Platform

Identity and access management

The ABAC settings for the identity and access management for all implementation types can be found below. This includes Azure Active Directory, Active Directory Identity Protection, Multi-factor authentication, Microsoft 365 Groups and hybrid identity configuration (for Hybrid implementation types only). Please note, if a setting is not mentioned in the below, it should be assumed to have been left at its default setting.

Azure Active Directory

The following ABAC settings outlines the Azure Active Directory configuration for all implementation types.

Azure Active Directory > Properties

  • Name: <Agency Name>
  • Country or Region: Australia
  • Location: Australian datacenters
  • Notification language: English
  • Technical Contact: <username>@<Agency>.gov.au
  • Global privacy contact: Not configured
  • Privacy Statement URL: Not configured
  • Access management for Azure Resources: No

Azure Active Directory > Users > User settings > Enterprise applications

  • Enterprise applications
    • Users can consent to apps accessing information on their behalf: No
    • Users can add gallery apps to their access panel: No
  • Admin consent requests
    • Users can request admin consent to apps they are unable to consent to: No
    • Select users to review admin consent requests: Not configured
    • Selected users will receive email notifications for requests: Not configured
    • Selected users will receive request expiration reminders: Not configured
    • Consent request expires after (days): Not configured
  • Office 365 Settings
    • Users can only see Office 365 apps in the Office 365 portal: No

Azure Active Directory > Users > User settings

  • App registrations
    • Users can register applications: No
  • Administration portal
    • Restrict non-administrator access to Azure AD administration portal: Yes
  • LinkedIn account connections
    • Allow users to connect work or school account with LinkedIn: No

Azure Active Directory > Users > User settings > External collaboration settings

  • Guest user access: Guest users have limited access to properties and memberships of directory objects
  • Guest invite settings
    • Guest invite restrictions:
      • Only users assigned to specific admin roles can invite guest users: Checked
      • Enable guest self-service sign up via user flows: No
    • Guests can invite: No
    • Enable guest self-service sign up via user flows: No
  • Collaboration restrictions
    • Allow invitations only to the specified domains (most restrictive): Selected
    • Target domains:
      • <Agency>.gov.au

Azure Active Directory > External Identities > Configured identity providers

  • Email one-time passcode for guests
    • Enable email one-time passcode for guests effective now: Checked

Azure Active Directory > Groups > General

  • Self Service Group Management
    • Owners can manage group membership requests in the Access Panel: No
    • Restrict user ability to access groups features in the Access Panel. Administrators (Global, Group and User Admin) will have access regardless of the value of this setting: Yes
  • Security Groups
    • Users can create security groups in the Azure portals: No
  • Microsoft 365 Groups
    • Users can create Microsoft 365 groups in Azure portals: No

Azure Active Directory > Groups > Expiration

  • Group lifetime (in days): 365
  • Email contact for groups with no owners: Office365_Group_Expiration@<Agency>.gov.au
  • Enable expiration for these Microsoft 365 groups: All

Azure Active Directory > Groups > Naming policy

  • Blocked words: Not configured

Azure Active Directory > Custom domain names

  • <Agency>.gov.au (Primary)
  • <Agency>.onmicrosoft.com

Azure Active Directory > Company branding

  • Locale: Default
    • Sign-in Page background image (1920x1080px): Generic Australian Government Background
    • Banner logo (280x60px): Generic Australian Government Logo
    • Username hint: user@agency.gov.au
    • Sign-in page text: <insert agency logon banner/disclaimer warning message> Note: User terms are configured using Conditional Access Policies.
    • Sign-in page background color: -
    • Square logo image (240x240px): Generic Australian Government Logo
    • Square logo image, dark theme (240x240px): -
    • Show option to remain signed in: No

Azure Active Directory > Devices > Device settings

  • Users may join devices to Azure AD: All
  • Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication: No
  • Maximum number of devices per user: Unlimited
  • Additional local administrators on all Azure AD joined devices: -
  • Enterprise State Roaming: -

Azure Active Directory > Devices > Enterprise State Roaming

  • Users may sync settings and app data across devices: All

Azure Active Directory > Password reset > Properties

  • Self-service password reset enabled: All

Azure Active Directory > Password reset > Authentication methods

  • Number of methods required to reset: 2
  • Methods available to users: Mobile app notification, Email, Mobile phone

Azure Active Directory > Password reset > Registration

  • Require users to register when signing in?: Yes
  • Number of days before users are asked to re-confirm their authentication information: 180

Azure Active Directory > Password reset > Notifications

  • Notify users on password resets?: Yes
  • Notify all admins when other admins reset their password?: Yes

Azure Active Directory > Password reset > Customization

  • Customize helpdesk line: No

PowerShell (MSOL) > Disable Self-Service user creation

  • Allow users to Email verify: Disabled
  • Allow Ad Hoc self-service sign-up: Disabled
Set-MsolCompanySettings -AllowEmailVerifiedUsers $false -AllowAdHocSubscriptions $false

Microsoft 365 groups

The following ABAC settings outlines the Microsoft 365 groups configuration for all implementation types.

Azure Active Directory > Groups > General

  • Self Service Group Management
    • Owners can manage group membership requests in the Access Panel: No
    • Restrict user ability to access groups features in the Access Panel. Administrators (Global, Group and User Admin) will have access regardless of the value of this setting.: Yes
  • Security Groups
    • Users can create security groups in Azure portals: No
    • Owners who can assign members as group owners in Azure portals: All
  • Microsoft 365 groups
    • Users can create Microsoft 365 groups in Azure portal: No
    • Owners who can assign members as group owners in Azure portal: All

Azure Active Directory > Groups > Naming policy

  • Group naming policy: Agency to define

Azure Active Directory > Groups > Expiration

  • Group lifetime (in days): 365
  • Email contact for groups with no owners: Office365_Group_Expiration@<Agency>.gov.au
  • Enable expiration for these Microsoft 365 groups: All

Azure Active Directory > Groups

  • Group Name: grp-<Agency Acronym>O365-Outlook
    • Implementation types: all
    • Membership type: Assigned
    • Source: Cloud
    • Type: Office
    • Email: grp-<Agency Acronym>o365-outlook@<Agency>.gov.au
    • Members: <Agency User>
    • Owners: <Agency User>
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: grp-<Agency Acronym>o365-Teams
    • Implementation types: all
    • Membership type: Assigned
    • Source: Cloud
    • Type: Office
    • Email: grp-<Agency Acronym>o365-teams@<Agency>.gov.au
    • Members: <Agency User>
    • Owners: <Agency User>
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: rol-Agency-administrators
    • Implementation types: all
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: None admin accounts
    • Owners: <Agency Owner> (Admin)
    • Group membership: None
    • Applications: None
    • Licenses: Microsoft 365 E5
    • Azure role assignment: None
  • Group Name: rol-Agency-users
    • Implementation types: Hybrid
    • Membership type: Assigned
    • Source: Windows server AD
    • Type: Security
    • Members: None admin accounts
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: Microsoft 365 E5
    • Azure role assignment: None
  • Group Name: rol-Agency-users
    • Implementation types: Cloud
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: None admin accounts
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: Microsoft 365 E5
    • Azure role assignment: None
  • Group Name: grp-Conditional_Access_Exclude
    • Implementation types: Hybrid
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members
      • Break Glass account
        • break.glass_priv1
        • break.glass_priv2
      • AAD Connect Synchronization accounts (hybrid implementation types only)
        • Sync_<AAD Server 1>_<account GUID>
        • Sync_<AAD Server 2>_<account GUID>
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: grp-Conditional_Access_Exclude
    • Implementation types: Cloud
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members
      • Break Glass account
        • break.glass_priv1
        • break.glass_priv2
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: `None
  • Group Name: rol-AgencyName-o365groupcreators
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: <Agency User>
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: rol-ATPUsers
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: <Agency User>
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: rol-ATPViewers
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: <Agency User>
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None
  • Group Name: rol-Agency-log-admin
    • Membership type: Assigned
    • Source: Cloud
    • Type: Security
    • Members: <Agency User>
    • Owners: None
    • Group membership: None
    • Applications: None
    • Licenses: None
    • Azure role assignment: None

Delegate Office 365 Group Creation

Delegation of 365 Group creation is set through Azure AD (preview module) PowerShell for Graph. For reference see manage creation of groups.

$GroupName = "rol-<AgencyName>-o365groupcreators"
$AllowGroupCreation = $False

Connect-AzureAD

$settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
if(!$settingsObjectID)
{
  $template = Get-AzureADDirectorySettingTemplate | Where-object {$_.displayname -eq "group.unified"}
  $settingsCopy = $template.CreateDirectorySetting()
  New-AzureADDirectorySetting -DirectorySetting $settingsCopy
  $settingsObjectID = (Get-AzureADDirectorySetting | Where-object -Property Displayname -Value "Group.Unified" -EQ).id
}

$settingsCopy = Get-AzureADDirectorySetting -Id $settingsObjectID
$settingsCopy["EnableGroupCreation"] = $AllowGroupCreation

if($GroupName)
{
  $settingsCopy["GroupCreationAllowedGroupId"] = (Get-AzureADGroup -SearchString $GroupName).objectid
}
 else {
  $settingsCopy["GroupCreationAllowedGroupId"] = $GroupName
}
Set-AzureADDirectorySetting -Id $settingsObjectID -DirectorySetting $settingsCopy

(Get-AzureADDirectorySetting -Id $settingsObjectID).Values

Emergency access admin accounts

The following ABAC settings outlines the emergency access admin (break glass) accounts configuration for all implementation types.

Azure Active Directory > Users > Break Glass > Profile

  • Name: Break Glass
  • User Principal Name: break.glass_priv<number>@<Tenant Name>.onmicrosoft.com
  • User Type: Member

Azure Active Directory > Users > Break Glass > Assigned roles

  • Active assignments: Global Administrator

Azure Active Directory > Users > Break Glass > Groups

  • Name: Excluded from CA, rol-Agency-administrators, <Agency Name>, All Users

Azure Active Directory > Users > Break Glass > Licenses

  • Products: None
  • Assignment Paths: Inherited (rol-Agency-administrators)

Azure Active Directory Identity Protection

The following ABAC settings outlines the Identity Protection configuration for all implementation types.

Azure Active Directory > Security > Identity Protection > MFA registration policy

  • Policy name: Multi-factor authentication registration policy

Azure Active Directory > Security > Identity Protection > MFA registration policy > Assignments

  • Users: Included: All Users
  • Excluded: Office365_Conditional_Access_Exclude

Azure Active Directory > Security > Identity Protection > MFA registration policy > Controls

  • Access: Require Azure MFA registration
  • Enforce Policy: On

Azure Active Directory > Security > Identity Protection > Sign-in Risk policy

  • Include users: All users

  • Exclude users

    Implementation Accounts to exclude
    Cloud-native break.glass_priv1@<Agency>.onmicrosoft.com
    break.glass_priv2@<Agency>.onmicrosoft.com
    Hybrid break.glass_priv1@<Agency>.onmicrosoft.com
    break.glass_priv2@<Agency>.onmicrosoft.com
    Sync_<account_1>_<account guid>@<Agency>.onmicrosoft.com
    Sync_<account_2>_<account guid>@<Agency>.onmicrosoft.com

    Sign-in risk settings: Medium and above

  • Access: Allow access (Require MFA)
  • Enforce policy: On

Azure Active Directory > Security > Identity Protection > User Risk Policy

  • Include users: All users

  • Exclude users

    Implementation Accounts to exclude
    Cloud-native break.glass_priv1@<Agency>.onmicrosoft.com
    break.glass_priv2@<Agency>.onmicrosoft.com
    Hybrid break.glass_priv1@<Agency>.onmicrosoft.com
    break.glass_priv2@<Agency>.onmicrosoft.com
    Sync_<account_1>_<account guid>@<Agency>.onmicrosoft.com
    Sync_<account_2>_<account guid>@<Agency>.onmicrosoft.com

    User risk setting: Medium and above

  • Access: Allow access (with require password change selected)
  • Enforce policy: On

Azure Active Directory multifactor authentication

The following ABAC settings outlines the multifactor authentication configuration for all implementation types.

Azure Active Directory > Users > Per-user MFA

  • App passwords: Do not allow users to create app passwords to sign in to non-browser apps
  • Trusted IPs: Not configured
  • Verification options: Notification through mobile app, Verification code from mobile app or hardware token
  • Remember multi-factor authentication: Not configured

Azure Active Directory > Security > Multi-Factor Authentication > Fraud alert

  • Allow users to submit fraud alerts: On
  • Automatically block users who report fraud: On
  • Code to report fraud during initial greeting: 0

Hybrid Identity - Azure AD Connect (hybrid implementation types only)

The following ABAC settings outlines the Azure AD connect configuration for hybrid implementation types only.

Primary Azure AD Connect settings

  • Installation Mode: Custom
  • SQL Mode: Local DB
  • Directory to connect to: <Agency>.gov.au
  • Source of truth for account information: On-Premises Active Directory (<Agency>.gov.au)
  • User sign-in method
    Selected - Pass-through authentication
    Not selected – Password Hash Synchronization
    Not selected – Federation with AD FS
    Not selected – Federation with PingFederate
    
  • Enable Single Sign-on: Enabled
  • Directory Type: Active Directory
  • Forest for Configured Directories: <agency_forest_name>.local
  • Active Directory UPN Suffix: <Agency>.gov.au
  • Azure AD Domain: Verified
  • Attribute used for login: userPrincipalName (User ID)
  • Domain and OU filtering
    • Directory: <agency_forest_name>.local
    • Sync selected domains and OUs:
      Department
      . Groups
      .  . Admin
      .  . Security Access
      . Users
      .  . Admin
      .  . General
      .  . Service Accounts
      . Computers
      
    • How users should be identified in your on-premises directories: Users are represented only once across all directories
    • How users should be identified with Azure AD: ms-DS-Consistency-Guid
    • Filter users and devices: Synchronize all users and devices
  • Optional Features
    • Exchange hybrid deployment: Enabled
    • Exchange Mail Public Folders: Disabled
    • Password hash synchronization: Disabled
    • Password writeback: Disabled
    • Group writeback: Disabled
    • Azure AD app and attribute filtering: Enabled
    • Azure AD Apps: The following applications are enabled:
      Office 365 ProPlus
      Exchange Online
      SharePoint Online
      Lync Online
      Azure RMS
      Intune
      Dynamics CRM
      3rd party application
      

Standby Azure AD Connect settings:

  • Source of truth for account information: On-Premises Active Directory (<Agency>.gov.au)
  • User sign-in method
    Selected - Pass-through authentication
    Not selected – Password Hash Synchronization
    Not selected – Federation with AD FS
    Not selected – Federation with PingFederate
    
  • Enable Single Sign-on: Enabled
  • Directory Type: Active Directory
  • Forest for Configured Directories: <agency_forest_name>.local
  • Active Directory UPN Suffix: <Agency>.gov.au
  • Azure AD Domain: Verified
  • Attribute used for login: userPrincipleName (User ID)
  • Domain and OU filtering
    • Directory | <agency_forest_name>.local
    • Sync selected domains and OUs
      Department
        . Groups
        .  . Admin
        .  . Security Access
        . Users
        .  . Admin
        .  . General
        .  . Service Accounts
        . Computers
      
    • How users should be identified in your on-premises directories: Users are represented only once across all directories
    • How users should be identified with Azure AD: ms-DS-Consistency-Guid
    • Filter users and devices: Synchronize all users and devices
  • Optional Features
    • Exchange hybrid deployment: Enabled
    • Exchange Mail Public Folders: Disabled
    • Password hash synchronization: Disabled
    • Password writeback: Disabled
    • Group writeback: Disabled
    • Azure AD app and attribute filtering: Enabled
    • Azure AD Apps: The following applications are enabled:
      Office 365 ProPlus
      Exchange Online
      SharePoint Online
      Lync Online
      Azure RMS
      Intune
      Dynamics CRM
      3rd party application
      

The following table describes the Azure AD attributes being synchronized via Azure AD Connect.

Attribute IsExported IsMandatory
accountEnabled TRUE TRUE
accountName TRUE FALSE
altRecipient TRUE FALSE
assistant TRUE FALSE
authOrig TRUE FALSE
c TRUE FALSE
cloudUserCertificate TRUE FALSE
cloudUserSMIMECertificate TRUE FALSE
cn TRUE FALSE
co TRUE FALSE
company TRUE FALSE
countryCode TRUE FALSE
dLMemRejectPerms TRUE FALSE
dLMemSubmitPerms TRUE FALSE
department TRUE FALSE
description TRUE FALSE
deviceId TRUE FALSE
deviceOSType TRUE FALSE
deviceTrustType TRUE FALSE
displayName TRUE FALSE
distinguishedName TRUE FALSE
domainFQDN TRUE FALSE
domainNetBios TRUE FALSE
employeeID TRUE FALSE
extensionAttribute1 TRUE FALSE
extensionAttribute10 TRUE FALSE
extensionAttribute11 TRUE FALSE
extensionAttribute12 TRUE FALSE
extensionAttribute13 TRUE FALSE
extensionAttribute14 TRUE FALSE
extensionAttribute15 TRUE FALSE
extensionAttribute2 TRUE FALSE
extensionAttribute3 TRUE FALSE
extensionAttribute4 TRUE FALSE
extensionAttribute5 TRUE FALSE
extensionAttribute6 TRUE FALSE
extensionAttribute7 TRUE FALSE
extensionAttribute8 TRUE FALSE
extensionAttribute9 TRUE FALSE
facsimileTelephoneNumber TRUE FALSE
givenName TRUE FALSE
hideDLMembership TRUE FALSE
homePhone TRUE FALSE
info TRUE FALSE
initials TRUE FALSE
ipPhone TRUE FALSE
isIntuneManagedDevice TRUE FALSE
l TRUE FALSE
legacyExchangeDN TRUE FALSE
mail TRUE FALSE
mailNickname TRUE FALSE
managedBy TRUE FALSE
manager TRUE FALSE
member TRUE FALSE
middleName TRUE FALSE
mobile TRUE FALSE
msDS-HABSeniorityIndex TRUE FALSE
msDS-PhoneticDisplayName TRUE FALSE
msExchArchiveGUID TRUE FALSE
msExchArchiveName TRUE FALSE
msExchAssistantName TRUE FALSE
msExchAuditAdmin TRUE FALSE
msExchAuditDelegate TRUE FALSE
msExchAuditDelegateAdmin TRUE FALSE
msExchAuditOwner TRUE FALSE
msExchBlockedSendersHash TRUE FALSE
msExchBypassAudit TRUE FALSE
msExchBypassModerationLink TRUE FALSE
msExchCoManagedByLink TRUE FALSE
msExchDelegateListLink TRUE FALSE
msExchELCExpirySuspensionEnd TRUE FALSE
msExchELCExpirySuspensionStart TRUE FALSE
msExchELCMailboxFlags TRUE FALSE
msExchEnableModeration TRUE FALSE
msExchExtensionCustomAttribute1 TRUE FALSE
msExchExtensionCustomAttribute2 TRUE FALSE
msExchExtensionCustomAttribute3 TRUE FALSE
msExchExtensionCustomAttribute4 TRUE FALSE
msExchExtensionCustomAttribute5 TRUE FALSE
msExchHideFromAddressLists TRUE FALSE
msExchImmutableId TRUE FALSE
msExchLitigationHoldDate TRUE FALSE
msExchLitigationHoldOwner TRUE FALSE
msExchMailboxAuditEnable TRUE FALSE
msExchMailboxAuditLogAgeLimit TRUE FALSE
msExchMailboxGuid TRUE FALSE
msExchModeratedByLink TRUE FALSE
msExchModerationFlags TRUE FALSE
msExchRecipientDisplayType TRUE FALSE
msExchRecipientTypeDetails TRUE FALSE
msExchRemoteRecipientType TRUE FALSE
msExchRequireAuthToSendTo TRUE FALSE
msExchResourceCapacity TRUE FALSE
msExchResourceDisplay TRUE FALSE
msExchResourceMetaData TRUE FALSE
msExchResourceSearchProperties TRUE FALSE
msExchRetentionComment TRUE FALSE
msExchRetentionURL TRUE FALSE
msExchSafeRecipientsHash TRUE FALSE
msExchSafeSendersHash TRUE FALSE
msExchSenderHintTranslations TRUE FALSE
msExchTeamMailboxExpiration TRUE FALSE
msExchTeamMailboxOwners TRUE FALSE
msExchTeamMailboxSharePointLinkedBy TRUE FALSE
msExchTeamMailboxSharePointUrl TRUE FALSE
msExchUserHoldPolicies TRUE FALSE
msOrg-IsOrganizational TRUE FALSE
msRTCSIP-ApplicationOptions TRUE FALSE
msRTCSIP-DeploymentLocator TRUE FALSE
msRTCSIP-Line TRUE FALSE
msRTCSIP-OptionFlags TRUE FALSE
msRTCSIP-OwnerUrn TRUE FALSE
msRTCSIP-PrimaryUserAddress TRUE FALSE
msRTCSIP-UserEnabled TRUE FALSE
oOFReplyToOriginator TRUE FALSE
objectSid TRUE FALSE
onPremisesUserPrincipalName TRUE FALSE
otherFacsimileTelephoneNumber TRUE FALSE
otherHomePhone TRUE FALSE
otherIpPhone TRUE FALSE
otherMobile TRUE FALSE
otherPager TRUE FALSE
otherTelephone TRUE FALSE
pager TRUE FALSE
physicalDeliveryOfficeName TRUE FALSE
postOfficeBox TRUE FALSE
postalCode TRUE FALSE
preferredLanguage TRUE FALSE
proxyAddresses TRUE FALSE
publicDelegates TRUE FALSE
pwdLastSet TRUE FALSE
registeredOwnerReference TRUE FALSE
reportToOriginator TRUE FALSE
reportToOwner TRUE FALSE
securityEnabled TRUE FALSE
sn TRUE FALSE
sourceAnchor TRUE TRUE
st TRUE FALSE
streetAddress TRUE FALSE
targetAddress TRUE FALSE
telephoneAssistant TRUE FALSE
telephoneNumber TRUE FALSE
thumbnailPhoto TRUE FALSE
title TRUE FALSE
unauthOrig TRUE FALSE
url TRUE FALSE
usageLocation TRUE FALSE
userCertificate TRUE FALSE
userPrincipalName TRUE TRUE
userSMIMECertificate TRUE FALSE
wWWHomePage TRUE FALSE

Authentication method (pass through agent)

The following ABAC settings outlines the AD Connect authentication method configuration for hybrid implementation types only.

  • Authentication Method: PTA
  • Number of PTA servers: 3
  • Add Proxy settings
    • Add the following text to the end of the file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config to enable proxy settings. This file needs to be opened as “administrator” context.
    <system.net>
      <defaultProxy enabled="true" useDefaultCredentials="true">
        <proxy
          usesystemdefault="true"
          proxyaddress="http://<proxyserveraddress>:8080"
          bypassonlocal="true"
        />
      </defaultProxy>
    </system.net>
    
  • Required Protocols
    • Enable outbound HTTP – 80 (TCP/UDP)
    • Enable outbound HTTPS – 443 (TCP/UDP)
  • Register PTA Connector
    • Execute the following power shell command to register PTA connector:
    cd C:\Program Files\Microsoft Azure AD Connect Authentication Agent
    
    ./RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -moduleName "PassthroughAuthPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature PassthroughAuthentication
    

Privileged identity management

The ABAC settings for the Agency Privileged Identity Management for all implementations types can be found below. This includes Authentication Administrator, Azure Information Protection Administrator, Global Administrator, Exchange Administrator, Helpdesk Administrator, Intune Administrator, Office Apps Administrator, Power BI Administrator, Power Platform, Privileged Role Administrator, Security Administrator, Security Operator, SharePoint Administrator, Teams Communications Administrator, Teams Communications Support Engineer, Teams Communications Support Specialist, Teams Service Administrator and User Administrator settings. Please note, if a setting is not mentioned in the below, it should be assumed to have been left at its default setting.

Authentication administrator

Azure AD Privileged Identity Management > Azure AD roles > Roles > Authentication Administrator > Role settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Not checked
    • Expire eligible assignments after: 6 month(s)
    • Allow permanent active assignment: Not checked
    • Expire active assignments after: 1 month(s)
    • Require Azure Multi-Factor Authentication on active assignment: Checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Azure information protection administrator

Azure AD Privileged Identity Management > Azure AD roles > Roles > Azure Information Protection Administrator > Role settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Global administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Global Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Exchange administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Exchange Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Helpdesk administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Helpdesk Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Intune administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Intune Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Office Apps administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Office Apps Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Power BI administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Power BI Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Power Platform administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Power Platform Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Privileged role administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Privileged Role Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Security administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Security Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Security Operator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Security Operator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

SharePoint administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > SharePoint Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Teams communications administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Teams Communication Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Teams communications support engineer

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Teams Communications Support Engineer > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Teams communications support specialist

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Teams Communications Support Specialist > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Teams service administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > Teams service Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

User administrator

Azure Active Directory > Identity Governance > Azure AD roles > Azure AD roles > Roles > User Administrator > Role Settings

  • Activation
    • Activation maximum duration: 10 hours
    • On activation, require: Azure MFA
    • Require justification on activation: Checked
    • Require ticket information on activation: Not checked
    • Require approval to activate: Not checked
    • Select approvers(s):
      • Members: None
      • Groups: None
      • If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
  • Assignment
    • Allow permanent eligible assignment: Checked
    • Expire eligible assignments after: Not configured
    • Allow permanent active assignment: Checked
    • Expire active assignments after: Not configured
    • Require Azure Multi-Factor Authentication on active assignment: Not checked
    • Require justification on active assignment: Checked
  • Notification
    • Send notifications when members are assigned as eligible to this role
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when members are assigned as active to this role:
      • Role assignment alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to the assigned user (assignee)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve a role assignment renewal/extension
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
    • Send notifications when eligible members activate this role:
      • Role activation alert
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Notification to activated user (requestor)
        • Default recipients: Checked
        • Additional recipients: Not configured
        • Critical emails only: Not checked
      • Request to approve an activation
        • Default recipients: Checked
        • Additional recipients: Only designated approvers can receive this email
        • Critical emails only: Not checked

Licensing

The following table describes the user (rol-Agency-users) licensing settings for all implementation types that are configured within the tenant available at Azure Active Directory > Groups > All groups > rol-Agency-users > Licenses > Microsoft 365 E5

Item Configuration
Azure Active Directory Premium P1 On
Azure Active Directory Premium P2 On
Azure Advanced Threat Protection On
Azure Information Protection Premium P1 On
Azure Information Protection Premium P2 On
Azure Rights Management On
Common Data Service On
Common Data Service for Teams On
Customer Lockbox On
Data Classification in Microsoft 365 On
Exchange Online (Plan 2) On
Graph Connectors Search with Index On
Information Barriers On
Information Protection for Office 365 - Premium On
Information Protection for Office 365 - Standard On
Insights by MyAnalytics Off
M365 Communication Compliance On
Microsoft 365 Advanced Auditing On
Microsoft 365 Apps for enterprise On
Microsoft 365 Audio Conferencing On
Microsoft 365 Defender On
Microsoft 365 Phone System Off
Microsoft Azure Multi-Factor Authentication On
Microsoft Bookings Off
Microsoft Cloud App Security On
Microsoft Communications DLP On
Microsoft Customer Key Off
Microsoft Data Investigations On
Microsoft Defender For Endpoint On
Microsoft Defender for Identity On
Microsoft Defender for Office 365 (Plan 2) On
Microsoft Endpoint DLP On
Microsoft Excel Advanced Analytics On
Microsoft Forms (Plan E5) On
Microsoft Information Governance On
Microsoft Insider Risk Management On
Microsoft Intune On
Microsoft Kaizala Pro Off
Microsoft ML-based classification On
Microsoft MyAnalytics (Full) Off
Microsoft Planner On
Microsoft Records Management On
Microsoft StaffHub Off
Microsoft Stream for O365 E5 SKU On
Microsoft Teams On
Office 365 Advanced eDiscovery On
Office 365 Cloud App Security On
Office 365 Privileged Access Management On
Office 365 SafeDocs On
Office for the web On
Power BI Pro On
PowerApps for Office 365 Plan 3 Off
Power Automate for Office 365 Off
Power BI Pro Off
Power Virtual Agents for Office 365 Off
Premium Encryption in Office 365 On
Project for Office (Plan E5) On
SharePoint (Plan 2) On
Skype for Business Online (Plan 2) Off
Sway On
To-Do (Plan 3) On
Universal Print Off
Whiteboard (Plan 3) On
Windows 10 Enterprise On
Windows Update for Business Deployment Service On
Yammer Enterprise Off

The following table describes the admin (rol-Agency-administrators) licensing settings for all implementation types that are configured within the tenant.

Azure Active Directory | Groups | All groups > rol-Agency-administrators | Licenses > Microsoft 365 E5

Item Configuration
Azure Active Directory Premium P1 On
Azure Active Directory Premium P2 On
Azure Advanced Threat Protection On
Azure Information Protection Premium P1 On
Azure Information Protection Premium P2 On
Azure Rights Management On
Common Data Service Off
Common Data Service for Teams Off
Customer Lockbox On
Data Classification in Microsoft 365 On
Exchange Online (Plan 2) Off
Graph Connectors Search with Index Off
Information Barriers On
Information Protection for Office 365 - Premium On
Information Protection for Office 365 - Standard On
Insights by MyAnalytics Off
M365 Communication Compliance On
Microsoft 365 Advanced Auditing On
Microsoft 365 Apps for enterprise Off
Microsoft 365 Audio Conferencing Off
Microsoft 365 Defender On
Microsoft 365 Phone System Off
Microsoft Azure Multi-Factor Authentication On
Microsoft Bookings Off
Microsoft Cloud App Security On
Microsoft Communications DLP On
Microsoft Customer Key Off
Microsoft Data Investigations On
Microsoft Defender For Endpoint On
Microsoft Defender for Identity On
Microsoft Defender for Office 365 (Plan 2) On
Microsoft Endpoint DLP On
Microsoft Excel Advanced Analytics Off
Microsoft Forms (Plan E5) Off
Microsoft Information Governance On
Microsoft Insider Risk Management On
Microsoft Intune Off
Microsoft Kaizala Pro Off
Microsoft ML-based classification On
Microsoft MyAnalytics (Full) Off
Microsoft Planner Off
Microsoft Records Management On
Microsoft StaffHub Off
Microsoft Stream for O365 E5 SKU Off
Microsoft Teams Off
Office 365 Advanced eDiscovery On
Office 365 Cloud App Security On
Office 365 Privileged Access Management On
Office 365 SafeDocs On
Office for the web Off
Power BI Pro Off
PowerApps for Office 365 Plan 3 Off
Power Automate for Office 365 Off
Power BI Pro Off
Power Virtual Agents for Office 365 Off
Premium Encryption in Office 365 On
Project for Office (Plan E5) Off
SharePoint (Plan 2) Off
Skype for Business Online (Plan 2) Off
Sway Off
To-Do (Plan 3) Off
Universal Print Off
Whiteboard (Plan 3) Off
Windows 10 Enterprise Off
Windows Update for Business Deployment Service Off
Yammer Enterprise Off

Windows Information Protection

Application protection policies

The following ABAC settings outlines the application protection policy configuration for all implementation types.

Microsoft Endpoint Manager > Client apps > App protection policies > Windows Information Protection > Properties

  • Name: Windows Information Protection
  • Description: Application Protection policies
  • Enrollment state: With enrollment
  • Targeted apps
    • Protected apps:
      Office-365-ProPlus-1810-Allowed.xml
      Recommended-Denied-Office-365-ProPlus-1810.xml
      MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml
      Microsoft OneDrive
      Notepad
      Microsoft Paint
      Microsoft Remote Desktop
      Microsoft Teams
      Microsoft Azure Information Protection
      Microsoft Edge
      Microsoft People
      Word Mobile
      Excel Mobile
      PowerPoint Mobile
      OneDrive App
      OneNote
      Mail and Calendar for Windows 10
      Microsoft Photos
      Groove Music
      Microsoft Movies and TV
      Microsoft Messaging
      Company Portal
      
    • Exempt apps: -
  • Required settings
    • Windows Information Protection mode: Block
    • Corporate identity: <Agency>.gov.au
  • Advanced settings
    • Network perimeter
      • Type: Cloud resources
      • Name: Office365
      • Value:
        Agency.sharepoint.com|Agency-my.sharepoint.com|Agency-files.sharepoint.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com|www.yammer.com|yammer.com|persona.yammer.com|outlook.office.com|outlook.office365.com|attachments.office.net|Agency.crm.dynamics.com|Agency.visualstudio.com|Agency.powerbi.com
        
      • Enterprise Proxy Servers list is authoritative (do not auto-detect): Off
      • Enterprise IP Ranges list is authoritative (do not auto-detect): Off
    • Data protection
      • Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data: Not configured
      • Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile: Off
      • Revoke encryption keys on unenroll: On
      • Show the enterprise data protection icon: On
      • Use Azure RMS for WIP: Off
      • Allow Windows Search Indexer to search encrypted items: On
      • Encrypted file extensions: -
  • Assignments
    • Included groups: rol-Agency-administrators, rol-Agency-users
    • Excluded groups: -
  • Scope tags: Default

Microsoft Endpoint Manager > Client apps > App protection policies > iOS App Protection Policy > Properties

  • Name: iOS App Protection Policy
  • Description: App management for Apple
  • Platform: iOS/iPadOS
  • Apps
    • Target to apps on all device types: Yes
    • Device types: -
    • Public apps:
      Adobe Acrobat Reader
      Microsoft Dynamics 365
      Microsoft Dynamics 365 for phones
      Skype for Business
      Microsoft Excel
      Microsoft Edge
      Microsoft Outlook
      Microsoft PowerPoint
      Microsoft Word
      Microsoft OneNote
      Microsoft Planner
      Microsoft Power BI
      Azure Information Protection
      Microsoft SharePoint
      Microsoft OneDrive
      Microsoft Teams
      Microsoft Stream
      Microsoft To-Do
      Microsoft Visio Viewer
      
    • Custom apps:
      com.adobe.acrobatdc.intune
      com.microsoft.rdc.ios  Microsoft Dynamics 365
      
  • Data protection
    • Data Transfer
      • Backup org data to iTunes and iCloud backups: Block
      • Send org data to other apps: Policy managed apps
      • Select apps to exempt:
        • Name 1: Default
        • Value 1: tel;telprompt;skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;
        • Name 2: Apple Maps
        • Value 2: maps
        • Name 3: Google Maps
        • Value 3: comgooglemaps
      • Save copies of org data: Block
      • Allow user to save copies to selected services: OneDrive for Business, SharePoint
      • Receive data from other apps: Policy managed apps
      • Restrict cut, copy, and paste between other apps: Policy managed apps with paste in
      • Cut and copy character limit for any app: 0
      • Third party keyboards: Block
    • Encryption
      • Encrypt org data: Require
    • Functionality
      • Sync app with native contacts app: Block
      • Printing org data: Block
      • Restrict web content transfer with other apps: Microsoft Edge
      • Org data notifications: Block org Data
  • Access requirements
    • PIN for access: Require
    • PIN type: Numeric
    • Simple PIN: Block
    • Select minimum PIN length: 4
    • Touch ID instead of PIN for access (iOS 8+/iPadOS): Block
    • PIN reset after number of days: Yes
    • Number of days: 365
    • App PIN when device PIN is set: Require
    • Work or school account credentials for access: Require
    • Recheck the access requirements after (minutes of inactivity): 30
  • Conditional launch
Setting Value Action
Max PIN attempts 5 Reset PIN
Offline grace period 720 Block access (minutes)
Offline grace period 90 Wipe data (days)
Jailbroken/rooted devices   Block access
Min OS version 12.0 Block access
  • Assignments
    • Included groups: rol-Agency-administrators, rol-Agency-users
    • Excluded groups: grp-Windows-10-Devices
  • Scope tags: Default

Threat protection

Microsoft Defender for Endpoint

The following ABAC settings outlines the Microsoft Defender for Endpoint policy configuration for all implementation types.

Microsoft 365 Defender > Settings > Endpoints

General

  • Data retention
    • Data Storage: US
    • Data Retention: 180 days
  • Email notifications: Not Configured
  • Advanced features
    • Automated Investigation: On
    • Live Response: On
    • Live Response for Servers: On
    • Live Response unsigned script execution: Off
    • Restrict correlation to within scoped device groups: Off
    • Enable EDR in block mode: On
    • Automatically Resolve Alerts: On
    • Allow or block file: On
    • Custom network indicators: On
    • Tamper protection: On
    • Show user details: On
    • Skype for Business integration: On
    • Microsoft Defender for Identity integration: On
    • Office 365 Threat Intelligence connection: On
    • Microsoft Defender for Cloud Apps: On
    • Microsoft Secure Score: On
    • Web content filtering: On
    • Download quarantined files: On
    • Share endpoint alerts with Microsoft Compliance Center: On
    • Microsoft Intune connection: On
    • Device discovery: On
    • Preview features: On
    • Microsoft Threat Expert: Not configured
  • Auto remediation
Rank Device group Remediation level
1 Windows 10 Full - Remediate threats automatically
Last Ungrouped devices (default) Full - Remediate threats automatically

Permissions

  • Roles
    • Microsoft Defender for Endpoint administrator (default)
      • Assigned user groups: rol-Agency-security-defenderatp-admins
    • Microsoft Defender for Endpoint Viewer
      • Description: Viewer privileges
      • View Data
        • Security operations
        • Threat and vulnerability management
      • Assigned user groups: rol-Agency-security-defenderatp-viewer
    • Microsoft Defender for Endpoint Remediation
      • Description: Investigate and remediate alerts
      • View Data
        • Security operations
        • Threat and vulnerability management
      • Active remediation actions
        • Security operations
        • Threat and vulnerability management - Exception handling
        • Threat and vulnerability management - Remediation handling
      • Alerts investigation
      • Live response capabilities
        • Advanced
      • Assigned user groups: rol-Agency-security-defenderatp-remediation
  • Device groups
    • Device group name: Windows 10
      • Rank: 1
      • Automation level: Full - Remediate threats automatically
      • Members:
        Name Starts with <Agency 3 characters>
        And Domain Starts with <Not configured>
        And Tag: Starts with <Not configured>
        And OS In <Not configured>
        
      • User access
        • Azure AD user groups with access to this machine group: rol-Agency-security-defenderatp-admins, rol-Agency-security-defenderatp-viewer, rol-Agency-security-defenderatp-remediation
    • Device group name: Ungrouped devices (default)
      • Rank: Last
      • Automation level: Full - Remediate threats automatically
      • User access
        • Azure AD user groups with access to this machine group: rol-Agency-security-defenderatp-admins, rol-Agency-security-defenderatp-viewer, rol-Agency-security-defenderatp-remediation

APIs

  • SIEM
    • General
      • Application URI: https://WindowsDefenderATPSiemConnector
      • Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • Authorisation server URL: https://login.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/token
      • Resource: https://graph.windows.net
      • Client secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      • Choose the SIEM you want to configure and download details to file.: <Agency SIEM>

Rules

  • Custom detections: Not configured
  • Alert suppression: Not configured
  • Indicators: Not configured
  • Process Memory Indicators: Not configured
  • Web content filtering
    • Policy name: Adult Sites
      • Blocked categories:
        Cults
        Gambling
        Nudity
        Pornography/Sexually explicit
        Sex education
        Tasteless
        Violence
        
      • Scope: All devices
    • Policy name: High Traffic Sites
      • Blocked categories:
        Download sites
        Image sharing
        Peer-to-peer
        Streaming media & downloads
        
      • Scope: All devices
    • Policy name: Legal Liability
      • Blocked categories:
        Child abuse images
        Criminal activitiy
        Hacking
        Hate & intolerance
        Illegal drug
        Illegal software
        School cheating
        Self-harm
        Weapons
        
      • Scope: All devices
  • Automation uploads
    • Content analysis: On
    • File extension names: wsf,tcl,sys,scr,'',job,ws,ko.gz,vbe,bat,ps1,vb,com,air,cpl,exe,rb,cmd,msi,url,reg,gadget,dll,ko,js,pl,sh,rgs,inf,vbs,elf,py
    • Memory Content Analysis: On
  • Automation folder exclusions: Not configured

Device management

  • Onboarding
    • Select operating system to start offboarding process: Windows 10
    • Deployment method: Intune
  • Offboarding
    • Select operating system to start offboarding process: Windows 10
    • Deployment method: Intune

Microsoft Cloud App Security

The following ABAC settings outlines the Microsoft Cloud App Security configuration for all implementation types.

https://portal.cloudappsecurity.com/ > Settings

  • System
    • Organization details
      • Organizations display name: AGENCY
      • Environment name: AGENCY ENVIRONMENT NAME
      • Managed Domains: <Agency>.onmicrosoft.com, <Agency>.gov.au
    • Mail settings
      • Email sender identity: Default settings
    • Export settings
      • Export settings: None
    • Automatic sign out
      • Sign out when a user is inactive for: After 15 Minutes
  • Cloud Discovery
    • Snapshot reports: Not configured
    • Continuous reports
      • Report name: Application Group
        • Comment: This report captures information on the User Group Application (Cloud App Security)
        • Data sources: All data sources
        • Filters: User Group > Application (Cloud App Security)
      • Report name: External Users
        • Comment: This report captures information on the External Users group
        • Data sources: All data sources
        • Filters: User Group > External users
      • Report name: Windows 10 Endpoint Users
        • Comment: This report will capture information for Windows 10 Endpoint users.
        • Data sources: Win10 Endpoint Users
      • Report name: Cloud App Security Conditional Access App Control
        • Comment: Cloud App Security Conditional Access App Control
        • Data sources: Cloud App Security Proxy
    • Automatic log upload
      • Data sources
        • Name: Win10 Endpoint Users
          • Source: Windows Defender Advanced Threat Protection
          • Receiver type: Built-in
        • Name: Cloud App Security Proxy
          • Source: Cloud App Security Conditional Access App Control
          • Receiver type: Built-in
      • Log collectors: Not configured
    • App tags
      • Sanctioned:
        Microsoft Skype for Business
        Microsoft SharePoint Online
        Office 365
        Microsoft Exchange Online
        Microsoft Teams
        Microsoft Power BI
        Microsoft OneDrive for Business
        Microsoft Cloud App Security
        Microsoft Azure
        
      • Unsanctioned: Not configured
      • Monitored: Not configured
      • Restricted: Not configured
    • Exclude entities: Not configured
    • Microsoft Defender for Endpoint
      • Block unsanctioned apps: Checked
    • User enrichment
      • Enrich discovered user identifiers with Azure Active Directory usernames: Checked
    • Anonymization: Not configured
  • Threat Protection
    • Microsoft Defender for Identity integration: Checked
    • Azure AD Identity Protection: Checked
    • App Governance: Not configured
  • Information Protection
    • Admin quarantine folder location: https://<Agency>.sharepoint.com/sites/mcas
    • User notification: Not configured
    • Microsoft Information Protection
      • Automatically scan new files for Microsoft Information Protection classification labels and content inspection warnings: Checked
      • Only scan files for Microsoft Information Protection classification labels and content inspection warnings from this tenant: Checked
    • Files
      • Enable file monitoring: Enabled
  • Conditional Access App Control
    • Default behavior
      • During system downtime: Allow access
    • User monitoring: Not configured
    • Device identification: Not configured

Settings (Cog) > Manage admin access

  • User: <Agency User>
  • Email: <agency_username>@<Agency>.gov.au
  • Role: Global Admin
  • Permission: Full access

Settings (Cog) > User groups

User Type Source app Status
Office 365 (Default) administrator Automatic Office 365 Imported successfully
External users Automatic All apps Imported successfully
Application (Cloud App Security) Automatic All apps Imported successfully

Settings (Cog) > App connectors

Application Status Selected Components
Office 365 (Collaboration) Connected Azure AD Users and groups
Azure AD Management events
Azure AD Sign-in events
Azure AD Apps
Office 365 activities
Office 365 files
Microsoft Azure (Cloud computing platform) Connected Not Applicable

Settings (Cog) > Security extensions

  • API tokens: Not configured
  • External DLP: Not configured
  • Playbooks: Not configured

Home > Discover > Cloud app catalog

Microsoft Volume Licensing
Microsoft Graph
Microsoft Intune
Microsoft App Source
Microsoft Support
Microsoft Tech Community
Microsoft 365 Admin Center
Microsoft Project
Microsoft Secure Score
Microsoft Dynamics
Microsoft Project Portal
Microsoft Word Online
Microsoft Excel Online
Microsoft PowerPoint Online
Microsoft Outlook Online
Microsoft Skype for Business
Microsoft Office Online
Microsoft Defender Security Center
Microsoft Visual Studio
OneDrive Admin Center
Microsoft SharePoint Online
Microsoft Office 365 Planner
Office 365
Microsoft Office 365 Admin Center
Office Help & Training
Microsoft Stream
Microsoft Exchange Online
Microsoft PowerApps
Microsoft Flow
Microsoft Teams
Microsoft Power BI
Microsoft OneDrive for Business
Microsoft Cloud App Security
Security and Compliance
Microsoft Azure

Home > Control > Policy

  • Default Policies Active: 26
  • Default Policies Disabled: 3
  • Create activity policy
    • Policy name: Break Glass Account 1 Activity
    • Policy severity: Medium
    • Category: Privileged accounts
    • Description: This policy monitors break glass account called "break.glass_priv1@<Agency>.onmicrosoft.com" for all logon activity
    • Account to monitor: break.glass_priv1@<Agency>.onmicrosoft.com
    • Act on activity: Single activity
    • Policy Filters
      • Office 365
        SAS:EndAuth
        WindowsAuthenticationController:usernamemixed
        OrgIdWsTrust2:extsts
        WindowsAuthenticationController:sso
        DebugMode:Set
        Federation:oauth2claimsprovider
        ForeignRealmIndexLogonInitialAuthUsingSAML20PostSimpleSign
        SSO Logon
        bind:BindComplete
        OAuth2:Authorize
        Federation:oauth2msa
        WsFederation:wsfederation
        OAuth2:Token
        Federation:oauth2
        bind:Bind
        OrgIdWsFederation:federation
        LOGIN
        UserInfo:Index
        ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        WindowsAuthenticationController:windowstransport
        PasswordLogonCookieCopyUsingDAToken
        Login:login
        SAS:ProcessAuth
        Consent:Set
        Login:resume
        Saml2:processrequest
        PIA:PIAProcessAuth
        OAuth2:DeviceAuth
        cmsi:Cmsi
        PasswordLogonSilentReAuthUsingDAToken
        ForeignRealmIndexLogonCookieCopyUsingDAToken
        OAuth2:ApproveSession
        Consent:Grant
        Login:reprocess
        MessagePrompt:MessagePrompt
        OrgIdWsFederation:postsrfactionhandler
        DeviceAuth:PKeyAuth
        SAS:BeginAuth
        OrgIdWsTrust2:process
        PasswordLogonInitialAuthUsingPassword
        ForeignRealmIndexLogonCookieCopyUsingSha1RememberMyPassword
        kmsi:kmsi
        SSPR:end
        WindowsAuthenticationController:sso
        PasswordLogonInitialAuthUsingADFSFederatedToken
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        OrgIdWsTrust2:extsts
        OAuth2:Authorize
        SidToName:SidToName
        SAS:ProcessAuth
        
      • Azure
        OAuth2:DeviceAuth
        SAS:BeginAuth
        PIA:PIAProcessAuth
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        OAuth2:Token
        Login:reprocess
        MessagePrompt:MessagePrompt
        Federation:oauth2claimsprovider
        Federation:oauth2
        Consent:Grant
        Login:reprocess
        SAS:EndAuth
        OrgIdWsFederation:postsrfactionhandler
        Login:login
        bind:Bind
        SAS:ProcessAuth
        SSPR:end
        WindowsAuthenticationController:usernamemixed
        OAuth2:DeviceAuth
        OAuth2:ApproveSession
        WsFederation:wsfederation
        KeyDataService:GetKeyData
        Consent:Set
        OAuth2:Token
        LOGIN
        PIA:PIAProcessAuth
        DeviceAuth:PKeyAuth
        OrgIdWsFederation:federation
        Login:resume
        kmsi:kmsi
        LOGIN
        
      • Microsoft
        OAuth2:DeviceAuth
        Login:resume
        Consent:Grant
        SAS:BeginAuth
        WsFederation:wsfederation
        OAuth2:Authorize
        Saml2:processrequest
        login
        Login:reprocess
        Federation:oauth2claimsprovider
        Federation:oauth2
        OrgIdWsTrust2:process
        kmsi:kmsi
        SAS:EndAuth
        LOGIN
        Login:login
        DeviceAuth:ReprocessTls
        MessagePrompt:MessagePrompt
        SAS:ProcessAuth
        Consent:Set
        WindowsAuthenticationController:usernamemixed
        
    • Alerts
      • Create an alert for each matching event with the policy’s severity: Configured
      • Send alert as email: Not configured
      • Send alert as text message: Not configured
      • Send alerts to Power Automate: Not configured
    • Governance actions
      • All apps: Not configured
      • Office 365: Not configured
  • Create activity policy
    • Policy name: Break Glass Account 2 Activity
    • Policy severity: Medium
    • Category: Privileged accounts
    • Description: This policy monitors break glass account called "break.glass_priv2@<Agency>.onmicrosoft.com" for all logon activity
    • Account to monitor: break.glass_priv2@<Agency>.onmicrosoft.com
    • Act on activity: Single activity
    • Policy Filters
      • Office 365
        SAS:EndAuth
        WindowsAuthenticationController:usernamemixed
        OrgIdWsTrust2:extsts
        WindowsAuthenticationController:sso
        DebugMode:Set
        Federation:oauth2claimsprovider
        ForeignRealmIndexLogonInitialAuthUsingSAML20PostSimpleSign
        SSO Logon
        bind:BindComplete
        OAuth2:Authorize
        Federation:oauth2msa
        WsFederation:wsfederation
        OAuth2:Token
        Federation:oauth2
        bind:Bind
        OrgIdWsFederation:federation
        LOGIN
        UserInfo:Index
        ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        WindowsAuthenticationController:windowstransport
        PasswordLogonCookieCopyUsingDAToken
        Login:login
        SAS:ProcessAuth
        Consent:Set
        Login:resume
        Saml2:processrequest
        PIA:PIAProcessAuth
        OAuth2:DeviceAuth
        cmsi:Cmsi
        PasswordLogonSilentReAuthUsingDAToken
        ForeignRealmIndexLogonCookieCopyUsingDAToken
        OAuth2:ApproveSession
        Consent:Grant
        Login:reprocess
        MessagePrompt:MessagePrompt
        OrgIdWsFederation:postsrfactionhandler
        DeviceAuth:PKeyAuth
        SAS:BeginAuth
        OrgIdWsTrust2:process
        PasswordLogonInitialAuthUsingPassword
        ForeignRealmIndexLogonCookieCopyUsingSha1RememberMyPassword
        kmsi:kmsi
        SSPR:end
        WindowsAuthenticationController:sso
        PasswordLogonInitialAuthUsingADFSFederatedToken
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        OrgIdWsTrust2:extsts
        OAuth2:Authorize
        SidToName:SidToName
        SAS:ProcessAuth
        
      • Azure
        OAuth2:DeviceAuth
        SAS:BeginAuth
        PIA:PIAProcessAuth
        DeviceAuth:ReprocessTls
        KeyDataService:GetKeyData
        OAuth2:Token
        Login:reprocess
        MessagePrompt:MessagePrompt
        Federation:oauth2claimsprovider
        Federation:oauth2
        Consent:Grant
        Login:reprocess
        SAS:EndAuth
        OrgIdWsFederation:postsrfactionhandler
        Login:login
        bind:Bind
        SAS:ProcessAuth
        SSPR:end
        WindowsAuthenticationController:usernamemixed
        OAuth2:DeviceAuth
        OAuth2:ApproveSession
        WsFederation:wsfederation
        KeyDataService:GetKeyData
        Consent:Set
        OAuth2:Token
        LOGIN
        PIA:PIAProcessAuth
        DeviceAuth:PKeyAuth
        OrgIdWsFederation:federation
        Login:resume
        kmsi:kmsi
        LOGIN
        
      • Microsoft
        OAuth2:DeviceAuth
        Login:resume
        Consent:Grant
        SAS:BeginAuth
        WsFederation:wsfederation
        OAuth2:Authorize
        Saml2:processrequest
        login
        Login:reprocess
        Federation:oauth2claimsprovider
        Federation:oauth2
        OrgIdWsTrust2:process
        kmsi:kmsi
        SAS:EndAuth
        LOGIN
        Login:login
        DeviceAuth:ReprocessTls
        MessagePrompt:MessagePrompt
        SAS:ProcessAuth
        Consent:Set
        WindowsAuthenticationController:usernamemixed
        
    • Alerts
      • Create an alert for each matching event with the policy’s severity: Configured
      • Send alert as email: Not configured
      • Send alert as text message: Not configured
      • Send alerts to Power Automate: Not configured
    • Governance actions
      • All apps: Not configured
      • Office 365: Not configured

Cloud Discovery > Score metrics

General
  • Category importance: Low (x1)
Field Importance N/A values
Founded Medium (x2) Excluded N/As
Holding Medium (x2) Excluded N/As
Domain registration Medium (x2) Excluded N/As
Consumer popularity Medium (x2) Excluded N/As
Security
  • Category importance: Medium (x2)
Field Importance N/A values
Data-at-rest encryption method Medium (x2) Excluded N/As
Multi-factor authentication Medium (x2) Excluded N/As
IP address restriction Medium (x2) Excluded N/As
User audit trail Medium (x2) Excluded N/As
Admin audit trail Medium (x2) Excluded N/As
Data audit trail Medium (x2) Excluded N/As
Data classification Medium (x2) Excluded N/As
Data-at-rest encryption Medium (x2) Excluded N/As
User-roles support Medium (x2) Excluded N/As
Valid certificate name Medium (x2) Excluded N/As
Trusted certificate Medium (x2) Excluded N/As
Encryption protocol Medium (x2) Excluded N/As
Heartbleed patched Medium (x2) Excluded N/As
HTTP security headers Medium (x2) Excluded N/As
Support SAML Medium (x2) Excluded N/As
Enforce transport encryption Medium (x2) Excluded N/As
Penetration Testing Medium (x2) Excluded N/As
Requires user authentication Medium (x2) Excluded N/As
Password Policy Medium (x2) Excluded N/As
Compliance
  • Category importance: Medium (x2)
Field Importance N/A values
FINRA Medium (x2) Excluded N/As
FISMA Medium (x2) Excluded N/As
GAAP Medium (x2) Excluded N/As
HIPAA Medium (x2) Excluded N/As
ISAE 3402 Medium (x2) Excluded N/As
ISO 27001 Medium (x2) Excluded N/As
ITAR Medium (x2) Excluded N/As
SOC 1 Medium (x2) Excluded N/As
SOC 2 Medium (x2) Excluded N/As
SOC 3 Medium (x2) Excluded N/As
SOX Medium (x2) Excluded N/As
SSAE 16 Medium (x2) Excluded N/As
Safe Harbor Medium (x2) Excluded N/As
PCI DSS version Medium (x2) Excluded N/As
ISO 27018 Medium (x2) Excluded N/As
GLBA Medium (x2) Excluded N/As
FedRAMP level Medium (x2) Excluded N/As
CSA STAR level Medium (x2) Excluded N/As
Privacy Shield Medium (x2) Excluded N/As
ISO 27017 Medium (x2) Excluded N/As
FFIEC Medium (x2) Excluded N/As
  • Category importance: Medium (x2)
Field Importance N/A values
Data ownership Medium (x2) Excluded N/As
DMCA Medium (x2) Excluded N/As
Data retention policy Medium (x2) Excluded N/As
GDPR – Report data breaches Medium (x2) Excluded N/As
GDPR – Data protection Medium (x2) Excluded N/As
GDPR – User ownership Medium (x2) Excluded N/As

Log Analytics

The following ABAC settings are required for Log Analytics log aggregation for Azure AD and Endpoint Manager. The Agency requires an Azure subscription to support this configuration.

https://portal.azure.com/ > Log Analytics workspaces > Create Log Analytics Workspace

The following tables describe the Log Analytics settings that are configured within the Log Analytics Workspace for all implementation types.

Item Configuration
Workspace Name agency-log-workspace
Azure Subscription Agency subscription
Region Australia Central
Log retention Retention Period: 1 year
Data Volume Cap: Off
Log Analytics Contributor Group rol-Agency-log-admin

Microsoft Endpoint Manager

Endpoint Manager admin center > Reports > Diagnostic settings

Item Configuration
Diagnostic Setting Name Send to Log Analytics
Log AuditLogs
SignInLogs
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
ProvisioningLogs
Destination details Send to Log Analytics Workspace (agency-log-workspace)

Azure Active Directory

Azure Active Directory > Monitoring > Diagnostic settings

Item Configuration
Diagnostic Setting Name Send to Log Analytics
Log AuditLogs
SignInLogs
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs
ProvisioningLogs
RiskyUsers
UserRiskEvents
Destination details Send to Log Analytics Workspace (agency-log-workspace)

Client configuration

Intune configuration

All Windows 10 client configuration is accomplished via Microsoft Intune policies for all implementation types. Hybrid implementation types may use a combination of Group Policy and MECM to configure clients in addition to Intune policies. These Intune configuration policies are detailed in separate documents that are explained in table below.

The following table describes the additional Intune Configuration Documents required for the blueprint for all implementation types.

Section Description Document Name
Device enrollment Automatic Enrolment, Enrolment Status page, Deployment Profiles DTA – ABAC - Intune Enrolment
Device compliance Device compliance policies DTA – ABAC - Intune Compliance
Device configuration Configuration Profiles, PowerShell scripts DTA – ABAC - Intune Configuration
Device security Windows 10 Security Hardening (ACSC), Microsoft Defender Configuration, Microsoft Edge Configuration DTA – ABAC - Intune Configuration
Client apps Win32 Apps, Web links, Windows MSI Line of Business apps, Office 365 installation, Windows Information Protection DTA – ABAC - Intune Applications
Conditional Access Conditional Access policies DTA – ABAC - Conditional Access Policies
Software Updates Windows 10 update rings and updates configuration DTA – ABAC – Intune Software Updates

Intune Co-management configuration (Hybrid implementation types only)

The following configuration is required for Intune Co-management is for Hybrid implementations only.

Microsoft Endpoint Manager > Quick Start > Account Details

  • Account Name: <Agency>.gov.au
  • Account status: Active
  • Account location: Australia 0101

Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune

  • MDM user scope: All
  • MDM terms of use URL: https://portal.manage.microsoft.com/TermsofUse.aspx
  • MDM discovery URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
  • MDM compliance URL: https://portal.manage.microsoft.com/?portalAction=Compliance
  • MAM user scope: None
  • MAM terms of use URL: <Blank>
  • MAM discovery URL: https://wip.mam.manage.microsoft.com/Enroll
  • MAM Compliance URL: <Blank>

Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune Enrollment

  • MDM user scope: All
  • MDM terms of use URL: https://portal.manage.microsoft.com/TermsofUse.aspx
  • MDM discovery URL: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

MECM admin console > About Microsoft Endpoint Configuration Manager

  • Version: 2107
  • SOE Name: Intune Auto Enrolment
  • Enrolled Device Types: Windows 10 | Version 21H1 | Build 19043

MECM admin console > Administration > Overview > Cloud Services > Co-management

  • Name: CoMgmtSettingsProd
  • Description: Co-management Production policy
  • Tenant onboarding: AzurePublicCloud
  • Enablement
    • Automatic enrollment in Intune: All
  • Workloads
    • Compliance policies: Intune
    • Device Configuration: Configuration Manager
    • Endpoint Protection: Configuration Manager
    • Resource access policies: Configuration Manager
    • Office Click-to-run apps: Configuration Manager
    • Windows Update policies: Configuration Manager

MECM admin console > Monitoring > Overview > Co-Management

Co-Management monitor screen is showing

  • Green for Client OS Distribution,
  • Blue for Co-management Enrollment Status

Printing

The following table outlines the client printing configuration per implementation type.

Implementation Item Configuration
All Printer addition restrictions Device Restrictions Intune Policy will be used to prevent addition and delivery of new printers via DNS name of printer: Endpoint Manager Admin center > Devices > Device Restrictions > Printer > Add New Printers: Block
All Shared Printer Connections Prevent user install via Intune policy CSP: Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
Cloud-native Driver Delivery Intune application deployment (*.intunewin) via script or native printer installation utility will be used for printer driver installation.
Hybrid Driver Delivery Existing MECM solution will be utilised in driver delivery for local printers.
Point to Print is enabled through GPO for printer driver installation from network printer queues.
All External Printer Connectivity External Printer Connectivity will be via an Always On VPN.
All Hybrid Cloud Print Not Configured.

End user internet access

The following table outlines the client internet access configuration scenarios per implementation type.

Implementation Item Configuration
All Internet Access Mechanism As per agency pattern for Internet access.
All Web Proxy Configuration Proxy can be configured in Intune via the NetworkProxyCSP: *./Vendor/MSFT/NetworkProxy or depending on the Agency internet access pattern.
Cloud-native DNS Provider Existing on-premises Active Directory DNS services will be utilised.
Hybrid DNS Provider As per agency pattern for DNS services.
All Office 365 Endpoint connectivity As per agency pattern for internet browser connectivity. Optimisation of traffic is required and recommended, see Office 365 URLs and IP address ranges for which categories are recommended for optimisation, and those that are compatible with ExpressRoute (if applicable).
Cloud-native Office 365 Authentication Traffic Configured to traverse the web proxy (if part of Agency pattern). Cloud-native implementation types without a proxy that supports SSL inspection will not be able to implement tenancy whitelisting feature.
Hybrid Office 365 Authentication Traffic Existing on-premises proxy will be utilised for Hybrid implementation types.
Cloud Windows Updates Client Devices will retrieve updates direct from Microsoft. Windows Update for Business Update Rings are configured in Intune as per the Software Updates ABAC.
Hybrid Windows Updates Existing MECM/WSUS solution will be utilised for update retrieval.
Hybrid Agencies may wish to transition over to Windows Update Rings in Intune (Windows Update for Business) by moving the Windows Update Policy slider to Intune. For more information on this configuration pattern see Windows Update for Business with management solutions.

Application control

The ABAC settings for the Agency Application Control can be found below. Please note, if a setting is not mentioned below, it should be assumed to have been left at its default setting.

Windows Defender Application Control

MECM managed installer (Hybrid implementation types)

The ABAC settings for MECM managed installer are applicable to hybrid implementation types only.

  • Device Collection
    • Name: WDAC-DeploymentCollection
    • Description: Collection used to deploy Managed Installer WDAC policy
    • Limiting collection: All Desktop and Server Clients
    • Membership Rule
      • Type: Query rule
      • Name: Windows 10 Machine Query
      • Query: select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation%" and SMS_R_System.OperatingSystemNameandVersion like "%10.0%"
    • Use incremental updates for this collection: enabled
    • Schedule a full update on this collection: enabled
  • Application Control Policy
    • Name: Agency-WDAC-ManagedInstaller
    • Description: -
    • Enforcement mode: Enforcement enabled - Only allow trusted executables to run
    • Authorize software that is trusted by the Intelligent Security Graph: Disabled
    • Trusted files or folders: Add as required
    • Deployment collection: WDAC-DeploymentCollection
    • Schedule: Simple schedule

Intune WDAC Base Policy

For all implementation types, it is recommended to deploy WDAC configuration through Intune configuration profiles:

  • ABAC configuration for this item can be found within the Intune Configuration ABAC.
  • Instructions on generating base policy that is used to generate the binary format policy file can be found within the Client Devices ABAC.

Configuration Profiles using Custom OMA-URI policy:

  • OMA-URI: ./Vendor/MSFT/ApplicationControl/Policies/*Policy GUID*/Policy
  • Data type: Base64
  • Certificate file: upload the binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64.

Note, the Policy GUID can be found within the policy file’s <policyID> xml block which can be viewed prior to converting to .bin format using ConvertFromCIPolicy. Additional policies as supplementals can be deployed using this method rather than maintaining a larger base policy.

Found an issue with the material above or have general feedback? Let us know over on Github.