Wednesday, June 27, 2018

Securing Intune Enrolment



I have been working a lot with Intune for Android & IOS MDM. This post is focused on securing enrollment for Android & IOS devices. There are different methods available for Windows 10 devices which will be covered in a later post.

The Intune enrollment process can be secured via Conditional Access & Azure MFA and Microsoft have an article available HERE that describes how to secure the Intune Enrollment APP via Azure MFA.

But first we need to secure the Azure MFA registration process, If an attacker has obtained a user's credentials and the user that has been compromised has not registered for MFA, the attacker could use his\her phone to register for MFA.

So there are 3 methods to secure the MFA registration process.


  1. Multi-factor authentication registration policy 
  2. User risk Sign In Policy
  3. Populating the phone numbers as described in this ARTICLE
If using method 3 and using a text message or call authentication process, The organisation admins can populate the mobile phone number per user and manage the MFA registration process.

Some helpful commands

##Using MSONLINE module, Query what the existing MFA auth method is
get-msoluser -UserPrincipalName sean@contoso.com | Select-Object -ExpandProperty StrongAuthenticationMethods

##Using MSONLINE module to cancel existing MFA Auth methods
set-msoluser -UserPrincipalName sean@contoso.com -StrongAuthenticationMethods $null

##Export all MFA enabled users to a csv
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | export-csv "CSV PATH"

Once we have followed the guidelines in the Microsoft article to secure the Intune enrollment process with MFA , We can proceed to create our policy for Android & IOS

In the conditional access policy for Android & IOS devices, The final actions are listed below, Devices must be compliant but the compliance enrollment process is secured with MFA












Wednesday, May 9, 2018

Automate OneDrive for Business Hold with Azure Automation

I was working on a project for a customer recently that wanted to automate the process of placing ODFB sites on hold the same way we can automate all Exchange Online mailboxes being placed on hold.

So I created a script and uploaded it to Technet Gallery , Available HERE

Readiness Toolkit to assess application compatibility for Office 365 ProPlus


Microsoft recently released a new Readiness Toolkit to assess application compatibility for Office. The toolkit can be downloaded HERE.

This blog post describes how I used this toolkit to gather analysis for approx 1500 machines.


  1. Install the toolkit on a Windows client.
  2. Create a network share and provide sufficient permissions for each client machine and user. Then copy all of the files from the local installation to the file share.
  3. Create a new folder in the file share called readiness.
  4. Add this executable as an exclusion to your endpoint protection service 'Readinessreporter.exe' 
  5. Create a .bat file : '\\fileshare\ReadinessReportCreator.exe -mru -addinscan -output \\fileshare\readiness\ -silent'
  6. Add the .bat file into a group policy start up script
  7. After a number of days when client machines have logged on, Their will be a sufficient number of .json files.
  8. Launch the readiness toolkit and choose the option
    'Previous readiness results saved together in a local folder or network share'
  9. This will then produce the report
This toolkit is very useful for providing a detailed report on add-ins and macros. The most common Office applications that use specific add-ins are Word and Excel. A use case where this type of report becomes critical is for legal organisations that use case management systems or document management systems.
































Friday, March 30, 2018

Block native mail app on Apple IOS using Azure conditional access policies


I recently set up EMS for a customer and they wanted to ensure all ios native mail apps were blocked and that all client phones must use the Microsoft Outlook app and that devices are enrolled before they can access corporate email.

Azure conditional access policies make this really simple and the following screenshots ill show how we can create this conditional policy.

Browse to the Azure Active Directory admin center / Azure Active Directory/ Conditional Policies

   Firstly Create the Policy

    Next we assign what users the policy will be applied to

   Select the cloud app - Exchange Online

    Select the client app - Active Sync


    Select the controls to enforce

Finally save & enable the policy


Now when a client attempts to setup and use the native Apple IOS app , this message will appear in the end users mailbox, the native app will be unusable for sending and receiving messages. The user can then proceed with the device enrollment process.