MD 102T00 ENU PowerPoint - 05

Learning Path 5: Manage authentication and compliance
MD-102 Microsoft 365 Endpoint Administrator

© Copyright Microsoft Corporation. All rights reserved.


Learning Path Agenda

• Protect identities in Azure Active Directory (Entra ID)

• Enable organizational access

• Implement device compliance

• Generate inventory and compliance reports



Module 1: Protect identities in Azure Active Directory (Entra ID)



Module 1: Protect identities in Azure Active Directory (Entra ID)
• Explore Windows Hello for Business

• Deploy Windows Hello

• Manage Windows Hello for Business

• Explore Azure AD (Entra ID) identity protection

• Manage self-service password reset in Azure AD (Entra ID)

• Implement multifactor authentication



Explore Windows Hello for Business

• Windows Hello for Business replaces passwords with strong two-factor authentication on PCs
and mobile devices
• Windows Hello lets users authenticate to:
– A Microsoft account

– An Active Directory account

– A Microsoft Azure Active Directory (Entra ID) account

– Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0
authentication (in progress)
• Windows Hello provides reliable, fully integrated biometric authentication based on facial
recognition or fingerprint matching



Deploy Windows Hello

You can choose between three deployment models:


• Cloud only deployment – For organizations that only have cloud identities and don't access
on-premises resources
• On-premises deployment – For organizations that don't have cloud identities and don't use
applications hosted in Azure AD (Entra ID)
• Hybrid deployment – For organizations that have both on-premises and cloud infrastructure



Manage Windows Hello for Business

You can manage Windows Hello for Business in three ways:
• Group Policy
  – Computer Configuration (or User Configuration) > Administrative Templates > Windows Components >
    Windows Hello for Business
• Intune (modern) management
  – Device configuration profiles
  – Device enrollment policies
• Windows Hello for Business certificate

Intune device configuration profile settings include:
• PIN min/max length
• PIN complexity/expiration/history
• TPM/Biometric
• Certificates

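Added example, not from the MD-102 deck: a PowerShell audit that checks on a client whether the Windows Hello for Business settings listed above actually landed, and whether the device can use them (TPM state, join state, and whether the user's Hello key exists). It assumes the PassportForWork policy registry locations written by Group Policy and the Intune CSP; the thresholds (PIN length of at least 8, some PIN history, hardware TPM required) are this example's own baseline, not a Microsoft default.

```powershell
# Added example; not part of the MD-102 deck. Audits the Windows Hello for Business
# policy state that Group Policy or an Intune device configuration profile should
# have written to a Windows client, plus the TPM and join/key state the feature
# depends on. Run as the signed-in user in an elevated PowerShell session.
# Assumptions: the PassportForWork policy registry locations below; the thresholds
# (PIN length >= 8, some PIN history, TPM required) are this example's baseline.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pinRoot    = Join-Path $policyRoot 'PINComplexity'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "not configured", which is itself a finding.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DsregField {
    param([string[]]$Lines, [string]$Field)
    # dsregcmd /status prints "  Field : VALUE" lines; pull the value for one field.
    $hit = $Lines | Select-String -Pattern "^\s*$Field\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Test-WhfbReadiness {
    $dsreg = & dsregcmd.exe /status
    $tpm   = Get-Tpm   # TrustedPlatformModule module; needs an elevated session

    $minPin  = Get-PolicyValue $pinRoot 'MinimumPINLength'
    $history = Get-PolicyValue $pinRoot 'History'

    [pscustomobject]@{
        WhfbPolicyEnabled     = (Get-PolicyValue $policyRoot 'Enabled') -eq 1
        TpmRequiredByPolicy   = (Get-PolicyValue $policyRoot 'RequireSecurityDevice') -eq 1
        MinPinLengthOk        = ($null -ne $minPin) -and ($minPin -ge 8)
        PinHistoryOk          = ($null -ne $history) -and ($history -gt 0)
        TpmPresentAndReady    = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        AzureAdJoined         = Get-DsregField $dsreg 'AzureAdJoined'
        DomainJoined          = Get-DsregField $dsreg 'DomainJoined'
        NgcKeyProvisioned     = Get-DsregField $dsreg 'NgcSet'        # YES once this user enrolled a Hello key
        DeviceKeyTpmProtected = Get-DsregField $dsreg 'TpmProtected'
        HasPrt                = Get-DsregField $dsreg 'AzureAdPrt'    # needed for Entra SSO / cloud trust
    }
}

$result = Test-WhfbReadiness
$result | Format-List

# Intune remediation-style verdict: a non-zero exit code means "needs attention".
$checks = 'WhfbPolicyEnabled', 'TpmRequiredByPolicy', 'MinPinLengthOk', 'PinHistoryOk', 'TpmPresentAndReady'
$failed = @($checks | Where-Object { -not $result.$_ })
if ($result.NgcKeyProvisioned -ne 'YES') { $failed += 'NgcKeyProvisioned' }
if ($failed.Count -gt 0) { Write-Warning ("Needs attention: " + ($failed -join ', ')); exit 1 }
exit 0
```

Run it as the enrolled user; dsregcmd reports NgcSet for the current user only, so running it as SYSTEM would always show the key as missing. The exit code is shaped so the same script can be used as the detection half of an Intune remediation, where a non-zero exit marks the device for remediation.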


Explore Azure AD (Entra ID) identity protection

In addition to protecting devices and critical data, it’s also necessary to protect user identities.
Azure AD (Entra ID) Identity Protection is a feature of the Azure AD (Entra ID) Premium P2
license that is targeted at users of Microsoft 365 and other Microsoft cloud services.
Azure AD (Entra ID) Identity Protection provides you with the ability to:
• Proactively recognize potential security risks and identify vulnerabilities in your organization

• Automatically apply responses and actions when suspicious activity is detected

• Properly investigate incidents and take actions to resolve them

Azure AD (Entra ID) Identity Protection can notify administrators, try to remediate the risk,
increase the authentication security requirements, or take other actions defined by the
risk policy.
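Added example, not from the MD-102 deck: triaging Identity Protection findings with the Microsoft Graph PowerShell SDK, covering the "investigate" and "take action" points above. It needs an Entra ID P2 licence and the IdentityRiskyUser.ReadWrite.All and IdentityRiskEvent.Read.All scopes. The medium-or-higher threshold and the single automatic rule (treat a leaked-credential detection as confirmed compromise) are this example's assumptions; an analyst normally decides per user.

```powershell
# Added example; not part of the MD-102 deck. Triages Azure AD (Entra ID) Identity
# Protection findings with the Microsoft Graph PowerShell SDK (Entra ID P2 needed).
# The medium-or-higher threshold and the one automatic decision rule below are this
# example's assumptions; an analyst normally decides per user after reviewing detections.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'IdentityRiskyUser.ReadWrite.All', 'IdentityRiskEvent.Read.All' -NoWelcome

function Get-RiskTriageReport {
    # Users the service still considers at risk (neither remediated nor dismissed).
    $risky = Get-MgRiskyUser -All -Filter "riskState eq 'atRisk'" |
        Where-Object { $_.RiskLevel -in 'medium', 'high' }

    # Fetch the relevant detections once and index them by user instead of one call per user.
    $byUser = Get-MgRiskDetection -All -Filter "riskLevel eq 'high' or riskLevel eq 'medium'" |
        Group-Object -Property UserId -AsHashTable -AsString
    if (-not $byUser) { $byUser = @{} }

    foreach ($u in $risky) {
        $events = @($byUser[$u.Id] | Where-Object { $_ } | Sort-Object DetectedDateTime -Descending)
        $types  = @($events.RiskEventType | Select-Object -Unique)
        [pscustomobject]@{
            User            = $u.UserPrincipalName
            UserId          = $u.Id
            RiskLevel       = $u.RiskLevel
            LastUpdated     = $u.RiskLastUpdatedDateTime
            DetectionTypes  = $types -join ','
            SourceIPs       = (@($events.IpAddress | Select-Object -Unique) -join ',')
            # leakedCredentials is a confirmed offline match, not a heuristic: treat as compromised.
            SuggestedAction = if ('leakedCredentials' -in $types) { 'confirmCompromised' } else { 'review' }
        }
    }
}

function Confirm-UserCompromised {
    # Raises the user to high risk so the user risk policy (forced password change or
    # block) fires immediately, and feeds the outcome back to Microsoft's detections.
    param([Parameter(Mandatory)][string[]]$UserIds)
    Confirm-MgRiskyUserCompromised -UserIds $UserIds
}

function Clear-UserRisk {
    # Dismiss only after an analyst has verified the activity was benign.
    param([Parameter(Mandatory)][string[]]$UserIds)
    Invoke-MgDismissRiskyUser -UserIds $UserIds
}

$report = Get-RiskTriageReport
$report | Format-Table User, RiskLevel, DetectionTypes, SourceIPs, SuggestedAction -AutoSize

$toConfirm = @($report | Where-Object SuggestedAction -eq 'confirmCompromised').UserId
if ($toConfirm) { Confirm-UserCompromised -UserIds $toConfirm }
```

Confirming compromise is the action that makes the user risk policy do its work (password change or block on next sign-in); dismissing clears the state and should only follow a real investigation, since it also tells the service the detection was a false positive.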



Manage self-service password reset in Azure AD (Entra ID)

Self-service password reset (SSPR):
• AD DS in Windows Server does not natively support it
• Azure AD (Entra ID) supports it natively, but users cannot use it until you enable it
• You enable this functionality in the Azure (Entra) portal
• Users register for self-service password reset, change their password, and set up alternative
  methods of verifying identity through the Azure AD (Entra ID) application portal

Self-service password reset requires that you define alternative authentication methods, including:
• Office phone
• Mobile phone
• Alternative email address
• Security questions



Implement multi-factor authentication

MFA requires an additional form of authentication:
• Mobile app authentication
• Phone call
• Text message
• Third-party OATH token

Multi-factor security solution:
• For cloud-only apps
• For on-premises apps

MFA comes as part of the following offerings:
• Azure Active Directory (Entra ID) Premium licenses
• MFA for Microsoft 365
• Azure Active Directory (Entra ID) Global Administrators
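Added example, not from the MD-102 deck, serving both the SSPR slide and this MFA slide: a registration-coverage report built from the Graph authentication-methods registration report (Microsoft.Graph.Reports module). It shows who is in scope of SSPR but has not registered, who has no MFA at all, and which admins rely only on phone-based factors. The weak-method list, the finding codes and the output path are this example's assumptions.

```powershell
# Added example; not part of the MD-102 deck. Reports who in the tenant has actually
# registered for SSPR and MFA, from the Graph authentication-methods registration
# report (Microsoft.Graph.Reports module). The weak-method list, the finding codes and
# the output path are this example's assumptions.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Phone-based methods are the weakest second factors (SIM swap, call forwarding);
# e-mail and security questions count for SSPR but are not MFA methods at all.
$weakOrNonMfa = 'mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion'
$csvPath = "$env:TEMP\auth-registration.csv"

function Get-RegistrationFinding {
    param($Detail, [string[]]$StrongMethods)
    if ($Detail.IsAdmin -and -not $Detail.IsMfaRegistered)        { return 'ADMIN_NO_MFA' }
    if ($Detail.IsAdmin -and $StrongMethods.Count -eq 0)           { return 'ADMIN_PHONE_ONLY_MFA' }
    if (-not $Detail.IsMfaRegistered)                              { return 'NO_MFA' }
    if ($Detail.IsSsprEnabled -and -not $Detail.IsSsprRegistered)  { return 'SSPR_NOT_REGISTERED' }
    'OK'
}

function Get-AuthRegistrationReport {
    # Guests are left out: their methods are governed by their home tenant.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.UserType -eq 'member' } |
        ForEach-Object {
            $methods = @($_.MethodsRegistered)
            $strong  = @($methods | Where-Object { $_ -notin $weakOrNonMfa })
            [pscustomobject]@{
                User           = $_.UserPrincipalName
                IsAdmin        = $_.IsAdmin
                MfaRegistered  = $_.IsMfaRegistered
                SsprEnabled    = $_.IsSsprEnabled      # user is in scope of the SSPR policy
                SsprRegistered = $_.IsSsprRegistered   # user has registered enough methods to reset
                DefaultMethod  = $_.DefaultMfaMethod
                Methods        = $methods -join ','
                Finding        = Get-RegistrationFinding -Detail $_ -StrongMethods $strong
            }
        }
}

$report = Get-AuthRegistrationReport
$report | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Counts per finding first; the admin rows are the ones to act on today.
$report | Group-Object Finding | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
$report | Where-Object { $_.Finding -like 'ADMIN_*' } | Format-Table User, DefaultMethod, Methods, Finding -AutoSize
```

The "SSPR enabled but not registered" rows are the users who will be unable to reset their own password on the day they need to; the "admin phone-only" rows are the accounts to move to an authenticator app or FIDO2 key before any Conditional Access policy starts requiring MFA for them.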



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module

Module 2: Enable organizational access



Module 2: Enable organizational access

• Enable access to organization resources

• Explore VPN types and configuration

• Explore Always On VPN

• Deploy Always On VPN



Enable access to organization resources

• Windows Server has a Remote Access server role that can be configured as a server that
terminates and routes VPN connections from the internet or other external networks
• The Remote Access server role is a logical grouping of these network access technologies:
– Remote Access Service (RAS)

– Routing

– Web Application Proxy

• When you install the DirectAccess and VPN (RAS) role services, you are deploying the Remote
Access Service Gateway (RAS Gateway)
• You can deploy the RAS Gateway as a single tenant RAS Gateway virtual private network (VPN)
server, a multitenant RAS Gateway VPN server, and as a DirectAccess server



Explore VPN types and configuration

Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as
the internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make
a virtual call to a virtual port on a VPN server.

In Windows 11 and later, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in
platform are built on top of the Windows VPN platform.



Explore Always On VPN

• Always On VPN is the direct successor of DirectAccess and lets users stay connected to their internal
network whenever they're connected to the internet.
• It provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined
(workgroup), and Azure AD (Entra ID)-joined Windows 10 or 11 devices.
• Always On VPN has many benefits over the Windows VPN solutions of the past, including simpler
deployment and more flexibility for clients.
• Active Directory Domain Services (AD DS) and Group Policy can't be used to deploy and manage
Always On VPN. Use Microsoft Configuration Manager, Microsoft Intune, or PowerShell instead.
• Windows Server 2022 and later, with the Routing and Remote Access role installed, supports
Always On VPN.



Deploy Always On VPN

When preparing for Always On VPN deployment, you should ensure that you have the following
components in place:
• Active Directory domain infrastructure
• Active Directory-based public key infrastructure (PKI)
• Physical server to install Network Policy Server (NPS)
• Remote Access as a RAS Gateway VPN
• Perimeter network that includes two firewalls
• Physical server or VM on your perimeter network with two physical Ethernet network adapters to install
  Remote Access as a RAS Gateway VPN server
• Membership in the Administrators group (or equivalent)
• Management platform of your choice
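Added example, not from the MD-102 deck, for the two Always On VPN slides above: the PowerShell route the deck mentions, creating an Always On VPN device tunnel on a client from ProfileXML through the MDM bridge WMI provider (the same VPNv2 CSP that Intune drives). Server name, DNS suffix, routes and the profile name are placeholders; the cryptography suite is a deliberately hardened choice for this example rather than the Windows IKEv2 defaults, which include weaker proposals such as DH group 2 unless the profile sets one.

```powershell
# Added example; not part of the MD-102 deck. Creates an Always On VPN *device tunnel*
# on a Windows client from ProfileXML through the MDM bridge WMI provider, which is the
# PowerShell route the deck refers to (Group Policy cannot deploy Always On VPN).
# Run as SYSTEM (for example via an Intune script or PsExec -s): a device tunnel
# belongs to the machine, not the user, and authenticates with the machine certificate.
# Server name, DNS suffix, routes and profile name are placeholders for this example.

$ProfileName   = 'Contoso Device Tunnel'
$ServerAddress = 'vpn.contoso.com'   # assumed RAS Gateway VPN server FQDN (must match the server cert)

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <DnsSuffix>corp.contoso.com</DnsSuffix>
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@
# Route only what machine-level services need (DCs, DNS, management); the user
# tunnel, deployed separately, carries the user's traffic.

$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_VPNv2_01'
$cspUri     = './Vendor/MSFT/VPNv2'
$instanceId = $ProfileName -replace ' ', '%20'   # CSP node names are URL-escaped

function Install-AovpnDeviceTunnel {
    param([string]$Xml, [string]$InstanceId)
    # ProfileXML travels inside the CSP as a string value, so the XML itself is escaped.
    $escaped = $Xml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

    # Replace rather than duplicate an existing profile of the same name.
    Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $InstanceId |
        Remove-CimInstance

    $session  = New-CimSession
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    foreach ($p in @(
        @{ Name = 'ParentID';   Value = $cspUri;     Flag = 'Key' },
        @{ Name = 'InstanceID'; Value = $InstanceId; Flag = 'Key' },
        @{ Name = 'ProfileXML'; Value = $escaped;    Flag = 'Property' })) {
        $instance.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
    }
    $session.CreateInstance($namespace, $instance)
}

Install-AovpnDeviceTunnel -Xml $ProfileXML -InstanceId $instanceId

# Verify: the connection now exists for all users and should negotiate the hardened suite.
Get-VpnConnection -AllUserConnection -Name $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```

The RAS Gateway has to accept the same suite, which is set on the server side with Set-VpnServerConfiguration -CustomPolicy and the matching transform, DH and PFS parameters; a mismatch shows up as an IKE negotiation failure rather than a clear error on the client. A user tunnel uses the same CSP mechanism but needs an EAP configuration block in its Authentication element and is created in the user's context.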



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module

Module 3: Implement device compliance



Module 3: Implement device compliance policies

• Protect access to resources using Intune

• Explore device compliance policy

• Deploy a device compliance policy

• Explore conditional access


• Create conditional access policies



Protect access to resources using Intune

• Allow access to e-mail and documents only from devices that are managed by MDM and comply with
company policy: for example, require complex user passwords, encryption of local data on the device,
multi-factor authentication (MFA), and installation of the latest updates.
• Define company policies by using the Device Security policy in Microsoft 365 or Device Compliance in
Intune.
• Use Conditional Access policies to control access to e-mail, documents, and other cloud apps, and to
evaluate sign-in risk, device type, location, and client apps.
• If a device isn't enrolled in Intune, its compliance can't be evaluated, but you can block access to
mailboxes, documents, and cloud apps from such devices.



Explore device compliance policy
• Consists of rules that include:
  – Password settings
  – Encryption settings
  – Jail-broken or rooted devices
  – The min/max operating-system version
  – The maximum Mobile Threat Defense level
• Device compliance policies can be used with or without conditional access
• Assigned to Azure AD (Entra ID) user groups or device groups
• Monitored from the Device Compliance Dashboard
• Noncompliant actions:
  – Notify end users via email
  – Mark device noncompliant
• It's recommended that you use Azure AD (Entra ID) groups for users and devices to apply Intune policies.



Deploy a device compliance policy

Device compliance policy prerequisites:
• Licensed for Azure AD (Entra ID) Premium P1 or Azure AD (Entra ID) Premium P2, and Intune
• Devices run on a supported platform
• Devices must be enrolled in Intune

Define general compliance settings:
• Mark devices with no compliance policy assigned as compliant or not compliant
• Enhanced jailbreak detection
• Compliance status validity period (how long a device that does not report stays compliant)

You can deploy compliance policy to users in user groups or devices in device groups.
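Added example, not from the MD-102 deck, covering the "explore" and "deploy" compliance policy slides above: creating a Windows 10/11 compliance policy with a block action, assigning it to a device group, and reading back the tenant-wide general compliance settings, all through Microsoft Graph with the Microsoft.Graph PowerShell SDK. The group name, policy name and baseline values are this example's assumptions; the scheduled-action block is the shape the Graph endpoint requires on creation.

```powershell
# Added example; not part of the MD-102 deck. Creates and assigns a Windows 10/11
# device compliance policy through Microsoft Graph (Microsoft.Graph PowerShell SDK),
# then reads the tenant-wide compliance settings the deck lists. Group name, policy
# name and the baseline values are assumptions of this example.
Import-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All' -NoWelcome

$targetGroupName = 'SG-Intune-Windows-Corp'   # assumed Entra ID device group

function New-WindowsBaselineCompliancePolicy {
    param([string]$DisplayName)
    $body = @{
        '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
        displayName              = $DisplayName
        description              = 'Baseline: encrypted, patched, TPM-backed, real-time AV on'
        # Password rules
        passwordRequired         = $true
        passwordMinimumLength    = 12
        passwordRequiredType     = 'alphanumeric'
        passwordBlockSimple      = $true
        # Device health and encryption
        bitLockerEnabled         = $true
        secureBootEnabled        = $true
        codeIntegrityEnabled     = $true
        storageRequireEncryption = $true
        tpmRequired              = $true
        osMinimumVersion         = '10.0.19045.0'   # assumed floor: Windows 10 22H2
        # Defender
        activeFirewallRequired   = $true
        antivirusRequired        = $true
        rtpEnabled               = $true
        defenderEnabled          = $true
        # Graph rejects a compliance policy without at least one scheduled action;
        # "PasswordRequired" is the rule name the service expects for the default rule.
        scheduledActionsForRule  = @(
            @{
                ruleName                      = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
                )
            }
        )
    }
    New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
}

function Add-CompliancePolicyGroupAssignment {
    param([string]$PolicyId, [string]$GroupId)
    $assign = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    # Assignments are set with the /assign action, not by patching the policy.
    Invoke-MgGraphRequest -Method POST -Body $assign `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$PolicyId/assign"
}

function Get-TenantComplianceDefaults {
    # "Mark devices with no compliance policy assigned as" and the check-in validity
    # window are stored on the deviceManagement singleton's settings object.
    $dm = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement'
    [pscustomobject]@{
        DevicesWithoutPolicyAreNoncompliant = $dm.settings.secureByDefault
        ComplianceCheckinThresholdDays      = $dm.settings.deviceComplianceCheckinThresholdDays
    }
}

$group = Get-MgGroup -Filter "displayName eq '$targetGroupName'" -Top 1
if (-not $group) { throw "Group '$targetGroupName' not found" }

$policy = New-WindowsBaselineCompliancePolicy -DisplayName 'Windows - Corporate baseline'
Add-CompliancePolicyGroupAssignment -PolicyId $policy.Id -GroupId $group.Id
Get-TenantComplianceDefaults
```

If DevicesWithoutPolicyAreNoncompliant comes back false, a device that no policy targets is reported as compliant and will satisfy a "require compliant device" Conditional Access grant; that default is worth changing before a compliance-gated policy is enforced.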
Explore conditional access

• Provides policy-based granular access to resources

• Allows users to work from essentially anywhere on most devices while helping to maintain
security
• Requires Intune and Azure AD (Entra ID) for mobile devices

• Guides the user through fixing a denied access request

• Common scenarios for conditional access are:


– Conditional access based on app

– Conditional access based on network

– Conditional access based on device trust



Create conditional access policies

• You use conditions and controls to create conditional access policies.


• Conditions can be based on the:
– Device platform that is accessing the data
– Location from where the data is being accessed
– Client applications that are used to access the data

• Controls include:
– Blocking access
– Granting access if one or more additional requirements are met

• Configure conditional access from the Intune console in the Microsoft Intune admin center,
including more granular control such as:
– Allow or block certain platforms
– Immediately block devices that are not managed by Intune



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module

Module 4: Generate inventory and compliance reports



Module 4: Generate inventory and compliance reports

• Report enrolled devices inventory in Intune

• Monitor and report device compliance

• Build custom Intune inventory reports

• Access Intune using Microsoft Graph API



Report enrolled devices inventory in Intune

You can download reports (CSV format) for all your devices and applications from the Intune portal.
You can also download audit logs, which provide a record of activities that generate a change in Intune.

For richer reports:
• Use the Intune Data Warehouse and Power BI
• The Microsoft Graph API lets you access all Intune data
  – Create reports using Power BI or Excel based on the data
  – Microsoft Graph also enables you to script almost everything in Azure AD (Entra ID) and Intune



Monitor and report device compliance

You can perform basic device monitoring in Intune.

Device Compliance:
• Summary and aggregate views
• Select filters and define search criteria
• View individual devices
• View device compliance trends over time



Build custom Intune inventory reports

The Intune Data Warehouse stores Intune historical data.

Use Power BI to load data and generate reports:
• Import the Power BI file
• Connect to the data using the OData link

Use the Power BI Intune Compliance app:
• Uses the web version of Power BI and allows for customization and sharing of pre-configured reports
  focused on device compliance reporting



Access Intune using Microsoft Graph API
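Added example, not from the MD-102 deck, for the inventory, compliance-monitoring and Graph slides of this module: pulling the enrolled-device inventory from Intune through Microsoft Graph with the Microsoft.Graph PowerShell SDK, writing it to CSV, summarising it by compliance state, and flagging devices that have stopped checking in. The output path and the 30-day staleness window are this example's assumptions.

```powershell
# Added example; not part of the MD-102 deck. Pulls the enrolled-device inventory from
# Intune through Microsoft Graph, summarises it by compliance state, and flags devices
# that stopped checking in. Output path and the 30-day staleness window are assumptions.
Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$staleAfterDays = 30
$csvPath        = "$env:TEMP\intune-inventory.csv"

function Get-IntuneInventory {
    # -All follows @odata.nextLink; -Property limits the columns Graph returns ($select).
    Get-MgDeviceManagementManagedDevice -All -Property 'id', 'deviceName', 'userPrincipalName',
        'operatingSystem', 'osVersion', 'complianceState', 'lastSyncDateTime', 'isEncrypted',
        'managementAgent', 'serialNumber', 'enrolledDateTime' |
    ForEach-Object {
        $age = if ($_.LastSyncDateTime) { (New-TimeSpan -Start $_.LastSyncDateTime -End (Get-Date)).Days } else { $null }
        [pscustomobject]@{
            DeviceName    = $_.DeviceName
            User          = $_.UserPrincipalName
            OS            = $_.OperatingSystem
            OSVersion     = $_.OSVersion
            Compliance    = $_.ComplianceState
            Encrypted     = $_.IsEncrypted
            Agent         = $_.ManagementAgent
            Serial        = $_.SerialNumber
            Enrolled      = $_.EnrolledDateTime
            LastSync      = $_.LastSyncDateTime
            DaysSinceSync = $age
            # A device that has not synced cannot prove its compliance state; treat it as a risk.
            Stale         = ($null -eq $age) -or ($age -gt $staleAfterDays)
        }
    }
}

function Get-ComplianceSummary {
    param([object[]]$Inventory)
    $Inventory | Group-Object Compliance | ForEach-Object {
        [pscustomobject]@{ ComplianceState = $_.Name; Devices = $_.Count }
    } | Sort-Object Devices -Descending
}

$inventory = Get-IntuneInventory
$inventory | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

Get-ComplianceSummary -Inventory $inventory | Format-Table -AutoSize
$inventory | Where-Object Stale | Sort-Object DaysSinceSync -Descending |
    Format-Table DeviceName, User, OS, Compliance, DaysSinceSync -AutoSize
```

The compliance-state counts match the summary view in the Intune portal; the stale list is what the portal does not surface directly and is the usual source of "compliant" devices that no longer are, because their last good report is simply old. The same CSV can be loaded into Power BI or Excel as the deck suggests.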



Knowledge Check

Test your knowledge by answering the Knowledge Check questions at the end of this Learn module

Practice Labs:

• Configuring Multi-factor Authentication
• Configuring Self-service password reset for user accounts in Azure AD
• Configuring and validating device compliance
• Creating device inventory reports

Learning Path Recap
In this learning path, we learned to:

• Protect identities in Azure Active Directory (Entra ID)


• Enable organizational access
• Implement device compliance
• Generate inventory and compliance reports


