Modern Device Management with Microsoft 365 Business Premium–Part 1

The way that devices running Windows 10, iOS, Android and MacOS get managed with Microsoft 365 Business Premium can be daunting to those who aren’t familiar with it. The common way that it is explained is from the inside out, that is via policies in Intune first, rather than starting with the big picture and working in.

I therefore thought that I’d do my best to explain it from what I see is a more logical way to understand what is going on.

image

The starting point is the Microsoft 365 Business Premium tenant in which everything lives.

image

Inside a Microsoft 365 Business Premium tenant is an Azure AD tenant. See my article:

Deploy Office 365 and Azure together

for more information.

image

Inside the Azure AD tenant is Active Directory (AD) (i.e. Azure AD).

image

Inside Azure AD are user identities (i.e. login credentials).

image

Also inside Azure AD are devices.

image

The first type of device that can be used, are devices that are totally stand alone. They have no connection to the tenant or are joined in any way. Given a larger canvas, these would live outside the tenant, however for convenience and space, I’ll simply represent them where they are.

If you want to access Microsoft 365 Business Premium services on such devices, you typically do so just using a browser. There is no device (MDM) or application management (MAM) of these devices as well as no compliance to ensure they meet requirements like an up to date operating system.

image

The next set of devices are those that are simply ‘registered’ with Azure AD. You do this by following these steps:

Register your personal device on your organization’s network

for more information see:

Azure AD registered devices

Once a device is registered it will appear in Azure AD.

image

You typically find that in the Azure Portal under the Azure Active Directory service and then selecting Devices as shown above.

image

You will see that registered devices are displayed as Azure AD registered as shown above.

Azure AD registered devices typically have no application control (MAM), no device management (MDM) or compliance. The one advantage you do get over stand alone devices is that access to Microsoft 365 resources, like files, is easier and subject to less prompts to enter credentials.

Registered Azure AD devices are a typical scenario you see for BYOD in a pure Office 365 environment. That is, environments WITHOUT Intune.

image

The final type of devices are Azure AD Joined devices. The way that you join a device to Azure AD is covered here:

Join your work device to your organization’s network

and for more information about Azure AD joined devices see:

Azure AD joined devices

image

Azure AD joined devices will be shown as above with the join type as Azure AD joined. You will also note that these devices have MDM (device) management being Office 365 Mobile and a field for whether they are Compliant.

image

If you select an Azure AD joined device you largely get an inventory, as shown above, of that device, plus the ability to Enable, Disable and Delete the device via the top menu. Another benefit is the ability to capture BitLocker keys as well, which are shown at the bottom of the device if BitLocker is configured on the device.

Thus, the benefits of Azure AD joined devices is that they have some basic device management (via Office 365 mobile) as well as ability to be check for compliance. You can also, for example, do a device level wipe (i.e. factory reset) which you can’t do with the prior device connection methods. Azure AD Joined devices are also able to have easier access to Microsoft 365 services as with the previous two device connection methods.

Azure AD joined devices are a typical scenario you see for company issued devices in a pure Office 365 environment. That is, environments WITHOUT Intune where the company provides the device to employees.

Thus, Office 365 has a basic MDM and compliance capability which is detailed here:

Set Up Basic Mobility and Security

How you configure the Office 365 Mobile policies is found here:

Create device security policies in Basic Mobility and Security

You may need to use the direct URL:

https://protection.office.com/devicev2

to see these.

image

If you look at what these policies provide you see

image

for Access Requirements and

image

for Configurations.

Both of these options are quite limited and don’t provide any specific device OS/type targeting. They also roll compliance (Access requirements) and configuration together into a single policy, which lacks a certain amount of flexibility. In essence then, this is why the out of the box device management that comes with Office 365, known as Office 365 Mobile is ‘basic’. This is why something with more power and granularity is required if you are serious about device management.

You will note that, Office 365 Mobile management does not provide any real application management (MAM). This prevents doing things like push install to devices.

In summary, what has been covered so far is the out of the box device management capabilities you get with all Office 365 tenants. We can extend this much further using Microsoft 365 Business Premium and the power of Intune to manage devices. However, I’ll save that for an upcoming article as I want to break these concepts up into digestible chunks for people. So next we’ll take a look at how we can extend this basic device configuration using Intune.

A couple of new additions to Azure Sentinel

If you have a look inside your Azure Sentinel console you should some new options.

image

The first is a new option in the Office 365 Data connector to allow you to bring Teams data from the Office 365 Unified Audit Log into Sentinel. All you need to do to enable this is open the Office 365 connector and select the Teams check box as shown above.

image

Once the data starts flowing in, the you’ll be able to run Kusto queries on the log data as shown above. This query will produce a quick report of all the Teams sessions over the last day. The KQL for this is:

OfficeActivity

| where TimeGenerated >= ago(1d)

| where RecordType == “MicrosoftTeams”

| summarize count () by UserId

| sort by count_

With Teams data now flowing into Sentinel you can start creating all sorts of interesting reports.

image

The next new item is the Entity behavior as shown above. Here is what it does:

image
image

Basically, it is going to give you the ability to be more granular when looking at data as well as providing more AI (Artificial Intelligence) across that data looking for anomalies.

image

Just scroll down the page and Turn it on.

image

Now when you visit the link you’ll see:

image

and selecting an account will show you information like:

image

Which is a great summary for that user over the time period you selected.

image

The Threat intelligence option provides the above options, which to be honest, I haven’t fully figured out how to use effectively yet. I may not as yet have enough data in this tenant to make full use of it. I’ll have to wait and see.

Overall some really handy additions to Azure Sentinel that I’d be encouraging you to take advantage of to improve you security analysis. If you are looking to get started with Azure Sentinel, don’t forget my online course:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel

Updated CIAOPS PowerShell course

I am pleased to announce that I have updated my online PowerShell course for Microsoft 365. A lot has changed in recent times so I’ve been through the content and updated it as well as add lots more lessons and resources. The only thing that hasn’t changed is the price. That remains at US$39!

You can view the course content and sign up here:

https://www.ciaopsacademy.com/p/powershell-for-microsoft-365

Of course, if you are eligible CIAOPS Patron, you’ll also get immediate access to the course for free as part of your benefits.

The idea with the course is not to give you a deep dive into all the workings of PowerShell. It is designed to get you up and running using PowerShell with Microsoft 365 as quickly as possible. No pre-existing knowledge is assumed. I’m aiming to bring out more advanced courses, but this course is the foundation on which courses will be built.

As I have said many times here, PowerShell is a KEY skill for any IT Pro going forward in the Microsoft Cloud space. It allows you to do things faster and more consistently, just to name two benefits. If you haven’t taken the step to learning PowerShell then invest in yourself and you future and do so!

Need to Know podcast–Episode 249

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about what Office 365 Alerts is and provide some best practice suggestions.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-249-azure-information-protection/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 14

CIAOPS Patron Community

Azure Information Protection

@directorcia

Announcing the CIAOPS Azure Sentinel online course

pexels-mike-350784

If you want to get started with Azure Sentinel and don;t know quite where, then I have created an online course just for you.

You’ll find it here:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel/

Azure Sentinel is a cloud based security information and event management (SEIM) tool that you can easily connect to various data sources, both on premises and in the cloud. Once events are flowing you can then use Sentinel to analyse and report on those events quickly and easily as well as take automated actions if desired.


This course is aimed at helping you get up and running with Azure Sentinel quickly by introducing you to its main features and then showing you how to configure the most important settings to get it working for business.


If you want to quickly and easily ingest security logging data, analyse, report and act on that then Azure Sentinel is for you and this course will show you how to get up and running quickly. Inside you’ll find video tutorials, references, best practices, how-to’s and more.

I’ll continue to add more material to the course but once you sign up you’ll always have access to all the content.

Look out for more online courses coming soon.

Determining legacy authentication usage

I’ve spoken previously about the need to eliminate basic authentication from your environment:

Disable basic auth to improve Office 365 security

The unfortunate reality is that some legacy applications could be using and can ONLY use legacy auth! So, you don’t want to necessarily disable it across your tenant without first understand who or what maybe using legacy auth.

image

One way you can see this is by navigating to your Azure Active Directory in the Azure portal for your tenant. You then need to select the Sign-ins options on the left under the Monitoring heading towards the bottom as shown above. You should then see a list of events display on the right. At the top of this pane select the Columns menu item.

image

From the pane that appears from the right ensure you have the option Client app selected, as shown above.

image

Next, select the Add filters button at the top of the list of events as shown above. From the list that appears select Client app and then the Apply button at the bottom.

image

A Client app option should now appear at the top of the list as shown. It will typically show None Selected.

image

Select the new Client app button and a list of items will be displayed as shown above. From this list, select all the items under the Legacy Authentication Clients heading.

image

When you now click away, the list of events should be filtered to only those events that match the use of Legacy Authentication. You can select any of these to get more information about the event including who or what generated this.

Armed with this knowledge you can now start working whether upgrades or additional configuration is required in your environment to minimise the attack surface area of Legacy Authentication in your environment.

Protecting your Microsoft 365 environment using Azure AD Privileged Identity Management (PIM)

If you are managing a Microsoft 365 environment my recommendation is to do so using a Microsoft 365 E5 SKU, no matter what else in in that tenant. The reason for having at least one Microsoft 365 E5 SKU in your environment is that it provides a wealth of additional features that directly benefit administrators. One of these is Azure AD Privileged Identity Management (PIM).

image

In a nutshell, PIM allows you to do just-in-time (JIT) role escalation. This means that users can be given the permissions they need to do things, only when the need them. It means that you don’t need to have users with standing global administrator access, they can be escalated only when they actually need those privileges. Standing elevated privileges is something that you should be looking to minimise or eliminate in your environment so that if an account does get compromised it won’t have access to the ‘family jewels’. PIM is also a way to potentially minimise the threat of a ‘rogue administrator’ given that it can have an approval process tied to it as well. Most important, all PIM actions are audited in detail which is always handy to have.

PIM is a feature of Azure AD P2 and as mentioned, included in Microsoft 365 E5. Best practice is to ensure you have an ‘emergency break-glass’ administration account tucked away as a backup before you start restricting existing administrators with PIM. Once you have both the license and a ‘get out of jail’ account you are ready to use PIM.

A good example to help you understand the benefits of PIM is to illustrate how I use it myself in my own production environment. The account that I use for my day to day work used to be a global administrator but best practices dictates that it really shouldn’t be. However, given the number of browser sessions I have open already I didn’t want to add yet another one to be checking administrative tenant level ‘stuff’. PIM to rescue! With PIM, my account can stay as a member account by default and I can escalate it to be a global administrator as needed.

image

One of the things I like to check is Microsoft Cloud App Security for my tenant. As you can see above, by default, I now have no privileges.

To elevate my privileges I follow this process:

Activate my Azure resource roles in Privileged Identity Management

 image

This means that I login to the Azure Portal and then navigate to Azure AD roles in PIM as shown above. Here I can see that I can activate the Global administrator role by selecting the Activate link as shown.

image

When I do this a dialog box appears and my credentials are verified. You can enable the requirement to again prompt for MFA during this validation process if you wish. That means, even if I am already logged in successfully, I need to complete an MFA challenge again to proceed.

I can now select the time required to complete my work up to a pre-defined Duration limit. Here I’m going to select the full 8 hours for a full work day at my desk. I also need to provide a Reason for elevation. This information will be recorded and held with the auditing information. This means I can track when and why I elevated.

When complete, I press the Activate button at the bottom of the page to continue.

image

The activation request is then processed according to pre-define rules. In my case, I have elected to have automatic approvals but you can refer approvals to a third party if you wish for greater protection.

image

In about 30 seconds my activation is complete and if I now look in the Active roles area of the console I see that I am indeed a global administrator.

image

If I now refresh my Microsoft Cloud App Security page, you see that I can get access as a normal administrator. This is also the same with all the other administrator areas in the tenant thanks to undergoing the elevation to a Global Administrator thanks to PIM.

The good thing is now I can work using my normal account, check and monitor what I need to without using a different account. I can also rest easy that after the 8 hour time limit my account will again be de-activated back to being a member user. Thus, at the end of the day, I simply shut down and the account will automatically be de-activated for me without me needing to remember to do it. I can of course, manually de-activate the account at any time if I wish, say if I needed to go out somewhere. It is also easy enough for me to re-activate again if I need to do any additional work.

image

What I also like is the audit logging as shown above. Having it all in one place in the PIM console makes it easy for me to verify what has been happening with the process over time.

So in summary, I am using PIM to elevate my normal work account to an escalated level as needed during the day. This means that I don’t have to maintain standing administrator access for the account but I still have the convenience of using it to perform administrator roles as needed.

To set this up for yourself, you’ll need M365 E5 or Azure AD P2 as well as a ‘break-glass’ account. Then you’ll need to configure the roles you wish to escalate to via:

Configure Azure resource role settings in PIM

You can get quite granular here if you wish, but my advice is that you keep it simple to start with and go from there. For me, I just wanted the simple process of becoming a ‘normal’ global administrator.

You can have multiple roles, with different access for different users if you wish. In my case, I’m just focusing on the role of the tenant administrator. As I said, you can also have approvals sent to a third party or parties if you want for an extra level of protection if desired. There lots of settings you can customise with PIM.

Using PIM now gives me extra level of protection when it comes to administration rights. It means my production user isn’t a global administrator by default. I can however, use that same account as a global administrator, by going through a simple automated escalation process that requires MFA for greater security. Additional benefits include that I get great auditing and tracking, I can manually de-activate those rights at any point and those rights will also be automatically de-activated for me after a specified time limit and I also get alerting.

If you want to make your Microsoft 365 environment, especially you administrator logins, more secure then I suggest you take a look at PIM. Even for a small environment like mine, it is great value.

Create a Bing Custom Search

I detailed in a previous article how I had created a custom search:

A dedicated Microsoft Cloud Search Engine

The benefits were that I could target it to a specific set of URL’s to search through when producing a result. It also eliminated many of the commercial elements you see in common search engines. This makes it much cleaner and faster.

The good news is that you too can easily go and create your own custom search. Before you do so however, you will need to have an Azure subscription as there are generally costs that are incurred depending on the functionality you desire. the Custom Search capability is found under Cognitive Services in Azure. However, the easiest way to start creating your own custom search is to visit:

https://www.customsearch.ai/

and sign in with your tenant credentials.

image

You’ll come to the above screen first. Simply select I agree and then the Agree button below to continue.

image

You can go through he Welcome messages if you wish.

image

Next, select the Create new instance button at the bottom of the page.

image

Give your instance a name (here Demo) and select Ok.

image

You’ll then end up on the above page where you can input the URLs you wish to have be part of your custom search.

image

Just keep adding the URL’s you desire. As you do you’ll notice a yellow banner appear at the top of the page as shown above. This is a reminder that you need to Publish your results for them to be visible to others.

image

When you do elect to publish you will see the above dialog. Press the Publish button to continue.

image

You should begreeted with a successful result, as shown above. You can return and keep editing the environment or you can select the Go to production environment option.

image

In the production environment, if you now select the Host UI menu option on the left, the windows on the right will show you a dialog box towards the button as shown above. Copy this URL.

image

If you Paste this URL into a new browser window, you should see your custom search engine as shown above.

Pretty easy to get going right?

image

If you navigate to the Azure portal and search for Cognitive services you should see your new Bing CustomSearch as shown above, along with any other services that utilise Cognitive Services (here a Q and A bot).

You can go in here and customise different aspects of your Custom Search, which I’ll cover off in up coming articles. However, hopefully, you see how easy it is to get started creating a Custom Search in Azure. Remember, you can always test out what I have created using this here:

https://bit.ly/ciasearch