2. Security Microsoft Defender for Endpoint Roles and Device Group Access

In this article of the Defender series, I would like to discuss MDE RBAC and how it reflects the least-privilege principle.

This will cover Roles for MDE and Device Group Access.

As you may know, the least-privileged access principle applies to MDE just as it does to any other M365/Azure resource.

Defining the roles and who has access is essential before you roll out the product. Not everyone needs the highest privileges; other IT teams may only need to view data and reports.

You must be a Global Administrator or a Security Administrator to access the MDE portion of the portal.

However, those two admin roles can turn on RBAC and create roles within MDE itself, since other teams may also need to access the portal.

How to enable Roles?

In the M365 Defender portal, go to Settings > Endpoints, then to Roles under Permissions.

You will see the screen below. Click on Roles.

Once Roles are activated, you can add them as shown below.

You can leave the Administrator role as it is and start adding roles from the Add item option, as below.

Hover over the features to see what each one covers.

Once you have selected the options, go to the next tab, Assigned user groups.

Select the group, click Add, and press Save.

Setup Device Group Access

Device group access defines which user groups can access the device groups defined in MDE.

Device groups will be discussed in more detail later, but I will touch on them here.

In Endpoints, go to Device Groups under Permissions.

Click a device group and go to the User access tab, where you can define which user groups have access to manage the devices.

The user groups that appear in the User access list are the groups that were assigned to roles under Roles.

This goes hand in hand with the role assignment: a user group needs access to the devices in order to investigate issues on them.

In the screenshot below, you will see the same user group we added earlier, now available to be granted access to this device group.

At this stage you have defined the RBAC roles and granted device group permissions, and you can safely advise the teams to start using them.

1. Introduction to Microsoft Defender for Endpoint

To make things simpler I will be calling this MDE. Of course, that is the industry-level acronym for Defender for Endpoint. In an age where security is the very soul of the tech industry, and basically any industry, Microsoft Defender is the champion as it’s built with the latest and greatest.

MDE is not just an antivirus product; it has all the bells and whistles of a full EDR (Endpoint Detection and Response) solution.

Manage Continuous Access Evaluation behaviour via Conditional Access Policies

When I first had a play with CAE, I wrote about the importance of this setting and how to enable it in your environment. Please check the previous article below.

Microsoft Endpoint Manager Shared Multi-User Device Profiles

In this article, I’m planning on uncovering a configuration profile in MEM known as Shared Multi-User Device Profiles.

These profiles can be applied to devices in the fleet that are used by many users periodically, do not need to retain data on disk, and need device restrictions on usage.

You can set up the login account in Guest mode and have the option to enable the “Guest” account on the local computer.

Azure AD Break Glass Account: What to consider when creating one and how to monitor sign ins

With the growing threats around the world every day, bad actors are targeting the Microsoft 365 ecosystem like never before. Attacks take place every day, and if and when attackers have breached in, their end goal is to go for the “keys to the kingdom”. Usually it’s just the end of the story when they get them: the bad actors can basically do whatever they want and harm the company’s M365-related activities, or ask for a ransom to release the accounts. Either way it’s not good for the organization, and admins should have a proper and quick way to recover the accounts ASAP.

Azure AD Hidden Gems. Azure AD Temporary Access Pass

Temporary Access Pass, or TAP, is a cool Azure AD feature which is still in Preview, but I see huge wins if Microsoft puts it into general availability so that IT admins can provide uninterrupted security over user accounts.

In real life, users may forget to bring their mobile phone to the office, or the battery may be dead, so they can’t get into the Authenticator app to complete the MFA challenge.

When a user is unable to complete a strong authentication step such as FIDO2 or multi-factor authentication, a Temporary Access Pass can be deployed to save the day.

This way, if the user cannot complete strong authentication, IT doesn’t need to exclude them from the MFA Conditional Access Policy, for example. Users have the option of entering a re-usable or one-time TAP to get in.

My blog is now among the top 100 Azure blogs

My blog https://shehanperera.com was selected to be among the top 100 Azure blogs. This is a great honor and a motivational boost to keep doing what I’m doing and share my knowledge about the technology.

I would like to thank FeedSpot for the consideration.

Please check https://blog.feedspot.com/microsoft_azure_blogs/ for the listed blogs.

Thank you and Keep Learning!

Another Reason Why The AVD Session Hosts Are Failing To Load FSLogix User Profiles

Azure Files plays a big role in Azure Virtual Desktop deployments, and for FSLogix to work as intended, the storage account needs to be joined to the domain. This can be done either by extending the on-premises domain to Azure by setting up a domain controller in the respective region, or by setting up the Azure AD Domain Services feature.

In my case, I set up a Windows Server 2019 domain controller in the same region in which I set up the Azure Virtual Desktop environment.

FIX: Windows 2019 CIS Benchmark Image Stopping the Azure VM Becoming the NTP Server After Transferring the PDC Emulator

In a Windows domain environment, time always works in a hierarchical manner. The server that holds the PDC emulator role acts as the NTP server; the other DCs sync time from it, and the member machines sync time from those domain controllers.

At times you have to move the FSMO roles to a different DC, and quite often that server is a VM sitting in Azure.

In most cases the VMs spun up in the Azure environment must adhere to security policies, and a well-known benchmarking framework is the CIS (Center for Internet Security) Benchmark images. These have the policies defined and vetted into the server images, and they are activated once the server is up and running.

How to Assign Admin Roles to Azure AD Groups with Access Reviews and Just in Time Access?

As of July 31 2021, this feature is Generally Available and was announced in the M365 Admin Center with message MC274516.

This approach is how you assign roles to Azure AD groups along with the Privileged Identity Management features Just in Time access and Access Reviews.

So I created My 1st Power Automate Flow To Send Personalized Reminders To Teams

First of all, I must say that I’m not a hardcore developer. If an expert sees this, I’m sure they will find many points that need improvement. You are welcome to comment and point out any issues or improvements.
I’m still a Power Platform novice and a citizen developer 🙂 And I’m sure there are many ways to achieve this as well.

This led to an interesting back story where I thought maybe a combination of Power Automate, SharePoint Lists, Teams and Outlook would help resolve a real-life matter.

How to analyze Conditional Access Policies with ‘Report Only’ Mode?

Conditional Access Policies can be set up in 3 main modes: On, Off, and Report Only.

On and Off modes are self-explanatory, whereas “Report Only” mode needs additional work. This post will go into detail on how to use Report Only mode before you actually switch a policy to On.