10Sep2019
04Sep2019
Windows Hello for Business: Azure AD Join vs. Hybrid Join
Windows Hello for Business replaces a traditional password when signing into your workstation with stronger two-factor authentication. One factor is some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other is a key or certificate that is bound to the device itself. When you...
04Sep2019
How to prevent users from circumventing MAM by going through OWA on mobile devices
One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app. And that means a user could bypass your protections such as encryption of app data,...
03Sep2019
PSA: Careful with MAM – there might be more to it than you think
I have written extensively on Mobile Application Management (MAM), as an alternative to Mobile Device Management (MDM). When implemented properly, it is the perfect solution for protecting company data on unmanaged devices (e.g. BYOD situations). But therein lies the rub....
27Aug2019
Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 2: Apps and Data
Last time we looked at some additional identity-based protections that are possible via additional subscriptions like Enterprise Mobility + Security E5 (which contains Azure AD Premium P2). In this post, we'll work within the same framework, but shift our focus from identity, towards protections which can be applied to apps and...
20Aug2019
Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity
As I have pointed out on this blog before, all of the best security products, like Microsoft Cloud App Security or Microsoft Defender Advanced Threat Protection, are held hostage in E5 plans. But there is a really big cost delta in the SMB space between...
24Jul2019
Updates coming soon to the Azure AD Best practices checklist
Update: The best practices checklists and guides are now available. I will be updating the best practices checklist and guide for Azure AD again soon, but I wanted to post a couple of notes about the coming changes--since...
18Jul2019
A Reader’s input for your consideration: Blocking unsupported devices with Conditional access
Consider the following scenario (from a reader who wished to remain anonymous): Let's say you have implemented my recommended baseline policies for Conditional access, which require Windows & Mac computers to become managed/compliant with Intune, and iOS...
15Jul2019
Microsoft 365 Device Management / Intune best practices checklist
Update: Downloadable, printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support! Similar to the checklist...
01Jul2019