Entra-Id-(Azure-Ad) on Ru Campbell MVP

Microsoft 365: The Essential 10 Security Considerations

Fri, 28 Nov 2025 13:42:07 +0000

When we talk about Microsoft 365 security, we are talking about two things:

Securing Microsoft 365 the platform, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite.
Using Microsoft 365 security tooling, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you’re not paying for capabilities gathering dust.

The latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.

Entra ID Protection - Common Microsoft 365 Security Mistakes Series

Wed, 07 Feb 2024 17:54:59 +0000

Signals from across Microsoft’s services and ecosystems inform Entra ID Protection to detect risk. The risk detections can alert administrators or, better still, combine with other Entra and Defender XDR capabilities to perform remediation and prevention. The most obvious example of this may be preventing a risky sign in. Contrary to popular understanding, not all of Entra ID Protection’s detections are limited to the Entra ID P2 license: the nonpremium risks listed here don’t require P2.

Privileged Identity Management (PIM) – Common Microsoft 365 Security Mistakes Series

Sun, 19 Nov 2023 14:01:41 +0000

Entra ID’s P2 license (previously Azure AD Premium P2) unlocks the Privileged Identity Management (PIM). PIM is part of broader identity governance features, and is most known for enabling just-in-time admin rights. For example, you are eligible to become an administrator for a maximum of X hours, at which point the permissions expire and you need to reactivate.

This blog covers five of the common misconfigurations and misunderstandings I see with customers. Intuitive as PIM may appear, there are some gotchas you need to be aware of. It is a follow up from my previous Conditional Access – Common Microsoft 365 Security Mistakes Series article.

Conditional Access - Common Microsoft 365 Security Mistakes Series

Thu, 05 Oct 2023 21:11:27 +0000

Conditional Access (CA) is front and center of any attempt to secure Microsoft 365. If you’ve spent any time securing your tenant and Entra resources, you’ll know what Conditional Access is by now, so we’ll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes I see when helping folks out with it.

These aren’t listed in any particular order, and the devil’s in the details, so make sure you read the full post instead of just skimming the bullet points! There are also way more than five mistakes you can make with Conditional Access, but let’s start with these.

Exploring Microsoft 365's NOBELIUM Defence Capabilities

Fri, 24 Dec 2021 19:37:50 +0000

I recently read through an excellent article by Mandiant, which recently split with FireEye, on their findings and analysis of the continued actions of suspected nation-state actor NOBELIUM. This group appeared on most IT pro’s radar because of their SolarWinds’ software supply chain. You are probably familiar with it by now, but if not, the tl;dr is that SolarWinds’ Orion IT software was “trojanised” via an attack on their software supply chain. Orion is (probably now “was”) used by enterprise customers to monitor their servers, network, etc, so not only was SolarWinds compromised, so too potentially were its customers.

Three Considerations for Azure Information Protection Deployments

Sat, 15 May 2021 08:25:46 +0000

Azure Information Protection (AIP) - more accurately exposed to Microsoft 365 now as sensitivity labels- is close to the top of my favourite wins for securing your data in a Microsoft ecosystem. While designing a detailed labelling and classification system is far from quick, it is quick to get up and running with baseline policies that protect your confidential company data from getting read outside the company. Simply by applying a sensitivity label that limits access to confidential data to users in your domain, you’ve covered a massive chunk of data loss scenarios.

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Mon, 19 Apr 2021 20:02:44 +0000

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you’re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.

I was recently setting up hybrid Azure AD join and Intune enrollment, as I’ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.

Microsoft Information Protection Sensitivity Labels - Custom User Permissions and Do Not Forward

Thu, 25 Feb 2021 15:02:30 +0000

With Microsoft Information Protection, you can apply sensitivity labels to files, emails, and containers such as SharePoint Libraries. These labels apply protection which, in the context of files and emails, really means encryption using AES-128 or 256 (key size depends on file type). The great thing about Information Protection is that you control an access control list of who is allowed to access the content and it’s managed as a cloud service by Microsoft. The document or message, when opened, checks who is authenticated (who is signed to Outlook or the Office 365 app, for example) and only allows access if they have permission.

Block LSASS.exe using Attack Surface Reduction

Sat, 13 Feb 2021 21:10:23 +0000

Turn Existing Azure AD Devices into Windows Autopilot Devices

Sat, 06 Feb 2021 09:19:13 +0000

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

Fri, 15 Jan 2021 18:18:36 +0000

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.

The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined. You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD’s properties for the device).

Getting Started with Azure AD Identity Governance – Part 3: Privileged Identity Management (PIM)

Sun, 16 Aug 2020 14:13:09 +0000

This blog is the last in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Part 1: Entitlement Management

Part 2: Access Reviews

Part 3: Privileged Identity Management (PIM) (this post)

PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD. Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. While this is still supported under PIM, it’s less of a requirement - PIM makes admin rights time bound on the same account and optionally require approval to activate.

Getting Started with Azure AD Identity Governance - Part 1: Entitlement Management

Sun, 26 Jul 2020 17:27:32 +0000

This blog is the first in a small series on Azure AD Premium P2’s Identity Governance toolkit.

Part 1: Entitlement Management (this post)

Part 2: Access reviews

Part 3: Privileged Identity Management (PIM)

Azure AD entitlement management is a bit of an overlooked gem. It’s a feature that automates the processes for giving users access to resources. The typical scenario is a user has just joined a new department or is a new employee. Over time, the resources their team need access to have sprawled across the M365 estate and it would be laborious to give permission to them all manually - if you even remember them all. Additionally, you want to ensure the user’s access is time-controlled so that as their role changes, their access does too.

Sign In to Azure AD Using Google with Azure AD External Identities

Sun, 07 Jun 2020 10:47:31 +0000

External Identities is a new public preview feature of Azure AD which allows external users to authenticate with a non-Microsoft account such as their Google or Facebook identity. This has been available in Azure AD B2C for some time, but that solution is really targetted at highly customised applications with potentially millions of users. External Identities opens up that idea to you ordinary Azure AD tenant so that any SAML or WS-Fed IdP can be used. You are essentially federating Azure AD with the external IdP, not a million miles off in construct to how you might federate your Active Directory Domain Services domains to trust others.

Register Domain-Joined Computers as Devices - The Redundant and Broken Hybrid Azure AD Join GPO

Tue, 19 May 2020 19:11:46 +0000

The group policy object Register domain-joined computers as devices, or Automatically workplace join client computers in older templates, was previously a requirement for enabling Hybrid Azure AD Join. After configuring Azure AD Connect and your Seamless SSO GPOs, this had to be enabled.

Since Windows 10 1607 (“Anniversary Update”), in Azure AD Connect environments, on-premises Active Directory joined computers become Azure Active Directory registered when a synchronised user signs in to a synchronised computer; regardless of the GPO existing. Prior to this, on Windows 10 1511 (“November Update”) and before, only if this GPO, or other configuration to create this registry value, was used.