Certificate, a new tenant and Intune

Last Thursday I started studying because I’m going to take the SC-401 exam (Information Security Administrator) in a pretty short while, so some of what I’m building in the tenant might be connected to that.
I’m starting with SC-401 because I got it for free, and the plan is to use this time while I’m unemployed to get a few more certs.
If I get a job, I’ll still keep studying, but maybe on a slightly smaller scale.
The plan is to take SC-401, SC-300, SC-200, and SC-100, and then maybe I’ll continue with AZ-500, but that feels pretty far off right now.
But like I said, some of what I’m doing might be connected to that. It’s a path I’m not totally new to, but I’ve mostly just scratched the surface before; now it’s becoming more real.

Since I’m currently studying for SC-401, I chose trial licenses for E5. But it’s not justifiable to keep those licenses, so I started thinking about what licenses I actually need.
I know that I currently need three users: one for myself personally, who will be the main user on devices and connected to the email I use most,
one for StackPride365, and one more that just needs access to apps.
Based on that, I started comparing licenses.
The one that only needs apps is easy – there’s a Microsoft 365 Apps for Business license that’s perfect for that.
My best tip if you have a small company and don’t have the ability to hire an IT department/person is that Microsoft 365 Business licenses are the most cost-effective option out there.
There are a few different versions, and depending a bit on your needs, you can choose one of them. But if you want a secure environment with managed devices, then Microsoft 365 Business Premium is absolutely the best value and is targeted at companies with fewer than 300 users.
You can’t customize it very much though, and since I want to set my own security policies and so on, it doesn’t work for every seat in my case – but for the user that only needs apps, it works fine.
For StackPride365, I basically only need a mailbox. It might be enough with a shared one, or maybe an Exchange Online Plan 1.
I haven’t quite decided yet on what’s best, but Exchange Online Plan 1 is a good license if you just need a mailbox that you can log into with its own account.
When it comes to the main user, I can’t fully justify spending over 800 SEK a month right now as a job seeker, but I still want to build a secure MDM environment.
So I ended up going with a combo of Microsoft E3 and Enterprise Mobility + Security E5.
That gives me a bit of the best of both worlds – you get device security, the Windows license, the Office package, and more, for a slightly lower price.
There are benefits to Microsoft E5 though – you get Power BI and even more security features for the user.
All license evaluations and decisions must be based on actual needs, but to be honest, many people are licensed incorrectly and don’t take advantage of what they’re paying for.

Then it was time to start connecting domains to the tenant.
The ones to be added were StackPride365.se/.com as well as bobin.se. However, I needed to move bobin.se to another DNS provider since I’m going to rebuild the entire bobin.se as well.
I set up the following for all the domains so I can use them effectively:

  • Exchange
  • Exchange Online Protection
  • Intune and Mobile Device Management
  • DKIM

This is really a combo of what I dream of for a company and my personal email – meaning it’s also part of my personal sphere, so there are adjustments I wouldn’t normally have made, but since this is my project, those adjustments are there.
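DKIM for a custom domain in Exchange Online is a two-step job: the tenant generates the keys and tells you which two CNAME records to publish, and signing can only be switched on once those records resolve. The script below is an added example (not code from the original post) that creates the signing config for the three domains named above, checks public DNS for the two selector CNAMEs, and enables signing only where both resolve. It assumes the ExchangeOnlineManagement module and an Exchange admin account; the DNS check uses Resolve-DnsName, which is the Windows DnsClient module.

```powershell
# Added example: enable DKIM signing in Exchange Online for custom domains.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account is an Exchange administrator. Resolve-DnsName is Windows-only (DnsClient).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Domains from the post; the tenant's *.onmicrosoft.com domain is signed automatically.
$domains = @('stackpride365.se', 'stackpride365.com', 'bobin.se')

foreach ($domain in $domains) {
    # Create the signing config (keys are generated tenant-side) if it does not exist yet,
    # but leave it disabled until the CNAMEs are verified.
    $cfg = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
    if (-not $cfg) {
        $cfg = New-DkimSigningConfig -DomainName $domain -Enabled $false
    }

    # Exchange Online tells you the exact CNAME targets; no need to guess the pattern.
    $expected = @{
        "selector1._domainkey.$domain" = $cfg.Selector1CNAME
        "selector2._domainkey.$domain" = $cfg.Selector2CNAME
    }

    $missing = @()
    foreach ($name in $expected.Keys) {
        $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
        $target = ($answer | Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1).NameHost
        if ($target -ne $expected[$name]) {
            $missing += "$name -> $($expected[$name])  (found: '$target')"
        }
    }

    if ($missing.Count -gt 0) {
        Write-Warning "$domain : publish these CNAME records before enabling DKIM:`n  $($missing -join "`n  ")"
        continue
    }

    # Both selectors resolve. Enabling before DNS is in place fails with a CNAME
    # lookup error, which is why the check runs first.
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Write-Host "$domain : DKIM signing enabled"
}

# Final state for all domains in the tenant.
Get-DkimSigningConfig | Format-Table Domain, Enabled, Selector1CNAME, Selector2CNAME -AutoSize
```

Run it once to get the CNAME targets, publish them at the DNS provider (the post mentions moving bobin.se for exactly this kind of work), wait for propagation, and run it again; the second pass enables signing. Rotating keys later is the same flow with Rotate-DkimSigningConfig.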
I also created users for the ones I need.

Two were the most important: one user who is a Global Admin and doesn’t have a license at all, and one user without MFA but with a very secure password – a kind of break-glass admin account.
Because you shouldn’t have Global Admin on your main account.
The idea with the break-glass account is that it should also have an MFA break-glass security key.
I just need to get another YubiKey.
From a security standpoint, it’s a better solution than having your regular account with a bunch of rights, because you have to consider what happens if someone actually gets access to that account.
I also created MFA policies for both admin and users.
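The point of separating the Global Admin account, the break-glass account and the daily user is that the MFA policies can be strict for everyone except the one account that must still work when MFA itself is broken. The script below is an added example (not code from the original post) that creates the two policies described above through Microsoft Graph PowerShell: one for holders of the Global Administrator role and one for all users, both excluding the break-glass account, and both in report-only mode so they can be reviewed in the sign-in log before enforcement. The break-glass UPN is a placeholder, since the post does not name the account.

```powershell
# Added example: MFA Conditional Access policies for admins and for all users,
# excluding the break-glass account. Assumes the Microsoft.Graph PowerShell SDK is
# installed; the break-glass UPN below is an assumption, not from the post.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'Directory.Read.All', 'User.Read.All'

$breakGlassUpn = 'breakglass@stackpride365.com'   # placeholder
$breakGlass = Get-MgUser -UserId $breakGlassUpn -ErrorAction SilentlyContinue
if (-not $breakGlass) {
    throw "Break-glass account '$breakGlassUpn' not found; refusing to create policies that could lock you out."
}

# Resolve the Global Administrator role template instead of hard-coding its id.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'

function New-MfaPolicy {
    param([string]$Name, [hashtable]$Users)
    $body = @{
        displayName = $Name
        # Report-only first: check the sign-in log, then flip the state to 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Admin policy: anyone holding Global Administrator, minus the break-glass account.
New-MfaPolicy -Name 'CA001 - Require MFA for admins' -Users @{
    includeRoles = @($gaRole.Id)
    excludeUsers = @($breakGlass.Id)
}

# User policy: everyone, minus the break-glass account.
New-MfaPolicy -Name 'CA002 - Require MFA for all users' -Users @{
    includeUsers = @('All')
    excludeUsers = @($breakGlass.Id)
}

# Sanity check: every policy in the tenant should exclude the break-glass account.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $excluded = $_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id
    '{0,-40} state={1,-35} breakGlassExcluded={2}' -f $_.DisplayName, $_.State, $excluded
}
```

The final loop is the check worth keeping around: any policy that does not exclude the break-glass account is a policy that can lock the tenant out. Monitoring sign-ins from that account (it should normally never sign in) is the other half of the break-glass pattern.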

I also had to disable the Microsoft Security Baseline. It’s actually a really great feature – if you don’t have someone working with security, I can highly recommend it.

I have also migrated the mailboxes from my old tenant. I used Purview and AZCopy to carry out the migration.

I’ve also started building the Intune environment for macOS – one of my sources of knowledge that has taught me a lot is IntuneStuff.
Normally, I would have tried connecting Apple Business Manager first, but since I need a DUNS number, I can’t start with that.
So instead, I began setting up some profiles:

  • FileVault so that it’s encrypted and secure
  • Platform SSO so we can use MS accounts on the MacBook
  • MS Edge so it becomes a bit more secure and behaves the way I want
  • MS Office so it becomes more secure and behaves the way I want
  • MS Defender so we get security and antivirus and everything that comes with Defender

And I added the same apps too.
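FileVault is the profile on that list with the most room for a wrong setting: if the recovery key is not escrowed, an encrypted Mac that loses its password is simply gone. The script below is an added example (not code from the original post) that creates and assigns a macOS FileVault profile through Microsoft Graph, escrowing the personal recovery key to Intune. It uses the Graph beta endpoint and the macOSEndpointProtectionConfiguration resource; the property names follow the beta schema, and assigning to all devices is an assumption made because the post has no device groups yet.

```powershell
# Added example: Intune macOS FileVault profile via Microsoft Graph (beta).
# Assumes the Microsoft.Graph PowerShell SDK is installed. The "all devices"
# assignment is an assumption; scope it to a device group in a real tenant.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$fvProfile = @{
    '@odata.type' = '#microsoft.graph.macOSEndpointProtectionConfiguration'
    displayName   = 'macOS - FileVault'
    description   = 'Full-disk encryption; personal recovery key escrowed to Intune'
    fileVaultEnabled                             = $true
    fileVaultSelectedRecoveryKeyTypes            = 'personalRecoveryKey'
    # Hide the key from the user at enablement; it is escrowed to Intune and can be
    # read from the device record by an admin (or by the user in the Company Portal).
    fileVaultHidePersonalRecoveryKey             = $true
    fileVaultPersonalRecoveryKeyRotationInMonths = 6
    fileVaultPersonalRecoveryKeyHelpMessage      = 'Your recovery key is stored by IT. Contact support if you are locked out.'
    # Allow a few deferrals so the prompt is not hostile, but do not let it be ignored forever.
    fileVaultAllowDeferralUntilSignOut           = $true
    fileVaultNumberOfTimesUserCanIgnore          = 3
    fileVaultDisablePromptAtSignOut              = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($fvProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the profile (assumption: all devices).
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Verify: list the macOS endpoint protection profiles and whether FileVault is on.
$all = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$all.value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.macOSEndpointProtectionConfiguration' } |
    ForEach-Object { '{0}: fileVaultEnabled={1}, keyType={2}' -f $_.displayName, $_.fileVaultEnabled, $_.fileVaultSelectedRecoveryKeyTypes }
```

After the Mac checks in, the escrowed key shows up under the device's Recovery keys in the Intune admin center; that is the thing to confirm before relying on the policy, because a profile that enables FileVault without a visible escrowed key has left you with encryption and no way back in.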

The journey toward a stable tenant continues.
