At our last Windows Management User Group Netherlands meeting, we had the honor of having Sami Laiho, one of the world’s leading professionals in the Windows OS and security, fly over to the Netherlands and present for our user group. In his presentation titled “Securing Windows in 2020 and forward”, Sami made us aware that by implementing some simple AppLocker policies on our Modern Workplace, and by making sure that the user working on the device has no admin rights, we can seriously improve our security. In his presentation Sami referred to a quote from Mikko Hyppönen (Chief Research Officer at
F-Secure): “Make your security better than your
blogpost I will share my experience with implementing AppLocker policy within my own tenant, and how I started to use these principles myself, which eventually led to removing my account from the local Administrators group.
Disclaimer: This blogpost provides a very simplistic way of enabling AppLocker policies. In the real world there are some caveats which must be addressed when implementing AppLocker; I will address those caveats later in this post
default, on Windows 10 devices which are Azure AD joined, the user performing the join is added to the local Administrators group. Besides that user and the built-in local Administrator account (which is disabled by default), two other SIDs are added without any friendly name explaining who they are. So where are those SIDs
When you create an Intune tenant within your environment, you perform the creation with an account which is Global Administrator within Azure Active Directory. In my work as an independent consultant I see a lot of companies which keep using the account with Global Administrator rights to manage their Microsoft Intune environment as
While Global Administrator rights might be needed for initially setting up some Azure AD functionality, this is only the case during the setup phase. Once you have implemented your environment, you hardly ever need the Global Administrator rights, and for most tasks they are not needed per se. Think of the Global Administrator rights as the equivalent of the Enterprise Administrators/Schema Administrators groups within Active Directory.
Disclaimer: This post is written on December 4th 2019 and reflects the state of this functionality at that point in time.
One of the disadvantages of being an experienced consultant in IT is the fact that once in a while you need to re-learn. By re-learn I mean that for some concepts it’s easier to understand how they work if you come to them with no prior experience. I’ve experienced this with quite a few Microsoft products as well: if you know the old version, switching to the concepts of a new version might not be as easy as getting to know the new version without any prior knowledge.
I also experienced this “challenge” lately when trying to figure out when to assign applications or configuration to either user groups or device groups.
While browsing the new Microsoft 365 Device Management portal I noticed the following option: “Guided scenarios (preview)”. From the What’s new in Intune page it seems that this functionality was made available in the release of October 14th 2019.
Disclaimer: This post is written on October 29th 2019 and reflects the state of this functionality at that point in time.
So, what’s a guided scenario, you might ask? Microsoft explains it as follows: “A guided scenario is an end-to-end experience in Intune where you can tackle a big task, in a single workflow. Assemble policies, apps, assignments, and other management objects into a reusable collection that you can deploy as many times as you want.”
Technically, guided scenarios provide a way to create a policy set based on a scenario, something I already blogged about here: “So what are policy sets?”
Intune at my customers, I rarely encounter green-field implementations where computers and mobile devices are newly delivered and no data needs to be restored on the device. Most of the time the devices are already in use, and we need to figure out a strategy to deal with the data on the device before we re-install it and bring it under management.
For iOS devices I recently did some testing on the possibilities of restoring an iTunes backup to devices which are re-enrolled into Intune, therefore receiving a Management
Starting with the Intune release from October 14th 2019, Microsoft made available a new functionality called “Policy Sets”. Even though they are (at the time of writing this article) still in preview, they are a very welcome addition to the Intune options available.
When you want to integrate other products into your Conditional Access environment, you can use “Custom controls” to include products from other vendors in your Conditional Access conditions. If a custom control is used, the browser is redirected to the external service, performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. If the user was successfully authenticated or validated, the user continues in the Conditional Access flow. More information and some samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview but very promising for 3rd party vendors who want to integrate with Conditional