Microsoft Cloud Best practices


I get asked quite regularly about best practices for the Microsoft Cloud so what I have done is start a new file in my GitHub repository here:

where you’ll find links to articles from Microsoft and others (i.e. NIST, CIS, etc) around best practices for the Microsoft Cloud.

Let me know if you have any more and I’ll add them.

Handy Azure Sentinel workbook


If you have a look at the available workbooks in Azure Sentinel, you should find a Data collection health monitoring workbook under Templates as shown above. It is easy to Save this to your environment (in the lower right after selecting the workbook).


If you View the workbook. You’ll need to select the Subscription and Workspace at the top of the page. Once you have done this you should start seeing the values for your environment as shown above.

If you have a look in the Overview section and then the Is billable field as shown above. That is something that is handy to know as not all services ingested into Azure Sentinel incur a cost.


Pricing can be found here:

If you scroll down to the bottom of the screen you see the above:

What data can be ingested at no cost with Azure Sentinel?

Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security, and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.

Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics.


What other charges should I be aware of when using Azure Sentinel?

Any Azure services that you use in addition to Azure Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, etc.

For a good introduction to Sentinel have a look at my previous article:

Another great security add on for Microsoft 365

and an online course I created:

Getting started with Azure Sentinel

Using the Data collection health monitoring workbook now makes it easy to see what you are exactly you are being billed for. All you need to do is just add it to your own workbooks. Here is great video overview:

Need to Know podcast–Episode 256

We’ve crossed the 8 bit barrier and now into 16 bit episode numbers! I’ll give you a quick round up of what I thought was the most important announcements from Microsoft and where you can go to get all the information Microsoft recently provides about its products. Then I’ll speak with Microsoft MVP Lars Klint about his project with llamas. Yup, that’s the animal, not some secret code word. So listen in for some fun as well as interesting take away Lars has to share in this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.




Introducing llama cam

llama cam

Lars Klint blog

Ignite book of news

Ignite on demand sessions

New management capabilities for Microsoft Defender Antivirus in Microsoft 365 Business Premium

Announcing Microsoft 365 Lighthouse for Managed Service Providers serving small & medium customers

Seven ways we’re empowering every person and every organization to thrive in a new world of work

Discover the new Teams feature that supports social-emotional learning

Microsoft Defender for Endpoint adds depth and breadth to threat defense across platforms

Announcing SharePoint Syntex

Celebrating the top OneDrive moments from Microsoft Ignite 2020

SharePoint admin and migration announcements at Ignite 2020

What’s New in Microsoft Teams

Collaboration, communication and knowledge sharing with Microsoft Teams, SharePoint, Project Cortex

Modern Device Management with Microsoft 365 Business Premium–Part 8

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business premium – Part 3

Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4

Baselines – Modern Device Management with Microsoft 365 Business Premium – Part 5

Deployment – Modern Device Management with Microsoft 365 Business Premium – Part 6

Autopilot admin – Modern Dev Management with Microsoft 365 Business Premium – Part 7

In the previous post I detailed Windows Autopilot from the administrator’s point of view. What does it look on the device side?


Just before the Autopilot Reset is selected in the EndPoint Manager portal as shown above, let me show you one quick configuration I’ve also done in Windows Hello for Business to make life that little bit easier.


In Devices | Enroll Devices | Windows enrollment select Windows Hello for Business as shown above.


I have set the Configure Windows Hello for Business to be Disabled. Because I’m using a machine WITHOUT a TPM chip here (i.e. a Virtual Machine), it means that if Windows Hello for Business is enabled I’m going to need to go through the process of registering a device PIN. For now, to keep it as simple as possible, I want that Disabled.

Of course, I have also completed the Autopilot enrolment process and created an Autopilot device policy as detailed in the previous part in the series. Note, that a user has also already been assigned to this device. This means that the machine will be joined to Azure AD using this assigned user. That means they will not need to input their credentials during the process.


After selecting Autopilot Reset in Endpoint Manager I am asked to confirm the process as shown above. Take careful note here of what Autopilot does to that machine.

Select Yes to continue.


Once I select Autopilot Reset in Endpoint Manager, any active user will receive the above message that they have 45 minutes before the targeted machine is forcibly rebooted. I will fast track that process by manually rebooting the workstation to commence the Autopilot reset process.


If the devices is at the lock screen you will see the above message when the Autopilot process commences.


The workstation will then reboot and commence a Windows ‘refresh’ of the device, effectively doing a clean installation of Windows 10.









It will then complete the Autopilot configuration as seen above. You will note here that no user input is required. The reason for this is in Endpoint Manager a user has already been assigned to the device.


Not long after, you’ll will then end up with the ability to login to the workstation, as shown above.



When you do, you’ll be taken through the normal first run Windows experience as shown above.


The standard desktop should appears and all the device policies, Intune, Endpoint Security, etc will commence application to the device. Thus, it is just like you did a manual device join to Azure AD but you DIDN’T! Autopilot did all the hard work for you!

This is an example of how easy modern device management cam make your life once you set it up. If there is a problem with a machine, don’t waste long hours troubleshooting! Do an Autopilot reset to get a fresh version with everything deployed and accessible from the cloud. Easy! Need to reprovision an existing machine for a new user? Autopilot Reset again. Easy! the list goes on and on for the benefits of Windows Autopilot.

Although not yet available, what would you say if the same Autopilot concept was coming to both iOS and Android? Roll on modern device management is what I would say.

Modern Device Management with Microsoft 365 Business Premium – Part 9

Modern Device Management with Microsoft 365 Business Premium–Part 2


Modern Device Management with Microsoft 365 Business Premium–Part 1

I covered the basic overview and out of the box device management you get with pure Office 365. In this article I want to start digging into the more advanced features you get by using Intune which is part of Microsoft 365 Business Premium.


Microsoft has a service called Endpoint Manager that allows advanced device configuration and management. You access this via:


Intune is now part of Endpoint Manager, so you use that to gain access to the Intune configuration.


Part of the Intune configuration capability is device management, this is more advanced than the basic options in pure Office 365 that were detailed in the previous article.


To have devices managed by Intune they first need to go through a specific Intune enrolment process.


Intune device enrolment can only be achieved once devices have been joined to Azure AD. Both registered and stand alone devices cannot be managed at a device level via Intune, only those devices that have been fully joined to Azure AD can be enrolled in Intune for device management.


If you look at your Azure AD in the Azure portal you’ll see the option Mobility (MDM and MAM). If you select that, you’ll probably see a Microsoft Intune option on the right as shown above.


If you select that Intune option and you don’t have a license for Intune you’ll be greeted with something like the above. What this is telling you is that automatic enrolment of device requires an Intune license.


If you do however have a license for Intune you’ll see the above instead. This allows you to select which groups (None, Some, All) that will automatically be enrolled in both device management (MDM) and application management (MAM). You could still of course, manually enrol if you wished but by adding an Intune license you now get the ability to automatically enrol devices into Intune management once you have joined these devices to Azure AD.

So the, typical steps so far have been:

1. Join device to Azure AD

2. Have it automatically commence device enrolment in Intune

You will find the configuration for Intune enrolment by navigating to Endpoint Manager:


and then go to the Devices option from the menu on the left then Enroll devices as shown above.


The first major difference you’ll now see is that you have enrolment options for Windows, Apple and Android as well as the ability to enforce restrictions and allocate managers. Each operating system will have it’s own enrolment capabilities and options. For example, it is here that you configure Windows Autopilot and Windows Hello for Business if you wanted, as they are considered potentially part of any advanced device enrolment.

I’ll look at covering off many of these different enrolment options in future articles, however I do want to call your attention that to enrol Apple devices you will need to set up a free Apple certificate beforehand. I have detailed that process previously here:

Adding an Apple Certificate to Intune


You can get an overview of the device enrolment status in your environment (i.e. successes and failures) via Endpoint Manager | Devices | Overview | Enrollment status as shown above. You’ll also see any Enrollment alerts on the very next tab to the right.


Once devices have successfully completed enrolment, they will commence device compliance.


You can configure device compliance policies via Endpoint Manager | Devices | Compliance policies as shown above.


Here you create as many different Compliance policies as you wish. Typically, you have one per device operating system, however you can have more if you wish. A good example of why you might have two Windows 10 policies is to handle machines that have and those than don’t have TPM capabilities. Disk encryption is a compliance setting you can check for and enforce. However, you may not want to enforce full disk encryption via BitLocker for machines that don’t have inbuilt TPM chips for example. Thus, two separate compliance policies would be required. One to check machines with a TPM capability and one for those without.


If you select the Create Policy option, as shown above, you’ll be able to select from a range of platforms (OS’s).


The compliance options available will vary by device operating system, but an example of some of the Windows 10 options you can configure in the policy are shown above.

The main idea here is to configure appropriate checks via policies for each device operating system. Devices that fail these checks are considered and marked as ‘non-compliant’ and further action can then be taken. An example of an action that can be taken on a device that is ‘non-compliant’ is to exclude it from accessing Microsoft 365 information. A good example of this is a policy that prevents devices that have been jailbroken or have unsupported operating systems from being able to access corporate data.


You can get an overview of the device compliance status in your environment by navigating to Endpoint Manager | Devices | Overview | Compliance status as shown above.


Once compliance policies have been applied to a device, the final part of adding devices to Intune device management is the application of configuration policies.


These policies are found by navigating to Endpoint Manager | Devices | Configuration policies as shown above.


When you create a new policy via the Create profile button from the menu as shown above you again need to select the device operating system and then the profile. The number, types and content of these profile will vary by operating system but for example allow to to do things like control when anti virus scans run, control photo uploads, enforce pin locks and so much more.

Here you will typically have lots of policies including different policies for different groups of users, different operating systems and so on.


Above is an example of the options that are available in an Android Device Restriction configuration policy.

In summary, this article has covered the process of enrolling in advanced device management (MDM) using Intune. The process is:

1. Join devices to Azure AD

2. Devices complete Intune enrolment

3. Devices have Intune compliance policies applied

4. Devices have Intune configuration policies applied

After this process, devices are considered to fully ‘device’ managed by Intune. That is MDM is now done via Intune.

Note, MDM is for devices that are Azure AD joined and require full control of the device down to the operating system. This means the business has full control of the device. That may not be desired for users who bring their own devices (BYOD). Such devices can be managed by application management (MAM) which will be the focus of the next article.

Modern Device Management with Microsoft 365 Business premium – Part 3

Modern Device Management with Microsoft 365 Business Premium–Part 1

The way that devices running Windows 10, iOS, Android and MacOS get managed with Microsoft 365 Business Premium can be daunting to those who aren’t familiar with it. The common way that it is explained is from the inside out, that is via policies in Intune first, rather than starting with the big picture and working in.

I therefore thought that I’d do my best to explain it from what I see is a more logical way to understand what is going on.


The starting point is the Microsoft 365 Business Premium tenant in which everything lives.


Inside a Microsoft 365 Business Premium tenant is an Azure AD tenant. See my article:

Deploy Office 365 and Azure together

for more information.


Inside the Azure AD tenant is Active Directory (AD) (i.e. Azure AD).


Inside Azure AD are user identities (i.e. login credentials).


Also inside Azure AD are devices.


The first type of device that can be used, are devices that are totally stand alone. They have no connection to the tenant or are joined in any way. Given a larger canvas, these would live outside the tenant, however for convenience and space, I’ll simply represent them where they are.

If you want to access Microsoft 365 Business Premium services on such devices, you typically do so just using a browser. There is no device (MDM) or application management (MAM) of these devices as well as no compliance to ensure they meet requirements like an up to date operating system.


The next set of devices are those that are simply ‘registered’ with Azure AD. You do this by following these steps:

Register your personal device on your organization’s network

for more information see:

Azure AD registered devices

Once a device is registered it will appear in Azure AD.


You typically find that in the Azure Portal under the Azure Active Directory service and then selecting Devices as shown above.


You will see that registered devices are displayed as Azure AD registered as shown above.

Azure AD registered devices typically have no application control (MAM), no device management (MDM) or compliance. The one advantage you do get over stand alone devices is that access to Microsoft 365 resources, like files, is easier and subject to less prompts to enter credentials.

Registered Azure AD devices are a typical scenario you see for BYOD in a pure Office 365 environment. That is, environments WITHOUT Intune.


The final type of devices are Azure AD Joined devices. The way that you join a device to Azure AD is covered here:

Join your work device to your organization’s network

and for more information about Azure AD joined devices see:

Azure AD joined devices


Azure AD joined devices will be shown as above with the join type as Azure AD joined. You will also note that these devices have MDM (device) management being Office 365 Mobile and a field for whether they are Compliant.


If you select an Azure AD joined device you largely get an inventory, as shown above, of that device, plus the ability to Enable, Disable and Delete the device via the top menu. Another benefit is the ability to capture BitLocker keys as well, which are shown at the bottom of the device if BitLocker is configured on the device.

Thus, the benefits of Azure AD joined devices is that they have some basic device management (via Office 365 mobile) as well as ability to be check for compliance. You can also, for example, do a device level wipe (i.e. factory reset) which you can’t do with the prior device connection methods. Azure AD Joined devices are also able to have easier access to Microsoft 365 services as with the previous two device connection methods.

Azure AD joined devices are a typical scenario you see for company issued devices in a pure Office 365 environment. That is, environments WITHOUT Intune where the company provides the device to employees.

Thus, Office 365 has a basic MDM and compliance capability which is detailed here:

Set Up Basic Mobility and Security

How you configure the Office 365 Mobile policies is found here:

Create device security policies in Basic Mobility and Security

You may need to use the direct URL:

to see these.


If you look at what these policies provide you see


for Access Requirements and


for Configurations.

Both of these options are quite limited and don’t provide any specific device OS/type targeting. They also roll compliance (Access requirements) and configuration together into a single policy, which lacks a certain amount of flexibility. In essence then, this is why the out of the box device management that comes with Office 365, known as Office 365 Mobile is ‘basic’. This is why something with more power and granularity is required if you are serious about device management.

You will note that, Office 365 Mobile management does not provide any real application management (MAM). This prevents doing things like push install to devices.

In summary, what has been covered so far is the out of the box device management capabilities you get with all Office 365 tenants. We can extend this much further using Microsoft 365 Business Premium and the power of Intune to manage devices. However, I’ll save that for an upcoming article as I want to break these concepts up into digestible chunks for people. So next we’ll take a look at how we can extend this basic device configuration using Intune.

Modern Device Management with Microsoft 365 Business Premium–Part 2

A couple of new additions to Azure Sentinel

If you have a look inside your Azure Sentinel console you should some new options.


The first is a new option in the Office 365 Data connector to allow you to bring Teams data from the Office 365 Unified Audit Log into Sentinel. All you need to do to enable this is open the Office 365 connector and select the Teams check box as shown above.


Once the data starts flowing in, the you’ll be able to run Kusto queries on the log data as shown above. This query will produce a quick report of all the Teams sessions over the last day. The KQL for this is:


| where TimeGenerated >= ago(1d)

| where RecordType == “MicrosoftTeams”

| summarize count () by UserId

| sort by count_

With Teams data now flowing into Sentinel you can start creating all sorts of interesting reports.


The next new item is the Entity behavior as shown above. Here is what it does:


Basically, it is going to give you the ability to be more granular when looking at data as well as providing more AI (Artificial Intelligence) across that data looking for anomalies.


Just scroll down the page and Turn it on.


Now when you visit the link you’ll see:


and selecting an account will show you information like:


Which is a great summary for that user over the time period you selected.


The Threat intelligence option provides the above options, which to be honest, I haven’t fully figured out how to use effectively yet. I may not as yet have enough data in this tenant to make full use of it. I’ll have to wait and see.

Overall some really handy additions to Azure Sentinel that I’d be encouraging you to take advantage of to improve you security analysis. If you are looking to get started with Azure Sentinel, don’t forget my online course:

Updated CIAOPS PowerShell course

I am pleased to announce that I have updated my online PowerShell course for Microsoft 365. A lot has changed in recent times so I’ve been through the content and updated it as well as add lots more lessons and resources. The only thing that hasn’t changed is the price. That remains at US$39!

You can view the course content and sign up here:

Of course, if you are eligible CIAOPS Patron, you’ll also get immediate access to the course for free as part of your benefits.

The idea with the course is not to give you a deep dive into all the workings of PowerShell. It is designed to get you up and running using PowerShell with Microsoft 365 as quickly as possible. No pre-existing knowledge is assumed. I’m aiming to bring out more advanced courses, but this course is the foundation on which courses will be built.

As I have said many times here, PowerShell is a KEY skill for any IT Pro going forward in the Microsoft Cloud space. It allows you to do things faster and more consistently, just to name two benefits. If you haven’t taken the step to learning PowerShell then invest in yourself and you future and do so!