Modern Device Management

Microsoft has defined a four-step approach to end the era of passwords:  Source: Microsoft As part of the passwordless deployment solution, T emporary A ccess P ass simplifies and secures the account onboarding experience for the end user. It also makes account access recovery easier by using time limited passcodes to sign in and then allowing the end user to re-register for a new strong authentication methods in situations where the user has lost or forgotten their authentication factors like a FIDO2 security key or Microsoft Authenticator app. In this blog I am going to cover the steps of enabling TAP and what the end user experience looks like when trying to recover an account. In order to sign in with a Temporary Access Pass, TAP needs to be enabled in the authentication method policy. Although one can create a Temporary Access Pass for any user, only those included in the policy can sign-in with it. Note: Only Global administrator and Authentication Method Policy administrato...

The current version and some earlier versions of 7-Zip have a security vulnerability which could allow hackers to escalate privileges. The zero-day referred to as CVE-2022-29072  exploits the misconfiguration of 7z.dll. Hackers can gain unauthorized access to systems when a file with the .7z extension is placed within the Help > Contents area . The command then runs as a child process under the 7zFM.exe process. At present, 7-Zip has not released a security update to address this vulnerability, which means that all current versions of 21.07 are vulnerable. Luckily there is a workaround available to mitigate the vulnerability and through this blog, I will cover the remediation steps of implementing this workaround using ConfigMgr.  Workaround for mitigation To remedy this vulnerability, 7-zip.chm file in the 7-Zip installation directory needs to be deleted. This way the help section of 7-zip becomes unusable and the attackers cannot exploit it any further.  I have creat...

As part of my blogging series for implementing Azure AD authentication methods, I wanted to now cover passwordless authentication. Many organizations don't enable passwordless authentication because they think pins are less secure, but a username and password remains a primary attack vector and weak form of authentication that can be abused by bad actors through the means of social engineering, phishing, and spray attacks to compromise passwords.  A passwordless authentication strategy mitigates the risk of these attacks as the authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD): Source: Microsoft In this blog, I will be covering the details on how to enable passwordless using Microsoft Authenticator App. The Microsoft ...

Back in August 2021, I had published a blog covering the details and the process of configuring Enterprise mode site list  to support Internet Explorer dependent URLs\web apps together with the use of an Azure blob for storing the custom enterprise mode list (EML) in the cloud. With the introduction of  Cloud site list management  in the  Microsoft 365 Admin Portal, the entire configuration has been simplified. Cloud site list management  is a great addition as organizations can now store their own site list directly in Azure cloud. Not only that, they will be able to create, publish, import, export site lists, and audit changes to site list entries all through the Microsoft 365 Admin Center itself. The site lists can then be delivered using GPO, Intune or ConfigMgr. However, there are some prerequisites which need to be considered before one can start using the feature - - Customers must have an Azure AD tenant . - Admins must have Microsoft Edge version 93 or...

When I blogged about using settings catalog for Google Chrome browser settings  back in March 2022, I knew this is only a start as Google Chrome's admx was now built into Intune. After only a couple of weeks, I now find myself using settings catalog again to configure yet another Google Chrome browser setting which I had been configuring using CSP all this while. The configuration in question is for enabling specific Google Chrome browser extensions in order to support device state based Conditional Access policies. Enabling Google Chrome Windows Accounts or Office Online extensions Windows Accounts  or Office Online  extensions are required if you want Google Chrome browser to support Conditional Access policies where device state is being used as a condition. Note: These extensions may not work with Hybrid Azure AD join scenario and may only work for Azure AD identity. In this blog, I will configure Windows Accounts extension as an example. Follow the steps below ...