Posts

Showing posts from September, 2023

Servicing Profiles for Microsoft 365 Apps

Source: Microsoft

If you are deploying and managing Microsoft 365 Apps at an enterprise level, then you should consider implementing a security update policy as well. There are many ways to achieve this depending on the management tool you are using, but in the world of cloud management, organizations will typically deploy and manage Microsoft 365 Apps using Intune. However, for greater control, Microsoft has provided a feature called Servicing Profiles, which is available through the Microsoft 365 admin portal.

What are Servicing Profiles?

Servicing Profiles lets you automatically deliver monthly Office updates on the Monthly Enterprise Channel beginning the second Tuesday of every month. The Monthly Enterprise Channel, with its delivery cadence of performance and quality updates, is the recommended default channel for most organizations. Updates can be targeted to users or groups and can be delivered in waves to limit the impact on the network. One can also set deadlines for the up...

Protected Actions in Entra ID and Authentication Context in Conditional Access

While working on a Conditional Access requirement involving authentication context, I stumbled upon protected actions in Entra ID and thought of blogging my thoughts and experience working with the feature.

What are Protected actions?

Protected actions are role permissions with Conditional Access applied for added security. Conditional Access requirements are enforced when a user performs the protected action, triggering a process that will require first satisfying the Conditional Access policies assigned to the required permissions. Because the policy enforcement occurs at the time the user attempts to perform the protected action and not during user sign-in or rule activation, users are prompted only when needed.

Protected actions is currently in preview and can be applied to only a limited set of permissions spanning the following areas:

- Conditional Access policy management
- Cross-tenant access settings management
- Custom rules that define network locations
- Prote...

Removing Sophos using Microsoft Intune

Replacing a third-party AV solution like Sophos with Microsoft Defender for Endpoint on Windows endpoints can be a harrowing experience. However, if you know the ins and outs of the process, then it can make things a little easier. I recently dealt with the task of removing Sophos AV as part of an implementation project for Defender for Endpoint and thought of writing a blog post on it. Hope it helps.

Let's look at some of the key steps first:

1. Ensure that the devices are checking into Sophos Central and are healthy.
2. Turn off Tamper Protection on the endpoints.

Just like other third-party AV products in the market, Sophos does support removal of their products by running the relevant product uninstallers; however, in my experience this is hit or miss, and therefore I resorted to using the Sophoszap utility, which gave me consistent results. It is important to note that you should use the latest Sophoszap utility, so always check the Sophos official vendor's website for lat...

Working with Entra ID memberOf & Transitive membership

While creating assignments for policies in Intune as part of a project, something caught my attention, which got me intrigued. In Entra ID, there are multiple ways membership in groups is evaluated, and I wanted to explore all possible options.

Let's start with Transitive membership

Transitive membership is basically indirect membership, where objects are evaluated through the membership of other groups. As a result, objects in the sub-group are members of both groups. To demonstrate this through an example, I created an Entra ID group containing other groups.

Intune - All Cloud PCs - It is a dynamic group containing all cloud PCs.
Intune - All Mobile Devices - It is a dynamic group containing all enrolled iOS and Android devices.

These groups were added to another group called - Intune All MDM Lab Devices Transitive

As a result, when you check the membership of devices, based on the evaluation of the conditions, you will be able to see whether the group membership eval...