Revisiting Baseline Policies in Microsoft 365
Microsoft has been doing more to make secure configurations easier to implement for admins. But, from my testing and experience, I still have reservations about some of them. Let’s review.
Conditional Access Baseline Policies
There are presently four baseline policies available under Azure AD > Security > Conditional Access.
Require MFA for admins has been around the longest, but it is redundant if you are already enforcing MFA on all of your admin accounts (except emergency access accounts), as you should be.
But the policies all have one major issue anyway: they no longer support exemptions. Back when these first dropped, exceptions were available, even for the newer policies.
The Exclude option disappeared shortly after the initial launch of the three newer ones. This is a big problem, however, since we need to be able to exclude emergency access accounts at a minimum, and very often service accounts must be excluded as well.
The other major problem is that we cannot exclude guest and external accounts. That means that if I enable the End user protection policy, for example, it will also require guests to register for MFA within 14 days. However, I don’t necessarily want guests to have to do that in every case. I have also seen issues with this option: for example, the policy will actually cause guests to be prompted over and over again, making it basically unusable.
Not having exemption capability, and specifically not being able to exclude emergency access accounts, service accounts and guests, will, I think, severely hamper the adoption of these policies. So hopefully Microsoft fixes this soon; that would allow more customers to enable these security safeguards without having to create their own custom policies (which requires additional licensing).
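For comparison with the baselines, here is what the custom-policy route looks like when the exclusions the baselines lack are built in. This is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) to create a Conditional Access policy that requires MFA for the Global Administrator role while excluding the emergency access accounts, and it starts the policy in report-only mode so its effect can be reviewed against a pilot group first. The emergency account UPNs are placeholders, and the tenant is assumed to hold the licensing that custom Conditional Access policies require.

```powershell
# Added example (not part of the original post): a custom Conditional Access
# policy that requires MFA for the Global Administrator role while excluding
# the emergency ("break glass") accounts. Assumes the Microsoft Graph
# PowerShell SDK is installed. Account names below are placeholders.
$EmergencyAccountUpns = @(
    'emergency1@contoso.example',
    'emergency2@contoso.example'
)

# Role template ID of the Global Administrator directory role.
$GlobalAdminRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Resolve each emergency account to its object ID. Abort if any is missing so
# the policy can never be created without the exclusions in place.
$excludeIds = foreach ($upn in $EmergencyAccountUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -ErrorAction Stop
    if (-not $user) { throw "Emergency access account not found: $upn" }
    $user.Id
}

$policy = @{
    displayName = 'Custom - Require MFA for admins (emergency accounts excluded)'
    # Report-only first: the sign-in logs show what the policy would have done
    # without enforcing it. Switch to 'enabled' after reviewing the results.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications = @{ includeApplications = @('All') }
        users        = @{
            includeRoles = @($GlobalAdminRoleTemplateId)   # add further role template IDs here
            excludeUsers = @($excludeIds)                  # emergency (and service) accounts
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Service accounts that cannot perform MFA go into the same excludeUsers list; guests can be kept out of scope with the guestsOrExternalUsers condition on the users object rather than by excluding them one at a time. Leave the policy in report-only mode until the sign-in log entries for the pilot group look right, then change state to enabled.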
Intune MDM Baselines for Windows 10
The other place “Baseline” policies show up is in the Intune / Device management portal. Under Security baselines, we have options to configure an MDM Security Baseline, and Microsoft Defender ATP.
Previously, when this feature was still in preview, I had some bad experiences with the MDM Security Baseline. However, I am happy to report that in my testing on the latest published profile (May 2019), the experience is much improved.
As with rolling out any security configurations, you will still want to launch this against a pilot group in your own environment first, and you may discover some settings that are in conflict with your own setup, and require tweaking. But this is easy to accomplish, since there are some reports included that will give you a per-setting status so you can see precisely where conflicts or errors are happening in your environment.
In my own baseline policies, I found only one conflict: I like to dial the UAC settings in so that users are always prompted on the secure desktop. The security baseline actually takes a stricter approach and outright blocks any kind of elevation or prompt from happening (for standard users, that is; admins are still prompted). I personally still like to prompt standard users, which means they get a dialog box where they can enter local admin credentials if needed.
This is super easy to adjust. Just go to the Properties of the profile and click Edit by Configuration settings.
Under Local policies security options, I just set this back to my preferred selection, then go to Review + save.
And that is the only setting that I have found to be in conflict with my own preferred configuration. However, results may vary. Therefore I advise that you still proceed with caution and implement this with a pilot group first, as always.
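To confirm what a pilot device actually received once the profile has applied, the following added snippet (not from the original post) reads the UAC values that the "Local policies security options" settings map to in the registry and reports them in plain language. The key path and value meanings are Microsoft's documented UAC policy values; run it in an elevated session on a pilot machine.

```powershell
# Added example (not part of the original post): read the effective UAC
# elevation settings on a pilot device and translate them, so a conflict like
# the one described above (baseline denies standard-user elevation versus a
# preferred prompt-on-secure-desktop setting) is visible before wider rollout.
function Get-UacElevationSettings {
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $values = Get-ItemProperty -Path $key

    # Meanings of ConsentPromptBehaviorUser (standard users).
    $userMap = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    # Meanings of ConsentPromptBehaviorAdmin (members of Administrators).
    $adminMap = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }

    # A value that is absent from the key means no policy has been written.
    $userRaw  = $values.ConsentPromptBehaviorUser
    $adminRaw = $values.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        UacEnabled            = [bool]$values.EnableLUA
        StandardUserBehavior  = if ($null -eq $userRaw)  { 'Not configured' } else { $userMap[[int]$userRaw] }
        AdminBehavior         = if ($null -eq $adminRaw) { 'Not configured' } else { $adminMap[[int]$adminRaw] }
        PromptOnSecureDesktop = [bool]$values.PromptOnSecureDesktop
    }
}

function Test-StandardUserPromptOnSecureDesktop {
    # $true when standard users get a credential prompt on the secure desktop
    # (the preference described in the post); $false for the baseline's
    # "deny" value or anything else.
    $s = Get-UacElevationSettings
    return ($s.UacEnabled -and
            $s.StandardUserBehavior -eq 'Prompt for credentials on the secure desktop' -and
            $s.PromptOnSecureDesktop)
}

Get-UacElevationSettings | Format-List
if (Test-StandardUserPromptOnSecureDesktop) {
    'Standard users are prompted for credentials on the secure desktop (matches the preferred setting).'
} else {
    'Standard-user elevation differs from the preferred setting; check the baseline profile for a conflict.'
}
```

Running this before and after the profile edit in Intune gives a quick per-device confirmation that the setting you changed under Local policies security options is the one that landed, which complements the per-setting status reports in the portal.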
Conclusion
As with all good Microsoft products that stick around for a while (and it is pretty safe to say that Microsoft 365 is going to be one of those), some of this cloud management stuff is getting really good. And… yes: some of it is still in process. That’s okay. The Conditional Access baselines are still in preview, after all. But I suspect that these will continue to develop over time, just as the MDM Baselines will be updated at regular intervals even now that they are generally available.
There is a lot of opportunity out there for partners who are on top of this stuff, know which security features are ready for prime time and which are not, and know how to dial each in appropriately to work for their customers’ environments. These “Baselines” give you a good place to get started, but even then they are not meant to be a “set and forget” sort of thing. This is going to require a new managed service offering. So do not believe the “MSP model is dead” if you hear or see that somewhere. I haven’t seen firsthand evidence of that.
Comments (2)
Hi.
What is your take on the MDM vs Defender baselines that contain equal settings? I.e. in the MDM baseline they call it Device Installation, in the Defender baseline they call it Device Control. Almost the same settings.
Exploit Guard and Exploit Protection are the same. And there are more. Can’t find anything from Microsoft about this. The Defender baseline has a lot fewer settings, but as far as I can see, it contains some that the MDM baseline lacks.
These are indeed separate baselines, even though they contain some of the same settings. The Defender ATP baseline does not apply to Microsoft 365 Business and E3 subscriptions since those subscriptions do not contain MDATP. If you own E5 or E5 Security on top of E3 you could apply the Defender ATP baseline in addition to the MDM baseline. The MDM baseline actually contains a couple of settings that are not compatible (or not supported anyway) with the Business SKU, but for the most part it still applies.