
Report-only mode, and some more handy reporting functionality for Conditional Access and Azure AD

During its annual Microsoft Ignite 2019 conference this week, Microsoft announced a new feature for Conditional Access called Report-Only mode in preview.

So, what is Report-only mode?

Report-Only mode is a new option within a Conditional Access policy. Besides the existing options to turn a Conditional Access policy on or off, a third option, Report-only, has been added.

New Report-only option

What are Guided Scenarios in Microsoft 365 Device Management/Intune?

While browsing the new Microsoft 365 Device Management portal I noticed the following option: “Guided scenarios (preview)”. From the What’s new in Intune page it seems that this functionality was released with the Intune release of October 14th 2019.

Disclaimer: This post is written on October 29th 2019 and reflects the state of this functionality at this point in time.

Guided scenarios (preview) in the Microsoft 365 Device Management Portal

So, what’s a guided scenario, you might ask? Microsoft explains it as follows: “A guided scenario is an end-to-end experience in Intune where you can tackle a big task, in a single workflow. Assemble policies, apps, assignments, and other management objects into a reusable collection that you can deploy as many times as you want.”

Technically, Guided scenarios provide a way to create a policy set based on a scenario, something I already blogged about here: “So what are policy sets?”


iOS restore behaviour when re-enrolling devices with backup data into Intune

While implementing Intune at my customers I rarely encounter greenfield implementations, where computers and mobile devices are newly delivered and no data needs to be restored on the device. Most of the time the devices are already in use, and we need to figure out a strategy to deal with the data on the device before we re-install it and bring it under management.

For iOS devices I recently did some testing on the possibilities of restoring an iTunes backup to a device that is re-enrolled into Intune and therefore receives a Management Profile.


What are Intune Policy Sets?

Starting with the Intune release of October 14th 2019, Microsoft made available a new functionality called “Policy Sets”. Even though they are (at the time of writing this article) still in preview, they are a very welcome addition to the Intune options available.

Added November 29th: Please make sure to also read about Guided scenarios, a preview feature in Intune which makes it possible to create policy sets based on predefined scenarios: What are Guided Scenarios in Microsoft 365 Device Management/Intune?

Disclaimer: This post is written on October 25th 2019 and reflects the state of this functionality at this point in time.

So what are policy sets?


Extending Conditional Access to Microsoft Cloud App Security using Conditional Access App Control

In my blog article series Conditional Access Demystified I mentioned that Conditional Access can be used to route sessions toward Microsoft Cloud App Security (MCAS). In this article I will go into more detail on what MCAS is and how to set up Conditional Access App Control.

Disclaimer: This article discusses the full MCAS product. There are other flavors that provide partial functionality, such as Office 365 Cloud App Security and Cloud App Discovery (CAD). For information about licensing, see the Microsoft Cloud App Security licensing datasheet.

What is Microsoft Cloud App Security (MCAS)?


Litetouch deployment failed, Return Code = -2147467259 0x80004005 when installing Surface Pro 6 devices using MDT

TL;DR – When reinstalling Windows on a Surface Pro 6 fails, make sure that you temporarily disable the “Enable boot configuration lock” option and try again.

At one of my customers we are using MDT to install Surface Pro 6 devices in order to make sure that the latest version of Windows 10 is available when starting the Out of the Box Experience (OOBE).

While testing this solution, we experienced some machines starting to fail to install Windows 10, where MDT would exit with the following error code: Litetouch deployment failed, Return Code = -2147467259 0x80004005

Time for a deep dive:


Ask yourself if you still really need ADFS

In Q1 2017 Microsoft released the Pass-through Authentication (PTA) functionality as part of Azure AD Connect. With the release of Azure Active Directory (Azure AD) Pass-through Authentication, your users can sign in to both on-premises and cloud-based applications using the same passwords, without the need to implement an Active Directory Federation Services (ADFS) environment.

With this option we now have the following authentication options available when setting up a hybrid identity:


Conditional Access demystified, part 8: Resources and further references

This article is the last part of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

In the last part of this series I will summarize some of the sources I used for writing this series of articles.


Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

This article is part 7 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 8: Resources and further references

When you want to integrate other products into your Conditional Access environment, you can use “Custom controls” to include products from other vendors in your Conditional Access conditions. If a custom control is used, the browser is redirected to the external service, which performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. If the user was successfully authenticated or validated, the user continues in the Conditional Access flow. More information and some samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview, but very promising for 3rd party vendors who want to integrate with Conditional Access.


Conditional Access demystified, part 6: Troubleshooting Conditional Access

This article is part 6 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

In this part of the series we will go into more detail on where to find the information that can help us troubleshoot Conditional Access policies.
