Posts

Recently I read a great article from the Microsoft IAM Director Sue Bohn concerning a Conditional Access Q&A. One question was about the device platform feature - which let’s you apply a policy only to a specific device platform like iOS, Android or Windows 10. The detection of the device platform relies on the user agent string sent by the application or web browser. Because this one can be spoofed easily better configure your Conditional Access policies wisely. ...

A colleague recently asked me how to access the Microsoft Graph API using PowerShell without specifying his user account or credentials. So here’s a little post about the required configuration to authenticate against the OAuth 2.0 endpoint of Azure AD with an app registration. This is especially useful for automation services like Azure automation. At the end of this post you’ll find a PowerShell template. Gather application information Create a new client secret for your app and note down the following values: ...

I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to manage their Windows 10 devices - combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you. Just to make sure that you have the modern mindset - here’s a little quote to reconsider your hybrid strategy (if not already done): ...

Microsoft Defender ATP (MDATP) for macOS hit finally the public preview status. We can now protect our macOS endpoints with cloud based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience. Prerequisites From a macOS endpoint perspective: macOS version 10.12 (Sierra) or newer No third party endpoint protection installed At least 1GB of free disk space macOS client enrolled in your Intune tenant If you want to enable macOS enrollment for your Intune tenant - I’ve written a post about the enrollment process. ...

As Microsoft starts to empower the integration for non Windows devices and also the available apps for macOS devices you might want to profit from your existing MDM solution of choice (Microsoft Intune) and enable features like conditional access or Windows Defender ATP on your macOS devices. This post covers the enrollment with the company portal app. If you want to enroll your devices with DEP (device enrollment program) you can find a great guide here. ...

When using your notebooks and portable devices together with a docking station your users might like to close the lid. The Windows 10 1903 release introduces additional power CSP settings. One of them allows you to configure the lid close action while on ac power - so the device doesn’t switch to hibernate mode as by default. Policy CSP configuration To configure this policy with Microsoft Intune use the following OMA-URI configuration within a new custom device configuration: ...

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices. Updated on 12.07.2019: Included the Intune administrative template configuration The setting is officially described as follow: This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft) If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft) ...

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon. Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune. ...

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists. Intune device cleanup rule For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices. ...

If you want to assign Microsoft licenses to your Azure AD users e.g. Microsoft 365 E3 licenses you can do this with group based licensing as described here. The problem is that even with group based licensing the UsageLocation property for each user must be set individually. Update: 13.01.2019: Since group based licensing is GA the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations. ...