Posts

Mixed mode Defender subscription & licensing for endpoints

I was recently asked by a customer about the possibility of using mixed licensing for Defender for Endpoint. They held both MDE Plan 1 and Plan 2 licenses, as part of M365 E3 and E5 respectively, but wanted all Windows endpoints kept at MDE Plan 1 capabilities until the Plan 2 features had been tested. For a long time this was not possible: where multiple subscriptions existed, the subscription with the highest functionality took precedence across the tenant. That is no longer the case. Microsoft now supports a mixture of subscriptions and licenses. Some of the most common scenarios are: 1. Mixed tenant - different sets of capabilities for groups of users and their devices, based on licenses such as MDE Plan 1 and Plan 2, or Microsoft 365 E3 and E5. 2. Mixed trial - a mixture of full and trial licenses, such as MDE Plan 1 and M365 E3 (purchased for all users) alongside MDE Plan 2 and M365 E5 trial (purchased for some users). 3. Phased upgrades - upgrade user licenses in phases by m

'Device States' in Conditional Access for both Corporate and Personal Intune managed devices - A retrospect

Source: Microsoft. With Microsoft Intune, organizations can use the device states that enrolled devices report to Entra ID to determine whether those devices meet specific compliance requirements, and enforce controls accordingly to grant or block access to corporate resources. With device states, once the user has successfully authenticated, a Primary Refresh Token (PRT) containing both user and device claims is issued. Where a Conditional Access policy requires either a device-based control or a multifactor authentication control, the requirement can be satisfied through the device state carried in the PRT without prompting for MFA again. This is because when a PRT is used to request access to an application, its device, session, and MFA claims are trusted by Microsoft Entra ID. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, giving users a resilient experience. With the currently available device states, Microsoft recommen

Intune Web based device enrolment with Just-in-time registration and Defender for Endpoint onboarding for iPadOS - Tips from the field!

I recently worked on a project that required setting up Intune and Defender for Endpoint enrolment policies for iPadOS. While some might say that this is a pretty routine task, and in an absolute sense it may well be to some extent, I actually went another way. Let me start by mentioning that the iPadOS devices in scope were existing devices, and in some cases BYO, so resetting them was not an option. Therefore, a user-based enrolment had to be the choice of enrolment. Back in the day, one would normally enrol iOS/iPadOS devices using Company Portal, and while this is still supported, with the introduction of support for Apple's Single Sign-On (SSO) extensions, I chose to configure web-based device enrolment together with Just-in-time (JIT) registration for iPadOS devices. Web-based enrolment utilizes just-in-time (JIT) registration with the Apple single sign-on (SSO) extension to facilitate Microsoft Entra registration within the work apps, thus reducing the number of authe

Using Log Analytics to identify Multifactor Authentication Gaps

On August 15 2024, Microsoft released a communication stating that multifactor authentication (MFA) will be enforced from October 15 2024 for access to the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. The enforcement is planned to roll out in 2 phases. Phase 1: Starting in the second half of 2024, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase won't impact other Azure clients such as Azure CLI, Azure PowerShell, the Azure mobile app, or IaC tools. Phase 2: Beginning in early 2025, MFA enforcement gradually begins for sign-in to Azure CLI, Azure PowerShell, the Azure mobile app, and IaC tools. Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to secure cloud-based service accounts with wor