Entra ID Protection – Common Microsoft 365 Security Mistakes Series
Posted inEntra ID (Azure Active Directory) Entra ID Protection (Identity Protection)

Entra ID Protection – Common Microsoft 365 Security Mistakes Series

Signals from across Microsoft's services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign in. Contrary to popular understanding, not all of Entra ID Protection's detections are limited to the Entra ID P2 license: the nonpremium risks listed here don't…
Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series
Posted inConditional Access Entra ID (Azure Active Directory) Identity Governance Privileged Identity Management

Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series

Entra ID's P2 license (previously Azure AD Premium P2) unlocks the Privileged Identity Management (PIM). PIM is part of broader identity governance features, and is most known for enabling just-in-time admin rights. For example, you are eligible to become an administrator for a maximum of X hours, at which point the permissions expire and you need to reactivate. This blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as…
Troubleshooting Hybrid Azure AD Intune Automatic Enrollment
Posted inEntra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune Windows

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you're banging your head off the table, and laugh off the embarrassment of not checking the fundamentals. I was recently setting up hybrid Azure AD join and Intune enrollment,…
Conditional Access: Skip MFA for Company Devices on the Company Network
Posted inConditional Access Entra ID (Azure Active Directory) Microsoft 365

Conditional Access: Skip MFA for Company Devices on the Company Network

A common Conditional Access policy is to add trusted locations as an exception to multi-factor authorisation requirements.  The logic goes, if you accessing resources such as Office 365 from a location such as the corporate office, that's an element of verification in itself that your login should be trusted, so we should improve your user experience by removing MFA.  Personally, I support the use of MFA regardless of where you are authenticating (at the…
Turn Existing Azure AD Devices into Windows Autopilot Devices
Posted inAutopilot Entra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune Windows

Turn Existing Azure AD Devices into Windows Autopilot Devices

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service.  When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID (ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number,…
Understanding Modern vs. Legacy Authentication in Microsoft 365
Posted inEntra ID (Azure Active Directory) Microsoft 365

Understanding Modern vs. Legacy Authentication in Microsoft 365

Since October 2019, Microsoft has enabled Security Defaults by default in new Microsoft 365 tenants.  Security Defaults are a group of best-practice security settings, and one of note is the disablement of all legacy authentication, which itself has been off in Exchange Online and SharePoint Online, by default, since August 2017. The term legacy authentication doesn't refer to one particular protocol, but rather any that do not support Multi-Factor Authentication (MFA).  Protocols that support…
The Difference Between Cloud App Security Discovery (CAD), Office 365 Cloud App Security (OCAS), and Microsoft Cloud App Security (MCAS)
Posted inMicrosoft 365 Microsoft Defender Microsoft Defender for Cloud Apps Office 365

The Difference Between Cloud App Security Discovery (CAD), Office 365 Cloud App Security (OCAS), and Microsoft Cloud App Security (MCAS)

Microsoft Cloud App Security (MCAS), Redmond's cloud app security broker (CASB) offering, is a powerful tool for investigating and pro-actively controlling your SaaS estate.  It includes tools such as reverse proxying to control sessions and sits inside the Microsoft Threat Protection stack alongside Defender ATP, Office 365 ATP, and Azure ATP.  MCAS started life as Adallom prior to Microsoft's acquisition of that company in 2015.  It's included in Microsoft 365 E5 and numerous other…
Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)
Posted inEntra ID (Azure Active Directory) Identity Governance Microsoft 365 Privileged Identity Management

Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)

This blog is the last in a small series on Azure AD Premium P2's Identity Governance toolkit. Part 1: Entitlement Management Part 2: Access Reviews Part 3: Privileged Identity Management (PIM) (this post) PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD.  Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. …
Getting Started with Azure AD Identity Governance – Part 2: Access Reviews
Posted inAccess Reviews Entra ID (Azure Active Directory) Identity Governance Microsoft 365

Getting Started with Azure AD Identity Governance – Part 2: Access Reviews

This blog is the second in a small series on Azure AD Premium P2's Identity Governance toolkit. Part 1: Entitlement Management Part 2: Access Reviews (this post) Part 3: Privileged Identity Management (PIM) Historically, the apps, groups, and rights a user had were all under central and constant management by IT.  Azure AD and modern management have pushed this towards 'self-service', including guest users, which improves productivity.  The goal of Azure AD access reviews…
Getting Started with Azure AD Identity Governance – Part 1: Entitlement Management
Posted inEntitlement Management Entra ID (Azure Active Directory) Identity Governance Microsoft 365

Getting Started with Azure AD Identity Governance – Part 1: Entitlement Management

This blog is the first in a small series on Azure AD Premium P2's Identity Governance toolkit. Part 1: Entitlement Management (this post) Part 2: Access reviews Part 3: Privileged Identity Management (PIM) Azure AD entitlement management is a bit of an overlooked gem.  It's a feature that automates the processes for giving users access to resources. The typical scenario is a user has just joined a new department or is a new employee. …