Microsoft Provisioning FAQ
- Updated on 13 Aug 2024
This article lists some of the most commonly asked questions regarding Red Canary and provisioning for Microsoft Defender for Endpoint (MDE).
For Red Canary’s security analysts to log into a user’s MDE console, Microsoft requires the user to grant permission to the Red Canary tenant, which contains all of our trusted and verified Red Canary employees.
Please open a support case if there are any further questions we can help with.
FAQ
Does the tenant ID that Red Canary provides represent a separate tenant for each user?
No. The redcanary.com tenant ID represents Red Canary’s corporate tenant, which is managed by Red Canary.
How many users are in the Entra ID tenant/directory? What is the role of the personnel?
The tenant contains only users whose role requires a Microsoft Entra ID account. These are Red Canary employees who need access to your tenant/directory to help with detection and troubleshooting.
Can I set up two roles, one without live response and one with live response that requires justification?
Yes. You can configure roles both ways. Live Response is currently not a prerequisite for Red Canary to perform our service, but it gives our Threat Hunting team on-demand access to a device via a remote shell through the customer’s MDE console. This helps us respond to and contain threats immediately.
Can you automatically assign a license using Entra ID?
From the Entra ID Admin Center, Red Canary recommends assigning licenses via a group. You can do this as long as you’re a license admin within Entra ID for your organization. For more information, see Assign or unassign licenses for users in the Microsoft 365 admin center in Microsoft’s documentation.
Can single sign-on setup be applied to computers without a federated server?
Yes. In the context of Entra ID SSO, single sign-on can be applied when cloud applications use federation protocols. For on-premises applications, however, use Entra ID Application Proxy.
Is there quality documentation on Microsoft Intune setup and registration?
Red Canary recommends reviewing the Microsoft Intune documentation. The deployment planning guide for Microsoft Intune is thorough and covers migration and configuration scenarios, costs and licensing, policies, and rollout plans.
Is pushing group policy in a hybrid environment done through on-premises Microsoft Active Directory or Intune?
Red Canary recommends that you use Microsoft Intune (which is part of Microsoft Endpoint Manager) whenever possible, as it offers more configuration choices. However, you can use either.
How does conditional access work? If we don't want to require multi-factor authentication for all staff on campus, how can we set this up?
Conditional access policies are configured through Entra ID. Click Conditional Access, and then click New Policy to create a conditional access policy. Various actions and conditions can be assigned to specific users or groups in this manner. Learn more about creating a conditional access policy.
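As an added example (not part of the original article or Red Canary’s own tooling), the following Microsoft Graph PowerShell script shows the policy shape behind the question above: it defines the campus network as a trusted named location and creates a conditional access policy that requires MFA everywhere except from that location. The CIDR range and the break-glass group ID are placeholders, and the policy starts in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not Red Canary's code). Requires the Microsoft.Graph PowerShell SDK
# and an account permitted to manage conditional access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Define the campus network as a trusted named location.
#    203.0.113.0/24 is a documentation range; replace it with your campus egress range.
$campus = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Campus network"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# 2. Require MFA for all users and all apps, except sign-ins from the campus location.
#    Report-only mode records what the policy would do without blocking anyone yet.
#    <break-glass-group-id> is a placeholder for your emergency-access accounts group.
$policy = @{
    displayName   = "Require MFA outside campus"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($campus.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in logs look as expected, change `state` to `enabled` to enforce the policy.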
How does MDE licensing work for a computer shared by 20 or more users?
Official Microsoft guidelines allow up to 5 devices per user account licensed for MDE. If you have additional questions, reach out to Microsoft for guidance on your specific scenario.
What is the advantage of the Microsoft E5 security add-on over Microsoft E3?
For a full matrix of Microsoft licensing that we find helpful, see The Complete Office 365 and Microsoft 365 Licensing Comparison from Infused Innovations. This explains the differences between the Microsoft licensing levels.
How do we block the Microsoft store? Is this a group policy setting?
Using a Group Policy Object (GPO) or Device Restriction Settings in Microsoft Intune is the most efficient way to accomplish this.
What are the differences between Entra ID P1 and P2?
For a full matrix of Microsoft licensing that we find helpful, see The Complete Office 365 and Microsoft 365 Licensing Comparison from Infused Innovations. This explains the differences between the Microsoft licensing levels.
What advanced security reporting is included in E3? How does this differ from E5 or E5 security?
For a full matrix of Microsoft licensing that we find helpful, see The Complete Office 365 and Microsoft 365 Licensing Comparison from Infused Innovations. This explains the differences between the Microsoft licensing levels.
If admins have E5 licenses, can they track the compliance of users without E5, or do they require E5 licenses as well?
For features to be fully enabled, each user must have their own license assigned. This ensures that the metrics and tooling supporting that user are enabled properly inside M365. There are exceptions depending on the technologies involved, but compliance is also a consideration.
What is the best way to group sensors dynamically?
The easiest way to dynamically group sensors is to use a reporting tag.
Are there any considerations with Automate interfering with MDE?
Automate actions will queue in MDE through the API.
How can a user continue remediation once an endpoint is isolated? What access to the endpoint will the user have?
MDE is still able to monitor the endpoint after isolation. For more information, see Isolate devices from the network in Microsoft Documentation.
If a user has Defender and the ability to group endpoints is not available, can they use reporting tags to do this? Is there another way the user can do this?
When we sync endpoints, we will populate the Red Canary “Sensor Group” field with whatever value the user has configured as the “Machine Group Name” in Defender.
Are there any considerations for MDE response actions? Will the actions interfere with Red Canary's automated capabilities?
Red Canary response actions use MDE response capabilities, so there shouldn't be any issues when using both.
Where can I find information about my MDE plan?
Microsoft offers multiple plans for MDE. Learn more about your MDE plan here.