In this chapter, you will learn everything about Azure Active Directory (AAD) and security. We will cover the history of AAD and the different security aspects that you can configure to secure your Windows 10 Enterprise devices within your organization.

In this chapter, we'll go through the following topics:

• Microsoft Identity
• AAD
• Users and groups
• Hybrid AAD
• Conditional Access
• BitLocker disk encryption
• Self-service password reset
• AAD password protection
• Password-less authentication
• What is and isn't supported in each password-less scenario
• Microsoft Defender for Endpoint

Active Directory Domain Services (AD DS) has been on the market since the year 2000. As some of you might remember, it arrived with the first release of Windows 2000 Server.

The way it works is, you join your Windows client or server devices to Active Directory (AD) to take over the management layer of it via either group policies or security settings, or you use it to chain different AD environments to each other to delegate organization permissions to resources that are stored in a different AD environment – in different forests.

Within the context of Microsoft Endpoint Manager (MEM), it's possible to connect to Windows devices that are both AD DS- and AAD-joined. Devices that are joined to AD DS and need to become available in AAD as well are known as hybrid AAD-joined (HAADJ). Before your business is ready to work natively in AAD, hybrid AAD might be the best option to use as an interim solution. Let's talk more about this in the next...

AAD provides single sign-on (SSO) and multi-factor authentication (MFA) to Windows 10 Enterprise and MEM to help protect your users from 99.9 percent of cybersecurity attacks.

AAD is the evolution of traditional AD (AD DS) and makes it possible to do the following:

• SSO simplifies access to your apps from anywhere.
• Conditional Access and MFA help to protect your environment from outside intruders.
• As a single identity platform, it lets you engage with internal and external users more securely.
• Developer tools make it easy to integrate identity into your apps and services.

Let's look at AAD users next.

AAD users

AAD users include the account settings of a user in your organization and only live in the Microsoft Azure cloud. Creating and deleting users can be done by using either the AAD Global Administrator role or an account that has the account administrator role-based access control (RBAC) role assigned.

Figure...

Conditional Access is the tool used by AAD to bring signals together, make decisions, and enforce organizational policies. It is at the heart of the new identity-driven control plane.

Figure 13.14 – Conditional Access

Administrators must have two primary goals:

• Empower users to be productive wherever and whenever.
• Protect the organization's assets.

You can apply the right access controls when needed to keep your organization secure and stay out of your users' way when not needed with the help of Conditional Access policies.

Figure 13.15 – Conditional Access workflow

Next, we will look at user and group scoping in a Conditional Access policy.

Users and groups

Conditional Access allows you to control user access based on user and group assignments. The creation of a Conditional Access policy starts with filtering based on the following conditions:

• None
• All...

Cloud apps are AAD Enterprise applications that represent the Microsoft cloud or third-party applications. This could be, for example, Windows 365, a Software as a Service (SaaS) application, or Office 365 services.

To enforce different Conditional Access settings per cloud app(s), you can create different policies that only apply to that specific application to customize access:

Figure 13.17 – Selecting cloud apps

Cloud apps most likely are named after the service; otherwise, you have to select them according to the right app ID, such as 0af06dc6-e4b5-4f28-818e-e78e62d137a5.

Aside from filtering on cloud apps, you could also apply Conditional Access settings during actions, for example, the process of registering and joining devices to MEM. You must then select user actions instead of cloud apps:

• Register security information
• Register or join devices

Figure 13.18 – User actions

Next...

You can select the following options as Conditional Access grant settings, of which MFA is the most common one to use:

• Require MFA: Users must complete additional security requirements such as a phone call or text.
• Require device to be marked as compliant: Device must be Intune-compliant. If the device is non-compliant, the user will be prompted to bring the device under compliance.
• Require HAADJ device: Devices must be HAADJ to get access.
• Require approved client app: Device must use these approved client applications.
• Require app protection policy: The devices that you connect from must use policy-protected apps.

You could also select multiple controls, to force either multiple requirement options or one of multiple options, to provide access if multiple endpoint scenarios apply:

• Require all the selected controls
• Require one of the selected controls

  Note

  When selecting MFA and devices marked as compliant, you could lock yourself out...

To block your users from adding additional work accounts to your corporate domain-joined, AAD-joined, or HAADJ Windows 10 devices, enable the following registry key. This policy can also be used to block domain-joined machines from inadvertently getting AAD registered with the same user account: HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001.

Figure 13.26 – Use this account everywhere on your device

There is no central way to prevent a user from registering their BYOD device in AAD. If AAD automatic MDM enrollment is configured and the checkmark for Allow my organization to manage my device is set, the device will be enrolled into Microsoft Intune. Next, we will take a look at self-service password reset (SSPR).

The SSPR feature allows businesses to give users the ability to reset their own passwords without any interaction with the service desk. This could massively reduce the number of support tickets in your organization as most users can recover themselves.

When a user enters their password too many times incorrectly, the account will go into a locked state. With the SSPR service, the end user can then change the password and will be prompted for MFA during that process.

Note

Before users can unlock their account or reset a password, they must register their contact information.

SSPR requires an AAD Premium P1 license, which comes with Microsoft 365 E3 or higher.

You must go to AAD in the Azure portal (https://portal.azure.com/#home) to activate the feature.

Figure 13.27 – Self service password reset enabled

It's also possible to make SSPR available for AAD group members only – via the Selected...

Azure MFA keeps most intruders out – and proactively prevents other people from getting access to your environment with only the password. This isn't enough, as there are more Microsoft services to leverage in order to secure your user accounts.…

Avoid bad passwords with the AAD password protection feature. With AAD password protection, default global banned password lists are automatically applied to all users in an AAD tenant. You can define entries in a custom banned password list to support your own business and security needs.

Adding this feature would assure you, as an IT administrator, that the most common passwords – which are no different every year – stay in the past!

You can find the Password protection feature under Authentication methods in the Azure portal. You can also change the lockout thresholds here.

Figure 13.29 – Password protection

Note

Password protection...

While reading the previous section, you might have thought, what about password-less sign-in authentication? Good point!

Microsoft aims to make setting passwords easier; our strategy is a four-step approach where we deploy replacement offerings, reduce the password surface area, transition to password-less deployment, and finally, eliminate passwords.

Figure 13.30 – Password-less phases

Password-less authentication is a way to log on to your Windows 10 Enterprise endpoint without entering your password. One of the most common approaches to do this is via a so-called YubiKey security key. You have them for USB-C, USB, and other devices, such as an Apple device. Other options are to use text messages or the Microsoft Authenticator app.

Figure 13.31 – YubiKey

Let's talk about the YubiKey. The end user experience looks very similar to how you normally log on to Windows. While you are...

To enable password-less authentication, you have to go to the Azure portal and open AAD. Then, follow these steps:

1. Go to Security.
2. Open Authentication methods.
3. Under the Manage menu, select Authentication methods.

   Figure 13.34 – Authentication methods

4. Click on FIDO2 Security Key.

   Figure 13.35 – Authentication methods – Policies

5. Enable the settings for (at least) sign-in and strong authentication.

Figure 13.36 – FIDO2 security key configuration

You can also use a key restriction policy to specify what FIDO2 keys your end users can leverage in your tenant, by entering an allow or block list of devices with an Authenticator Attestation GUID (AAGUID).

The FIDO2 specification requires each security key provider to provide an AAGUID during attestation. An AAGUID is a 128-bit identifier indicating the key type, such as the make and model.

You're now done with the...

BitLocker has been available since the first release of Windows Vista and gives the option to encrypt the drives attached to the endpoint. In most cases, BitLocker can work in conjunction with your endpoint that has a Trusted Platform Module (TPM) chip.

As long as you can authenticate to your device and you are not moving the OS disk out of the endpoint and exchanging it for another device, it's unlikely that you will ever need the BitLocker key that is associated with your device disk to decrypt everything. The help desk operator role will be able to access all the keys to restore:

1. To enable BitLocker for your Windows 10 or Windows 11 endpoints, you have to go to Endpoint security, followed by Disk encryption.

   Figure 13.38 – Endpoint security – Disk encryption

   Note

   BitLocker is not supported on Windows 365 as of yet.

2. Click on Create Policy.
3. Select Windows 10 and later as the platform with BitLocker for Profile.

   Figure...

When a problem happens with your endpoint and you need to recover your drives, you most likely need your recovery key. Luckily, the BitLocker keys are automatically saved to MEM.

You can find the device's BitLocker recovery keys under Devices | the user's devices | Recovery keys in MEM:

Figure 13.42 – BitLocker recovery keys

Enter the recovery key in the key field of Windows 10 and you are good to go!

Figure 13.43 – BitLocker recovery

You can search the device's BitLocker recovery keys under Devices | BitLocker keys without knowing the device name, in the AAD admin center.

Figure 13.44 – Searching for BitLocker keys

This concludes the section on BitLocker management in Microsoft Intune. Next, we will cover Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is Microsoft's Enterprise endpoint security platform that was created to help businesses prevent, investigate, detect, and respond to threats. This serves to increase the level of security of your whole endpoint configuration.

Microsoft Defender for Endpoint is a security solution that includes risk-based vulnerability management and assessment, attack surface reduction, behavioral-based and cloud-powered next-generation protection, endpoint detection and response (EDR), automatic investigation and remediation, managed hunting services, rich APIs, and unified security management.

Integration with MEM

MEM becomes more and more prominent for customers who are using Windows 365/Azure Virtual Desktop as it provides a unified way of configuring and maintaining your physical and virtual cloud endpoint as well as other devices such as mobile.

Microsoft Defender for Endpoint integrates seamlessly into MEM...

Security baselines are preconfigured groups of Windows settings that help you apply the security settings that are recommended by the relevant security teams. The baselines you deploy can be customized to enforce only the settings and values required by you.

There are multiple security-related settings in Windows as well as for Microsoft Edge for your endpoints. Another great asset is the option to do versioning and filtering based on different OSes or scenarios that have to be stricter. You no longer have to use GPOs to ensure the security settings on your endpoints – just create a security baseline profile and you're all set.

Figure 13.46 – MDM security baselines

This concludes this security baseline overview. Next, we will cover compliance policies.

We can define the rules and settings that users and devices must meet to be compliant. This can include actions that apply to noncompliant devices. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices.

See the following example of how you can set the risk level within Microsoft Defender when your endpoint does not meet the compliance expectations. Your device will show up as a risk in Microsoft Defender for Endpoint as well as in Intune – marked as non-compliant.

Figure 13.47 – Microsoft Defender for Endpoint compliance settings

Note

More information on compliance policies can be found in Chapter 10, Advanced Policy Management.

Windows 365 delivers its own branded set of security baselines that include different best practices that are optimized for cloud PC virtualized scenarios.

We highly recommend customers use these as they come from experience from real-world implementations. You can use these policies to lower the risk while increasing the security boundaries of your cloud PCs.

You can use security baselines to get security recommendations that can help lower risk. The Windows 365 baselines enable security configurations for Windows 10, Edge, and Microsoft Defender for Endpoint. They include versioning features and help customers choose when to update user policies to the latest release.

Figure 13.48 – Security baselines

Requirements for Defender for Endpoint

In the next part of this section, I'm going to explain how you configure Microsoft Defender for Endpoint via MEM to secure your virtual or physical Windows endpoints...

Follow these steps to proceed with the integration:

1. Open the Security Center portal: https://securitycenter.windows.com/.
2. Go to Settings.

   Figure 13.55 – Settings

3. Turn the slider next to Microsoft Intune connection to On.

   Figure 13.56 – Microsoft Intune connection

4. Click on Save preferences.

   Figure 13.57 – Preferences saved

5. At this point, Microsoft Defender integrates into MEM. You can check the status in the Endpoint security menu.

   Figure 13.58 – Connectors and tokens – Microsoft Defender for Endpoint

   Note

   When on, compliance policies using the device threat level rule will evaluate devices, including data from this connector. When off, Intune will not use device risk details sent over this connector during device compliance calculation for policies with a device threat level configured. Existing devices that are not compliant due to risk levels obtained...

Once the rollout and activation are done, and you have configured some security baselines and compliance profiles and assigned them to your desktops, you are ready to review your devices in the Microsoft Defender Security Center console. When you click on devices, you're able to drill down into the different assessments and alerts (if any) being detected.

Security recommendations

Microsoft Defender also recommends activating different features to increase the security level of your desktops in the Security recommendations tab. In there, you can find multiple settings that you can directly enable and push into Intune when you set up the connection correctly to your Intune tenant environment.

Figure 13.73 – Security recommendations

In this chapter, you've learned about the history of AD and about AAD, and what the options are to secure your identities better with Conditional Access and Microsoft Defender for Endpoint.

You learned how you can combine the force of Microsoft 365 E5 with device compliance on Microsoft Intune-managed devices with a Microsoft Defender for Endpoint risk score in a compliance policy to only allow access to corporate data by leveraging conditions all in the Microsoft zero-trust security model.

In the next chapter, we're going to take a deeper dive into how to monitor your Windows 10 Enterprise endpoints with Endpoint analytics.

1. Do you need a license in order to use Azure MFA?
   1. Yes
   2. No
2. What configuration profile setting is required to configure your Windows 10 devices for Microsoft Defender for Endpoint?
   1. Endpoint collections and response
   2. Security assessment
   3. Endpoint detection and response
   4. Sample sharing for all files

1. (B)
2. (C)

If you want to learn more about AAD, Conditional Access, and Microsoft Defender for Endpoint after reading this chapter, please use one of the following free online resources:

• Microsoft Defender for Endpoint – Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog
• Practice security administration – Learn | Microsoft Docs: https://docs.microsoft.com/en-us/learn/modules/m365-security-threat-protect/practice-security-administration