03Oct2019
30Sep2019
Windows Information Protection done right, part 1: education and background
A while back I mentioned that WIP policies are not something you should turn on blindly, as they can have disastrous consequences. That is true, when implemented without a plan. However, it is also a very powerful tool that is included with all Microsoft 365 subscriptions (yes, even Business). So...
19Sep2019
Devices still matter, Part 2: How attackers can use YOUR device
So based on our last post, we now know that MFA and Conditional Access can help prevent a lot of different scenarios involving "any old" devices. That leaves one other avenue for attackers then... Why bother trying to gain new access through any device when there are perfectly...
10Sep2019
Revisiting Baseline Policies in Microsoft 365
Microsoft has been doing more to make secure configurations easier to implement for admins. But, from my testing and experience, I still have reservations about some of them. Let's review. Conditional Access Baseline Policies There are presently four baseline policies available under Azure AD > Security > Conditional Access. Require MFA for admins...
04Sep2019
Windows Hello for Business: Azure AD Join vs. Hybrid Join
Windows Hello for Business replaces a traditional password when signing into your workstation, with a stronger two-factor authentication. One factor being some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other being a key or certificate that is bound to the device itself. When you...
04Sep2019
How to prevent users from circumventing MAM by going through OWA on mobile devices
One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app. And that means a user could bypass your protections such as encryption of app data,...
03Sep2019
PSA: Careful with MAM – there might be more to it than you think
I have written extensively on Mobile Application Management (MAM), as an alternative to Mobile Device Management (MDM). When implemented properly, it is the perfect solution for protecting company data on unmanaged devices (e.g. BYOD situations). But therein lies the rub. You need to implement it properly. I can't blame you...
27Aug2019
Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 2: Apps and Data
Last time we looked at some additional identity-based protections that are possible via additional subscriptions like Enterprise Mobility + Security E5 (which contains Azure AD Premium P2). In this post, we'll work within the same framework, but shift our focus from identity, towards protections which can be applied to apps and...
20Aug2019
Protecting extra-sensitive accounts and data sets in Microsoft 365, Part 1: Identity
As I have previously pointed out on this blog before, all of the best security products, like Microsoft Cloud App Security or Microsoft Defender Advanced Threat Protection, are held hostage in E5 plans. But there is a really big cost delta in the SMB space between the Business plan and...
24Jul2019