In my lab, I defined a Conditional Access policy (CAP) that only allows MFA registration (the "Register security information" user action) from one of my trusted locations, which I've also defined as named locations in AAD and marked as trusted.
In this case, the "Locations" condition in the CA policy works like a 'whitelist': the policy includes "Any location" and excludes "All trusted locations," and its grant control is "Block access." The net effect is that security-info registration is blocked from everywhere except inside the trusted locations.
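Here is the same policy expressed through Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission; the policy name, the report-only starting state and the break-glass account exclusion are my choices, and the object ID is a placeholder.

```powershell
# Added example: create a CA policy that blocks the "Register security information" user action
# everywhere except from trusted named locations. The display name, report-only state and the
# break-glass exclusion are this example's choices, not settings from the original post.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block MFA registration outside trusted locations"
    # Start in report-only, review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: always exclude an emergency-access (break-glass) account from block policies.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{
            includeLocations = @("All")          # "Any location" in the portal
            excludeLocations = @("AllTrusted")   # "All trusted locations" in the portal
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The include/exclude pair is what makes this a whitelist: "All" plus "AllTrusted" excluded means the block applies only to registrations from non-trusted networks. Check the policy's report-only results before enforcing it so that remote new hires are not locked out of registering MFA at all.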
Intune - Administrative Templates
This one has also been a frequent customer request: "For decades, we've defined our policy settings for Windows via GPOs. Why can't we easily mirror those GPO settings for deployment to Windows via Intune?"
Intune Configuration Profiles now include "Administrative Templates" support, and there is a spot in the UI where those settings are all listed, searchable and sortable. Of course, as new ADMX files are released, Intune will reflect those updates, too.
BONUS - the Office ADMX settings are in there, too!
Azure Information Protection - Log Analytics and Centralized Client Logging
If you've been a reader of my previous posts, you know that I bring up auditing from time to time, and I consider end-to-end auditing a prerequisite for any enterprise solution. I want to be able to answer: "Who, what, where, when and why." Answering 'why' can be difficult because 'intent' is usually in a person's brain and not captured in an audit log. However, as you'll see, with AIP logging we can sometimes answer 'why' as well.
In older versions of the AIP client, client activities were only logged in the local Event Log on the specific PC. To 'centralize' end-user AIP activities, one needed to set up Event Log Forwarding from all the target PCs. Don't get me wrong, Event Log Forwarding is a helpful feature, but it's certainly not 'cloud-first, mobile-first.'
The AIP Product Group is not a team who sits on their heels (except Moser), so, they developed the AIP Log Analytics capability to improve on things.
All of the Product Groups do a heck of a job bringing out updates and new, progressive features to these cloud services each month - and they keenly listen to your Uservoice feedback to prioritize improvements and features - so keep on providing that feedback!
Starting with AIP client v22.214.171.124, activities are logged in the local system's Event Log AND that log data can also be sent up to an Azure Log Analytics workspace you create in your Azure subscription. Once the data is there, we provide some nice UIs and filters so you can visualize your data and glean immediate insights (the raw data is also accessible from there, if you want to 'roll your own' queries).
NOTE – If you're wondering about the latency from endpoint to cloud, it's brief: less than a minute to a few minutes, versus hours or once per day. Take a look at the portal log entry timestamp below and the corresponding event log entry. It's quick.
Below is a drill-down for the "Downgrade label" Activity entry shown above (top-most in the logs):
A sensitive Excel file had been labeled and encrypted ("Credit Card" was the previous label, and it had protection applied).
The user manually 'downgraded' the file's label to "Public," which doesn't have protection.
In my policy settings, a user who downgrades or removes a label is required to justify the change, which answers 'why?' to some degree.
End-user UI prompt:
AIP Activity Logs Portal UI:
NOTE – Here’s the corresponding local PC event log entry:
Drill-down details for files from one of the “Locations” above (a user’s OneDrive for Business site):
NOTE – The red boxes highlight another label downgrade action, so again the user is required to justify the change, and the 'why' is logged.
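For readers who want to 'roll their own' query against the workspace rather than use the portal UI, here is an added example (not code from the original post) that pulls recent label downgrades, removals and protection removals together with their justification text, and flags the rows with no justification at all. It assumes the Az.OperationalInsights module and a placeholder workspace ID. InformationProtectionLogs_CL is the table the AIP client writes to; the column names used here (Activity_s, LabelName_s, LabelNameBefore_s, Justification_s, UserId_s, ObjectId_s) are assumptions and should be checked against the workspace's schema blade before you rely on them.

```powershell
# Added example: query the AIP Log Analytics workspace for label downgrades and their 'why'.
# The workspace ID is a placeholder; the column names are assumptions to verify in your tenant.
Connect-AzAccount
$workspaceId = "<log-analytics-workspace-id>"

# KQL: last 7 days of activities that lower or strip protection, newest first.
$kql = @"
InformationProtectionLogs_CL
| where TimeGenerated > ago(7d)
| where Activity_s in ("DowngradeLabel", "RemoveLabel", "RemoveProtection")
| project TimeGenerated, UserId_s, Activity_s, LabelNameBefore_s, LabelName_s, Justification_s, ObjectId_s
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql

# Who / what / where / when come back in the projected columns; the justification is the 'why'.
$result.Results | Format-Table TimeGenerated, UserId_s, Activity_s, LabelNameBefore_s, LabelName_s, Justification_s -AutoSize

# Rows with an empty justification deserve a second look: the policy requires one for downgrades,
# so a blank value means the action was taken outside the scope of that policy setting.
$unjustified = $result.Results | Where-Object { [string]::IsNullOrWhiteSpace($_.Justification_s) }
$unjustified | Format-Table TimeGenerated, UserId_s, Activity_s, LabelNameBefore_s, ObjectId_s -AutoSize
```

The same KQL can be pasted straight into the workspace's Logs blade; wrapping it in PowerShell just makes it easy to schedule and to feed the unjustified rows into whatever ticketing or alerting you already run.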
If you like this stuff (and I know you do, or you wouldn't be reading this), there are TONS more capabilities like these in the "value meal" that is the EMS suite, which is in turn rolled up into the bigger "value meal" of Microsoft 365.
As I mentioned at the beginning of this post, many organizations already own some, most or all of these capabilities. If you aren't sure how to deploy them, or even how to get started, you're not alone, and we can help!
If you could use some assistance, reach out. Microsoft offers many avenues, from self-help such as our deployment docs/guidance (AAD, Intune, AIP), to collaboration with our FastTrack program, Premier Services (hit up your Technical Account Manager), as well as Microsoft Partners.