Mastering Microsoft Intune - Second Edition

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781835468517
Pages: 822 pages
Edition: 2nd Edition
Authors (2): Christiaan Brinkhoff, Per Larsen

Table of Contents (25 chapters)

Preface
1. Understanding the Basics
2. Introduction to Microsoft 365
3. Cloud-Native Endpoints
4. Requirements for Microsoft Intune
5. Windows 365
6. What Is Windows 365?
7. Deploying Windows 365
8. Mastering Microsoft Intune
9. Windows Deployment and Management
10. Windows Autopilot
11. Application Management and Delivery
12. Understanding Policy Management
13. Advanced Policy Management
14. Intune Suite
15. Copilot/AI
16. Identity and Security Management
17. Monitoring and Endpoint Analytics
18. Universal Print
19. Troubleshooting and Community
20. Troubleshooting Microsoft Intune
21. Troubleshooting Windows 365
22. Community Help
23. Other Books You May Enjoy
24. Index

Identity and Security Management

In this chapter, you will learn everything about Entra ID join and security. We will cover the history of Entra ID and the different security aspects that you can configure to secure your Windows 10 or Windows 11 Enterprise devices within your organization.

In this chapter, we’ll go through the following topics:

  • Microsoft Identity
  • Entra ID
  • Users and groups
  • Entra ID join or Hybrid Entra ID – What’s the best option?
  • Conditional Access
  • BitLocker disk encryption
  • Personal Data Encryption
  • Self-service Password Reset
  • Entra ID password protection
  • Passwordless authentication
  • What is and isn’t supported in each passwordless scenario
  • Application Control for Business
  • Windows Local Administrator Password Solution
  • Microsoft Defender for Endpoint
  • Screen capture protection and watermarking

Microsoft Identity

Active Directory Domain Services (AD DS) has been on the market since the year 2000. As you might remember, it arrived with the first release of Windows 2000 Server.

It works like this: you join your Windows client or server devices to Active Directory (AD) so that AD takes over their management layer via group policies or security settings, or you use it to chain different AD environments to each other, delegating organizational permissions to resources that are stored in a different AD environment, that is, in a different forest.

Within the context of Microsoft Intune, Intune can manage Windows devices that are either Hybrid Entra joined or Entra ID joined. Devices that are joined to AD DS and also need to be represented in Entra ID are known as Hybrid Entra ID joined devices. Before your business is ready to work natively in Entra ID, Hybrid Entra ID join might be the best option to use as an interim solution.

Figure 13.1: Microsoft...

Entra ID

Previously known as Azure Active Directory (Azure AD), Microsoft Entra ID is a cloud-based directory and identity management service provided by Microsoft. It’s a multi-tenant service that amalgamates core directory services, application access management, and identity protection into one comprehensive solution.

Microsoft Entra ID offers several key features:

  • Secure adaptive access: This feature safeguards access to resources and data with robust authentication and adaptive access policies that are risk-based, without compromising the user experience.
  • Seamless user experiences: It offers a quick and easy sign-in experience across your multicloud environment, which not only keeps your users productive but also reduces the time spent managing passwords, thereby enhancing productivity.
  • Unified identity management: It allows you to manage all your identities and access to all your applications in one central location, irrespective of whether...

Conditional Access

Microsoft Entra Conditional Access is a powerful policy engine that plays a crucial role in enforcing security policies within organizations. Let’s break it down.

What is it?

  • Conditional Access is Microsoft’s Zero Trust policy engine.
  • It takes signals from various sources into account when making access decisions.
  • Essentially, it’s like a set of if-then statements:
    • If a user wants to access a resource (like Microsoft 365), then they must complete a specific action.
    • For example, if a user wants to access an application, they might need to perform multifactor authentication to gain access.

What are the common signals?

  • User or group membership: Policies can be targeted to specific users or groups, allowing fine-grained control over access.
  • IP location information: Organizations can define trusted IP address ranges for policy decisions.
  • Device attributes...

Cloud apps

Cloud apps are Entra ID Enterprise applications that represent the Microsoft cloud or third-party applications. This could be, for example, Windows 365, AVD, a Software as a Service (SaaS) application, or Office 365 services.

To enforce different Conditional Access settings per cloud app, you can create separate policies that apply only to a specific application, which lets you customize access for it. For example:

If you want to enable Azure MFA for Windows 365, you need to select Windows Cloud Login, Windows Virtual Desktop, and Windows Virtual Desktop Client.

Figure 13.20: Selecting cloud apps

Cloud apps are usually named after the service; otherwise, you have to select them according to the right app ID, such as 0af06dc6-e4b5-4f28-818e-e78e62d137a5.

Aside from filtering on cloud apps, you could also apply Conditional Access settings during actions, for example, the process of registering and joining devices to Microsoft Intune. You must then select user actions...

Grant

You can select the following options as Conditional Access grant settings, of which MFA is the most common one to use:

  • Require MFA: Users must complete additional security requirements such as a phone call or text.
  • Require device to be marked as compliant: The device must be Intune-compliant. If the device is non-compliant, the user will be prompted to bring the device under compliance.
  • Require Hybrid Entra ID Joined device: Devices must be Hybrid Entra ID Joined to get access.
  • Require approved client app: Device must use these approved client applications.
  • Require app protection policy: The devices that you connect from must use policy-protected apps.

You can also select multiple controls and decide whether all of them or only one of them must be satisfied, which is useful for granting access when several endpoint scenarios apply:

  • Require all the selected controls
  • Require one of the selected controls

    When selecting...
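As an added illustration of the if-then evaluation described in this section (constructed example code, not the book's or Microsoft's policy engine), the following Python models policies that match on the signals listed above and then require grant controls with the "Require all" or "Require one of" semantics. The policies, users, group names and IP ranges are constructed; the cloud app names are the ones the chapter lists for Windows 365.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Grant controls from the chapter (identifiers are this example's own).
MFA, COMPLIANT, HYBRID = "mfa", "compliant_device", "hybrid_entra_joined"


@dataclass
class SignIn:
    """Signals for one sign-in attempt (constructed, simplified)."""
    user: str
    groups: set
    app: str                 # cloud app name (or app ID) being accessed
    ip: str
    device_compliant: bool = False
    device_hybrid_joined: bool = False
    completed: set = field(default_factory=set)   # controls done this sign-in


@dataclass
class Policy:
    """One if-then rule: IF the conditions match THEN require the controls."""
    name: str
    apps: set                                   # target cloud apps
    groups: set = field(default_factory=set)    # empty set = all users
    trusted_ranges: tuple = ()                  # excluded (trusted) IP ranges
    controls: tuple = ()                        # required grant controls
    require_all: bool = True                    # False = "Require one of"

    def applies(self, s: SignIn) -> bool:
        if s.app not in self.apps:
            return False
        if self.groups and not (self.groups & s.groups):
            return False
        addr = ip_address(s.ip)
        return not any(addr in ip_network(r) for r in self.trusted_ranges)

    def satisfied(self, s: SignIn) -> set:
        """Device-state controls come from device attributes; MFA must have
        been completed interactively during this sign-in."""
        state = {c for c, ok in ((COMPLIANT, s.device_compliant),
                                 (HYBRID, s.device_hybrid_joined)) if ok}
        return (state | s.completed) & set(self.controls)

    def grants(self, s: SignIn) -> bool:
        met = self.satisfied(s)
        return met == set(self.controls) if self.require_all else bool(met)


def evaluate(policies, s: SignIn):
    """Access is granted only if every applicable policy grants it."""
    blocking = [p.name for p in policies if p.applies(s) and not p.grants(s)]
    return ("blocked" if blocking else "granted"), blocking


# Constructed policies mirroring the chapter's examples.
W365_APPS = {"Windows Cloud Login", "Windows Virtual Desktop",
             "Windows Virtual Desktop Client"}
DEMO_POLICIES = [
    Policy("Require MFA for Windows 365", apps=W365_APPS, controls=(MFA,)),
    Policy("Managed device for Office 365", apps={"Office 365"},
           groups={"Finance"}, trusted_ranges=("203.0.113.0/24",),
           controls=(COMPLIANT, HYBRID), require_all=False),
]


def demo() -> dict:
    """Evaluate a few constructed sign-ins; returns {case: decision}."""
    fin = {"Finance"}
    cases = {
        "w365_no_mfa": SignIn("alice", fin, "Windows Cloud Login", "198.51.100.7"),
        "w365_with_mfa": SignIn("alice", fin, "Windows Cloud Login",
                                "198.51.100.7", completed={MFA}),
        "o365_unmanaged_offsite": SignIn("bob", fin, "Office 365", "198.51.100.7"),
        "o365_unmanaged_trusted_ip": SignIn("bob", fin, "Office 365", "203.0.113.10"),
        "o365_hybrid_joined": SignIn("bob", fin, "Office 365", "198.51.100.7",
                                     device_hybrid_joined=True),
        "o365_not_targeted_group": SignIn("carol", {"HR"}, "Office 365", "198.51.100.7"),
    }
    return {k: evaluate(DEMO_POLICIES, v)[0] for k, v in cases.items()}
```

Note that the model blocks when any applicable policy is unsatisfied, which matches how multiple Conditional Access policies combine in practice.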

Preventing users from carrying out Entra ID device registration

To block your users from adding additional work accounts to your corporate domain-joined, Entra ID joined, or Hybrid Entra ID Joined Windows devices, set the following registry value: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001.

This registry key can also be used to block domain-joined machines from inadvertently getting Entra ID registered with the same user account:

Figure 13.29: Use this account everywhere on your device

There is no central way to prevent a user from registering their BYOD device in Entra ID. If Entra ID automatic MDM enrollment is configured and the box for Allow my organization to manage my device is checked, the device will be enrolled into Microsoft Intune. Next, we will take a look at Self-service Password Reset (SSPR).

Self-service Password Reset

The SSPR feature allows businesses to give users the ability to reset their own passwords without any interaction with the service desk. This could massively reduce the number of support tickets in your organization as most users can recover themselves.

When a user enters their password incorrectly too many times, the account goes into a locked state. With the SSPR service, the end user can still change the password themselves; they will be prompted for MFA during that process.

Before users can unlock their account or reset a password, they must register their contact information.

SSPR requires an Entra ID Premium P1 license, which comes with Microsoft 365 E3 or higher. Follow these steps to enable SSPR:

  1. You must go to the Microsoft Entra admin center (https://entra.microsoft.com) to activate the feature.
  2. In the Protection section, you will find Password reset.

Figure 13.30: Self service password...

Entra ID password protection

Azure MFA keeps most intruders out and prevents anyone who knows only the password from getting access to your environment. But that alone isn’t enough, as there are more Microsoft services you can leverage to secure your user accounts…

Avoid bad passwords with the Entra ID password protection feature. With Entra ID password protection, default global banned password lists are automatically applied to all users in an Entra ID tenant. You can define entries in a custom banned password list to support your own business and security needs.

Adding this feature assures you, as an IT administrator, that the most common passwords, which barely change from year to year, stay in the past!

You can find the Password protection feature under Authentication methods in the Entra admin center. You can also change the lockout thresholds here.

Figure 13.32: Password protection

Password protection...
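To make the banned-list check concrete, here is an added example (not code from the book or from Microsoft) that models the evaluation Microsoft documents for Entra ID password protection: normalize the password, match banned words and the user's or tenant's name, then accept only passwords that reach five points. The custom banned list, names, and the greedy matching order are constructed and simplified.

```python
# Simplified model of the documented Entra ID password protection evaluation:
# normalize, match banned words and user/tenant names, then score. Not
# Microsoft's implementation; the banned list used below is constructed.

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5       # a password needs at least five points to be accepted
MIN_NAME_LEN = 4    # names shorter than this are not substring-matched


def normalize(password: str) -> str:
    """Lowercase the password and apply the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_edit_distance_one(a: str, b: str) -> bool:
    """True if a equals b or differs by one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def mark_matches(normalized: str, words: list, fuzzy: bool, mask: list) -> int:
    """Mark characters covered by each word found in the password.

    Longest words first; an exact match is preferred over a fuzzy one, and a
    character already covered by a match is never counted twice. Returns the
    number of matches found (each is worth one point)."""
    count = 0
    for w in sorted(words, key=len, reverse=True):
        lengths = (len(w), len(w) + 1, len(w) - 1) if fuzzy else (len(w),)
        i = 0
        while i < len(normalized):
            for n in lengths:
                seg = normalized[i:i + n]
                if n < 1 or len(seg) != n or any(mask[i:i + n]):
                    continue
                if seg == w or (fuzzy and within_edit_distance_one(seg, w)):
                    mask[i:i + n] = [True] * n
                    count += 1
                    i += n - 1
                    break
            i += 1
    return count


def score(password: str, banned: list, first_name="", last_name="", tenant="") -> int:
    """Points: one per banned-word or name match, one per remaining character."""
    normalized = normalize(password)
    mask = [False] * len(normalized)
    names = [normalize(n) for n in (first_name, last_name, tenant) if len(n) >= MIN_NAME_LEN]
    points = mark_matches(normalized, names, False, mask)          # exact substrings
    points += mark_matches(normalized, [normalize(b) for b in banned], True, mask)
    return points + mask.count(False)


def is_acceptable(password: str, banned: list, **names) -> bool:
    return score(password, banned, **names) >= MIN_SCORE


if __name__ == "__main__":
    CUSTOM_BANNED = ["contoso", "blank"]   # constructed custom banned list
    for pw in ("C0ntos0Blank12", "ContoS0Bl@nkf9!"):
        print(pw, score(pw, CUSTOM_BANNED), is_acceptable(pw, CUSTOM_BANNED))
```

The two sample passwords show why leetspeak does not help: after normalization, "C0ntos0Blank12" scores only 4 points (two banned words plus two leftover characters) and is rejected, while "ContoS0Bl@nkf9!" reaches 5.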

Passwordless authentication

While reading the previous section, you might have thought, what about passwordless sign-in authentication? Good point!

Microsoft’s strategy for moving organizations away from passwords is a four-step approach: deploy replacement offerings, reduce the password surface area, transition to passwordless deployment, and, finally, eliminate passwords.

Figure 13.33: Passwordless phases

Passwordless authentication is a way to log on to your Windows Enterprise endpoint without entering your password. One of the most common approaches is a so-called YubiKey security key, which comes in variants for USB-C, USB, and other devices, such as Apple devices. Other options are to use text messages or the Microsoft Authenticator app.

Figure 13.34: YubiKey

Let’s talk about the YubiKey. The end user experience looks very similar to how you normally log on to Windows. While you normally log on with either Windows Hello or your...

Enabling passwordless authentication

To enable passwordless authentication, you have to go to the Microsoft Entra admin center. Then, follow these steps:

  1. Go to Protection.
  2. Open Authentication methods.
  3. In the Manage menu, select Authentication methods.

Figure 13.37: Authentication methods

  4. Click on FIDO2 Security Key.

Figure 13.38: Authentication methods – Policies

  5. Enable the settings for (at least) sign-in and strong authentication.

Figure 13.39: FIDO2 Enable and Target

  6. Once you have enabled the use of FIDO2 keys, you also need to configure the settings under the Configure tab:

Figure 13.40: FIDO2 security key configuration

You can also use a key restriction policy to specify what FIDO2 keys your end users can leverage in your tenant, by entering an allow or block list of devices with an Authenticator Attestation GUID (AAGUID).

The FIDO2 specification requires each security...

Passkeys

Passkeys offer a more secure and user-friendly way to log in to websites and applications compared to traditional passwords. Unlike passwords, which require memorization and manual input, passkeys are securely stored on a device and can utilize the device’s unlock features, such as biometrics or a PIN. This eliminates the need for additional sign-in challenges, making the authentication process quicker, safer, and more user-friendly.

Passkeys can be used with any applications or websites that support this feature, allowing you to create and sign in with Windows Hello. Once a passkey is established and saved with Windows Hello, you can use your device’s biometrics or PIN for sign-in. Alternatively, a companion device like a phone or tablet can also be used for sign-in. In order to use passkeys, you would need to be licensed for any of the following Windows licenses.

...

Windows Pro/Pro Education/SE

Web sign-in

Starting with Windows 11, version 22H2, and the KB5030310 update, a web-based sign-in experience is now available on devices joined to Microsoft Entra. This new feature, known as web sign-in, opens up new sign-in options and capabilities. If Windows Hello doesn’t work for any reason, you can also use the Azure Authenticator app, or another alternative secure option.

Web sign-in, which is a credential provider, was first introduced in Windows 10, but it only supported Temporary Access Pass (TAP). However, with the launch of Windows 11, the scenarios and capabilities supported by web sign-in have been extended. For instance, users can now sign in using the Microsoft Authenticator app or a SAML-P federated identity.

Web sign-in is supported for the following Windows licenses.

Windows Pro/Pro Education/SE

Windows Enterprise E3

Windows Enterprise E5...

BitLocker disk encryption

BitLocker has been available since the first release of Windows Vista and gives you the option to encrypt the drives attached to the endpoint. In most cases, BitLocker works in conjunction with the endpoint’s Trusted Platform Module (TPM) chip.

When your end users authenticate to their devices on a day-to-day basis, they will not be asked for the recovery key. But if you are moving the OS disk out of the endpoint and exchanging it for another device or getting a firmware upgrade, you might be asked for the BitLocker recovery key that is associated with your device disk to decrypt everything.

Be aware that BitLocker keys are stored on the Entra device object and not on the Intune device object. If the Entra device object is deleted, it is not possible to retrieve the recovery key again.

We covered in Chapter 7 how to configure BitLocker when doing Autopilot provisioning – it is no different from the way you need to do...

BitLocker recovery keys

When a problem happens with your endpoint and you need to recover your drives, you will most likely need your recovery key. Luckily, the BitLocker keys are automatically saved to Microsoft Entra and are also visible in Microsoft Intune.

You can find the device’s BitLocker recovery keys under Devices | the user’s devices | Recovery keys in Microsoft Intune:

Figure 13.52: BitLocker recovery keys

If you have multiple recovery keys, it is most likely because your device has been reinstalled or the BitLocker keys have been rotated. A BitLocker key will never be deleted on the device object.

If you delete the Intune object for a Microsoft Entra joined device protected by BitLocker, the device deletion will trigger an Intune device sync and will remove the key protectors for the operating system volume.

This will end up in a scenario where BitLocker is in a suspended state on that volume.

BitLocker keys are not stored in Microsoft...

Personal Data Encryption

Personal Data Encryption (PDE) is a security feature introduced in Windows 11 22H2 that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, the decryption keys are released and the encrypted data becomes accessible to that user. When the user logs off, the decryption keys are discarded and the data is inaccessible, even if another user signs in to the device.

PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks, and it works in addition to other encryption methods, such as BitLocker.

To use PDE, the following prerequisites must be met:

  • The device must be running Windows 11, version 22H2 or later.
  • The device must be Microsoft Entra joined. Domain-joined and Microsoft Entra Hybrid joined devices aren’t supported.

Users must sign in using Windows Hello for Business:

    ...

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is Microsoft’s Enterprise endpoint security platform that was created to help businesses prevent, investigate, detect, and respond to threats. This serves to increase the level of security of your whole endpoint configuration.

Microsoft Defender for Endpoint is a security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

Figure 13.89: Microsoft Defender for Endpoint service architecture (conceptual diagram of the Microsoft Defender for Endpoint security configuration management solution)

Integration with Microsoft Intune

Microsoft Intune is becoming more and more prominent for customers who are using Windows 365/Azure Virtual Desktop as it provides a unified way of configuring and maintaining your physical and virtual cloud endpoint...

Security baselines

Security baselines are preconfigured groups of Windows settings that help you apply the security settings that are recommended by the relevant security teams. The baselines you deploy can be customized to enforce only the settings and values required by you.

There are multiple security-related settings in Windows as well as for Microsoft Edge for your endpoints. Another great asset is the option to do versioning and filtering based on different OSes or scenarios that have to be stricter. You no longer have to use GPOs to enforce the security settings on your endpoints – just create a security baseline profile and you’re all set.

Figure 13.91: MDM security baselines

This concludes this security baseline overview. Next, we will cover compliance policies.

Compliance policies

We can define the rules and settings that users and devices must meet to be compliant. This can include actions that apply to non-compliant devices. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on non-compliant devices.

See the following example of how you can set the risk level within Microsoft Defender when your endpoint does not meet the compliance expectations. Your device will show up as a risk in Microsoft Defender for Endpoint as well as in Intune – marked as non-compliant.

Figure 13.92: Microsoft Defender for Endpoint compliance settings

More information on compliance policies can be found in Chapter 10, Advanced Policy Management.

Windows 365 security baselines

Windows 365 delivers its own branded set of security baselines that includes different best practices that are optimized for cloud PC virtualized scenarios.

We highly recommend customers use these as they are based on experience from real-world implementations. You can use these policies to lower the risk while increasing the security boundaries of your cloud PCs.

You can use security baselines to get security recommendations that can help lower risk. The Windows 365 baselines enable security configurations for Windows 10, Edge, and Microsoft Defender for Endpoint. They include versioning features and help customers choose when to update user policies to the latest release.

Figure 13.93: Security baselines

This concludes the section on Windows 365 baselines. In the next section, we will cover Defender for Endpoint.

Microsoft Defender for Endpoint

In the next part of this section, we are going to explain how you can configure...

Connecting to Intune – Microsoft Intune integration

Follow these steps to proceed with the integration:

  1. Open the Security Center portal: https://securitycenter.windows.com/.
  2. Go to Settings.

Figure 13.100: Settings

  3. Turn the slider next to Microsoft Intune connection to On.

Figure 13.101: Microsoft Intune connection

  4. Click on Save preferences.

Figure 13.102: Preferences saved

  5. At this point, Microsoft Defender integrates into Microsoft Intune. You can check the status in the Endpoint security menu.

Figure 13.103: Connectors and tokens – Microsoft Defender for Endpoint

MDM Compliance Policy Settings: When on, compliance policies using the device threat level rule will evaluate devices, including data from this connector. When off, Intune will not use device risk details sent over this connector during device compliance calculation for policies with a device threat...

Alerts and security assessments

Once the rollout and activation are done, and you have configured some security baselines and compliance profiles and assigned them to your desktops, you are ready to review your devices in the Microsoft Defender Security Center console. When you click on devices, you’re able to drill down into the different assessments and alerts if any are detected.

Security recommendations

Microsoft Defender also recommends activating different features to increase the security level of your desktops in the Security recommendations tab. In there, you can find multiple settings that you can directly enable and push into Intune when you set up the connection correctly to your Intune tenant environment.

Figure 13.119: Security recommendations

Defender keylogger protection

Windows Defender for Endpoint now supports the detection of keyloggers, meaning that on managed endpoints connecting to Windows 365 Cloud PCs protected with Defender for Endpoint, software that tries to hijack the user’s keyboard and mouse is detected and can no longer operate.

Figure 13.120: Keylogger protection (screenshot of the Microsoft 365 Defender portal showing the detection of a keylogger malware tool on a Cloud PC)

Windows 365: customer-managed keys support for data encryption

With Microsoft Purview Customer Key, customers can now use their own encryption key to protect their data at rest in cloud PC disks hosted in Microsoft’s data centers.

This allows you as a customer to manage the customer keys while also ensuring that the OS disk of the Windows 365 Cloud PC is encrypted!

Figure 13.121: Cloud PC encryption type

Screen capture protection and watermarking

Screen capture protection, in conjunction with watermarking, serves as a safeguard against the capture of sensitive data on client endpoints via certain operating system...

Summary

In this chapter, you’ve learned about the history of AD and about Entra ID, as well as what the options are to secure your identities better with Conditional Access and Microsoft Defender for Endpoint.

You learned how to combine Microsoft 365 E5 with device compliance on Microsoft Intune-managed devices, using the Microsoft Defender for Endpoint risk score in a compliance policy so that access to corporate data is allowed only when those conditions are met, all within the Microsoft Zero Trust security model.

In the next chapter, we’re going to take a deeper dive into how to monitor your Windows Enterprise endpoints with endpoint analytics.

Questions

  1. Do you need a license in order to use Azure MFA?
    a. Yes
    b. No
  2. What configuration profile setting is required to configure your Windows devices for Microsoft Defender for Endpoint?
    a. Endpoint collections and response
    b. Security assessment
    c. Endpoint detection and response
    d. Sample sharing for all files

Answers

  1. (b)
  2. (c)

Further reading

If you want to learn more about Entra ID, Conditional Access, and Microsoft Defender for Endpoint after reading this chapter, please use one of the following free online resources:

