Event details
Have questions about the latest security features and updates for Windows 11? Learn how to better protect your data and identities. Explore defaults, customization, and best practices that enable you to “lock down” Windows in your environment. Our product and engineering teams are here to help you stay ahead of evolving threats with Windows. Ask us anything!
This session is part of Tech Community Live: Windows edition.
38 Comments
- mohaa98 (Brass Contributor)
Is there a way to deploy a standard M365 Update channel to clients via Intune but also permit users to change to a different channel if they choose? (We have the monthly channel set in the App deployment via Intune and set in the M365 Admin channel.) Are there any security concerns with permitting users to choose a different update channel?
- NateNielsen (Microsoft)
Hi Jonathan, users are unable to change to a different update channel. Only an IT administrator can control what updates from a specific channel get pushed down to an end user device.
- mohaa98 (Brass Contributor)
Are you able to target a subset of users via a separate app deployment with Intune to use a different channel, or is your tenant locked to one channel due to the setting in the M365 admin center?
- rb-qcm (Copper Contributor)
Can you give a quick description of how Lighthouse can be used not only to manage Office 365, but also to create new user accounts in on-prem hybrid environments and sync them to Azure using automation through Azure Arc?
- Char_Cheesman (Bronze Contributor)
Welcome to the AMA: Windows security and best practices. Let's get started! Post your questions in the comments. We'll be answering questions in the live stream and in chat.
- Andrew_Beard (Copper Contributor)
Hi - I am interested in deploying the cloud PKI infrastructure for Intune to a customer who uses cloud-only Windows devices but wishes to authenticate their Wi-Fi and VPN using certificates from the computers and users. https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment

The VPN accesses a few servers in an AzureAD DS or in a legacy AD lifted to run on Azure cloud machines. They have no legacy Certificate Authority and, as a small company of between 20 and 50 users and client workstations, cannot afford third-party solutions for RADIUS, which are all the instructions I find when searching the web for practical step-by-step implementation instructions like this one from Oliver Kieselbach: https://oliverkieselbach.com/2024/03/04/how-to-configure-cloud-pki-certificate-based-wifi-with-intune/

My issue is that when reading through the Microsoft learning documentation I find that it says another, separate PKI or CA service is needed (or a certificate from the third-party RADIUS service?). I thought that was the whole point of the Cloud PKI service - not to have to have another one?

"When connecting to a relying party such as a Wi-Fi access point or VPN server, an SSL/TLS connection is first established by the managed Intune device when attempting to connect. Microsoft Cloud PKI doesn't provide these TLS/SSL certificates. You must obtain these certificates through another PKI or CA service." From: https://learn.microsoft.com/en-us/mem/intune/protect/microsoft-cloud-pki-deployment#ensure-chain-of-trust

Can you help me with this, as I don't understand why the cloud PKI alone would not be sufficient to provide the root and intermediate root certs, exported and uploaded to the VPN gateway/firewall and the network access point controllers for Wi-Fi, when combined perhaps with the Microsoft cloud NPS extension service? But then again, that also needs an on-prem AD with a RADIUS server and presumably a CA server? https://learn.microsoft.com/en-us/entra/architecture/auth-radius

I am happy to use SAML and SSO in Entra for the VPN, which may negate the requirement for RADIUS and NPS, but how would that work for Wi-Fi? Is that also possible?
- Jason_Sandys (Microsoft)
Hi Andrew. The crux of the limitation here is that the current Cloud PKI offering in Intune is for issuing certs to managed devices only. VPNs and WAPs typically require their own SSL/TLS cert to establish the secure connection with the client, but since these are not Intune-manageable devices, Cloud PKI cannot be used to issue certs to them. Note that a service-side cert is required to establish the secure channel; a client-side cert cannot be used for this. We are aware of these types of scenarios (there are others), but they were not part of the initial scope for the solution; they are something we've discussed investigating, but there's nothing to share about this today.
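The split Jason describes can be made concrete with the openssl CLI. The script below is an added example, not code from this thread, from Microsoft, or from Intune: it stands up two independent CAs, "CloudPKI" (a stand-in for the Intune Cloud PKI issuing CA, which only issues device/user certs with the clientAuth EKU) and "ServerCA" (a stand-in for the separate PKI/CA the docs say the RADIUS/VPN server cert must come from), then runs the two checks a RADIUS server makes on a supplicant's cert and a supplicant makes on the server's cert: does the leaf chain to the trusted CA, and does its EKU allow that role. All names (CloudPKI, ServerCA, laptop01, radius01) are constructed for the demo; it assumes an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example: why an Intune Cloud PKI client cert cannot double as the
# NPS/VPN server cert, and why the two sides need different trust anchors.
# Names below are constructed for the demo; nothing here is an Intune API.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key + CSR carrying only a subject; extensions are decided at signing time,
# exactly as a CA (cloud or on-prem) decides them for a device request.
new_csr() { # $1 = name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Self-signed CA: CA:TRUE plus certificate-signing key usage.
make_ca() { # $1 = CA name
  new_csr "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -sha256 \
    -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Leaf signed by a CA, carrying exactly one EKU (clientAuth or serverAuth).
issue_leaf() { # $1 = CA name, $2 = leaf name, $3 = clientAuth | serverAuth
  new_csr "$2"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" >"$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}

# Exit 0 only if the leaf chains to the given CA AND its EKU permits the
# purpose. "sslclient" is the EAP-TLS supplicant role; "sslserver" is the
# RADIUS/VPN side that must present a cert before any client cert is sent.
usable_for() { # $1 = trusted CA name, $2 = leaf name, $3 = sslserver | sslclient
  openssl verify -CAfile "$1.crt" -purpose "$3" "$2.crt" >/dev/null 2>&1
}

verdict() { # same check, printed as a word
  if usable_for "$1" "$2" "$3"; then echo accepted; else echo rejected; fi
}

make_ca CloudPKI
make_ca ServerCA
issue_leaf CloudPKI laptop01 clientAuth   # what Cloud PKI can hand a managed device
issue_leaf ServerCA radius01 serverAuth   # what the NPS/VPN side needs from elsewhere

# What the WAP/RADIUS server sees once the exported Cloud PKI chain is loaded:
echo "laptop01 as EAP-TLS client cert (trust: CloudPKI): $(verdict CloudPKI laptop01 sslclient)"
echo "laptop01 as TLS server cert    (trust: CloudPKI): $(verdict CloudPKI laptop01 sslserver)"

# What the supplicant sees when the server presents radius01:
echo "radius01 as TLS server cert    (trust: ServerCA): $(verdict ServerCA radius01 sslserver)"
echo "radius01 as TLS server cert    (trust: CloudPKI): $(verdict CloudPKI radius01 sslserver)"
```

The two "rejected" lines are the limitation in the answer: a clientAuth-only leaf fails the server-purpose check regardless of which CA issued it, and a server cert from a different CA does not chain to the Cloud PKI root, so the managed devices must be given ServerCA's chain (for example via a trusted-certificate profile) in addition to the Cloud PKI chain being uploaded to the RADIUS/VPN side.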