CategoryIdefixBlog

What is Microsoft Endpoint Manager?

Many people wonder what Microsoft Endpoint Manager is and how to quickly gain value to their company by using it.

In this post i will give you some quick information on what it is and later on create a how to get started quckly with Microsoft Endpoint Manager!

So what is Microsoft Endpoint Manager?

Some people are saying “It`s the new name of Intune” and that`s not what it is at all! or Intune is in there, but it`s so much more.

MS Endpoint Manager is a tool set witch are combining several solutions and gives you “One place to manage” several infrastructure services. To name them:

  • Microsoft Intune (ofcourse :))
  • Microsoft Endpoint Configuration Manager (SCCM)
  • Windows Autopilot
  • Desktop Analytics
  • Microsoft Defender ATP
  • Azure Active Directory

By doing this Microsoft achieves a ground breaking new management solution for us that gives us ability to manage all major platforms like Windows devices, Apple devices, Linux distros and Android devices.

So to be clear, Microsoft Intune or Microsoft Endpoint Configuration Manager (SCCM) will not be discontinued! They both will live their life but be combined with Microsoft Endpoint Manager.

So what do you need to start using Microsoft Endpoint Manager?

You need to have either Intune licenses or SCCM licenses and you also need to have Azure Active Directory Premium P1 to utilize Azure AD Conditional Access.

I will in the next blogpost come up with a brief guide om how to get started using Microsoft Endpoint Manager and quickly gain usage of yours EMS package!

Stay tuned for more secure devices!

S for Security in EMS – Cloud App Security

Last but not least in my blog post series “S for Security in EMS” is about Microsoft Cloud App Security!

Microsoft Cloud App Security is a CASB (Cloud access security broker) service delivered by Microsoft that will give you several features to protect your data, users and cloud services. MCAS is giving you a great insight on

  • Shadow IT visibility
  • Cloud applications usage
  • Notifications when users take advantage of new Cloud applications
  • Dive into specific applications, users or ip addresses

Microsot Cloud App Security comes in two editions – Microsoft Cloud App Security and Office 365 Cloud App Security

To see differences in features have a look at docs.microsoft.com here

With both editions you can easily upload your firewall logs to MCAS and get a analysis on what users are using of Cloud applications from your office network or you can configure reverse proxy features with Conditional Access and MCAS giving you great insight on what applications users are using with Azure AD integration and files shared across other services outside of Office 365.

When creating a new snapshot report (aka firewall log upload) the data goes through several steps like file parsing, data analysis and then the report is created.

This is a sample on how the report could look like and what can be discovered.

Note that here you see Open Alerts on Cloud applications users are using, how many GB of data is being uploaded to what applications and much more!

Next up you also get som pritty nice alerting out of the box.

There is 26 enabled policies that will govern your environment looking for leaked credentials, multiple failed logons, imposible travel and much more

Take a look here at some alerts on imposible travel

The alert gives us rich information on IP addresses, country, what service is used and witch user are affected. A great tool to investigate a account breach!

Some of the policies available

That in mind!

Microsoft Cloud App Security or Office 365 Cloud App Security is a greate tool to use within your organization!

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS – Advanced Threat Analytics

So in this fourth blog post in my series S for Security in EMS we will og deeper in Advanced Threat Analytics included within EMS.

So what is Advanced Threat Analytics?

Well, it`s an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.

Why is this a important toolset to have on your hybrid environment?

Well, since you have an hybrid environment you are lacking a system to detect abnormal behavour like password sharing, lateral movements and so on and Malicious attacks like Pass-the-Ticket, Pass-the-Hash and several other attack vectors.

Advanced threat analytics uses machine learning and user usage analytics discover abnorman activities and suspicious activities.

Within Advanced Threat Analytics we can also get insights on Security Issues and risk within our on-premises environment like broke trust between machines and domain controlelrs, weak protocols used by our users and systems and much more!

All these actions and insights can be viewed from the Advanced Threat Analytics Dashboard

This is just a smal insight on what ATA can do for you!

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS – Microsoft Intune

So this is the third post in my blog post series “S for Security in EMS” and I will try to cover some Microsoft Intune benefits and quick-wins meaning how to quickly get started with Intune and to gain some benefits right the way. 

First, what is Microsoft Intune?  

Microsoft Intune is an cloud based mobile device manager, this does not mean that MS Intune only can be used for 

Celular phones and tablets. All devices can be enrolled into Intune and by requireing this of your users we can start protecting business data with other tool-sets like Conditional Access, Information Protection and so on. 

When users enroll their devices into intune (that can be Windows, macOS, Android or iOS) the device goes through an “Compliance policy” that you have configured to “measure” the device and stamp it as compliant or non-compliant based on evaluations against the the compliance policy.  

Image result for microsoft intune compliance

So why is Intune so important for the Security part within the EMS Suite? Well! When your device is added to Intune and gone through the Compliance policy marking the device as an Compliant device we can use that status with for example Conditional access to deside on what services a user can access based on compliant device or not.  

Furter on we can with the MDM deploy software like Antivirus/Antimalware (if you don`t use Microsoft Defender ATP :)), deploy Windows 10 security baselines where you can controll several services within Window 10 (https://docs.microsoft.com/en-us/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-may-2019).  

And the last but not least, you have an inventory of devices that can access your enterprise data and applications! Thats a big value to have in your pocket! 🙂 

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS – Azure Information Protection

Even tho Azure Information Protection is included within the EMS package i would recomend using the Office 365 Unified Labeling insted.

Those labels which can be eather Sensitivity or Retention labels and capabilities comes with in the Office 365 E3 or Office 365 E5 license.

Why should you use Unified labels you say?

Well, in my opinion you should keep it as simple as posible for your users therefore by embracing the Unified labels within Office 365 users don`t have to think about using a labeling client to manage their labels. Unified labels are built into Office applications both web and installed ones and also embeded into the mobile applications. That meaning users can label on any device with application.

When using Azure Information Protection internal IT department of your company need to roll out the AIP Client to all machines and drawbacks here is that web applications and mobile applications are not eligable for this client.

So!

Start with creating some labels from Security & Compliance center and play arround crating watermarks, encryption and deploy to test users at first to be able to test your policies.

Head into https://protection.office.com/ and navigate to “Classifications -> Sensitivity labels” and from her create a new label

CD 
Home 
Alerts 
Permissions 
— Classification 
Sensitivity labels 
Retention labels 
Sensitive info types 
https://protection.office.com/sensitivity?viewid=sensitivitylabels 
Office 365 Security & Compliance 
Home > sensitivity 
Labels Label policies 
Sensitivity labels are used to classify email messages, documents, sites, and more. 
encrypt files, add content marking, and control user access to specific sites. Learn 
+ Create a label Publish labels C) Refresh 
Name 
Classified - Web only from not compliant clients 
Highly classified - Block access from not compliant devices

Follow through with the wizard

New sensitivity label 
o 
o 
o 
o 
o 
Name & description 
Encryption 
Content marking 
Endpoint data loss prevention 
Site and group settings 
Auto-labeling for Office apps 
Review your settings 
Name your label 
The protection settings you choose for this label will be immediately enforced on the files, email messages or sites to which it's applied. Labeled files will be protected wherever 
they go, whether they're saved in the cloud or downloaded to a computer. 
Name 
Classified 
Tooltip 
Enter text that helps users understand this label's purpose 
Description 
Enter a description that's helpful for admins who will manage this label

And when going through the Wizard you need to take some descisions on what the policy should do.

  • Encryption
    • Yes or no and what permissions should be set automatically to your files.
    • Should the access to the file expire on a givven date or days after encryption
    • Allow offline access to files could be convenient for some.
  • Should the content be watermarked?
  • Add DLP policy from the Entpoint (Windows Information protection WIP).
  • Use this label to protect Office365 groups (Teams and SharePoint sites also)
    • Here you can choose if the created SharePoint site, Teams or Office 365 Group should be have restricted access from unmanaged devices and such.
  • Use Autolable based on conditions
    • This feature require E5
    • You can automatically lable documents with for example Norwegian passport number is written in a document.

Thats it! You have created your first label – quite easy.

But before going big-scale you need to evaluate how your company should label documents. General, Confidential, Higly confidential and so on.

My best tip there is to create a table on the labels you think you need and describe the “rules” of when to apply the labels. Like financial data should maybe be labels highly confidential while some company flyers should have “General”.

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Change to Opt-In in MyAnalytics

Since MyAnalytics is an “Opt-Out” feature in Office 365, some companies wants to change this behavour for their users, meaning that each users should enable this feature them self instead of the service being automatically enabled when users are created.

Changing settings in Office 365 to change this behavour:

Remove the three ticks on the MyAnalytics service window to change the default behavour for new users. removing these ticks will ensure that users need to “opt-in” their self by accessing “Myanalytics.microsoft.com” and change settings there.

And in each user can ustomize their own MyAnalytics settings by opt-in or opt-out in the dashboard “myanalytics.microsoft.com”

Remove the service from each user forcing the users to enable the service themself

#Connect to Exchange Online with MFA
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA+"\Apps\2.0\") -Filter CreateExoPSSession.ps1 -Recurse ).FullName | Select-Object -Last 1) #download module from Exchange Online Admin Center under "hybrid" and using IE.
#Connect to Exchange Online
Connect-EXOPSSession -UserPrincipalName julian.rasmussen@xxxxxxxxxx.no
#This will make sure when you need to reauthenticate after 1 hour that it uses existing token and you don't have to write password and stuff
$global:UserPrincipalName="julian.rasmussen@xxxxxxxxxx.no"

#check what state the users is in today
Get-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no

#Opt-out from service - users can opt-in again at https://myanalytics.microsoft.com/ 
Set-UserAnalyticsConfig –Identity julian.rasmussen@xxxxxxxxxx.no -PrivacyMode Opt-out

#multiple opt-out
$privacyMode = "Opt-Out"

$users = Get-Mailbox *
ForEach ($user in $users)
{
$user.Userprincipalname
$upn=$user.UserPrincipalName

Set-UserAnalyticsConfig –Identity $upn -PrivacyMode $privacyMode
Get-UserAnalyticsConfig –Identity $upn
}

S for Security in EMS – AAD Premium

Let`s start off with the EMS E3 package and that will give you access and user rights to use Azure AD Premium P1 features.

So do you need it?

Well, Azure AD Premium P1 gives you capabilities for your hybrid users to access both on-prem and cloud resources. The synchronization also provides write-back capabilities so self-service password reset for on-prem users can be achieved. Along with advanced features as Dynamic groups, self-service group management and “Microsoft Identity Manager” (on-prem identity and access management).

And one more important feature which is one of the most powerfull regarding securing your cloud services is “Conditional Access”. Yes we have “Security Defaults” witch is a free service but if you need to do some exclutions you need to upgrade to Azure AD Premium P1 to gain “Conditional Access” features.

Over to EMS E5 – that gives you several additions to the P1 license with all the Azure AD P2 features.

Those features are at the time “Azure Identity Protection” and “Priviledged Identity Management”

When going to P2 i will say that PIM is the feature you want to configure right the way as this gives you access management in a whole new level. Users who have been givven additional roles within your AzureAD does not have the role active at all time lowering the attack vector for users. When users need to use their priviledge roles they have to activate it and by adding a second factor to the activation your priviledge roles are more secure! Hey, you can also add approvers to roles so that a second person need to approve the request.

Many options on this part as you see!

As this blogg post is in a series of several posts please stay tuned for the next service within EMS and this blog post series “S for security in EMS”

S for Security in EMS – Overview
Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

S for Security in EMS

Since Enterprise Mobility + Security (EMS) is a core component of Microsoft 365 services you need to understand what services is present within the EMS package. In the same way that Microsoft 365 services comes with a E3 or E5 service level does EMS also that. I will try to give a easy and understandable overview of all the core components of EMS within the next 5 blog posts.

We will dig into all the main topics that you se in the table below.

In the table below you will see the difference between the EMS E3 and EMS E5

Service EMS E3 EMS E5
Azure AD Premium P1 P2
Azure Information Protection P1 P2
Microsoft Advanced Threat Analytics Incl. Incl.
Microsoft Intune Incl. Incl.
Cload App Security   Incl.

By now you probably trying to figure out on some questions;

Do I need EMS in my organisation?

Witch EMS subsctiption do I need?

Should we move to Microsoft 365 subscriptions?

The short answered for this is; Yes, depends and maybe. Not much of an answer but if you stay put on the next few blog posts, I will walk through the services on what it does and what it can be used for to make it a little easier to choose the right licenses for your organisation.

Part 1 – S for Security in EMS – Azure AD Premium
Part 2 – S for Security in EMS – Information Protection
Part 3 – S for Security in EMS – Microsoft Intune
Part 4 – S for Security in EMS – Advanced Threat Analytics
Part 5 – S for Security in EMS – Cloud App Security

Azure Tags

Azure tags is an important tool of marking your resources with some additional information. 

This information can be what your business requires and is not set by any templates or so. 

Keep in mind that when you start with tagging it must give you some sort of value in some reasons this is cost-related that meaning you can tag resources with a costcenter tag like 

CostCenter : BusinessApplication 
CostCenter : Human Resources 

Other departments can also be in use of tags and then i`m thinking of the Security department and their Incidence and Respond team. By adding additional information to your Azure resources, you can set an value on resources and with that also prioritize what resources to mitigate first if there is an security incident.  

Setting tags can be done at creation of the resource in the Azure Portal but also within ARM templates or you can use Azure Policy to add tags after deployments aswell.  

When adding tags to a existing resource navigate to the resource and hit the Tags pane in the menu then add a TagName and a Value of the tag. 

Going forward this can also be done when creating a new resource within the Wizard and also by ARM temlates by adding this to the “Parameter” section of your ARM temlate:

"resourceTags": {  
      "type": "object",
      "defaultValue": {
      "CostCenter": "BusinessApplication"}
      }

And this to the actual resource 

"tags": "[parameters('resourceTags')]", 

If using Azure Policy to remidiate existing resources you can use a built in policy named “Add a tag to resource” and deploy that to your subscription.  

By using Azure Policies you can also block creation of new resources without having a Tag set to the resources upon creation.  

All of these methods are powerfull methods but i like the Azure Policy methods the most as these policies can be givven a logic to it – but more on Azure Policies in another blog post. 

Keep tagging all your resources and grow your value of your assets in Azure!  

Security Defaults – a lifesaver for some and a little pain for others

So lets talk about “Security Defaults” a bit, this new feature in AzureAD who replaces “Baseline policies: ” in the Conditional Access pane within Security in AzureAD.

First of all – the baseline policies where in preview and could be changed before the feature went GA so we cant blame anyone of the service changing before production.

The Baseline policies gave us remediaton of MFA and and blocking of legacy authentication within 4 policies that everyone could use within Conditional Access, these four policies where free so no cost and that sweet!

  • Baseline Policy: Require MFA for admins (Preview)
    • Enabled MFA to all administrator roles within AzureAD
  • Baseline Policy: End user protection (Preview)
    • Enabled MFA registration to all users and required MFA for users with leaked password or other risky signins.
  • Baseline Policy: Require MFA for Service Management (Preview)
    • Require MFA for accessing the Azure Portal, Azure PowerShell modules or Azure CLI
  • Baseline Policy: Block legacy authentication (Preview)
    • Blocked the usage of legacy authentication on all services (such as pop, IMAP, native android clients etc.

For a good time now we cound enabled one or more of those 4 baseline rules – but that ends! At February 29th 2020 Microsoft will discontinue the use of Baseline policies so if you are using some of them you need to enable Security Defaults in AzureAD.

Head into portal.azure.com -> Properties -> Security Defaults and enable it.

Please not that if you have license for using Conditional Access (Azure AD Premium P1) you cannot a Conditional Accessrule without disabling Security Defaults.

And if you have Azure AD Premium P1 you should be creating the Conditional Access rules manually and that gived you several advantages such as exclude users, pinpoint to some cloud apps or exclude them and set other requiremets aswel.

Best practice says that you should always have a “Break the glass administrator” account who is excluded from all the Requirements – but please note! That account need to be monitored and high security alerts should be raised every time the account is used.

© 2020 IdefixWiki

Theme by Anders NorénUp ↑