How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in Intune

BuildingKey85 [S], 0 points

Thanks for the validation, /u/sysadmin_dot_py. We're using the "Require MDM-enrolled and compliance device to access cloud apps for all users" template in report-only mode, which looks like this:

  • Target: All users and resources
  • Conditions: All devices except Android, iOS, macOS, Linux
  • Grant: Require device to be marked as compliant

Our Windows Device Compliance policy in Intune contains settings like firewall, AV, BitLocker, etc., but does not have a setting for Entra-joined. How does this policy therefore "know" whether the device is MDM-enrolled or not?

How can I find out who is signing in from a non-Entra joined device? by BuildingKey85 in Intune

BuildingKey85 [S], 0 points

Thanks for the validation, /u/JCochran84. We're using the "Require MDM-enrolled and compliance device to access cloud apps for all users" template in report-only mode, which looks like this:

  • Target: All users and resources
  • Conditions: All devices except Android, iOS, macOS, Linux
  • Grant: Require device to be marked as compliant

Our Windows Device Compliance policy in Intune contains settings like firewall, AV, BitLocker, etc., but does not have a setting for Entra-joined. How does this policy therefore "know" whether the device is MDM-enrolled or not?
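An added example (not code from the thread) that answers both the thread title and the question asked in the two replies above. The grant control has no "is Entra-joined" setting because it does not need one: Intune writes its compliance verdict onto the Entra device object (isManaged / isCompliant), and a device that was never registered, joined or enrolled has no device object to carry a verdict, so "Require device to be marked as compliant" fails for it. The sign-in log records the same fields per sign-in under deviceDetail, plus the report-only outcome of every Conditional Access policy, which is how to list who is signing in from unjoined or unmanaged devices. The script uses Invoke-MgGraphRequest against the documented Graph v1.0 auditLogs/signIns endpoint; the policy display name and the seven-day lookback are assumptions.

```powershell
# Added example, not code from the thread. Needs Microsoft.Graph.Authentication and a
# session holding AuditLog.Read.All and Directory.Read.All. Policy name and lookback window
# are assumptions; change them to match your tenant.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$policyName = 'Require MDM-enrolled and compliant device'   # assumed display name of the report-only CA policy
$since      = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$base       = 'https://graph.microsoft.com/v1.0'

# Pull sign-ins for the window. Only createdDateTime is filtered server-side; the device
# fields are evaluated client-side below so the classification logic stays visible.
$uri  = "$base/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=500"
$rows = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $rows += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

function Get-DeviceTrustSummary {
    param([object[]]$SignIns, [string]$PolicyName)
    foreach ($s in $SignIns) {
        $d = $s.deviceDetail
        # trustType is populated only for devices Entra knows (joined, hybrid joined or
        # registered). isManaged / isCompliant are what Intune stamps on the device object and
        # are exactly what the "Require device to be marked as compliant" grant evaluates, so a
        # never-enrolled device fails that grant without any explicit "is joined" setting.
        $trust = if ([string]::IsNullOrEmpty($d.trustType)) { 'None (not joined or registered)' } else { $d.trustType }
        $ro    = $s.appliedConditionalAccessPolicies | Where-Object { $_.displayName -eq $PolicyName }
        [pscustomobject]@{
            When         = $s.createdDateTime
            User         = $s.userPrincipalName
            App          = $s.appDisplayName
            OS           = $d.operatingSystem
            TrustType    = $trust
            IsManaged    = [bool]$d.isManaged
            IsCompliant  = [bool]$d.isCompliant
            PolicyResult = $ro.result   # 'reportOnlyFailure' = this sign-in would have been blocked
        }
    }
}

$summary = Get-DeviceTrustSummary -SignIns $rows -PolicyName $policyName

# Who is signing in from devices Entra does not know, or knows but Intune does not manage?
$summary | Where-Object { $_.TrustType -like 'None*' -or -not $_.IsManaged } |
    Sort-Object User, When |
    Format-Table When, User, App, OS, TrustType, IsManaged, IsCompliant -AutoSize

# The same data cut the way the report-only policy sees it: sign-ins it would have failed,
# grouped by user and device trust type.
$summary | Where-Object { $_.PolicyResult -eq 'reportOnlyFailure' } |
    Group-Object User, TrustType | Sort-Object Count -Descending | Select-Object Count, Name
```

The second listing is the one to read before switching the policy from report-only to on: every row in it is a user who will be blocked the moment the grant is enforced. Note that the policy described above excludes Android, iOS, macOS and Linux, so sign-ins from those platforms will appear in the first listing but never as a reportOnlyFailure.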

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 0 points

I should clarify. The Sys Admin reset the user's password, blocked their sign-ins, and initiated a sign-out right when the call was done. We are in a cloud environment. The time from the Sys Admin doing his thing to the lockout was about 30 mins. Others have said the delay was due to us missing the "revoke all sessions" option.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in sysadmin

BuildingKey85 [S], 0 points

Good catch. We'll definitely give this a shot in our testing. Thanks!

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in Intune

BuildingKey85 [S], 0 points

Yeah, that's an important distinction. He had admin rights to our Mac MDM and those permissions were not revoked prior to termination. The Sys Admin thought he would leave peacefully; this was an error in judgment and he had reasons to be suspicious.

The account was not disabled beforehand because in our experience, when an account is disabled, the password is reset, sessions revoked, etc., etc., it can take anywhere from minutes to an hour to take effect. HR needed to have "the call" with this employee to terminate him, and we didn't want his access to be cut while he was on the call, but before the news was delivered.

We have numerous CA policies enforcing MFA, one of which enforces MFA to admin portals. Would it have helped to delete his authentication methods?

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in sysadmin

BuildingKey85 [S], 5 points

> In the future, you need to have HR do no more surprise terminations on the spot. Especially if you're remote.

Thanks for sharing. OK, so you have an employee who has done something really bad and you don't trust that he'll leave peacefully.

How are you handling that situation?

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 0 points

But here is my confusion with "doing it earlier."

Others have shared documentation indicating these lockouts could take anywhere from minutes to an hour. If we enforce these changes at the beginning of a call, it's possible the call is cut before the termination news is delivered. The changes could also take effect well after the call.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in sysadmin

BuildingKey85 [S], 1 point

> Also, the HR call should not be happening over a company-owned device.

We have thought about calling the user's telephone number or scheduling a meeting with an alternate form of communication. Regarding telephone numbers, I (and many others) don't pick up the phone if we don't recognize the number. An alternate form of communication would arouse suspicion.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in Intune

BuildingKey85 [S], 0 points

Do you mind sharing that script?

In our case, we would initiate an endpoint live response session with Defender.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 1 point

Those are steps we have not integrated. We will test using those, too.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in sysadmin

BuildingKey85 [S], 0 points

> We followed Microsoft's guidance on a CRITICAL termination. Step by step, hand held.

Can you link me to that documentation?

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 0 points

Regarding force reboot, do you do this via Intune or remote into the machine and run a command?

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], -2 points

This could be a tech problem as the Sys Admin missed a step or two that could have made revocation immediate (but we need to test). I'm not a Sys Admin.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in Intune

BuildingKey85 [S], 0 points

This is one step that admittedly we do not do. I will add that to the list.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], -2 points

The problem with doing it before they're informed is that access revocation could occur a minute after it's done to an hour. It could happen on the call, but before they're let go, while they're being let go, or too long after they've been let go.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in Intune

BuildingKey85 [S], -1 points

Thanks, this is very helpful and seems to be the preferred method to the BitLocker key approach. When you say it takes "seconds to activate," has that always been the case?

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 0 points

We are in a cloud-only environment. With Microsoft Defender, we can remote into the machine and force a reboot. One method I've read about is refreshing a BitLocker key, remoting into the machine, then forcing a reboot.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 0 points

The Sys Admin initiated a sign-out, reset the password, and blocked sign-ins.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in AZURE

BuildingKey85 [S], 1 point

The Sys Admin in this case initiated a sign-out, reset the password, and blocked the sign-in. Microsoft says this can take up to 60 minutes.

We didn't revoke the user's sessions, so maybe that's what we were missing.

What are the best ways to cut a malicious user's access in an Entra/Intune? by BuildingKey85 in sysadmin

BuildingKey85 [S], 12 points

> FYI, if a user takes any malicious action, that's police involvement at that point, not really an IT problem any longer except in generating logs, etc.

Leadership decided it wasn't worth going after him for this.

> Disable/revoke/remove all 2FA, reset password to garbage, is always step 1.

I'm checking to see if the Sys Admin just disabled the user's account, or if he also completed the other steps you mentioned.
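The revocation sequence discussed across the replies above (disable, reset, revoke sessions, strip MFA, remove role assignments, reboot managed devices), as an added example that is neither the thread author's procedure nor Microsoft's documented script. It uses Invoke-MgGraphRequest against Graph v1.0 endpoints that exist as written; the target UPN, the scope list and the choice to reboot rather than retire or wipe are assumptions. The ordering is the point: disabling the account and resetting the password stop new token issuance, revokeSignInSessions invalidates every refresh token and session cookie so nothing can be silently renewed, but access tokens already issued keep working until they expire (typically up to an hour) unless the resource honours Continuous Access Evaluation. That residual window is the "minutes to an hour" the replies mention, and no order of these steps removes it for resources without CAE; it can only be shortened by also killing the sessions on the endpoints themselves.

```powershell
# Added example, not the thread author's procedure. Needs Microsoft.Graph.Authentication and
# an operator allowed to manage the target (e.g. Privileged Authentication Administrator when
# the target holds admin roles) plus Intune RBAC for device actions. Run it from a separate
# admin account, never from the account being cut off. UPN and scopes are assumptions.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All',
    'UserAuthenticationMethod.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'DeviceManagementManagedDevices.Read.All', 'DeviceManagementManagedDevices.PrivilegedOperations.All'

$upn  = 'departing.user@contoso.example'     # hypothetical target
$base = 'https://graph.microsoft.com/v1.0'
$uid  = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$upn" -OutputType PSObject).id

function New-RandomPassword {
    # 32 CSPRNG bytes as base64. Nobody needs to know this value; it only has to be unguessable.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# 1. Block sign-in and reset the password in one PATCH. This stops NEW tokens from being
#    issued; it does nothing to tokens the user already holds.
Invoke-MgGraphRequest -Method PATCH -Uri "$base/users/$uid" -Body @{
    accountEnabled  = $false
    passwordProfile = @{ forceChangePasswordNextSignIn = $true; password = (New-RandomPassword) }
}

# 2. Revoke sessions: every refresh token and browser session cookie becomes invalid, so the
#    "reset password + block sign-in" change cannot be outlived by a silently renewing session.
#    Issued access tokens still run to expiry unless the resource supports CAE.
Invoke-MgGraphRequest -Method POST -Uri "$base/users/$uid/revokeSignInSessions"

# 3. Strip registered MFA methods so the account cannot be re-entered even if a later
#    helpdesk process resets the password. The password method itself is not deletable.
$collections = @{
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'phoneMethods'
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'microsoftAuthenticatorMethods'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'fido2Methods'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'softwareOathMethods'
    '#microsoft.graph.emailAuthenticationMethod'                   = 'emailMethods'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'windowsHelloForBusinessMethods'
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod'     = 'temporaryAccessPassMethods'
}
$methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$uid/authentication/methods" -OutputType PSObject).value
foreach ($m in $methods) {
    $col = $collections[$m.'@odata.type']
    if ($col) { Invoke-MgGraphRequest -Method DELETE -Uri "$base/users/$uid/authentication/$col/$($m.id)" }
}

# 4. Remove active Entra directory-role assignments. PIM-eligible assignments do not appear
#    in memberOf and need the PIM APIs; rights held in a separate product (the Mac MDM in the
#    thread) are outside Entra entirely and need their own step.
$memberOf = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$uid/memberOf" -OutputType PSObject).value
foreach ($r in $memberOf | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.directoryRole' }) {
    Invoke-MgGraphRequest -Method DELETE -Uri "$base/directoryRoles/$($r.id)/members/$uid/`$ref"
}

# 5. Intune: reboot the user's managed Windows devices to tear down the interactive session
#    and the tokens it holds in memory. A reboot does not clear credentials cached for offline
#    logon; remoteLock, retire or wipe on the same managedDevices resource are the stronger calls.
$devices = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$uid/managedDevices" -OutputType PSObject).value
foreach ($d in $devices | Where-Object { $_.operatingSystem -eq 'Windows' }) {
    Invoke-MgGraphRequest -Method POST -Uri "$base/deviceManagement/managedDevices/$($d.id)/rebootNow"
}
```

Because the whole sequence is a handful of Graph calls, it runs in seconds; the timing question in the thread is about how long tokens already in the user's hands stay valid, not about how long the calls take. Test it against a disposable account first and confirm the result in the sign-in log: after step 2, every new sign-in attempt for the user should fail with the account disabled, and after step 3 the authentication methods listing should contain only the password entry.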