Top 5 No-Brainers Security Features in Microsoft Intune

Nicolas Pilon | App Protection Policies, Azure, Cloud, Conditional Access, EMS, Intune | 2 Comments

By 2019, when you plan to deploy a modern device management solution in your company, security must be a priority. The cloud is reachable from anywhere on the planet, and mobility lets users connect from anywhere. Our society and our working habits are changing as well: users who can reach corporate data without first connecting to the corporate network find that far more convenient, and the security model has to follow them.

Before you start enrolling devices in Microsoft Intune, it is important to set up the Intune portal securely. The operating system platforms and the types of devices that connect to your network or cloud applications matter just as much.

Microsoft Intune is a leader among MDM solutions, and it contains strong security capabilities you cannot afford to skip: role-based administrative control (RBAC), enrollment restrictions, compliance policies and a couple more.

On several occasions we have noticed companies that do not use the security features that come with Microsoft 365. Are you planning to use Microsoft Intune in the future, or do you already use it?

Some settings are easy to configure; others need a bit of testing to make sure they do not hurt productivity. We highly recommend that you take the time to evaluate those settings.

In this post, I will explain my top 5 no-brainer features in Microsoft Intune that must be configured in your organization.

  • Role-based administrative control (RBAC)
  • Enrollment restrictions
  • Compliance policy
  • App Protection policy
  • Conditional access

Administrative Roles (RBAC)

First of all, you must secure the Intune admin portal so that no unwanted user can manage your service or change your settings without you noticing. Role-based administration control (RBAC) in Intune helps you control who can and cannot perform each task. It is not a new concept for SCCM admins: RBAC has been in SCCM for a long time.

If you are the only employee who manages Intune in your company, it is fine to be the only Intune administrator. Note that the Intune administrator role is a directory role in Azure AD, so it is granted from Azure AD rather than from the Intune blade.

For companies with several IT teams, however, it is normal to separate tasks and roles. Skill levels also differ between colleagues, so give each teammate the proper access by creating different admin profiles that grant only the permissions that team needs.

  • To create an RBAC role, navigate to the Azure portal and select the Intune blade
  • Go to Roles > All Roles; to create a new custom role, click Add
  • To assign a user to a role, select the built-in or custom role and click Assignments

With scope tags and scope groups, you define which resources an assignment of a role can see. For example, a team that manages only mobile devices or only Windows 10 should be scoped so that it cannot touch anything else.
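The portal steps above, done through Microsoft Graph instead, as an added example that is not part of the original post: a custom role that grants a helpdesk team only read and remote-action rights on devices, assigned to one group and scoped to another. It assumes the Microsoft.Graph PowerShell SDK, the Graph beta endpoint, and placeholder group IDs; the resource action names follow the Intune RBAC naming pattern and should be checked against GET /deviceManagement/resourceOperations in your tenant before use.

```powershell
# Added example (not from the original post): least-privilege custom Intune role + scoped assignment.
# Assumptions: Microsoft.Graph SDK installed; caller holds the Intune Administrator directory role;
# both group IDs are placeholders; action names verified against /deviceManagement/resourceOperations.
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All" -NoWelcome

$helpdeskGroupId = "00000000-0000-0000-0000-000000000001"  # placeholder: who receives the role
$scopeGroupId    = "00000000-0000-0000-0000-000000000002"  # placeholder: which devices they may act on

# Only what the team needs: read devices, trigger a sync, no policy or app changes.
$roleBody = @{
    "@odata.type"   = "#microsoft.graph.roleDefinition"
    displayName     = "Mobile Helpdesk (read + sync)"
    description     = "View managed devices and sync them; cannot change configuration"
    isBuiltIn       = $false
    rolePermissions = @(
        @{
            resourceActions = @(
                @{
                    allowedResourceActions = @(
                        "Microsoft.Intune_ManagedDevices_Read",
                        "Microsoft.Intune_RemoteTasks_SyncDevice",
                        "Microsoft.Intune_Organization_Read"
                    )
                    notAllowedResourceActions = @()
                }
            )
        }
    )
}
$role = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions" `
    -Body $roleBody

# Assignment: 'members' = who holds the role, 'resourceScopes' = the scope group they are limited to.
$assignmentBody = @{
    "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
    displayName                 = "Mobile Helpdesk - mobile devices only"
    members                     = @($helpdeskGroupId)
    resourceScopes              = @($scopeGroupId)
    "roleDefinition@odata.bind" = "https://graph.microsoft.com/beta/deviceManagement/roleDefinitions/$($role.id)"
}
$assignment = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/roleAssignments" `
    -Body $assignmentBody

"Role {0} assigned via {1}" -f $role.id, $assignment.id
```

The point of the scoped assignment is that a member of the helpdesk group can act only on devices inside the scope group; a second assignment of the same role definition with a different scope group gives another team the same rights over its own devices, without either team seeing the other's.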

Enrollment Restrictions

Secondly, once the admin portal is configured, it is time to decide which platforms you accept in Intune. Do you want to accept only iOS, or only company-owned devices? How many devices may a user enroll with the same identity?

You configure those restrictions in the Enrollment Restrictions blade in Intune.

  • In Microsoft Intune, under Device Enrollment, there is a blade named Enrollment Restrictions.

We suggest that you block every platform you do not intend to support; that reduces the chance of unwanted enrollments. If your company does not allow employees to enroll their personal devices, block personally owned devices via Enrollment Restrictions as well.


In brief, the device limit restriction is the number of devices you accept per user. By default the number is 15, but you can lower it to between 1 and 5 depending on your company's device reality.

Important Info
The device limit has only a small impact on security unless you set it to 1. Other mechanisms, such as conditional access and MFA, are what actually stop an attacker who holds a stolen identity from enrolling a device.
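The two restrictions discussed above can be checked rather than eyeballed. The following is an added example, not part of the original post: a function that inspects the enrollment configuration objects and flags platforms left open to personally owned devices, platforms that are not on your supported list, and a device limit above your threshold. It assumes the object shape of the Graph beta deviceEnrollmentConfigurations collection (the deviceEnrollmentPlatformRestrictionsConfiguration and deviceEnrollmentLimitConfiguration types); the sample input is constructed to resemble the Intune defaults, and the commented lines show the live call.

```powershell
# Added example (not from the original post): audit Intune enrollment restrictions.
# Assumption: objects follow the Graph beta deviceEnrollmentConfigurations schema.
function Test-EnrollmentRestrictions {
    param(
        [Parameter(Mandatory)] [object[]] $Configurations,
        [int]      $MaxDevicesPerUser = 5,                 # the post suggests 1-5
        [string[]] $AllowedPlatforms  = @("ios", "windows") # platforms you actually support
    )
    $findings = @()
    foreach ($cfg in $Configurations) {
        switch ($cfg.'@odata.type') {
            '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
                if ($cfg.limit -gt $MaxDevicesPerUser) {
                    $findings += "Device limit is $($cfg.limit); expected <= $MaxDevicesPerUser"
                }
            }
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                foreach ($p in 'ios', 'android', 'windows', 'macOS') {
                    $r = $cfg."${p}Restriction"
                    if ($null -eq $r -or $r.platformBlocked) { continue }   # blocked = nothing to flag
                    if ($p -notin $AllowedPlatforms) {
                        $findings += "Platform $p is enrollable but not on the supported list"
                    }
                    if (-not $r.personalDeviceEnrollmentBlocked) {
                        $findings += "Platform $p allows personally owned (BYOD) enrollment"
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample resembling the Intune defaults: 15 devices per user, every platform open to BYOD.
$sample = @(
    @{ '@odata.type' = '#microsoft.graph.deviceEnrollmentLimitConfiguration'; limit = 15 },
    @{
        '@odata.type'      = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
        iosRestriction     = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
        androidRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
        windowsRestriction = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true }
        macOSRestriction   = @{ platformBlocked = $true;  personalDeviceEnrollmentBlocked = $false }
    }
)
Test-EnrollmentRestrictions -Configurations $sample
# Expected findings on the sample: limit 15 > 5; android enrollable but unsupported;
# ios and android allow BYOD. windows passes; macOS is blocked and therefore skipped.

# Live tenant instead of the sample (read-only permission):
# Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All" -NoWelcome
# $live = (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations").value
# Test-EnrollmentRestrictions -Configurations $live -AllowedPlatforms @("ios","windows")
```

Run it as a scheduled check: a new finding appearing means someone relaxed the restrictions, which is exactly the kind of change that an attacker with a stolen identity would benefit from and that the default limit of 15 makes easy to miss.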

Compliance Policy

Thirdly, let's talk about compliance policy. This feature defines the rules and settings a user or device must meet to be considered compliant. Conditional access then consumes that compliance state and grants or denies access to corporate data. What happens if you do not configure a compliance policy?

Devices like these will be able to connect to your environment:

  1. Rooted or jailbroken
  2. Devices with old OS versions
  3. Devices with a high threat level
  4. Devices with weak passcode
  5. Devices with unwanted apps

Every enrolled device in Azure AD has a compliance status, even when no policy is assigned. That status only becomes meaningful once you stop marking devices with no compliance policy assigned as compliant.

  • To configure this setting, navigate to Microsoft Intune > Device Compliance > Compliance policy settings
  • Set "Mark devices with no compliance policy assigned as" to Not Compliant

If you leave the default at Compliant, any enrolled device, whatever its state, can reach your corporate data. We highly suggest that you change it to Not Compliant and configure at least one compliance policy.

  • To create a compliance policy, navigate to Microsoft Intune > Device compliance > Policies
  • Click Create Policy and configure your policy
  • Assign the policy to your users
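The same procedure through Microsoft Graph, as an added example that is not part of the original post: flip the "no policy assigned" default to Not Compliant, then create and assign an iOS compliance policy that covers the five device categories listed above (jailbreak, OS version, threat level, passcode; unwanted apps are left out because restricted-app lists are platform specific). It assumes the Microsoft.Graph PowerShell SDK, the Graph beta endpoint, that the tenant-wide setting is the secureByDefault property of deviceManagement settings, and a placeholder group ID.

```powershell
# Added example (not from the original post): compliance defaults + iOS compliance policy via Graph beta.
# Assumptions: Microsoft.Graph SDK; 'secureByDefault' is the Graph name of the "Mark devices with no
# compliance policy assigned as Not Compliant" setting; $pilotGroupId is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All" -NoWelcome
$pilotGroupId = "00000000-0000-0000-0000-000000000003"   # placeholder: pilot users

# 1. Tenant-wide: devices with no policy assigned are Not Compliant (closes the "any device" hole).
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/deviceManagement" -Body @{
    settings = @{ secureByDefault = $true }
}

# 2. The policy. Intune requires at least one scheduled action on creation; gracePeriodHours = 0
#    marks the device non-compliant immediately, which is what conditional access should consume.
$policy = @{
    "@odata.type"                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                    = "iOS baseline"
    description                    = "Jailbreak, OS, passcode and threat-level checks"
    securityBlockJailbrokenDevices = $true        # rooted / jailbroken
    osMinimumVersion               = "15.0"       # old OS versions
    passcodeRequired               = $true        # weak passcode
    passcodeMinimumLength          = 6
    passcodeBlockSimple            = $true
    passcodeMinutesOfInactivityBeforeLock = 5
    deviceThreatProtectionEnabled  = $true        # high threat level (needs an MTD connector)
    deviceThreatProtectionRequiredSecurityLevel = "low"   # anything above 'low' is non-compliant
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"         # fixed rule name expected by the API
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" -Body $policy

# 3. Assign to the pilot group first, then widen once the compliance report looks sane.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
"Created compliance policy {0}" -f $created.id
```

Order matters: set secureByDefault before relying on compliance in conditional access, and assign the policy to a pilot group before everyone, otherwise devices that were silently "compliant" yesterday lose access the moment a block rule references the compliance state.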

App Protection Policies

After securing the administrative console, enrollment restrictions and compliance, it is time to protect corporate data on the devices themselves.

Do you think it is acceptable that an employee can move a file from the OneDrive for Business app into the Dropbox app? Protecting corporate data is really important, so reduce the chance of a data leak from your devices, even when they are corporate devices.

Mobile Application Management (MAM) is the older name for what Intune now calls App Protection Policies. What is it exactly? It is a mechanism that creates a container on the device, and inside an application when necessary. It separates personal data from company data across apps as well as within the same app. For example, a user can use the Outlook app for both a corporate account and a personal one, but will not be able to copy and paste data from the company account into the Hotmail account.


To achieve this, set up an App Protection Policy by navigating to Microsoft Intune > Client Apps > App Protection Policies.


If you enforce App Protection Policies on mobile devices, make sure you push the Outlook app to all users. Email is the most used cloud app in companies, so targeting the Outlook app gives you much better protection over your mail. Some companies still use the native mail client, which app protection policies do not support.

There are a couple of settings you can configure, like blocking printing, requiring a PIN to open the app, or adding conditional launch checks such as a minimum OS version.


For more information about Intune App Protection Policies, take a look at the Microsoft Docs.
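An iOS App Protection Policy that implements the controls discussed above, as an added example that is not part of the original post: transfers restricted to policy-managed apps (the OneDrive-to-Dropbox case), corporate-to-personal paste blocked while paste-in is allowed (the Outlook corporate/Hotmail case), PIN required, printing blocked, conditional launch on minimum OS version, and Outlook plus OneDrive targeted. It assumes the Microsoft.Graph PowerShell SDK, the Graph beta iosManagedAppProtections resource, the usual iOS bundle IDs for the Microsoft apps, and a placeholder group ID; verify the bundle IDs against the app catalogue before use.

```powershell
# Added example (not from the original post): iOS App Protection Policy with DLP controls via Graph beta.
# Assumptions: Microsoft.Graph SDK; property names per the Graph beta managedAppProtection schema;
# bundle IDs and $pilotGroupId are placeholders to verify.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome
$pilotGroupId = "00000000-0000-0000-0000-000000000003"   # placeholder
$base = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

$app = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS APP baseline"
    description   = "Corporate data stays inside policy-managed apps"
    # Data protection: transfers allowed only between policy-managed apps, both directions,
    # so OneDrive for Business cannot hand a file to an unmanaged Dropbox app.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    # Clipboard: corporate text cannot leave to personal apps; pasting *into* corporate apps still works.
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked     = $true
    printBlocked      = $true
    dataBackupBlocked = $true
    # Access requirements: an app PIN separate from the device passcode.
    pinRequired       = $true
    minimumPinLength  = 6
    simplePinBlocked  = $true
    periodOnlineBeforeAccessCheck     = "PT30M"   # ISO 8601 durations
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P90D"    # offline this long -> selective wipe of corporate data
    # Conditional launch
    minimumRequiredOsVersion = "15.0"   # below this: access blocked
    minimumWarningOsVersion  = "16.0"   # below this: user warned
}
$policy = Invoke-MgGraphRequest -Method POST -Uri $base -Body $app

# A policy protects nothing until apps are targeted. Outlook first (mail), then the apps you deploy.
$targets = @(
    "com.microsoft.Office.Outlook",   # assumed bundle ID: Outlook for iOS
    "com.microsoft.skydrive"          # assumed bundle ID: OneDrive for iOS
) | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/targetApps" -Body @{ apps = @($targets) }

# Assign to the pilot group (user-targeted, like all app protection policies).
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
"Created app protection policy {0}" -f $policy.id
```

Note that this policy is user-targeted and does not require the device to be enrolled; pairing it with a conditional access rule that requires an approved client app is what stops a user from bypassing it by reading corporate mail in the native mail app.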

Conditional Access

The last feature, after securing applications, is conditional access. Why? It is the control that allows or blocks access to cloud services. You can base your controls on user attributes, device state, app policy, network location or risk.

Conditional access should be automatic and part of every Microsoft 365 onboarding plan from day one. It is the least understood feature in business, and yet the most important. Not using conditional access is like removing the doorman from a bar: everyone gets in without being checked.

There are also connectors for third-party solutions, such as mobile threat defense products, that feed your compliance policies and conditional access rules with extra signals.

Start educating your users on MFA early, so that you can enforce multi-factor authentication with the Microsoft Authenticator app and raise the level of protection of your environment.

  • To create a conditional access rule, navigate to Microsoft Intune > Conditional Access and click New Policy

Rules of thumb to follow:

  1. For a policy to work, select at least one app, one user or group, and one access control
  2. When several policies apply to the same user, a Block access control wins
  3. Use the Block access control with moderation
  4. Avoid targeting all users, all apps and all device platforms in a single policy
  5. The What If tool is your best friend
  6. Test your policy with a small group before rolling it out widely
  7. Do not over-use rules; keep the number of policies small and simple

Make sure these situations are covered for a bullet-proof setup:

  1. Devices enrolled in Intune are compliant
  2. Windows devices are hybrid Azure AD joined
  3. Unknown devices, guest users, and user or sign-in risk are challenged
  4. Unwanted platforms and legacy authentication are blocked
  5. Approved client apps are enforced
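The checklist above expressed as Graph calls, as an added example that is not part of the original post: four baseline policies covering compliant or hybrid-joined devices, MFA, legacy authentication and approved client apps, all created in report-only mode first (rules 5 and 6) and all excluding an emergency-access group, so a mistaken rule cannot lock every administrator out. It assumes the Microsoft.Graph PowerShell SDK, the v1.0 conditional access API, and a placeholder group ID.

```powershell
# Added example (not from the original post): baseline conditional access policies via Graph v1.0.
# Assumptions: Microsoft.Graph SDK; $breakGlassGroupId is a placeholder for the emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome
$breakGlassGroupId = "00000000-0000-0000-0000-000000000004"   # placeholder
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Built-in grant controls are OR-ed inside one policy, so "MFA AND (compliant OR hybrid joined)"
# needs two policies: one for the device requirement, one for MFA. The user gets both evaluated.
$baseUsers = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$allApps   = @{ includeApplications = @("All") }
$modern    = @("browser", "mobileAppsAndDesktopClients")

$policies = @(
    @{  # Checklist 1 and 2: Intune-compliant OR hybrid Azure AD joined device
        displayName   = "CA01 - Require compliant or hybrid joined device"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $baseUsers; applications = $allApps; clientAppTypes = $modern }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    },
    @{  # MFA for everyone on modern clients
        displayName   = "CA02 - Require MFA"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $baseUsers; applications = $allApps; clientAppTypes = $modern }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Checklist 4: legacy protocols cannot satisfy MFA or device checks, so block them outright
        displayName   = "CA03 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $baseUsers; applications = $allApps; clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Checklist 5: on iOS/Android only approved (app-protection capable) clients, e.g. Outlook, not native mail
        displayName   = "CA04 - Require approved client app on mobile"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users = $baseUsers; applications = $allApps; clientAppTypes = $modern
            platforms = @{ includePlatforms = @("iOS", "android") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("approvedApplication") }
    }
)

foreach ($p in $policies) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $p
    "{0} -> {1} ({2})" -f $p.displayName, $created.id, $created.state
}
# After a week of report-only sign-in logs show no unexpected blocks, PATCH each policy
# with @{ state = "enabled" } to enforce it.
```

CA03 is the one to enforce first: legacy protocols such as basic-auth SMTP or IMAP never prompt for MFA, so leaving them open makes CA02 a formality for anyone who has a password.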


Finally, computer security is very important and should not be taken lightly. Wearing a security hat should be part of every IT decision you make, without, of course, hurting productivity.

I hope this top 5 of no-brainers helps you better secure your devices with Microsoft Intune. What are your top security features?

2 Comments on “Top 5 No-Brainers Security Features in Microsoft Intune”

  1. Hi Nicolas,

    Security being implemented in MDM is definitely important to security admins within an organization.
    I have been trying to hammer home to folks about protecting the organization in scenarios where the end-user is USB-attaching his mobile device to his Windows computer, if for nothing else than to power up the device.
    The scary part is that the mobile devices (Apple a bit less than Android or Windows, but still doable) become a USB thumb drive.
    With very little know-how, an end-user can steal as much data as they want (over a very fast pipe) and there is zero auditing going on.
    Our solution (called secRMM) which addresses this security hole is integrated with Intune (and we are trying to get deeper integration… stay tuned) and we even just finished sending our security events into “Azure Monitor Logs”, which is an event repository that is also used by Intune.
    Just an FYI for anyone else reading this great blog.
    Take care
