Content URL to add to KB

EntraID

[[TOC]]

DSC in Azure
https://learn.microsoft.com/en-us/azure/automation/automation-dsc-onboarding
https://learn.microsoft.com/en-us/azure/governance/machine-configuration/whats-new/migrating-from-azure-automation
https://www.powershellgallery.com/packages/BaselineManagement/4.1.1
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/backup-gpo?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/powershell/dsc/quickstarts/gpo-quickstart?view=dsc-1.1
https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/
https://www.tenable.com/audits/CIS_Microsoft_Windows_Server_2022_Benchmark_v2.0.0_L1_MS
https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/import-a-gpo-from-a-file-ed
https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/export-a-gpo-to-a-file

Endpoint DLP
https://learn.microsoft.com/en-us/purview/endpoint-dlp-get-started-jit?tabs=purview

Exchange:
https://learn.microsoft.com/en-us/defender-office-365/quarantine-shared-mailbox-messages

Defender:
https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure

https://blueprint.asd.gov.au/configuration/intune/devices/scripts/userapplicationhardening-removefeatures/
https://github.com/R33Dfield

NEW Items:
https://mark911.wordpress.com/2023/04/01/how-to-automatically-install-winget-and-upgrade-applications-using-winget-and-powershell-script-in-windows-10/
https://konbert.com/convert/excel/to/json
https://intuneassignmentchecker.ugurkoc.de/
https://ugurkoc.de/get-all-assignments-in-intune-for-a-user-group-or-device/
https://support.microsoft.com/nl-nl/office/meertalige-sharepoint-sites-pagina-s-en-nieuws-maken-2bb7d610-5453-41c6-a0e8-6f40b3ed750c?ui=nl-nl&rs=nl-nl&ad=nl#bkmk_muitranslations

URL
https://www.anoopcnair.com/azure-virtual-desktop-session-host-to-azure-ad/
https://www.anoopcnair.com/avd-azure-ad-joined-vm-login-issue-error-0x9735/
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities
https://www.ciraltos.com/azure-virtual-desktop-the-sign-in-method-youre-using-isnt-allowed/#:~:text=The%20error%20was%20caused%20by,to%20Azure%20AD%20joined%20devices.

INTUNE
https://memv.ennbee.uk/posts/updating-windows-store-apps/
https://github.com/Weatherlights/Winget-AutoUpdate-Intune/tree/main/Sources/WAU
https://winget.run/pkg/Microsoft/Teams

AVD
https://learn.microsoft.com/en-us/azure/virtual-desktop/multimedia-redirection?tabs=edge

KB URL

  • https://learn.microsoft.com/en-us/defender-office-365/email-authentication-arc-configure
  • https://mha.azurewebsites.net/
  • https://kinsta.com/knowledgebase/dmarc-fail/

Defender:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
https://learn.microsoft.com/en-us/defender-endpoint/onboard-windows-server#windows-server-onboarding-overview
https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints
https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2#step-3-add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution

## Users

### Setup break glass accounts

This page describes the configuration of break glass accounts within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon Blueprint for Secure Cloud.

| Item | Value |
|---|---|
| Display Name | Break Glass 2 |
| User type | Member |
| Account enabled | Checked |
| Usage location | The Netherlands |
| Assigned role | Global Administrator |
| Groups | |

| Item | Value |
|---|---|
| Display Name | Break Glass 1 |
| User type | Member |
| Account enabled | Checked |
| Usage location | The Netherlands |
| Assigned role | Global Administrator |
| Groups | |

### Users settings

This page describes the configuration of user settings within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon Blueprint for Secure Cloud.

Setup configuration for Rubicon’s Cloud Blueprint for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/UserSettings


| Item | Value |
|---|---|
| Users can register applications | No |
| Restrict non-admin users from creating tenants | Yes |
| Users can create security groups | No |
| Guest user access restrictions | Guest user access is restricted to properties and memberships of their own directory objects (most restrictive) |
| Restrict access to Microsoft Entra admin centre | Yes |
| Allow users to connect their work or school account with LinkedIn | No |
| Show keep user signed in | No |
| Users can use preview features for My Apps | None |
| Administrators can access My Staff | None |
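The table above is what the portal shows; the same values are exposed through the Graph authorization policy, so drift from the baseline can be checked from a script. The following is an added example (not part of the Blueprint or this page) using the Microsoft Graph PowerShell SDK; it assumes a session with the Policy.Read.All scope and maps each portal item to the Graph property that backs it.

```powershell
# Added example: compare the tenant's authorization policy with the
# Blueprint user-settings baseline. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Role template id of "Restricted guest user", which is what the portal's
# most restrictive "Guest user access restrictions" option sets.
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

# Expected values taken from the table above. "Restrict non-admin users
# from creating tenants: Yes" means AllowedToCreateTenants must be false.
$baseline = @(
    @{ Item = 'Users can register applications';
       Actual = $perms.AllowedToCreateApps; Expected = $false }
    @{ Item = 'Restrict non-admin users from creating tenants';
       Actual = (-not $perms.AllowedToCreateTenants); Expected = $true }
    @{ Item = 'Users can create security groups';
       Actual = $perms.AllowedToCreateSecurityGroups; Expected = $false }
    @{ Item = 'Guest user access restrictions (most restrictive)';
       Actual = ($policy.GuestUserRoleId -eq $RestrictedGuestRoleId); Expected = $true }
)

# Collect only the rows whose live value differs from the baseline.
$drift = foreach ($row in $baseline) {
    if ($row.Actual -ne $row.Expected) {
        [pscustomobject]@{ Item = $row.Item; Expected = $row.Expected; Actual = $row.Actual }
    }
}

if ($drift) {
    Write-Warning "User settings differ from the Blueprint baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "User settings match the Blueprint baseline."
}
```

The remaining portal items in the table (admin centre restriction, LinkedIn connection, keep-me-signed-in prompt, My Apps preview, My Staff) are not part of the authorization policy and still need to be verified in the portal.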

### User Features

This page describes the configuration of user features within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon’s Blueprint for Secure Cloud.

The below tables outline the as built configuration for Rubicon’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Entra admin portal at the following URL: https://portal.azure.com/#view/Microsoft_AAD_IAM/FeatureSettingsBlade


### Per-user MFA

Setup configuration for Rubicon Cloud Blueprint for the Microsoft Entra admin portal at the following URL: https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

| Item | Value |
|---|---|
| App passwords | Do not allow users to create app passwords to sign in to non-browser apps |
| Skip multi-factor authentication for requests from federated users on my intranet | Not checked |
| Remember multi-factor authentication on trusted device | Not checked |

## Groups

This page describes the configuration of group settings within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon’s Blueprint for Secure Cloud.

### Setup baseline groups

The following groups need to be created for Rubicon’s Secure Cloud Blueprint:


bl-sg-devices-windows-mdm: `(device.deviceModel -ne "Virtual Machine") and (device.managementType -eq "MDM")`

bl-sg-devices-windows-autopilot: `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`

bl-sg-devices-windows-avd: `(device.deviceModel -eq "Virtual Machine")`

bl-sg-devices-windows-byod: `(device.deviceTrustType -match "workplace") -and (device.deviceOSType -eq "Windows")`

bl-sg-users-guests: `(user.userType -eq "guest")`

bl-sg-users-members: `(user.userType -eq "member")`

### General

Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of Zero Trust.

Setup configuration for Rubicon’s Cloud Blueprint for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/General


### Expiration

This page describes the configuration of group expiration within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon’s Blueprint for Secure Cloud.

Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and Power BI.

The below tables outline the as built configuration for Rubicon’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/Lifecycle


### Naming policy

This page describes the configuration of naming policies within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon’s Blueprint for Secure Cloud.

The below tables outline the as built configuration for Rubicon’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/NamingPolicy

| Item | Value |
|---|---|
| Block word list | Not configured |
| Add prefix | Not configured |
| Add suffix | Not configured |

## Devices

A device identity is an object in Microsoft Entra ID. This device object is similar to users, groups, or applications. A device identity gives administrators information they can use when making access or configuration decisions.

There are three ways to get a device identity:

  • Microsoft Entra registration
  • Microsoft Entra join
  • Microsoft Entra hybrid join

### Device Settings

This page describes the configuration of device settings within Microsoft Entra ID associated with systems built according to the guidance provided by Rubicon Blueprint for Secure Cloud.

Setup configuration for Rubicon Cloud Blueprint for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/DeviceSettings


Microsoft Entra join and registration settings

| Item | Value |
|---|:---:|
| Users may join devices to Microsoft Entra | All |
| Users may register their devices with Microsoft Entra | All |
| Require Multifactor Authentication to register or join devices with Microsoft Entra | No |
| Maximum number of devices per user | Unlimited |

Local administrator settings

| Item | Value |
|---|:---:|
| Global administrator role is added as local administrator on the device during Microsoft Entra join (Preview) | No |
| Registering user is added as local administrator on the device during Microsoft Entra join (Preview) | None |
| Enable Microsoft Entra Local Administrator Password Solution (LAPS) | Yes |

Other settings

| Item | Value |
|---|:---:|
| Restrict users from recovering the Bitlocker key(s) for their owned devices | No |

### Enterprise state roaming

Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Enterprise State Roaming is available to any organization with a Microsoft Entra ID P1 or P2 or Enterprise Mobility + Security (EMS) license.

The below tables outline the as built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Entra admin portal at the following URL: https://entra.microsoft.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/RoamingSettings


| Item | Value |
|---|---|
| Users may sync settings and app data across devices | All |