Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Read more…

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Read more…

Connect to Exchange Online with Powershell, Modern Authentication and Conditional Access

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, good chances are that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using Powershell for automation reasons, another good chance is that this is done with basic/legacy authentication. This is obviously a conflict with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online automated with Modern Authentication while being protected by Conditional Access.

Read more…

Azure AD Application Proxy, Single Sign-On and Conditional Access

Introduction

As the topic suggests, the following post will be about the Azure AD Application Proxy feature – a feature within Azure Active Directory. I haven’t blogged specifically about this feature before, but I do think it deserves a mention here as well.

I will go into details on how to provide secure remote access to an internal IIS website, and give an example on how to add single sign-on to that experience while protecting everything with Conditional Access.

This post will be followed up with a continuation, where everything will be put to use on a mobile device with a Microsoft Intune managed Edge browser. Curious? Read on and stay tuned 🙂

The end result where an internal IIS is reachable from www

Read more…

Block access to company resources if running an out-of-date iOS version using Microsoft Intune and Conditional Access

Introduction

Do you need a simple, but yet effective way of forcing people into updating iOS on their company enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.

Peek into Microsoft Intune and the device compliance policies

Read more…

Conditional Access: Restrict access to company resources and only grant access to trusted IPs

Introduction

I have previously given a few examples on use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources are blocked, if not coming from a trusted IP?

Imagine service accounts running some Powershell scripts for automation in your Azure/O365 tenant or other accounts who are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarter public IP. This is how you can do just that, using Conditional Access.

Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus

Read more…

Microsoft Intune and Conditional Access in a Co-management scenario

Introduction

Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.

Read more…

Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app

Introduction

Long title, but that’s actually what this post is going to cover; how you can secure the access to company e-mail accounts and only allow access to such, if coming from an enrolled (compliant) Intune device and that device uses the Outlook app.

In this scenario, we only uses iOS devices and of such only allow enrollment of iOS devices, but this can of course be android and Windows as well. Everything in this post is achievable with the use of Microsoft Intune and Conditional Access in Azure. Curious? Read on 🙂

Read more…

Conditional Access: Require MFA for accessing Exchange Online Webmail if browsing from a private device

Introduction

While brewing on a much more detailed post on how I moved my devices from Intune Hybrid with ConfigMgr to Intune standalone, I thought I’d share how you can offer webmail for your users, while requiring MFA (Multifactor Authentication) if not coming from a company device, using Conditional Access.

In this post I will only cover the actual steps in Intune, but for this to work, you will have to have your Windows devices registered with Azure AD. There will be some requirement for your on-prem AD and for your ADFS, if that’s how you federate with Azure/O365. These requirements are explained in details in this Microsoft article: https://docs.microsoft.com/da-dk/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

Read more…