Using authentication strengths in Conditional Access policies

This week is all about a nice feature of Conditional Access. Not a particular new feature, but an important feature for a solid passwordless implementation. That feature is authentication strengths. Authentication strengths is a Conditional Access control that enables IT administrators to specify which combination of authentication methods should be used to access the assigned cloud apps. Before authentication strengths, it was not possible to differentiate between the different authentication methods that can be used as a second factor. Now with authentication strengths, it enables organizations to differentiate the available authentication methods between apps, or to simply prevent the usage of less secure MFA combinations (like password + SMS). With that, it opens a whole new world of potential scenarios that can be easily addressed. …

Read more

Using Conditional Access for Remote Help

This week is a short post about a small nice addition to Remote Help. That small nice addition, however, can be an important piece towards the solid zero trust implementation within the organization. That addition is the ability to use Conditional Access specifically for Remote Help. That doesn’t mean, however, that Conditional Access was not applicable towards Remote Help before. When assigning a Conditional Access to all cloud apps that would (and will always) also include Remote Help. The main change is that it’s now possible to create a service principal for the Remote Assistance Service that can be used as a cloud app in the assignment of a Conditional Access policy. That enables organizations to create a custom Conditional Access policy specifically for Remote …

Read more

Resetting the managed local administrator password when using Windows LAPS

This week is a quick follow-up on the post of last week. Last week was all about getting started with Windows Local Administrator Password Solution (Windows LAPS), while this week is more specifically focussed on rotating the managed local administrator password. There are multiple methods for rotating – and with that, resetting – that managed local administrator password. In the end, that all comes down to the same, or similar, technology that’s used to achieve that goal. Besides that, it’s also good to know what doesn’t work when the password of the local administrator account is managed. This post will show just that, followed with the different methods for rotating the managed local administrator account. Manually resetting the password via Computer Management Before using Windows …

Read more

Getting started with Windows Local Administrator Password Solution

This week is all about another nice feature that was recently introduced in Windows, Microsoft Intune, and Azure AD. That feature is Windows Local Administrator Password Solution (Windows LAPS). Windows LAPS is basically the evolution of the already existing LAPS solution for domain joined Windows devices. Big difference, however, is that Windows LAPS is now a built-in solution in Windows that can be configured via Microsoft Intune and that can use Azure AD as a storage location for the local administrator password. Windows LAPS can be used to manage the password of a single local administrator account on the device. The most obvious account for that would be the built-in local administrator account, as that account can’t be deleted and has full permissions on the …

Read more

Excluding Azure file shares from Conditional Access policies requiring MFA

This week is another short follow-up on the last couple of weeks. While the last couple of weeks were all about configuring the authentication on Azure file shares and on mapping Azure file shares, this week is all about the exclusion for multi-factor authentication (MFA). During the initial post, about using Azure AD Kerberos authentication for Azure file shares, it was mentioned that Azure AD Kerberos doesn’t support using MFA for accessing Azure file shares. The steps to prevent that, just weren’t described. And based on comments and feedback, it’s good to still walk through the steps for configuring that exclusion. This post will briefly discus the challenge, followed with the steps to create the exclusion for Azure file shares. This post will end with the …

Read more

Easily managing Universal Print printers on Windows 11 devices

This week is al about Microsoft Universal Print. Not, however, about the concept, the connectors, the printers, or the printer shares. Just about the configuration, via Microsoft Intune, on Windows devices. And in particular, at this moment, Windows 11 devices. Windows 11 devices now contain the UniversalPrint CSP that can be used to easily configure Universal Print printers on Windows devices. That replaces the existing Universal Print printer provisioning tool and provides a direct configuration (and integration) option with Microsoft Intune. Based on the provided configurations it retrieves the required printer information from the Universal Print service and installs the printer on the Windows device. This post will go through the available settings in the UniversalPrint CSP and the configuration via Microsoft Intune. Important [Updated: 16-08-22]: Eventually …

Read more

Allowing users to opt-in for Windows Insider Preview Builds

This week is all about providing users with a method to deliberately opt-in for running Windows Insider Preview Builds. That option to opt-in is created by using an access package. That makes this post basically a combination between an earlier post about allowing users to opt-in for Windows 11 and an earlier post about managing Windows Insider Preview Builds. By default, many organizations prevent users from simply enabling and using Windows Insider Preview Builds. Often the main reason is to prevent unpredicted and unwanted issues from happening on the devices of users. Using an access package makes sure that the user consciously chooses to use Windows Insider Preview Builds, possibly in combination with the approval of a manager and in combination with sharing information in …

Read more

Managing Windows Insider Preview Builds within the organization

This week is al around managing Windows Insider Preview Builds. Even though it’s not a new subject, it’s good to at least get a refresher. Especially when mentioning the Windows Insider Preview for Business program, as it’s often still unknown. The fun part, however, is that it’s actually pretty simple to get started. For organizations, the Windows Insider Preview for Business program enables them not having to register each device or user in the program and to easily set important policies around preview builds. The only requirement is to register an Azure AD tenant, so it can be used for authentication.This post walks through that requirement and more, as prequisites for configuring Windows Insider Preview Builds within the organization, followed with the steps for creating …

Read more

Allowing users to opt-in for Windows 11 by using access packages

This week is all about providing users with an easy method to opt-in for using Windows 11. That easy method can be created by using standard functionality that is provided by Azure AD entitlement management – an identity governance feature – and that can be used to automate access request workflows, access assignments, reviews, and expiration. More specifically, entitlement management introduces the concept of an access package and those packages provide an easy method to govern access. In a way, an access package can be used to create a simple automated flow to allow users to opt-in for Windows 11. That can be achieved adding the user to an Azure AD group and using that group for the assignment of a feature update deployment. This …

Read more

Getting new users quickly up-and-running with Temporary Access Pass

This week is a little follow-up on a post of a couple of months ago and about connecting pieces of the puzzle. That post was around Temporary Access Pass (TAP). Even though that post was focused on Windows devices, it did provide some hints for using TAP on mobile devices (Android, iOS) also. An often seen and heard challenge is related to getting new user up-and-running. Especially when requiring Multi-Factor Authentication (MFA) for device enrollment, or when trying to work completely passwordless. Those scenarios introduce chicken-and-egg situations as a device must be registered for usage with MFA and the registration requires MFA, or when trying to work passwordless and an authentication method must be registered to be able to work passwordless. So, to get a …

Read more