Modern Device Management

With the recent spate of IT security breaches involving  #okta #mfafatigue  to name a few, the importance of implementing strong security measures has been put into question once again. Through this blog, I wanted to cover enabling Fraud alert as one of the counter measures, especially against MFA fatigue.  So what is MFA fatigue? In simple terms, MFA fatigue is tricking users into allowing device access due to overload of push notifications through Authenticator App. There are many ways one can about addressing this. Ideally organizations should consider going password-less by replacing push notifications with phone sign-in to thwart threats like MFA fatigue. In case this is not an option or the organization is not ready to implement it right away, then you can consider implementing fraud alert as a counter measure. What is a Fraud Alert? As the name suggests, the fraud alert feature lets users report fraudulent attempts being made to access corporate resources using th...

Back in December 2020, I had blogged about leveraging Google Chrome's CSP settings to configure Google chrome browser configuration on Windows 10 devices. As of March 2022, using this ADMX backed CSP for Google Chrome is no longer required because now Microsoft have added the ADMX as an admin template in the Device Configuration profile in Intune. Strangely, as of writing this blog, the ADMX has not been added in Settings Catalog as yet, but atleast it is good to know that now the Google Chrome settings can be deployed natively using Intune. <Update 26.03.2022 - Google Chrome ADMX settings are now available in Settings Catalog. Keep reading to check the configuration later in the blog.> Administrative Template Settings in Intune 1. Navigate to Microsoft Endpoint Manager admin console. 2. Under Devices -> Windows -> Configuration profiles -> Create profile. 3. Under Platform, select Windows 10 & later . 4. Under Profile types, select Templates -> Administrati...

Picking up from my previous post on configuring and enabling MFA through registration campaign and conditional access policies , it is now time to address the requirement of configuring risk policies as part of over all implementation of Azure AD Identity protection feature. So what is a risk? Any suspicious action related to user accounts in the directory may be considered as a risk in Azure AD Identity protection. Identity Protection identifies risks under the following categories:  - Anonymous IP address  - Atypical travel  - Malware linked IP address  - Unfamiliar sign-in properties  - Leaked credentials  - Password spray Identity protection also supports automated remediation actions which can be tiggered in form of requiring users to perform Azure AD Multi-Factor Authentication, reset their password, self-service password reset, or blocking until an administrator takes action. There are some licensing requirements which need to be taken into considera...

The importance of mobile security is on the rise and to secure web access, Microsoft recommends using Edge to prevent data leakage, not just on mobile devices but across all device platforms. Being an approved browser for mobile devices, policies can be enforced to protect Office 365 services like Exchange Online, SharePoint Online, the Office portal, and even access to on-premises (intranet) sites via the Azure AD Application Proxy. In addition to this, Edge supports multi-identity which means users can add both work & a personal account, thus allowing complete separation between the two identities. Something which is already offered in other Microsoft mobile apps.  Be it Intune or a third party MDM, managed app configuation can be enforced to pre-load corporate specific settings and also leverage Azure conditional access policies to enforce controls to allow access only using Edge. In this blog, we are going to take a look at what all is involved in putting the configuration ...