Posts on Ru Campbell MVP

Test: Syntax Highlighting and Table of Contents

Mon, 30 Mar 2026 00:00:00 +0000

Verification post — confirms Chroma syntax highlighting, Hugo native ToC, and OG meta tags are all working correctly.

Microsoft 365: The Essential 10 Security Considerations

Fri, 28 Nov 2025 13:42:07 +0000

When we talk about Microsoft 365 security, we are talking about two things:

Securing Microsoft 365 the platform, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite.
Using Microsoft 365 security tooling, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you’re not paying for capabilities gathering dust.

The latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.

Thoughts on Copilot for Security’s Early Days

Mon, 13 May 2024 07:22:42 +0000

April 1, 2024, seen the release of Microsoft Copilot for Security to general availability (GA). It is a generative AI solution integrating with Defender XDR, Entra, Purview, and Intune. Just over a month later, it’s time to write down some thoughts.

In cybersecurity, we face the challenge of scarce resources — time, finances, attention, will — to identify, protect, and respond to threats and vulnerabilities.

There’s an old joke. One economist asks another, “How’s your wife?”. The other economist replies, “Compared to what?”

[Updated Feb 2024] Ultimate Comparison of Defender for Endpoint Features by OS

Fri, 16 Feb 2024 17:13:38 +0000

Finally, it’s time for a refresh. It’s been a while! Due to personal circumstances, I haven’t been able to keep the Ultimate Comparison of MDE by OS updated. I’ve had time to dive into the changes since v5 and it’s really been amazing to see MDE grow in scope.

What is MDE and why do we need an ‘ultimate comparison’?

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with the broader Microsoft Defender XDR and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. Hence by I began the Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.

Microsoft Defender for Cloud Apps - Common Microsoft 365 Security Mistakes Series

Fri, 09 Feb 2024 17:30:41 +0000

Defender for Cloud Apps (MDA) is such a hidden gem. When talking with Microsoft 365 E5 customers, it’s amazing how few of them really grab MDA and squeeze all they can out of it. It’s often classified as a cloud access security broker (CASB) but that’s an oversimplication: the product can do so much more such as SaaS security posture management (SSPM) and, most topical in light of recent events, OAuth app governance.

Entra ID Protection - Common Microsoft 365 Security Mistakes Series

Wed, 07 Feb 2024 17:54:59 +0000

Signals from across Microsoft’s services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign in. Contrary to popular understanding, not all of Entra ID Protection’s detections are limited to the Entra ID P2 license: the nonpremium risks listed here don’t require P2.

Entra Self Service Password Reset - Common Microsoft 365 Security Mistakes Series

Sat, 03 Feb 2024 11:32:34 +0000

It’s a trope in IT circles: users forget their passwords. The greater your scale, the more time this can occupy with tickets, service desk calls, and so on. If you use Microsoft Entra ID (previously Azure Active Directory), self service password reset (SSPR) is a capability that can help reduce this overhead. SSPR offers a user-driven admin-less approach, where users verify they are authorised to reset forgotten passwords then can do so.

Microsoft Defender Vulnerability Management - Common Microsoft 365 Security Mistakes Series

Sat, 03 Feb 2024 10:57:52 +0000

Microsoft Defender Vulnerability Management (MDVM) is an often overlooked service that can be licensed standalone or is included in other Microsoft Defender licenses. In my experience, I’ve never seen it licensed standalone, but customers with Defender for Endpoint (MDE) P2, Defender for Servers (MDS) P1, and Defender for Business (MDB) benefit from it’s core capabilities. In addition to the core capabilities, add-on capabilities are available in the standalone license, Defender for Servers P2, or as an upgrade to the P1 licenses.

Exchange Online Protection & Defender for Office 365 - Common Microsoft 365 Security Mistakes Series

Tue, 19 Dec 2023 08:26:45 +0000

Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) are the email and collaboration security services native to Microsoft 365. EOP is included at all levels of licensing for Exchange Online, with MDO bringing additional security capabilities to license levels such as Business Premium, Microsoft 365 E3, and Microsoft 365 E5.

In this blog, I’ll review five of the most common security mistakes I see in tenants regarding EOP and MDO. Realistically, this list could go to fifty mistakes, but I’ll focus on ones I think you can quickly convert into quick wins or just may have never crossed your mind.

Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series

Sun, 19 Nov 2023 14:01:41 +0000

Entra ID’s P2 license (previously Azure AD Premium P2) unlocks the Privileged Identity Management (PIM). PIM is part of broader identity governance features, and is most known for enabling just-in-time admin rights. For example, you are eligible to become an administrator for a maximum of X hours, at which point the permissions expire and you need to reactivate.

This blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as PIM may appear, there are some gotchas you need to be aware of. It is a follow up from my previous Conditional Access – Common Microsoft 365 Security Mistakes Series article.

Conditional Access - Common Microsoft 365 Security Mistakes Series

Thu, 05 Oct 2023 21:11:27 +0000

Conditional Access (CA) is front and center of any attempt to secure Microsoft 365. If you’ve spent any time securing your tenant and Entra resources, you’ll know what Conditional Access is by now, so we’ll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes I see when helping folks out with it.

These aren’t listed in any particular order, and the devil’s in the details, so make sure you read the full post instead of just skimming the bullet points! There are also way more than five mistakes you can make with Conditional Access, but let’s start with these.

Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

Mon, 10 Jul 2023 20:47:03 +0000

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings.

In this blog, we’ll look at what that change is, why it was necessary, initial impressions, and what you might want to do next.

Historic management architecture needed simplifying

MDE (and it’s Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint protection platforms as being, well, a bit weird in terms of management architecture. With most platforms, you get a central admin console which pushes out endpoint settings. Think scan schedules, quarantine rules, exclusions, CPU throttling, etc. MDE/MDAV, on the other hand, instead relied on an external management tool such as Intune (MDM), Configuration Manager, or Group Policy.

Stop Making These Conditional Access Mistakes

Tue, 16 May 2023 09:14:28 +0000

Conditional Access is the most important security feature you will configure in Azure AD. You need to get this right, or most other things don’t even matter.

Compared to on-premises AD, which requires line of sight to a domain infrastructure often limited to physical or VPN access, Azure AD is wide open by default. Users can authenticate from anywhere, on any device.

[Feb 2023] Ultimate Comparison of Defender for Endpoint Features by OS

Sun, 19 Feb 2023 15:46:12 +0000

Microsoft Defender for Endpoint (MDE) is a massive stack of endpoint protection and endpoint detection and response (EDR) capabilities. It integrates with Microsoft 365 Defender (the broader XDR platform) and is available for almost any OS you’ll find in an enterprise. This cross-platform nature of MDE makes it difficult to understand and track what features and capabilities are available on each OS. It’s not always intuitive, and you may be in for some surprises. I try to keep this Ultimate Comparison of Defender for Endpoint Features by OS up to date to keep you aware of what you’re getting and what you need to go start implementing if you haven’t already.

Ultimate Comparison of Defender for Endpoint Features by OS [Updated August 2022]

Fri, 26 Aug 2022 07:32:32 +0000

This is the updated “matrix” of OS supported for the almost 80 features, services, and important components that make up Microsoft Defender for Endpoint. This follows up on my March 2022 release of the comparison.

What’s new?

Now available in Excel format, which was the biggest request :)
Added the new Microsoft Defender Vulnerability Management capabilities (add-on license required)
Added macOS tamper protection support
Added macOS network and web protection
Added iOS and Android’s mobile network protection
Added Linux cloud-delivered protection support
Added Windows troubleshooting mode
Added macOS, iOS, and Android support for network indicators of compromise
Updated host firewall reporting supported OSs
Updated attack surface reduction (ASR) rule supported Windows and Windows Server versions
Updated block at first sight (BAFS) supported OSs (thanks Polle Vanhoof + Thomas Verheyden)
Updated Windows Server support for indicators of compromise (thanks Polle Vanhoof + Thomas Verheyden)
Removed preview references for the unified agent for Windows Server 2012 R2 and 2016

Obligatory disclaimers:

Updated March 2022: Ultimate Comparison of Defender for Endpoint Features by Operating System

Tue, 29 Mar 2022 07:27:18 +0000

It’s been about 5 months since I last updated my comparison of Defender for Endpoint features by OS. This is a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :) I’ve also decided to rename it to The Ultimate Comparison of MDE Features by OS… because renaming’s what we do, right?

Exploring Microsoft 365's NOBELIUM Defence Capabilities

Fri, 24 Dec 2021 19:37:50 +0000

I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM. This group appeared on most IT pro’s radar because of their SolarWinds’ software supply chain. You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds’ Orion IT software was “trojanised” via an attack on their software supply chain. Orion is (probably now “was”) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.

Updated October 2021: Availability of Defender for Endpoint Features by Operating System

Tue, 19 Oct 2021 20:36:54 +0000

In July, I released v1 of The Big Comparison of Defender for Endpoint Features by Operating System (or, what I think is much catchier, TBCMDEFOS). This was a “matrix” of the tons of features, services, and important components that make up Microsoft Defender for Endpoint.

Three months later, it’s overdue an update. So here it is :)

The headline news is that, in preview anyway, there’s a bunch of additions to Windows Server 2012 R2 and 2016 thanks to a new agent-based deployment (“unified solution”) that replaces the need for the Microsoft Monitoring Agent and System Centre Endpoint Protection. You now get almost feature parity with Windows Server 2019’s security features: ASR rules, next-generation protection, block at first sight, etc. For a guide on how to get up and running with it, check out my writeup on Petri.

Tons of Microsoft Defender for Endpoint Improvements for Server 2012 R2 & 2016

Fri, 08 Oct 2021 11:36:48 +0000

New protection capabilities for Microsoft Defender for Endpoint (MDE) customers have landed in public preview, Oct 7 ‘21, for Windows Server 2012 R2 and Windows Server 2016. With the public preview released today, Windows Server 2012 R2 and 2016 gain ’ functional equivalence’ to 2019, thanks to the use of a new agent that is being described as the ‘unified solution’.

Historically, a significant gap

Previously, as I’ve detailed here and here, there was a large feature gap between Windows Server 2019 and these “down-level” OSs. The onboarding process was also different. To get devices into MDE, you had to deploy the Microsoft Monitoring Agent (MMA). This was required as the EDR sensor wasn’t built-in, unlike with Server 2019. While Server 2016 shipped with Microsoft Defender Antivirus (MDAV) installed already, to get any kind of scanning and endpoint protection capability in Server 2012 R2, you had to install System Centre Endpoint Protection.

Security Hygiene, Azure Security Center, and Secure Score

Sun, 01 Aug 2021 16:17:21 +0000

The basics

Let’s start this article with some basic cybersecurity terminology. Security hygiene, or cyber hygiene, is a general term used to describe the ongoing practice of keeping your technology and IT estate in a healthy and protected state. The metaphor with physical hygiene is valid because we know with our bodies that there’s no such thing as “set it and forget it”: if we don’t maintain regular hygiene practices and exercise, we atrophy. It’s a continual effort comprised of daily discipline, habit, and ritual.

The Big Comparison of Defender for Endpoint Features by Operating System

Sun, 11 Jul 2021 09:59:10 +0000

Microsoft Defender for Endpoint (MDE) is a massive platform. It’s not a single product, and it’s more than just a service. It’s a platform of tons of security features, portals, services, and controls. The more you dig in, the more elements of general Microsoft security have been included in the MDE “branding”. It’s not only endpoint detection and response (EDR), but also Windows 10 security settings. It’s not just the security software on the device, it’s also ongoing threat and vulnerability management.

Reauthorise Windows Server DHCP with One Line of PowerShell

Sat, 26 Jun 2021 19:23:38 +0000

This will be a brief blog, as I am certainly not a DHCP expert or day-to-day administrator. I do, however, run a DHCP server on Windows Server 2019 constantly in my lab environment, but sometimes encounter a problem whereby the server is no longer authorised, and when I use the GUI to do so, I get the error the specified servers are already present in the directory service.

The PowerShell I use to resolve this does the following:

Deploying Office 365 with Intune as a Win32 App (and Why You'd Want To)

Tue, 15 Jun 2021 15:26:14 +0000

Office 365, or Microsoft 365 Apps for Enterprise, or whatever it’s called this month, can be deployed by Intune to Windows 10 devices using a built-in wizard. The advantage of this is you don’t need to package anything: you fill out some nice drop-downs and options in a GUI, assign it like any other app, and Microsoft takes care of the rest.

In the background, this is using the Office CSP to deploy the client, which makes it quite unique compared to the deployment of other apps, which are best done with Win32 packaging. I wrote a general guide about that for Petri.com, available here.

Three Cool Things To Do With Azure Information Protection

Sun, 13 Jun 2021 17:38:11 +0000

In my last blog, I wrote about three considerations for your Azure Information Protection deployments and commented on often overlooked potential downsides, or at least areas with which to be cautious. In hindsight, it all feels a bit negative. I am, for the record, an advocate of Microsoft 365 customers using AIP (sensitivity labels) in basically any circumstance it’s appropriate to do so. So in this blog, I’ll counter the earlier post with three often overlooked useful things you can do with it.

Three Considerations for Azure Information Protection Deployments

Sat, 15 May 2021 08:25:46 +0000

Azure Information Protection (AIP) - more accurately exposed to Microsoft 365 now as sensitivity labels- is close to the top of my favourite wins for securing your data in a Microsoft ecosystem. While designing a detailed labelling and classification system is far from quick, it is quick to get up and running with baseline policies that protect your confidential company data from getting read outside the company. Simply by applying a sensitivity label that limits access to confidential data to users in your domain, you’ve covered a massive chunk of data loss scenarios.

Automatically Hide IP Addresses When Recording Demos or Screen Sharing

Mon, 03 May 2021 19:47:24 +0000

The Azure Mask browser extension is a really great tool when either recording on-screen demos or sharing your screen. Available for Edge/Chrome and Firefox, @_clarkio’s extension censors sensitive tenant information, so that your recording or viewers can’t see it. For example, the tenant ID within Azure AD’s overview page is blurred out.

If you’re doing a demonstration of any kind of security software with logs and auditing information, chances are you’ll get IP addresses on-screen too. If you’re running a lab environment at home or you’re showing off your own business’s production environment, you probably don’t what those seen by everyone, particularly if the session is going to be recorded.

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Mon, 19 Apr 2021 20:02:44 +0000

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you’re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.

I was recently setting up hybrid Azure AD join and Intune enrollment, as I’ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.

Revoke Access to Office Files with Sensitivity Labels and Azure Information Protection

Thu, 08 Apr 2021 06:16:40 +0000

Most of us have had that “oh < blank >” moment where we have given someone access to someone only to immediately or later need to undo that access. Azure Information Protection has historically been able to help us there. AIP allowed us to create protected (encrypted) documents and also let us remove access. However, in the move from ‘classic’ AIP to the new unified labelling with sensitivity labels, the ability to revoke was lost in the transition. Now it’s back in preview, but unlike the classic version, it’s managed on the client and not a web portal.

Conditional Access: Skip MFA for Company Devices on the Company Network

Wed, 31 Mar 2021 07:13:29 +0000

A common Conditional Access policy is to add trusted locations as an exception to multi-factor authorisation requirements. The logic goes, if you accessing resources such as Office 365 from a location such as the corporate office, that’s an element of verification in itself that your login should be trusted, so we should improve your user experience by removing MFA. Personally, I support the use of MFA regardless of where you are authenticating (at the very least, if you have an Azure AD admin role assigned). However, doing something like this is a great option if you are introducing MFA from scratch: you will improve user buy in the less you change their standard experience. Then, increase the scope gradually.

Update BitLocker Unique Identifiers with Intune

Mon, 22 Mar 2021 18:01:18 +0000

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.

The identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique identifier of the removable drive doesn’t match a list of unique identifiers managed on the device. The idea here is you want to enforce BitLocker on removable drives to improve data loss (encrypted drives, if found, are unreadable without the means to decrypt them), but you only want them to be encrypted within your organisation: someone can’t encrypt their device elsewhere and then copy data to it. You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.

How Conditional Access Assignments and Access Controls Work

Sun, 21 Mar 2021 19:47:39 +0000

When you authenticate with Azure AD, Conditional Access policies let you apply if-then rules for licensees of Azure AD Premium P1 or P2.

The conditions within Conditional Access (CA) are called assignments, but you may also see them referred to as signals, session details, or criteria. They make up the if part of if-then, and the then part is referred to as the access control or enforcement.

For example:

if the authentication attempt is for an administrative role (assignments / signals / session details / criteria)
then enforce multi-factor authentication (MFA) (access control / enforcements)

Assignments are broken down into

Microsoft Defender Antivirus – Schedule & Install Updates via Network Shares

Sat, 13 Mar 2021 21:28:12 +0000

Although not common, there are scenarios out where you will have LAN-only devices onboarded in Microsoft Defender for Endpoint (MDE), or at least using Microsoft Defender Antivirus (MDAV). With no line of sight to the internet, you can use options such as WSUS, but in this blog, I’ll explore using a network share, as WSUS isn’t always an option.

Create a directory on your file server with subdirectories for the different CPU architectures you’ll be supporting.

2. On the server, we’ll be installing a script provided by Microsoft. In PowerShell with elevated rights:

Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting & Fix

Sun, 07 Mar 2021 13:27:29 +0000

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE’s web content filtering and URL/domain indicators of compromise.

This blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.

Microsoft Information Protection Sensitivity Labels - Custom User Permissions and Do Not Forward

Thu, 25 Feb 2021 15:02:30 +0000

With Microsoft Information Protection, you can apply sensitivity labels to files, emails, and containers such as SharePoint Libraries. These labels apply protection which, in the context of files and emails, really means encryption using AES-128 or 256 (key size depends on file type). The great thing about Information Protection is that you control an access control list of who is allowed to access the content and it’s managed as a cloud service by Microsoft. The document or message, when opened, checks who is authenticated (who is signed to Outlook or the Office 365 app, for example) and only allows access if they have permission.

Microsoft Defender for Endpoint - Offline Onboarding for Windows 10 via a Proxy

Thu, 18 Feb 2021 07:30:40 +0000

Getting your devices into Defender for Endpoint is referred to as onboarding and can be done in lots of different ways, depending on the scenario. The tools you use for Windows Server 2008 R2, for example, are different from the tools you use for Windows Server 2019, which are different from the tools you use for Windows 10, and so on.

The common denominator behind most onboarding methods is internet connectivity. Your device connects directly to the cloud service and provides all that telemetry goodness via a direct line of sight.

Block LSASS.exe using Attack Surface Reduction

Sat, 13 Feb 2021 21:10:23 +0000

Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

Thu, 11 Feb 2021 21:24:59 +0000

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group. Device groups (previously machine groups), are used to assign devices different rules and administrative ownership. A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it.

While you can assign tags, and therefore determine group membership, manually from the Security Center, this doesn’t exactly scale well.

Turn Existing Azure AD Devices into Windows Autopilot Devices

Sat, 06 Feb 2021 09:19:13 +0000

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.

Understanding Application Guard for Office, Now Generally Available

Sat, 30 Jan 2021 22:13:50 +0000

Application Guard first appeared in Windows 10 1709 (“Fall Creators Update”) to isolate Edge browser activity within a Hyper V container. Microsoft now extends that same idea to Word, Excel, and PowerPoint in Office 365 ProPlus Microsoft 365 Apps for Enterprise on Windows 10…

… if you have Microsoft 365 E5 or E5 Security. You knew that was coming!

With Application Guard for Office, your files can open in a sandbox without access local or network storage. This provides an additional layer of protection against threats such as ransomware, for which Office apps are infamous as an attack surface. There’s a significant catch: a standard configuration of Application Guard will allow users to bypass it if they say they trust the file, therefore executing it in the normal way; resource access included. You can change this default behaviour though, so keep reading.

Understanding Modern vs. Legacy Authentication in Microsoft 365

Sun, 24 Jan 2021 13:46:35 +0000

Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants. Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017.

The term legacy authentication doesn’t refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA). Protocols that support MFA are described as modern authentication. In the context of Microsoft 365 and Azure Active Directory, which handles Microsoft 365’s authentication, these are protocols such as ADAL and OAuth.

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

Fri, 15 Jan 2021 18:18:36 +0000

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.

The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined. You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD’s properties for the device).

The 10 Technical IT Books of Most Influence on Me

Wed, 28 Oct 2020 19:34:29 +0000

In the name of transparency, or maybe stating the bleeding obvious, I confess I am that guy who can happily read an IT reference book or something like docs.microsoft.com or Practical 365 in the way someone else would read a popular fiction book. It’s partly an inability to turn off from the job, and partly just because I like learning how everything works. I’ve digested a ton of them over the last decade, so this blog is kind of my ‘acknowledgements’, where I’m recognising and conveying my gratitude to the ones most influential in the formation of my learning, writing style, and career.

PowerShell: Run Cmdlet If Another Was Successful (And Keep Trying Until It Is)

Fri, 23 Oct 2020 17:30:52 +0000

Today I’m sharing a useful bit of PowerShell I gracelessly punt from script to script whenever I need to make sure a prerequisite it met before running something and to keep checking until it’s met, then run what I need: “do X when Y is ready and keep checking Y until it’s ready”.

The original use for this was my script to create a new Microsoft 365 user, but hold off on some parts of it - such as time zone settings - until the Exchange Online mailbox is provisioned. That takes some time, so I wanted to keep checking and as soon as I could, continue the script.

The Difference Between Cloud App Security Discovery (CAD), Office 365 Cloud App Security (OCAS), and Microsoft Cloud App Security (MCAS)

Mon, 07 Sep 2020 19:15:17 +0000

Microsoft Cloud App Security (MCAS), Redmond’s cloud app security broker (CASB) offering, is a powerful tool for investigating and pro-actively controlling your SaaS estate. It includes tools such as reverse proxying to control sessions and sits inside the Microsoft Threat Protection stack alongside Defender ATP, Office 365 ATP, and Azure ATP. MCAS started life as Adallom prior to Microsoft’s acquisition of that company in 2015. It’s included in Microsoft 365 E5 and numerous other licensing subsets, including EMS E5, E5 Security (an add-on for Microsoft 365 E3), Information Protection & Governance, or standalone. In all cases, you’d need to make sure it includes or you also get a license for Azure AD Premium for the reverse proxy benefits, delivered via Conditional Access App Control.

Protecting Sensitive Information in Windows 10 with Microsoft Endpoint Data Loss Prevention (DLP)

Sun, 23 Aug 2020 17:30:21 +0000

After being released to Public Preview last month (July 2020), I have finally had a chance to test out Microsoft Endpoint DLP. The management of endpoint DLP - that is, preventing sensitive information from leaving the host computer - comes up frequently in my discussions with companies I help with security and compliance. Often, they have third-party tools doing it and are looking to centralise under Microsoft’s stack.

In this blog, I’ll give an overview of:

Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)

Sun, 16 Aug 2020 14:13:09 +0000

This blog is the last in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Part 1: Entitlement Management

Part 2: Access Reviews

Part 3: Privileged Identity Management (PIM) (this post)

PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD. Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. While this is still supported under PIM, it’s less of a requirement - PIM makes admin rights time bound on the same account and optionally require approval to activate.

Getting Started with Azure AD Identity Governance – Part 2: Access Reviews

Sun, 02 Aug 2020 14:46:34 +0000

This blog is the second in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Part 1: Entitlement Management

Part 2: Access Reviews (this post)

Part 3: Privileged Identity Management (PIM)

Historically, the apps, groups, and rights a user had were all under central and constant management by IT. Azure AD and modern management have pushed this towards ‘self-service’, including guest users, which improves productivity. The goal of Azure AD access reviews is to improve the management of user rights and access, in this modern environment, throughout their lifecycle in your tenant. It empowers you with automated tools to control their groups, apps, and roles (admin rights).

Getting Started with Azure AD Identity Governance - Part 1: Entitlement Management

Sun, 26 Jul 2020 17:27:32 +0000

This blog is the first in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Part 1: Entitlement Management (this post)

Part 2: Access reviews

Part 3: Privileged Identity Management (PIM)

Azure AD entitlement management is a bit of an overlooked gem. It’s a feature that automates the processes for giving users access to resources. The typical scenario is a user has just joined a new department or is a new employee. Over time, the resources their team need access to have sprawled across the M365 estate and it would be laborious to give permission to them all manually - if you even remember them all. Additionally, you want to ensure the user’s access is time-controlled so that as their role changes, their access does too.

Microsoft Defender for Endpoint Web Content Filtering - Migrate Rules from Existing Security Software

Sat, 04 Jul 2020 14:15:32 +0000

In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous on inappropriate websites. Nothing is perfect, though, and anyone who’s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.

The engine for MDATP web content filtering is Cyren, and you can check if a website is caught by its category rules using their online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you’re migrating anything of scale to MDATP, you don’t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it’s assumed you’ve done the due diligence, and you want to take the remediation you’ve applied against those (potential) false positives and false negatives with you.

Microsoft Defender for Endpoint Web Content Filtering - Administration, Limitations, and User Experience

Sun, 28 Jun 2020 16:37:29 +0000

Historically, one of the big features missing “out of the box” with MDATP was web content filtering. Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it. They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering. Higher lever stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you’d be looking at other solutions too. This took away from Defender ATP’s “single pane of glass” selling point.

Sign In to Azure AD Using Google with Azure AD External Identities

Sun, 07 Jun 2020 10:47:31 +0000

External Identities is a new public preview feature of Azure AD which allows external users to authenticate with a non-Microsoft account such as their Google or Facebook identity. This has been available in Azure AD B2C for some time, but that solution is really targetted at highly customised applications with potentially millions of users. External Identities opens up that idea to you ordinary Azure AD tenant so that any SAML or WS-Fed IdP can be used. You are essentially federating Azure AD with the external IdP, not a million miles off in construct to how you might federate your Active Directory Domain Services domains to trust others.

The Differences Between (and History of) the Microsoft 365 Security Centre, Compliance Centre, and Security & Compliance

Mon, 01 Jun 2020 07:11:37 +0000

There are currently three separate admin consoles in Microsoft 365 for administrators to view or configure security and compliance policies, alerts, and reports. Believe it or not, this is down from four at the peak of just-tell-me-where-to-go-to-do-this. This doesn’t even include consoles such as Microsoft Cloud App Security (MCAS). The direction things are heading is good, as I’ll explain in this blog, but the situation does highlight Microsoft’s relatively new culture and position of continual small updates rather than delivering fully finished products.

Connect Microsoft Store for Business to Intune in Microsoft Endpoint Manager

Fri, 29 May 2020 19:32:29 +0000

When you link up the Microsoft Store for Business to Intune, you can centrally deploy store apps, automatically keep them up to date, and access volume-purchases.

1. In MEM, browse to Tenant administration > Connectors and tokens > Microsoft Store for Business.

2. Set the state to Enable and follow the link to Open the business store 3.

Hybrid Azure AD Join + Intune Enrollment - Prerequisites Checklist and Process Flow

Mon, 25 May 2020 17:22:04 +0000

I’m a simple person, and sometimes it just helps to have a checklist to refer to when you’re troubleshooting rather than navigating the sparse pages of docs.microsoft.com. In this blog, I explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!) There are no screenshots and it’s not a click-by-click: this is a quick reference for when you’re pulling your hair out wondering what could be stopping you.

Microsoft 365 Updates from Build 2020

Thu, 21 May 2020 17:55:43 +0000

Build 2020 had some nice bits of M365 related news. Microsoft deserves commendation for sticking to the schedule and pulling this off (remotely) during the COVID-19 lockdown - Apple has delayed WWDC and Google just gave up on I/O. I’ve summarised (bullet points!) my favourite updates below. I will update it I find I’ve missed something good.

Azure AD

Publisher Verification lets developers verified through the Microsoft Partner Center stick a verified badge on their AAD apps. There is a new setting in AAD > Consent and permissions to Allow for apps from this organisation and verified publishers, which is Microsoft’s recommendation (as opposed to allowing user consent for all/none).
External Identities is now in public preview. This allows invited external users to ‘bring their own identity’ (BYOI) and sign in with a federated service like Google, Facebook, or another SAML2/WS-Fed IdP.
Microsoft Authentication Libraries (MSAL) now support Angular and the ASP.NET web libraries are in public preview.

Development

Register Domain-Joined Computers as Devices - The Redundant and Broken Hybrid Azure AD Join GPO

Tue, 19 May 2020 19:11:46 +0000

The group policy object Register domain-joined computers as devices, or Automatically workplace join client computers in older templates, was previously a requirement for enabling Hybrid Azure AD Join. After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled.

Since Windows 10 1607 (“Anniversary Update”), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer; regardless of the GPO existing. Prior to this, on Windows 10 1511 (“November Update”) and before, only if this GPO, or other configuration to create this registry value, was used.

Connect a Work or School Account - MDM vs. MAM in Self Enrolment

Sat, 16 May 2020 06:13:47 +0000

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect.

What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership. For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win. The opposite is true of corporate devices. [wptb id=277]

Windows Information Protection (WIP) App Protection Policies: Protected and Exempt; Denied and Allowed - What Do They Mean?

Thu, 14 May 2020 21:05:30 +0000

One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps: what’s the exact difference between a protected app and an exempt app; and what does allow or deny exactly do for both of those?

A recap on some terminology before explaining what-does-what.

Targeted apps are ones the WIP service will implement controls over.
Unenlightened apps cannot differentiate between work and personal data. They have no idea what WIP is as the developer has not incorporated it. They can only implement controls if the device is MDM enrolled.
Enlightened apps have incorporated WIP into the design and can differentiate between work and personal data. For example, Outlook knows if the email account is tenant one or not. They can implement controls even if it’s just using MAM. Such a scenario is called WIP Without Enrollment or WIP-WE.
Enterprise context is the ownership of data in the application. You can review this by adding the column in Task Manager. Data will either belong to the tenant (work) or personal (not work). It can also be exempt, which means waived from rules.

In the example below, every app you see - protected and exempt - will be controlled if an MDM scenario, but only enlightened ones can be in a MAM scenario.

Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Sat, 18 Jan 2020 22:47:50 +0000

Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are now being replaced by sensitivity labels. Sensitivity labels offer encryption, watermarks, etc as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post.

With this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic client. The AIP unified labeling client will refer to the M365 Security Centre to download labels, but note that (and ‘unified’ gives this away) labels created on either the old Azure AIP dashboard or new M365 Security Centre will sync to each other after you have enabled unified labeling. Current guidelines from Microsoft are that, unless you have a use case that isn’t a feature of the unified labeling client, this is what you should be installing. This post holds your hand through a deployment of the client using Intune.

Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix 'Not Applicable' Status)

Fri, 10 Jan 2020 21:00:30 +0000

Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Mangement enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done. If you don’t follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages.

Prerequisite: This only works with SCCM 1806+.

Prerequisites and Planning for Centrally Deploying Office 365 Outlook Add-Ins

Sun, 05 Jan 2020 21:00:38 +0000

Deploying Outlook add-ins (“apps”) for your O365 tenant is an intuitive experience via AppSource. As a Global Administrator, click GET IT NOW on the app’s page and you are immediately redirected to the Services & add-ins page of the M365 Admin Center.

From there, you can configure add-ins for the whole tenant, just yourself, or by group. All AAD group types, except non-email enabled ones, are supported. If a group is nested, the top-level group gets it, but none of the nested ones. You then choose to deploy as fixed, which means enforced, available, which means shown when users search for apps, or optional, which means installed but can be removed.

Manage MyAnalytics Weekly Insight Digest Emails and App Availability

Mon, 21 Oct 2019 14:25:45 +0000

Made available to more than just E5 licencees earlier this year, MyAnalytics will, by default, send users weekly emails regarding their work patterns.

Users can control this themselves in settings pane of the MyAnalytics web app.

image-2

Administrators cannot, in bulk, keep MyAnalytics enabled for users but disable the email digest. The following PowerShell example instead disables MyAnalytics across all your Microsoft 365 Business licensed users, and therefore removing these emails.