Hey everyone! I'm diving into Intune to upgrade our small retail business's IT setup from locally-managed PCs to a more robust model with Intune and Defender. I'm the only IT person here, and we have around 15 employees. While I have experience with M365, Intune is a new venture for me. I've already spent a week familiarizing myself with it, leveraging Business Premium for policy enforcement, linking Defender for Business, and testing Autopilot on a couple of devices. However, I have some uncertainties and concerns that I hope to get your feedback on before I proceed with the rollout next month.
Here are my main questions:
1. **Licensing:** I'm considering using F3 licenses for our retail staff who don't use Office often. With additional Defender for Business licenses, this could be more affordable than Business Premium. Are there any drawbacks I'm not aware of?
2. **MFA Implementation:** My boss is worried that Multi-Factor Authentication (MFA) will slow down operations, especially for staff who only sign in while on-site. I'd like to enforce MFA, but do you think it's possible to balance security with usability, perhaps by using Conditional Access? What's the best way to handle MFA without causing too much friction?
3. **Password Management:** Currently, our team is just using sticky notes and documents for passwords. I'd love to implement something like Bitwarden later, but wonder if a combination of Windows Hello and Edge's built-in password manager is a safe interim solution?
I've been following this subreddit for a while and would really appreciate any guidance or personal experiences you can share about implementing these changes effectively!
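One way to implement the Conditional Access approach asked about in question 2, as an added example that is not from the original post or any reply: a Microsoft Graph PowerShell script that registers the store's public IP range as a trusted named location and creates a report-only policy requiring MFA for a pilot group whenever a sign-in comes from anywhere else. The group and user object IDs and the CIDR are placeholders.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
# Placeholders: the CIDR (203.0.113.0/24 is a documentation range) and both object IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Register the store's egress IP range as a trusted named location so that
#    on-site sign-ins can be treated differently from everything else.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Retail store - on-site"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

$pilotGroupId     = "<PILOT-GROUP-OBJECT-ID>"      # placeholder: small group of test users
$breakGlassUserId = "<BREAK-GLASS-USER-OBJECT-ID>" # placeholder: emergency admin, always excluded

# 2. Policy: pilot group, all cloud apps, any location except the trusted one,
#    access granted only after MFA. Report-only mode records in the sign-in logs
#    what the policy *would* have done without blocking anyone yet.
$policy = @{
    displayName   = "CA01 - Require MFA off-site (pilot)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the Entra sign-in logs for a week or two, then change `state` to `enabled` and widen the group. Windows Hello for Business sign-ins on the Autopilot devices already satisfy the MFA grant control, so users on those devices will rarely see an extra prompt even off-site.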
1 Answer
Honestly, you're running into a lack of management backing for security necessities. If security can't get funded, it’s likely to be seen as an inconvenience rather than a priority. You definitely made the right call on mixed licensing; your F3 + Defender P1 combo is sensible given your situation, but ensure you're clear with your management about the needs of a secure infrastructure. Also, if your MSP isn't pushing security discussions, that’s a red flag.

You’re spot on about the boss's perspective on MFA. I agree with you that you should explore alternatives first; maybe MS Authenticator could be the sweet spot if you can get staff on board with it. A document explaining its benefits in layman’s terms might help ease them into it.