Introduction

This post is a collaboration with Indefent where you will see the first 5 tips around Microsoft Entra and Intune in my post and the others in his blog post:

http://www.indefent.com/top-10-entra-intune-security-tips/

Let's jump right into it:

1: Intune compliance default setting

First off: assuming your Intune devices have no compliance policy assigned, how would you expect them to show up in the portal? Not compliant, right? Well, Microsoft sees this differently.

To verify/change this behavior go to the Intune compliance settings:

Read more:

Intune compliance intro

2: Entra Authentication Methods

There are still a lot of tenants out there who rely on weak multi-factor authentication methods. Keep in mind, this is the hierarchy in terms of security:

You should configure your enabled Authentication Methods and ultimately force FIDO2 or Passkeys for robust identity security - read more in this dedicated blog post:

Entra Authentication Overview

3: Entra Authentication Strength

Multi-factor authentication is mandatory these days. However, as described before, there are weaker and stronger MFA methods. To enforce MFA with Conditional Access we all know this setting:

This setting requires any MFA method, without specific requirements. In Entra we have Authentication strengths to enforce specific methods, such as Phishing-resistant MFA or passwordless options. Microsoft offers these strengths built-in:

Use these strengths, instead of "Require multi-factor authentication" in your Conditional Access policies:

Read more:

Advanced Conditional Access

4: Entra Log Analytics + KQL

Many customers don't save their logs to an Azure Log Analytics Workspace. In my opinion this should be mandatory, because:

  • Default logs are only stored for 30 days
  • In case of a security incident you need more and better insights
  • The built-in filters and search are poor
  • With KQL and Azure Workbooks you can build custom reports, as shown below:

Configure in Entra Health & Diagnostics and connect it to a Log Analytics Workspace:

⚠️ Keep in mind that for any Azure Log Analytics Workspace you should configure:
  • Data retention: defines how long logs are stored
  • Daily cap: defines how much data can be ingested per day (protects your budget)
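As an added example (not from the original post), once the Entra sign-in logs are flowing into the workspace, a KQL query like the following gives the kind of custom report that the portal filters cannot: which MFA methods your users actually satisfied in the last 30 days, which ties tip 2 and tip 4 together. It assumes the diagnostic setting exports the SigninLogs table and that the MfaDetail and AuthenticationRequirement columns are populated as the table exposes them today; the 30-day window only works if your data retention setting is at least that long.

```kql
// Added example: report successful interactive sign-ins by the MFA
// method that satisfied them. Sign-ins that show up as
// singleFactorAuthentication, or as MFA via SMS / voice, are the
// candidates for tightening with Authentication strengths (tip 3).
// Assumption: SigninLogs is exported to this workspace.
SigninLogs
| where TimeGenerated > ago(30d)          // needs >= 30d data retention
| where ResultType == 0                   // successful sign-ins only
| extend MfaMethod = tostring(MfaDetail.authMethod)
| extend MfaMethod = iif(isempty(MfaMethod), "(none)", MfaMethod)
| summarize
    SignIns = count(),
    Users   = dcount(UserPrincipalName),
    Apps    = dcount(AppDisplayName)
    by AuthenticationRequirement, MfaMethod
| order by SignIns desc
```

Pin this query to an Azure Workbook to get a recurring view, and add `| where MfaMethod has_any ("Text message", "Voice call")` (values as returned by the service; assumption) to list only the weak methods.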

Read more:

Logs & Monitoring in Entra ID

5: Intune Security Baselines

Many customers use Intune solely for device staging and configuration management. However, security should be top of mind: a modern endpoint security architecture should incorporate the following technologies:

Security baselines provide orientation around established security frameworks that you can follow. Deep dive into my dedicated post:

Dive into Microsoft Security Baselines

powered by Oceanleaf
