In Microsoft 365, UEM capability is implemented in the Microsoft 365 Enterprise and Business Premium products and in the Enterprise Mobility + Security (EMS) product. Microsoft Intune is also available as a separate product in two plans and a suite that provides a range of capabilities. The Microsoft tools relevant to the UEM effort in an enterprise are as follows:
- Microsoft Entra ID (Azure Active Directory Premium) The cloud-based directory service that manages identities and provides authentication and authorization for all the Microsoft 365 applications and services, including all the endpoint management tools.
- Azure AD Connect An on-premises tool replicating user identities on AD DS domain controllers to Entra ID identities stored in the cloud so that users can sign in through the cloud and administrators can take advantage of the Entra ID identity security features. For more information, see “Microsoft 365 deployment” in Chapter 2, “Describe Microsoft 365 apps and services.”
- Microsoft Intune A cloud-based enterprise mobility management (EMM) service that enables administrators to enroll mobile devices, deploy apps, and enforce security policies.
- Configuration Manager An on-premises CMT that administrators can use to inventory computer hardware, deploy operating system images on internal workstations, manage applications, apply software updates, and enforce device compliance policies.
- Azure Information Protection (AIP) A cloud-based tool that enables users and administrators to apply classification labels to documents and implement various types of protection based on the labels, such as access restrictions and data encryption.
- Microsoft Advanced Threat Analytics (ATA) An on-premises platform that captures network traffic and log information and analyzes it to identify suspicious behaviors related to multiple phases of the attack process.
- Microsoft Defender for Endpoint A cloud-based service that discovers, configures, and monitors endpoints, providing capabilities such as vulnerability management and attack surface reduction.
- Microsoft Defender for Cloud Apps A cloud-based service that analyzes traffic logs and proxy scripts to identify the apps that users are accessing—including unauthorized apps—and enables administrators to sanction or unsanction individual apps and connect to APIs supplied by cloud app providers to perform cloud app security analyses.
- Microsoft Defender for Identity A cloud-based threat prevention, detection, and remediation engine that uses machine intelligence to look for security threats unique to the Azure environment by analyzing user behavior and comparing it to known attack patterns.
Note Microsoft ATA
For more information on Microsoft Advanced Threat Analytics, see the “Describe analytics capabilities in Microsoft 365” section in Chapter 2, “Describe Microsoft 365 apps and services.”
Management of the various types of endpoints presents administrators with a variety of issues that they must address, including the following:
- User-owned devices When workers use their own devices, administrators must define a policy specifying what degree of control the organization will have over them and what company resources the devices will be permitted to access. This can be a difficult task because, while the organization must protect its resources, users are often unwilling to turn over full control of their property to the company. Microsoft Intune provides administrators with both Mobile Device Management (MDM) and Mobile Application Management (MAM) capabilities, which provide different levels of management control to suit the needs of the organization and the users.
- Mobile device networking Mobile users often connect to outside wireless networks, such as those in coffee shops and other businesses, which are unsecured by the enterprise. This leaves the devices open to intrusion by outside persons, exposing them to threats that can jeopardize the device, the data stored on it, and the enterprise network. Administrators can use Microsoft Intune or other tools to create and enforce mobile device policies requiring devices to have malware prevention tools, software updates, and other forms of protection to repel threats.
- Device loss or theft Any mobile device is liable to be lost or stolen, with the accompanying danger that any sensitive data stored on the device might be compromised. Users might also leave the company under less-than-friendly circumstances, taking their personal devices with them. In some cases, the cost of replacing the device hardware can be less than that of identifying the data that has been lost and re-creating it. Administrators must prepare for these situations by devising a Microsoft Intune policy that remotely protects the organization’s resources, even when the mobile device is in hostile hands.
- Infected devices Mobile devices that become infected with malware while connected to outside networks can bring that infection into the enterprise, damage documents, and pass the infection along to other systems. Administrators must classify and protect all mobile devices connecting to the enterprise network as potential threats.
- Device data synchronization While data stored in the Microsoft cloud is replicated to multiple datacenters for protection, mobile devices working outside the company premises might not always be connected to the cloud. Therefore, when users work with company documents while offline, any revisions they make to the documents are not saved to the cloud or backed up until they next connect to a network, so this revised data can be lost if the device is damaged, lost, or stolen before it next connects to the cloud.
- Password changes One of the more common tasks for help desk personnel and administrators is changing users’ passwords. This task is even more common when Microsoft Entra ID Protection is configured to require a password change when users’ authentication-based risk levels reach a certain value. Self Service Password Reset (SSPR) enables users who have been successfully authenticated to change their passwords rather than requiring the intervention of an administrator.
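The mobile device networking and infected devices items above describe Intune policies that require malware protection and current updates before a device is trusted. The following PowerShell script, an added example that is not part of the book, shows what such a policy looks like when created through Microsoft Graph: a Windows compliance policy requiring Defender antivirus and antispyware with current signatures, real-time protection, the firewall, BitLocker, Secure Boot, and a minimum OS build, with a "block" action for devices that fail. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the DeviceManagementConfiguration.ReadWrite.All permission; the display name, description, and minimum OS version are constructed sample values.

```powershell
# Added example: create and assign an Intune Windows compliance policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and the permission named in the lead-in.
# Display name, description and osMinimumVersion are constructed sample values.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Corp - Windows baseline (sample)"
    description            = "Requires malware protection, updates and encryption on Windows endpoints"
    passwordRequired       = $true
    bitLockerEnabled       = $true          # disk encryption for data on lost or stolen devices
    secureBootEnabled      = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true          # Microsoft Defender Antivirus must be running
    rtpEnabled             = $true          # real-time protection on
    signatureOutOfDate     = $false         # Defender signatures must be current
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    osMinimumVersion       = "10.0.19045"   # sample minimum build; raise as updates are required
    # Intune rejects a compliance policy with no scheduled action, so mark the
    # device non-compliant (block) immediately when a rule fails.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created compliance policy $($created.id)"

# A compliance policy has no effect until it is assigned; here it targets all devices.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"
```

The compliance policy only labels a device as compliant or non-compliant; access to company resources is actually withheld when a Conditional Access policy in Microsoft Entra ID requires a compliant device, which is how the "infected devices" concern above is enforced at the identity layer rather than on the device alone.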
Quick check
- Microsoft Intune—functioning independently—is classified as which of the following management tools?
- CMT
- EMM
- UEM
- MDM
Quick check answer
- Microsoft Intune is considered an enterprise mobility management tool (EMM) because it expands on mobile device management capabilities (MDM). However, Intune is cloud-based and cannot manage on-premises clients by itself, so it cannot be called a client management tool (CMT) or a unified endpoint management (UEM) tool.