Hi folks – this morning, I’m taking a little side-trip away from my series about the modern Microsoft productivity platform for a brief review of a handful of new or lesser-known gems.
I’m going to touch on four capabilities, all of which are part of the “E3” license-class of EMS/M365 (as such, I bet many of you own/have access to these now).
Azure AD - Dynamic Groups for Devices
Dynamic groups are neat – as you’d expect, the membership is populated (and de-populated) based on attributes of in-scope objects (users or devices) - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule
For devices, there are numerous ways to use dynamic groups, such as our AutoPilot PC deployment system. It can leverage dynamic device groups to target the “right” deployment profiles to the “right” devices - https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group
In my lab environment, I have that set up, but I also set up my own dynamic device groups to filter Intune policies.
First, I created “Device Categories” in Intune for “Field Device” and “Corporate Device” types.
As users enroll devices into Intune, they are prompted to select ‘Field Device’ or ‘Corporate Device.’ This sets a tag on the device itself and on the device object in Intune.
Intune policies are then assigned to those groups accordingly:
Azure AD - Secure MFA registration
This one has been brought up frequently: “Provide controls for MFA registration based on CA ‘Conditions’ (such as trusted/compliant device, trusted networks, etc.).”
In my lab, I defined a Conditional Access Policy (CAP) that only allows MFA registration from one of my trusted locations (which I’ve also defined in AAD).
In this case, the policy definition structure for the “Locations” condition in CA is akin to a ‘whitelist’ model: you block access from everywhere (in this case, to security-info registration), and then you “exclude” ‘All trusted locations’ so the policy does not apply from within them.
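The policy described above, expressed as an added example that is not from the original post: it builds the same block-everywhere / exclude-trusted-locations shape and creates it through Microsoft Graph. It assumes $AccessToken holds a bearer token with Policy.ReadWrite.ConditionalAccess, that the trusted named locations already exist in Azure AD (the “AllTrusted” keyword refers to them), and that the object id below is a placeholder you replace.

```powershell
# Added example (not from the original post): builds the "secure MFA registration"
# Conditional Access policy and creates it through Microsoft Graph.
# Assumptions: $AccessToken holds a bearer token with Policy.ReadWrite.ConditionalAccess,
# the trusted named locations already exist in Azure AD (the "AllTrusted" keyword
# refers to them), and the object id below is a placeholder.

$AccessToken         = '<paste-access-token-here>'
$BreakGlassAccountId = '<object-id-of-emergency-access-account>'   # placeholder

# Block the "register security info" user action everywhere (includeLocations = All),
# then carve out the trusted locations (excludeLocations = AllTrusted). That is the
# allowlist shape the post describes: deny by default, exempt the trusted networks.
$policy = @{
    displayName = 'Block MFA registration outside trusted locations'
    # Start in report-only mode; switch to 'enabled' once the sign-in log shows
    # only the blocks you expect.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassAccountId)   # keep an emergency-access path
        }
        applications = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$headers = @{
    Authorization  = "Bearer $AccessToken"
    'Content-Type' = 'application/json'
}

$body = $policy | ConvertTo-Json -Depth 10

# POST creates the policy; Graph echoes it back with its new id.
$created = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Headers $headers -Body $body

"Created policy {0} (state: {1})" -f $created.id, $created.state
```

Run it in report-only mode first and review the Conditional Access report in the sign-in logs before flipping `state` to `enabled`.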
Intune - Administrative Templates
This one has also been a frequent customer request: “For decades, we’ve defined our policy settings for Windows via GPOs. Why can’t we mirror those GPO settings easily for deployment to Windows via Intune?”
Intune Configuration Profiles now include “Administrative Templates” support and there is a spot in the UI where those settings are all listed, searchable and sortable. Of course, as new ADMX files are released, Intune will reflect those updates, too.
BONUS - the Office ADMX settings are in there, too!
Azure Information Protection - Log Analytics and Centralized Client Logging
If you’ve been a reader of my previous posts, you know that I bring up auditing from time to time and I consider end-to-end auditing a pre-requisite for any enterprise solution. I want to be able to answer: “Who, what, where, when and why.” Answering ‘why’ can be difficult because ‘intent’ is usually in a person’s brain and not captured in an audit log. However, as you’ll see, with AIP logging, we can even answer ‘why’ sometimes.
In older versions of the AIP client, we only logged client activities in the local Event Log on the specific PC. In order to ‘centralize’ end-user AIP activities, one needed to set up Event Log Forwarding from all the target PCs. Don’t get me wrong, Event Log Forwarding is a helpful feature, but it’s certainly not ‘cloud-first, mobile-first.’
The AIP Product Group is not a team who sits on their heels (except Moser), so, they developed the AIP Log Analytics capability to improve on things.
Starting with AIP client v184.108.40.206, activities are logged in the local system’s Event Log AND that log data can also be sent up to an Azure Log Analytics workspace you create in your Azure tenant. Once the data is there, we provide some nice UIs and filters so you can visualize your data and glean immediate insights (the raw data is also accessible from there, if you want to ‘roll your own’ queries).
NOTE – Here’s the corresponding local PC event log entry:
If you like this stuff (and I know you do, or you wouldn’t be reading this), there are TONS more capabilities like these in the “value meal” that is the EMS suite which is also rolled up into the bigger “value meal” of Microsoft 365.
As I mentioned at the beginning of this post, many organizations own some/most/all of these capabilities. If you aren’t sure how to deploy or even how to get started, you’re not alone - and we can help!
If you could use some assistance, reach out. Microsoft offers many avenues from self-help, such as our deployment docs/guidance (AAD, Intune, AIP), to collaboration with our FastTrack program, Premier Services (hit up your Technical Account Manager), as well as Microsoft Partners.