Azure AD

Windows 10 and MAM-WE – Part 2: End-user experience

by

This week part 2 of my blog post about Windows 10 and MAM-WE. Last week it was about the configuration, this week it’s about the end-user experience. I’ll start this post with a short introduction about the settings that are configured for the end-user experience in this post. After that I’ll show the end-user experience with the enrollment, with accessing data and after enrollment. Introduction As I explained last week, there are a few Important settings that should be considered. The end-user experience shown throughout this post is based on the following configuration: Allowed apps: Microsoft Edge, PowerPoint Mobile, Excel Mobile, Word Mobile, IE11, Microsoft Remote Desktop, Microsoft Paint, Microsoft OneDrive, Notepad; Required settings: Windows Information Protection mode: Allow Overrides; Advanced settings: Network boundary: All …

Read more

Windows 10 and MAM-WE – Part 1: Configuration

by

This week another blog post about Windows 10. This time in combination with mobile app management without enrollment (MAM-WE). Due to the size of the blog post, I’ve decided to divide this post in 2 parts. This weeks post will provide a short introduction, followed by the required configurations. Next weeks blog post will be about the end-user experience. Introduction MAM-WE, for Windows 10, relies on Windows Information Protection (WIP) in combination with a new enrollment flow in Windows 10, version 1703. That new enrollment flow enables users to enroll their personal device for receiving only MAM policies. Those MAM policies are only applicable to activities performed by the work account and do not apply to the personal account. The part that makes it a …

Read more

Conditional access and named locations

by

This week another blog post about a recently introduced feature that can be used in commination with conditional access, named named locations. Within conditional access policies, named locations can be used like trusted IPs. The complication with trusted IPs was that it’s actually a feature configuration of multi-factor authentication. That did not really make a lot of sense. In this post I’ll look at the configuration of named locations and how those configurations can be used within a conditional access policy. A very good scenario for named locations in a conditional access policy is using Office 365 in a terminal services environment. It enables organizations to make an exclusions for a specific named location. In this post I’ll use an example that will blocks access …

Read more

Conditional access and Google Chrome on Windows 10

by

This week a short blog post to create some awareness about conditional access for Google Chrome on Windows 10. Starting with Windows 10, version 1703, it’s now possible to use Google Chrome in combination with conditional access. It will no longer simply being blocked. This can be achieved by installing and enabling the Windows 10 Accounts extension in Google Chrome. The screenshot below contains the name and URL of the extension. Introduction The Windows 10 Accounts extension for Google Chrome provides a single sign-on experience, to supported websites, to end-users that have a Microsoft supported identity on Windows 10,. Also, the Windows 10 Accounts extension for Google Chrome is required when the organization has implemented conditional access policies, to get the expected end-user experience. Currently, …

Read more

Conditional access and app enforced restrictions

by

This blog post is about a recently introduced feature in conditional access, named Session controls. More specific, the Session control of app enforced restrictions. Session controls enable a limiting experience within a cloud app. The great thing about Session controls is is that those controls are enforced by the cloud apps and that those controls rely on additional information provided by Azure AD to the cloud app, about the session. In other words, these controls can be used to require Azure AD to pass the device information to the cloud app. This enables the cloud app to know if the user is coming from a (non-)compliant device or (non-)domain joined device. Currently Session controls are only supported with SharePoint Online as the cloud app. In …

Read more

Require multi-factor authentication for enrollment

by

This week’s blog post will continue about conditional access. However, this time I’m going to look at a specific scenario in which conditional access is the key to making it easy to solve. This week I’m going to show three options, well actually only two, for requiring multi-factor authentication (MFA) during the enrollment of a device. First I’m going through the different configuration options and after that I’ll show the end-user experience per configuration option. Configuration options Now let’s start by having a look at the different configuration options. When I’m looking at the different configuration options, I want to look a little bit further than just the Microsoft Intune enrollment. I also want to include the Azure AD join, as it’s a common additional …

Read more

Conditional access is getting better and better and better

by

Yeah, I know, I’ve been using similar blog post titles recently. And yes, it might sound cheesy. However, looking specifically at conditional access, it’s easy to say that the current evolution, in the Azure portal, is better than it is in the Azure classic portal, which is better than it is in the Intune Silverlight portal. Based on that, maybe  “The evolution of conditional access” would have been a nice title also. In this post I will go through a little bit of history of conditional access, followed by going through the enhanced capabilities of conditional access in the Azure portal. Little bit of history Let’s start by looking at a little bit of history of conditional access. No, I won’t put all the evolutions …

Read more

Conditional access for managed apps

by

After a great MVP Summit and a session at a great Experts Live, it’s finally time for a new blog post. This blog post will be about conditional access for managed apps (MAM CA). About a month ago, I did a first post about this feature when it was still in preview. The good news is that the first part of this feature is now production ready for all tenants. In this post I’ll go through an introduction of MAM CA, the flow of MAM CA, the prerequisites of MAM CA, the configuration of MAM CA and the end-user experience of MAM CA. Introduction By now, I think, everybody should be familiar with the mobile app management without enrollment (MAM-WE, previously also referred to as …

Read more

Conditional access for published ConfigMgr reports

by

This week another post about the world of conditional access in Azure AD. Last week I started with looking at conditional access for Yammer. This week I’ll add-on to that idea by publishing a custom application, in this case my ConfigMgr reports, and apply conditional access to that configuration. To make it even better, it even allows a single sign-on configuration. In other words, I can use pre-authentication on Azure AD and use that token for the single sign-on experience of the end-user in the published application. Really nice! Prerequisites Before starting with the configuration, it’s important to know that his post does require two important prerequisites to be in place, which are not part of this post. Azure AD Application Proxy: This component is …

Read more

Conditional access for Yammer

by

This week I’ll open a new world of conditional access. The world of conditional access in Azure AD. I’ll open that world of conditional access by looking at conditional access for Yammer. Conditional access for Yammer cannot be configured through the Microsoft Intune administration console. However, that doesn’t mean that conditional access for Yammer doesn’t exist. The configuration of conditional access for Yammer is available through the Azure Management portal. In this post I’ll go into more detail about conditional access via Azure AD, the required configurations and the end-users experience. Introduction About a month ago Microsoft released conditional access policies as a preview feature in Azure AD for iOS, Android and Windows (Windows 7, Windows 8.1 and Windows 10, build 1607). These policies can …

Read more