Update: On September 23, 2021, the Exchange Team announced that effective October 1st, 2022, basic authentication, regardless of usage, will be permanently disabled in all tenants. Update: On June 17, 2021, the Exchange Team announced that they are going to turn off basic authentication for tenants not using it. Update: On February 5th, 2021, the…
A guide to implementing AppLocker on your Modern Workplace
At our last Windows Management User Group Netherlands meeting, we had the honor of having Sami Laiho, one of the world’s leading professionals in the Windows OS and Security, fly over to the Netherlands and present for our user group. In his presentation titled: “Securing Windows in 2020 and forward”, Sami made us aware that…
Stopping automatic email forwarding in your Exchange Online environment in a controlled way
Working as a modern workplace consultant also means that sometimes you have to go deep into Exchange Online options in order to make sure that (sensitive) data of your customer doesn’t leave the organization without the proper security measures being taken. In the Microsoft documentation titled: “Best practices for configuring EOP and Office 365 ATP“, the…
Challenges while managing administrative privileges on your Azure AD joined Windows 10 devices
By default, on Windows 10 devices which are Azure AD joined, the user performing the join is added to the Local Administrator group. Besides the user and the local administrator (which is disabled by default), two other SIDs are added without any friendly name which explains who they are. So where are those SIDs coming…
Did you already modify your Azure AD consent defaults settings? Here is why you should
As you may know, it’s possible for your users to sign in to SaaS-based applications using their Azure AD account. By doing this, a Single Sign On (SSO) experience is created for the user. Before this SSO for a SaaS-based application is possible though, the user needs to accept (a) permission request(s) from the…
Blocking access to Cloud apps by integrating Microsoft Cloud App Security with Microsoft Defender Advanced Threat Protection
Microsoft has quietly introduced the option to automatically block connections to unsanctioned cloud apps from the Microsoft Cloud App Security (MCAS) console. This is accomplished by integrating MCAS with Microsoft Defender Advanced Threat Protection (MDATP). Based on the information available in Cloud App Security, the app’s domains are used to create domain indicators in the Microsoft Defender…
Microsoft deprecates Conditional Access baseline policies in favour of Security Defaults, here is what you need to know and do
Last week, Microsoft announced that the Azure AD conditional access baseline policies will not make it out of their current preview status. The functionality of the baseline policies will be made available in a new feature called “Security Defaults”. Microsoft will remove the baseline policies on February 29th, so if you are using them…
Implementing RBAC and Scoping in Microsoft Intune
When you create an Intune tenant within your environment, you execute the creation with an account which is Global Administrator within Azure Active Directory. And in my work as an independent consultant I see a lot of companies which keep using the account with Global Administrator rights to manage their Microsoft Intune environment as well….
Did you already enable DKIM and DMARC for your Office 365 domains?
When you host your email on the Exchange Online (EXO) platform, part of Office 365, you can implement several security measures to make sure that email sent from your domain gets delivered to the mailbox of the recipient. The best-known solution for this is implementing a Sender Policy Framework (SPF) DNS record. By creating…
Intune: Choosing whether to assign to User or Device Groups
One of the disadvantages of being an experienced consultant in IT is the fact that once in a while you need to re-learn. With re-learn I mean that for some concepts it’s easier to understand how it works if you come from no-experience. I’ve experienced this with quite some Microsoft products as well. If you…
Report-only mode, and some more handy reporting functionality for Conditional Access and Azure AD
During its annual Microsoft Ignite 2019 conference this week, Microsoft announced a new feature for Conditional Access called Report-Only mode in preview. So, what is Report-only mode? Report-Only mode is a new option within a Conditional Access policy. Besides the option to turn the conditional access policy on or off, the option to Report-only has…
What are Guided Scenarios in Microsoft 365 Device Management/Intune?
While browsing the new Microsoft 365 Device Management portal I noticed the following option: “Guided scenarios (preview)”. From the What’s new in Intune page it seems that this functionality was released in the release of October 14th 2019. Disclaimer: This post is written on October 29th 2019 and reflects the state of this functionality at…
iOS restore behaviour when re-enrolling devices with backup data into Intune
While implementing Intune at my customers I rarely encounter green field implementations where computers and mobile devices are newly delivered and no data needs to be restored on the device. Most of the time, the devices are already in use and we need to figure out some strategy to deal with the data from the…
What are Intune Policy Sets?
Starting with the Intune release from October 14th 2019, Microsoft made available a new functionality called “Policy Sets”. Even though they are now (at the time of writing this article) still in preview, they are a very welcome addition to the Intune options available. Added November 29th: Please make sure to also read about Guided scenarios…
Extending Conditional Access to Microsoft Cloud App Security using Conditional Access App Control
In my blog article series on Conditional Access Demystified I mentioned that Conditional Access can be used to route sessions toward Microsoft Cloud App Security (MCAS). In this article I will go into more detail on what MCAS is, and how to set up Conditional Access App Control. Disclaimer: This article discusses the full option MCAS…