Weekly Roundup

WeeklyUpdate-July1stWeek

Field Notes & Fellow Travelers: What I’m Reading This Week | Modern Workplace Security
HomeWeekly Roundup › Field Notes & Fellow Travelers
Weekly Roundup · Jul 2026

Field Notes & Fellow Travelers: What I’m Reading This Week

A look back at what’s gone up on this site the last two weeks, plus a spotlight on an Intune MVP whose read on the E3/E5 licensing change is worth your time — with the real, unfiltered version of his opinion.

#intune #mvp-spotlight #threat-intel #licensing #community

I usually keep this site focused on my own lab notes, but every so often it’s worth stepping back and pointing at what the rest of the community is doing — partly because good ideas deserve a signal boost, and partly because writing this kind of roundup forces me to actually articulate what I’ve been building here instead of just shipping posts and moving on.

So this one’s in two halves: first, a quick recap of what went up on Modern Workplace Security the last couple of weeks, and second, a proper spotlight on an actual Microsoft MVP whose take on the Intune Suite licensing change lines up with — and in a couple of places sharpens — what I wrote myself.

01What’s New Here

Two posts anchor the last two weeks, and they couldn’t be more different in tone — one’s an incident-response deep dive, the other’s a licensing-and-lab-testing piece. Together they’re a decent snapshot of what this site is actually for.

01

Anatomy of a Teams Vishing Attack

Security News · Jul 8, 2026 · 15 min read

A full breakdown of a live campaign tracked by Unit 42: a phishing PDF primes the target, an external Teams call from a spoofed “System Administrator” account talks the victim into handing over screen control, and the chain ends with EtherRAT — a Node.js-based RAT that resolves its command-and-control address from an Ethereum smart contract instead of a domain you can sinkhole.

The point I kept coming back to while writing it: there’s no exploit anywhere in this chain. Every stage works because a person trusted a caller, which puts the fix squarely in Entra external-access settings, Conditional Access, and Intune app control — not a patch Tuesday.

02

Intune Suite Is Now Baked Into Your E3/E5 License

Microsoft Intune · Jun 30, 2026 · 17 min read

I ran Endpoint Privilege Management, Advanced Analytics, and Cloud PKI in my own lab before writing this one, mostly because the announcement coverage everywhere else stopped at the feature list. The short version of my conclusion: it’s a genuinely good move from Microsoft, but “free” still means a real governance project if you want EPM to do anything more than hand out a more auditable version of local admin.

⚡ Field Note

If you only read one of these two, make it the vishing post. The E3/E5 licensing change is a planning exercise you have weeks to get right. The Teams social-engineering pattern is something your users could be handed today.


02MVP Spotlight: Sander Rozemuller

I follow a fairly short list of people closely on the Intune side, and Sander Rozemuller — Microsoft MVP, and someone who delivers this stuff daily at an MSP through his site IntuneStuff.com — is near the top of it. What I like about his writing is the same thing I try to do here: he doesn’t just repeat the announcement, he goes and checks it against a real tenant before publishing.

SR

Sander Rozemuller

Microsoft MVP · Modern Workplace Architect at Arxus · Belgium

His June post on the Intune Suite / M365 E3-E5 bundling change is a good companion read to my own — same topic, different vantage point, and he went straight to the product team for clarity rather than guessing at what “eligible” actually means in practice.

He says he’d rather not pass guesswork on to customers, which is exactly the instinct that makes a post worth reading instead of skimming. — paraphrased from Unlock the Glorious Microsoft Intune Suite, IntuneStuff.com

His bottom line lands close to mine: the entry condition for the bundling is more generous than most headlines suggested — if EMS E3 or ME5 is already in the tenant, you’re in, with no bundle migration and no seat minimum required. Where his post adds something mine doesn’t is the roundup of other MVPs’ angles on individual Suite features, which is worth bookmarking if you want more than one practitioner’s read before you brief your own team.

Where we agree

  • The licensing change is a genuine cost win for tenants already paying for the Suite add-on separately on E5 — cancel the add-on, move on.
  • “Eligible” doesn’t mean “already live.” Both of us are telling readers to check the M365 admin center rather than assume a calendar date flips a switch in every tenant at once.
  • This is a moment to have a licensing conversation with finance, not just file an IT ticket.

Where I’d add a note

His piece is aimed more at the licensing mechanics — who’s eligible, what “eligible” means, when it lands. Mine leans harder into what happens after it lands: whether EPM and Enterprise App Management are actually ready to replace a third-party PAM tool or packaging tool on day one. Read his first for the licensing clarity, then mine for the lab-tested rollout sequencing. They’re built to be read together.

2
practitioner takes, one topic
0
marketing fluff tolerated
1
licensing conversation you now need to have

03Why I’m Doing MVP Spotlights

Partly selfish, partly not. The selfish part: I learn faster by explaining where my read on something diverges from a practitioner I respect, and writing it down here forces the comparison to be specific instead of vague. The less selfish part: most people managing Intune, Defender, or Purview day to day don’t have time to read six blogs a week. If I can point at the two or three posts actually worth their attention, that’s a better use of this site than another feature-list recap.

If you’re one of the people who reads this site regularly, tell me who else I should be featuring. I’d rather run this as an ongoing series than a one-off.

💬 Get In Touch

Know an MVP or practitioner blog I should cover next? Drop it in the comments on the site, or find me on LinkedIn.


Sources: Modern Workplace Security (modernworkplacesecurity.com), original posts linked above; IntuneStuff.com, Sander Rozemuller, June 19, 2026. Indicators and claims current as of publication — verify against live sources before citing further.

A
Written by
Anand Kumar
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.

1 Comment

  1. E
    ExoWatts July 11, 2026

    Great content! Keep up the good work!

Leave a Comment

Your email address will not be published. Required fields are marked *