#Windows365 brings context-based redirections. Now you can block redirections of Drive/Clipboard/Peripherals from personal devices.
https://t.co/sYjWoiob6y
“RADIUS is the protocol that will never die” - Alan DeKok
So given that RADIUS is staying, what do we need to do to make it secure for the next 30 years?
https://t.co/eX572AtSPL
#Autopilot Device Preparation Policies are now generally available with #Windows365. Ensure your applications are installed and scripts are run before the #CloudPC is considered "provisioned":
https://t.co/AHFmAiOpIj
3.10.3 Released. Added Win32 app Install/Uninstall script support and Windows Quality Update Policies. Fixed category import, JSON property order for Git tracking + multiple documentation fixes. See https://t.co/fFctA4XZkj for more info
What’s new in Microsoft Intune – April https://t.co/SIMFcJyygN
I'm proud to announce that New Windows Application Inventory in Intune Released today!
Tired of forced reboots interrupting your users?
I built a solution using Intune's Win32 app framework to trigger graceful, user-aware restarts on demand - toast notification, snooze, grace period and all.
https://t.co/UawJfztp14
#Intune #MicrosoftIntune #PowerShell
🔒 Secure Bits 💡
Your tenant has a CA misconfiguration. Every admin is locked out. Do you have a way back in?
Most organizations don’t — or think they do, until they discover their break-glass accounts are untested, unmonitored, or built on outdated guidance. You don’t want to find that out the hard way, and you definitely don’t want to go through Microsoft’s Tenant Recovery process.
🤔 Why care?
A lockout from a bad CA policy, a compromised admin, or a personnel emergency means opening a support ticket with Microsoft and waiting. In urgent situations, you don’t have 14 days for that process.
🧠 What we see in the field
• Break-glass accounts are missing — Two geographically separated accounts are the baseline.
• Generic names — admin@…, info@… are not break-glass accounts.
• Full CA exclusion is dead — MFA is now enforced by Microsoft regardless.
• Weak auth methods — Phone or certificate-based auth will fail exactly when you need it.
• Unprotected accounts — Any admin can edit or delete them.
• No monitoring — If someone touches these accounts, you should know immediately.
🛠️ Create two accounts
Use descriptive names on onmicrosoft[.]com with a random string — e.g. [email protected]. Assign Global Administrator as a direct, permanent, active role. No eligibility.
🛠️ Lock them down
Place both accounts and their group inside an RMAU (requires Entra P1). Manage access via a custom PIM role — max 1-hour activation, approval required, auth context enforced (requires Entra P2).
🛠️ Configure authentication
Scope a passkey profile to the break-glass group with specific AAGUIDs for your hardware keys (YubiKey, Token2). Enforce via a custom authentication strength in a dedicated CA policy. Exclude the group from all other CA policies — run a What If to verify only your two break-glass policies apply.
🛠️ Set up alerting
Stream AuditLogs and SignInLogs to a Log Analytics Workspace (requires Azure subscription). KQL alert rule on the break-glass Object IDs — any event fires immediately.
🛡️ Store, test, document
Each passkey + PIN in a separate physical location. Define who can trigger the procedure and under what circumstances. Test end-to-end at minimum every 180 days — Microsoft recommends 90. Pick your cadence, but validate.
💬 When was the last time you tested these accounts?
Author: Martin Strnad
PS: We will soon publish a full guide on this topic!
#EntraID #IdentitySecurity #ConditionalAccess #SecureBits #HorizonSecured
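The alerting step above (stream AuditLogs and SignInLogs to a Log Analytics Workspace, then alert on the break-glass Object IDs) as an added KQL example; this is not from the post or its author. It assumes the Entra diagnostic settings already send the SignInLogs and AuditLogs categories to the workspace (the interactive sign-in table is named SigninLogs there), and the two object IDs are placeholders to replace with the real break-glass account IDs.

```kql
// Added example: query to back a scheduled alert rule that fires on ANY event
// involving the break-glass accounts. Object IDs below are placeholders.
let BreakGlassIds = dynamic(["BREAKGLASS-1-OBJECT-ID-PLACEHOLDER",
                             "BREAKGLASS-2-OBJECT-ID-PLACEHOLDER"]);
// Every interactive sign-in by a break-glass account, successful or failed.
// A failure is just as interesting as a success: these accounts should be idle.
let BreakGlassSignIns = SigninLogs
    | where UserId in (BreakGlassIds)
    | project TimeGenerated,
              Source = "SigninLogs",
              Actor = UserPrincipalName,
              Activity = strcat("Sign-in (", ResultType, ") ", ResultDescription),
              Target = UserPrincipalName,
              IPAddress;
// Every directory change made TO a break-glass account (password reset, role or
// group change, RMAU change, deletion) or BY one (anything it did while in use).
let BreakGlassAudits = AuditLogs
    | extend Initiator = parse_json(tostring(InitiatedBy.user))
    | mv-expand TargetResource = TargetResources
    | where tostring(TargetResource.id) in (BreakGlassIds)
         or tostring(Initiator.id) in (BreakGlassIds)
    | project TimeGenerated,
              Source = "AuditLogs",
              Actor = tostring(Initiator.userPrincipalName),
              Activity = OperationName,
              Target = tostring(TargetResource.userPrincipalName),
              IPAddress = tostring(Initiator.ipAddress);
// One result set; the alert rule condition is simply "number of results > 0".
union BreakGlassSignIns, BreakGlassAudits
| order by TimeGenerated desc
```

Run it over the last 24 hours to confirm it returns nothing during normal operation, then once more right after a test sign-in to confirm both the sign-in row and the resulting audit rows appear. If the workspace also receives the non-interactive sign-in category, add the AADNonInteractiveUserSignInLogs table to the union the same way so token refreshes by these accounts are not missed.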
📱 Migrating frontline devices? Start by understanding what you actually have.
Our latest @MSIntune blog with Intune MVP @SMG_0927 shows how to identify gaps, eliminate unknowns, and build a reliable foundation for your migration.
➡️ Learn more: https://t.co/YBieNjEXMS
#MSIntune #AlwaysIntune
Windows 365 and Microsoft Intune Suite are stronger together.
Learn how Windows 365 fits cleanly into existing Intune workflows—supporting Zero Trust, modern management, and scalable operations, without added complexity: https://t.co/nTveM4o7m6