17Dec2019
11Dec2019
Notes from the field: Windows 10 Device Compliance
One of the coolest features in Microsoft 365 is the ability to measure device compliance, and based on that reading, grant, deny or limit access to cloud resources. For mobile devices this works really well, and most compliance policies are fairly simple: make sure the device isn't jail-broken/rooted, require a...
01Dec2019
2020 Edition of the Recommended Conditional access policy design guide is available now
I just finished updating the Conditional access design guide, part of the Microsoft 365 Best practices checklists. The new updates reflect some carefully considered feedback from my clients (real-world scenarios), as well as some new additions and a better organizational structure, in three major groups: Authentication Baseline policies – Replaces the Security...
22Nov2019
Updates to my Exchange Online and Office 365 ATP scripts
Just a quick note--this week I updated the Exchange Online and ATP scripts that I publish and use to provision new tenants--to fall more in line with the new best practices that were published by the Exchange Online Protection and Office 365 ATP teams.* You can also use the new...
11Nov2019
From Ignite 2019: Office 365 ATP Best Practices Analyzer, and other actions MS is taking to democratize security
I haven't had time to write an overall review of Ignite and all the various announcements that were made. And honestly, I might just skip that because there are so many others out there doing the same. They probably did an even do a better job than I would. So...
21Oct2019
No more excuses: 5 Tips & tricks to make Office 365 MFA easier on people
As I'm sure you are aware by now, Multi-factor Authentication reduces your risk of identity compromise by 99.9%. Requiring so called "strong passwords," by contrast, doesn't make that much difference at the end of the day. And yet, we're still beneath 10% of even just admin accounts in Azure AD...
11Oct2019
Removing local admin: a game of compromise (and some tips and tricks)
Look, I am a realist. Yes: from a security perspective it would be ideal if we could take away local admin privileges on every corporate owned Windows 10 workstation. But that still isn't very easy to do for many organizations. Some orgs do need to maintain a bit more flexibility, with...
04Oct2019
Introducing the Windows 10 Business Secure Configuration Framework
Update March 2023: This publication has been updated significantly and renamed as well. It is now called The SMB Guide to Threat Defense and Microsoft Defender in Microsoft 365 Business Premium Plans. This guide describes implementation of Microsoft Defender for Office 365 as well as Microsoft Defender for Business, and...
03Oct2019
Windows Information Protection done right, part 2: typical set up steps
Last time we talked about a couple of key concepts including enlightened and non-enlightened apps, and how Windows Information Protection (WIP) treats corporate data differently than personal. In short, a non-enlightened app and all of its data will be treated by WIP as personal (by default). However, if you choose...
30Sep2019