Enterprise Mobility + Security

Revisiting Baseline Policies in Microsoft 365

Microsoft has been doing more to make secure configurations easier to implement for admins. But, from my testing and experience, I still have reservations about some of them. Let's review.

Conditional Access Baseline Policies

There are presently four baseline policies...

How to prevent users from circumventing MAM by going through OWA on mobile devices

One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app. And that means a user could bypass your protections such as encryption of app data,...

Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity

As I have previously pointed out on this blog before, all of the best security products, like Microsoft Cloud App Security or Microsoft Defender Advanced Threat Protection, are held hostage in E5 plans. But there is a really big cost delta in the SMB space between...

Updates coming soon to the Azure AD Best practices checklist

Update: The best practices checklists and guides are now available. I will be updating the best practices checklist and guide for Azure AD again soon, but I wanted to post a couple of notes about the coming changes--since...

A Reader’s input for your consideration: Blocking unsupported devices with Conditional access

Consider the following scenario (from a reader who wished to remain anonymous): Let's say you have implemented my recommended baseline policies for Conditional access, which require Windows & Mac computers to become managed/compliant with Intune, and iOS...

A framework for implementing device-based Conditional access with Microsoft Intune

I recently shared a set of scripts to help make deployment of Intune a bit quicker. Today I just want to cover a framework which can be used for deploying device-based conditional access in conjunction with your baseline policy set. The main crux of the issue, which I have...

Three ways to disable basic authentication and legacy protocols in Exchange Online

One of the most common (and often successful) attacks we see in the wild is a simple brute force / password spray against weak accounts. Especially against shared mailboxes. From that foothold, the most common next step attackers will take is to send out spam/phishing emails from the compromised account,...

My favorite Conditional Access Policies for the SMB

It's not even a question in my mind anymore--every org who moves their email and other data sets into Office 365 should be protected with Enterprise Mobility + Security (also available in Microsoft 365 Enterprise plans). If you are in the Business subscription of Microsoft 365, this means adding Azure...

Limiting privilege in Microsoft 365 Business

One of the most important things you can do for boosting your security posture on any technology platform (Microsoft or otherwise) is limiting administrative privilege. We have long known that any given user should really only have enough access to do their jobs, and nothing more. Now in the Enterprise subscriptions...
