Microsoft 365 Endpoint Administration: Key Concepts for MD-102


Applies to: Microsoft 365 | Microsoft Intune | Microsoft Entra ID | Microsoft Defender for Endpoint

This article covers core endpoint administration concepts including Microsoft Store for Business roles, Azure AD Connect, BitLocker policy, Conditional Access, device restrictions, Safe Links, and Windows Update. These are practical topics every Endpoint Administrator needs to understand.


In this article

  • Microsoft Store for Business roles
  • Azure AD Connect cloud sync
  • BitLocker encryption via Intune
  • Conditional Access for MFA
  • Device type and compliance restrictions
  • SharePoint admin role assignments
  • Safe Links configuration
  • Windows Update best practices
  • Microsoft Defender for Office 365 preset security

Microsoft Store for Business roles

Microsoft Store for Business lets you purchase, manage, and assign apps to users in your organization.

The Admin role is the most appropriate when a user needs to:

  • Purchase apps from Microsoft Store.
  • Manage store availability for all items.
  • Assign licenses to users.

Following the principle of least privilege, assign only the roles that are needed. The Admin role covers all these tasks without granting unnecessary access.

| Role | Can purchase apps | Can assign apps | Can manage store settings |
|---|---|---|---|
| Basic Purchaser | Yes | No | No |
| Device Guard Signer | No | No | No |
| Admin | Yes | Yes | Yes |
| Billing Manager | Yes | No | No |

Azure AD Connect cloud sync

When setting up Azure AD Connect cloud sync in an on-premises Active Directory environment, both the component you install and the server you install it on matter.

For an environment with:

  • Server1 — Windows Server 2022 (Domain controller)
  • Server2 — Windows Server 2016 (Member server)
  • Server3 — Server Core, Windows Server 2022 (Member server)

You should:

  • Install the Azure AD Connect provisioning agent.
  • Install it on Server2 only — a supported member server running a full GUI installation of Windows Server.

[!NOTE]
The Azure AD Connect provisioning agent cannot be installed on a domain controller or a Server Core installation. Always use a supported member server with a full GUI.

Enable BitLocker encryption via Intune

To automatically enable BitLocker Disk Encryption on all Windows 10 devices enrolled in Microsoft Intune, create a device configuration profile.

  1. Open the Microsoft Intune admin center.
  2. Go to Devices > Configuration profiles.
  3. Select Create profile.
  4. Choose Windows 10 and later as the platform.
  5. Choose Endpoint protection as the profile type.
  6. Configure Windows Encryption (BitLocker) settings.
  7. Assign the profile to the target device group.

[!IMPORTANT]
Do not use an ASR policy, app configuration policy, or compliance policy for enabling BitLocker. A device configuration profile with Endpoint protection settings is the correct approach.

Conditional Access for selective MFA

When you have multiple apps and MFA is only required for one of them, use Conditional Access policies rather than enabling MFA for all users globally.

Conditional Access lets you:

  • Target specific users or groups.
  • Target specific cloud apps.
  • Define conditions such as device platform, location, and sign-in risk.
  • Require MFA only when conditions are met.

To configure this:

  1. Open the Microsoft Entra admin center.
  2. Go to Protection > Conditional Access.
  3. Create a new policy.
  4. Set the target app, users, and conditions.
  5. Under Grant, select Require multi-factor authentication.
  6. Save and enable the policy.

[!TIP]
Configuring MFA from the Enterprise applications blade or from the authentication settings applies it broadly. Use Conditional Access for granular, app-specific MFA control.
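The selective scope described above, as an added Python example that is not code from the original article: a simplified evaluator for a policy shaped like a Microsoft Graph conditionalAccessPolicy object. The group, user and app identifiers are constructed placeholders, and the evaluator handles only the users/groups, cloud app and device platform conditions, not every condition Conditional Access supports.

```python
from typing import Iterable

# Constructed policy: MFA for one group on one cloud app only; one
# break-glass account is excluded. All ids are placeholders.
CA_POLICY = {
    "displayName": "Require MFA for Finance app",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeGroups": ["group-finance-id"],   # placeholder object id
            "excludeUsers": ["breakglass-id"],       # placeholder object id
        },
        "applications": {"includeApplications": ["app-finance-id"]},
        "platforms": {"includePlatforms": ["all"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def policy_applies(policy: dict, user_id: str, user_groups: Iterable[str],
                   app_id: str, platform: str) -> bool:
    """True when the policy's assignments cover this sign-in."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users, apps, plats = cond["users"], cond["applications"], cond.get("platforms")
    if user_id in users.get("excludeUsers", []):
        return False   # exclusions always win over inclusions
    groups = set(user_groups)
    user_in_scope = ("All" in users.get("includeUsers", [])
                     or bool(groups & set(users.get("includeGroups", []))))
    app_in_scope = ("All" in apps["includeApplications"]
                    or app_id in apps["includeApplications"])
    platform_in_scope = (plats is None
                         or "all" in plats["includePlatforms"]
                         or platform in plats["includePlatforms"])
    return user_in_scope and app_in_scope and platform_in_scope

def mfa_required(policy: dict, user_id: str, user_groups: Iterable[str],
                 app_id: str, platform: str) -> bool:
    """MFA is demanded only when the policy applies and its grant control
    is mfa; every other sign-in proceeds without an extra prompt."""
    return (policy_applies(policy, user_id, user_groups, app_id, platform)
            and "mfa" in policy["grantControls"]["builtInControls"])
```

Contrast this with tenant-wide MFA, where every sign-in would be prompted regardless of app or group.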

Device type restrictions and device limit restrictions

In Microsoft Endpoint Manager, device restrictions control which platforms can enroll and how many devices a user can enroll.

Device type restrictions

| Priority | Name | Allowed platform | Assigned to |
|---|---|---|---|
| 1 | TypeRest1 | Android, Windows (MDM) | Group1 |
| 2 | TypeRest2 | iOS | Group2 |

Device limit restrictions

| Priority | Name | Device limit | Assigned to |
|---|---|---|---|
| 1 | LimitRest1 | 7 | Group2 |
| 2 | LimitRest2 | 10 | Group1 |
| 3 | LimitRest3 | 5 | Group3 |

For users in multiple groups, the highest priority (lowest number) policy that applies to the user wins.

[!NOTE]
Evaluate each user against their group memberships and identify which restriction policy applies first by priority order.
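To make the priority rule concrete, here is an added Python example (not code from the original article) that resolves the effective device type and device limit restriction for a user from the two tables above. The restriction rows are the article's sample values; the group memberships for user1 to user3 are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Restriction:
    priority: int       # 1 is the highest priority
    name: str
    value: str          # allowed platforms or device limit
    assigned_to: str    # group the restriction is assigned to

# Device type restrictions from the article's table.
TYPE_RESTRICTIONS = [
    Restriction(1, "TypeRest1", "Android, Windows (MDM)", "Group1"),
    Restriction(2, "TypeRest2", "iOS", "Group2"),
]

# Device limit restrictions from the article's table.
LIMIT_RESTRICTIONS = [
    Restriction(1, "LimitRest1", "7", "Group2"),
    Restriction(2, "LimitRest2", "10", "Group1"),
    Restriction(3, "LimitRest3", "5", "Group3"),
]

def effective_restriction(user_groups: Iterable[str],
                          restrictions: Iterable[Restriction]) -> Optional[Restriction]:
    """Return the restriction that wins for a user: among the restrictions
    assigned to any of the user's groups, the one with the lowest priority
    number. None means no listed restriction targets the user, so the
    tenant default applies."""
    groups = set(user_groups)
    candidates = [r for r in restrictions if r.assigned_to in groups]
    return min(candidates, key=lambda r: r.priority) if candidates else None

# Constructed group memberships for illustration.
USERS = {
    "user1": {"Group1", "Group2"},
    "user2": {"Group2", "Group3"},
    "user3": {"Group3"},
}

def resolve(user: str) -> dict:
    """Effective type restriction name and device limit for a user."""
    groups = USERS[user]
    t = effective_restriction(groups, TYPE_RESTRICTIONS)
    lim = effective_restriction(groups, LIMIT_RESTRICTIONS)
    return {"type": t.name if t else None, "limit": int(lim.value) if lim else None}

if __name__ == "__main__":
    for u in USERS:
        print(u, resolve(u))
```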


Assigning admin roles in Microsoft 365

When a new security administrator needs to manage Office 365 settings for Microsoft Teams, SharePoint, and OneDrive, assigning the SharePoint Administrator role alone is not enough.

The SharePoint Administrator role only covers SharePoint and OneDrive settings. It does not cover Teams or all Microsoft 365 services.

[!WARNING]
Assigning a single limited role when broader access is needed will result in the user being unable to manage all required services. Review the full scope of each admin role before assigning.

Safe Links configuration

To compare the current Safe Links configuration against Microsoft recommended settings, use Microsoft Secure Score.

Microsoft Secure Score:

  • Evaluates your current security configuration.
  • Compares it to Microsoft recommended baselines.
  • Provides actionable improvement items.
  • Tracks your score over time.

[!NOTE]
Microsoft Purview focuses on compliance and data governance. Azure AD Identity Protection focuses on identity risk. Use Microsoft Secure Score for a broad security posture comparison across services.

Windows Update best practices

When a new Windows 10 device needs to get up to date while minimizing the number of updates installed, the recommended approach is to install the latest feature update and all quality updates released since version 2004.

| Option | Updates installed | Recommended? |
|---|---|---|
| All feature updates since 2004 + all quality updates | Large number | No |
| Latest feature update only | Incomplete | No |
| Feature updates since 2004 + latest quality update only | Partial | No |
| Latest feature update + all quality updates since 2004 | Minimal, up to date | Yes |

This gets the device fully current in the fewest update operations.


Microsoft Defender for Office 365 preset security policy

When a Built-in protection preset security policy is applied to a Microsoft 365 subscription, it applies a baseline set of protections automatically.

Preset security policies include:

  • Standard protection — balanced settings for most organizations.
  • Strict protection — more aggressive settings for high-risk environments.
  • Built-in protection — applies basic Defender protections as a baseline safety net.

[!NOTE]
Built-in protection is applied automatically and covers users not targeted by Standard or Strict policies. It cannot be disabled but can be supplemented with custom policies.

