Modern Device Management

Source: Microsoft The memo 22-09  utilizes Microsoft Entra ID as the centralized identity management system when implementing Zero Trust principles and requires employees using enterprise-managed identities to authenticate through multifactor authentication through the means of FIDO2 security keys or Windows Hello for Business to protect against phishing related online attacks. There are multiple options for meeting phishing-resistant multifactor authentication requirements with Microsoft Entra ID. However, the trajectory should be towards implementing modern credentials. Some of the modern approaches are - 1. FIDO2 security keys which according to the Cybersecurity & Infrastructure Security Agency (CISA) is the gold standard of multifactor authentication. 2. Microsoft Entra certificate authentication without dependency on a federated identity provider. 3. Windows Hello for Business as phishing-resistant multifactor authentication Access to Microsoft admin portals like Microsoft En

If you follow @merill from Microsoft on X, then he recently shared a one pager on Microsoft Entra security capabilities . It caught my attention and I wanted to verify which all security features I had already implemented so far. While going through the list, I realized that I had actually left out on testing and understanding the end user behavior of one of the security capabilities i.e. Microsoft Entra Smart Lockout , and decided  to give it a go. Let's first see what is this feature all about. What is Smart lockout and how it works? Smart lockout helps in protecting against bad actors that try to guess passwords of end user accounts or use brute-force methods to get in. The feature can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. By default, smart lockout locks an account from sign-in after 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants, while 3 failed attempts for

For a long time Role-based access control (RBAC) has been the method of choice for managing access to organization's resources by using built-in Intune roles. However, there was no way to enforce just-in-time like access control against these roles. This changed earlier in the year 2023, when Microsoft released Privileged Identity Management (PIM) for Groups which allowed creating a just-in-time (JIT) policy to support a wide range of roles such as Microsoft Entra roles, Azure resource roles, Microsoft Intune and non-Microsoft application roles and services.  As of writing this blog, this feature together with PIM integration with Conditional Access went into GA which has now enabled organizations to enforce specific requirements for PIM role activations, thus enhancing the overall security posture. In this blog post, I explore these methods on how to give users just-in-time privileged access to Intune RBAC by using PIM for Groups and leveraging CA by enforcing additional security