Automatically remove and disable unwelcome objects from privileged on-premises Active Directory groups using Microsoft Sentinel

May 24, 2024October 23, 2023 by Martin Bengtsson

Introduction

Active Directory is a prime target for attackers – and for most organizations something that’s considered the crown jewels. This is due to Active Directory still being the bread and butter for most organizations in regard to authentication and authorization.

When it comes to security, automation is your best friend and keeping a close eye on privileged group membership should be on top of your list.

This post will walk you through, how you can make sure no unwelcome objects make their way into privileged groups in on-premises AD, by leveraging Microsoft Sentinel and its option to run playbooks automated.

This breaks down to Microsoft Sentinel generating an alert, which triggers the associated Playbook, which triggers a Logic app, which triggers a Runbook in an Automation Account, which ultimately runs a PowerShell script on an on-premises server.

Big shout out to my colleague Christian Frohn Petersen who assisted in setting up the prerequisites for this solution. 🙂

Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11

June 9, 2022 by Martin Bengtsson

Introduction

As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here:

Using Filters with Conditional Access: Protect your privileged users with an additional layer of security

September 7, 2021September 7, 2021 by Martin Bengtsson

Introduction

So, I’m quite far behind in my blogging schedule, and I’m merely picking up on a feature which released in preview back some time in May. Luckily, this doesn’t impact the importance of the topic, and therefore I’m still putting it out there.

A neat example of putting Filters to use with Conditional Access, is by protecting your privileged users, like your Global Administrators, with an additional layer, only allowing access to resources if coming from specific devices.

Curious? This post will walk you through how to achieve just that. 🙂

Setting up Microsoft Tunnel Gateway with Microsoft Endpoint Manager and Linux VM(s) in Azure

December 5, 2020December 4, 2020 by Martin Bengtsson

Introduction

I typically blog about topics, that I’m currently addressing in my own daily work, and this time is no different.

Covid-19 surely has a saying on this particular topic as well, and empowering our users to do more, working securely from home and remote, is key.

In that regard, we needed a simple VPN solution for our iOS devices, and while making my way through the setup and configuration of Microsoft Tunnel Gateway, I decided it was worth blogging as well.

This post will walk you through everything you need know, in order to successfully setup Microsoft Tunnel Gateway as a proof of concept.

This includes:

Creating the VM(s) in Azure
Assigning static public IP
Hardening of the inbound traffic
Configuring public DNS record
SSH’ing to the Linux server
Installing Docker on Linux
Setting up configuration in Microsoft Endpoint Manager
Installing Microsoft Tunnel on Linux
- Copying down TLS certificate to Linux
Deploying VPN profile in Microsoft Endpoint Manager
Verifying connection to VPN on iOS is successful

Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

February 24, 2020February 5, 2020 by Martin Bengtsson

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

January 4, 2020January 3, 2020 by Martin Bengtsson

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Script Update: Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

December 16, 2019December 16, 2019 by Martin Bengtsson

Introduction

If you already use or intend to use my script, which reminds users to update iOS with e-mails and custom notification, you will want to use the updated script. 🙂

I obviously put the script to use in production, and quickly realized that the script also picks up obsolete devices. This is not ideal, as you might end up in a situation where a user is reminded by e-mail, to update a device which is obsolete and no longer in use.

So the script has been updated to cater for this situation, and now only picks up devices which has been syncing with Microsoft Intune within the last 2 days.

My original and still valid post on how to use the script here: https://www.imab.dk/automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

June 9, 2021December 1, 2019 by Martin Bengtsson

Introduction

**Minor update**: https://www.imab.dk/script-update-automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Long title! It could have been even longer, but I struggled to squeeze in that the e-mail also is sent over Office 365 and the entire deliciousness is running on a schedule with Azure Automation. 🙂

The story here is, that iOS is getting updates quite frequently, and a lot of enterprises (including myself), are managing those iOS devices as private BYOD devices enrolled through the Company Portal. As of such, keeping the devices up to date is the end-user’s responsibility and something that’s often forgotten and neglected.

So what if we could send those devices and users a kind reminder automatically, both as a custom notification directly on the device, but also as an e-mail? Microsoft Intune Powershell SDK to the rescue!

A brief first look on Microsoft Defender ATP Tamper Protection

October 17, 2019October 16, 2019 by Martin Bengtsson

Introduction

Late last night my time, Tamper Protection in the Microsoft Defender stack went Generally Available.

In short and as the name implies, this is a feature which essentially locks Microsoft Defender and prevents your security settings from being tampered with, including changes made by an administrator.

From a security perspective, this is a great and welcomed addition – let’s take a closer look. 🙂

PS. I did find some oddities in some of the behavior when trying to disable Microsoft Defender through Group Policy. More on that in the end of the post.

Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

August 7, 2019August 6, 2019 by Martin Bengtsson

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. 🙂