The New Signature blog will play host to a series from a Senior Learning & Adoption Associate. Working as part of our learning team brings with it many questions from business IT stakeholders and end users just like you. In this series, we will bring forward some of the most commonly asked questions and highlight the answers from our expert. Our first installment revolves around security management.
Question one: If multiple Intune policies are deployed to the same device how do I know which settings will get applied?
Answer one: When two Intune policies are deployed to the same device, the evaluation for which setting is applied is done at the individual setting level. Here is how that evaluation plays out:
- Compliance policy settings always have precedence over configuration policy settings.
- The most restrictive compliance policy setting is applied if evaluated against the same setting in a different compliance policy.
- If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict will be displayed in the Intune console. You must manually resolve such conflicts.
- Further information about other types of policy conflict and application can be found here.
For example, let’s look at the password settings for two policies that are both deployed to the same device:
- Compliance Policy A: Minimum password length = 6
- Compliance Policy B: Minimum password length = 4
In this scenario the minimum password length required on the device would be 6 characters.
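To make the per-setting evaluation above concrete, here is a small model of the three rules (compliance beats configuration, most restrictive compliance value wins, conflicting configuration values are left for manual resolution). It is added for this post and is not Microsoft's or Intune's own code; the policy names, setting keys and the "stricter direction" table are constructed assumptions.

```python
from dataclasses import dataclass

# Which direction is "more restrictive" for each setting (assumed table):
# a larger minimum password length is stricter, a smaller inactivity timeout is stricter.
STRICTER_IS_HIGHER = {"minPasswordLength": True, "maxInactivityMinutes": False}


@dataclass
class Policy:
    name: str
    kind: str        # "compliance" or "configuration"
    settings: dict   # setting name -> value


def evaluate(policies):
    """Return {setting: (winning_value, source_policy_name)}.
    The source is the string 'conflict' (with value None) when two configuration
    policies disagree and no compliance policy covers that setting."""
    result = {}
    names = {s for p in policies for s in p.settings}
    for setting in names:
        comp = [(p.settings[setting], p.name) for p in policies
                if p.kind == "compliance" and setting in p.settings]
        conf = [(p.settings[setting], p.name) for p in policies
                if p.kind == "configuration" and setting in p.settings]
        if comp:
            # Rules 1 and 2: compliance takes precedence over configuration, and
            # among compliance policies the most restrictive value is applied.
            pick = max if STRICTER_IS_HIGHER[setting] else min
            result[setting] = pick(comp, key=lambda v: v[0])
        elif len({v for v, _ in conf}) > 1:
            # Rule 3: conflicting configuration settings are not auto-resolved;
            # Intune surfaces them in the console for an admin to fix.
            result[setting] = (None, "conflict")
        else:
            result[setting] = conf[0]
    return result


# Constructed sample: the post's two compliance policies plus a configuration conflict.
SAMPLE = [
    Policy("Compliance Policy A", "compliance", {"minPasswordLength": 6}),
    Policy("Compliance Policy B", "compliance", {"minPasswordLength": 4}),
    Policy("Config Policy X", "configuration",
           {"minPasswordLength": 8, "maxInactivityMinutes": 15}),
    Policy("Config Policy Y", "configuration", {"maxInactivityMinutes": 5}),
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(evaluate(SAMPLE).items()):
        print(f"{setting}: {value} (from {source})")
```

Note that the configuration policy's stricter value of 8 is ignored because a compliance policy covers the same setting, which is exactly the precedence the first rule describes.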
Question two: If I activate Multi-Factor Authentication (MFA) for Privileged Identity Management (PIM) role activation, does it also enforce MFA for other authentications by that user?
Answer two: One of the ideas behind PIM is to have IT administration accounts run under a normal, user-level security context by default. When the users of those accounts need to carry out an administrative function that requires them to act as administrators, they must enter credentials and authenticate. Once authenticated, the account is temporarily elevated into the security context of an administrative user so that the admin-level actions can be performed. By enforcing MFA for Privileged Identity Management, you require the user to provide two forms of authentication at the point when they try to elevate their account. This is easy to implement within the PIM console and can help improve security within your organization. However, the MFA requirement for PIM only applies at the point of account elevation. When the user logs on to other elements of the O365 service, they are not required to provide a second authentication factor (MFA) unless you have also set up MFA for non-PIM scenarios, which is certainly worth considering. Note: Privileged Identity Management (PIM) is available with the Premium P2 edition of Azure Active Directory online.
Question three: Which role can manage the Azure AD Privileged Identity Management (PIM) feature, and how does this relate to the global administrator role?
Answer three: The first user to enable Azure AD Privileged Identity Management (PIM) for an organization is required to be a global administrator, and that user becomes the first Security Administrator. Other global administrators, however, do not have access to PIM by default, so they cannot manage temporary assignments. To give access to PIM, the first user can assign the others to the Security Administrator role. This assignment must be done from within PIM itself, and cannot be changed via PowerShell or other portals. Find more information here and here.