compliance
10 Topics

Conditional Access - Policy AND'ing - Registering Security Info
Hi All, I've been working away trying to solve an issue but haven't found a way around it just yet. The aim is to let users on BYOD use TAP on a non-compliant device to set up their security info, but then for all other actions to have MFA+Compliance enforced from desktops.

Three CA policies from the templates articles, with a tweak for passwordless:
- Secure Registration Policy (MFA+TAP Auth Strength)
- Device Compliance (MFA+TAP Auth Strength + Compliance)
- Intune Enrollment (MFA+TAP Auth Strength)

I'm noting a few outcomes here:

Device Compliance (AND grant control)
- User with a BYOD device and TAP can't enroll in MFA as the device isn't compliant; they can't workplace join the device either
- User on an enrolled device can use TAP to reset/create their MFA control

Device Compliance (OR grant control)
- User with a BYOD device and TAP can workplace join and register their security info without issues
- User with an enrolled device has no issues using TAP to reset/create their MFA control

This makes sense with the AND'ing of policies; however, for the registration method I'm wanting to let the user in on their BYOD device to register their security control; once done, they can workplace join with no issues to access resources. The sign-in logs always show the device compliance policy as hit; this is expected. The login shows a success for passwordless + TAP but fails the compliance strength, as expected. It doesn't look like it's the device enrolment side of things, purely the registration portal getting in the way wanting the compliant device. Does anyone else have similar requirements and have a way to do this without a manual exclusion group? Thanks!

Microsoft Unified Labeling
Migrated from AIP to Microsoft Unified Labeling and I want to create the following policy for emails: the default policy is Public, but IF it is an email to outside the organization AND it has an attachment, add the other classification label! Is there any solution or idea? Thanks!

Assigning Sensitivity Label via Unattended Script
I've come across an interesting problem recently. I have a requirement to set a group sensitivity label as part of an unattended automation script, which I'm using application permissions and Graph calls with.

Things I've tried:
- Setting the label via application permissions using Graph - this fails as the sensitivity label attribute is not available using app-only permissions
- Setting via delegated permissions using Graph - this fails as it turns out setting a label is not supported, only viewing
- Setting via Exchange Online PoSh V2 with certificate auth - this fails as you need to be logged in as a user with a mailbox
- Setting via Exchange Online PoSh V2 with delegated permission - not possible

I believe I might be missing something, any ideas? BTW I'm really trying to avoid allowing basic auth and storing credentials.

Getting an error while creating the AD account if the name of the lecturer has some special characters
I have a Dynamics CRM with some entries for lecturers. I did some Microsoft Flows to automate the process of creating the AD account and the Office 365 -> Moodle connections. However, of course I'm getting an error while creating the AD account if the name of the lecturer has some special characters.

Example: LastName: Reuter, Firstname: Lucien André

First problem: the space between Lucien and And... This was easy to take care of with a replace:

concat(replace(triggerBody()?['firstname'],' ','.'),'.',replace(triggerBody()?['lastname'],' ','.'),'@Domain')

But I can't find an easy solution for all the special characters like ´`^ and, since we have some Polish lecturers, all the different versions of Ł etc.
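The Flow expression above only handles spaces. As an added example (not from the post or from Microsoft), the following Python function does the full job of turning a display name into an ASCII account name: it strips stray accent marks typed as separate characters (´ ` ^ and apostrophes), decomposes accented letters with NFKD and drops the combining marks (André -> Andre), and keeps an explicit table for letters such as Ł that NFKD does not decompose. Names that still contain non-ASCII characters after folding are rejected rather than silently mangled, so that provisioning fails loudly instead of creating an unexpected account name. The lowercasing of the result and the domain name are this example's own choices; the Flow expression on the page keeps the original case.

```python
import re
import unicodedata

# Letters whose NFKD form is not "base letter + combining mark", so they
# survive normalisation unchanged and need an explicit mapping.
# Extend this table for the locales you provision (assumed set, not exhaustive).
NON_DECOMPOSABLE = {
    "Ł": "L", "ł": "l", "Ø": "O", "ø": "o", "Đ": "D", "đ": "d",
    "ß": "ss", "Æ": "AE", "æ": "ae", "Œ": "OE", "œ": "oe",
    "Þ": "Th", "þ": "th",
}

# Accent marks and apostrophes typed as stand-alone characters.
# Removed before folding, because U+00B4 (´) would otherwise NFKD-decompose
# into a space plus a combining accent and end up as a dot in the result.
STRAY_MARKS = re.compile(r"[´`^'’ʼ]")


def ascii_fold(text: str) -> str:
    """Return an ASCII-only version of text, or raise ValueError."""
    text = STRAY_MARKS.sub("", text)
    text = "".join(NON_DECOMPOSABLE.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    try:
        folded.encode("ascii")
    except UnicodeEncodeError as exc:
        # Better to stop provisioning than to create a name nobody expects.
        raise ValueError(f"cannot fold {text!r} to ASCII") from exc
    return folded


def is_foldable(text: str) -> bool:
    """True if ascii_fold() would accept the text."""
    try:
        ascii_fold(text)
        return True
    except ValueError:
        return False


def account_name(first: str, last: str, domain: str) -> str:
    """Build firstname.lastname@domain from possibly accented names.

    Runs of anything that is not a letter or digit (spaces, hyphens, the
    former position of a removed accent) collapse to a single dot.
    """
    parts = []
    for name in (first, last):
        folded = ascii_fold(name)
        folded = re.sub(r"[^A-Za-z0-9]+", ".", folded).strip(".")
        if not folded:
            raise ValueError(f"name {name!r} has no usable characters")
        parts.append(folded.lower())
    return f"{'.'.join(parts)}@{domain}"


if __name__ == "__main__":
    # Constructed sample names, including the post's example and a Polish one.
    for first, last in [("Lucien André", "Reuter"), ("Łukasz", "Żółć"), ("Jean-Luc", "D'Arcy")]:
        print(account_name(first, last, "domain.example"))
```

Collision handling (two lecturers folding to the same name) is deliberately left to the caller, since it needs a directory lookup; the function only guarantees the name it returns is ASCII and built from the input deterministically.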
Get a real report of users with MFA enabled.

Hello folks 🙂 I have a problem. We are in the process of enabling MFA in our organization (more than 250 users) and now we are finishing this project. The problem now is that we don't have a real view of the current status, because in the Azure portal (Multi-factor authentication (windowsazure.com)), for users who set this up through MyAccount.Microsoft.com > Security Info > Update Info, the portal continues to show that MFA is not enabled yet, even though it works; even though users are required to configure it to access certain account settings. Is there any other way to get the actual status of who has MFA enabled?
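The per-user MFA page in the legacy portal only reflects the old per-user "Enabled/Enforced" state, not whether a user has actually registered a strong method in Security Info. As an added example (not from the post or from Microsoft), the code below summarises registration state from records shaped like the Microsoft Graph userRegistrationDetails report (the `value` array returned by `GET https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails`). The records here are constructed sample data so the block runs offline; the field names `userPrincipalName`, `isMfaRegistered`, `isMfaCapable` and `methodsRegistered`, and the method identifiers, are assumed to match that report. Beyond the post's question, it also flags users whose only MFA methods are phone-based (SMS/voice), which a practitioner usually wants to see in the same report.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Methods that serve SSPR only and do not satisfy an MFA challenge (assumed set).
SSPR_ONLY = {"email", "securityQuestion"}
# Methods delivered over the phone network; weaker than authenticator/FIDO2.
PHONE_BASED = {"mobilePhone", "alternateMobilePhone", "officePhone"}

# Constructed sample records in the shape of the Graph report (not real users).
SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "isMfaCapable": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": False,
     "isMfaCapable": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": True,
     "isMfaCapable": False, "methodsRegistered": ["fido2SecurityKey"]},
]


@dataclass
class MfaStatus:
    upn: str
    registered: bool     # has registered at least one strong method
    capable: bool        # registered and allowed to use it by policy
    methods: Tuple[str, ...]
    phone_only: bool     # every MFA-grade method is SMS/voice


def classify(record: dict) -> MfaStatus:
    """Derive a per-user status from one report record."""
    methods = tuple(record.get("methodsRegistered", []))
    mfa_grade = [m for m in methods if m not in SSPR_ONLY]
    phone_only = bool(mfa_grade) and all(m in PHONE_BASED for m in mfa_grade)
    return MfaStatus(
        upn=record["userPrincipalName"],
        registered=bool(record.get("isMfaRegistered")),
        capable=bool(record.get("isMfaCapable")),
        methods=methods,
        phone_only=phone_only,
    )


def summarize(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Bucket users by MFA state; each bucket is a sorted list of UPNs."""
    buckets: Dict[str, List[str]] = {
        "capable": [],                 # what "MFA enabled" should mean today
        "registered_not_capable": [],  # method registered, blocked by policy
        "not_registered": [],          # still needs to visit Security Info
        "phone_only": [],              # capable, but only via SMS/voice
    }
    for record in records:
        status = classify(record)
        if status.capable:
            buckets["capable"].append(status.upn)
            if status.phone_only:
                buckets["phone_only"].append(status.upn)
        elif status.registered:
            buckets["registered_not_capable"].append(status.upn)
        else:
            buckets["not_registered"].append(status.upn)
    return {name: sorted(upns) for name, upns in buckets.items()}


if __name__ == "__main__":
    for bucket, upns in summarize(SAMPLE_RECORDS).items():
        print(f"{bucket}: {len(upns)} -> {', '.join(upns) or '-'}")
```

To run it against a real tenant, replace SAMPLE_RECORDS with the paged `value` entries from the Graph report (the call needs reporting permissions granted to the app or the signed-in admin); the bucket logic does not change.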
Office 365 Mobile device management authentication

Hello, following scenario: users have Office 365 E1 and Azure AD P1 licenses. We have configured Office 365 "MDM", not the Intune MDM, only O365 MDM. We want only trusted mobile devices (iOS and Android) to be able to access O365 data. For trusted devices, which are compliant, the user should not be asked for credentials every XX days. Is it possible to configure this without MS Intune? At the moment the user is asked every 14 days for credentials. Can we use Azure AD Conditional Access with O365 MDM? Regards, Marc

MCAS Deployment Webinar Series
Want to learn how to deploy Microsoft Cloud App Security (MCAS)? Our webinar series will walk you through it: https://aka.ms/MCASWebinar

The series will be hosted by our engineering team on Tuesdays (3:00 PM ET / 12:00 PM PT) and Thursdays (10:00 AM GMT) between March 12th and April 18th. The topics covered in this series are:
1) Use Microsoft Cloud App Security to protect your sensitive information anywhere in the cloud.
2) Leverage state of the art threat detection capabilities to quickly detect and remediate threats across your cloud apps.
3) Monitor and control user actions across your cloud apps in real-time using Conditional Access App Control.
4) Discover the use of Shadow IT in your organization, evaluate the risks and start managing them.
5) Stay protected across all your apps, by connecting 3rd party applications.
6) Simplify your SecOps' life by automating security workflows with Cloud App Security and Microsoft Flow.

We hope you'll join us!

Conditional policies in Azure AD vs. Intune
We are planning to deploy ODB for about 10000 users. The main issue right now is controlling the access and dealing with compliance. There are a few things that I need some clarification on. The end goal here is to have MFA prompts for internal/external users who try to access SPO/ODB from outside of trusted networks, regardless of the devices being managed/unmanaged.

First: we already have MFA set up over here with DUO Mobile Security; can the same MFA be used for O365 when users access resources outside of the trusted network?

Secondly: for device management (MDM) there is AirWatch in place already that has all the managed devices registered. We are intending to use Azure Conditional Access control for this scenario, but the documentation says that the MDM used for this is Intune. My question is, can the current MDM AirWatch be used to feed information to Azure AD policies about a device being compliant or not? This is what we intend to apply to control access from unmanaged devices that are not on the network.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference

Issue with activating Azure Rights Management in hybrid environment
Hello, we have a client for whom we have the ARM templates working in Exchange Online, but they continue to get errors with their local Outlook clients trying to access them. In a hybrid environment, what else is needed to get the local versions of Outlook to work? They are using Outlook 2016 and have an E3 subscription. Thanks, James

Preview of Azure AD Conditional Access Policies for devices, users and applications
The folks at the Microsoft identity division have just released the preview of Azure AD Conditional Access Policies for devices, users and applications in protecting the resource - this includes Office 365! More details on this new feature in the link below.

https://techchirag.com/2016/08/10/preview-of-azuread-conditional-access-policies-for-devices-users-and-applications-office365/