S33D Technology

💡 Did you know: The DoD publicly published a configuration guide to Microsoft Entra. Link in the Comments

The Defense Information Systems Agency (DISA) released, in February 2025, their first revision of their Microsoft Entra ID Security Technical Implementation Guide (STIG). Is it fantastic and will solve all of your problems? No. But it does push out some basic items that can secure your organization.

As is typical, they included the NIST SP 800-53 revision 4 and revision 5 references. These are great for everyone that need a reference of how to do something, and you don't know where to start for your CMMC/NIST compliance program.

STIGs are great resources that someone that is advanced and someone that is a novice can benefit from. Just like CIS Benchmarks.

Happy compliance. Reach out if you want to implement this or other security configurations in your organization and just need someone to speak to you about it before you start clicking buttons and brick a computer.

📝𝗛𝗼𝘄 𝗧𝗼: Managing App Protection Policies for Unmanaged Devices in Microsoft Intune

If you’re setting up an App Protection Policy (MAM) in Intune and want it to apply only to unmanaged devices (think personal phones or laptops that access corporate apps like Outlook, Teams, or OneDrive), you’ll notice that the old method of selecting 'Unmanaged Devices Only' is no longer available.

👉 Instead, Microsoft now requires you to:

Set Target to apps on all device types = Yes (𝘯𝘰 𝘸𝘢𝘺 𝘢𝘳𝘰𝘶𝘯𝘥 𝘵𝘩𝘪𝘴).

Create and assign a MAM Assignment Filter where:

🖱️ Property: deviceTrustType

🖱️ Operator: Equals

🖱️ Value: Azure AD registered

✅ Azure AD registered devices are typically personal BYOD devices, not fully managed corporate assets.

By filtering this way, you can tightly control which apps and devices are protected — without over-enforcing restrictions on corporate-managed devices that already meet compliance standards.

Key takeaway:

Don’t look for “𝘋𝘦𝘷𝘪𝘤𝘦 𝘔𝘢𝘯𝘢𝘨𝘦𝘮𝘦𝘯𝘵 𝘛𝘺𝘱𝘦” when filtering MAM policies anymore — use Device Trust Type and target Azure AD registered devices instead.

Security is constantly evolving, and small changes like this have a big impact when you're scaling secure access in hybrid environments.