Conditional access

Phish-resistant MFA for the SMB

Phish-Resistant MFA: A Quick Roadmap for the SMB

I recently published an article about multifactor authentication and compliant device bypass techniques, and pointed out that phish-resistant authentication is becoming more of a priority. But very few small and mid-sized organizations have made the transition to using stronger auth methods which can resist phishing attacks such...
Read more...
Updated Intune Scripts and a Security Profile for the SMB

Updated Intune Scripts and a Security Profile for the SMB

Some years ago, Microsoft published a repo on GitHub describing how to use PowerShell to interact with the Microsoft Graph and create/manipulate objects within Intune. This was soon followed by another project, where they published three "Security profiles" as pictured below: Image credit: Microsoft Most of the configurations required...
Read more...
Global Secure Access for the SMB

Global Secure Access: Is it for the SMB?

A couple of months ago, I presented a session on Microsoft Entra's Global Secure Access (GSA), which is really two products under a single unifying banner. Image credit: Microsoft Almost nobody in the audience had heard of Global Secure Access before. Granted, it was (and still is) fairly new, but I was...
Read more...
Turn your MFA up to 11

But have you turned multifactor authentication ALL the way on?

Do you remember just a short time ago, Microsoft would claim that switching on Multi-factor Authentication (MFA) prevents 99.9% of identity-based attacks? Well, the times they are a-changin. I do not know what they would report today for a percentage of attacks which are thwarted by MFA alone, but...
Read more...
Reader question: Deny-by-Default?

Reader Question: How can I set up a “Deny-by-Default” Conditional Access Policy?

It has been a while since I took a question from a reader and turned it into a blog post. It is one of my favorite things to do here on ITProMentor, but the “busy-ness” of life has taken me away from the keyboard a lot in recent months. Now...
Read more...
Choosing (and implementing) your strategy for personal devices

Choosing (and implementing) your strategy for personal devices

In a recent Microsoft blog announcing some cool new discovery features in Microsoft Defender for Endpoint, there is an interesting (but hardly surprising) statistic shared: your users are 71% more likely to be infected on an unmanaged device.Now the thrust of the...
Read more...

Deploying Conditional Access Policies via PowerShell

There is a new GitHub repository available from Microsoft: Manage Conditional Access policies like code. Similar to the infamous Intune samples repo from which I and many others have built their automated Intune setup scripts for new tenants,...
Read more...

A simpler Conditional Access baseline

Some folks have written to me about the "complexity" of my Conditional Access guide and were hoping to find something a bit simpler. This surprised me, and initially I shrugged it off. But I have heard this feedback more than once now, so I decided to take this thought experiment...
Read more...

Boost your security with Hybrid Azure AD Join: From Zero to Conditional Access in one afternoon

"Alex, I work at a non-profit and I would love to take advantage of the better security in Microsoft 365 Business (we have Business Premium now), but it sounds like it is for "cloud-only" customers? Is that right?? We are using Office 365 for Exchange, but we can't go cloud-only...
Read more...

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.