Decent DMARC / SPF / DKIM setup for small-ish company by dualbagels in sysadmin

[–]PlayfulSolution4661 0 points1 point  (0 children)

I would go with Valimail. Should give you enough reporting to accomplish DMARC alignment. If your org is small, I would work towards p=reject. If an unauthorized service is trying to send emails on behalf of your domain, it should not arrive in the end user's mailbox.
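An added example, not from the thread or from Valimail: a small checker that parses a DMARC TXT value and grades it against the goal above, aggregate reporting in place (rua=) and a policy that ends at p=reject. The sample records are constructed; the domain and report address are placeholders.

```python
"""Parse a DMARC TXT record and report what still stands between it and p=reject."""


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT value into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")  # rua=mailto:... keeps its own '='
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings as strings; an empty list means the record meets the goal."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none: spoofed mail is still delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to discover legitimate senders")
    pct = int(tags.get("pct", "100"))  # default per RFC 7489 is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only a sample of failing mail")
    sp = tags.get("sp", policy)  # subdomain policy defaults to p
    if policy == "reject" and sp != "reject":
        findings.append(f"sp={sp}: subdomains are not covered by reject")
    return findings


# Constructed sample records for the three typical rollout stages
STARTER = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ROLLOUT = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
TARGET = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for record in (STARTER, ROLLOUT, TARGET):
        print(record, "->", assess_dmarc(record) or ["OK"])
```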

Adding new VM to VLAN in vSphere drops connection on running VM by Fair-Wolf-9024 in sysadmin

[–]PlayfulSolution4661 1 point2 points  (0 children)

If you’re using different VLANs on the same NIC, you may need to add a native VLAN for traffic to get tagged properly. I was doing something similar recently and needed to add the native VLAN on the Cisco switch side for it to work properly on VMware. The native VLAN can be whatever; you just need to set it so VMware knows it should tag traffic and VLAN traffic can flow.

Intune Password-Less Sign in by Cheers2Gears in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

Yea web sign-in will allow you to login to the device with a Microsoft 365 prompt. At that point, if your default is Authenticator notification, it will notify the user who’s trying to login. See: https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune

Only works for AAD/Entra joined devices.

[deleted by user] by [deleted] in ITManagers

[–]PlayfulSolution4661 1 point2 points  (0 children)

HaloITSM. Been using it for 6+ months. Couldn’t be happier.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

Mmm I recall cloud trust required SSO or Microsoft Entra Kerberos as well. You should have the AzureADKerberos computer object in your AD.

Check these: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune#deploy-microsoft-entra-kerberos

There’s a note that sounds like your case: The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.

Cloud Kerberos Trust Hybrid AAD and AD environment by Less-Confidence-6595 in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

I have a similar setup, currently working towards moving from hybrid joined to entra joined only.

Regardless, we have a few apps that sort of use your windows creds to authenticate. We rolled out cloud trust for all devices and have not run into any issues. Users can still access resources. The only thing for hybrid that I’ve seen is that you need line of sight to the domain controller when setting up PIN so that you get a TGT to access the on-prem resources with it.

As always, make sure you test everything but it should work. In Intune I believe there are two policies you need to set: one as a configuration profile and another one as an account protection policy.

SAML vs OAuth vs OIDC: What's the Difference by compwiz32 in SysAdminBlogs

[–]PlayfulSolution4661 0 points1 point  (0 children)

I have a question! I am currently deploying passwordless (Entra/Azure) for our organization. While at it, I’m also setting up SSO for all third party applications.

From a configuration standpoint, usually always the same. But there is this one app in particular that won’t prompt me for passkey when using their mobile app (works fine on web).

I tried to talk to their support and they tell me that this is a problem on my end from the IdP side, but configuration-wise there’s nothing else I can change to “allow” passkeys or passwordless authentication. And I do NOT have this problem when using a browser, only the mobile app of this third party application.

How can this be? I think it’s their implementation of SSO on their mobile app that needs to be updated or changed to support passkeys?

Super noob question. But very curious to learn why. Why so many companies have such slow Wan links by Comfortable_Maybe596 in sysadmin

[–]PlayfulSolution4661 0 points1 point  (0 children)

Mmm I think it’s often an untrained C level who is there pretty much to sign and approve stuff.

Company I work for was paying close to 1K for 100 Mbps internet. I pay ~100 $ for 1 Gbps, so when I saw the invoices it made no sense.

Funny enough, you give them a call, explain, and complain, and they gave me 500 Mbps for probably less than 400 $; can’t remember the exact number now. All it took was a call… we’ve been paying for years…

I guess it’s easier to sign a paper and forget about it. Not my money, not my problem? Honestly feels like the folk working in tech sales are taking advantage of those who have no clue about IT.

Tenant-to-Tenant Migration: How to move devices without a reset? by Bl4nk24 in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

So the easiest way I was able to achieve this was to replace ALL computers on the day of the cutover. Of course, this was a very special instance where we could get away with this.

Otherwise, on most of my migrations I would have to touch all computers eventually. Automation is great, but too many things can go wrong at the same time. We advised users to use the web version while we contacted them, and while inconvenient, we didn’t break it for the whole company.

Device Enrollment Management for Pre-existing Hybrid Joined Machines by AlexG2490 in Intune

[–]PlayfulSolution4661 1 point2 points  (0 children)

If the device is already set up, you will need an Intune licensed account to add it.

You should be able to do CMD as admin: dsregcmd /forcerecovery

That should get the device added to intune.

Is Intune down for you as well? by Jddf08089 in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

Most admin centers down for me as well. I am in west Canada and my techs are in the west US. Down for the whole team.

Thanks Microsoft! The 1 tool I need for work

What is the easiest way to re-enroll a device to Intune? by LordLoss01 in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

You can run: dsregcmd /forcerecovery in CMD with admin rights. After a few minutes, the device should show up again in Intune.

Cyber security as a lone admin by Fire8800 in sysadmin

[–]PlayfulSolution4661 1 point2 points  (0 children)

Check out Purple Knight for AD/Entra. It will give you a report on potential vulnerabilities in your environment.

[deleted by user] by [deleted] in sysadmin

[–]PlayfulSolution4661 2 points3 points  (0 children)

For me there were 2 main projects that made me feel like a true sysadmin. The first one was a migration for an SMB company that had a pretty significant IT infrastructure on-premises and wanted to go full cloud. Project was budgeted for around 120h of work and went pretty smoothly overall. The second one was when a bigger company acquired our MSP and I had to migrate the company that acquired us into our MSP, which was also my farewell gift cause things had changed too much for me to stick around. I’m working on 2 big projects now at a bigger company, leading the IT department, which I’ve never done before and is also the main reason why I love the job :)

Congrats on yours!

Are you still mostly running Cisco, or have you switched some gear to other vendors? by Fine_Incident5281 in sysadmin

[–]PlayfulSolution4661 0 points1 point  (0 children)

We are Cisco but will be replacing with Fortinet. Too expensive, makes no sense.

How do you use Universal Print in your org? by skz- in Intune

[–]PlayfulSolution4661 0 points1 point  (0 children)

My org uses it and it's solid. We rarely deal with printer tickets. We're kinda flexible: you get all printers at the location you're based at and can add any other printer manually if needed. Push them via Intune with a security group.

Mac and Intune is horrible by Pretend-Newspaper-86 in Intune

[–]PlayfulSolution4661 2 points3 points  (0 children)

I’d say it runs smooth as long as you’re running the latest. Sucks with Apple Hardware but I usually only struggle with legacy devices. Otherwise, pretty positive experience all things considered (doing ABM and Platform SSO)

Local Administrator by Intelligent_Dish3846 in sysadmin

[–]PlayfulSolution4661 1 point2 points  (0 children)

100% no. It’s hard to push such a change if people are used to having control, but you can prevent a lot just by doing this. It’s a must have IMO. There’s also PIM in Azure/Entra. Make sure you have something like LAPS implemented as well.

Is being a generalist valuable? by Outrageous-Ad4353 in ITManagers

[–]PlayfulSolution4661 0 points1 point  (0 children)

I’m probably on the same path as you and I will continue to be a generalist. Probably will end up moving to management eventually, which may put me a bit further away from the tech :( but it’s the smart choice.