Microsoft 365 · Entra ID · Intune · Security
Microsoft 365 Security
Practical guidance for IT teams managing Entra ID, Intune, and Conditional Access.
-
Require approved client app is retired on June 30: migrate now
"Require approved client app" is deprecated on June 30. After that date, existing policies stop enforcing. Here is what to configure before the deadline.
-
Intune Multiple Managed Accounts: what admins need to know
Intune's MMA feature, rolling out in June 2026, lets users hold multiple MAM accounts in one app. Here's what admins managing external access need to know.
-
Conditional Access enforcement changes June 15: check your exceptions now
Apps could bypass Conditional Access by requesting minimal sign-in scopes. Non-excluded apps slipped through silently for years. Starting June 15, that stops.
-
AiTM Phishing Exposed (2/2): Stop Session Hijacking
Stop AiTM session hijacking with FIDO2, CAE, and token protection. Microsoft 365 configuration guide with 2 Sentinel queries and 7-step incident response.
-
Unmanaged Devices with Microsoft Intune (3/3): iOS
iOS MAM covers the full M365 app suite but requires Microsoft Authenticator as broker. 3 BYOD paths, the CA gap most organizations miss, and what goes wrong.
-
AiTM Phishing Exposed (1/2): How Session Hijacking Works
AiTM phishing doesn't bypass MFA. It waits for MFA to succeed, then takes what comes next. This is how the attack works and why standard MFA provides no protection against it.
-
Unmanaged Devices with Microsoft Intune (2/3): Android
Android MAM protects all Microsoft 365 apps on mobile, not just Edge. 3 BYOD paths, different control levels, and the CA gap most organizations miss.
-
Shadow AI Exposed (2/2): Building a Governance Program That Actually Works
Technical controls catch the visible surface. This part covers what a shadow AI governance program looks like in practice: approved AI catalog, the personal account problem, and a maintenance cycle that doesn't erode.
-
Unmanaged Devices with Microsoft Intune (1/3): Windows
Windows BYOD with Intune has three distinct paths. Most organizations configure the wrong one. MAM, MDM enrollment, Conditional Access, and the enrollment pitfalls clients hit in practice.
-
Social Engineering Exposed (3/3): Defence That Works
MFA alone won't stop a helpdesk attack. Here's what actually does: the process changes, Entra ID settings, and monitoring that holds up under pressure.
-
Shadow AI Exposed (1/2): What organizations don't know about the AI tools their employees use
Most shadow AI incidents start with a legitimate task. What actually ends up in those tools, why security controls miss it, and what the NSW government breach tells us.
-
Intune compliance policies: what they actually change in your organization
Most organizations running Microsoft 365 have devices connecting without any enforced security requirements. Intune compliance policies close that gap, and the impact goes further than the security team.
-
How to configure Intune compliance policies: step-by-step guide for all platforms
Configure Microsoft Intune compliance policies for Windows, macOS, iOS, and Android. Includes recommended settings per platform, Conditional Access wiring, report-only testing, and monitoring.
-
Social Engineering Exposed (2/3): The Helpdesk Attack
Attackers don't break MFA. They call your helpdesk and get it reset. Here's what that looks like in Entra ID, and why most tenants aren't built to catch it.
-
Shadow AI in Microsoft 365: Find and Block It with Purview
Shadow AI leaks data without triggering a single alert. Use Entra Internet Access, Defender for Cloud Apps, and Microsoft Purview to find and block it in 4 steps.
-
Intune MDM vs MAM: When to use which approach
MDM controls the device, MAM controls the data. A decision matrix for IT admins, including the June 30 Conditional Access deadline you can't miss.
-
Social Engineering Exposed (1/3): How attackers get in without breaking anything
MGM lost $100M. Odido lost 6.2M records. Uber's systems went dark. None required a technical exploit. Just a phone call. Here's how it works.