Entra ID Protection – Common Microsoft 365 Security Mistakes Series
Posted inEntra ID (Azure Active Directory) Entra ID Protection (Identity Protection)

Entra ID Protection – Common Microsoft 365 Security Mistakes Series

Signals from across Microsoft's services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign in. Contrary to popular understanding, not all of Entra ID Protection's detections are limited to the Entra ID P2 license: the nonpremium risks listed here don't…
Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series
Posted inConditional Access Entra ID (Azure Active Directory) Identity Governance Privileged Identity Management

Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series

Entra ID's P2 license (previously Azure AD Premium P2) unlocks the Privileged Identity Management (PIM). PIM is part of broader identity governance features, and is most known for enabling just-in-time admin rights. For example, you are eligible to become an administrator for a maximum of X hours, at which point the permissions expire and you need to reactivate. This blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as…
Conditional Access – Common Microsoft 365 Security Mistakes Series
Posted inAccess Reviews Conditional Access Entitlement Management Entra ID (Azure Active Directory) Microsoft 365 Microsoft Defender for Cloud Apps Privileged Identity Management

Conditional Access – Common Microsoft 365 Security Mistakes Series

Conditional Access (CA) is front and center of any attempt to secure Microsoft 365. If you've spent any time securing your tenant and Entra resources, you'll know what Conditional Access is by now, so we'll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes I see when helping folks out with it. These aren't listed in any particular order, and the devil's in the details,…
Exploring Microsoft 365’s NOBELIUM Defence Capabilities
Posted inEntra ID (Azure Active Directory) Microsoft 365 Microsoft Defender Windows Server

Exploring Microsoft 365’s NOBELIUM Defence Capabilities

I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM.  This group appeared on most IT pro's radar because of their SolarWinds' software supply chain.  You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds' Orion IT software was "trojanised" via an attack on their software supply chain.  Orion is…
Three Considerations for Azure Information Protection Deployments
Posted inMicrosoft 365 Sensitivity labels (Azure Information Protection)

Three Considerations for Azure Information Protection Deployments

Azure Information Protection (AIP) - more accurately exposed to Microsoft 365 now as sensitivity labels - is close to the top of my favourite wins for securing your data in a Microsoft ecosystem.  While designing a detailed labelling and classification system is far from quick, it is quick to get up and running with baseline policies that protect your confidential company data from getting read outside the company.  Simply by applying a sensitivity label…
Troubleshooting Hybrid Azure AD Intune Automatic Enrollment
Posted inEntra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune Windows

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you're banging your head off the table, and laugh off the embarrassment of not checking the fundamentals. I was recently setting up hybrid Azure AD join and Intune enrollment,…
Microsoft Information Protection Sensitivity Labels – Custom User Permissions and Do Not Forward
Posted inMicrosoft 365 Office 365 Sensitivity labels (Azure Information Protection)

Microsoft Information Protection Sensitivity Labels – Custom User Permissions and Do Not Forward

With Microsoft Information Protection, you can apply sensitivity labels to files, emails, and containers such as SharePoint Libraries.  These labels apply protection which, in the context of files and emails, really means encryption using AES-128 or 256 (key size depends on file type).  The great thing about Information Protection is that you control an access control list of who is allowed to access the content and it's managed as a cloud service by Microsoft. …
Turn Existing Azure AD Devices into Windows Autopilot Devices
Posted inAutopilot Entra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune Windows

Turn Existing Azure AD Devices into Windows Autopilot Devices

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service.  When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID (ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number,…
Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted
Posted inBitLocker Entra ID (Azure Active Directory) Intune Microsoft 365 Microsoft Intune PowerShell Windows

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe.  You can store those keys either in on-premises Active Directory or in the cloud with Azure AD. The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is…
Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)
Posted inEntra ID (Azure Active Directory) Identity Governance Microsoft 365 Privileged Identity Management

Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)

This blog is the last in a small series on Azure AD Premium P2's Identity Governance toolkit. Part 1: Entitlement Management Part 2: Access Reviews Part 3: Privileged Identity Management (PIM) (this post) PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD.  Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. …