Getting new users quickly up-and-running with Temporary Access Pass

This week is a little follow-up on a post of a couple of months ago and about connecting pieces of the puzzle. That post was around Temporary Access Pass (TAP). Even though that post was focused on Windows devices, it did provide some hints for using TAP on mobile devices (Android, iOS) also. An often seen and heard challenge is related to getting new user up-and-running. Especially when requiring Multi-Factor Authentication (MFA) for device enrollment, or when trying to work completely passwordless. Those scenarios introduce chicken-and-egg situations as a device must be registered for usage with MFA and the registration requires MFA, or when trying to work passwordless and an authentication method must be registered to be able to work passwordless. So, to get a …

Read more

Getting started with Continuous Access Evaluation

This week is all around an Azure AD functionality that tightly integrates with Conditional Access (CA) and that provides a near real time experience with enforcing access to resources and applications. That functionality is Continuous Access Evaluation (CAE). CAE was introduced almost a year ago to Azure AD tenants with CA enabled and provides that near real time experience. That experience is created by enabling a communication between the different Microsoft services and Azure AD. That communication provides a lot of magic that results in the new real time experience. This post starts with a quick introduction in CAE, followed with the steps to enables this functionality (while in preview). This post ends with showing the near real time user experience. Important: At the moment …

Read more

Using authentication contexts to add step-up authentication to specific SharePoint sites

This week is all about authentication contexts. Authentication contexts are another great feature for Condition Access policies. That feature enables IT administrators to further secure data and actions in apps, by providing a step-up authentication. Those apps can be custom apps, SharePoint sites, Privileged Identity Management (PIM), and even apps protected by Microsoft Cloud App Security (MCAS). The focus of this post is on authentication contexts with SharePoint sites. This post starts with an introduction to authentication contexts, followed with the different activities to create authentication contexts, to assign Conditional Access policies to authentication contexts and to tag SharePoint sites with authentication context. This post ends with experiencing authentication contexts. Important: At the moment of writing, authentication contexts are still public preview. For Azure AD …

Read more

Using filters for devices as condition in Conditional Access policies

This week is also all about filters. Last week was about filters for assigning apps, policies and profiles to specific devices in Microsoft Intune and this week is about filters for devices as a condition in Conditional Access policies. Filters for devices are a nice addition to Conditional Access policies to only target specific devices. A great option for addressing specific scenarios. This post starts with a short introduction about filters for devices, followed with the steps for configuring a filter within a Conditional Access policy. This post ends with the administrator experience. Important: At the moment of writing, filters for devices are still public preview. For Azure AD features that means that the feature is provided without a service level agreement, and that the …

Read more

Conditional access and registering or joining devices to Azure AD

This week is all about registering and joining devices to Azure Active Directory (Azure AD). More specifically, about requiring multi-factor authentication (MFA) when registering or joining devices to Azure AD. Starting with March 2021, Azure AD contains a new feature in Conditional Access (CA) that provides more flexibility for requiring MFA when registering or joining devices to Azure AD. That new feature is the Register or join devices user action. This post will start with a short introduction about that new user action, followed with the steps to configure that user action. This post will end with a look at sign-in logs. Important: The Register or join devices user action is also the new recommended method for enforcing MFA when registering or joining a device …

Read more

Using Setup Assistant with modern authentication

This week is all about the support for a new authentication method when using Automated Device Enrollment (ADE). That new authentication method is Setup Assistant with modern authentication and is available for iOS/iPadOS devices running version 13.0 and later and for macOS devices running version 10.15 and later. Setup Assistant with modern authentication enables organizations to require authentication with Azure AD, including the ability to require MFA, and enables users to immediately use their device. This post provides an introduction to this new authentication method, followed with the steps to configure an enrollment profile with this new authentication method. This post ends with a quick look at the enrollment experience when using Setup Assistant with modern authentication. Note: At the moment of writing Setup Assistant …

Read more

Getting started with Shared iPad devices

This week is all around Shared iPad devices with Microsoft Intune. Shared iPad is an iPadOS configuration that easily lets multiple user share the same iPad. That configuration enables a personal experience for a user, on a device that is shared between multiple users. That personal experience enables users to be more productive, as users can simply pick-up where they left off previously. This post will start with a short introduction to Shared iPad devices, followed with the configuration steps for those devices. This post will end by describing and showing the user experience with Shared iPad devices. Introduction to Shared iPad devices With shared devices, this post is referring to company-owned multi-user devices that can be used – depending on the use case – …

Read more

Federated authentication for Managed Apple IDs

This week is all about federated authentication for Managed Apple IDs. When using Microsoft Intune for managing Apple devices, the use of Managed Apple IDs is adding more and more value to the solution. That value gets even more when those Managed Apple IDs are federated with Azure AD. That would provide the user with a single account to remember and to use. Together that brings a very nice experience to Apple devices that are using federated Managed Apple IDs and are managed with Microsoft Intune. In this post I’ll discuss and describe the following information regarding Managed Apple IDs: What are Managed Apple IDs and why using them? Federated authentication for Managed Apple IDs Automatically provisioned users from Azure AD Provisioned user with federated …

Read more

Using sensitivity labels to manage access to SharePoint sites on unmanaged devices

This week is a follow-up on my post of a few weeks ago about accessing SharePoint and OneDrive content on unmanaged devices. That post showed how to use the SharePoint admin center to manage the organiztion-wide access control for unmanaged devices and showed how to use PowerShell to manage the site-level access control for unmanaged devices. This post will show something similar to that PowerShell configuration, in a way that this will also provide a method for managing access for unmanaged devices on a site-level. The main difference is that this post will look at a new (currently in public preview) feature that is added to sensitivity labels. That feature enables the administrator to configure Site and group settings for sensitivity labels. Within that configuration …

Read more