Challenge: Separate subscriptions for multiple disciplines under the same Azure Active Directory Tenancy.
Required: Each subscription must have the same role assignments
Solution: Azure Blueprints, which define a repeatable set of Azure resources
Azure Blueprints provides:
- Role & Policy Assignments
- ARM templates
- Resource Groups
Getting Started Azure Blueprints (PREVIEW)
Creating Blueprint Guide – Focused on Roles
Create a blueprint; if you are new to Blueprints, start with one of the predefined sample blueprints.
For this example I have selected Resource Groups with RBAC (Role-based Access Control).
Create blueprint > Enter Name, Description and Definition Location
Next : Artifacts
Click Save Draft
How to Publish Blueprint
Click Blueprints > Blueprint Definitions > Select the version to publish
Click Publish blueprint.
Enter version and change notes > Click Publish
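The same publish-and-assign steps driven from PowerShell, so that one published version is applied identically to every subscription and the resulting role assignments can be checked. This is an added example, not part of the original post; it assumes the Az.Blueprint and Az.Resources modules, an existing draft blueprint definition, and placeholder management group, blueprint and subscription names.

```powershell
# Added example (not from the original post). Assumes Az.Accounts, Az.Blueprint and
# Az.Resources are installed and Connect-AzAccount has been run with Owner rights.
# All names and IDs below are placeholders.
Import-Module Az.Blueprint

$mgId          = 'contoso-mg'                  # placeholder management group (definition location)
$blueprintName = 'rbac-baseline'               # placeholder draft blueprint definition
$subscriptions = @('00000000-0000-0000-0000-000000000001',   # placeholder subscription IDs
                   '00000000-0000-0000-0000-000000000002')
$location      = 'uksouth'

# 1. Publish the draft as a version with change notes (the "Publish blueprint" step above)
$draft = Get-AzBlueprint -ManagementGroupId $mgId -Name $blueprintName
Publish-AzBlueprint -Blueprint $draft -Version '1.0' -ChangeNote 'Initial RBAC baseline'

# 2. Assign the latest published version to each subscription.
#    A blueprint with parameters would also need -Parameter / -ResourceGroupParameter here.
$published = Get-AzBlueprint -ManagementGroupId $mgId -Name $blueprintName -LatestPublished
foreach ($subId in $subscriptions) {
    New-AzBlueprintAssignment -Name "assign-$blueprintName" `
        -Blueprint $published -SubscriptionId $subId -Location $location
}

# 3. Verify: assignment state per subscription, then the role assignments that now
#    exist at subscription scope (what the blueprint was meant to make identical).
foreach ($subId in $subscriptions) {
    $assignment = Get-AzBlueprintAssignment -SubscriptionId $subId -Name "assign-$blueprintName"
    Write-Output ("{0}: {1}" -f $subId, $assignment.ProvisioningState)
    Get-AzRoleAssignment -Scope "/subscriptions/$subId" |
        Where-Object { $_.Scope -eq "/subscriptions/$subId" } |
        Select-Object DisplayName, RoleDefinitionName, ObjectType
}
```

Comparing the step 3 output across subscriptions is the quickest way to spot a subscription where the assignment failed or someone later added a role by hand.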
Azure AD Identity Protection (“Risk detection and remediation”) identifies suspicious sign-in and user activity and assigns it a risk level.
All features are available in Azure AD Premium P2; a restricted set of features is available in Azure AD Premium P1 and Basic/Free.
The key difference is that the notification options are only available in Azure AD Premium P2.
There are three default policies
- User Risk
- Sign-In Risk
Example of the Identity Protection Policies
Reference How To Guides:
- How To: Configure the Azure Multi-Factor Authentication registration policy
- How To: Configure and enable risk policies
- How To: Identity protection configure notifications
Problem: In Azure Conditional Access, “New policy” is greyed out.
Reason: To use Azure Conditional Access policies, you require “Azure AD Premium”.
Solution: License and set up Azure AD Premium. You can set up Azure AD Premium on a 30-day trial before incurring additional costs.
Activate using the free 30-day trial option shown below.
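Once the tenant is licensed, the risk policies from the Identity Protection section above can be expressed as Conditional Access policies. The following is an added example, not from the original post, using the Microsoft Graph PowerShell SDK; it creates both policies in report-only mode first and then lists the users currently flagged as risky. The break-glass group ID is a placeholder and the sign-in/user risk conditions require Azure AD Premium P2.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK
# and an account allowed to manage Conditional Access. Group ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','IdentityRiskyUser.Read.All'

$breakGlassGroup = '<break-glass-group-object-id>'   # placeholder: always exclude emergency accounts

# Sign-in risk policy: medium/high risk sign-ins must pass MFA
$signInRisk = @{
    displayName = 'CA - Require MFA for medium or high sign-in risk'
    state       = 'enabledForReportingButNotEnforced'    # report-only until the impact is reviewed
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# User risk policy: high user risk forces MFA and a secure password change
$userRisk = @{
    displayName = 'CA - Require password change for high user risk'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        userRiskLevels = @('high')
    }
    # passwordChange must be combined with mfa using AND
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRisk
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRisk

# Detection check: who would be affected right now?
Get-MgRiskyUser -Filter "riskLevel eq 'high' or riskLevel eq 'medium'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Flip `state` to `enabled` only after the report-only sign-in logs show the expected population is being caught.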
A good starting point for this exercise was the Microsoft post on mail flow rules to inspect message attachments. Available here. There is also a good reference page on common attachment blocking scenarios.
Recently some of our users received PS1 files as attachments. We wanted to raise awareness among our users about PS1 files by adding an additional disclaimer to emails received with a PS1 attachment.
If you try to send a PS1 file as an attachment, you will often get a notification, but you are still allowed to send the email.
Outlook users may still receive the email and be notified of a potentially unsafe attachment, which is good. But what if they weren’t using Outlook?
Outlook on the web will show a “No Entry” sign.
Challenge : How do we create a mail flow rule to add a disclaimer to inbound emails with PS1 files attached?
How to Guide : Create Mail Flow Rules
Start in “Microsoft 365 Admin Center” and browse to “Exchange” Admin Center
You can create new rules by selecting “Mail Flow” > “Rules” > “+” > “Create a new rule”
This example appends the disclaimer when a PS1 file is received
Additional options (Optional)
Rule is configured
A test mail sent to a Microsoft 365 Exchange mailbox: disclaimer added. See the example screenshot below.
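The same rule built with Exchange Online PowerShell, which makes it easy to version-control and to re-create in another tenant. This is an added example rather than the rule from the original post; the rule name, disclaimer wording and test mailbox are placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# and an Exchange admin account. Rule name and disclaimer text are placeholders.
Connect-ExchangeOnline

$disclaimer = '<p style="border:2px solid #a00;padding:6px"><b>Caution:</b> this message ' +
              'from outside the organisation contains a PowerShell script (.ps1) attachment. ' +
              'Do not open or run it unless you were expecting it. Report it to the Service Desk.</p>'

# Scope: inbound mail only, any attachment whose file extension is .ps1.
# Note: this matches on the file name, so a script renamed to .txt will not trigger it.
New-TransportRule -Name 'Warn on inbound PS1 attachment' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'ps1' `
    -PrependSubject '[PS1 attachment] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit `
    -Priority 0 `
    -Comments 'Raise awareness of PowerShell script attachments'

# Audit mode records matches in message trace / rule reports without changing mail.
# After confirming it only fires on the intended messages, switch it on:
Set-TransportRule -Identity 'Warn on inbound PS1 attachment' -Mode Enforce

# Check the final configuration
Get-TransportRule -Identity 'Warn on inbound PS1 attachment' |
    Format-List Name, State, Mode, FromScope, AttachmentExtensionMatchesWords,
                ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction, Priority
```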
Features are available to improve security for mobile devices by using encryption and a password policy when they connect to Exchange Online (O365). Anyone who has been an Active Directory admin will by default expect to configure additional security; the same logic should apply for the Office 365 admin / Exchange Online admin.
To configure this, start in the Exchange Admin Center.
Browse to “Mobile” and edit the “Default” policy.
This applies additional security settings to mobile devices by default. I’ve highlighted some more restrictive settings to configure, compared with the defaults:
- Require Password
- Require an Alphanumeric Password
- Require Encryption
- Min Password Length
- Wipe Device on Sign-In Failures
- Sign In time
- Password Lifetime and Recycle Count
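The same settings applied to the Default policy with Exchange Online PowerShell, one parameter per bullet above. This is an added example, not from the original post; the specific values (length, timeouts, retry counts) are illustrative choices, not Microsoft recommendations.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module.
# Values are illustrative; pick them to match your own policy.
Connect-ExchangeOnline

Set-MobileDeviceMailboxPolicy -Identity 'Default' `
    -PasswordEnabled $true `                     # Require Password
    -AlphanumericPasswordRequired $true `        # Require an Alphanumeric Password
    -MinPasswordComplexCharacters 2 `            # letters plus at least one other character class
    -MinPasswordLength 8 `                       # Min Password Length
    -RequireDeviceEncryption $true `             # Require Encryption
    -MaxPasswordFailedAttempts 10 `              # Wipe Device on Sign-In Failures
    -MaxInactivityTimeLock '00:05:00' `          # Sign In time: lock after 5 minutes idle
    -PasswordExpiration '90.00:00:00' `          # Password Lifetime: 90 days
    -PasswordHistory 5 `                         # Password Recycle Count
    -AllowNonProvisionableDevices $false         # devices that cannot enforce the policy are refused

# Verify what is now in force for the Default policy
Get-MobileDeviceMailboxPolicy -Identity 'Default' |
    Format-List PasswordEnabled, AlphanumericPasswordRequired, MinPasswordComplexCharacters,
                MinPasswordLength, RequireDeviceEncryption, MaxPasswordFailedAttempts,
                MaxInactivityTimeLock, PasswordExpiration, PasswordHistory,
                AllowNonProvisionableDevices

# Devices already connected that do not meet the policy show up here
Get-MobileDevice | Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason
```

Setting AllowNonProvisionableDevices to $false is the part most likely to lock real users out, so review the last query before changing it.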
Intune – Mobile Device Management – App Protection Policy in Intune App Protection
Scenario – We want to securely publish a corporate app (OneDrive) to users who will be using their own mobile (iOS) devices. We want to protect the corporate data used in the app and require authentication before it can be accessed. Users should not be able to copy and paste data directly from the app onto their own device.
We need to create an App Protection Policy in Intune App Protection.
For more in-depth detail:
Create an App Protection Policy
From the main Intune App Protection Home Screen: Select App protection policies -> Create policy -> iOS/iPadOS
Fill out the Name and Description screen and then click Next.
Select Unmanaged Apps in the Device Types drop-down menu and select the OneDrive app in the Public apps section. Click Next.
On the Data Protection screen you can select from several controls on what users can and cannot do with the corporate data that the app accesses. Work with your IT Security and Data Protection teams to understand their requirements. Click Next.
The Access Requirements screen allows you to add a layer of authentication to opening the app on the user's own device. You can choose between various PIN types and options; again, work with your IT Security teams on what they require. Click Next.
The Conditional Launch screen allows you to be more granular about the conditions the device and the app have to meet for the app to launch (minimum OS version and maximum PIN attempts, for example). Click Next.
On the Assignments page, select the group you want to apply this policy to and then click Next.
Review your settings on the Review + Create screen and then click Create.
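The same policy expressed against the Microsoft Graph Intune endpoints, which shows which setting enforces each requirement in the scenario (unmanaged devices, PIN before access, no copy/paste to personal apps, conditional launch limits). This is an added example, not the original post's procedure; it uses the beta endpoint the Intune portal itself calls, the target group ID is a placeholder, and the OneDrive iOS bundle ID is assumed and should be checked against the Intune app picker.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell SDK and
# an Intune administrator. Group ID is a placeholder; the bundle ID is an assumption.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections'

$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'APP - OneDrive on personal iOS'
    description                             = 'Protect corporate data in OneDrive on unmanaged iOS devices'
    targetedAppManagementLevels             = 'unmanaged'        # Device types: Unmanaged
    # Data Protection: keep corporate data inside policy-managed apps
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedApps'      # no copy/paste to personal apps
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    # Access Requirements: authenticate before the app opens
    pinRequired                             = $true
    pinCharacterSet                         = 'alphanumericAndSymbol'
    minimumPinLength                        = 6
    periodOnlineBeforeAccessCheck           = 'PT30M'            # ISO 8601 durations
    periodOfflineBeforeAccessCheck          = 'PT12H'
    # Conditional Launch: minimum OS and maximum PIN attempts
    minimumRequiredOsVersion                = '15.0'
    maximumPinRetries                       = 5
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy

# Public apps: target the OneDrive iOS app (bundle ID assumed; confirm in the portal picker)
$apps = @{ apps = @(@{ mobileAppIdentifier = @{
    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skydrive' } }) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" -Body $apps

# Assignments: the user group that should receive the policy
$assign = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<target-group-object-id>' } }) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" -Body $assign

# Review: read the policy back with its targeted apps and assignments
Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)?`$expand=apps,assignments"
```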