Block Access From Unmanaged Devices To SharePoint
From SharePoint Admin Center > Policies > Access Control
Click Unmanaged Devices
Note: "To use this setting, get a subscription to Enterprise Mobility + Security and assign a license to yourself." See Microsoft Endpoint Manager | Microsoft 365 for more information.
Select Block Access > Save
Block Access From Unmanaged Devices To Specific SharePoint Sites and Limit Access Using PowerShell
These examples block access, or limit it so that users cannot download, save or print, on unmanaged devices for a specific SharePoint site or OneDrive account.
Limit access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy AllowLimitedAccess
Block access to a single site: Set-SPOSite -Identity https://<SharePoint online URL>/sites/<name of site or OneDrive account> -ConditionalAccessPolicy BlockAccess
Update multiple sites at once: (Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'") | Set-SPOSite -ConditionalAccessPolicy AllowLimitedAccess
(The cmdlet at the end of the pipeline is Set-SPOSite, which applies the policy to each site passed in; Set-SPOTenant would set the policy tenant-wide rather than per site.)
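As an added example (not code from the original post), the script below wraps the "update multiple sites" command in a dry-run/apply pattern: it reports the current ConditionalAccessPolicy on every OneDrive site, shows which ones differ from the requested policy, and only changes them when -Apply is given, then re-reads the sites to confirm. It assumes the SharePoint Online Management Shell module (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin role; the admin URL is a placeholder.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell module is installed and you hold a SharePoint admin role.
param(
    [string]$AdminUrl = "https://<tenant>-admin.sharepoint.com",   # placeholder
    [ValidateSet("AllowFullAccess", "AllowLimitedAccess", "BlockAccess")]
    [string]$Policy = "AllowLimitedAccess",
    [switch]$Apply   # without -Apply the script only reports what it would change
)

Connect-SPOService -Url $AdminUrl

# Same filter as the post's "update multiple sites" example: every OneDrive
# (personal) site in the tenant.
$filter = "Url -like '-my.sharepoint.com/personal/'"

# Report the policy currently in force so the change can be reviewed first.
$before = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter $filter |
    Select-Object Url, ConditionalAccessPolicy
$before | Format-Table -AutoSize

$toChange = @($before | Where-Object { $_.ConditionalAccessPolicy -ne $Policy })
Write-Host ("{0} of {1} sites currently differ from '{2}'." -f $toChange.Count, @($before).Count, $Policy)

if ($Apply) {
    foreach ($site in $toChange) {
        Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy $Policy
    }
    # Re-read the sites; anything still not matching is reported for follow-up.
    Get-SPOSite -IncludePersonalSite $true -Limit All -Filter $filter |
        Where-Object { $_.ConditionalAccessPolicy -ne $Policy } |
        ForEach-Object { Write-Warning "Still not '$Policy': $($_.Url)" }
}
else {
    Write-Host "Dry run: re-run with -Apply to change the sites listed above."
}
```

Run it once without -Apply to see the scope of the change; the per-site setting takes effect only after the tenant-level unmanaged-device policy is enabled in the admin center, and users already signed in may keep their session until it expires.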
MS-101: Microsoft 365 Mobility and Security
#MS365 #Security #365Security #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #Microsoft365 #MicrosoftCloud #Microsoft #alwaysbelearning #MS101 #EXAM #PASSED
Today I'm looking at Microsoft 365 Enterprise Mobility + Security E3 and E5 licenses and trying to work out which licenses I need and what the differences are. I've reviewed the guide on features and pricing; visit compare-plans-and-pricing.
There are four key areas for Enterprise Mobility + Security:
- Identity and access management
- Managed mobile productivity
- Information protection
- Identity driven security
If your business is focused on Enterprise Mobility + Security E5 licenses but you need to save costs, it's certainly worth reviewing which features you're using and what is available, or partially included, in an Enterprise Mobility + Security E3 license. Microsoft would describe the differences as "Enterprise Mobility + Security E5 includes new and advanced security capabilities that make up our holistic and innovative approach to security for the mobile enterprise. Some E5 capabilities were previously only available as standalone products, such as Microsoft Cloud App Security, or as products in preview, such as Microsoft Azure Active Directory Identity Protection, Azure Active Directory Privileged Identity Management, and Azure Information Protection."
A breakdown of the key additional features in E5 and not in E3.
This is a quick breakdown of the additional features in the E5 license that you don't currently get in E3. (Please check again, this is not a live feature list.)
- Register MFA – All Users
- Password changed (High risk users)
- Require MFA for medium to high risk users
- Manage, Control and monitor important information or resources
- Automate the classification and labelling process (personal interpretation, not sure if that terminology is correct)
- Azure AD Identity Protection, which can be leveraged in Conditional Access (CA). Identity Protection policies example
- CASB Cloud Access Security Broker
- Detect, Identify Abnormalities, Advanced Attacks
So does your business have any other third-party tools already providing the features of E5? It might be worth noting that some components of Enterprise Mobility + Security E5 can be purchased separately, but the logic is that a suite gives more value as a bundle.
Another good option to get hands-on with the full E5 license: why not run a PoC of the Enterprise Mobility + Security E5 features with a free trial (90 days offered when I wrote this)?
I hope this post helped; additional information is available direct from the Microsoft site.
Apologies if any information is incorrect; this is just a personal review and in no way related to Microsoft.
PASSED the Microsoft 365 Identity and Services Exam.
#Microsoft #Certified #Professional
Features are available to improve security for mobile devices by using encryption and a password policy when they connect to Exchange Online (O365). Anyone who has been an Active Directory admin will by default expect to configure additional security; the same logic should apply for the Office 365 admin / Exchange Online admin.
How to configure: start in the Exchange Admin Center.
Browse to "Mobile" and edit the "Default" policy.
This applies additional security settings to mobile devices by default. I've highlighted some more restrictive settings to configure compared with the default:
- Require Password
- Require an Alphanumeric Password
- Require Encryption
- Min Password Length
- Wipe Device on Sign-In Failures
- Sign In time
- Password Lifetime and Recycle Count
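The same settings can be applied to the Default mobile device mailbox policy from PowerShell, which makes the change reviewable and repeatable. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module and an Exchange admin role, and the numeric values are illustrative choices to agree with your security team.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account holds an Exchange admin role.
Connect-ExchangeOnline

$fields = "Name", "PasswordEnabled", "AlphanumericPasswordRequired",
          "DeviceEncryptionEnabled", "MinPasswordLength", "MaxPasswordFailedAttempts",
          "MaxInactivityTimeLock", "PasswordExpiration", "PasswordHistory"

# Capture the current Default policy so the change can be reviewed and rolled back.
$before = Get-MobileDeviceMailboxPolicy -Identity Default | Select-Object $fields
$before | Format-List

# Each parameter maps to one of the settings listed above; values are illustrative.
$settings = @{
    Identity                     = "Default"
    PasswordEnabled              = $true          # Require Password
    AlphanumericPasswordRequired = $true          # Require an Alphanumeric Password
    DeviceEncryptionEnabled      = $true          # Require Encryption
    MinPasswordLength            = 8              # Min Password Length
    MaxPasswordFailedAttempts    = 10             # Wipe Device on Sign-In Failures (after 10)
    MaxInactivityTimeLock        = "00:15:00"     # Sign In time: lock after 15 minutes idle
    PasswordExpiration           = "90.00:00:00"  # Password Lifetime: 90 days
    PasswordHistory              = 5              # Recycle Count: last 5 passwords cannot be reused
}
Set-MobileDeviceMailboxPolicy @settings

# Confirm the policy now carries the intended values.
$after = Get-MobileDeviceMailboxPolicy -Identity Default | Select-Object $fields
$after | Format-List

# Keep the "before" state on disk for rollback.
$before | Export-Clixml -Path ".\Default-MobilePolicy-before.xml"
```

Devices pick up the new policy the next time they synchronise with Exchange, so allow time before reporting on compliance; a device that cannot meet the policy (for example no hardware encryption) will be blocked from syncing rather than silently exempted.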
Start in Microsoft 365 Admin Centre and browse to Azure Active Directory
Browse all services and click “App Registrations”
Click “New Registration”
Enter application details and URL
To set up calendar sharing in Office 365 with another external Office 365 (Exchange Online) organisation, go to the Exchange Admin Center.
You have the option to add an individual or an organisation. See the example below.
For further information visit: https://docs.microsoft.com/en-us/exchange/sharing/organization-relationships/create-an-organization-relationship
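The organisation-level option corresponds to creating an organization relationship, which can also be done from PowerShell. The following is an added example (not from the original post); it assumes the ExchangeOnlineManagement module, an Exchange admin role, and uses contoso.com as a placeholder for the partner organisation's domain. It shares free/busy time only, at the LimitedDetails level, and optionally restricts which of your users are visible via a security group.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role. The partner domain is a placeholder.
Connect-ExchangeOnline

$partnerDomain = "contoso.com"                 # placeholder: the other tenant's domain
$relName       = "Contoso calendar sharing"

# Get-FederationInformation discovers the partner's federation endpoints and
# pipes them into New-OrganizationRelationship, so the target URLs need not be
# typed by hand.
Get-FederationInformation -DomainName $partnerDomain |
    New-OrganizationRelationship -Name $relName `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails `
        -Enabled $true

# Optional: limit which of your users the partner can see free/busy for, by
# scoping the relationship to a mail-enabled security group (placeholder name).
# Set-OrganizationRelationship -Identity $relName -FreeBusyAccessScope "CalendarSharing-Allowed"

# Verify what was created.
Get-OrganizationRelationship -Identity $relName |
    Format-List Name, DomainNames, Enabled, FreeBusyAccessEnabled,
                FreeBusyAccessLevel, FreeBusyAccessScope, TargetAutodiscoverEpr
```

The relationship is one-directional: the partner organisation must create the matching relationship pointing at your domain before either side sees the other's availability. Use AvailabilityOnly instead of LimitedDetails if the partner should see only busy/free blocks without subject and location.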
So you have decided to increase security by adding a banned password list, but the option in the Azure Active Directory admin center is greyed out. The problem is licensing: this feature is only available with Azure AD P1 licenses, which are included in Enterprise Mobility + Security E3.
The problem: Password Protection is greyed out.
The issue: licensing, with no Enterprise Mobility + Security E3.
Upgrade to an Enterprise Mobility + Security E3 license (please confirm further before purchasing).
Example Password List to Ban
Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty, 1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r, 000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey, 27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl
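Before pasting a list like the one above into the custom banned password list, it is worth cleaning it up: the portal takes one term per line, and my understanding of the feature (an assumption to verify against the current Azure AD Password Protection documentation) is that each term must be 4 to 16 characters, the list holds at most 1000 terms, and matching is case-insensitive, so case-only duplicates waste slots. The function below, an added example and not from the original post, applies those rules to the post's list plus a few constructed entries that show the rejections.

```powershell
# Added example, not from the original post. Limits (4-16 characters, 1000 terms,
# case-insensitive matching) are my understanding of the feature; verify them
# against the current documentation before relying on this.
function Test-BannedPasswordList {
    param(
        [Parameter(Mandatory)] [string[]]$Terms,
        [int]$MinLength = 4,
        [int]$MaxLength = 16,
        [int]$MaxTerms  = 1000
    )
    $seen     = @{}
    $valid    = New-Object System.Collections.Generic.List[string]
    $rejected = New-Object System.Collections.Generic.List[string]

    foreach ($raw in $Terms) {
        $t = $raw.Trim()
        if ($t.Length -eq 0) { continue }
        $key = $t.ToLowerInvariant()
        if ($seen.ContainsKey($key)) {
            $rejected.Add("$t (duplicate of an earlier term, case-insensitive)")
            continue
        }
        if ($t.Length -lt $MinLength -or $t.Length -gt $MaxLength) {
            $rejected.Add("$t (length $($t.Length) is outside $MinLength-$MaxLength)")
            continue
        }
        $seen[$key] = $true
        $valid.Add($t)
    }

    $overflow = [Math]::Max(0, $valid.Count - $MaxTerms)
    [pscustomobject]@{
        Valid    = $valid.ToArray()
        Rejected = $rejected.ToArray()
        Overflow = $overflow      # number of terms beyond the list limit
    }
}

# The post's example list, plus three constructed entries (abc, PASSWORD,
# averyverylongcompanynameindeed) to exercise the length and duplicate checks.
$candidate = @"
Password_123, Manch35t3r, 123456, password, 123456789, 12345, 12345678, qwerty,
1234567, 111111, 1234567890, 123123, abc123, 1234, password1, iloveyou, 1q2w3e4r,
000000, qwerty123, zaq12wsx, dragon, sunshine, princess, letmein, 654321, monkey,
27653, 1qaz2wsx, 123321, qwertyuiop, superman, asdfghjkl, abc, PASSWORD,
averyverylongcompanynameindeed
"@

$result = Test-BannedPasswordList -Terms ($candidate -split ",")
"Accepted: $($result.Valid.Count)   Rejected: $($result.Rejected.Count)   Over limit: $($result.Overflow)"
$result.Rejected
# One term per line, ready to paste into the custom banned password list box.
$result.Valid | Out-File -FilePath ".\banned-passwords.txt" -Encoding utf8
```

On this input the three constructed entries are the rejections: "abc" is too short, "PASSWORD" is a case-insensitive duplicate of "password", and the long company name exceeds 16 characters. Short generic terms are the best use of the limited slots, because the service blocks passwords that merely contain a banned term rather than only exact matches.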
Dynamic membership rules for groups in Azure Active Directory and automatic licensing.
Configured in Azure Active Directory Admin Center.
Add New Group
Select Dynamic User or Device
Example: the rule looks for the City property equal to "Sunderland".
Users created with City "Sunderland" will be added automatically to this group.
Next step, edit the Group “Sunderland Office” by clicking on it.
Click “Licenses” and “+ Assignments”
Select the license and options to assign and save
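The same group and license assignment can be created with the Microsoft Graph PowerShell SDK, which is useful when the rule should be version-controlled. This is an added example, not from the original post; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules and an account granted Group.ReadWrite.All and Directory.ReadWrite.All, and the group name, city and SKU part number ("EMS", which I take to be the EMS E3 SKU) are illustrative and should be checked against your tenant with Get-MgSubscribedSku.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK; permission scopes and the SKU part number are assumptions
# to verify in your tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Directory.ReadWrite.All", "Organization.Read.All"

$groupName = "Sunderland Office"
$rule      = '(user.city -eq "Sunderland")'   # same condition as the example above
$skuPart   = "EMS"                             # placeholder; list yours with Get-MgSubscribedSku

# Create the dynamic user group only if it does not already exist.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname "sunderland-office" -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule -MembershipRuleProcessingState "On"
}

# Resolve the license SKU and check there are units left before assigning.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPart
if (-not $sku) { throw "SKU '$skuPart' not found in this tenant" }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "$skuPart : $free units available"

# Group-based licensing: every user the rule picks up inherits the license,
# and loses it again when they no longer match the rule.
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Membership is recalculated asynchronously, so the count can lag for a while.
$members = Get-MgGroupMember -GroupId $group.Id -All
Write-Host "$groupName currently has $(@($members).Count) member(s)"
Get-MgGroup -GroupId $group.Id -Property AssignedLicenses |
    Select-Object -ExpandProperty AssignedLicenses
```

Two things commonly stop the licence from landing even though the rule matches: the user has no UsageLocation set (group-based licensing requires it), and the tenant has fewer free units than members. Both show up as licensing errors on the group's Licenses blade rather than as failures from the cmdlet.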
For more information visit
Intune – Mobile Device Management – App Protection Policy in Intune App Protection
Scenario: we want to securely publish a corporate app (OneDrive) to users who will be using their own mobile (iOS) devices. We want to protect the corporate data used in the app and establish authentication before it can be accessed. Users should not be able to copy and paste data directly from the app on to their own device.
We need to create an App Protection Policy in Intune App Protection.
For more in-depth detail:
Create an App Protection Policy
From the main Intune App Protection Home Screen: Select App protection policies -> Create policy -> iOS/iPadOS
Fill out the Name and Description screen and then click Next.
Select Unmanaged Apps in the Device Types drop-down menu and select the OneDrive app in the Public apps section. Click Next.
On the Data Protection screen you can select from several controls on what users can and cannot do with the corporate data that the app accesses. Work with your IT Security and Data Protection team to understand what their requirements are. Click Next.
The Access Requirements screen allows you to add a layer of authentication to opening the app on the user's own device. You can choose between various PIN types and options; again, work with your IT Security teams on what they require. Click Next.
The Conditional Launch screen allows you to be more granular on what conditions the device and the app have to meet for the app to be launched (minimum OS version and maximum PIN attempts, for example). Click Next.
On the Assignments page select the group you want to apply this policy to and then click Next.
Review your settings on the Review + Create screen and then click Create.
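The same policy, built step by step above, can be created through Microsoft Graph so that it can be reviewed as code and reproduced in another tenant. The following is an added example and not from the original post or Microsoft's own samples: it assumes the Microsoft.Graph.Authentication module and the DeviceManagementApps.ReadWrite.All permission, the property names follow the Graph iosManagedAppProtection resource as I know it and should be checked against the current Graph reference before use, the group object ID is a placeholder, and com.microsoft.skydrive is the published bundle ID of OneDrive for iOS.

```powershell
# Added example, not from the original post. Graph property names are my
# understanding of the iosManagedAppProtection resource; verify against the
# current Graph reference. The group ID is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base    = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"
$groupId = "<object-id-of-target-group>"   # placeholder

# Step 1-5 of the wizard as one object. Values are illustrative choices.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "iOS BYOD - OneDrive"
    description                             = "Protects corporate data in OneDrive on unmanaged iOS devices"
    targetedAppManagementLevels             = "unmanaged"     # Device types: Unmanaged apps
    # Data protection: data may only leave to other policy-managed apps, and the
    # clipboard cannot be used to paste corporate data into personal apps.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedApps"
    saveAsBlocked                           = $true
    printBlocked                            = $true
    dataBackupBlocked                       = $true
    # Access requirements: a PIN before the app opens
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    # Conditional launch: minimum OS version and maximum PIN attempts
    minimumRequiredOsVersion                = "15.0"
    maximumPinRetries                       = 5
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy
$id = $created.id
Write-Host "Created policy $id"

# Target the OneDrive public app (wizard step "Public apps").
$apps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = "com.microsoft.skydrive"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/targetApps" -Body $apps

# Assign the policy to the BYOD group (wizard step "Assignments").
$assign = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" -Body $assign

# Review + Create: read the policy back with its apps and assignments.
Invoke-MgGraphRequest -Method GET -Uri "$base/$id`?`$expand=apps,assignments"
```

The policy only takes effect for apps that are registered with the user's work account inside OneDrive; a personal account in the same app is untouched, which is the point of app-level rather than device-level protection on a BYOD phone. Check the Intune "App protection status" report after rollout to see which users have checked in under the policy.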