Posts

Microsoft Purview Endpoint DLP for MacOS

Get onboarded

The first step is to get the macOS device enrolled in Intune for easy management. To do so, follow this guide: https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp

The guide is a little out of date, but the principles work all the same.

Now to get the device onboarded into Microsoft Purview: https://learn.microsoft.com/en-us/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide

As you will have seen in the article above, onboarding uses the same mechanism as onboarding macOS to MDE. Once the configuration profiles are installed, as seen in Intune > Devices > macOS > macOS devices > click the device name > Device configuration, they should have a nice green tick next to the word “Succeeded” under the “State” header. I had a bit of a brain spasm with the naming; I would use Microsoft’s naming suggestion as seen in their guide.

Create the DLP policy

To configure the DLP
Recent posts

Session control policies in Microsoft Defender for Cloud Apps - block copy, cut, and paste in web apps

In this article, I attempt to outline the process for creating session control policies using Conditional Access (CA) and Microsoft Defender for Cloud Apps, or MDA for short. When I first set this up, I was unaware of the need to have a user sign in between setting up the CA policy and setting up the policy in MDCA, which then allows session control policies to be applied. I will guide you through this, the policy setup and testing.

An overview of the setup process looks like this:
1. Set up the CA policy
2. Have a user log in
3. Apply the MDA access policy and add your conditions
4. Test it

1. Set up the CA policy

Pre-requisites:
a. The app should be available as an "Enterprise App" in Azure AD. Secondly, the app should support and be configured for SAML SSO.
b. Azure AD P1 licenses are required. My understanding was always that MDA required Microsoft 365 E5 or equivalent licenses for applying policies, but Microsoft states in the following article that Azure AD P1 license

Privileged Identity Management in Azure AD

What is it?

Privileged Identity Management, or PIM, is a service that provides just-in-time access to privileged roles in Azure and Azure AD. It does this with an approval process, which can be manual or automatic. This article will concentrate solely on the Azure AD setup and management of PIM.

What is required?

An Azure P2 license. This can be purchased as a standalone license or as part of the EMS E5 license suite. A Global Administrator account will have access to administer PIM by default, but an account can also be added to the Privileged Identity Administrator role for this purpose. A good understanding of the process, which accounts will be managed this way, and why, is important. It is also necessary to identify who will be responsible for approving, renewing, and reviewing privileged accounts in Azure Active Directory.

Where do I find PIM?

PIM can be found by logging into https://portal.azure.com, searching for PIM and clicking on "Azure AD Privileged Iden