Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. ๐Ÿ™‚

Read more…

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Read more…

Script Update: Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

Introduction

If you already use or intend to use my script, which reminds users to update iOS with e-mails and custom notification, you will want to use the updated script. ๐Ÿ™‚

I obviously put the script to use in production, and quickly realized that the script also picks up obsolete devices. This is not ideal, as you might end up in a situation where a user is reminded by e-mail, to update a device which is obsolete and no longer in use.

So the script has been updated to cater for this situation, and now only picks up devices which has been syncing with Microsoft Intune within the last 2 days.

Read more…

Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

Introduction

**Minor update**: https://www.imab.dk/script-update-automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Long title! It could have been even longer, but I struggled to squeeze in that the e-mail also is sent over Office 365 and the entire deliciousness is running on a schedule with Azure Automation. ๐Ÿ™‚

The story here is, that iOS is getting updates quite frequently, and a lot of enterprises (including myself), are managing those iOS devices as private BYOD devices enrolled through the Company Portal. As of such, keeping the devices up to date is the end-user’s responsibility and something that’s often forgotten and neglected.

So what if we could send those devices and users a kind reminder automatically, both as a custom notification directly on the device, but also as an e-mail? Microsoft Intune Powershell SDK to the rescue!

Read more…

A brief first look on Microsoft Defender ATP Tamper Protection

Introduction

Late last night my time, Tamper Protection in the Microsoft Defender stack went Generally Available.

In short and as the name implies, this is a feature which essentially locks Microsoft Defender and prevents your security settings from being tampered with, including changes made by an administrator.

From a security perspective, this is a great and welcomed addition – let’s take a closer look. ๐Ÿ™‚

PS. I did find some oddities in some of the behavior when trying to disable Microsoft Defender through Group Policy. More on that in the end of the post.

Read more…

Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. ๐Ÿ™‚

Read more…

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move.ย Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Read more…

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on ๐Ÿ™‚

Read more…

Connect to Exchange Online with Powershell, Modern Authentication and Conditional Access

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, good chances are that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using Powershell for automation reasons, another good chance is that this is done with basic/legacy authentication. This is obviously a conflict with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online automated with Modern Authenticationย while being protected by Conditional Access.

Read more…

Connect to Microsoft Graph for Intune with Powershell ISE Add-ons

Introduction

If you are working with Microsoft Intune on a daily basis, chances are that you are familiar with the awesome Powershell Intune Graph script samples over at GitHub: https://github.com/microsoftgraph/powershell-intune-samples.

I have previously blogged specifically about putting 2 of the scripts to use here:

If you are less familiar with Powershell, the script samples might seem a bit intimidating and difficult for some to put to use. The new Microsoft.Graph.Intune PowerShell Module to the rescue!

Now, this post is not about using the actual module, but how you with a single click can connect to the Graph API and gain access to all the available cmdlets in a very easy and sufficient way.

Read more…