to multi-factor authorisation requirements. The logic goes, if you\u0026rsquo;re accessing resources such as Office 365 from a location such as the corporate office, that\u0026rsquo;s an element of verification in itself that your login should be trusted, so we should improve your user experience by removing MFA. Personally, I support the use of MFA regardless of where you are authenticating (at the very least, if you have an Azure AD admin role assigned). 
However, doing something like this is a great option if you are introducing MFA from scratch: you will improve user buy in the less you change their standard experience. Then, increase the scope gradually.\nRecently, I was asked how to bypass MFA if accessing from a trusted location, just like described above, but also only on managed devices. Managed devices refer to those that have some kind of IT control over them. In the realm of Microsoft 365, Azure AD, and Conditional Access, this specifically means devices that are Intune MDM enrolled and meet our compliance policy, or Hybrid Azure AD Joined (HAADJ). Adding this additional requirement to the MFA bypass goal removes a few weaknesses, such as personal devices using the company Wi-Fi.\nHowever, it\u0026rsquo;s not as simple as you may think due to the way the logical operators work.\nConditions are like a big checklist of criteria an authentication session has to meet in order to be controlled by the policy: operating system, location, risk level, app/protocol, etc. The session must meet all the criteria you set up, but we can also add exclusions. If one exclusion is applicable, that means the remainder of the checklist doesn\u0026rsquo;t matter: the policy isn\u0026rsquo;t applicable.\nFor example, you may start to build a CA policy that enforces MFA then excludes trusted locations and managed devices - makes sense, right? The problem here is in the way the logic works: as soon as one exclusion criteria is met, the inclusions are not enough. You\u0026rsquo;re not saying exclude the device when it\u0026rsquo;s both managed and in a trusted location, you\u0026rsquo;re saying if it\u0026rsquo;s either.\nThe way around this particular requirement is two policies; one for each location boundary. Conditional Access policies, if more than one qualify for a session, are applied together in the most restrictive way. 
You can set these up like this:\nPolicy 1 - Trusted Locations This policy will be applied if a user is in a trusted location, but not if they\u0026rsquo;re on a managed device.\nConditions Locations Include: trusted locations Device state Exclude: compliant and HAADJ Access controls Grant MFA Policy 2 - Untrusted Locations This policy will be applied if a user isn\u0026rsquo;t in a trusted location.\nConditions Locations Include: any locations Exclude: trusted locations Access controls Grant MFA Policy 1 only applies to unmanaged devices in trusted locations. This does the job of making our managed devices in trusted locations not need MFA. But what about those same devices in untrusted locations? For that, we need a second policy, which scoops up any untrusted location logins and enforces MFA.\nHopefully, this explains a little more about how exclusions for conditions work in Conditional Access. You want to keep your policy number as low as possible for manageability, but if you have a requirement such as this, you will have to add in additional rules to cater for those exclusions.\nRemember that trusted locations are based on IP range, so be as accurate as you can with the IPs that you manage, and don\u0026rsquo;t introduce an MFA bypass like this on a whim: can you really trust a connection just because it comes from a known IP or device?\n","permalink":"https://campbell.scot/conditional-access-skip-mfa-for-company-devices-on-the-company-network/","summary":"\u003cp\u003eA common Conditional Access policy is to add trusted locations as an exception to multi-factor authorisation requirements.  The logic goes, if you\u0026rsquo;re accessing resources such as Office 365 from a location such as the corporate office, that\u0026rsquo;s an element of verification in itself that your login should be trusted, so we should improve your user experience by removing MFA.  
Personally, I support the use of MFA \u003cem\u003eregardless\u003c/em\u003e of where you are authenticating (at the very least, if you have an Azure AD admin role assigned).  However, doing something like this is a great option if you are introducing MFA from scratch: you will improve user buy-in the less you change their standard experience.  Then, increase the scope gradually.\u003c/p\u003e","title":"Conditional Access: Skip MFA for Company Devices on the Company Network"},{"content":"BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.\nThe identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique identifier of the removable drive doesn\u0026rsquo;t match a list of unique identifiers managed on the device. The idea here is you want to enforce BitLocker on removable drives to reduce data loss (encrypted drives, if found, are unreadable without the means to decrypt them), but you only want them to be encrypted within your organisation: someone can\u0026rsquo;t encrypt their device elsewhere and then copy data to it. You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.\nIn some scenarios, such as Hybrid Azure AD Joined devices, when you enable the aforementioned setting to block write access unless it was encrypted within your organisation, you will find that after a reboot, the encrypted volume can\u0026rsquo;t be written to. That\u0026rsquo;s because Intune did not give your device (and therefore the encrypted volume) a unique identifier. 
When the encrypting device reboots, it loses the fact the encrypted volume was encrypted by itself, thus rendering it \u0026lsquo;unwritable\u0026rsquo;.\nGroup Policy provided a very simple way to manage unique identifiers (Windows Components\\BitLocker Drive Encryption\\ Provide the unique identifiers for your organization) but the setting is not exposed through Intune endpoint security settings or configuration profiles. Originally I presumed I could just ingest the ADMX into Intune, however, Microsoft actually prevent the ingestion of most first-party Group Policies except a small list found here.\nWhen all else fails, PowerShell :)\nAll the group policy does is manage registry entries:\nHKLM\\Software\\Policies\\Microsoft\\FVE\\ IdentificationField This is a DWORD set to 1 or 0, to enable or disable the use of a unique identifier HKLM\\Software\\Policies\\Microsoft\\FVE\\ IdentificationFieldString This is a string field which contains the unique identifier PowerShell makes it pretty straight forward to update the registry, and you can do it for this using the below, where I use rucam365 as the identifier:\n$registryPath = \u0026#34;HKLM:\\SOFTWARE\\Policies\\Microsoft\\FVE\u0026#34; $enable = \u0026#34;IdentificationField\u0026#34; $string = \u0026#34;IdentificationFieldString\u0026#34; $identifier = \u0026#34;rucam365\u0026#34; if(!(Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null New-ItemProperty -Path $registryPath -Name $enable -Value 1 -PropertyType \u0026#34;DWord\u0026#34; -Force | Out-Null New-ItemProperty -Path $registryPath -Name $string -Value $identifier -PropertyType \u0026#34;String\u0026#34; -Force | Out-Null} else { New-ItemProperty -Path $registryPath -Name $enable -Value 1 -PropertyType \u0026#34;DWord\u0026#34; -Force | Out-Null New-ItemProperty -Path $registryPath -Name $string -Value $identifier -PropertyType \u0026#34;String\u0026#34; -Force | Out-Null} When the Intune Management Extension (IME) on the client 
next runs the script, registry will update:\nImmediately, drives encrypted with BitLocker will have the identification field populated. This only applies to new encryption.\n","permalink":"https://campbell.scot/update-bitlocker-unique-identifiers-with-intune/","summary":"\u003cp\u003eBitLocker unique identifiers are values used to identify the ownership of an encrypted volume.  The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.\u003c/p\u003e\n\u003cp\u003eThe identifiers are typically used in tandem with the BitLocker removable data-drive setting \u003cstrong\u003ewrite access to devices configured in another organisation\u003c/strong\u003e which, if set to \u003cstrong\u003eblock\u003c/strong\u003e, will prevent write operations on devices where the unique identifier of the removable drive doesn\u0026rsquo;t match a list of unique identifiers managed on the device.  The idea here is you want to enforce BitLocker on removable drives to improve data loss (encrypted drives, if found, are unreadable without the means to decrypt them), \u003cem\u003ebut\u003c/em\u003e you only want them to be encrypted within your organisation: someone can\u0026rsquo;t encrypt their device elsewhere and then copy data to it.  You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.\u003c/p\u003e","title":"Update BitLocker Unique Identifiers with Intune"},{"content":"When you authenticate with Azure AD, Conditional Access policies let you apply if-then rules for licensees of Azure AD Premium P1 or P2.\nThe conditions within Conditional Access (CA) are called assignments, but you may also see them referred to as signals, session details, or criteria. 
They make up the if part of if-then, and the then part is referred to as the access control or enforcement.\nFor example:\nif the authentication attempt is for an administrative role (assignments / signals / session details / criteria)\nthen enforce multi-factor authentication (MFA) (access control / enforcements)\nAssignments are broken down into\nWhen the authentication process happens, all assignments must be applicable to the session for the access controls to occur. This means assignments work with AND logic, which you cannot change. Think of it as a bouncer with a checklist at the door: they look you (the user logging in) up and down and suss you out. If you meet everything on their list, they proceed to their separate access control list. However, if you don\u0026rsquo;t meet everything specified, you are overlooked; it\u0026rsquo;s as if the Conditional Access policy doesn\u0026rsquo;t exist.\nAccess controls are broken down into two further areas: grant controls and session controls.\nGrant controls let you decide whether all selected controls must be satisfied (AND logic) or only one of the selection (OR logic).\nSession controls don\u0026rsquo;t give you that ability: they are all enforced using AND logic.\n","permalink":"https://campbell.scot/how-conditional-access-assignments-and-access-controls-work/","summary":"\u003cp\u003eWhen you authenticate with Azure AD, Conditional Access policies let you apply if-then rules for licensees of Azure AD Premium P1 or P2.\u003c/p\u003e\n\u003cp\u003eThe \u003cem\u003econditions\u003c/em\u003e within Conditional Access (CA) are called \u003cstrong\u003eassignments\u003c/strong\u003e, but you may also see them referred to as signals, session details, or criteria.  
They make up the \u003cem\u003eif\u003c/em\u003e part of if-then, and the \u003cem\u003ethen\u003c/em\u003e part is referred to as the \u003cstrong\u003eaccess control\u003c/strong\u003e or enforcement.\u003c/p\u003e\n\u003cp\u003eFor example:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cem\u003eif\u003c/em\u003e the authentication attempt is for an administrative role (assignments / signals / session details / criteria)\u003c/li\u003e\n\u003cli\u003e\u003cem\u003ethen\u003c/em\u003e enforce multi-factor authentication (MFA) (access control / enforcements)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAssignments are broken down into\u003c/p\u003e","title":"How Conditional Access Assignments and Access Controls Work"},{"content":"Although not common, there are scenarios out there where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV). With no line of sight to the internet, you can use options such as WSUS, but in this blog, I\u0026rsquo;ll explore using a network share, as WSUS isn\u0026rsquo;t always an option.\nSet up the network share for updates\n1. Create a directory on your file server with subdirectories for the different CPU architectures you\u0026rsquo;ll be supporting.\n2. On the server, we\u0026rsquo;ll be installing a script provided by Microsoft. In PowerShell with elevated rights:\nInstall-Script -Name SignatureDownloadCustomTask -Force\n3. Confirm where the script downloaded to, as we need to reference the file path when scheduling. Alternatively, you can manually download the script, or move it once you have run Install-Script.\nGet-InstalledScript -Name SignatureDownloadCustomTask | FL InstalledLocation\n4. The script will create Task Scheduler entries to automatically download updates that are \u0026ldquo;published\u0026rdquo; within our shared folders. 
Each architecture (x86, x64, and ARM) can get full and delta updates, with a full update required for clients that have not updated for some time (approximately one month).\n5. To create the full and delta update tasks, each running daily, run the following, replacing the destDir and scriptPath values with your own. The latter part of this ensures the PowerShell script has permission to run.\n$destDir = \u0026#34;C:\\mdav-updates\u0026#34;\n$scriptPath = \u0026#34;C:\\Program Files\\WindowsPowerShell\\Scripts\\SignatureDownloadCustomTask.ps1\u0026#34;\n# Full update tasks, one per architecture (isDelta 0)\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch x64 -isDelta 0 -destDir \u0026#34;$destDir\\x64\u0026#34; -scriptPath $scriptPath -daysInterval 1\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch x86 -isDelta 0 -destDir \u0026#34;$destDir\\x86\u0026#34; -scriptPath $scriptPath -daysInterval 1\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch ARM -isDelta 0 -destDir \u0026#34;$destDir\\arm\u0026#34; -scriptPath $scriptPath -daysInterval 1\n# Delta update tasks, one per architecture (isDelta 1)\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch x64 -isDelta 1 -destDir \u0026#34;$destDir\\x64\u0026#34; -scriptPath $scriptPath -daysInterval 1\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch x86 -isDelta 1 -destDir \u0026#34;$destDir\\x86\u0026#34; -scriptPath $scriptPath -daysInterval 1\n.\\SignatureDownloadCustomTask.ps1 -Action Create -Arch ARM -isDelta 1 -destDir \u0026#34;$destDir\\arm\u0026#34; -scriptPath $scriptPath -daysInterval 1\nPowerShell will return that several tasks have successfully been created:\n6. We can confirm this in the Task Scheduler GUI by navigating to Microsoft\\Windows\\Windows Defender. Note the triggers are daily at the time we executed the PowerShell commands. You can change this if you need to.\n7. For now, the tasks haven\u0026rsquo;t run, and the folders we created earlier to house the updates are still empty. So right-click \u0026gt; Run.\n8. Reviewing the folders, we can see the update files. If the jobs don\u0026rsquo;t run, it\u0026rsquo;s probably your execution policy for PowerShell. 
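Before editing the scheduled tasks, it helps to know which step is actually failing. The PowerShell below is an added example and is not code from the original post. The first function, run on the update server, lists the tasks the Microsoft script created (last result, whether their action already bypasses the execution policy) and reports how old the newest mpam-fe.exe (full) and mpam-d.exe (delta) file is in each architecture folder; the second, run on a LAN-only client, points MDAV at the share and forces an update from it, which is the local equivalent of the two Group Policy settings described later in the post. The share name \\fs01\mdav-updates, the local folder C:\mdav-updates, and the assumption that each task's action line mentions SignatureDownloadCustomTask are mine, not the post's.

```powershell
# Added example (not from the original post). Assumptions: the script-created tasks live under
# \Microsoft\Windows\Windows Defender\ and their action line names SignatureDownloadCustomTask;
# the share \\fs01\mdav-updates is backed by C:\mdav-updates on the server. Run elevated.

function Test-MdavUpdateServer {
    param(
        [string]$LocalRoot = 'C:\mdav-updates',                      # folder behind the share (assumed)
        [string]$TaskPath  = '\Microsoft\Windows\Windows Defender\'  # where the Microsoft script registers its tasks
    )
    $tasks = Get-ScheduledTask -TaskPath $TaskPath | Where-Object {
        (($_.Actions.Execute + $_.Actions.Arguments) -join ' ') -match 'SignatureDownloadCustomTask'
    }
    if (-not $tasks) { Write-Warning "No SignatureDownloadCustomTask tasks found under $TaskPath"; return }

    $machinePolicy = Get-ExecutionPolicy -Scope LocalMachine
    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo
        $actionArgs = ($t.Actions.Arguments) -join ' '
        # LastResult 0 = last run succeeded; 267011 (0x41303) = the task has never run yet.
        # If BypassesPolicy is False and MachinePolicy is Restricted/AllSigned, the task's
        # powershell.exe action is what is failing, not the download.
        [pscustomobject]@{
            Task           = $t.TaskName
            State          = $t.State
            LastRun        = $info.LastRunTime
            LastResult     = $info.LastTaskResult
            NextRun        = $info.NextRunTime
            BypassesPolicy = [bool]($actionArgs -match '-ExecutionPolicy\s+Bypass')
            MachinePolicy  = $machinePolicy
        }
    }

    # The files the script downloads: mpam-fe.exe is the full engine+signature package,
    # mpam-d.exe the delta. Report the age of the newest one per architecture folder.
    foreach ($arch in 'x64', 'x86', 'arm') {
        $dir = Join-Path $LocalRoot $arch
        $newest = Get-ChildItem -Path $dir -Filter 'mpam-*.exe' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($newest) {
            $ageHours = ((Get-Date) - $newest.LastWriteTime).TotalHours
            '{0}: newest {1} written {2:g} ({3:N1} h ago)' -f $arch, $newest.Name, $newest.LastWriteTime, $ageHours
        } else {
            Write-Warning "$arch folder has no mpam-*.exe yet: the task has not run or it failed"
        }
    }
}

function Update-MdavFromShare {
    # Run on a LAN-only client. Sets the same two things the Group Policy settings later in the
    # post set (file-share source and source order) locally, then pulls an update from the share.
    param([Parameter(Mandatory)][string]$Share)   # e.g. \\fs01\mdav-updates, without the architecture subfolder
    # Test-Path checks as the interactive user; the Defender service itself reads the share as
    # SYSTEM, i.e. the computer account on a domain, so that account needs read access too.
    if (-not (Test-Path $Share)) { throw "Cannot reach $Share as $env:USERNAME; check share and NTFS read access" }
    Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $Share
    Set-MpPreference -SignatureFallbackOrder 'FileShares'
    Update-MpSignature -UpdateSource FileShares
    Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
}

# Usage:
#   Test-MdavUpdateServer                                # on the file server
#   Update-MdavFromShare -Share '\\fs01\mdav-updates'    # on the client
```

If AntivirusSignatureLastUpdated moves to the current time after Update-MdavFromShare, the share, permissions and files are all fine and any remaining problem is in the Group Policy delivery; if it does not, the warnings from Test-MdavUpdateServer tell you whether the tasks never ran, ran but failed, or ran and left nothing behind.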
You could update the Task Scheduler entries so that the PowerShell action runs with -ExecutionPolicy Bypass.\nUpdate Defender Antivirus Update Source\nYour updates are good to go, but MDAV has no awareness of them yet. Group Policy is how we\u0026rsquo;ll get our LAN-only device to point to a shared folder to get them, and this can be done for your domain\u0026rsquo;s Group Policy or a local Group Policy if you have no domain line of sight or no domain at all; which is likely if you\u0026rsquo;re doing this instead of WSUS\u0026hellip; or maybe you just share my terror of WSUS. One thing to check first: the Defender service runs as SYSTEM, so it reaches the share as the computer account (or anonymously on a non-domain device), and the share and NTFS permissions must allow that account to read, not just your own user.\n1. In the Group Policy Editor, navigate to Computer Configuration\\ Administrative Templates\\ Windows Components\\ Microsoft Defender Antivirus\\ Security Intelligence Updates.\n2. For the setting Define file shares for downloading security intelligence updates, point to the UNC path minus the architecture subdirectories.\n3. For the setting Define the order of sources for downloading security intelligence updates, set the value to FileShares.\n4. The client will now update using the network share.\n","permalink":"https://campbell.scot/microsoft-defender-antivirus-schedule-install-updates-via-network-shares/","summary":"\u003cp\u003eAlthough not common, there are scenarios out there where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV).  With no line of sight to the internet, you can use options such as WSUS, but in this blog, I\u0026rsquo;ll explore using a network share, as WSUS isn\u0026rsquo;t always an option.\u003c/p\u003e\n\u003ch2 id=\"set-up-the-network-share-for-updates\"\u003eSet up the network share for updates\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCreate a directory on your file server with subdirectories for the different CPU architectures you\u0026rsquo;ll be supporting.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2021/02/01-create-update-folders-on-server.png\"\u003e2. 
On the server, we\u0026rsquo;ll be installing a script provided by Microsoft.  In PowerShell with elevated rights:\u003c/p\u003e","title":"Microsoft Defender Antivirus – Schedule \u0026 Install Updates via Network Shares"},{"content":"When configuring Defender for Endpoint (MDE) for a customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE\u0026rsquo;s web content filtering and URL/domain indicators of compromise.\nThis blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.\nThe problem\nConfiguring network protection should be super straightforward. In your antivirus endpoint security profile, you simply choose Yes against Turn on network protection.\nInfo: Until about a year ago, all configuration of Microsoft Defender was done using an endpoint protection Intune device configuration profile. This was a type of configuration profile that covered Antivirus, Firewall, BitLocker, etc. Microsoft has since introduced endpoint security, a blade within the Microsoft Endpoint Manager admin center that intends to simplify and improve management of all security-related profiles. This isn\u0026rsquo;t always foolproof, and there are reasons you may want to stick with device configuration profiles, which I\u0026rsquo;ll be blogging about soon. 
For what it\u0026rsquo;s worth, this blog applies to both, as I tried both and had the same problem (and fix).\nHowever, on my devices, even after syncing to Intune, network protection just didn\u0026rsquo;t enable.\nTroubleshooting network protection\nOn the device, a few ways to check network protection are\u0026hellip;\n1. In a third-party browser, visit the SmartScreen test website. Why third party? Because SmartScreen is built into Edge, and network protection is about extending that to the general network, so a block in Edge proves nothing about it. In the screenshot below, I can tell network protection isn\u0026rsquo;t doing its job because I see the page render and not a failure to load.\n2. In PowerShell, Get-MpPreference returns MDAV settings. In this case, EnableNetworkProtection returns a value of 0. The MEM setting configured earlier should have set it to 1.\n3. In the MDMDiagReport (Settings \u0026gt; Accounts \u0026gt; Access work or school \u0026gt; [your account] \u0026gt; Info \u0026gt; Create report), you can find information on the configuration service providers (CSPs) set up by Intune. This means you can search for many Intune settings and see what has been applied. In my case, EnableNetworkProtection was under the area for unmanaged policies. Strangely, in Intune, the policy clearly shows success:\nAt the moment, my guess is that this is due to some kind of bug in configuration profiles and endpoint security profiles. I will get in touch with Intune support to confirm. Why do I think it\u0026rsquo;s a bug? Because when I apply the fix, all I\u0026rsquo;m doing is bypassing the profiles and turning it on directly\u0026hellip;\nThe fix\nFundamentally, when we are updating endpoint security profiles, we are just working with a user interface to set up OMA-URIs. 
Without getting into too much detail, these are the underlying settings an MDM configures, exposed by the OS to a tool like Intune.\nWhen the MDM\u0026rsquo;s UI doesn\u0026rsquo;t let us change these, even if they exist in the OS, we can, in Intune at least, create a custom configuration profile. In it, we point directly to the OMA-URI and say how we want to configure it.\nThe OMA-URI for network protection is ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection. When you configure this as an Integer of value 1, you enable it; value 0 disables it (and value 2 puts it in audit mode, which logs what would have been blocked without blocking it). To create this in Intune, when adding a configuration profile, choose Custom, then add a row configured as below. You don\u0026rsquo;t need a description, but make sure the OMA-URI is exactly as just stated and the value is 1.\nImmediately after the client synced, the value changed to 1 in Get-MpPreference.\nWhen the test website is attempted in a third-party browser (Firefox in my example), it now presents an error code SSL_ERROR_NO_CYPHER_OVERLAP.\nFinally, EnableNetworkProtection is now showing as a managed policy in MDMDiagReport (but note it only shows the default value of 0, and the actual value column is not populated - I am not sure why this is the behaviour. Tamper protection?)\n","permalink":"https://campbell.scot/microsoft-defender-network-protection-not-enabling-via-intune-troubleshooting-fix/","summary":"\u003cp\u003eWhen configuring Defender for Endpoint (MDE) for a customer recently, I ran into a problem when trying to enable network protection.  Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic.  
It is a prerequisite for things such as MDE\u0026rsquo;s web content filtering and URL/domain indicators of compromise.\u003c/p\u003e\n\u003cp\u003eThis blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.\u003c/p\u003e","title":"Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting \u0026 Fix"},{"content":"With Microsoft Information Protection, you can apply sensitivity labels to files, emails, and containers such as SharePoint Libraries. These labels apply protection which, in the context of files and emails, really means encryption using AES-128 or 256 (key size depends on file type). The great thing about Information Protection is that you control an access control list of who is allowed to access the content and it\u0026rsquo;s managed as a cloud service by Microsoft. The document or message, when opened, checks who is authenticated (who is signed in to Outlook or the Office 365 app, for example) and only allows access if they have permission.\nTypically, administrators create sensitivity labels that are preconfigured to say who gets permission and what level of permission. For example, a label called Confidential may limit access to users whose account ends in yourcompany.com, and prohibit changing the label. However, in this article, you\u0026rsquo;ll be guided through the let users assign permissions setup option of sensitivity labels. Using this feature allows the end-user, rather than an administrator, to control access rights. Here\u0026rsquo;s how to set up such a label, and the experience of both label-assigner and recipient.\nCreate and Publish a Sensitivity Label\n1. Navigate to the Microsoft 365 Compliance Centre at compliance.microsoft.com. Under Solutions, click on Information Protection.\n2. Click + Create a label, which takes you into the New sensitivity label wizard.\n3. 
You need to give your label a name, display name, and description. The name is seen only by admins when configuring, but the display name and description are seen by users in their software like Office and Outlook, so choose something appropriate and descriptive so your users know exactly what choosing this label does.\n4. On the define the scope for this label page, only choose files \u0026amp; emails.\n5. On the choose protection settings\u0026hellip; page, only choose to encrypt files and emails.\n6. The encryption page is where you can choose preconfigured access rights, but in our case, we want to choose to let users assign permissions when they apply the label. Additionally, check the boxes to enforce restrictions equivalent to the Do Not Forward (DNF) option in Outlook and, in Word, PowerPoint, and Excel, prompt users to specify permissions.\nBy choosing to enforce DNF, you automatically apply a collection of rights to email recipients. You don\u0026rsquo;t have to apply it, but I\u0026rsquo;ve done so to demonstrate how it works. There is a separate right (\u0026ldquo;action permission\u0026rdquo;) that can be assigned to files called Forward, so you may think all DNF does is withhold that one right. In fact, Do Not Forward additionally prevents users from printing and saving, and uses the email recipient list dynamically to grant read permission only to those recipients. Additionally, if there\u0026rsquo;s an Office attachment without protection applied, it will have printing rights restricted.\n7. The next page, auto-labelling for files and emails, is for Azure Information Protection Premium P2 licensees who want to automatically apply a label if they\u0026rsquo;re creating a file or message matching a content condition such as a sensitive information type. This option will not work for labels that allow users to assign permissions.\n8. 
Proceed through the wizard without changing any more settings, then finally review your settings and finish, choosing to create the label.\n9. Now the sensitivity label exists, we need to publish it. Publishing means making it available for users to assign. Back at your list of labels, click publish labels.\n10. In the first page of the publication wizard, choose sensitivity labels to publish and select the one just created. You can select multiple labels (if you need the group of labels to have the same publication settings), but in our example we only need to choose the one.\n11. In the publish to users and groups page, choose who can apply this label. For this demonstration, I\u0026rsquo;m leaving it as all users and groups in my tenant. Note that users must be licensed with Azure Information Protection to assign labels (but anyone who has been granted rights can open protected content).\n12. In policy settings, I choose not to apply any policy settings, but you could potentially use this page of the wizard to mandate that a user must assign a label, or, if they are going to change the label to a lesser one, justify their doing so.\nFinally, name your policy. This is only seen by administrators during configuration. Review and finish your label policy, then submit to make the label live for the users.\nUser Experience\nProtecting documents in Office\nIn Excel, Word, or PowerPoint, select your label from the ribbon toolbar.\nYou are presented with a Permission window, within which you can restrict permission to this document. If you click more options, in addition to read/change permissions, you can control copy, print, expiration, and offline access. 
As the owner of the file, I will retain full control.\nOpening protected documents\nIf the file is opened by someone without permission, they will be asked to sign the Office app into an account that does have permission.\nFailing this, they are informed the file cannot be opened.\nIf the user does have permission, the Office app authenticates them against the access list by connecting to the Azure cloud service. They will see a yellow RESTRICTED ACCESS bar in the app which lets them view their permissions.\nWhen the user attempts to do something that violates the permissions, the option will be blocked or greyed out. In Word on Windows, a screenshot results in only black pixels.\nProtecting emails in Outlook\nAs with the other Office apps, choose your label from the ribbon toolbar. When the label is applied, a message displays the description.\nOpening protected emails as a recipient\nAn Office 365 user sees the email message normally, but their abilities are limited. Note below, where the forward button is greyed out.\nA non-Office 365 user sees the email message delivered with a URL to read the message on an Office 365 web page. This is because Microsoft can\u0026rsquo;t really interact with other email providers and prevent them from forwarding, printing, and so on. However, it can have some control over a website of its own.\nWhen the recipient follows the read the message link, they will be asked to authenticate with a one-time passcode (OTP) that is emailed to the recipient. This is so that if the URL is forwarded, it still can\u0026rsquo;t be accessed by anyone other than the original recipient. If the recipient uses Gmail, which is actually federated with Azure AD, they can sign in with their Google account instead of the OTP.\nThe OTP arrives at the original recipient\u0026rsquo;s inbox but is only valid for 15 minutes.\nBack on the web page for the email, you have the option to remember your identity for twelve hours.\nFinally, you get to your email. 
It\u0026rsquo;s not rocket science to get around the restrictions (screenshots\u0026hellip;), but the web page renders with controls that prevent you from copying and pasting the body of the email and from printing, and you only have the option to reply. As with most DLP solutions, this is about preventing accidental data loss and maybe just putting a few road blocks in someone\u0026rsquo;s way.\n","permalink":"https://campbell.scot/microsoft-information-protection-sensitivity-labels-custom-user-permissions-and-do-not-forward/","summary":"\u003cp\u003eWith Microsoft Information Protection, you can apply \u003cstrong\u003esensitivity labels\u003c/strong\u003e to files, emails, and containers such as SharePoint Libraries.  These labels apply \u003cstrong\u003eprotection\u003c/strong\u003e which, in the context of files and emails, really means \u003cstrong\u003eencryption\u003c/strong\u003e using AES-128 or 256 (key size depends on file type).  The great thing about Information Protection is that you control an access control list of who is allowed to access the content and it\u0026rsquo;s managed as a cloud service by Microsoft.  The document or message, when opened, checks who is authenticated (who is signed in to Outlook or the Office 365 app, for example) and only allows access if they have permission.\u003c/p\u003e","title":"Microsoft Information Protection Sensitivity Labels - Custom User Permissions and Do Not Forward"},{"content":"Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario. The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.\nThe common denominator behind most onboarding methods is internet connectivity. 
Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.\nWhat about Windows devices that only have LAN access? That is, they can connect with your on-premises infrastructure and are probably Active Directory domain-joined, but you have restricted their ability to connect to the public internet. This is commonly seen in scenarios where you are using PCs more like appliances. They have one function (security camera footage, machine operations), and that\u0026rsquo;s it. You have restricted internet access as part of a layered approach to reducing attack surfaces.\nThere are two elements of Defender we need to consider: Microsoft Defender Antivirus and Microsoft Defender for Endpoint (MDE).\nDefender Antivirus is the core engine on the client that does the malware scanning and provides functionality such as Network Protection. It is built into Windows 10. This blog will focus only on Windows 10, but it\u0026rsquo;s worth knowing that Defender Antivirus has many different names and features depending on the operating system, and in some cases is not pre-installed.\nDefender for Endpoint is the EDR/XDR solution that reports telemetry and device information to the administrator in a central management pane for protection against often malware-free attacks. Some elements of MDE require Defender Antivirus, such as cloud-delivered protection.\nSo, we know the two parts that need to be tackled. How can we do each for Windows 10 no-internet devices?\nDefender Antivirus can be configured using Group Policy, or even the GUI on the device itself.\nDefender for Endpoint can be configured to point to a proxy application/device using Group Policy, or registry edits on the device. 
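For a single device, or to prove the proxy works before a GPO exists, the registry-edit route looks like the following. This is an added example, not code from the original post: it writes the same two values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection that the two Group Policy settings described later in the post write (TelemetryProxyServer and DisableEnterpriseAuthProxy), checks that the proxy answers on its port, runs the onboarding .cmd from the downloaded package, and then reads the onboarding state back from the registry. The proxy name proxy01.domain.local:3128 and the share path holding the onboarding script are assumptions. Keep in mind that a GPO setting the same values will overwrite these manual ones at the next policy refresh, so this is a test or one-off tool, not a replacement for the GPO.

```powershell
# Added example (not from the original post). Assumed: proxy at proxy01.domain.local:3128 and the
# extracted onboarding package on \\fs01\mde-onboarding. Run elevated on the LAN-only device.

function Set-MdeTelemetryProxy {
    param([Parameter(Mandatory)][string]$ProxyServer)   # 'host:port', no http:// prefix
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # TelemetryProxyServer       = "Configure Connected User Experiences and Telemetry" (the proxy string)
    # DisableEnterpriseAuthProxy = "Configure Authenticated Proxy usage ..." set to Disable Authenticated Proxy usage
    New-ItemProperty -Path $key -Name 'TelemetryProxyServer' -Value $ProxyServer -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisableEnterpriseAuthProxy' -Value 1 -PropertyType DWord -Force | Out-Null
    # DiagTrack is the Connected User Experiences and Telemetry service that carries the MDE telemetry;
    # restarting it makes the new proxy setting take effect without a reboot.
    Restart-Service -Name DiagTrack -ErrorAction SilentlyContinue
}

function Test-MdeProxyReachable {
    param([Parameter(Mandatory)][string]$ProxyServer)
    $proxyHost, $proxyPort = $ProxyServer -split ':', 2
    # Only proves the TCP port is open; the proxy must still be allowed out to the MDE service URLs.
    Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -InformationLevel Quiet
}

function Invoke-MdeOnboardingScript {
    # The Group Policy package's .cmd does not prompt, so it can run unattended (as SYSTEM in the GPO task,
    # or from an elevated shell here). Returns the script's exit code; 0 means it completed.
    param([Parameter(Mandatory)][string]$ScriptPath)
    if (-not (Test-Path $ScriptPath)) { throw "Onboarding script not found: $ScriptPath" }
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$ScriptPath`"" -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

function Get-MdeOnboardingState {
    $status = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $dc     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the Defender for Endpoint sensor service
    $senseStatus = 'not present'
    if ($sense) { $senseStatus = $sense.Status }
    [pscustomobject]@{
        OnboardingState = (Get-ItemProperty -Path $status -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState  # 1 = onboarded
        SenseService    = $senseStatus
        TelemetryProxy  = (Get-ItemProperty -Path $dc -Name TelemetryProxyServer -ErrorAction SilentlyContinue).TelemetryProxyServer
        AuthProxyOff    = (Get-ItemProperty -Path $dc -Name DisableEnterpriseAuthProxy -ErrorAction SilentlyContinue).DisableEnterpriseAuthProxy -eq 1
    }
}

# Usage (all names below are assumptions for the example)
$proxy = 'proxy01.domain.local:3128'
if (-not (Test-MdeProxyReachable -ProxyServer $proxy)) { throw "Proxy $proxy is not reachable on its port" }
Set-MdeTelemetryProxy -ProxyServer $proxy
Invoke-MdeOnboardingScript -ScriptPath '\\fs01\mde-onboarding\WindowsDefenderATPOnboardingScript.cmd'
Get-MdeOnboardingState
```

OnboardingState of 1 with the Sense service Running means the device accepted the package; whether telemetry actually reaches the tenant is then a question of the proxy's own egress, which is why the reachability check only looks at the port and the device inventory in MDE is the final confirmation.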
In this blog, I\u0026rsquo;ll guide you through the Defender for Endpoint side using Group Policy, including how to set up a proxy on a Windows Server using Squid.\nSet up Squid proxy\nSquid is free software (GNU General Public Licence v2) that we can install on a Windows Server to make that server a proxy server.\n1. Download Squid for Windows here.\n2. Install Squid on what will become your proxy server. The default settings are fine.\n3. You need to open inbound TCP port 3128 for Squid on your firewall. In Windows Firewall, this is done automatically by the install, and you can confirm it by viewing the rule Squid Cache Server Properties.\n4. Squid will show as running in the notification area on the server. Choose to Stop Squid Service, then Open Squid Configuration. All configuration in Squid is done by editing the configuration text file.\n5. I make two changes to the configuration file. I add an ACL entry for my LAN, so that clients on it are allowed to use the proxy:\nAnd I comment out the DNS servers, which means it will use the DNS servers the server is set to use instead of those in the config file.\n6. Save the config file, close it, then from the notification area icon, Start Squid service.\nSet up telemetry proxying with Group Policy\nOlder versions of Windows required an agent to onboard into MDE because they didn\u0026rsquo;t have Windows 10\u0026rsquo;s built-in ability to gather the required telemetry. To gather that telemetry, we need to tell devices to transmit it through our proxy server because, by default, Windows 10 tries to do it using a direct internet connection.\n1. Create/update a Group Policy Object scoped to the appropriate OU. The policies we\u0026rsquo;ll be setting are found in Administrative Templates \u0026gt; Windows Components \u0026gt; Data Collection and Preview Builds.\n2. Enable Configure Connected User Experiences and Telemetry with the FQDN of your proxy server and port, e.g. server1.domain.local:3128.\n3. 
Enable Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service and set it to Disable Authenticated Proxy usage.\nConfigure onboarding with Group Policy\n1. Navigate to Microsoft Defender Security Center \u0026gt; Settings \u0026gt; Onboarding and choose Windows 10 as the OS.\n2. Click Download package to get WindowsDefenderATPOnboardingPackage.zip, which you should extract to a shared location the LAN device can access remotely. Because the task below runs as SYSTEM, that share must be readable by the computer accounts, not just by you.\n3. We use this package as a scheduled task on the devices to onboard, so in your Group Policy, navigate to Computer Configuration \u0026gt; Preferences \u0026gt; Control Panel Settings \u0026gt; Scheduled Tasks.\n4. Choose Action \u0026gt; New \u0026gt; Immediate Task (At least Windows 7).\n5. In the General tab, give the task a name, specify NT AUTHORITY\\SYSTEM as the account to run as, and tick the box for Run with highest privileges.\n6. In the Actions tab, create a New\u0026hellip; action of type Start a program, where the program/script is the full network-accessible path of the WindowsDefenderATPOnboardingScript.cmd file you downloaded earlier.\nResults\nOn the client, when group policy next updates, it will apply the configuration and Defender for Endpoint will onboard via your proxy server. The device will show in device inventory in MDE. In a future blog, I will include a writeup on how to configure the Antivirus engine and other elements such as Attack Surface Reduction via Group Policy, which will complete the picture for your LAN-only Windows 10 devices. Note that some features such as Live Response will be unavailable because the proxy only applies to telemetry traffic. 
We can, however, use that telemetry to get alerts and a timeline:\n","permalink":"https://campbell.scot/microsoft-defender-for-endpoint-offline-onboarding-for-windows-10-via-proxy/","summary":"\u003cp\u003eGetting your devices into Defender for Endpoint is referred to as \u003cstrong\u003eonboarding\u003c/strong\u003e and can be done in lots of different ways, depending on the scenario.  The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.\u003c/p\u003e\n\u003cp\u003eThe common denominator behind most onboarding methods is internet connectivity.  Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.\u003c/p\u003e","title":"Microsoft Defender for Endpoint - Offline Onboarding for Windows 10 via a Proxy"},{"content":"","permalink":"https://campbell.scot/block-lsass-exe-using-attack-surface-reduction/","summary":"","title":"Block LSASS.exe using Attack Surface Reduction"},{"content":"In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group. Device groups (previously machine groups) are used to assign devices different rules and administrative ownership. A device can belong to only one group, and that group controls settings such as the auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it.\nWhile you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn\u0026rsquo;t exactly scale well.\nDevices managed by Intune give us a couple of options, depending on which version of Windows 10 our device runs. If we run Windows 10 version 1709 or later, we can use a Custom OMA-URI configuration profile. If we run a version before 1709, we can edit the registry using a script. 
Technically, we could go down the script route for version 1709+ too, but using Intune\u0026rsquo;s native toolset is much easier to manage as you get ongoing visibility of the setting. With both, the tag is driven by the device itself, rather than by an administrator in the Defender Security Center. Therefore, if we want to change the tag, we need to do it using the same method we used to deploy it, rather than just updating it in the Defender Security Center.\nCustom Intune Policy (Windows 1709+)\n1. Navigate to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com.\n2. Browse to Devices \u0026gt; Windows \u0026gt; Configuration Profiles and click + Create Profile. You want to choose a Custom type.\n3. Give the profile an appropriate name and description. One profile = one tag, so I like to include the tag itself in the name.\n4. Click the Add button on the OMA-URI settings page. The name and description can be whatever you want. The important parts are that the OMA-URI should be ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group, the Data type should be String, and the Value should be your tag. When all the info is filled out, choose Save to add the line, then Next.\n5. Assign your policy to the appropriate device group, then proceed to Create the policy.\nWhen the device now syncs with Intune, it will apply the custom profile you created, and the device will show with your tag.\nPowerShell Script (Registry Update) (Windows 1703 or older)\nIf you can\u0026rsquo;t use the above custom OMA-URI due to your version of Windows, you can use a PowerShell script to update the registry. 
The script should look something like the below, where $tag is the string you want your tag to be. The key is created if it is missing and -Force overwrites an existing value, so the script is safe to re-run:\n$registryPath = \u0026#34;HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging\u0026#34;\n$name = \u0026#34;Group\u0026#34;\n$tag = \u0026#34;Kiosk\u0026#34;\n# Create the DeviceTagging policy key if it does not exist yet\nif (!(Test-Path $registryPath)) {\n    New-Item -Path $registryPath -Force | Out-Null\n}\n# Write (or overwrite) the Group value that Defender for Endpoint reads as the device tag\nNew-ItemProperty -Path $registryPath -Name $name -Value $tag -PropertyType \u0026#34;String\u0026#34; -Force | Out-Null\n1. Navigate to the Microsoft Endpoint Manager admin center at endpoint.microsoft.com.\n2. Browse to Devices \u0026gt; Windows \u0026gt; PowerShell scripts and click + Add.\n3. Give the script an appropriate name and description. One script = one tag, so I like to include the tag itself in the name.\n4. Upload your script. If you require signature checking, choose Yes for Enforce script signature check; otherwise leave the settings as No. Setting Run script in 64-bit PowerShell host to Yes is the safer choice for HKLM registry work, as the default 32-bit host sees the WOW64-redirected view of parts of HKLM\\SOFTWARE.\n5. Assign your script to the appropriate device group, review the settings, then Add the script.\nWhen the device now syncs with Intune, the Intune Management Extension on Windows 10 will execute the PowerShell script. This adds the registry entry, and the Defender Security Center will reflect this.\nBecause I have a device group created based on the tag \u0026lsquo;Kiosk\u0026rsquo;, I can now see my two devices in it:\n","permalink":"https://campbell.scot/use-intune-to-manage-microsoft-defender-for-endpoint-tags-and-device-groups/","summary":"\u003cp\u003eIn \u003cstrong\u003eMicrosoft Defender for Endpoint\u003c/strong\u003e (MDE), \u003cstrong\u003etags\u003c/strong\u003e can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a \u003cstrong\u003edevice\u003c/strong\u003e \u003cstrong\u003egroup\u003c/strong\u003e.  
Device groups (previously machine groups), are used to assign devices different rules and administrative ownership.  A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it.\u003c/p\u003e\n\u003cp\u003eWhile you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn\u0026rsquo;t exactly scale well.\u003c/p\u003e","title":"Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups"},{"content":"To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.\nThe ideal way to do this is to get your supplier to do it. When you buy a device, they can automatically register the ZTDID in your tenant. You can also get your devices in there yourself by using PowerShell, generating CSVs, and uploading these - a long-winded process that detracts from the benefits of Autopilot. Regardless of how you get the data in there, as soon as devices are registered as Autopilot devices, a special device object is populated in Azure AD by the Device Registration Service (DRS) with that ZTDID.\nWhen Windows 10 Pro/Enterprises go through the out-of-box experience (OOBE) (the factory reset screen), after getting a network connection it will check the Autopilot service to see what Autopilot tenant and rules it should follow by downloading what\u0026rsquo;s called an Autopilot deployment profile. How does it know what profile to assign? 
Because against the profile, you have assigned a group, which contains that aforementioned Autopilot Azure AD device object.\nThat\u0026rsquo;s great for new or redeployed devices, but you have a fleet of PCs already out there. The good news is we can also use these deployment profiles to take existing Azure AD devices and register them into the Autopilot service. These devices should be enrolled in Intune MDM, so if you are using on-premises AD you should consider Hybrid Azure AD Join + automatic enrolment, which I\u0026rsquo;ve blogged about here.\nIn the Microsoft Endpoint Manager admin centre, browse to your deployment profile or create a new one, and select Yes against the option to Convert all targeted devices to Autopilot.\nProceed to give your profile the required settings, and on Assignments choose an Azure AD group with the existing device(s) in it.\nAt the moment in my example tenant, I have no Autopilot registered devices, as is evident from the screenshot below.\nHowever, the group I assigned the profile to does have a full Azure AD device object in it.\nMicrosoft\u0026rsquo;s documentation advises it can take a couple of days for the devices in the group to be registered as Autopilot devices. This is consistent with my experience. When the device is finally registered, you\u0026rsquo;ll find it in the Windows Autopilot devices page, linked to the Associated Azure AD device when you select it.\nThe device has to have been online long enough for Intune to gather hardware information and store this against the device object. If you have gone days without the device showing as an Autopilot device, investigate this as a starting point. In the example below, I\u0026rsquo;ve navigated to the device object in Microsoft Endpoint Manager, then chosen the Hardware tab. The Process Architecture is \u0026ldquo;unknown\u0026rdquo;, but CPU info is needed as part of the required information for the ZTDID discussed earlier. 
In my testing, after the device hadn\u0026rsquo;t been added for four days (with no hardware information in Intune), it then appeared as an Autopilot device within hours of being booted up and letting Intune populate the data.\n","permalink":"https://campbell.scot/turn-existing-azure-ad-devices-into-autopilot-devices/","summary":"\u003cp\u003eTo provision Windows 10 PCs using Autopilot and Intune, they must first be registered as \u003cstrong\u003eWindows Autopilot devices\u003c/strong\u003e in the \u003cstrong\u003eDevice Directory Service\u003c/strong\u003e, which is really the cloud Autopilot service.  When a device is registered to the Autopilot service, its \u003cstrong\u003ehardware hash\u003c/strong\u003e is used to generate a \u003cstrong\u003eZero Touch Device ID\u003c/strong\u003e(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.\u003c/p\u003e","title":"Turn Existing Azure AD Devices into Windows Autopilot Devices"},{"content":"Application Guard first appeared in Windows 10 1709 (\u0026ldquo;Fall Creators Update\u0026rdquo;) to isolate Edge browser activity within a Hyper V container. Microsoft now extends that same idea to Word, Excel, and PowerPoint in Office 365 ProPlus Microsoft 365 Apps for Enterprise on Windows 10\u0026hellip;\n\u0026hellip; if you have Microsoft 365 E5 or E5 Security. You knew that was coming!\nWith Application Guard for Office, your files can open in a sandbox without access local or network storage. This provides an additional layer of protection against threats such as ransomware, for which Office apps are infamous as an attack surface. There\u0026rsquo;s a significant catch: a standard configuration of Application Guard will allow users to bypass it if they say they trust the file, therefore executing it in the normal way; resource access included. 
You can change this default behaviour though, so keep reading.\nNote I say \u0026ldquo;an additional layer of protection\u0026rdquo;. We know there are no perfect solutions to anything, much less IT security, and I can\u0026rsquo;t exactly guarantee attackers will never find a way to escape the hypervisor Application Guard uses. So keep patching.\nIf you do have the appropriate level of licensing, Application Guard for Office 365 (which I\u0026rsquo;ll now just call Application Guard for this article) isn\u0026rsquo;t enabled by default. On the endpoint, the requirements are beyond those of standard Microsoft 365 apps, which is part of the reason for this. Your users need a quad-core CPU that supports Intel VT-x or AMD-V and 8GB of memory (the same is true for Application Guard for Edge).\nTip: These hardware requirements are enforced when you try to turn Application Guard on, but you can get around them by editing registry values in HKLM\\Software\\Microsoft\\Hvsi:\nSpecRequiredMemoryInGB\nSpecRequiredProcessorCount\nSpecRequiredFreeDiskSpaceInGB\n\u0026hellip; or just buy your users a suitable device (please).\nAdditionally, because this is only for M365 E5/E5 Security licensees, you need to be running Windows 10 Enterprise 2004 or later. Windows 10 Pro does not support Application Guard for Office.\nApplication Guard itself is a Windows 10 feature you need to enable too. Manually, you can use the Enable-WindowsOptionalFeature cmdlet or, at scale, use an Intune Endpoint Security App and Browser Isolation profile:\nOptionally, you can also choose if Application Guard files are allowed to print. This is another benefit over Protected View, which blocks printing:\nThere\u0026rsquo;s a range of Application Guard settings configurable in the Office cloud policy service too. 
You can set these in Intune (Apps \u0026gt; Policies for Office apps) or config.office.com.\nThese generally do what they say on the tin, but I want to explore Prevent users from removing Application Guard protection on files a bit more. This prevents users from disabling Application Guard in settings or per file. It also means that if a user does need to get that file into local or network resources, you\u0026rsquo;re going to prevent that (e.g. maybe it\u0026rsquo;s an Excel file that references other workbooks by network file path). This is also important because, at the time of writing, you can\u0026rsquo;t run any macros in Application Guard. Good for security, but chances are your users will have some trusted files that Application Guard blocks (shared over email, downloaded from SharePoint Online, etc). Another potential problem is, to make sure you\u0026rsquo;re appropriately licensed, Application Guard needs to be online the first time a file opens in it. Consider if your users regularly go offline before deploying/enforcing.\nAfter the device reboots from enabling Application Guard, you\u0026rsquo;ll find a local account called WDAGUtilityAccount is now enabled (you don\u0026rsquo;t need to do anything with this; it\u0026rsquo;s managed by Windows for Application Guard instances to anonymise the actual user\u0026rsquo;s identity if queried by the file). Application Guard is now available. Files opened under it are given a special icon in the taskbar, ribbon, and splash screen.\nBut when exactly is Application Guard invoked? How do some files open in a standard instance, but others don\u0026rsquo;t?\nExcel, Word, and PowerPoint files open in Application Guard (or Protected View, if you can\u0026rsquo;t use Application Guard but want to put files in read-only by default) under circumstances like\u0026hellip;\nOffice File Validation (OFV) checks to make sure the file aligns to set format standards fail. 
File Block includes the file extension in scope. File Block is an index of denied extensions, which are generally legacy formats, but an administrator can use Administrative Templates to control the formats, which may include newer formats such as 2007 and later macro-enabled workbooks and templates.\nFiles saved in locations such as %temp%, which Office regards as unsafe locations.\nFiles downloaded from the internet (based on zones) which are given a Mark of the Web (MotW) by Windows, if the downloading/extracting software supports it. Most will (think browsers), though things get messy with some apps if we\u0026rsquo;re then extracting files from ZIPs or VHDs, etc. MotW can be seen below in Properties. Tip: Bit off topic, but open \u0026ldquo;YourFile.extension: Zone.Identifier:$DATA\u0026rdquo; in Notepad to see how this works and that Windows 10 logs the referrer URL\u0026hellip; yikes!\nThe last two of these are of particular interest to the Application Guard (and Protected View) approach to securing Word, Excel, and PowerPoint. It\u0026rsquo;s trivial to relocate a file from an \u0026lsquo;unsafe location\u0026rsquo; to a \u0026lsquo;safe location\u0026rsquo; (can such a thing exist?), and as you can see from the MotW screenshot, so is removing a MotW. Using either of these workarounds, users will bypass the earlier discussed setting to stop them from turning off Application Guard.\nAgain: security is just layers.\n","permalink":"https://campbell.scot/understanding-application-guard-for-office-now-generally-available/","summary":"\u003cp\u003e\u003cstrong\u003eApplication Guard\u003c/strong\u003e first appeared in Windows 10 1709 (\u0026ldquo;Fall Creators Update\u0026rdquo;) to isolate Edge browser activity within a Hyper V container.  
Microsoft now extends that same idea to Word, Excel, and PowerPoint in Office 365 ProPlus Microsoft 365 Apps for Enterprise on Windows 10\u0026hellip;\u003c/p\u003e\n\u003cp\u003e\u0026hellip; if you have Microsoft 365 E5 or E5 Security.  You knew that was coming!\u003c/p\u003e\n\u003cp\u003eWith \u003cstrong\u003eApplication Guard for Office\u003c/strong\u003e, your files can open in a sandbox without access local or network storage.  This provides an additional layer of protection against threats such as ransomware, for which Office apps are infamous as an attack surface.  There\u0026rsquo;s a significant catch: a standard configuration of Application Guard \u003cem\u003ewill\u003c/em\u003e allow users to bypass it if they say they trust the file, therefore executing it in the normal way; resource access included.  You can change this default behaviour though, so keep reading.\u003c/p\u003e","title":"Understanding Application Guard for Office, Now Generally Available"},{"content":"Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants. Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017.\nThe term legacy authentication doesn\u0026rsquo;t refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA). Protocols that support MFA are described as modern authentication. In the context of Microsoft 365 and Azure Active Directory, which handles Microsoft 365\u0026rsquo;s authentication, these are protocols such as ADAL and OAuth.\nWhen you use modern authentication, your users authenticate interactively with a web dialogue that belongs to your identity provider (Azure AD), rather than a dialogue the OS (Windows) or application (Outlook, Thunderbird) itself owns. 
This means the apps and services themselves are not trusted to handle credentials; your (hopefully) trusted authority like Azure AD deals with the credentials and issues a token.\nBasic authentication for the protocols EWS, EAS, POP3, IMAP4, and Remote PowerShell was set to be disabled on 13 October 2020. Of these, POP3, IMAP, and Remote PowerShell will all get OAuth support. This has since been changed to the second half of 2021, but when it does happen, if the application attempting to authenticate does not support the modern authentication protocols, you will not be able to authenticate. Note that SMTP AUTH (basic authentication) is already affected: since 2019, new tenants have had it disabled, customers who didn\u0026rsquo;t use it had it disabled, and if you used it, it would be disabled at the tenant level but supported at the mailbox/user level:\nSet-CasMailbox -SmtpClientAuthenticationDisabled $True\nThe reasons Microsoft advocates against continued support of legacy authentication are that it does not support MFA (which is by far the simplest way of protecting your users from account breaches), and that it is more susceptible to automated attacks such as password spray.\nYou can use Azure Active Directory\u0026rsquo;s Sign-In reports to see basic authentications against your tenants to understand and prepare for support changes. This can be exported to JSON or CSV too.\nAdditionally, in Outlook for Windows, you can view whether or not you are connected using legacy or modern authentication. In the Notification Area (beside the clock) on Windows, hold CTRL and right-click the Outlook sync icon, then select Connection Status.\nIn the General tab, there is a column called Authn. If the value is Bearer*, you are using modern authentication. If the value is Clear*, you are using basic authentication. A common question is what happens to the user experience if you are currently only on classic authentication and change to modern? 
If you enable modern authentication, you don\u0026rsquo;t need to rebuild the Outlook profile - the next connection will simply change to Bearer*.\n","permalink":"https://campbell.scot/understanding-modern-vs-legacy-authentication-in-microsoft-365/","summary":"\u003cp\u003eSince October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants.  Security Defaults are a group of best-practice security settings, and one of note is the disablement of all \u003cstrong\u003elegacy authentication\u003c/strong\u003e, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017.\u003c/p\u003e\n\u003cp\u003eThe term legacy authentication doesn\u0026rsquo;t refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA).  Protocols that support MFA are described as \u003cstrong\u003emodern authentication\u003c/strong\u003e.  In the context of Microsoft 365 and Azure Active Directory, which handles Microsoft 365\u0026rsquo;s authentication, these are protocols such as ADAL and OAuth.\u003c/p\u003e","title":"Understanding Modern vs. Legacy Authentication in Microsoft 365"},{"content":"As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.\nThe behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined. 
You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD\u0026rsquo;s properties for the device).\nIf you are going through any of the following scenarios, you, therefore, won\u0026rsquo;t have keys automatically uploaded and stored in Azure AD.\nIntroducing Hybrid Azure AD Join to an existing fleet and you want to store recovery keys in Azure AD\nThird-party software \u0026ldquo;brokering\u0026rdquo; BitLocker encryption and storing recovery keys in itself (e.g. Sophos Central)\nThe device has been manually or otherwise encrypted by BitLocker prior to Azure AD or Hybrid Azure AD Join\nThe ideal way to resolve this and get those keys in Azure AD is using the PowerShell cmdlet BackupToAAD-BitLockerKeyProtector, which does what it says on the tin. The even better way is to do this for your entire encrypted estate by deploying a script using Intune.\nHere\u0026rsquo;s how in three steps.\n1. The script I recommend is available here, but make sure you remove the -WhatIf parameter when you deploy to production. Save this as a PowerShell .ps1 script file.\n2. Navigate to Microsoft Endpoint Manager Admin Centre \u0026gt; Devices \u0026gt; Windows \u0026gt; PowerShell Scripts and choose + Add.\n3. Choose to run the script as SYSTEM then assign it to the devices for which you need to save the recovery key.\nIntune executes PowerShell scripts using an agent on Windows 10 - the Intune Management Extension (IME). This means for devices newly enrolling into Intune, if you have scoped this to them at the time of enrolment, the script will execute via the IME soon after enrolment. For existing devices, the script will run at next check-in or whenever the IME service restarts (e.g. a reboot). 
After the script runs successfully, the recovery key will be available in Azure AD almost immediately after in my experience.\n","permalink":"https://campbell.scot/store-bitlocker-recovery-keys-in-azure-ad-for-devices-already-encrypted/","summary":"\u003cp\u003eAs you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe.  You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.\u003c/p\u003e\n\u003cp\u003eThe behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined.  You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD\u0026rsquo;s properties for the device).\u003c/p\u003e","title":"Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted"},{"content":"In the name of transparency, or maybe stating the bleeding obvious, I confess I am that guy who can happily read an IT reference book or something like docs.microsoft.com or Practical 365 in the way someone else would read a popular fiction book. It\u0026rsquo;s partly an inability to turn off from the job, and partly just because I like learning how everything works. I\u0026rsquo;ve digested a ton of them over the last decade, so this blog is kind of my \u0026lsquo;acknowledgements\u0026rsquo;, where I\u0026rsquo;m recognising and conveying my gratitude to the ones most influential in the formation of my learning, writing style, and career.\n10. Mastering IBM i, by Jim Buck and Jerry Fottral My first company\u0026rsquo;s ERP system was hosted on an IBM i5/OS server - a descendent of the famous AS400 family. Fresh out of university - where I studied Computer Networking\u0026hellip; nothing to do with ERP or AS400s! 
- it was an intimidating beast. Sitting in the corner of the server room (or, more accurately, coatroom), the iSeries churned away with enviable reliability and robustness. It partly achieved this stability by minimising its UI, almost entirely being managed over telnet console emulation sessions. Basic tasks were nerve-wracking for a newbie such as myself, but Mastering IBM by Jim Buck and Jerry Fottral served me well, explaining concepts such as the file system, virtualisation, and (most fun) Query for i5/OS.\n9. The Practice of System and Network Administration, Second Edition, by Thomas Limoncelli et al. This (and others to come in the list) are books I devoured during my first job as a sysadmin, generally responsible for the uptime, stability, and management of my company\u0026rsquo;s IT infrastructure. \u0026ldquo;Practice\u0026rsquo;\u0026rdquo; offers best-practice, practical advice for anyone involved in IT infrastructure management on long-term planning, managing helpdesks, monitoring, backups and resiliency, and personal skills. This second edition was perfect for me in around 2012 when I started it, but in $currentYear is potentially a little outdated unless you are primarily on-prem. A new edition focuses on cloud environments so I\u0026rsquo;d recommend going for that if this sounds like something you\u0026rsquo;d benefit from.\n8. Time Management for System Administrators, by Thomas Limoncelli Limoncelli makes the list again for this excellent book on making the most of your time. It\u0026rsquo;s a quick read at about 200 pages but packed with practical advice and recommendations. How to manage your day, how to deal with interruptions (and minimise them), how to introduce habits into your week, etc. Worthwhile reading for anyone who struggles with time or wants a few good lifehacks (yes, I used that word).\n7. Unix and Linux System Administration Handbook, Fourth Edition, by Evi Nemeth et al. 
As a Microsoft 365 guy, my day-to-day work in production work environments doesn\u0026rsquo;t touch much on *nix. However, in my earlier days, I managed Ubuntu servers and studied Unix System Administration at university. In fact, it was the course I got my best grades in, primarily down to this amazing book. I wasn\u0026rsquo;t the first and won\u0026rsquo;t be the last to be slightly intimidated by Linux when starting off, coming from a Windows background. The terminal, the weird command names to remember, and being largely text-based as opposed to object-based. But Unix and Linux System Administration Handbook took complicated themes and made them easy to understand through simplification (just enough) and humour.\nEvi Nemeth, the lead author, tragically has been missing for seven years, after sailing near the Tasman Sea. My thoughts are with her and her family; she is a true legend in mathematics and system administration.\n6. Computer Networks, by Andrew Tanenbaum and David Wetherall Another icon in computing, Andrew Tanenbaum is perhaps best known for his work on operating systems, particularly his Unix clone MINIX. In Computer Networks, he and David Wetherall deliver technical deep dives on protocols and technologies, catalogued by their place in the OSI model. My current role doesn\u0026rsquo;t require a tremendous level of knowledge about networking, but this still makes an excellent reference piece if anything comes up, particularly chapter eight on network security. This makes my influences list, like most others, because it gets into such deep levels of analysis and explanation without being overwhelming. You can pick this up, spend 10-30 minutes reading, it comes away really feeling you learned something that should have taken a lot longer.\n5. 
Learn Windows PowerShell in a Month of Lunches, Second Edition, by Don Jones and Jeffery Hicks It\u0026rsquo;s 2013, and I\u0026rsquo;m leading a project on migrating my company from Lotus Domino and Notes to Office 365. In the early stages, I\u0026rsquo;m feeling good. The board are buying into it. Users love the idea of getting Outlook and the latest version of the Office apps. We\u0026rsquo;ve got good migration software that\u0026rsquo;s testing fine, and although I\u0026rsquo;m stressed about what could go wrong, I\u0026rsquo;m feeling pretty good.\nThen I\u0026rsquo;m asked by a manager in our pilot group: \u0026ldquo;Can you give me permission to this mailbox, but not map it my Outlook?\u0026quot;. \u0026ldquo;Sure\u0026rdquo;, I reply, assuming it\u0026rsquo;ll just find a tick box somewhere in Exchange Online (and of course getting them to raise a ticket, as Thomas Limoncelli taught me in Time Management).\nSome frantic Googling researching, and it transpires I need to use this thing called PowerShell to do it. \u0026ldquo;What?!\u0026rdquo; was my first thought. How could I be dragging us from the last century using Lotus only to need to back to a command line for basic stuff like this?\nSo, I fire up PowerShell ISE. \u0026ldquo;This is pretty cool - it basically holds my hand through the commands.\u0026rdquo; I log in to Exchange Online. \u0026ldquo;Hm, I can easily get lists of everything here, or apply settings to them all; not bad\u0026rdquo;. I run my command (or as I\u0026rsquo;d soon learn, cmdlet), and voila, it\u0026rsquo;s done. It becomes apparent to me very early on, if I want to have any kind of skill with our new Office 365 environment, and to scale administration, I need to get better at this\u0026hellip;\nI devoured \u0026ldquo;Lunches\u0026rsquo;\u0026rdquo; in no time at all, in fact going into my evenings and early mornings too. 
I used it in conjunction with Don Jones\u0026rsquo;s online materials, and before long I was taking my need to assign mailbox permissions into scripts, pulling things such as Active Directory attributes (manager) and applying automatically for new users. Since then, I\u0026rsquo;ve never been comfortable enough to call myself anything other than \u0026ldquo;experienced\u0026rdquo; in PowerShell (definitely not an expert), but \u0026ldquo;Lunches\u0026rdquo; by Don and Jeffery provides such a strong foundational level of knowledge that anyone in IT can pick it up, follow it through, then feel comfortable enough with any PowerShell problem that \u0026ldquo;hey, I can probably figure this out.\u0026rdquo;\n4. The Art of Deception, by Kevin Mitnick Another one from my early days in IT, at university, \u0026ldquo;Deception\u0026rdquo; got me interested in the basic rules of IT security as they pertain to people. It\u0026rsquo;s not my favourite book of his (keep reading), but I read this page to page in a couple of days. It\u0026rsquo;s mostly fictional stories inspired by his real-life experience as a prolific and controversial hacker, but also includes practical advice on corporate policy for information security. This maybe isn\u0026rsquo;t one for someone with a lot of infosec experience, but reading it at such an early stage in my IT life, it opened my eyes into what is possible beyond merely the tech.\n3. Microsoft 365 Security Administration: MS-500 Exam Guide, by Peter Rising OK, I know what you\u0026rsquo;re thinking. I mentioned I was a geek who\u0026rsquo;d read the documentation for fun, but an exam guide- really? Hear me out.\nI\u0026rsquo;ve passed a bunch of Microsoft exams over the years and have had mixed experiences with the official exam reference books - some great, some not so great. This is in large part due to Microsoft changing exam objectives and also authors having to be careful around NDAs. 
It\u0026rsquo;s also caused by authors who don\u0026rsquo;t really translate super-technical topics very well to normal language that\u0026rsquo;s easily digested by newbies. This exam guide by Peter does it well - taking some rather advanced security concepts and distilling them into easy-to-understand concepts. I work with Microsoft 365 security daily (as you can tell if you read this blog) and that experience, coupled with this guide to formalise my understanding of things, helped me pass the exam first time.\nThat\u0026rsquo;s not the whole story of it making this list. Peter is a colleague and friend of mine; a fellow Microsoft 365 consultant who has helped and supported me constantly since I moved from internal IT to consultancy. This is his first book and part of a tremendous output of work and contributions of his to the Microsoft community that recently culminated in the much-deserved MVP award. Seeing his journey, in large part instigated by this book, has been very inspirational. And it\u0026rsquo;s just cool to be friends with an MVP! Thank you, Peter, for all your support and inspiration.\n2. CCNA Study Guide, Fifth Edition, by Todd Lammle It\u0026rsquo;s my second year of college, and we\u0026rsquo;ve finally progressed from learning about computer parts to networking. I\u0026rsquo;m sitting in a lecture about subnetting. My eyes are glazed over as my lecturer speaks, what I presume to be, an alien language; taking numbers, inverting them, converting them to binary, and somehow this means computer A knows computer B isn\u0026rsquo;t on the same network. Huh?\nI\u0026rsquo;m left feeling completely out of my depth. Maybe this computing stuff isn\u0026rsquo;t for me. This is\u0026hellip; maths? Or something weird, anyway. But, the lecturer recommended getting a CCNA study guide, so onto Amazon that night, buying Todd\u0026rsquo;s book.\nThe night the book arrives, I sit at my desk - distraction-free. 
I didn\u0026rsquo;t have a smartphone at the time, which, looking back, made studying so much easier. I remember planting the study guide flat on my desk on Chapter 3 and holding down either side of the book with other books; it was that massive, it just wanted to fold in on itself. Then, I crack on, notepad in front, and start doing subnet masks like my gran did crosswords, using Todd\u0026rsquo;s book as my reference guide.\nThe reason this particular book is so influential to me is it taught me you can learn what is, on first glance, beyond you. In fact, there really isn\u0026rsquo;t much beyond you. Put in the work - with the help of good reference material - and you will learn it.\n1. Mastering Microsoft Windows Server 2008 R2, by Mark Minasi et al. By far the most influential technology book of my career, \u0026ldquo;Mastering\u0026rdquo; by Mark Minasi is what turned me into a Microsoft IT guy.\nUntil I read this, my grades in college and university were always worst in Microsoft subjects and highest in things such as networking or Linux. I was, frankly, perplexed by subjects such as Active Directory. Too complicated, too many gotchas, and difficult to get a bird\u0026rsquo;s eye view of. Additionally, I felt I was only ever told what to do and not how things actually worked. When I finally read Mastering, it was like sitting down with someone in normal conversation, explaining, after years of experiences, \u0026lsquo;here\u0026rsquo;s what you really need to know\u0026rsquo;.\nMastering matches my learning style as it explains things from a high level, piecing together all the little bits you\u0026rsquo;ve heard of to reveal the bigger picture and where they all meet in the chain. Then, when you know that, it gets more technical - the AD database, etc. Reading it, I thought this is what I want to learn and this is how I want to teach. 
It was eye-opening how I could go from being so bamboozled, to just getting it.\nUltimately, learning comes down to putting in the time, but when the teaching material is written in an approachable way such as it is in this, that time both flies by and is reduced. If my blog and writing is even a patch on this, I\u0026rsquo;ll be glad.\nBonus: Ghost in the Wires, by Kevin Mitnick Not really influential, but a thrilling read that is more like a novel than real life. One of the few books I can easily re-read, Ghost in the Wires is Kevin\u0026rsquo;s retelling of his prolific and controversial past as one of the FBI\u0026rsquo;s most wanted hackers. Starting with his time as a phreaker, things escalate as technology advances, and Kevin breaks into serious government agencies, ultimately serving prison time after being found guilty of numerous federal charges such as wire fraud.\n","permalink":"https://campbell.scot/the-10-technical-it-books-of-most-influence-to-me/","summary":"\u003cp\u003eIn the name of transparency, or maybe stating the bleeding obvious, I confess I am \u003cem\u003ethat guy\u003c/em\u003e who can happily read an IT reference book or something like \u003ca href=\"http://docs.microsoft.com\"\u003edocs.microsoft.com\u003c/a\u003e or \u003ca href=\"https://practical365.com/\"\u003ePractical 365\u003c/a\u003e in the way someone else would read a popular fiction book.  It\u0026rsquo;s partly an inability to turn off from the job, and partly just because I like learning how everything works.  
I\u0026rsquo;ve digested a ton of them over the last decade, so this blog is kind of my \u0026lsquo;acknowledgements\u0026rsquo;, where I\u0026rsquo;m recognising and conveying my gratitude to the ones most influential in the formation of my learning, writing style, and career.\u003c/p\u003e","title":"The 10 Technical IT Books of Most Influence on Me"},{"content":"Today I\u0026rsquo;m sharing a useful bit of PowerShell I gracelessly punt from script to script whenever I need to make sure a prerequisite is met before running something and to keep checking until it\u0026rsquo;s met, then run what I need: \u0026ldquo;do X when Y is ready and keep checking Y until it\u0026rsquo;s ready\u0026rdquo;.\nThe original use for this was my script to create a new Microsoft 365 user, but hold off on some parts of it - such as time zone settings - until the Exchange Online mailbox is provisioned. That takes some time, so I wanted to keep checking and as soon as I could, continue the script.\nAnother scenario this could potentially be used in is if you have to execute something with a dependency on connectivity to a remote server, but you need to wait on a connection being established, e.g. 
VPN connection separate to the script.\nHere\u0026rsquo;s what it looks like using my \u0026ldquo;don\u0026rsquo;t proceed until the mailbox exists\u0026rdquo; example:\nif ((Get-Mailbox $email).PrimarySmtpAddress -eq $email) { [System.Windows.Forms.MessageBox]::Show(\u0026#34;Mailbox provisioned in Exchange Online.\u0026#34;) } else { Do { Start-Countdown -Seconds 30 -Message \u0026#39;Syncing to Azure AD and creating Office 365 mailbox.\u0026#39; } Until ((Get-Mailbox $email).PrimarySmtpAddress -eq $email) [System.Windows.Forms.MessageBox]::Show(\u0026#34;Mailbox provisioned in Exchange Online.\u0026#34;) } I can hear some screaming in the distance at my use of MessageBox, but for everyone else: what\u0026rsquo;s happening here?\nFirst, Get-Mailbox runs against the mailbox we are interested in setting. It does not find the mailbox, so passes it to else, which says \u0026ldquo;I\u0026rsquo;ll wait a minute, then try again\u0026rdquo;, when until confirms the mailbox exists. And repeat. In your own use of checking the mailbox existed, all you\u0026rsquo;d need to do is change the variable of $email and the messages displayed.\nI am also using Start-Countdown, an awesome function by Martin Pugh which is like Start-Sleep but with a visual countdown. Available here.\nIn another example, I only run the $install block if Test-Connection confirms I can connect to $server. This one uses Start-Sleep instead of Start-Countdown and consequently, if it\u0026rsquo;s running interactively, the user will see error messages until the server\u0026rsquo;s available. I use this when installing apps using PowerShell running as SYSTEM. 
For example, run at startup but only when the VPN\u0026rsquo;s connected.\nif (Test-Connection \u0026#34;$Server\u0026#34; -Count 1 -TimeToLive 135){ \u0026amp;$install } else { Do { Start-Sleep -Seconds 30 } Until (Test-Connection \u0026#34;$Server\u0026#34; -Count 1 -TimeToLive 135) \u0026amp;$install } The template minus any example information is below, where Check-This represents your cmdlet for a prerequisite, and Do-This is the cmdlet for your action.\nif (Check-This){ Do-This } else { Do { Start-Sleep -Seconds 5 } Until (Check-This) Do-This } ","permalink":"https://campbell.scot/powershell-run-cmdlet-if-another-was-successful-and-keep-trying-until-it-is/","summary":"\u003cp\u003eToday I\u0026rsquo;m sharing a useful bit of PowerShell I gracelessly punt from script to script whenever I need to make sure a prerequisite is met before running something and to \u003cem\u003ekeep checking\u003c/em\u003e until it\u0026rsquo;s met, then run what I need: \u0026ldquo;do X when Y is ready and keep checking Y until it\u0026rsquo;s ready\u0026rdquo;.\u003c/p\u003e\n\u003cp\u003eThe original use for this was my script to create a new Microsoft 365 user, but hold off on some parts of it - such as time zone settings - until the Exchange Online mailbox is provisioned.  That takes some time, so I wanted to keep checking and as soon as I could, continue the script.\u003c/p\u003e","title":"PowerShell: Run Cmdlet If Another Was Successful (And Keep Trying Until It Is)"},{"content":"Microsoft Cloud App Security (MCAS), Redmond\u0026rsquo;s cloud app security broker (CASB) offering, is a powerful tool for investigating and pro-actively controlling your SaaS estate. It includes tools such as reverse proxying to control sessions and sits inside the Microsoft Threat Protection stack alongside Defender ATP, Office 365 ATP, and Azure ATP. MCAS started life as Adallom prior to Microsoft\u0026rsquo;s acquisition of that company in 2015. 
It\u0026rsquo;s included in Microsoft 365 E5 and numerous other licensing subsets, including EMS E5, E5 Security (an add-on for Microsoft 365 E3), Information Protection \u0026amp; Governance, or standalone. In all cases, you\u0026rsquo;d need to make sure it includes or you also get a license for Azure AD Premium for the reverse proxy benefits, delivered via Conditional Access App Control.\nOf course, every penny\u0026rsquo;s a prisoner, and you don\u0026rsquo;t want to pay any more than you do already. What else is available in lesser subscriptions?\nIf you have Azure AD Premium P1, you get Microsoft Cloud App Security Discovery (CAD). This is a limited subset of MCAS that lets you manually or automatically upload logs to review cloud usage by your users. As the name suggests, with CAD you get the discovery toolkit of MCAS, but nothing else.\nIf you have Office 365 E5, your plan includes Office 365 Cloud App Security (OCAS) (not Microsoft Cloud App Security). This was previously called Office 365 Advanced Security Management and renamed at Ignite 2017 to better represent the relationship with its big brother MCAS.\nOCAS lacks some of the advanced features of MCAS such as third party support, anomaly detection, policy settings, and AIP integration, but does have some compelling capabilities for securing your Microsoft 365 estate. I\u0026rsquo;ve listed these below and note they are all limited to Office 365 or Azure. Again, third-party integration requires full MCAS.\nConditional Access App Control Lets you impose rules on web-based access to Office 365 services. For example, block the download or cut/copy/paste/print of sensitive information. 
Need to have Azure AD Premium P1 too A detailed activity log Review details of things such as identity events (attempted logins, password resets, etc), and SharePoint list + file events (downloaded, edited, deleted, etc) SIEM connections for your Office 365 alerts Centralise reporting in a service such as Sentinel Azure security configurations Recommendation reports for improving your Azure posture, such as audit settings, access to storage accounts, NSG port access, etc. Automated alerts with remediation From the activity log filter, you can create activity policies based on the results of that filter. For example, you filter to view the activities you are interested in. You can then create an activity policy to alert if these activities occur by certain user criteria, file, IP, device type. You can also use this for potential malware detection. Additionally, you can apply governance actions for when activities match. For example, if a user performs an impersonated activity on an unmanaged device, suspend them. Or if a user starts uploading files with file types associated with ransomware, confirm them as compromised. If you manually upload logs to an OCAS snapshot report, you can also gain some insight into your third (and first) party cloud usage. This is part of CAS\u0026rsquo;s discovery feature set you get in CAD, discussed earlier. Logs come from sources such as your firewall appliance or W3C logs. What you can do is quite limited though. You\u0026rsquo;ll find information about traffic (up and down), associated users, and IP addresses.\nThe session controls you get via Conditional Access App Control are also not as complete as they are with MCAS, even for Office 365 applications. With MCAS, for example, you get complete access to Microsoft\u0026rsquo;s sensitive info types engine which recognises types of information such as passport numbers or even Azure Storage Keys. With OCAS, you get a much-reduced selection and it\u0026rsquo;s largely USA-centric PII. 
So not UK passport numbers, for example.\nWhat does a session policy look like to the end-user in OCAS? On login, their domain will redirect to a subdomain of cas.ms and, optionally, they\u0026rsquo;ll be warned their activity is monitored.\nWhen the user performs an action OCAS is configured to control against, they will get a message about it. In this simple example, I have a rule against copying email addresses. OCAS, unlike some of the out-of-the-box SharePoint access controls, therefore, gives you more fine-grained controls over what users can do on things such as unmanaged devices. While SPO can let you block access entirely or just block downloads, OCAS takes it a step further, based on the type of information.\nAs an administrator, I can now browse the activity log and see these attempted actions. It logs permitted actions as well as blocked ones; useful for reactive investigations. I can also, using tools such as the hyperlinks and filters, spin out what I find to find related events and chain investigations together.\nTo conclude, if you have Office 365 E5 and don\u0026rsquo;t want to stretch to a package that includes the full MCAS suite, there is a lot you can do with OCAS, but you\u0026rsquo;ll probably be frustrated with the limitations eventually. If you have Azure AD Premium P1 - say, as part of Microsoft 365 E3 - you will have CAD, which will be good for showing you what shadow IT is going on, but that\u0026rsquo;s about it.\n","permalink":"https://campbell.scot/the-difference-between-cloud-app-security-discovery-cad-office-365-cloud-app-security-ocas-and-microsoft-cloud-app-security-mcas/","summary":"\u003cp\u003e\u003cstrong\u003eMicrosoft Cloud App Security\u003c/strong\u003e (MCAS), Redmond\u0026rsquo;s cloud app security broker (CASB) offering, is a powerful tool for investigating and pro-actively controlling your SaaS estate.  
It includes tools such as reverse proxying to control sessions and sits inside the \u003cstrong\u003eMicrosoft Threat Protection\u003c/strong\u003e stack alongside Defender ATP, Office 365 ATP, and Azure ATP.  MCAS started life as Adallom prior to Microsoft\u0026rsquo;s acquisition of that company in 2015.  It\u0026rsquo;s included in Microsoft 365 E5 and numerous other licensing subsets, including EMS E5, E5 Security (an add-on for Microsoft 365 E3), Information Protection \u0026amp; Governance, or standalone.  In all cases, you\u0026rsquo;d need to make sure it includes or you also get a license for Azure AD Premium for the reverse proxy benefits, delivered via \u003cstrong\u003eConditional Access App Control\u003c/strong\u003e.\u003c/p\u003e","title":"The Difference Between Cloud App Security Discovery (CAD), Office 365 Cloud App Security (OCAS), and Microsoft Cloud App Security (MCAS)"},{"content":"After being released to Public Preview last month (July 2020), I have finally had a chance to test out Microsoft Endpoint DLP. The management of endpoint DLP - that is, preventing sensitive information from leaving the host computer - comes up frequently in my discussions with companies I help with security and compliance. Often, they have third-party tools doing it and are looking to centralise under Microsoft\u0026rsquo;s stack.\nIn this blog, I\u0026rsquo;ll give an overview of:\nWhat Endpoint DLP is and what I think it can replace Prerequisites (licenses, software, etc) How you get your devices protected by it (\u0026ldquo;onboarded\u0026rdquo;) Configuring protection settings User experience Overview Until now, the initial recommendation for a first-party way of DLP on machines was Windows Information Protection (WIP), which I have blogged about before. WIP is a very powerful tool for encrypting enterprise information and reducing its (mostly accidental) spread away from devices or work apps/sites, but it\u0026rsquo;s a bit of a sledgehammer approach. 
Although powerful, it can be difficult to wrap your head around its intricacies, and therefore easy to break (for example, I have never gotten Azure Information Protection integration to work).\nWith Endpoint DLP, you are given a more intuitive way of managing data loss prevention by centralising its management under the existing policies managed in the Compliance Centre at compliance.microsoft.com. This way, you can protect sensitive information such as credit cards or PII from a single policy covering the communication tools such as Exchange and SharePoint, but also the Windows 10 device. Additionally, you are not encrypting files as you do with WIP - only blocking their movement. While this feature of WIP makes it great for BYOD (revoke the keys), I do wonder how many people actually use it fully in that context, and even if they do, AIP is probably a better solution.\nYour options for Endpoint DLP are listed below, and I test each later in this post. These can be run either in full block mode, audit only mode, or audit with permission for the user to override.\nUpload to unsupported cloud services, browsers, or apps You specify the services (domains), browsers (from a list, or choose your own), and apps (executable names). Copy to clipboard Copy to USB Copy to a network share Access by unallowed apps Print Prerequisites / limitations Endpoint DLP is available under the full M365 E5 license or its smaller offspring E5 Compliance and E5 Information Protection \u0026amp; Governance. It is a native tool, which means you don\u0026rsquo;t need any additional agents or software except a small onboarding process. This process is the same as the one used for Microsoft Defender ATP, to provide telemetry, so if you have already onboarded devices to the MDATP service, you are good to go. It is supported on Windows 10 1809+ and Edge (Chromium). Devices must be Azure AD Joined or Hybrid Azure AD Joined. 
For more on Hybrid Joined devices, refer to my blog post here. File types supported: Word, PowerPoint, Excel PDF CSV, TSV C, Class, CPP, CS, H, Java Onboarding As mentioned earlier, onboarding for Endpoint DLP is the same as for Defender ATP, so if you\u0026rsquo;re familiar with that or have already done so, you can safely skip this.\n1. Open compliance.microsoft.com and navigate to Settings \u0026gt; Onboard devices. Choose turn on device onboarding. If you don\u0026rsquo;t have the appropriate licensing, you won\u0026rsquo;t be able to proceed.\n2. Acknowledge the warning that any Defender ATP devices will now also be presented as Compliance Centre onboarded devices.\n3. You are presented with a warning that device monitoring is being turned on. In my case, I had no MDATP in this tenant and could proceed to the onboarding page within a minute or two.\n4. You have a few ways to onboard depending on the tools at your disposal:\nScript(s) Group policy ConfigMgr Intune If all the above are at your disposal, Intune is my preference. For the sake of this blog though, I opted for a local script, which will be available to everyone.\n5. Choose Local script from the drop-down and download package. This gives you a ZIP called DeviceComplianceOnboardingPackage which extracts a single file, DeviceComplianceLocalOnboardingScript.cmd. Again, if you\u0026rsquo;ve ever used or played about with MDATP, this will all be very familiar.\n6. As a local administrator, run the script on the device you\u0026rsquo;re going to onboard and, when prompted, enter Y to confirm.\n7. Almost immediately, the device showed in the devices page of device onboarding in the Compliance Centre.\nSetting up DLP policies Endpoint DLP settings are set up in the same interface as existing DLP policies in the Compliance Centre. However, before we get into setting up an actual policy, we\u0026rsquo;ll look at a new tab called Endpoint DLP settings. 
These settings are universal to all Endpoint DLP policies we create. Note the page is currently in preview and I have found it buggy, having to refresh constantly for changes to show.\nThe first setting is file path exclusions and does what it says on the tin. You can put in wildcards and variables too, and the directories you specify will be completely exempt from any Endpoint DLP. When you specify a folder, you are also specifying all its subfolders.\nNext is unallowed apps in which you specify the process.exe name and an identifier. In the example below, I have added Evernote apps as unallowed, and Endpoint DLP will prevent me from actions such as copy and paste to them (if I specify that control in the policy).\nUnallowed browsers are an extension of the above and will prevent actions such as uploading files to the browsers. You can put in your own process.exe or choose from a list of known ones.\nFinally, you can configure service domains. This one caught me out a little. As you can see to the left of the screenshot, there is an allow or block category which lets you specify if a website domain can or cannot have files uploaded to it in Edge (Chromium). Note that when you add a service domain (no wildcards supported), you can\u0026rsquo;t actually then see if it\u0026rsquo;s set as allowed or blocked. For example, I changed the drop-down to block then added wetransfer.com. I then changed it to allow, assuming this would change the filter view; but it didn\u0026rsquo;t. Not a great experience.\nTo now apply these settings to Endpoint DLP, you need to create a policy targeted to users. In this demo, I create a simple one to prevent the loss of IP addresses. 
I won\u0026rsquo;t cover creating DLP policies in great detail as others have done it to death (and better than I could), so I\u0026rsquo;ll focus on the endpoint stuff.\nIn the choose locations to apply the policy page of your policy, note a new location called devices.\nIn the actions for endpoint DLP, you have the aforementioned options.\nAdmin Experience - Telemetry I created a test file called IP Addresses with the sensitive information configured above (IP address type). I also made a file I knew wouldn\u0026rsquo;t have sensitive information in it for false-positive testing.\nAs an administrator, I can visit the data classification page in the Compliance Centre and, for onboarded devices, see some interesting (bordering on intrusive) information about the files the device is now working with.\nAs you can see towards the bottom of the screenshot below, not only can I see file activity of sensitive files, but also any files (my completely empty file is shown).\nUser Experience - Blocks s\n","permalink":"https://campbell.scot/protecting-sensitive-information-in-windows-with-microsoft-endpoint-data-loss-prevention-dlp/","summary":"\u003cp\u003eAfter being released to Public Preview last month (July 2020), I have finally had a chance to test out Microsoft Endpoint DLP.  The management of endpoint DLP - that is, preventing sensitive information from leaving the host computer - comes up frequently in my discussions with companies I help with security and compliance.  
Often, they have third-party tools doing it and are looking to centralise under Microsoft\u0026rsquo;s stack.\u003c/p\u003e\n\u003cp\u003eIn this blog, I\u0026rsquo;ll give an overview of:\u003c/p\u003e","title":"Protecting Sensitive Information in Windows 10 with Microsoft Endpoint Data Loss Prevention (DLP)"},{"content":"This blog is the last in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\nPart 1: Entitlement Management Part 2: Access Reviews Part 3: Privileged Identity Management (PIM) (this post) PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD. Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. While this is still supported under PIM, it\u0026rsquo;s less of a requirement - PIM makes admin rights time bound on the same account and optionally requires approval to activate.\nUsers are added as members to administrative roles then assigned to eligible or active role assignment categories.\nEligible users need to take an extra step to activate the elevated role and get its rights. This might be requesting approval from someone, MFA usage, or potentially both. Active users will not have to perform anything like this; they just always have the permissions, as if traditionally assigned them. You can time fence things with an expiration period for both of these. The user stops being entitled to the administrative role when the expiration hits. As an example of usage, consider a temporary employee or contractor who needs unfettered Global Administrator rights to get the job done. When the employee is no longer active in your tenant, your security position is improved even without deleting the account as it no longer has the elevated rights - they\u0026rsquo;ve expired - and your attack surface is reduced.\nJIT applies to eligible users. 
With JIT, during BAU and doing normal work such as email, the account is just as powerful as a standard user (i.e. it isn\u0026rsquo;t powerful). The user can, however, visit the Azure AD Privileged Identity Management web interface and activate roles they have been scoped for.\nSeen above, the expiration period is the end time and a user can begin Global Administrator activation any time until then.\nTo activate, additional verification may be required, configured at time of set up by a PIM Administrator. For example, clicking Activate sends an MFA prompt to the device, because it has been configured that all Global Administrators require this to activate. The PIM administrator can also control how long the user can request activation to last, to a limit of 24 hours. If not required immediately, the elevating user can also choose a custom start time, at which point the new rights kick in. Reasons can also be mandated.\nIf the role is configured for approval, an approver is emailed about the request.\nWhen they click Approve or deny request, they\u0026rsquo;re taken to the PIM web console to choose.\nWhoever requested elevation is then sent an email to let them know it\u0026rsquo;s been approved, at which point they can now perform actions that are limited to that role, until they expire.\n","permalink":"https://campbell.scot/getting-started-with-azure-ad-identity-governance-part-3-privileged-identity-management-pim/","summary":"\u003cp\u003eThis blog is the last in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-1-entitlement-management/\"\u003ePart 1: Entitlement Management\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-2-access-reviews/\"\u003ePart 2: Access Reviews\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"/getting-started-with-azure-ad-identity-governance-part-3-privileged-identity-management-pim/\"\u003ePart 3: Privileged Identity Management (PIM) (this post)\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003cp\u003ePIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD.  Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached.  While this is still supported under PIM, it\u0026rsquo;s less of a requirement - PIM makes admin rights time bound on the same account and optionally require approval to activate.\u003c/p\u003e","title":"Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)"},{"content":"This blog is the second in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\nPart 1: Entitlement Management Part 2: Access Reviews (this post) Part 3: Privileged Identity Management (PIM) Historically, the apps, groups, and rights a user had were all under central and constant management by IT. Azure AD and modern management have pushed this towards \u0026lsquo;self-service\u0026rsquo;, including guest users, which improves productivity. The goal of Azure AD access reviews is to improve the management of user rights and access, in this modern environment, throughout their lifecycle in your tenant. It empowers you with automated tools to control their groups, apps, and roles (admin rights).\nAccess reviews are managed across the Azure AD portal based on what access you\u0026rsquo;re actually reviewing. For this reason, think of access reviews not as a product, but rather a feature of the product that opens up with appropriate licensing (covered later).\nIf you want to manage app access, you manage this from Azure AD\u0026rsquo;s access review page or its enterprise applications page. 
If you want to manage group membership, you manage this from Azure AD\u0026rsquo;s access review page or its groups page. If you want to manage roles (permissions) on Azure resources or Azure AD, you manage this from within the Privileged Identity Management page of the Azure AD portal. If you want to manage entitlement management access packages, covered in Part 1 of this series, use the access package page. Access reviews are conducted either by the user themselves or a reviewer (sometimes called a sponsor in the case of guests). This user does not need to be an administrator, but global admins, user admins, security admins, and security readers have permissions to access reviews that they are not the allocated reviewer of.\nEvery access review is linked to a program (the default one if you don\u0026rsquo;t choose otherwise). These are groups of access reviews that you might use if there is a particular requirement for the review. For example, a compliance program.\nYou need Azure AD Premium P2 licenses for anyone who will be reviewing access (theirs or others\u0026rsquo;). As with entitlement management, one licensed internal user gives you license compliance for five guest users.\nRun-through Navigate to the Azure AD \u0026gt; Identity Governance \u0026gt; Access reviews \u0026gt; Onboard.\nChoose to Onboard Now, which enables access reviews for the Azure AD directory. Note that if you don\u0026rsquo;t complete this step, the Overview page of access reviews will report an error Tenant is not onboarded for Access Reviews feature. I have no idea why access reviews need to be enabled manually\u0026hellip;\n3. You are kicked out of the panes you had opened and a notification displays that onboarding is running and, very quickly, completed. Acknowledge this and browse back to Access reviews.\n4. As mentioned earlier in the article, you can create access reviews from the normal administrative page of the function you want to audit. 
For example, you can create one from the groups AAD page under the activity section. However, for this demo, I\u0026rsquo;ll work within the dedicated access reviews page and choose + New access review.\n5. There are a ton of options. Let me focus on explaining the more significant ones.\nStart date controls when the access review is initiated. The main use case for this is aligning it to a calendar week or month. For example, you anticipate different use patterns during that window than if you otherwise just chose the default current date.\nFrequency controls how often this access review is repeated. That is, how often the review is initiated again using the start date as a reference point. For example, if I choose Monday as a start date, then weekly, it\u0026rsquo;ll run every Monday. If I choose semi-annually and start 1 January, the next runs 1 July.\nDuration and end date are exclusive options and the former only applies if you choose a recurring frequency. End date does what it says on the tin and duration is controlled by the frequency\u0026rsquo;s upper limit. For example, a weekly access review can only run for six days; an annual one can run for 360 days. For recurring reviews, you can also control how many times in total it should run, or a final date after which no more run.\nFor users, you can choose all users in an enterprise app\u0026rsquo;s assignment scope, guests, groups, or everyone. In the review screenshotted below, I\u0026rsquo;ve chosen to do an access review for everyone using an enterprise app called IIS Hello World. Alternatively, I could limit it to guest users of the app. Two things of note:\nI am told about historic reviews for my choice. If I scope to a selection that\u0026rsquo;s empty, the access review automatically closes itself after creation. For example, scoping to guests when there are none. 
Reviewers are who visits the access review page to view details of the review and can be named users (not groups) or the user being reviewed themselves in a mode called assigned access review or self-access review. In the demo below, I\u0026rsquo;ve chosen self-access.\nUpon completion settings control what happens after the reviewer has chosen to remove or approve access. You have controls over what to do if the reviewer doesn\u0026rsquo;t choose anything: do nothing, remove, approve, or follow the Azure-generated recommendation (based on use patterns). My recommendation for the self-access review scenario is to choose to remove access if reviewers don\u0026rsquo;t respond.\nAdvanced settings let you choose whether or not recommendations (mentioned above) are shown to the reviewer, whether or not justification is required (for both assigned review and self-access), and whether or not admins and reviewers get emails at the end and beginning of reviews (or reminders to action). New to access reviews, you can also include additional custom text in those emails, for example, a quick explainer in your own words about what access reviews are or who to consult for help.\n6. The reviewer - self or someone else - receives an email advising they must start the review and when to do so by. This comes in from azure-noreply@microsoft.com which you cannot change. The wording in the case of self-access is a bit strange, as it asks them to do it for \u0026ldquo;one or more users\u0026rdquo;. It would be nice if it were a bit finer tuned between self-access and someone else reviewing.\n7. After clicking Start review in the email, you are taken to My Access (myaccess.microsoft.com) if self-assessing. 
If you read the first blog in this series on entitlement management, this page will be familiar as it\u0026rsquo;s also where users can manage access packages for easy onboarding to collections of apps and groups.\nThe user is simply asked if they need continued access and, if selected when the access review was created, a reason why. 9. As an administrator, navigate to the access review: Azure AD \u0026gt; Identity Governance \u0026gt; Access reviews \u0026gt; [access review name]\nIn the results page, I can see that my demo user has approved themselves for continued use of the app. 11. If I ran this in assigned access review mode - ie, someone else reviewed the user\u0026rsquo;s access - their result would be displayed here. Then, if the setting to auto-apply results to resource were set to enable, that would automatically be applied. Were it set to disable, an administrator would need to choose to apply on the overview page.\n","permalink":"https://campbell.scot/getting-started-with-azure-ad-identity-governance-part-2-access-reviews/","summary":"\u003cp\u003eThis blog is the second in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-1-entitlement-management/\"\u003ePart 1: Entitlement Management\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-2-access-reviews/\"\u003ePart 2: Access Reviews (this post)\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-3-privileged-identity-management-pim/\"\u003ePart 3: Privileged Identity Management (PIM)\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eHistorically, the apps, groups, and rights a user had were all under central and constant management by IT.  
Azure AD and modern management have pushed this towards \u0026lsquo;self-service\u0026rsquo;, including guest users, which improves productivity.  The goal of Azure AD access reviews is to improve the management of user rights and access, in this modern environment, throughout their lifecycle in your tenant.  It empowers you with automated tools to control their groups, apps, and roles (admin rights).\u003c/p\u003e","title":"Getting Started with Azure AD Identity Governance – Part 2: Access Reviews"},{"content":"This blog is the first in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\nPart 1: Entitlement Management (this post) Part 2: Access reviews Part 3: Privileged Identity Management (PIM) Azure AD entitlement management is a bit of an overlooked gem. It\u0026rsquo;s a feature that automates the processes for giving users access to resources. The typical scenario is a user has just joined a new department or is a new employee. Over time, the resources their team need access to have sprawled across the M365 estate and it would be laborious to give permission to them all manually - if you even remember them all. Additionally, you want to ensure the user\u0026rsquo;s access is time-controlled so that as their role changes, their access does too.\nEntitlement management allows those resources to be accessed in what it calls an access package. In an access package, you throw in the resources a user will need. What sort of resources? You can include groups (security or M365 types), Azure AD registered apps, and SPO sites. You can therefore also assign users licenses (assign it to a group), join a Team (linked to an M365 Group), or any other type of resource allocation linked to the groups they join.\nThe access packages then have policies that control the users who can request them and the approvers who, optionally, approve those requests. 
You aren\u0026rsquo;t limited to only one policy, which gives you the ability to configure different rules for different users. Users who you give the ability to request access can then visit the My Access portal link ( myaccess.microsoft.com) to kick off the process.\nThe cool thing is, when you start working with entitlement management, you are not going to overburden IT. You may think this is just going to shift the responsibility for resource allocation from the team into central IT, but entitlement management can be fully delegated to allow others to create and manage access packages. For example, you can empower a team manager to control access packages. This is managed with a concept called catalogues which are a management boundary for access packages. You delegate permissions to catalogue creators, catalogue owners, or access package managers(most permissions to least; refer to here for a full a comparison).\nAdditionally, you can leverage Azure AD B2B and allow guests to get access packages, time-controlled with expiration dates for security. Time-control is not limited to guests and is part of the aforementioned policies you give access packages.\nLicensing gets a bit convoluted when you consider guests. As mentioned, this is an Azure AD Premium P2 feature, but you obviously cannot assign this to a guest. Instead, to be license compliant, each licensed user in your tenant entitles you to use the feature for five guest users. Administrative tasks also don\u0026rsquo;t need a P2 license. For example, setting up the packages. But as soon as you are someone who can use or does use an access package, you need a license. This is typical in the M365 licensing structure, where if a user benefits from the service, they need a license.\nRun-through From the Azure AD admin centre ( aad.portal.azure.com), browse to Identity Governance \u0026gt; Entitlement management \u0026gt; Access packages \u0026gt; New access package. 2. 
Give your access package a name, description, and catalogue. From this page, you can also create a new catalogue (management container) and specify if it\u0026rsquo;s enabled internally and/or externally. After entering all this information, click Next: Resource roles.\n3. You now add groups, apps, and SPO sites to the package, and the role (permissions) they have for each of these. This is important to note, as it means if you need to give different people different roles, this must be done with different access packages. When done, choose Next: Requests.\n4. Requests control who is allowed to request access to the package. This means if a user is not added here, they will not even be informed of the package\u0026rsquo;s existence. At this point, the users, except guests, must have an Azure AD P2 license. There are three top-level options:\nusers in your directory, which in this example I select, and then scope to all tenant users (but could choose named users/groups) users not in your directory, which could leverage Azure AD B2B and allow other organisations to be eligible by listing their domains administrator direct assignments, which doesn\u0026rsquo;t let anyone request and enforces that an administrator must assign the user the package 5. Within the request controls, there are approval options. Firstly, you can either enable or disable approval. If disabled, users who were specified in the above just need to choose to enrol into the access package; there are no additional \u0026lsquo;hoops\u0026rsquo;. If enabled, you can require the user to provide a justification and then one or two additional stages.\nThe stages are users or groups that must approve the request. If the user is approved by stage one, they are passed to stage two as a final approval step. In the options for the first approver, you can choose their manager (derived from Azure AD attributes) or a named group/user. 
If you choose their manager, you can also enter \u0026lsquo;fallback\u0026rsquo; groups/users, as that may interfere with business processes if, for example, the manager is unavailable. You also control, for both first and second stages, a timeout value. If the approvers do not approve it in this timescale, it\u0026rsquo;s automatically denied. Don\u0026rsquo;t rush these steps - consider the business processes involved and communicate with stakeholders to get it right, balancing security and the user experience.\nFinally, you want to choose yes to enable new requests and assignments to make the policy available. When all sorted, choose Next: Lifecycle.\n6. The lifecycle options control how long access packages last for the user, either by date or a number of days. You can also control whether or not the user can request an extension and if the approval flow previously configured must be run through again for the extension. Additionally, you can enforce access reviews, which can be done either in self-review or specific reviewer mode. An access review is a review of continued access to the access package and can be useful as an additional identity governance control by the delegated administrator or the user to themselves declare they no longer need it.\n7. After this stage, you are given the chance to review the configuration before creating the access package. You can revisit the access package later on to make changes if required by going to Azure AD \u0026gt; Identity Governance \u0026gt; Entitlement management \u0026gt; Access packages \u0026gt; your access package. 8. To get access, the user must visit My Access (myaccess.microsoft.com), browse the access packages scoped to them, and choose + Request access. They enter a business justification (if you required it) and can enter their own time restriction.\n9. The approval process begins as the user in the first stage receives an email prompting them to approve or deny the request. 
Remember, if they do not respond within the earlier specified timescale, the requestor will automatically be denied.\n10. When the approver clicks approve or deny request, they are taken to My Access\u0026rsquo;s approvals page. From here, they can approve or deny, view the details of the request, and also browse their approval history. The approver may have to provide justification if you specified it as a requirement in the initial set up.\n11. An email goes to the requester to confirm they have access. An email also goes to the approver to confirm the action.\n12. Now when the user visits My Access, they can see the access package in the active tab of the access packages list. They can also link directly to the resources from this page and do other actions such as revoke their own access, share (send a link to another person to request), or request an extension. Notice in the screenshot below there is a red notification icon to indicate the end date (self-imposed in this case) is soon.\n**Note:**Entitlement management is a feature in Azure AD but it is not exactly a product, in the sense that something like Conditional Access is. 
Hence why it\u0026rsquo;s not in Title Case in this blog\u0026hellip; just so my fellow grammarists are at ease 😉\n","permalink":"https://campbell.scot/getting-started-with-azure-ad-identity-governance-part-1-entitlement-management/","summary":"\u003cp\u003eThis blog is the first in a small series on Azure AD Premium P2\u0026rsquo;s Identity Governance toolkit.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-1-entitlement-management/\"\u003ePart 1: Entitlement Management (this post)\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-2-access-reviews/\"\u003ePart 2: Access reviews\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"/getting-started-with-azure-ad-identity-governance-part-3-privileged-identity-management-pim/\"\u003ePart 3: Privileged Identity Management (PIM)\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003cp\u003eAzure AD entitlement management is a bit of an overlooked gem.  It\u0026rsquo;s a feature that automates the processes for giving users access to resources. The typical scenario is a user has just joined a new department or is a new employee.  Over time, the resources their team need access to have sprawled across the M365 estate and it would be laborious to give permission to them all manually - if you even remember them all.  Additionally, you want to ensure the user\u0026rsquo;s access is time-controlled so that as their role changes, their access does too.\u003c/p\u003e","title":"Getting Started with Azure AD Identity Governance - Part 1: Entitlement Management"},{"content":"In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous or inappropriate websites. 
Nothing is perfect, though, and anyone who\u0026rsquo;s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.\nThe engine for MDATP web content filtering is Cyren, and you can check if a website is caught by its category rules using their online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you\u0026rsquo;re migrating anything of scale to MDATP, you don\u0026rsquo;t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it\u0026rsquo;s assumed you\u0026rsquo;ve done the due diligence, and you want to take the remediation you\u0026rsquo;ve applied against those (potential) false positives and false negatives with you.\nAs previously explained, MDATP manages fine-grained allow and block lists through the concept of Indicators of Compromise (or just indicators). Indicators can be used for domains, specific URLs, and IP addresses. They also support files and certificates. Within the indicator rules management page, we can use a CSV import to quickly get the lists we export from the existing solution into MDATP.\nBefore we get into the guide, some upfront considerations.\nIndicators always win against other rules types. If indicators conflict, the most restrictive (block) wins. You cannot include internal IP addresses or IPv6 addresses in indicators. You cannot import \u0026ldquo;metadata\u0026rdquo; about indicators. For example, you may wish to retain who and when an indicator was created or last updated on your previous protection system. Instead, the time and user of the import job is used. Only SmartScreen browsers such as Edge Chromium and Legacy support specific HTTPS page rules. An HTTP page rule will work across browsers. 
This is because when you browse with HTTPS, anything past the domain name cannot be seen (decrypted). This is important as more and more websites, rightly, encrypt their web traffic. As an aside, check out Why No HTTPS? for a great name-and-shame of the web\u0026rsquo;s most visited sites that don\u0026rsquo;t run on HTTPS. Importing the CSV You import a UTF-8-BOM encoded comma-delimited CSV with your domains, URLs, and IP addresses. All three types of indicator can be included in the same file, even though on the web interface domains/URLs and IPs are managed in separate pages.\nThe import is done in Microsoft Defender Security Centre \u0026gt; Settings \u0026gt; Rules \u0026gt; Indicators \u0026gt; Import (in any of the import tabs)\nA Microsoft example of the MDATP CSV is available here. You can download this for use as a template.\nThe tables below show how your data must be formatted in the import, with an example. There are some important points to note, so it is worth a read before you end up banging your head off the table figuring out what you\u0026rsquo;ve done wrong.\n","permalink":"https://campbell.scot/microsoft-defender-atp-web-content-filtering-migrate-rules-from-existing-security-software/","summary":"\u003cp\u003eIn my \u003ca href=\"/microsoft-defender-atp-web-content-filtering-administration-limitations-and-user-experience/\"\u003elast blog\u003c/a\u003e, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps.  Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous or inappropriate websites.  
Nothing is perfect, though, and anyone who\u0026rsquo;s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.\u003c/p\u003e\n\u003cp\u003eThe engine for MDATP web content filtering is \u003ca href=\"https://www.cyren.com/\"\u003eCyren\u003c/a\u003e, and you can check if a website is caught by its category rules using their online \u003ca href=\"https://www.cyren.com/security-center/url-category-check\"\u003ecategory check tool\u003c/a\u003e.  This takes a bit of time, as each check is subject to a \u003ca href=\"https://developers.google.com/recaptcha/docs/v3\"\u003eGoogle reCAPTCHA test\u003c/a\u003e.  If you\u0026rsquo;re migrating anything of scale to MDATP, you don\u0026rsquo;t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now.  When you allowed or blocked websites on your existing solution, it\u0026rsquo;s assumed you\u0026rsquo;ve done the due diligence, and you want to take the remediation you\u0026rsquo;ve applied against those (potential) false positives and false negatives with you.\u003c/p\u003e","title":"Microsoft Defender for Endpoint Web Content Filtering - Migrate Rules from Existing Security Software"},{"content":"Historically, one of the big features missing \u0026ldquo;out of the box\u0026rdquo; with MDATP was web content filtering. Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it. They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering. Higher level stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you\u0026rsquo;d be looking at other solutions too. 
This took away from Defender ATP\u0026rsquo;s \u0026ldquo;single pane of glass\u0026rdquo; selling point.\nThe solution was rolled out earlier this year via an integrated third party, Cyren. In this blog, I will detail what Cyren offers within MDATP including limitations, what we know about the roadmap ahead, and how to configure it, including exceptions and manual additions.\nAbout Cyren Web Content Filtering Web content filtering is reasonably intuitive. You specify a list of categories you want to prohibit users from accessing, and the web content filtering engine enforces this across all browsers and applications on the endpoint. Thinking about how you would do this in an on-premises world, we are lifting the responsibility and ability to filter traffic from the firewall or web proxy appliance/software and putting it on the endpoint. In a work-from-home world, this is essential.\nThe categories offered by Cyren are what you\u0026rsquo;d expect, but it isn\u0026rsquo;t as comprehensive as some solutions I\u0026rsquo;ve seen. For example, you cannot filter on politics or job searches, even though these are categories maintained by Cyren, and often found in other solutions.\nOn desktop operating systems, Microsoft support MDATP on Windows 10, Windows 7, Windows 8.1, macOS, and even Linux. Cyren web content filtering, however, is reliant on the Windows Defender feature Network Protection which only works on Windows 10 1709+. Network Protection is really just SmartScreen but applied to outbound, rather than inbound, web traffic. Before deploying web content filtering, you should confirm that you have enabled Network Protection via your MDATP management tool (manually per-device, ConfigMgr, or Intune).\nFurthermore, because of the dependence on Network Protection (SmartScreen), you will only see an explanation of the blocked web page in Edge (Chromium and Legacy). Other browsers will report a generic error. 
For example, Firefox reports SSL_ERROR_NO_CYPHER_OVERLAP.\nThe Roadmap Licensing A key difficulty many customers have faced with Cyren is licensing. As a third-party integration, you had to license it separately, even though it\u0026rsquo;s onboarded and managed from the normal MDATP web interface. Cyren did not publish the pricing online, and there are a lot of reports that getting any information from them regarding it is difficult. The good news is this month (June 2020), Microsoft announced that Cyren licensing will be inclusive, so available at no extra charge. A full announcement is expected next month (July 2020), but already the onboarding experience for web filtering has no requirement to sign up for Cyren - you can hit the ground running. If rolling out to production, I would still confirm all licensing information before deployment, at least until the full announcement is published.\nPlatform Support Although web content filtering only works on Windows 10 1709+ at the moment, Microsoft confirmed that macOS support is in the pipeline, but we don\u0026rsquo;t have a date. Downlevel platforms such as Windows 7 and Windows 8.1 are not on the roadmap, but we shouldn\u0026rsquo;t expect them to be.\nAdministering and Using Web Content Filtering Now I\u0026rsquo;ll take you through the administration of Cyren and how users experience blocks on Windows 10. The steps in the Microsoft Defender Security Centre are best taken with (you guessed it) a Global Administrator account, though Microsoft advises an Application Administrator, with sufficient Security Centre permissions, should also be able to enable the integration (untested by me).\nSet Up 1. In securitycentre.windows.com, navigate to Settings \u0026gt; General \u0026gt; Advanced features.\n**2.** You need to enable two settings: Web content filtering and Custom network indicators (the latter will let us make inclusions and exclusions - technically not part of Cyren, but complements it).\n3. 
Navigate to Settings \u0026gt; Rules \u0026gt; Web content filtering.\n4. You create web content filtering policies using the + Add item button.\n**Note:** Previously, we would have to go through the Cyren onboarding/trial set up here. Though straightforward and instant (no credit card details needed, for example), the new licensing structure makes it that little bit easier.\n5. Give the policy a name and choose the blocked categories.\nThe uncategorised option is a catchall for any site that Cyren has not assigned a category to and would only be used in the most secure environments.\n**6.** Finally, you scope the policy. It can be assigned to one or several device/machine groups, or the entire scope your current user has permission to.\n**Note:** If a device has multiple policies assigned, it will apply them all in the most restrictive way. For example, Policy 1 blocks only peer-to-peer websites and Policy 2 blocks only violent websites. If both are scoped, the user won\u0026rsquo;t get on either.\n**Note:** If you add any process exclusions to the Defender engine, they will bypass any filter rules (including inclusions and exclusions). For example, if you add a Defender exclusion for firefox.exe, web content filtering will not apply under any circumstances for Firefox users.\nInclusions and exclusions MDATP has the concept of Indicators of Compromise (IOCs or just Indicators). Indicators are about as fine-grained as you can get in allowing or denying files (by hash), IPs, URLs/domains, or certificates within your MDATP environment. In the context of web content filtering, indicators will win against any of the categorisation rules. Therefore, we can set up exclusions using indicators, or add any sites manually. There is a limit of 15000 indicators (combined total of any kind) and you can also import a CSV of indicators. 
This is very useful when migrating from an existing security solution, assuming it lets you export too (which MDATP does).\nNote: If you integrate MDATP with Microsoft Cloud App Security (MCAS), and specify a website as unsanctioned within MCAS, it automatically populates that website\u0026rsquo;s known addresses as indicators.\nThe process for including or excluding a website is the same with the only difference being the action. This guide focuses on manual additions rather than CSV import.\n1. Navigate to Settings \u0026gt; Rules \u0026gt; Indicators \u0026gt; URLs/Domains.\n2. Click + Add Item.\n3. If you want to block a domain and all pages within it, you would use the format of www.website.com. If you want to block a specific page of a website, you would use https://www.website.com/page. You can choose an expiry date and also review the statistics MDATP has collected about this website from telemetry, to see the effects of what you\u0026rsquo;re about to do.\n**4.** The response action is what MDATP does with what you\u0026rsquo;ve just entered. Allow adds the URL/domain to an exception list, Alert creates an entry in the MDATP alerts queue if a user goes to it, and Alert and Block will prohibit access and log it to MDATP. If you choose to alert or alert and block, you must give the alert a title and severity (informational, low, medium, high).\n5. Finish the indicator setup by scoping it to a device group or all the devices in the current admin\u0026rsquo;s scope.\nUser Experience An Edge user will see a SmartScreen red warning notification on any page that is blocked by either web content filtering or an indicator. 
The message is the same in both circumstances.\nA Google Chrome user will get a generic forbidden error.\n","permalink":"https://campbell.scot/microsoft-defender-atp-web-content-filtering-administration-limitations-and-user-experience/","summary":"\u003cp\u003eHistorically, one of the big features missing \u0026ldquo;out of the box\u0026rdquo; with MDATP was web content filtering.  Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it.  They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering.  Higher level stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you\u0026rsquo;d be looking at other solutions too.  This took away from Defender ATP\u0026rsquo;s \u0026ldquo;single pane of glass\u0026rdquo; selling point.\u003c/p\u003e","title":"Microsoft Defender for Endpoint Web Content Filtering - Administration, Limitations, and User Experience"},{"content":"External Identities is a new public preview feature of Azure AD which allows external users to authenticate with a non-Microsoft account such as their Google or Facebook identity. This has been available in Azure AD B2C for some time, but that solution is really targeted at highly customised applications with potentially millions of users. External Identities opens up that idea to your ordinary Azure AD tenant so that any SAML or WS-Fed IdP can be used. You are essentially federating Azure AD with the external IdP, not a million miles off in construct to how you might federate your Active Directory Domain Services domains to trust others.\nIn this blog, I will go through the admin process of enabling this for Google, then demonstrate the user experience when using Microsoft Teams. 
I will create a second and third blog on External Identities covering the process for Facebook then a custom IdP.\nPrerequisite: Google Web App Client ID and Secret 1. You\u0026rsquo;ll need a Google API client ID and secret before we can do anything in Azure AD. Visit console.developers.google.com with a Google account and create a project. It\u0026rsquo;s recommended you use a shared account for your tenant\u0026rsquo;s administration rather than a personal one and give the project a name distinguishable for future reference.\n2. You are redirected into your project, and from here navigate to APIs \u0026amp; Services \u0026gt; OAuth consent screen and choose a User Type of External, then click create.\n3. You only need to fill out the Application name and Authorised domains on the following screen. The application name can be anything but the domain must be microsoftonline.com. You may also want to review the token grant rate which by default allows for 10,000/day. Save the settings once filled in.\n4. Navigate to Credentials on the left-hand pane then + Create Credentials. We want to create an OAuth client ID.\n5. On the client ID page, our application type is going to be a web application and we need to add in the following authorised redirect URIs then choose create. Note you can easily copy your AAD tenant ID from the Overview page of Azure AD in the Azure portal (aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)\nhttps://login.microsoftonline.com https://login.microsoftonline.com/te/your-AAD-tenant-ID/oauth2/authresp 7. You\u0026rsquo;ll be presented with the client ID (ending apps.googleusercontent.com) and secret (password). Save these as you\u0026rsquo;ll need them to configure Azure AD. You can retrieve them later from the Google APIs console just by going back into the web application we created.\nConfigure Azure AD 1. 
In Azure Active Directory, navigate to External Identities \u0026gt; All identity providers \u0026gt; + Google ( aad.portal.azure.com/#blade/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/IdentityProviders)\n2. Enter the client ID and secret you created earlier and choose to save. This adds Google as a social identity provider. You can remove it, if required later, from this same page and clicking \u0026hellip; User Experience So what benefit does this bring to the external user? I\u0026rsquo;ll demonstrate this using Microsoft Teams.\nFirstly, let\u0026rsquo;s go through the experience of an unsupported external identity: a Yahoo Mail user has been invited to join a Team. This uses Azure B2B to create a guest user account for the user.\nThe user follows the invitation email link and they are prompted to create a Microsoft account (this is Microsoft\u0026rsquo;s consumer account; not an Azure AD account) via signup.live.com, assuming they do not already have one. They can use the original email address (i.e. they don\u0026rsquo;t need to make one ending in yourdomain.com or microsoft.com), but need to provide a password and details such as their country/region and birthday. Then they need to verify the account with a code sent to their email address. They will probably need to go through a captcha too, then approve the app permissions. Finally, they\u0026rsquo;ll get in.\nIn Azure AD, an administrator can see the user as a guest.\nNow the supported external identity: a Google user has been invited after you followed the earlier steps to add Google as an Azure AD supported External Identity social identity provider.\nThe user follows the invitation email link and they are prompted to log in. The link in the email to Open Microsoft Teams points originally to login.microsoftonline.com but as the invite was sent to a Google user, it redirects to accounts.google.com for authentication. 
They need to give the app permissions, then they\u0026rsquo;re in.\nHow much easier was that!?\nIn Azure AD, the user is a guest, and note that the source is Google, rather than the Microsoft Account our Yahoo user had to create.\nAs the user experience for account creation continues to improve in consumer applications, we must continue to improve it for business applications that use Azure AD too. External Identities give you the same authenticated user security as guest accounts but without the overhead of an additional account for that guest to manage.\n","permalink":"https://campbell.scot/sign-in-to-azure-ad-using-google-with-azure-ad-external-identities/","summary":"\u003cp\u003eExternal Identities is a new public preview feature of Azure AD which allows external users to authenticate with a non-Microsoft account such as their Google or Facebook identity.  This has been available in Azure AD B2C for some time, but that solution is really targeted at highly customised applications with potentially millions of users.  External Identities opens up that idea to your ordinary Azure AD tenant so that any SAML or WS-Fed IdP can be used.  You are essentially federating Azure AD with the external IdP, not a million miles off in construct to how you might federate your Active Directory Domain Services domains to trust others.\u003c/p\u003e","title":"Sign In to Azure AD Using Google with Azure AD External Identities"},{"content":"There are currently three separate admin consoles in Microsoft 365 for administrators to view or configure security and compliance policies, alerts, and reports. Believe it or not, this is down from four at the peak of just-tell-me-where-to-go-to-do-this. This doesn\u0026rsquo;t even include consoles such as Microsoft Cloud App Security (MCAS). 
The direction things are heading is good, as I\u0026rsquo;ll explain in this blog, but the situation does highlight Microsoft\u0026rsquo;s relatively new culture and position of continual small updates rather than delivering fully finished products.\nFirst to be introduced, at the end of 2015, was the Office 365 Security \u0026amp; Compliance Centre(SCC) which is still the most feature-rich and available at protection.office.com.\nIt very quickly became the central location for administrators to configure things like Office 365 ATP and eDiscovery. SCC remains the only place some settings - like Office 365 ATP - can be configured. In 2018, a Microsoft 365 Security \u0026amp; Compliance Centre was introduced at protection.microsoft.com, looking much like SCC but intending to scope not just Office 365 but Microsoft 365 (ie, include EMS management that was part of M365 but not O365 - AIP, etc). This one was short-lived - Microsoft announced its retirement less than one year later in favour of two separate portals.\nIn early 2019, the Microsoft 365 Security Centre at security.microsoft.com and the Microsoft 365 Compliance Centre at compliance.microsoft.com were deployed. The intention was to split the existing experience by how large enterprises typically structure themselves with separate security (Security Centre) and data management (Compliance Centre) teams. Owning a single license to their services opens them up.\nThe fundamental direction of the Microsoft 365 Security Centre is the administration point for Microsoft Threat Protection(MTP). MTP is the subset of all M365 E5 and ATP security products and the message from Microsoft if they\u0026rsquo;re trying to unify their end-user service management here.\nProgress is slow: the main piece of configuration you can do, at time of writing, is for sensitivity labels; almost everything else redirects you to the SCC. However, soon expect things like O365 ATP to show up. 
The focus is the end-user security estate, and there is an Azure equivalent for the infrastructure estate: Azure Security Centre. Above all this sits (or can sit) Microsoft\u0026rsquo;s SIEM - Sentinel.\nThe Microsoft 365 Compliance Centre focuses more on information/data controls and compliance/regulation posture. You can create policies for Data Loss Prevention (DLP) and retention, and view the compliance score metrics. Again, progress is slow at making this the location for compliance - many policy configurations, such as alerts, just redirect you to the SCC.\nOne of the design choices I find interesting is the idea of the Solutions Catalog. This is a top-level link you visit in the Compliance Centre, and within it, you find links to features like Insider Risk Management and Records Management. It explains them with overview, benefits, Ignite videos, and requirements - all quite nice. When you\u0026rsquo;ve reviewed that, it\u0026rsquo;s just another click to actually open the solution, or you can go straight to it from the home page too.\nTo summarise:\nOffice 365 Security \u0026amp; Compliance (SCC) The original consolidated portal and now primarily for O365 services such as O365 ATP Microsoft 365 Security Centre Microsoft Threat Protection services such as AIP sensitivity labels A lot just redirects to SCC for now Simplication: where you go to stop the bad actors getting into or damaging your environment and data\u0026hellip; when it\u0026rsquo;s finally moved from the SCC Microsoft 365 Compliance Centre - for information/data controls such as retention and DLP For information/data controls such as retention and DLP Simplication: where you go to control what happens with your environment and data ","permalink":"https://campbell.scot/the-differences-between-and-history-of-the-microsoft-365-security-centre-compliance-centre-and-security-compliance/","summary":"\u003cp\u003eThere are currently \u003cstrong\u003ethree\u003c/strong\u003e separate admin consoles in 
Microsoft 365 for administrators to view or configure security and compliance policies, alerts, and reports.  Believe it or not, this is down from \u003cstrong\u003efour\u003c/strong\u003e at the peak of just-tell-me-where-to-go-to-do-this.  This doesn\u0026rsquo;t even include consoles such as Microsoft Cloud App Security (MCAS).  The direction things are heading is good, as I\u0026rsquo;ll explain in this blog, but the situation does highlight Microsoft\u0026rsquo;s relatively new culture and position of continual small updates rather than delivering fully finished products.\u003c/p\u003e","title":"The Differences Between (and History of) the Microsoft 365 Security Centre, Compliance Centre, and Security \u0026 Compliance"},{"content":"When you link up the Microsoft Store for Business to Intune, you can centrally deploy store apps, automatically keep them up to date, and access volume-purchases.\n1. In MEM, browse to Tenant administration \u0026gt; Connectors and tokens \u0026gt; Microsoft Store for Business.\n2. 
Set the state to Enable and follow the link to Open the business store 3.\n","permalink":"https://campbell.scot/connect-microsoft-store-for-business-to-intune-in-microsoft-endpoint-manager/","summary":"\u003cp\u003eWhen you link up the Microsoft Store for Business to Intune, you can centrally deploy store apps, automatically keep them up to date, and access volume-purchases.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e1.\u003c/strong\u003e In MEM, browse to \u003cstrong\u003eTenant administration\u003c/strong\u003e \u0026gt; \u003cstrong\u003eConnectors and tokens\u003c/strong\u003e \u0026gt; \u003cstrong\u003eMicrosoft Store for Business\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2020/05/0102.png\"\u003e\u003cstrong\u003e2.\u003c/strong\u003e Set the state to \u003cstrong\u003eEnable\u003c/strong\u003e and follow the link to \u003cstrong\u003eOpen the business store\u003c/strong\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2020/05/03-2.png\"\u003e \u003cstrong\u003e3.\u003c/strong\u003e\u003c/p\u003e","title":"Connect Microsoft Store for Business to Intune in Microsoft Endpoint Manager"},{"content":"I\u0026rsquo;m a simple person, and sometimes it just helps to have a checklist to refer to when you\u0026rsquo;re troubleshooting rather than navigating the sparse pages of docs.microsoft.com. In this blog, I explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!) 
There are no screenshots and it\u0026rsquo;s not a click-by-click: this is a quick reference for when you\u0026rsquo;re pulling your hair out wondering what could be stopping you.\nHybrid Azure AD Join Checklist (Prerequisites) On-prem Active Directory (obviously) Joining computer has a line of sight to a domain controller Azure AD Connect The OU the computer belongs to must be included in sync scope\nThe userCertificate attribute must be included in sync scope\nYou must enable HAADJ within Azure AD Connect settings which configures on-prem Active Directory with a Service Connection Point ( SCP) per forest\nThe SCP properties contain details of your Azure AD tenant, so computers know which to go to You can find the SCP in ADSI Edit\u0026rsquo;s Configuration Naming Context under Services\\Device Registration Configuration, under an attribute called keywords. You don\u0026rsquo;t need Seamless SSO configured because when the device becomes HAADJ, Azure AD issues Primary Refresh Tokens ( PRTs) for SSO, instead of Seamless SSO\u0026rsquo;s Windows Integrated Auth\nYou don\u0026rsquo;t need the user to sync to Azure AD for HAADJ as the device registers using a computer object credential, but you will need a synced (licensed) user for Intune\nThe Azure AD devices setting Users may join devices to Azure AD can be set to none as the device join to Azure AD is done by the device, not the user. But note this setting may have unintended consequences, such as Azure AD Join during Autopilot. Intune MDM Enrollment Checklist (Prerequisites) Device is Hybrid Azure AD Joined Device is Windows 10 1709+ You may see some information that 1703 works. I have found that although the GPO applies to 1703 and you\u0026rsquo;ll see the MDM URLs against the device in dsregcmd /status, it doesn\u0026rsquo;t actually work. When you look in Azure AD, you won\u0026rsquo;t see a registered MDM, and the device won\u0026rsquo;t show in Intune either. 
User is synced to Azure AD You can sign in with the sAMAccountName or User Logon Name (UPN) as long as the user is properly synced - you don\u0026rsquo;t need to sign in using the Azure AD address User is licensed to Intune User is licensed to Azure AD Premium P1 (required for auto-enrollment) User is within scope for MDM automatic enrollment, configured in Azure AD \u0026gt; Mobility (MDM and MAM) Make sure it\u0026rsquo;s Intune and not Intune Enrollment if you have the choice MDM URLs within Mobility (MDM and MAM) are configured to Intune User is within scope to join devices to Azure AD within Azure AD \u0026gt; Devices - Device Settings \u0026gt; Users may join devices to Azure AD The number of devices they\u0026rsquo;re allowed to join, configured in this same page, is also important - if it\u0026rsquo;s exceeded, they won\u0026rsquo;t enrol The GPO *Computer Config\\Policies\\Admin Templates\\Windows Components\\MDM* Enable Automatic MDM Enrollment Using Default Azure AD Credentials is scoped to devices using User Credential I have never got Device Credential to work with the GPO, testing Windows 10 versions up to 1903, but some report success. I kept getting Device based token is not supported for enrollment type errors in Event Viewer. Windows (MDM) is allowed in Intune \u0026gt; Device enrollment - Enrollment restrictions The Process - Part 1 - Hybrid Azure AD Join The computer joins on-prem Active Directory\nThe computer retrieves the SCP (tenant) information from Active Directory\nThis is achieved by a Task Scheduler entry within \\Microsoft\\Windows\\Workplace Join called Automatic-Device-Join which runs whenever there\u0026rsquo;s a login. You may find this task is disabled on older versions of Windows 10. At least, I found it disabled on Windows 10 version 1511. You need to enable and assign a Group Policy to enable it: Computer Config\\Policies\\Admin Templates\\Windows Components\\Device Registration\\Register domain joined computers as devices. 
The computer generates its self-signed userCertificate attribute and stores it in Active Directory (and can be found in Active Directory Users \u0026amp; Computers property page in the Attribute Editor tab)\nThis step is not required in an ADFS environment If the above Task Scheduler entry didn\u0026rsquo;t run or isn\u0026rsquo;t enabled, you won\u0026rsquo;t get a userCertificate, and your computer won\u0026rsquo;t sync to Azure AD The computer begins trying to register with Azure Active Directory and continues to do until it succeeds\nIt can only do so after the object has been synced by AAD Connect so may be delayed depending on the sync cycle You can force a sync on the AAD Connect server using Import-Module ADSync then Start-ADSyncSyncCycle -PolicyType Delta It won\u0026rsquo;t sync if the userCertificate isn\u0026rsquo;t yet stored in Active Directory Azure AD issues a Primary Refresh Token (PRT) to users who log in for AAD authentication.\nAzure AD issues an MS-Organization-P2P-Access certificate to the local computer ( certlm.msc) in AAD Token Issuer\\Certificates. This certificate manages two additional certificates in Local Computer\\Personal\\Certificates and Current User\\Personal\\Certificates. These are all for facilitating remote desktop (RDP) connections to computers joined to the same tenant.\nThe device is now Hybrid Azure AD Joined. 
You can confirm this by looking at the object in the Azure AD devices list or using dsregcmd /status on the client, where AzureAdJoined within Device State is YES and AzureAdPrt within SSO State is YES.\nThe Process - Part 2 - Intune MDM Enrollment At next GPO refresh, the device receives and applies the GPO from Active Directory As this could be at the first login, it may happen before the device is HAADJ due to sync cycle and userCertificate timing - in such a case, MDM enrollment will fail (but keep trying; see below) The device does not need to reboot for the GPO and subsequent steps to apply If you have MFA enabled, users will be prompted via a toaster notification; if you don\u0026rsquo;t, it\u0026rsquo;s completely transparent A Task Scheduler entry for Schedule created by enrollment for automatically enrolling in MDM from AAD is created to run once every five minutes for one day This runs deviceenroller.exe /c /AutoEnrollMDM which then enrols the device into Intune MDM The above Task Scheduler entry is removed and replaced by many more for things such as certificate renewal The device is now Intune MDM enrolled. You can confirm this by going to Settings \u0026gt; Access work or school \u0026gt; [account] \u0026gt; Info and confirming the Management Server Address within Connection info is r.management.microsoft.com. You can also check dsregcmd /status, looking for the appropriate URLs against MdmUrl and MdmtoURL under Device State.\n","permalink":"https://campbell.scot/hybrid-azure-ad-join-intune-enrollment-prerequisites-checklist-and-process-flow/","summary":"\u003cp\u003eI\u0026rsquo;m a simple person, and sometimes it just helps to have a checklist to refer to when you\u0026rsquo;re troubleshooting rather than navigating the sparse pages of docs.microsoft.com.  
In this blog, I  explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!)  There are no screenshots and it\u0026rsquo;s not a click-by-click: this is a quick reference for when you\u0026rsquo;re pulling your hair out wondering what could be stopping you.\u003c/p\u003e","title":"Hybrid Azure AD Join + Intune Enrollment - Prerequisites Checklist and Process Flow"},{"content":"Build 2020 had some nice bits of M365 related news. Microsoft deserves commendation for sticking to the schedule and pulling this off (remotely) during the COVID-19 lockdown - Apple has delayed WWDC and Google just gave up on I/O. I\u0026rsquo;ve summarised (bullet points!) my favourite updates below. I will update it I find I\u0026rsquo;ve missed something good.\nAzure AD\nPublisher Verification lets developers verified through the Microsoft Partner Center stick a verified badge on their AAD apps. There is a new setting in AAD \u0026gt; Consent and permissions to Allow for apps from this organisation and verified publishers, which is Microsoft\u0026rsquo;s recommendation (as opposed to allowing user consent for all/none). External Identities is now in public preview. This allows invited external users to \u0026lsquo;bring their own identity\u0026rsquo; (BYOI) and sign in with a federated service like Google, Facebook, or another SAML2/WS-Fed IdP. Microsoft Authentication Libraries (MSAL) now support Angular and the ASP.NET web libraries are in public preview. Development\nThere are Graph API improvements to filtering, counting and sorting in the beta endpoint. For example, objects such as users and groups didn\u0026rsquo;t support $count, but now do. The new To Do API opens up feeding tasks into To Do across third parties, Teams, Outlook, Edge, Word, and Github (nice!). 
The associated app shows as a linked source in the To Do app with a deep link to it. For example, you could be taken straight to a Jira issue. The new Teams Activity Feed API allows devs an improved way to send notifications in Teams but details are scarce so far. Edge\nSync now supports extensions and IT will be able to manage the types of data that can sync. It\u0026rsquo;s even being extended to on-prem which is both shocking and welcomed. Windows Information Protection support has been added, presumably as an enlightened app. A feature called Automatic Profile Switching will switch between profiles depending on the URL. This has been in Firefox for a while under Containers and is a great feature in it. There is new native integration with page collections to Pinterest, because it\u0026rsquo;s 2020 and your browser can\u0026rsquo;t just be a browser. Teams\nTemplates can be created in the Teams Admin Centre with channels and apps already determined. Users select the template when creating a team. If you are signed into a mobile or desktop app, you can SSO into the app\u0026rsquo;s Teams tab. This is in developer preview. Conditional Access tabs in Teams will be fixed to resolve the problem of, for example, SPO sites that require CA failing with the \u0026ldquo;cannot access this resource\u0026rdquo; error. On mobile, more actions will be added to messages. For example, creating tasks. Other bits\nThe Fluid Framework - for which all we\u0026rsquo;ve seen so far is marketing fuzz all about improving app collaboration - will be open-source (available on GitHub shortly) and soon make its first appearance in Outlook. Project Cortex will be GA in summer. This is the first major new service in M365 since Teams and uses the Graph to \u0026ldquo;map knowledge to people, content, and modern work, and uses Microsoft Graph to deliver personalized knowledge\u0026rdquo;. From what I can tell, this just means it automates topic centres. 
Microsoft Lists is a new organising app that also works with Teams and is an \u0026quot; evolution on top of SharePoint lists\u0026quot;. It\u0026rsquo;s all about work management and tracking and can integrate with Power Apps and Power Automate. Apparently there are no plans to deprecate classic lists in favour of it. Click here for a product video or here for an interactive demo. Outlook on the web will get predictive text, much like Gmail. Bing Work has reached GA. This is the Microsoft Search tab in Bing search that extents it to M365. A good Microsoft Mechanics video on this by @deployjeremy is available. ","permalink":"https://campbell.scot/microsoft-365-updates-from-build-2020/","summary":"\u003cp\u003eBuild 2020 had some nice bits of M365 related news.  Microsoft deserves commendation for sticking to the schedule and pulling this off (remotely) during the COVID-19 lockdown - Apple has delayed WWDC and Google just gave up on I/O.  I\u0026rsquo;ve summarised (bullet points!) my favourite updates below.  I will update it I find I\u0026rsquo;ve missed something good.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eAzure AD\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://aka.ms/publisherverification\"\u003ePublisher Verification\u003c/a\u003e lets developers verified through the Microsoft Partner Center stick a verified badge on their AAD apps.  There is a new setting in \u003cstrong\u003eAAD\u003c/strong\u003e \u0026gt; \u003cstrong\u003eConsent and permissions\u003c/strong\u003e to \u003cstrong\u003eAllow for apps from this organisation and verified publishers\u003c/strong\u003e, which is Microsoft\u0026rsquo;s recommendation (as opposed to allowing user consent for all/none).\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://azure.microsoft.com/en-us/services/active-directory/external-identities/\"\u003eExternal Identities\u003c/a\u003e is now in public preview.  
This allows invited external users to \u0026lsquo;bring their own identity\u0026rsquo; (BYOI) and sign in with a federated service like Google, Facebook, or another SAML2/WS-Fed IdP.\u003c/li\u003e\n\u003cli\u003eMicrosoft Authentication Libraries (MSAL) \u003ca href=\"https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-angular\"\u003enow support Angular\u003c/a\u003e and the \u003ca href=\"https://github.com/AzureAD/microsoft-identity-web/wiki\"\u003eASP.NET web libraries are in public preview\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eDevelopment\u003c/strong\u003e\u003c/p\u003e","title":"Microsoft 365 Updates from Build 2020"},{"content":"The group policy object Register domain-joined computers as devices, or Automatically workplace join client computers in older templates, was previously a requirement for enabling Hybrid Azure AD Join. After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled.\nSince Windows 10 1607 (\u0026ldquo;Anniversary Update\u0026rdquo;), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer; regardless of the GPO existing. Prior to this, on Windows 10 1511 (\u0026ldquo;November Update\u0026rdquo;) and before, only if this GPO, or other configuration to create this registry value, was used.\nOkay, but there\u0026rsquo;s a disabled setting too; is that applicable from 1607 on? There is (at time of writing) an ongoing discussion about this on Github but it looks like this setting does not work - it will not block devices from HAADJ - and the problem is acknowledged by the product team. 
The workaround seems a major inconvenience, effectively disabling HAADJ across the board then pushing out a registry to devices you want it applied to.\n","permalink":"https://campbell.scot/register-domain-joined-computers-as-devices-the-redundant-and-broken-hybrid-azure-ad-join-gpo/","summary":"\u003cp\u003eThe group policy object \u003cstrong\u003eRegister domain-joined computers as devices\u003c/strong\u003e, or \u003cstrong\u003eAutomatically workplace join client computers\u003c/strong\u003e in older templates, was previously a requirement for enabling Hybrid Azure AD Join.  After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled.\u003c/p\u003e\n\u003cp\u003eSince Windows 10 1607 (\u0026ldquo;Anniversary Update\u0026rdquo;), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer; regardless of the GPO existing.  Prior to this, on Windows 10 1511 (\u0026ldquo;November Update\u0026rdquo;) and before, only if this GPO, or other configuration to create this registry value, was used.\u003c/p\u003e","title":"Register Domain-Joined Computers as Devices - The Redundant and Broken Hybrid Azure AD Join GPO"},{"content":"A Windows 10 user can self-enrol in MDM or MAM from Settings \u0026gt; Accounts \u0026gt; Access work or school \u0026gt; Connect.\nWhat happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership. For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win. The opposite is true of corporate devices. 
[wptb id=277]\nIntune devices are considered personal by default and only if they meet some criteria do they change to corporate:\nAD or AAD joined Changed manually in Intune An IMEI or serial number CSV is imported Enrolled using a DEM account Enrolled using DEP, Apple School or Business Manager, or Apple Configurator In the example below, if any users in the tenant self enrol their BYOD device using Connect, they will be enrolling in MAM. This is likely the configuration you want.\nThis is also true of enrolment using the Company Portal app, even if you select allow my organisation to manage this device.\nThe user will be told their device hasn\u0026rsquo;t been set up for corporate use yet and although it prompts them to change that, it will give them an error when trying to authenticate again that their device is already being managed by an organisation.\nReturning to Access work or school, there is an option to Enrol only in device management. This will enrol in MDM; kind of like a manual and not-so-obvious route around MAM if a user is scoped for both.\n","permalink":"https://campbell.scot/connect-a-work-or-school-account-mdm-vs-mam-in-self-enrolment/","summary":"\u003cp\u003eA Windows 10 user can self-enrol in MDM or MAM from \u003cstrong\u003eSettings\u003c/strong\u003e \u0026gt; \u003cstrong\u003eAccounts\u003c/strong\u003e \u0026gt; \u003cstrong\u003eAccess work or school\u003c/strong\u003e \u0026gt; \u003cstrong\u003eConnect\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003e\u003cimg loading=\"lazy\" src=\"/wp-content/uploads/2020/05/01-1.png\"\u003e\u003c/p\u003e\n\u003cp\u003eWhat happens next depends on how \u003cstrong\u003eMobility (MDM and MAM)\u003c/strong\u003e is configured in Azure Active Directory and \u003cstrong\u003edevice ownership\u003c/strong\u003e.  For a personal device, if \u003cstrong\u003euser scope\u003c/strong\u003e for both MDM and MAM overlaps for the enrolling user, MAM will win.  The opposite is true of corporate devices. 
[wptb id=277]\u003c/p\u003e","title":"Connect a Work or School Account - MDM vs. MAM in Self Enrolment"},{"content":"One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps: what\u0026rsquo;s the exact difference between a protected app and an exempt app; and what does allow or deny exactly do for both of those?\nA recap on some terminology before explaining what-does-what.\nTargeted apps are ones the WIP service will implement controls over. Unenlightened apps cannot differentiate between work and personal data. They have no idea what WIP is as the developer has not incorporated it. They can only implement controls if the device is MDM enrolled. Enlightened apps have incorporated WIP into the design and can differentiate between work and personal data. For example, Outlook knows if the email account is tenant one or not. They can implement controls even if it\u0026rsquo;s just using MAM. Such a scenario is called WIP Without Enrollment or WIP-WE. Enterprise context is the ownership of data in the application. You can review this by adding the column in Task Manager. Data will either belong to the tenant (work) or personal (not work). It can also be exempt, which means waived from rules. In the example below, every app you see - protected and exempt - will be controlled if an MDM scenario, but only enlightened ones can be in a MAM scenario.\nNow onto protected and exempt, denied and allowed. When you set these in their various arrangements, what happens?\nProtected apps that you allow will set the enterprise context to the tenant. This is true of enlightened or unenlightened apps.\nIf enlightened, the app can interact with any work data passed to a work context only. For example, you can copy and paste between a OneDrive for Business file and your Outlook tenant email, but not your personal email. If unenlightened, the app can interact with any work data passed to it. 
It doesn\u0026rsquo;t understand \u0026lsquo;contexts\u0026rsquo;, so any part of the app can access it. Protected apps that you deny will set the enterprise context to personal. This is true of enlightened or unenlightened apps.\nThe app cannot interact with any work data passed to it, even if it is something like a configured work website or email account. Exempt apps that you allow will set the enterprise context to exempt. You would only ever do this for unenlightened apps.\nThe app can interact with any work data passed to it. You are effectively giving the app a waiver to any restrictions. Exempt apps that you deny will set the enterprise context to personal. You would only ever do this for unenlightened apps.\nThe app cannot interact with any work data passed to it. Unconfigured apps that you do not target will set the enterprise context to personal.\nThe app cannot interact with any work data passed to it. I have summarised the various effects of app policies in the following table.\n[wptb id=237]\nA few conclusions worth noting:\nDenyinghas the same result under all circumstances: the app will not get work data. The nuance is that an enlightened one still knows what\u0026rsquo;s work and what\u0026rsquo;s not, but blocks you from that work context, unless override mode is on. Allowing always lets that app get access to work data, but if it\u0026rsquo;s enlightened, only to the work context. Rather than denying apps, you may as well just not configure them. The enterprise context and treatment of work data are the exact same. Simplify your policies. However, open to comments and feedback on why you may need to do this. Exempt enlightened app s are a redundant setting. An enlightened app is WIP aware and can manage the work/personal divide, so you have no reason not to protect it. Microsoft\u0026rsquo;s managed list of enlightened apps are all included in the recommended apps whenever you create a WIP policy. 
","permalink":"https://campbell.scot/windows-information-protection-wip-app-protection-policies-protected-and-exempt-denied-and-allowed-what-do-they-mean/","summary":"\u003cp\u003eOne of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps:  what\u0026rsquo;s the \u003cem\u003eexact\u003c/em\u003e difference between a protected app and an exempt app; and what does allow or deny \u003cem\u003eexactly\u003c/em\u003e do for both of those?\u003c/p\u003e\n\u003cp\u003eA recap on some terminology before explaining what-does-what.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eTargeted apps\u003c/strong\u003e are ones the WIP service will implement controls over.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnenlightened apps\u003c/strong\u003e cannot differentiate between work and personal data.  They have no idea what WIP is as the developer has not incorporated it.  They can only implement controls if the device is MDM enrolled.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnlightened apps\u003c/strong\u003e have incorporated WIP into the design and can differentiate between work and personal data.  For example, Outlook knows if the email account is tenant one or not.  They can implement controls even if it\u0026rsquo;s just using MAM.  Such a scenario is called \u003cstrong\u003eWIP Without Enrollment\u003c/strong\u003e or \u003cstrong\u003eWIP-WE\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnterprise context\u003c/strong\u003e is the ownership of data in the application.  You can review this by adding the column in Task Manager.  Data will either belong to the \u003cstrong\u003etenant\u003c/strong\u003e (work) or \u003cstrong\u003epersonal\u003c/strong\u003e (not work).  
It can also be \u003cstrong\u003eexempt\u003c/strong\u003e, which means waived from rules.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIn the example below, every app you see - protected and exempt - will be controlled if an MDM scenario, but only enlightened ones can be in a MAM scenario.\u003c/p\u003e","title":"Windows Information Protection (WIP) App Protection Policies: Protected and Exempt; Denied and Allowed - What Do They Mean?"},{"content":"Who we are Our website address is: https://campbell.scot.\nWhat personal data we collect and why we collect it Comments When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.\nAn anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.\nMedia If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.\nContact forms Cookies If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.\nIf you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.\nWhen you log in, we will also set up several cookies to save your login information and your screen display choices. 
Login cookies last for two days, and screen options cookies last for a year. If you select \u0026ldquo;Remember Me\u0026rdquo;, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.\nIf you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.\nEmbedded content from other websites Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.\nThese websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.\nAnalytics Who we share your data with How long we retain your data If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.\nFor users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.\nWhat rights you have over your data If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. 
This does not include any data we are obliged to keep for administrative, legal, or security purposes.\nWhere we send your data Visitor comments may be checked through an automated spam detection service.\nYour contact information Additional information How we protect your data What data breach procedures we have in place What third parties we receive data from What automated decision making and/or profiling we do with user data Industry regulatory disclosure requirements ","permalink":"https://campbell.scot/privacy-policy/","summary":"\u003ch2 id=\"who-we-are\"\u003eWho we are\u003c/h2\u003e\n\u003cp\u003eOur website address is: \u003ca href=\"https://campbell.scot\"\u003ehttps://campbell.scot\u003c/a\u003e.\u003c/p\u003e\n\u003ch2 id=\"what-personal-data-we-collect-and-why-we-collect-it\"\u003eWhat personal data we collect and why we collect it\u003c/h2\u003e\n\u003ch3 id=\"comments\"\u003eComments\u003c/h3\u003e\n\u003cp\u003eWhen visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.\u003c/p\u003e\n\u003cp\u003eAn anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: \u003ca href=\"https://automattic.com/privacy/\"\u003ehttps://automattic.com/privacy/\u003c/a\u003e. After approval of your comment, your profile picture is visible to the public in the context of your comment.\u003c/p\u003e","title":"Privacy Policy"},{"content":"Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are now being replaced by sensitivity labels. 
Sensitivity labels offer encryption, watermarks, etc. as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post.\nWith this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic client. The AIP unified labeling client will refer to the M365 Security Centre to download labels, but note that (and \u0026lsquo;unified\u0026rsquo; gives this away) labels created on either the old Azure AIP dashboard or new M365 Security Centre will sync to each other after you have enabled unified labeling. Current guidelines from Microsoft are that, unless you have a use case that isn\u0026rsquo;t a feature of the unified labeling client, this is what you should be installing. This post holds your hand through a deployment of the client using Intune.\n1. You can only deploy Win32 apps using Intune to Intune standalone devices. That is, not co-managed with SCCM. Verify the status of your devices in Intune in Devices - All devices and refer to the Managed by column. You are looking for devices only managed by MDM.\n2. Download the client, AzInfoProtection_UL_MSI_for_central_deployment.msi, currently hosted here.\n3. You cannot deploy Win32 apps without first packaging them into INTUNEWIN files using the command line based Microsoft Win32 Content Prep Tool, currently hosted here.\n4. Place the client MSI in its own folder and run the Win32 Content Prep Tool using this syntax:\n.\\IntuneWinAppUtil.exe -c C:\\AIP-ULC -s C:\\AIP-ULC\\AzInfoProtection_UL_MSI_for_central_deployment.msi -o C:\\AIP-ULC Where -c is the source folder path that will be archived into the INTUNEWIN, -s is the MSI file, and -o is the destination folder path for the INTUNEWIN.\n5. Navigate to Intune \u0026gt; Client apps \u0026gt; Manage \u0026gt; Apps \u0026gt; Add and specify a Windows app (Win32) 6. Upload the INTUNEWIN under App package file.\n7. 
We now fill out the details of the deployment. First is app information which includes the name, description, publisher (all mandatory), and category, etc.\n8. Next you specify the msiexec commands and device restart behavior. For the install command, I use:\nmsiexec /i \u0026#34;AzInfoProtection_UL_MSI_for_central_deployment.msi\u0026#34; /qn /norestart /l*v \u0026#34;C:\\ProgramData\\Microsoft\\IntuneManagementExtension\\AIPUC.log\u0026#34; What this specifies is /qn for no UI, /norestart for obvious reasons, and /l*v to specify a verbose log output to the IntuneManagementExtension folder, which is a directory that contains other Intune logs.\n9. Next we specify OS and hardware requirements. Note this is simplified for demonstration purposes but there are quite extensive prerequisites that should be investigated before a production deployment.\n10. Then detection rules so Intune can ascertain if the app is already installed. I just use the IdentifyingNumber of the install.\n11. You can next configure return codes and your Intune deployment scope tags, however I\u0026rsquo;ll skim over those.\n12. The upload commences after you save your new app.\n13. If not just making it a requirement for all users or groups, Intune apps can be assigned to groups, which is suggested for test deployments at least. Navigate to the Assignments of the app \u0026gt; Add group \u0026gt; Assign. I have made the assignment type for this required which automatically installs for all users and devices in the scope. I choose to permit toast notifications and deploy as soon as possible, but note these are configurable.\n14. One neat page to check out is on individual devices. Devices - all devices \u0026gt; %computername% \u0026gt; Managed apps and note the list of managed apps either deployed or queued. When you click into these, it also shows you the ongoing steps of the deployment.\n15. On the client device, you are indeed notified of ongoing updates.\n16. 
Jumping back to the Managed apps screen per device, we can track and see the installation complete successfully. Also note the collect logs option for if you encounter errors.\n17. Finally, we can see the Azure Information Protection Viewer within Recently added, but note that this didn\u0026rsquo;t just install the viewer; it also installed the explorer extension and replaces builtin Office app functionality for labeling.\nTwo additional pieces of information to round off this post.\nAny version of Microsoft Azure Information Protection installed with a 1.x prefix is a classic client and anything with 2.x is the unified client. Windows Update will now update the unified labeling client automatically on the general availability channel. The updates are added to WU just a few weeks after they\u0026rsquo;re available for independent download, and can therefore also be controlled through traditional channels such as WSUS. ","permalink":"https://campbell.scot/using-intune-to-deploy-the-azure-information-protection-aip-unified-labeling-client-win32-msi/","summary":"\u003cp\u003e\u003cstrong\u003eUnified labels\u003c/strong\u003e refer to a movement whereby \u003cstrong\u003eAzure Information Protection (AIP) labels\u003c/strong\u003e are now being replaced by \u003cstrong\u003esensitivity labels\u003c/strong\u003e.  Sensitivity labels offer encryption, watermarks, etc as AIP labels did before them, but are now managed in the new \u003ca href=\"https://security.microsoft.com/sensitivity?viewid=sensitivitylabels\"\u003eMicrosoft 365 Security Centre\u003c/a\u003e, with several other benefits beyond the scope of this post.\u003c/p\u003e\n\u003cp\u003eWith this change comes a new AIP client, called the \u003cstrong\u003eunified labeling client\u003c/strong\u003e, that replaces the old one, now called the \u003cstrong\u003eclassic client\u003c/strong\u003e.  
The AIP unified labeling client will refer to the M365 Security Centre to download labels, but note that (and \u0026lsquo;unified\u0026rsquo; gives this away) labels created on either the old Azure AIP dashboard or new M365 Security Centre will sync to each other after you have enabled unified labeling.  Current guidelines from Microsoft are that, unless you have a \u003ca href=\"https://docs.microsoft.com/en-us/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers\"\u003euse case that isn\u0026rsquo;t a feature of the unified labeling client\u003c/a\u003e, this is what you should be installing.  This post holds your hand through a deployment of the client using Intune.\u003c/p\u003e","title":"Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)"},{"content":"Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Management enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done. If you don\u0026rsquo;t follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages.\nPrerequisite: This only works with SCCM 1806+.\n1. In the ConfigMgr console, browse to Administration, then Hierarchy Settings, and check the box to enable Pre-Release features.\n2. Stay in Administration, choose Updates and Services, then Features and right click Mobile apps for co-managed devices, choosing Turn on.\n3. You are advised this can take a few minutes to apply within the console and to restart it. Give it a few minutes, and close then reopen the console.\n4. Back in Administration, find Cloud Services, expand it to enter Co-management, and go into CoMgmtSettingsPro properties.\n5. 
As can be seen in the above screenshot, there is a new workload in the Workloads tab called Client apps. Use the slider to choose if SCCM or Intune should control these. You can also, like all workloads, use Intune only for a pilot group.\n6. When your co-managed devices (that is, those that have the ConfigMgr agent and are Intune enrolled) next do a machine policy retrieval, they will collect the app assignment from Intune and enter the Install Pending state, followed by Installed when the app has been added to their Windows 10 device.\n","permalink":"https://campbell.scot/deploy-microsoft-store-apps-using-intune-with-sccm-co-management-fix-not-applicable-status/","summary":"\u003cp\u003eIntune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Management enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done.  If you don\u0026rsquo;t follow these steps, you will receive the status of \u003cstrong\u003eNot applicable\u003c/strong\u003e in the Intune client apps user and device install status pages.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"00.-Not-Applicable-in-Intune\" loading=\"lazy\" src=\"//wp-content/uploads/2020/05/00.-not-applicable-in-intune.png\"\u003e\u003cstrong\u003ePrerequisite:\u003c/strong\u003e This only works with SCCM 1806+.\u003c/p\u003e","title":"Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix 'Not Applicable' Status)"},{"content":"Deploying Outlook add-ins (\u0026ldquo;apps\u0026rdquo;) for your O365 tenant is an intuitive experience via AppSource. As a Global Administrator, click GET IT NOW on the app\u0026rsquo;s page and you are immediately redirected to the Services \u0026amp; add-ins page of the M365 Admin Center.\nFrom there, you can configure add-ins for the whole tenant, just yourself, or by group. 
All AAD group types, except non-email enabled ones, are supported. If a group is nested, the top-level group gets it, but none of the nested ones. You then choose to deploy as fixed, which means enforced, available, which means shown when users search for apps, or optional, which means installed but can be removed.\nLess intuitive are the requirements and confirming what users are supported for your deployed add-ins apps. To simplify:\nAdd-ins are stored, by tenant, within Exchange and deployment can only be done by an admin with, and to mailboxes for which, Modern Authentication (OAuth) is enabled.\nModern authentication is enabled by default with Exchange Online, so you are probably clear for cloud-only mailboxes, however perhaps not on-prem users in a hybrid environment. Microsoft make available the Office Add-In Centralised Deployment Eligibility Checker, a PowerShell module and cmdlet that will verify the deployability to every user in the tenant.\n1. Install the module, available here.\n2. Run PowerShell, elevated, importing the module and running its only cmdlet, which prompts you for the tenant name (ending .onmicrosoft.com). Note the prompt is, ironically, not a modern authentication one, so you must use an administrative account without Multi Factor Authentication enabled.\nImport-Module O365CompatibilityChecker Invoke-CompatibilityCheck 3. PowerShell will export output.csv to the working directory; typically %SystemRoot%\\System32 or %userprofile%. In my example, it took 50-60 seconds per 100 mailboxes.\nThe Centralised Deploy Ready column, which is where you should focus efforts, differs from Supported Mailbox despite what the screenshot indicates. 
For example, if a mailbox previously had OAuth enabled but now has no EXO license, it would show as not ready but supported.\n","permalink":"https://campbell.scot/prerequisites-and-planning-for-centrally-deploying-office-365-outlook-add-ins/","summary":"\u003cp\u003eDeploying Outlook add-ins (\u0026ldquo;apps\u0026rdquo;) for your O365 tenant is an intuitive experience via AppSource.  As a Global Administrator, click \u003cstrong\u003eGET IT NOW\u003c/strong\u003e on the app\u0026rsquo;s page and you are immediately redirected to the \u003cstrong\u003eServices \u0026amp; add-ins\u003c/strong\u003e page of the M365 Admin Center.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"1\" loading=\"lazy\" src=\"//wp-content/uploads/2020/05/1.png\"\u003e\u003cimg alt=\"2\" loading=\"lazy\" src=\"//wp-content/uploads/2020/05/2.png\"\u003e\u003c/p\u003e\n\u003cp\u003eFrom there, you can configure add-ins for the whole tenant, just yourself, or by group.  All AAD group types, except non-email enabled ones, are supported.  If a group is nested, the top-level group gets it, but none of the nested ones.  You then choose to deploy as \u003cstrong\u003efixed\u003c/strong\u003e, which means enforced, \u003cstrong\u003eavailable\u003c/strong\u003e, which means shown when users search for apps, or \u003cstrong\u003eoptional\u003c/strong\u003e, which means installed but can be removed.\u003c/p\u003e","title":"Prerequisites and Planning for Centrally Deploying Office 365 Outlook Add-Ins"},{"content":"Made available to more than just E5 licensees earlier this year, MyAnalytics will, by default, send users weekly emails regarding their work patterns.\nUsers can control this themselves in the settings pane of the MyAnalytics web app.\nimage-2\nAdministrators cannot, in bulk, keep MyAnalytics enabled for users but disable the email digest. 
The following PowerShell example instead disables MyAnalytics across all your Microsoft 365 Business licensed users, and therefore removes these emails.\nThis makes use of New-MsolLicenseOptions, a cmdlet with which you remove services by creating a LicenseOptions object that is then assigned to the user. The object exists only in the PowerShell session and when applied is just the standard license less the services you remove.\nIf you use a subscription other than M365 Business, change the value *SPB in the $M365 variable to the correct string ID as per Microsoft\u0026rsquo;s product names and service plan identifiers documentation. Similarly, you could remove other services. For example, remove Planner by changing MYANALYTICS_P2 to PROJECTWORKMANAGEMENT. If you want to remove multiple, list these comma separated within the same LicenseOption, and importantly note this applies absolutely - if you have already removed a service and use this to remove one more, you must also list the previously removed service, or it will be made available.\n$M365 = (Get-MsolAccountSku | Where-Object {$_.AccountSkuId -Like \u0026#34;*SPB\u0026#34;}).AccountSkuId $LicenseOptions = New-MsolLicenseOptions -AccountSkuId $M365 -DisabledPlans \u0026#34;MYANALYTICS_P2\u0026#34; $M365Users = Get-MsolUser -All | Where-Object {($_.licenses).AccountSKUId -match $M365} $M365Users | Set-MsolUserLicense -LicenseOptions $LicenseOptions If you want to remove multiple, list these comma separated within the same LicenseOption. 
For example, \u0026ldquo;MYANALYTICS_P2\u0026rdquo;,\u0026ldquo;PROJECTWORKMANAGEMENT\u0026rdquo;.\nImportantly, note that LicenseOptions applies absolutely - if you have already removed a service and use this to remove one more, you must also list the previously removed service, or it will be made available.\n","permalink":"https://campbell.scot/manage-myanalytics-emails-and-app-availability/","summary":"\u003cp\u003eMade available to more than just E5 licensees \u003ca href=\"https://www.microsoft.com/en-us/microsoft-365/blog/2019/01/02/myanalytics-the-fitness-tracker-for-work-is-now-more-broadly-available/\"\u003eearlier this year\u003c/a\u003e, MyAnalytics will, by default, send users weekly emails regarding their work patterns.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"image-1\" loading=\"lazy\" src=\"//wp-content/uploads/2020/05/image-1.png\"\u003e\u003c/p\u003e\n\u003cp\u003eUsers can control this themselves in the settings pane of the \u003ca href=\"https://myanalytics.microsoft.com/\"\u003eMyAnalytics web app\u003c/a\u003e.\u003c/p\u003e\n\u003cfigure\u003e\n    \u003cimg loading=\"lazy\" src=\"//wp-content/uploads/2020/05/image-2.png\"\n         alt=\"image-2\"/\u003e \u003cfigcaption\u003e\n            \u003cp\u003eimage-2\u003c/p\u003e\n        \u003c/figcaption\u003e\n\u003c/figure\u003e\n\n\u003cp\u003eAdministrators cannot, in bulk, keep MyAnalytics enabled for users but disable the email digest. The following PowerShell example instead disables MyAnalytics across all your Microsoft 365 Business licensed users, and therefore removes these emails.\u003c/p\u003e","title":"Manage MyAnalytics Weekly Insight Digest Emails and App Availability"}]