Tag - Conditional access

Reader question: Deny-by-Default?

Reader Question: How can I set up a “Deny-by-Default” Conditional Access Policy?

It has been a while since I took a question from a reader and turned it into a blog post. It is one of my favorite things to do here on ITProMentor, but the “busy-ness” of life has taken me away from the keyboard a lot in recent months. Now...
Read more...
Choosing (and implementing) your strategy for personal devices

Choosing (and implementing) your strategy for personal devices

In a recent Microsoft blog announcing some cool new discovery features in Microsoft Defender for Endpoint, there is an interesting (but hardly surprising) statistic shared: your users are 71% more likely to be infected on an unmanaged device. Now the thrust of the article is around discovering assets in your environment...
Read more...

Deploying Conditional Access Policies via PowerShell

There is a new GitHub repository available from Microsoft: Manage Conditional Access policies like code. Similar to the infamous Intune samples repo from which I and many others have built their automated Intune setup scripts for new tenants, this repo is replete with the resources that you need for accomplishing...
Read more...

A simpler Conditional Access baseline

Some folks have written to me about the "complexity" of my Conditional Access guide and were hoping to find something a bit simpler. This surprised me, and initially I shrugged it off. But I have heard this feedback more than once now, so I decided to take this thought experiment...
Read more...

Boost your security with Hybrid Azure AD Join: From Zero to Conditional Access in one afternoon

"Alex, I work at a non-profit and I would love to take advantage of the better security in Microsoft 365 Business (we have Business Premium now), but it sounds like it is for "cloud-only" customers? Is that right?? We are using Office 365 for Exchange, but we can't go cloud-only...
Read more...

The many ways to prevent data leakage in Microsoft 365

Office 365 Data Loss Prevention (DLP), Windows Information Protection (aka Endpoint DLP), Conditional Access App Enforced Restrictions, Conditional Access App Control with Microsoft Cloud App security, Sensitivity labels, Retention labels--are you thoroughly confused yet? All of the above can help you to prevent the leakage of sensitive data under certain...
Read more...

Notes from the field: Windows 10 Device Compliance

One of the coolest features in Microsoft 365 is the ability to measure device compliance, and based on that reading, grant, deny or limit access to cloud resources. For mobile devices this works really well, and most compliance policies are fairly simple: make sure the device isn't jail-broken/rooted, require a...
Read more...

2020 Edition of the Recommended Conditional access policy design guide is available now

I just finished updating the Conditional access design guide, part of the Microsoft 365 Best practices checklists. The new updates reflect some carefully considered feedback from my clients (real-world scenarios), as well as some new additions and a better organizational structure, in three major groups:  Authentication Baseline policies – Replaces the Security...
Read more...

No more excuses: 5 Tips & tricks to make Office 365 MFA easier on people

As I'm sure you are aware by now, Multi-factor Authentication reduces your risk of identity compromise by 99.9%. Requiring so called "strong passwords," by contrast, doesn't make that much difference at the end of the day. And yet, we're still beneath 10% of even just admin accounts in Azure AD...
Read more...

iPadOS (iOS 13+) still not compatible with MAM enforced by Conditional access

Update 11/18/2019: This issue has now been fixed. I wrote about this before the update dropped, and in my testing since then I am afraid the situation has not improved. The setup Create a Conditional access policy for iOS that requires an approved client app. In other words, users cannot...
Read more...

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.