Category: Azure Active Directory

Remote anything: Publish complex ‘full-path’ web applications with Azure AD Application Proxy

On By Ronny de JongIn Azure Active Directory, Azure AD Application Proxy, Hybrid Identity, IdentityLeave a comment

These days where households are rapidly turning into remote offices the need to make business applications available as if they were available from the office is on the rise. Azure AD Application Proxy lends perfectly to secure unlock on-premise web applications in an ease and safe manner.

In this post I’ll explain how successfully publish on-premise SAP instance with a complex home page URL, which seem challenging at first sight. After reading this post not anymore!

Continue reading “Remote anything: Publish complex ‘full-path’ web applications with Azure AD Application Proxy”

Troubleshooting: Endpoint Configuration Manager Device Collection Membership Synchronization

On By Ronny de JongIn Azure Active Directory, Azure AD, Configuration Manager, Identity, Modern Management, Windows 102 Comments

Device collection membership Synchronization to Azure AD security groups (aka Azure AD Group sync) is introduced since 1906 and offers a multitude of new management options. Meanwhile a lot has been written and resulted in some great blog posts by various community peers like Nickolaj Andersen, Nick Hogarth as well as by Microsoft Docs.

What these resources have in common is they all describe how to enable and configure Azure AD group sync. In this blog post I’ll go in to more details what’s behind the scenes, how device collection synchronization works and what actions you can take in the event of troubleshooting is desired.

Continue reading “Troubleshooting: Endpoint Configuration Manager Device Collection Membership Synchronization”

Revise your OneDrive (Sync) restrictions when shifting to a Modern Workplace!

On By Ronny de JongIn Azure Active Directory, Azure AD, Microsoft Intune, Modern Management, Office 365, Windows 10Leave a comment
OneDrive client is unable to sync your folders.

What is a modern workplace these days without having your personal- or group data synced to OneDrive and taking the full advantage Microsoft’s cloud storage has to offer!? One of the most asked feature is silently configuring your OneDrive client to automatically synchronize your (personal) data. Continue reading “Revise your OneDrive (Sync) restrictions when shifting to a Modern Workplace!”

Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10

On By Ronny de JongIn Azure Active Directory, Azure AD, Enterprise Mobility, Identity, Microsoft Intune, Modern Management, Password-less, Windows 10, Windows Hello for Business14 Comments

Microsoft continues to deliver it’s password-less promise and introduces native FIDO2-based authentication to Windows 10 & Azure AD.

“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Bill Gates, RSA 2004

Continue reading “Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10”

Improved MDM diagnostics from Windows 10 Insider Preview #16232

On By Ronny de JongIn Azure Active Directory, Cloud, Conditional Access, Enterprise Mobility, Intune, Microsoft Intune, Windows 10, Windows 10 Mobile2 Comments

Note: the content in this blog post may subject to change as it’s based on Windows 10 Insider Preview build 16232/16237.

In the early days of Windows 8.x modern management made it’s appearance but due it’s limitations at that time not widely adopted.

Traditional vs Modern

The introduction of Windows 10 as the cloud OS with tight integration of Azure AD changed this rapidly. Combined with configuration service provider (CSP) modern management provides increased capabilities and therefore closing the gap with traditional management.

Another often-heard challenge of modern management is the troubleshooting part. This can sometimes be challenging as it is experienced as a black box. Common tools  (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus challenging to interpret, until today!

Troubleshooting

To illustrate the ease of troubleshooting (low entry), we configured a custom policy by Microsoft Intune which configures Windows Defender Application Guard (currently in preview) and check the process of the policy being applied on our endpoint .

Microsoft Intune Custom Policy

Once assigned the policy in Microsoft Intune we triggered a policy refresh cycle.

Updated interface

Update Management Profile GUI

In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories we can also determine the installed applications. 

 Improved Management Profile GUI PolicyManager MDM Category

Management Diagnostic log files

The updated GUI goes beyond just displaying what is configured/applied and provides the ability drill down to our MDM configuration. The MDM configuration can be exported in a management log file which is exported in HTML format to C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html

MDM Diagnostics GUI

The MDM diagnostic log file provides general information of your system. However the most interesting part is yet to come.

Base MDM Diagnostic Information

First of all it provides insights of the configuration sources and resource (CSPs) and  whether it’s a device- or user based policy. The Resource section correlates to the various policies and installed apps. I highlighted a guid which correlates to an installed application.

MDM Configuration Sources

Further it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are listed in the updated interface I mentioned before. Further this section provides the detailed configuration of your policies.

In our scenario we deployed Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it’s a device- or user based policy.  It confirms the custom Windows Defender Application Guard Policy has been landed and successfully applied.

MDM Managed Policies

When looking under the hood we’ve the confirmation here too, Windows Defender Application Guard is configured properly. And mentioned earlier you’ll find the policy categories once again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\AppHVSI

PolicyManager MDM Registry

Complementary to the Windows Defender Application Guard CSP configuration you can keep track of the group policy (backed ADMX) equivalent.

PolicyManager MDM Group Policy

Installed Applications

As mentioned before the MDM diagnostic log file also includes the list of installed applications through MDM channel.

Managed Applications by MDM

Finally, we also have access to settings which are not set via CSP.

Unmanaged MDM Policies

Summary

The updated interface in this Windows 10 preview build is a simple as ingenious extension and help us to get useful insights to troubleshoot your modern management end-points.

Sources

Introduction to configuration service providers (CSPs) for IT pros

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

WindowsDefenderApplicationGuard CSP

https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp

Continue reading “Improved MDM diagnostics from Windows 10 Insider Preview #16232”

Control Access to SharePoint Online/OneDrive from unmanaged devices

On By Ronny de JongIn Andriod, Azure Active Directory, Azure AD, Conditional Access, Enterprise Mobility, Intune, iOS, Windows 101 Comment

In a mobile-first cloud first world the need of accessing corporate resources on unmanaged devices is rising. This is the cutting edge of managing your corporate data (keeping it safe) and give your users the freedom to be productive on any device.

With Conditional Access we can control access to corporate data (such as Exchange Online, SharePoint Online, Yammer, Delve, Teams, etc.) based on a device (health) status such as being managed or complaint. These scenarios (conditions) are based on devices being managed by your company (MDM managed). With the introduction of Session Controls, organizations are enabled to grant limited access to corporate resources without losing control on unmanaged devices.

Conditional Access Session Controls

Continue reading “Control Access to SharePoint Online/OneDrive from unmanaged devices”

One license solution rule them all: Azure AD Group Based Licensing!

On By Ronny de JongIn Azure, Azure Active Directory, Enterprise Mobility, Intune, Microsoft Intune, Office 3651 Comment

A long awaited feature became this week available in the new Azure portal: Azure AD Group Based licensing. With this we have an one-stop-shop to assign licenses on a per user- or group based. azure-ad-group-based-licensing-1

Azure AD Group Based licensing was already available in the classic Azure portal,  however it was limited to  Azure AD Premium, Azure Rights Management, Microsoft Intune and Enterprise Mobility + Security licenses.  For other licenses like Office 365 we were designated to the Office 365 Admin portal or custom (automated) solutions such as PowerShell or Graph API. Continue reading “One license solution rule them all: Azure AD Group Based Licensing!”

Top 3 feature enhancements of Windows 10 Creators Update

On By Ronny de JongIn Azure, Azure Active Directory, Configuration Manager, Enterprise Mobility Suite, Microsoft Intune, Windows 10, Windows 10 MobileLeave a comment

Yesterday I received an update of the Windows Insiders Program which contains some great improvements which I’d to share with you. Hereby some highlights.

Mobile application management

With the Creators Update we’re introducing mobile application management, a new feature that will protect data on personal devices without requiring the device to be enrolled in a Mobile Device Management solution. As employees use their own devices at work more and more, we are providing IT with oversight to apply policies to the applications employees use to be productive. This helps keep corporate data more secure without taking on the added responsibility of managing employees’ personal devices.

 

Continue reading “Top 3 feature enhancements of Windows 10 Creators Update”

Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access

On By Ronny de JongIn Azure Active Directory, Azure AD, Cloud, Configuration Manager, Enterprise Data Protection, Enterprise Mobility Suite, Intune, Microsoft Intune, Office 365, Windows 10, Windows 10 Mobile, Windows Information Protection1 Comment

Recently Microsoft announced Microsoft Teams, a new chat-based platform in Office 365. For all mobile platforms (Android, iOS and Windows 10 Mobile) Microsoft released an native app, including a desktop app for Windows 10 and Mac OS X. The Microsoft Teams apps can be downloaded here. After I installed the Microsoft Teams desktop app on Windows 10 I bumped into the following funny message ‘Yikes! Looks like someone pulled the plug on the internet’.

clip_image001

Continue reading “Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access”