Inbound SMTP DANE with DNSSEC in Exchange Online

Intro: This guide explains how to enable Inbound SMTP DANE with DNSSEC in your customer's tenant. Domains to be configured for this will be domains present in your customer's tenant. Verify DNSSEC; Update existing MX record TTL in DNS management system; Enable DNSSEC for domain in Exchange Online; Add new MX record to domain; Verify new …

Azure Virtual Desktop – AppAttach and MSIX AppAttach

Intro: Before beginning, it is important to understand when to use the newest offering, AppAttach, and when to go with the older MSIX AppAttach. Below is a table comparing the two: In general, use AppAttach as long as you’re running Windows 11 Multi-Session or newer, as it is not available on Windows 10 Multi-Session. Prerequisites: Install MSIX Packaging …

Windows Hello for Business Cloud Kerberos Trust

Prerequisites and Requirements: Link to full Microsoft article: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/#windows-server-requirements AzureAD Kerberos object in Active Directory: Link to full Microsoft article: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module Windows Hello for Business Policy enable: Link to full Microsoft article: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/configure Enable Windows Hello for Business in the tenant-wide policy. Note: If any hybrid-joined devices are present in the tenant, do not use this tenant-wide policy, but use account …

Azure Virtual Desktop – Entra ID SSO – Complete Guide

This guide will walk through all the steps required for SSO to work, both within AVD session hosts (auto login to Microsoft applications running within AVD) and from clients to AVD session hosts, then connecting to them. If you only require SSO to work within AVD session hosts, you can skip step 12 (that links to …

Move on from Exchange Online SMTP Basic Authentication with Client Submission

Intro: Link to full Microsoft article: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750 Microsoft is closing one of the older legacy protocols: SMTP with basic authentication. With the retirement due in late September 2025, now is the time to prepare your systems for the decommissioning of SMTP relay using the old basic authentication. This article talks about a few ways to modernize sending mail. High volume email …

Microsoft Defender for Endpoint – Use Microsoft Security API to export inventory

Intro: This guide will assist in the process of exporting inventory from Defender for Endpoint. The export covers both servers and clients that are registered in Defender for Endpoint, since servers register to the same inventory as clients. It can be useful when you want to export data about high exposure devices, or …

Azure Bastion

Deploy Azure Bastion to subscription. No hassle of managing Network Security Groups (NSGs): You don’t need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each …

Create custom Privileged Identity Management (PIM) group with approver

Description: This guide will walk through the process of creating a custom PIM group that will give members eligibility to elevate and become global admin. This guide will also outline how to set up an approver as a required step in the process of elevation. Create groups; Enable groups for PIM; Setup PIM for the group that holds the …

Manage emergency access accounts in Microsoft Entra ID (Break glass)

Microsoft Learn source article: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access This guide was originally written as an internal guide for infrastructure consultants to configure for customers. However, I felt the need to share this approach, since break-glass is a concept widely debated, but very important to configure. I do also recommend the use of a direct partner of Microsoft, that can …

Require Multifactor Authentication to register or join devices with Microsoft Entra

In Entra ID under Devices, All Devices and then Device Settings, you can enable: Require Multifactor Authentication to register or join devices with Microsoft Entra. However, Microsoft recommends disabling this feature (enabled by default) and enforcing it via a conditional access policy instead. This guide provides 2 ways of achieving that goal. Method 1: This method …