10Sep2019
04Sep2019
How to prevent users from circumventing MAM by going through OWA on mobile devices
One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app.And that means a user could bypass your protections such as encryption of app data,...
20Aug2019
Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity
As I have previously pointed out on this blog before, all of the best security products, like Microsoft Cloud App Security or Microsoft Defender Advanced Threat Protection, are held hostage in E5 plans. But there is a really big cost delta in the SMB space between...
24Jul2019
Updates coming soon to the Azure AD Best practices checklist
Update: The best practices checklists and guides are now available.I will be updating the best practices checklist and guide for Azure AD again soon, but I wanted to post a couple of notes about the coming changes--since...
18Jul2019
A Reader’s input for your consideration: Blocking unsupported devices with Conditional access
Consider the following scenario (from a reader who wished to remain anonymous):Let's say you have implemented my recommended baseline policies for Conditional access, which require Windows & Mac computers to become managed/compliant with Intune, and iOS...
20Jun2019
A framework for implementing device-based Conditional access with Microsoft Intune
I recently shared a set of scripts to help make deployment of Intune a bit quicker. Today I just want to cover a framework which can be used for deploying device-based conditional access in conjunction with your baseline policy set. The main crux of the issue, which I have...
09May2019
Three ways to disable basic authentication and legacy protocols in Exchange Online
One of the most common (and often successful) attacks we see in the wild is a simple brute force / password spray against weak accounts. Especially against shared mailboxes. From that foothold, the most common next step attackers will take is to send out spam/phishing emails from the compromised account,...
21Mar2019
My favorite Conditional Access Policies for the SMB
It's not even a question in my mind anymore--every org who moves their email and other data sets into Office 365 should be protected with Enterprise Mobility + Security (also available in Microsoft 365 Enterprise plans). If you are in the Business subscription of Microsoft 365, this means adding Azure...
11Mar2019
Super-charging security on non-Microsoft 365 E5 plans
This article was updated in April of 2020Microsoft 365 E5 is the Cadillac of plans. Basically every product in the 365 universe is bundled into this level subscription, and that includes a ton related to security.Recently, Microsoft
01Mar2019