Posts

Showing posts from May, 2025

Windows Hello for Business Cloud Trust Kerberos Authentication Issue

There are many options available for deploying Windows Hello for Business, so it can fit a variety of organizational infrastructures. For cloud-only organizations the implementation is simple and works straight out of the box. For hybrid models, which is where most organizations operate, there can be some additional configuration requirements. Of the available trust types (cloud Kerberos, key, and certificate), cloud Kerberos trust is the easiest to deploy and is also the trust type Microsoft recommends. It allows users to authenticate to Active Directory by requesting a partial TGT from Microsoft Entra ID, using Microsoft Entra Kerberos; the client then exchanges that partial TGT with an on-premises domain controller for a full TGT. This way the on-premises domain controllers remain responsible for issuing Kerberos service tickets and for authorization. That brings me to the reason behind writing this blog post. I recently assisted a customer with an issue involving Windows Hello for Business authentication while accessing on-premises resources like file shares. The end user experience was so...
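When the trust flow described above breaks, the first thing to establish is which half failed: the cloud side (does the device hold a PRT and an Entra Kerberos TGT?) or the on-premises side (was the partial TGT exchanged for a domain TGT, and does the domain even have the Entra Kerberos server object?). The script below is an added example and not code from the post above; it reads `dsregcmd /status` and `klist` on the client and, optionally, checks the domain for the `AzureADKerberos` computer object and the `krbtgt_AzureAD` account with the ActiveDirectory module. The realm name `KERBEROS.MICROSOFTONLINE.COM` used to recognise the Entra-issued ticket, and the field names it expects in the `dsregcmd` output, are assumptions based on typical output, not anything stated on this page.

```powershell
# Added example: triage Windows Hello for Business cloud Kerberos trust on a hybrid-joined client.
# Run as the signed-in WHfB user (klist is per logon session); the -CheckDomain switch needs RSAT AD tools.
[CmdletBinding()]
param([switch]$CheckDomain)

function Get-DsregStatus {
    # Parse "    Name : Value" lines from dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(?<name>[A-Za-z]+)\s*:\s*(?<value>.*)$') {
            $status[$Matches.name] = $Matches.value.Trim()
        }
    }
    return $status
}

function Test-CloudKerberosClient {
    $s = Get-DsregStatus
    # Field names below are assumed from the usual dsregcmd /status layout (Device State / SSO State sections).
    $checks = [ordered]@{
        'Hybrid joined (AzureAdJoined + DomainJoined)' = ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES')
        'Primary Refresh Token present (AzureAdPrt)'   = ($s['AzureAdPrt'] -eq 'YES')
        'Entra Kerberos TGT obtained (CloudTgt)'       = ($s['CloudTgt'] -eq 'YES')
        'On-prem TGT obtained (OnPremTgt)'             = ($s['OnPremTgt'] -eq 'YES')
    }
    foreach ($name in $checks.Keys) {
        $ok = $checks[$name]
        Write-Host ("[{0}] {1}" -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $name))
    }

    # Cross-check with klist: the Entra-issued partial TGT shows up under the cloud realm (assumed name),
    # the full TGT under the on-prem domain. Missing partial TGT -> cloud side; partial but no full -> DC side.
    $tickets = (klist) -join "`n"
    $cloudRealm = 'KERBEROS.MICROSOFTONLINE.COM'
    $hasCloudTgt  = $tickets -match "krbtgt/$([regex]::Escape($cloudRealm))"
    $hasDomainTgt = $tickets -match "krbtgt/$([regex]::Escape($env:USERDNSDOMAIN))"
    Write-Host ("[{0}] klist shows Entra Kerberos TGT (krbtgt/{1})" -f ($(if ($hasCloudTgt) { 'PASS' } else { 'FAIL' }), $cloudRealm))
    Write-Host ("[{0}] klist shows domain TGT (krbtgt/{1})" -f ($(if ($hasDomainTgt) { 'PASS' } else { 'FAIL' }), $env:USERDNSDOMAIN))

    if ($hasCloudTgt -and -not $hasDomainTgt) {
        Write-Warning 'Partial TGT present but no domain TGT: check DC reachability and the Entra Kerberos server object.'
    }
    return -not ($checks.Values -contains $false) -and $hasCloudTgt -and $hasDomainTgt
}

function Test-CloudKerberosDomain {
    # The Entra Kerberos server object is a computer account named AzureADKerberos plus the krbtgt_AzureAD account;
    # both must exist for DCs to accept the partial TGT. Object names here are assumed, verify against your forest.
    Import-Module ActiveDirectory -ErrorAction Stop
    $server = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -Properties PasswordLastSet
    $krbtgt = Get-ADUser -Filter "Name -eq 'krbtgt_AzureAD'" -Properties PasswordLastSet
    if (-not $server -or -not $krbtgt) {
        Write-Host '[FAIL] Entra Kerberos server object not found in this domain (AzureADKerberos / krbtgt_AzureAD).'
        return $false
    }
    Write-Host ("[PASS] AzureADKerberos found; krbtgt_AzureAD key last set {0}" -f $krbtgt.PasswordLastSet)
    return $true
}

$clientOk = Test-CloudKerberosClient
if ($CheckDomain) { $null = Test-CloudKerberosDomain }
exit $(if ($clientOk) { 0 } else { 1 })
```

A client that passes every check but still cannot open a file share usually has a problem past the TGT stage (service ticket issuance or share ACLs), which narrows the investigation before touching any Entra or Intune settings.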

Configuring Intune Permissions in Defender Portal for Endpoint security

When it comes to implementing a least-privilege model for Intune permissions, the most common approach is role-based access control (RBAC). The focus of this article is the permissions required for managing endpoint security settings in Intune when they are configured from the Defender portal. Consider a scenario where the security and endpoint teams are separate. The endpoint team will normally focus on administering managed enterprise devices in the Microsoft Intune admin center, while security analysts focus on the security aspects of those resources in the Defender portal. The real challenge comes when the two roles start to merge or overlap. This is where strong governance of access permissions plays a crucial role. Implementing RBAC in the respective administration portals is the recommended way to address this; on the off chance that an organization has not implemented it, the relevant permissions, for endpoint security in Intune in particular, can ...