Role Based Access Control: A Configuration Manager Favourite, Now in Intune

Role Based Access Control (RBAC) has been a favourite feature of the System Center Configuration Manager community since its introduction, and now it’s available in Intune. RBAC in Intune enables you to easily define who can perform various Intune tasks within your organization, and who those tasks apply to. RBAC gives you greater flexibility and control while ensuring your IT administrators have the necessary permissions to perform their job.

Integration with Azure AD Directory Roles for high level access control

The new Intune admin experience on Azure delivers deeper levels of integration with Azure Active Directory, which includes Azure AD Groups as well as integration with Azure AD Directory Roles. This integration provides the underpinnings of Intune’s RBAC capabilities and our overall permissions management story. RBAC for Intune starts by leveraging four Azure AD Directory Roles that define high level administrative access to Intune workstreams and tasks:

  • Global Administrator / Company Administrator: users in this role have access to all administrative features in Azure AD, including conditional access. They can also manage all of Intune.
  • User Administrator: users in this role can manage users and groups but cannot manage all of Intune.
  • Intune Service Administrator: users in this role can manage all of Intune, including management of users and devices, as well as group creation and management. This role does not allow for management of Azure AD’s Conditional Access settings.
  • Conditional Access Administrator: users in this role can manage Azure AD’s Conditional Access policies, but not all of Intune.
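Because these four directory roles are the top of the Intune permission chain, the first check an administrator wants is who actually holds them. The following PowerShell is an added example, not code from the original post, and uses the AzureAD module to list the members of each role. It assumes the AzureAD module’s own role display names, where Global Administrator is reported as "Company Administrator" and User Administrator as "User Account Administrator"; compare with the output of Get-AzureADDirectoryRole in your tenant if the names differ.

```powershell
# Added example (not from the original post): enumerate who holds the four Azure AD
# directory roles that gate Intune administration, using the AzureAD PowerShell module.
# Assumes: the AzureAD module is installed and the caller may read role membership
# (Connect-AzureAD prompts for credentials).
# Role display names follow the AzureAD module's naming (assumption): Global Administrator
# appears as "Company Administrator", User Administrator as "User Account Administrator".
Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null

$intuneRoles = @(
    'Company Administrator',            # Global Administrator
    'User Account Administrator',       # User Administrator
    'Intune Service Administrator',
    'Conditional Access Administrator'
)

# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant;
# a role that has never been assigned is simply absent from the report.
$activeRoles = Get-AzureADDirectoryRole | Where-Object { $intuneRoles -contains $_.DisplayName }

$report = foreach ($role in $activeRoles) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | ForEach-Object {
        # Users carry a UPN; service principals only a display name.
        $name = if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
        [pscustomobject]@{
            Role           = $role.DisplayName
            Member         = $name
            ObjectType     = $_.ObjectType        # User or ServicePrincipal
            AccountEnabled = $_.AccountEnabled
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Flag principals holding more than one of these roles: Intune Service Administrator
# plus Conditional Access Administrator together give Global-Administrator-like reach
# over Intune and its access policies, which deserves a second look.
$report | Group-Object Member | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} holds {1} of the Intune-related directory roles" -f $_.Name, $_.Count)
}
```

Run it periodically (or from a scheduled task that writes the table to a file) and diff the result against the last run; a new Global Administrator or Conditional Access Administrator appearing without a change ticket is the kind of drift this report exists to catch.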

Continue reading → Role Based Access Control: A Configuration Manager Favourite, Now in Intune

New Policy Recommendations in Office 365 Data Loss Prevention

Microsoft have announced the release of new DLP recommendations for unprotected sensitive information in Office 365. This insight-driven recommendation helps you keep your sensitive content secure when it’s stored and shared in Office 365 by informing you when there’s a possible gap in your DLP policy coverage; they even provide an “easy button” to turn on a customized DLP policy to keep that content protected.

To see the recommendation, visit the Office 365 Security and Compliance Center homepage at https://protection.office.com and look for the “Recommended for you” section on the right side. (If you don’t see it yet, click “+More”.) If you have content that isn’t protected by one of the top 5 sensitive information types, you’ll see a breakdown of what kind of content was detected, and an option to “Get started” for more details.

Implement password synchronization with Azure AD Connect sync

What is password synchronization

The probability that you’re blocked from getting your work done due to a forgotten password is related to the number of different passwords you need to remember. The more passwords you need to remember, the higher the probability to forget one. Questions and calls about password resets and other password-related issues demand the most helpdesk resources.

Password synchronization is a feature that synchronizes user passwords from an on-premises Active Directory instance to a cloud-based Azure AD instance. What actually travels is not the password: Azure AD Connect reads the user’s existing password hash from on-premises AD, rehashes it with a per-user salt and SHA256, and synchronizes that derived value, so what Azure AD stores can neither reveal the original hash nor be used to authenticate against on-premises AD. Use this feature to sign in to Azure AD services like Office 365, Microsoft Intune, CRM Online, and Azure Active Directory Domain Services (Azure AD DS) with the same password you use to sign in to your on-premises Active Directory instance. Continue reading → Implement password synchronization with Azure AD Connect sync
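Once password synchronization is switched on, the question a practitioner keeps asking is whether hashes are still flowing, because a stalled sync silently leaves cloud passwords stale. The following PowerShell is an added example, not code from the original post, that checks both ends: the tenant view through the MSOnline module, and the server view through the ADSync module on the Azure AD Connect server. The "Directory Synchronization" Application-log event IDs it filters on (650/651 batch start and finish, 656/657 per-user request and result, 611 failure) are an assumption of this script; confirm them against your own server’s log before alerting on them.

```powershell
# Added example (not from the original post): verify that password hash synchronization
# is enabled and has run recently, from both the tenant side and the Azure AD Connect server.
# Assumes: MSOnline module for the tenant view (Connect-MsolService prompts for credentials);
# the server-side function only runs where the ADSync module is present.
# Event IDs 650/651 (batch start/finish), 656/657 (per-user request/result) and 611 (failure)
# under the "Directory Synchronization" source are an assumption; verify on your server.

function Test-PhsTenantSide {
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService
    $info = Get-MsolCompanyInformation
    $last = $info.LastPasswordSyncTime
    [pscustomobject]@{
        DirSyncEnabled   = $info.DirectorySynchronizationEnabled
        PhsEnabled       = $info.PasswordSynchronizationEnabled
        LastDirSync      = $info.LastDirSyncTime
        LastPasswordSync = $last
        # Hash batches normally arrive every few minutes; hours of silence means PHS is stalled.
        Stale            = ($null -eq $last) -or
                           (((Get-Date).ToUniversalTime() - $last).TotalHours -gt 3)
    }
}

function Test-PhsServerSide {
    Import-Module ADSync -ErrorAction Stop
    $feature   = Get-ADSyncAADCompanyFeature
    $scheduler = Get-ADSyncScheduler
    $since     = (Get-Date).AddHours(-24)
    $events    = Get-EventLog -LogName Application -Source 'Directory Synchronization' `
                              -After $since -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PhsFeatureEnabled = $feature.PasswordHashSync
        SyncCycleEnabled  = $scheduler.SyncCycleEnabled
        StagingMode       = $scheduler.StagingModeEnabled   # a staging-mode server never exports hashes
        PasswordBatches   = @($events | Where-Object EventID -eq 651).Count
        PasswordChanges   = @($events | Where-Object EventID -eq 657).Count
        Failures          = @($events | Where-Object EventID -eq 611).Count
    }
}

$tenant = Test-PhsTenantSide
$tenant | Format-List
if (-not $tenant.PhsEnabled) { Write-Warning 'Password synchronization is not enabled for this tenant' }
if ($tenant.Stale)           { Write-Warning 'No password hashes received in the last 3 hours' }

if (Get-Module -ListAvailable -Name ADSync) {
    $server = Test-PhsServerSide
    $server | Format-List
    if ($server.StagingMode)      { Write-Warning 'Server is in staging mode; it will not export password hashes' }
    if ($server.Failures -gt 0)   { Write-Warning ("{0} password sync failures in the last 24h" -f $server.Failures) }
}
```

The two views disagree in a useful way: PasswordHashSync can be enabled on the server while LastPasswordSyncTime in the tenant stops moving, which is exactly the case (a disabled scheduler, a server left in staging mode, a broken connector account) that users experience as "my new password works on-premises but not in Office 365".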

Azure AD Automated Expiration for Office 365 Groups is now in Public Preview

One of the coolest collaboration features in Office 365 is Office 365 groups. Employees can create these groups on the fly and use them to collaborate with their co-workers on projects, sharing team documents, emails and calendars. These groups are easy and fast to create and judging by their usage telemetry, they are VERY popular.

However, as the number of Office 365 groups increases, it can create a bit of a mess, for instance when a project is completed but the group is still hanging around. To help address that issue, Microsoft just turned on the public preview of Office 365 groups expiration! Continue reading → Azure AD Automated Expiration for Office 365 Groups is now in Public Preview

Step-By-Step: Intro to Managing Azure AD via PowerShell

As IT professionals know, time is never on our side. Hence the importance of PowerShell: it provides a quicker way of completing tasks and can even provide some automation if harnessed correctly. This Step-By-Step will detail how to get started in harnessing PowerShell to manage an Azure Active Directory instance and detail day-to-day operational commands to get you started.

In order to use PowerShell with Azure AD, first we need to install the Azure Active Directory module on the local computer. There are two versions of the Azure Active Directory PowerShell module: one was made for the Public Preview, and the latest one was released after Azure AD was announced generally available. You can download the module from http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx

If you already have an older version installed, it is highly recommended to replace it with the new one.

Once installed, let’s check its status. Continue reading → Step-By-Step: Intro to Managing Azure AD via PowerShell

How to Use Azure Active Directory Conditional Access to Enforce Multi-Factor Authentication for Unmanaged Devices

Microsoft provides several options for securing Office 365 and Azure applications with multi-factor authentication (MFA). For your end users you can choose from:

  • MFA for Office 365, which provides basic MFA functionality for Office 365 applications only.
  • Azure MFA, which provides more advanced functionality, including the option to configure trusted IPs.

The trusted IP feature is attractive because it allows you to define IP address ranges, such as those of your corporate network, from which you will “trust” the logins and not prompt for MFA codes. This is useful for decreasing the annoyance factor of MFA for your end users, but it doesn’t solve the problem for all types of organizations. For example, a staff of roaming salespeople will frequently access their applications from outside the corporate network and will be repeatedly prompted for MFA codes. Some apps let you “remember” the device and avoid repeated prompts, but not all apps provide that. App passwords, which are separate per-user passwords that bypass MFA entirely, are also not practical in all cases: they become difficult to manage over time, and each one is a long-lived credential protected by a single factor. Continue reading → How to Use Azure Active Directory Conditional Access to Enforce Multi-Factor Authentication for Unmanaged Devices
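The Conditional Access approach the title refers to replaces "trust the network" with "trust the device": a compliant or hybrid Azure AD joined device passes without a prompt wherever it is, and anything else has to satisfy MFA. The following PowerShell is an added example, not code from the original post, built on the AzureADPreview module’s New-AzureADMSConditionalAccessPolicy and its object model. It targets all cloud apps rather than only Office 365 (an assumption of the example), and it assumes $breakGlassUserId is the object ID of an emergency-access account you exclude so that a misconfigured policy cannot lock every administrator out; the value shown is a placeholder.

```powershell
# Added example (not from the original post): Conditional Access policy that waives the
# second factor for managed devices (compliant or hybrid Azure AD joined) and requires MFA
# for everything else. Object model and cmdlet are the AzureADPreview module's.
# Assumes: AzureADPreview installed; $breakGlassUserId is a placeholder to replace with the
# object ID of your emergency-access account.
Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

$breakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before use

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'        # every cloud app (assumption: not only Office 365)

$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
$conditions.Users.ExcludeUsers = $breakGlassUserId           # never lock out the emergency account

# Grant controls joined with OR: a compliant or hybrid-joined device satisfies the policy by
# itself; an unmanaged device has neither, so MFA is the only route left. No trusted-IP ranges
# are involved, so a roaming user on a managed laptop is not prompted and a user on a
# personal device is, regardless of where either of them is.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = 'OR'
$controls.BuiltInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')

# Start in report-only mode so the sign-in logs show who would have been prompted or blocked
# before anyone is affected; switch -State to 'enabled' once the results look right.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName   'Require MFA unless device is managed' `
    -State         'enabledForReportingButNotEnforced' `
    -Conditions    $conditions `
    -GrantControls $controls

$policy | Select-Object Id, DisplayName, State
```

Two things to verify before enabling it: that device compliance is actually being evaluated (devices must be enrolled in Intune or hybrid joined, or every sign-in collapses to the MFA branch), and that the excluded emergency account is itself protected by something other than this policy, since the exclusion means it is never challenged here.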

An update to Azure AD Conditional Access for Office.com

What’s changed?

On August 24th, a change will roll out that requires users to satisfy any policies set on Exchange Online and SharePoint Online when accessing Office.com. For example, if a policy requiring multi-factor authentication (MFA) or a compliant device has been applied to SharePoint or Exchange, this policy will also apply to users signing into Office.com.

Continue reading → An update to Azure AD Conditional Access for Office.com