The new built-in admin consent workflow within AzureAD Enterprise Application is amazing!
This feature will give you the control that you need to take care of your companies sensitive information like user id`s, files, email accounts etc.
Did you know that malicious applications is often a start of a sophisticated phising attack?
If a malicious application get`s the right permissions it could be a bad situation for your company!
Just have a look at this random application and what that app can retreive, other also gives a complete user list of all the employees back to the app developers.
In this case ALL files that this user has access to does this app now have access to read – meaning that`s there is no secrets anymore..
So to be able to block and and have controll over the applications that get`s granted to your AzureAD tenant you should use the new “Admin Consent Workflow” within AzureAD. This feature is in preview at the moment but I highly recomend using it.
It takes two minute to configure and after it`s configured the users see`s this when trying to connect a thirdparty application to your tenant
After this request is sent – the admin that is configured within the workflow get`s an approval email and can easlly approve consents 🙂
The configuration looks like this:
Please have a look at the official documentation and enable it for your deployment!
If your Microsoft 365 tenant like mine is located in a region that not`s include your country then this is how you should configure your tenant to get the data as close to you as posible!
(if Microsoft has opened a Datacenter in your country of course :))
Why move your data?
There are several improvements by getting your data moved to a closer datacenter.
Improved latency to the services
Data stored in your own country
Still have DR capabilities outside of your country if infrastructure failes
Multi-geo capabilities to many more closeby countries for your staff
The latency improvements are incredible! I have noticed this when using a SharePoint Online site located in Europe vs. In my home country Norway. The latency against Norway was much much better and when using the service it feels much more “snappy”.
Creating a new Microsoft 365 tenant for everyone living in Norway will create the data store in Norway aswel for the services
When to do it?
Microsoft has released a table of when the Request period for requesting a move of data, take a look here to have a look for your country!
For us in Norway this means that we need to opt-in by the end of October to be migrated and get our core customer data at rest in Norway.
When will your data be moved?
A catch with all this is that Microsoft says that they may use 24 months to move your data! TWO years for migrating it to new datacenters.. But that said, it can happend faster. After you request a move of data, Microsoft will plan to move your company data as soon as operational constraints allow.
How to request a move of data?
It`s quite easy to request a move of data!
Head in to “Settings -> Organization profile -> Data residency” and check the checkmark and “Save changes” then wait 🙂
To look at where your data is at the moment head into the “Data location” in the same menu under Organization profile and have a look 🙂
In this post I want to go through some steps that I think is quickest method to get started with Microsoft Endpoint Manager. This will not cover ALL the features but it will give you an quickstart to the service.
For instance, what shold you start with?
To be honest, start with something easy and creates quick ROI (Return of investment) and that could be more than just how to get my money back – rather it could mean that your infrastructure is getting more secure.
So to start with something “easy” let`s kick it of with mobile devices. Many companies does not have any Mobile device management in place and their Cloud services is available for EVERYONE to attache to. So let`s start with demanding compliant devices and closing the door for others!
Requirements: Microsoft 365 E3 / E5 or EMS E3 / E5 or Intune licenses
Devices Android devices will work straight “out of the box” with Intune but to be able to join iOS/iPadOS Devices to Intune we need to generate and apply a “Apple MDM Push certificate”.
Let`s start with the Certificate for Apple devices (this certificate is also needed for MacOS devices). The only thing you need here is an Apple ID and follow the guide from “Devices -> iOS enrollment -> Apple MDM Push Certificate”. When this is in plnace we can procede.
When it`s created you have a valid Certificate for the next 365 days. That means that you need to remind your self to renew the certificate every year! When the certificate expires your intune services will stop against Apple devices.
So what is a compliant device?
A compliant device is a device registred to Intune and has passed the Compliance policy that you have created.
The policy can contain several “settings” that must be enabled or set on your device for it to be marked as “Compliant Device”. For iOS/iPadOS we have at the moment (04.04.2020) 17 settings we can check to validate the device and for Android 19 settings (04.04.2020).
Here is a simple set of compliant device policies for Android and iOS.
Navigate to “Devices -> iOS -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Jailbroken devices” and “Require password to unlock device”
Hit Create and go to “Assignments”, in this menu we will assign the policy to all users so that everyone that tries to enroll their device will get the policy. (this is the same step for both iOS and Android).
Navigate to “Devices -> Android -> Compliance policies” and create a new policy. Give it a name, set some settings and click create. In this policy i have just put on two settings, “block Rooted devices” and “Require password to unlock device”
And like the iOS policy we need to assign it to all users, so head in to Assignents after creating the policy and assign it to all users.
Block devices that are not compliant
To block users from connecting with other devices we will use Conditional Access to prevent devices that are not enrolled in your organization. The policy is created from the Microsoft Endpoint Manager portal under “Endpoint security -> Conditional Access. Create a new policy and name it “Require compliant devices”
The policy looks like this and will of course not block the Intune enrollment portal 😊
Users and groups
Include all users and create exclution for users you want to exclude from the policy
Cloud Apps or actions
Include “All cloud apps” and click on “Exclude” and search after “Microsoft Intune Enrollment”
Device platforms, configure it and choose Android and iOS from the list.
Grant access and choose “Require device to be marked as compliant”
Now you can enroll your first device, i`ll show it with an iPad her, but first you need to downlod the Company Portal to your iPad.
Then you stat the application and sign in – then starts the enrollment of the device.
When that`s completed the device is registred in the Device pane in Microsoft Endpoint Manager Admin Center and you`ll see complance status on it.
That`s it! Now you have a new requirement for all users, they need to enroll their devices (mobile devices) within Microsoft Endpoint Manager to gain access to cloud resources!
Many people wonder what Microsoft Endpoint Manager is and how to quickly gain value to their company by using it.
In this post i will
give you some quick information on what it is and later on create a how to get
started quckly with Microsoft Endpoint Manager!
So what is Microsoft
Some people are saying “It`s the new name of Intune” and that`s not what it is at all! or Intune is in there, but it`s so much more.
MS Endpoint Manager is a tool set witch are combining several solutions and gives you “One place to manage” several infrastructure services. To name them:
Microsoft Intune (ofcourse :))
Microsoft Endpoint Configuration Manager (SCCM)
Microsoft Defender ATP
Azure Active Directory
By doing this Microsoft achieves a ground breaking new management solution for us that gives us ability to manage all major platforms like Windows devices, Apple devices, Linux distros and Android devices.
So to be clear,
Microsoft Intune or Microsoft Endpoint Configuration Manager (SCCM) will not be
discontinued! They both will live their life but be combined with Microsoft
So what do you need
to start using Microsoft Endpoint Manager?
You need to have either Intune licenses or SCCM licenses and you also need to have Azure Active Directory Premium P1 to utilize Azure AD Conditional Access.
I will in the next blogpost come up with a brief guide om how to get started using Microsoft Endpoint Manager and quickly gain usage of yours EMS package!
Last but not least
in my blog post series “S for Security in EMS” is about Microsoft
Cloud App Security!
Microsoft Cloud App
Security is a CASB (Cloud access security broker) service delivered by
Microsoft that will give you several features to protect your data, users and
cloud services. MCAS is giving you a great insight on
Shadow IT visibility
Cloud applications usage
Notifications when users take advantage of new Cloud applications
Dive into specific applications, users or ip addresses
Microsot Cloud App
Security comes in two editions – Microsoft Cloud App Security and Office 365
Cloud App Security
With both editions you can easily upload your firewall logs to MCAS and get a analysis on what users are using of Cloud applications from your office network or you can configure reverse proxy features with Conditional Access and MCAS giving you great insight on what applications users are using with Azure AD integration and files shared across other services outside of Office 365.
When creating a new
snapshot report (aka firewall log upload) the data goes through several steps
like file parsing, data analysis and then the report is created.
This is a sample on
how the report could look like and what can be discovered.
Note that here you
see Open Alerts on Cloud applications users are using, how many GB of data is
being uploaded to what applications and much more!
Next up you also get
som pritty nice alerting out of the box.
There is 26 enabled
policies that will govern your environment looking for leaked credentials,
multiple failed logons, imposible travel and much more
Take a look here at
some alerts on imposible travel
The alert gives us
rich information on IP addresses, country, what service is used and witch user
are affected. A great tool to investigate a account breach!
Some of the policies available
That in mind!
Microsoft Cloud App Security or Office 365 Cloud App Security is a greate tool to use within your organization!
So in this fourth
blog post in my series S for Security in EMS we will og deeper in Advanced
Threat Analytics included within EMS.
So what is Advanced
Well, it`s an
on-premises platform that helps protect your enterprise from multiple types of
advanced targeted cyber attacks and insider threats.
Why is this a
important toolset to have on your hybrid environment?
Well, since you have
an hybrid environment you are lacking a system to detect abnormal behavour like
password sharing, lateral movements and so on and Malicious attacks like
Pass-the-Ticket, Pass-the-Hash and several other attack vectors.
analytics uses machine learning and user usage analytics discover abnorman
activities and suspicious activities.
Threat Analytics we can also get insights on Security Issues and risk within
our on-premises environment like broke trust between machines and domain
controlelrs, weak protocols used by our users and systems and much more!
All these actions and insights can be viewed from the Advanced Threat Analytics Dashboard
This is just a smal insight on what ATA can do for you!
So this is the third post in my blog post series “S for Security in EMS” and I will try to cover some Microsoft Intune benefits and quick-wins meaning how to quickly get started with Intune and to gain some benefits right the way.
First, what is Microsoft Intune?
Microsoft Intune is an cloud based mobile device manager, this does not mean that MS Intune only can be used for
Celular phones and tablets. All devices can be enrolled into Intune and by requireing this of your users we can start protecting business data with other tool-sets like Conditional Access, Information Protection and so on.
When users enroll their devices into intune (that can be Windows, macOS, Android or iOS) the device goes through an “Compliance policy” that you have configured to “measure” the device and stamp it as compliant or non-compliant based on evaluations against the the compliance policy.
So why is Intune so important for the Security part within the EMS Suite? Well! When your device is added to Intune and gone through the Compliance policy marking the device as an Compliant device we can use that status with for example Conditional access to deside on what services a user can access based on compliant device or not.
Azure Information Protection is included within the EMS package i would
recomend using the Office 365 Unified Labeling insted.
which can be eather Sensitivity or Retention labels and capabilities comes with
in the Office 365 E3 or Office 365 E5 license.
you use Unified labels you say?
Well, in my
opinion you should keep it as simple as posible for your users therefore by
embracing the Unified labels within Office 365 users don`t have to think about
using a labeling client to manage their labels. Unified labels are built into
Office applications both web and installed ones and also embeded into the
mobile applications. That meaning users can label on any device with
Azure Information Protection internal IT department of your company need to
roll out the AIP Client to all machines and drawbacks here is that web
applications and mobile applications are not eligable for this client.
creating some labels from Security & Compliance center and play arround
crating watermarks, encryption and deploy to test users at first to be able to
test your policies.
going through the Wizard you need to take some descisions on what the policy
Yes or no and what
permissions should be set automatically to your files.
Should the access to the
file expire on a givven date or days after encryption
Allow offline access to
files could be convenient for some.
Should the content be
Add DLP policy from the
Entpoint (Windows Information protection WIP).
Use this label to protect
Office365 groups (Teams and SharePoint sites also)
Here you can choose if the
created SharePoint site, Teams or Office 365 Group should be have
restricted access from unmanaged devices and such.
Use Autolable based on
This feature require E5
You can automatically lable
documents with for example Norwegian passport number is written in a
You have created your first label – quite easy.
going big-scale you need to evaluate how your company should label documents.
General, Confidential, Higly confidential and so on.
My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.
Since MyAnalytics is an “Opt-Out” feature in Office 365, some companies wants to change this behavour for their users, meaning that each users should enable this feature them self instead of the service being automatically enabled when users are created.
Changing settings in Office 365 to change this behavour:
Remove the three ticks on the MyAnalytics service window to change the default behavour for new users. removing these ticks will ensure that users need to “opt-in” their self by accessing “Myanalytics.microsoft.com” and change settings there.
And in each user can ustomize their own MyAnalytics settings by opt-in or opt-out in the dashboard “myanalytics.microsoft.com”
Remove the service from each user forcing the users to enable the service themself
#Connect to Exchange Online with MFA
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1) #download module from Exchange Online Admin Center under "hybrid" and using IE.
#Connect to Exchange Online
Connect-EXOPSSession -UserPrincipalName firstname.lastname@example.org
#This will make sure when you need to reauthenticate after 1 hour that it uses existing token and you don't have to write password and stuff
#check what state the users is in today
Get-UserAnalyticsConfig –Identity email@example.com
#Opt-out from service - users can opt-in again at https://myanalytics.microsoft.com/
Set-UserAnalyticsConfig –Identity firstname.lastname@example.org -PrivacyMode Opt-out
$privacyMode = "Opt-Out"
$users = Get-Mailbox *
ForEach ($user in $users)
Set-UserAnalyticsConfig –Identity $upn -PrivacyMode $privacyMode
Get-UserAnalyticsConfig –Identity $upn
Let`s start off
with the EMS E3 package and that will give you access and user rights to use
Azure AD Premium P1 features.
So do you need
Well, Azure AD Premium P1 gives you capabilities for your hybrid users to access both on-prem and cloud resources. The synchronization also provides write-back capabilities so self-service password reset for on-prem users can be achieved. Along with advanced features as Dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).
And one more
important feature which is one of the most powerfull regarding securing your
cloud services is “Conditional Access”. Yes we have “Security
Defaults” witch is a free service but if you need to do some exclutions
you need to upgrade to Azure AD Premium P1 to gain “Conditional
Over to EMS E5 –
that gives you several additions to the P1 license with all the Azure AD P2
are at the time “Azure Identity Protection” and “Priviledged
When going to P2
i will say that PIM is the feature you want to configure right the way as this
gives you access management in a whole new level. Users who have been givven
additional roles within your AzureAD does not have the role active at all time
lowering the attack vector for users. When users need to use their priviledge
roles they have to activate it and by adding a second factor to the activation
your priviledge roles are more secure! Hey, you can also add approvers to roles
so that a second person need to approve the request.
Many options on
this part as you see!
As this blogg post is in a series of several posts please stay tuned for the next service within EMS and this blog post series “S for security in EMS”