Cloud Expert Maps Intune Entra and Purview to a Layered Zero Trust Model

Organizations are wrestling with inconsistent device compliance, complicated hybrid Windows environments, evolving security threats and rising expectations for seamless user experiences. Those pressures were the focus of the Microsoft Intune Deep Dive virtual summit held Jan. 30, an expert-led event positioned around "tried-and-true advanced configuration techniques, strategies for tackling identity and access management hurdles, and real-world tactics for securing apps and data." It's being made available for replay thanks to the sponsor, PDQ, a specialist in smarter device management for modern IT.

"Intune has really evolved to become something more than a traditional mobile device management solution. It has a policy, policy enforcement engine, a signal provider for identity decisions."

Joey D'Antoni, Principal Cloud Architect at 3Cloud

In the first session, "Securing the Modern Workplace: Intune Strategies for Identity, Apps, and Data Protection," presenter Joey D'Antoni, a principal cloud architect, outlined how Microsoft Intune can be used alongside Microsoft Entra and Microsoft Purview as part of a layered Zero Trust approach. "Intune has really evolved to become something more than a traditional mobile device management solution," D'Antoni said. "It has a policy, policy enforcement engine, a signal provider for identity decisions."

[Figure: Microsoft Security Stack Overview (source: Joey D'Antoni).]

Zero Trust as the Organizing Framework
Zero Trust was the throughline of D'Antoni's talk. "Zero trust is really a security concept, but it's not a product or service," he said. "It's really a modern cybersecurity strategy that assumes no implicit trust, not even within the corporate network itself. Instead of us trusting devices, users or applications by default, a zero trust approach is going to explicitly verify every access request, continually assess risk and enforce least privilege across the entire digital estate."

[Figure: Zero Trust Applied to the Workplace (source: Joey D'Antoni).]

D'Antoni tied the need for that model to how attacks are commonly carried out in Microsoft environments. "One of the most common attacks we see in Microsoft circles nowadays is really token stealing; that's the thing we're always looking for," he said.

Conditional Access as a Practical Control Point
D'Antoni spent significant time on Conditional Access as a way to translate Zero Trust concepts into day-to-day enforcement, especially when it comes to sign-in risk and authentication requirements. "Conditional access can do things like this: a user is logging in from an unusual location, and you can create a policy that says if they're logging in from an unusual location, maybe not just multi-factor them, but make them use phishing-resistant MFA," he said.

[Figure: Entra Conditional Access: Practical Scenarios (source: Joey D'Antoni).]

He also framed Conditional Access as a way to reduce user friction when configured thoughtfully. "You don't want to prompt your users to MFA 500 times a day because they're going to hate you," he said.

BYOD App Protection as a Fast Win
For organizations supporting personal devices, D'Antoni pointed to Intune app protection policies as a way to secure corporate data without full device enrollment. "We talked a little bit about this earlier, but this is something that's really easy to implement and can be the fastest win for organizations, because it doesn't require enrollment," he said.

[Figure: App Protection Without Device Control (BYOD) (source: Joey D'Antoni).]

As an example of how app-level controls can show up for end users, he noted, "If you've ever been unable to, like, copy text out of a Teams message, this is usually that mobile application management piece."

Purview Focuses on the Data Attackers Want
D'Antoni emphasized that the goal of many attacks is data access and exfiltration. "Attackers don't want devices, they're attacking your devices and phishing your users because they want to get access to data," he said.

[Figure: Data Is the Real Target (source: Joey D'Antoni).]

He described Purview's labeling and related controls as foundational to applying protection across Microsoft 365 services and endpoints. "Sensitivity and labels that we talked about are really the foundational capability of that, because that's where you're going to start to apply encryption access restrictions and visual markings on that data," he said.

[Figure: Data Protection with Microsoft Purview (source: Joey D'Antoni).]

D'Antoni also described how labeling can restrict access when content is shared in the wrong way. "Because Microsoft had labeled that confidential, it was protected, and he hadn't granted me access the right way; he had just attached it to an email, so it wouldn't let me unencrypt the file," he said.

[Figure: Purview + Intune: Better Together (source: Joey D'Antoni).]

End-to-End Flow: Sign-In to Protected Data
D'Antoni summarized the integrated approach as a sequence in which identity risk, device compliance, policy enforcement and data labeling operate together. "A user is going to sign in. Entra is going to evaluate the risk of that sign-in," he said. "Intune is going to check the device. It's going to see if the device is compliant." He continued: "If the application is allowed is going to be determined by conditional access. And then the data is protected through Purview's labeling."

[Figure: End-to-End Example Scenario (source: Joey D'Antoni).]
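To make the risky-sign-in scenario and the end-to-end flow concrete, here is an added example, not from D'Antoni's session or this article, that expresses both as one Conditional Access policy created through the Microsoft Graph PowerShell SDK: Entra's sign-in risk level is the trigger, Intune's device compliance and the built-in phishing-resistant authentication strength are the grant controls, and the policy starts in report-only mode so its impact on users can be measured before it is enforced. The policy name, the break-glass group ID and the seven-day review window are assumptions.

```powershell
# Added example (not from the summit or the article). Requires the Microsoft.Graph PowerShell SDK
# and an admin holding the scopes below. Break-glass group ID is a placeholder; replace it.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Built-in Entra authentication strength "Phishing-resistant MFA" (FIDO2, certificate-based auth, Windows Hello for Business).
$phishingResistantMfa = "00000000-0000-0000-0000-000000000004"
# Emergency-access accounts are excluded so a misconfigured policy cannot lock every admin out.
$breakGlassGroupId = "<PLACEHOLDER-BREAK-GLASS-GROUP-ID>"

$policy = @{
    displayName   = "ZT-01 Risky sign-in: phishing-resistant MFA + compliant device"
    # Report-only: sign-in logs show what the policy WOULD do; nobody is prompted or blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        # Entra ID Protection signal: unfamiliar sign-in properties or atypical travel raise this level.
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        # AND: the device must be Intune-compliant *and* the user must satisfy the auth strength.
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Friction check before enforcing ("don't prompt users 500 times a day"): after the policy has run in
# report-only mode for a while, list the users it would have interrupted most often over the last 7 days.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("s") + "Z"
$recent = Get-MgAuditLogSignIn -Top 500 -Filter "createdDateTime ge $since"
$recent |
    Where-Object { $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" } } |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

Switch `state` to `enabled` only after the report-only results show the expected users being challenged and no unexpected population being blocked.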

A Phased Adoption Roadmap
D'Antoni recommended adopting the stack in phases rather than attempting an all-at-once rollout. "Identity is always the foundation," he said. "You want device compliance." He continued: "Protecting those apps and requiring specific sets of workloads is also something that's really important. And then finally, data classification and data loss protection."

[Figure: Recommended Adoption Roadmap (source: Joey D'Antoni).]

In his closing summary, D'Antoni reiterated the roles he assigned to each layer. "Entra is going to drive that access, Intune is going to enforce trust, Purview is going to help you protect your data," he said.

And More
While replays are fine, especially if timely (this one was held just today, after all), one of the best things about attending such online education summits and events is the ability to put questions to the presenters, a rare opportunity for expert, real-world, one-on-one advice (not to mention the chance to win a great prize, in this case Bose noise-cancelling headphones, provided by sponsor PDQ, which also presented a session).