Event details
Never trust, always verify. Tune in for tips and insights to help you secure your endpoints using Microsoft Intune as part of your larger Zero Trust strategy. Find out how you can use Intune to protect both access and data on organization-owned devices and personal devices used for work. Ask Microsoft Anything (AMA) and get the answers you need to implement the right policies, security settings, device configurations, and more. Only at Tech Community Live!
Speakers: Mike Danoski, Clay Taylor, & Angela Robertson
Moderator: Jon Callahan
This event is part of Tech Community Live: Intune edition.
I'm in! How do I sign up?
Select “Add to calendar” to save the date and “Attend” to save your spot, receive event reminders, and participate in the Q&A. If you can’t make the live event, don’t worry. You can post your questions in advance and catch up on the answers and insights later in the week. All sessions for this Intune edition of Tech Community Live will be recorded and available on demand immediately after airing.
This event will feature AI-generated captions during the live broadcast. Human-generated captions will be available by the end of the week.
Where can I post my questions?
Scroll to the bottom of this page and select “Comment.”
15 Comments
- Sids11 (Brass Contributor)
So I used the ZT Assessment tool and a lot of tests passed while some failed and some were skipped. I was not able to use the aka.ms/GetStartedWithCopilotSecurityandInTune link so can someone please help me with the correct link. I would really appreciate it!
- Pearl-Angeles (Community Manager)
We appreciate your participation! Friendly reminder that Q&A is open through this Friday at 12p PT.
Below are the questions the panelists answered live, along with associated timestamps:
Question – Systems Architect for ~200 users in fully cloud M365 environment. What is Microsoft's or your own opinions on enforcing Zero Trust with CA policies? I took over an existing CA setup a year ago and although it works, it's very dependent on static grouping and I want something that can be easily scaled without relying on not missing adding someone to a group. – answered at 2:23.
Question – One shortcoming for Intune management is a standardized connectivity test that reports on connectivity issues and helps Intune admins check and act on connectivity issues; it would even enable security admins and network admins to smoke test Intune pro-actively when making changes and thus avoid disruptions for Intune. What is the Intune team's opinion on this? – answered at 9:11.
- For more info, read the blog Support tip: Aligning network policy with Microsoft Intune and Zero Trust
Question – I love the Zero Trust Workshop Assessment and workbook, but it is overwhelming. Is there a recommended approach to tackling the "to do" list? – answered at 18:09.
- Go to the Microsoft Zero Trust Workshop & the Intune Advanced Analytics to learn more.
Question – Using GSA for part of my Zero trust solution. Global Secure Access on BYOD (Android and iOS) not depending on the Microsoft Defender app is needed. Maybe an app just for GSA, similar to Windows. Asking users to install the Microsoft Defender app on their BYOD device is way too much. For my organization, GSA on Android was blocked, issues with Android version 15 and many other issues and just never working on some devices. Recommendation for Android welcome!! – answered at 24:04.
- Pearl-Angeles (Community Manager)
That's a wrap! Thank you for joining us! We appreciate your engagement and hope the discussion was helpful. Don't miss the last AMA in today's Tech Community Live, starting at 10:30 AM PT: AMA: Copilot/agentic-centered endpoint management.
- c_cass1 (Copper Contributor)
Using GSA for part of my Zero trust solution. Global Secure Access on BYOD (Android and iOS) not depending on the Microsoft Defender app is needed. Maybe an app just for GSA, similar to Windows. Asking users to install the Microsoft Defender app on their BYOD device is way too much. For my organization, GSA on Android was blocked, issues with Android version 15 and many other issues and just never working on some devices. From creating Intune App Configuration to enforcing GSA with CA policies, any recommendation for Android is very welcome.
- Pearl-Angeles (Community Manager)
Welcome to today's AMA on Best practices for applying Zero Trust using Intune! To participate, simply scroll down and add your questions as comments on this page. Our team of experts will be answering as many questions as possible during the session.
- JamesCFI (Copper Contributor)
On December 4th of last year, Microsoft announced Intune Endpoint Privilege Management was coming to M365 E5 customers. Any idea (ballpark) when that would be coming? I checked my panel today and it's still not available to use.
https://www.microsoft.com/en-us/microsoft-365/blog/2025/12/04/advancing-microsoft-365-new-capabilities-and-pricing-update/
- Jason_Sandys (Microsoft)
Hi JamesCFI,
There are no specific timelines to share at this time as to when this will be enabled in customers' tenants that have M365 E5 licensing. Please have this discussion with your account team, as they have been given guidance and are best equipped to handle this discussion and question with customers.
- cheddarchad12 (Copper Contributor)
Systems Architect for ~200 users in fully cloud M365 environment. What is Microsoft's or your own opinions on enforcing Zero Trust with CA policies? I took over an existing CA setup a year ago and although it works, it's very dependent on static grouping and I want something that can be easily scaled without relying on not missing adding someone to a group. Is this something CoPilot can help with?
- Pearl-Angeles (Community Manager)
Thanks for your participation in today's AMA! Your question was addressed at 2:23.
- VanakenJ (Brass Contributor)
Our network is built around Zero Trust. Intune is our device management tool (Windows devices). Intune features require a lot of URLs to be whitelisted, which makes supporting Intune in a Zero Trust network a challenge; even more so when Microsoft changes Intune IPs or URLs, or when, from our side, the network team makes changes we are not aware of.
One shortcoming for Intune management is a standardized connectivity test that reports on connectivity issues and helps Intune admins check and act on connectivity issues; it would even enable security admins and network admins to smoke test Intune pro-actively when making changes and thus avoid disruptions for Intune. What is the Intune team's opinion on this?
- Pearl-Angeles (Community Manager)
Thanks for your question! The panelists covered this topic at 9:11 during the live AMA.
- Francesco Scarpello (Microsoft)
This is a very valid concern and one we hear frequently: traditional networks built on perimeter defense (trust everything inside, rather than trust based on identity, device health and compliance signals) struggle to maintain allow lists for cloud services, as they need to maintain static IP address lists. Intune endpoint IPs can change, especially for CDN-based services. The reason they can change is to strengthen security, improve resilience, and scale globally. Intune is designed to operate over dynamic, cloud-native endpoints, and forcing it through static IP allow lists, centralized proxies, or TLS inspection creates fragility and operational risk. Microsoft explicitly recommends:
- Domain-based egress policies (FQDN) instead of static IP allow lists, because Intune and M365 endpoints change frequently and are CDN-backed
- Bypassing SSL/TLS inspection for Microsoft endpoints that don’t support it, as inspection often breaks enrollment, check-in, and policy delivery
- Local internet breakout where possible, rather than hairpinning traffic through centralized VPNs or proxies
For more information, see Support tip: Aligning network policy with Microsoft Intune and Zero Trust | Microsoft Community Hub
On the point of a standardized connectivity test: today, Microsoft publishes Intune endpoint documentation (Network endpoints for Microsoft Intune - Microsoft Intune | Microsoft Learn), but Intune does not rely on a single “connectivity probe” by design. Zero Trust shifts enforcement and validation to identity, device health, and compliance signals, not network reachability alone. In other words, if identity and device trust are verified, the network should largely become a fast, transparent transport layer rather than a control plane.
- VanakenJ (Brass Contributor)
In response to the AMA session, where they suggested I point out what I would expect as a tool: I mean a command-line tool to test under SYSTEM and USER context (Windows devices).
- SYSTEM context: testing of the network endpoints (required URLs per Service Category, e.g. AutoPilot, Device Registration...) needed to enable managing the device with Intune (the 'essentials'); URLs for interactive features (Edge, Office) are not needed in this context. This test would confirm to admins, security and network teams that basic connectivity through firewall and proxy works or, if not, which URLs have an issue. Examples in the community exist, like https://github.com/Azure-Samples/TestDeviceRegConnectivity and https://manima.de/2024/08/intune-network-requirements-everything-i-learned/
- USER context: same test (optionally interactive), including tests for all Intune network endpoints for all Service Categories (so including URLs for interactive user features). Confirms complete connectivity. A good example for Microsoft 365 is https://connectivity.office.com/
The tool/script would add value in a Zero Trust world where other security tools on the Windows client try to limit network and Internet access and could break basic Intune connectivity.
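The command-line check VanakenJ describes above (per-category endpoint test, run under SYSTEM and under the user) and the FQDN-based egress and no-TLS-inspection guidance in Francesco Scarpello's reply, as an added PowerShell example that is not part of this thread and is not a Microsoft tool. It probes a list of Intune FQDNs both directly (TCP, bypassing any proxy) and over HTTPS through the proxy that applies to the current security context, records the server certificate issuer so a TLS-inspecting proxy shows up, and exits non-zero when an essential endpoint is unreachable. Run it twice, once as the interactive user and once as SYSTEM (for example with `psexec -s`), and compare the two tables. The endpoint list is a constructed sample subset and not the authoritative list, which is the Microsoft Learn page "Network endpoints for Microsoft Intune"; the `Category` labels and the "Microsoft|DigiCert" issuer heuristic are this example's own assumptions. It assumes Windows PowerShell 5.1, where HttpWebRequest exposes the negotiated certificate through ServicePoint.

```powershell
# Test-IntuneConnectivity.ps1 (added example, not Microsoft's tool)
# Usage: .\Test-IntuneConnectivity.ps1 -Category Essentials,Autopilot
#        psexec -s powershell.exe -ExecutionPolicy Bypass -File .\Test-IntuneConnectivity.ps1
[CmdletBinding()]
param(
    [string[]]$Category = @('Essentials'),   # assumed labels: Essentials, Autopilot, User
    [int]$TimeoutSeconds = 10
)

# Constructed sample subset. Keep in sync with "Network endpoints for Microsoft Intune" on Microsoft Learn.
$Endpoints = @(
    @{ Host = 'login.microsoftonline.com';          Port = 443; Category = 'Essentials' }
    @{ Host = 'device.login.microsoftonline.com';   Port = 443; Category = 'Essentials' }
    @{ Host = 'enterpriseregistration.windows.net'; Port = 443; Category = 'Essentials' }
    @{ Host = 'manage.microsoft.com';               Port = 443; Category = 'Essentials' }
    @{ Host = 'ztd.dds.microsoft.com';              Port = 443; Category = 'Autopilot' }
    @{ Host = 'cs.dds.microsoft.com';               Port = 443; Category = 'Autopilot' }
    @{ Host = 'www.office.com';                     Port = 443; Category = 'User' }
) | ForEach-Object { [pscustomobject]$_ }

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$Timeout)
    # Direct TCP connect, no proxy: separates firewall egress from proxy egress.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout * 1000)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-HttpsEndpoint {
    param([string]$HostName, [int]$Timeout)
    # HTTPS through the proxy that applies to THIS context (SYSTEM and user proxy settings differ).
    $r = [ordered]@{ HttpOk = $false; Status = $null; CertIssuer = $null; Error = $null }
    $req = $null
    try {
        $req = [System.Net.HttpWebRequest]::Create("https://$HostName/")
        $req.Method = 'HEAD'
        $req.Timeout = $Timeout * 1000
        $req.AllowAutoRedirect = $false
        $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
        $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        $resp = $req.GetResponse()
        $r.Status = [int]$resp.StatusCode
        $resp.Close()
        $r.HttpOk = $true
    } catch [System.Net.WebException] {
        # A 3xx/4xx/5xx still proves DNS, TCP and TLS reached the service; only no-response is a failure.
        if ($_.Exception.Response) {
            $r.Status = [int]$_.Exception.Response.StatusCode
            $r.HttpOk = $true
        } else {
            $r.Error = $_.Exception.Status.ToString()
        }
    } catch { $r.Error = $_.Exception.Message }
    if ($req -and $req.ServicePoint.Certificate) {
        $r.CertIssuer = $req.ServicePoint.Certificate.Issuer
    }
    return [pscustomobject]$r
}

# 'NT AUTHORITY\SYSTEM' when launched via psexec -s or a scheduled task running as SYSTEM.
$context = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Context: $context   Categories: $($Category -join ', ')"

$results = foreach ($e in ($Endpoints | Where-Object { $Category -contains $_.Category })) {
    $dns = try { [bool][System.Net.Dns]::GetHostAddresses($e.Host) } catch { $false }
    $tcp = Test-TcpPort -HostName $e.Host -Port $e.Port -Timeout $TimeoutSeconds
    $web = Test-HttpsEndpoint -HostName $e.Host -Timeout $TimeoutSeconds
    # Heuristic (assumption): Microsoft endpoints chain to Microsoft or DigiCert CAs; anything else
    # on the wire usually means an inspecting proxy re-signed the session.
    $note = if (-not $web.HttpOk) { "BLOCKED ($($web.Error))" }
            elseif ($web.CertIssuer -and $web.CertIssuer -notmatch 'Microsoft|DigiCert') { 'TLS inspection?' }
            elseif (-not $tcp) { 'proxy only' }
            else { 'ok' }
    [pscustomobject]@{
        Category = $e.Category; Host = $e.Host; Dns = $dns; DirectTcp = $tcp
        Https = $web.HttpOk; Status = $web.Status; Issuer = $web.CertIssuer; Note = $note
    }
}

$results | Format-Table -AutoSize
# Non-zero exit = number of unreachable endpoints, so a scheduled task or change pipeline can smoke-test.
$failed = @($results | Where-Object { -not $_.Https })
exit $failed.Count
```

Reading the table: `DirectTcp = False` with `Https = True` is the normal shape on a proxy-only network; `Https = False` for an Essentials host is what breaks enrollment and check-in; an `Issuer` that is not a Microsoft or DigiCert CA on a host Microsoft lists as inspection-exempt is the TLS-inspection case from the reply above. Comparing the SYSTEM and user runs isolates the case where only the machine context lacks proxy configuration.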