User Profile
JJGuirola
Microsoft
Joined 3 years ago
Recent Discussions
Enhancing Secure Remote Work with Windows 365 and Microsoft Entra Suite
(Windows 365, Microsoft Entra Suite)
Contributors: Juan José Guirola Sr. (Security GBB for Advanced Identity), Tenney Bartenfelder (GBB – Advanced Identity)

Summary

The document discusses the benefits of using Windows 365 and Microsoft Entra Suite to enhance secure remote work environments across various industries.

Importance of Secure Remote Work: Remote work offers flexibility and access to a global talent pool but also introduces risks such as data breaches and cyber threats, making secure remote work crucial for business continuity.
Windows 365 Cloud PC: Windows 365 provides a full Windows environment streamed from the cloud, offering centralized security, data protection, conditional access, integration with Microsoft security tools, remote management, and scalability.
Microsoft Entra Suite Features: Microsoft Entra Suite includes Private Access, Internet Access, ID Governance, ID Protection, Verified ID, and Least Privilege Access, providing comprehensive security for modern workplaces.
Global Consulting Firm Case Study: A global consulting firm improved security, scalability, user experience, and identity governance by adopting Windows 365, Microsoft Entra Private Access, and Microsoft Entra Identity Governance.
Manufacturing Company Case Study: A manufacturing company addressed data security, scalability, user experience, identity governance, and internet threats by implementing Windows 365 Cloud PC, Microsoft Entra Private Access, Internet Access, and Identity Governance.
Healthcare Provider Case Study: A healthcare provider ensured secure remote access, data security, scalability, user experience, identity governance, and verifiable identity by using Windows 365, Microsoft Entra Private Access, Internet Access, Identity Governance, and Verified ID.
Comparison with Traditional Virtual Desktop Solutions: Windows 365 offers simplicity, per-user licensing, seamless Microsoft integration, scalability, robust security, and consistent user experience compared to traditional virtual desktop solutions.
Comparison with Other IAM Solutions: Microsoft Entra Suite provides identity-centric Zero Trust Network Access, Secure Web Gateway, automated identity lifecycle management, digital identity verification, least privilege access, and advanced threat detection compared to other IAM solutions.
Comparison with Other SASE Solutions: Other SASE solutions may offer strong security and scalability but often lack the seamless integration with Microsoft 365 and other productivity tools that Microsoft Entra Suite provides.
Conclusion: Windows 365 and Microsoft Entra Suite offer robust, scalable, and integrated solutions for secure remote work, enhancing productivity and security in hybrid work environments.

Main Document

In today’s digital age, remote work has become a staple for many organizations. However, with the flexibility of remote work comes the challenge of ensuring security across various devices and networks. This is where solutions like Windows 365 and Microsoft Entra Suite come into play, offering robust security features that help organizations maintain productivity without compromising on security.

The Importance of Secure Remote Work

Remote work offers numerous benefits, including increased flexibility, reduced commute times, and the ability to tap into a global talent pool. However, it also introduces risks such as data breaches, unauthorized access, and cyber threats. Ensuring secure remote work is crucial to protect sensitive information and maintain business continuity.

Windows 365: A Secure Cloud PC Solution

Windows 365 transforms the traditional desktop experience by streaming a full Windows environment from the cloud to any device.
Here are some key benefits:

Centralized Security: Windows 365 leverages Microsoft’s Zero Trust security model, which includes identity verification and risk assessment, device health validation, and least-privilege access, to ensure that only authorized users can access Cloud PCs.
Data Protection: Data is stored in the cloud, not on local devices, reducing the risk of data loss or theft. With features like virtual Trusted Platform Module (vTPM) and Secure Boot, Windows 365 ensures that data is encrypted, both in transit and at rest, and protected from malware and other threats.
Conditional Access: Administrators can set Conditional Access policies to control who can access the Cloud PCs and under what conditions, enhancing security by ensuring that access is granted only from compliant devices and locations.
Integration with Microsoft Security Tools: It integrates seamlessly with Microsoft Defender for Endpoint, providing advanced threat protection and security management capabilities.
Remote Management: IT administrators can manage and configure Cloud PCs remotely using tools like Microsoft Intune, simplifying the management of security policies and compliance.
Scalability and Flexibility: Windows 365 allows organizations to quickly scale up or down based on their needs, providing flexibility to support a dynamic workforce while maintaining security standards.

Microsoft Entra Suite: Comprehensive Security for Modern Workplaces

Microsoft Entra Suite offers a unified approach to identity and network access security, making it easier for organizations to implement a Zero Trust security model. Key features include:

Microsoft Entra Private Access: This feature provides identity-centric Zero Trust Network Access (ZTNA) to secure access to private applications and resources. It helps reduce operational complexity and costs by replacing legacy VPNs.
Microsoft Entra Internet Access: An identity-centric Secure Web Gateway (SWG) that protects against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. It ensures secure access to SaaS applications and internet traffic.
Microsoft Entra ID Governance: A comprehensive identity governance and administration solution that automates the identity and access lifecycle. It ensures that the right people have the right access to the right apps and services at the right time.
Microsoft Entra ID Protection: This advanced identity solution blocks identity compromise in real time using high-assurance authentication methods, automated risk and threat assessment, and adaptive access policies powered by advanced machine learning.
Microsoft Entra Verified ID: A managed verifiable credentials service based on open standards that enables real-time identity verification in a secure and privacy-respecting way. It includes premium capabilities like Face Check for streamlined remote onboarding and self-service recovery of passwordless accounts.
Least Privilege Access: Automates the access lifecycle to ensure users have the minimum necessary access to perform their roles, helping to prevent lateral movement in case of a breach.
Improved User Experience: Enhances the user experience with faster and more secure sign-in via passwordless authentication, single sign-on for all applications, and superior performance. It also provides a self-service portal for managing access requests and approvals.
Reduced Complexity and Cost: By integrating multiple security tools into one suite, Microsoft Entra Suite reduces the complexity and cost of managing security tools from multiple vendors.

Sample Use Cases

Case Study: A Global Consulting Firm

Background: A global consulting firm with offices in multiple countries needed a secure and scalable solution to support its remote workforce.
The firm faced challenges with its existing VPN-based remote access solution, which was not adequately equipped to handle the increased demand for remote work and stringent security requirements. Additionally, the firm required robust identity governance to manage the lifecycle of user identities and ensure compliance with various international regulations.

Challenges:

Data Security and Compliance: Ensuring the protection of sensitive client data and compliance with various international regulations.
Scalability: The need to quickly scale remote access solutions to accommodate a growing number of remote consultants.
User Experience: Providing a seamless and efficient user experience for consultants accessing critical applications and client data remotely.
Identity Governance: Managing the lifecycle of user identities, including the creation, updating, and removal of access rights, to ensure that consultants had appropriate access based on their roles and responsibilities.
Management Complexity: Reducing the complexity of managing a diverse IT environment with multiple security and access control solutions.

Solution: The consulting firm adopted Windows 365, Microsoft Entra Private Access, and Microsoft Entra Identity Governance to address these challenges.

Windows 365:
Scalability: Enabled the firm to quickly scale virtual desktops based on demand, providing flexibility for remote and hybrid work.
Centralized Management: Simplified IT management with centralized control over updates, patches, and configurations.
Consistent User Experience: Delivered a seamless user experience across devices, ensuring consultants could access critical applications and client data efficiently.

Microsoft Entra Private Access:
Zero Trust Security: Implemented Zero Trust principles to secure access to private applications and resources, ensuring only authorized users could access sensitive information.
Conditional Access: Used Conditional Access policies to control access based on user identity, device health, and location, enhancing security.
Identity Protection: Leveraged advanced identity protection features to detect and respond to potential security threats in real time.
VPN Replacement: Replaced the legacy VPN solution with Microsoft Entra Private Access, providing secure access to private corporate resources without the need for a traditional VPN.

Microsoft Entra Identity Governance:
Identity Lifecycle Management: Automated the creation, updating, and removal of user identities based on signals from HR systems, ensuring that consultants had the right access from day one and that access was revoked promptly when they left the organization.
Access Lifecycle Management: Managed access rights across various resources, ensuring that consultants had appropriate access based on their roles and responsibilities. This included automated access reviews and entitlement management to maintain compliance and security.
Privileged Access Management: Secured privileged accounts by implementing policies for just-in-time access and monitoring privileged activities to prevent misuse.

Outcome:

Enhanced Security: The firm achieved a higher level of security with Zero Trust principles, protecting sensitive client data and ensuring compliance with international regulations.
Improved Performance: Consultants experienced improved performance and reliability with Windows 365, enabling them to work efficiently from any location.
Scalability and Flexibility: The firm could easily scale its virtual desktop infrastructure to meet changing demands, supporting a dynamic workforce.
Streamlined Management: IT teams benefited from simplified management and centralized control, reducing administrative overhead and improving operational efficiency.
By integrating Windows 365, Microsoft Entra Private Access, and Microsoft Entra Identity Governance, the global consulting firm successfully created a secure, scalable, and efficient remote work environment, enhancing productivity and ensuring compliance with industry regulations.

Case Study: A Manufacturing Company

Background: A global manufacturing company with multiple production facilities and offices worldwide needed a secure and scalable solution to support its remote workforce and third-party access. The company faced challenges with its existing remote access infrastructure, which was not adequately equipped to handle the increased demand for remote work and stringent security requirements. Additionally, the company required robust identity governance to manage the lifecycle of user identities, including joiner, mover, and leaver scenarios, and to control access to internal resources and mitigate internet threats. The company was intrigued by the ability of Entra Private Access to provide per-app VPN functionality, restricting third parties from lateral movement on their network.

Challenges:

Data Security and Compliance: Ensuring the protection of sensitive manufacturing data and compliance with various international regulations.
Scalability: The need to quickly scale remote access solutions to accommodate a growing number of remote employees.
User Experience: Providing a seamless and efficient user experience for employees accessing critical applications and data remotely.
Identity Governance: Managing the lifecycle of user identities, including the creation, updating, and removal of access rights, to ensure that employees had appropriate access based on their roles and responsibilities.
Internet Threats: Protecting against malicious internet traffic and ensuring secure access to SaaS applications and internet resources.
Management Complexity: Reducing the complexity of managing a diverse IT environment with multiple security and access control solutions.
Solution: The manufacturing company adopted Windows 365 Cloud PC, Microsoft Entra Private Access, Microsoft Entra Internet Access, and Microsoft Entra Identity Governance to address these challenges:

Windows 365 Cloud PC:
Scalability: Enabled the company to quickly scale virtual desktops based on demand, providing flexibility for remote and hybrid work.
Centralized Management: Simplified IT management with centralized control over updates, patches, and configurations.
Consistent User Experience: Delivered a seamless user experience across devices, ensuring employees could access critical applications and data efficiently.

Microsoft Entra Private Access:
Zero Trust Security: Implemented Zero Trust principles to secure access to private applications and resources, ensuring only authorized users could access sensitive information.
Conditional Access: Used Conditional Access policies to control access based on user identity, device health, and location, enhancing security.
VPN Replacement: Replaced the legacy VPN solution with Microsoft Entra Private Access, providing secure access to private corporate resources without the need for a traditional VPN.

Microsoft Entra Internet Access:
Secure Web Gateway: Provided an identity-centric Secure Web Gateway (SWG) to protect against malicious internet traffic and ensure secure access to SaaS applications and internet resources.
Threat Protection: Enhanced protection against internet threats, ensuring that employees could safely access the internet and SaaS applications.

Microsoft Entra Identity Governance:
Identity Lifecycle Management: Automated the creation, updating, and removal of user identities based on signals from HR systems, ensuring that employees had the right access from day one and that access was revoked promptly when they left the organization.
Access Lifecycle Management: Managed access rights across various resources, ensuring that employees had appropriate access based on their roles and responsibilities.
This included automated access reviews and entitlement management to maintain compliance and security.
Privileged Access Management: Secured privileged accounts by implementing policies for just-in-time access and monitoring privileged activities to prevent misuse.

Outcome:

Enhanced Security: The company achieved a higher level of security with Zero Trust principles, protecting sensitive manufacturing data and ensuring compliance with international regulations.
Improved Performance: Employees experienced improved performance and reliability with Windows 365 Cloud PC, enabling them to work efficiently from any location.
Scalability and Flexibility: The company could easily scale its virtual desktop implementation to meet changing demands, supporting a dynamic workforce.
Streamlined Management: IT teams benefited from simplified management and centralized control, reducing administrative overhead and improving operational efficiency.
Comprehensive Threat Protection: The company effectively mitigated internet threats and ensured secure access to SaaS applications and internet resources.

By integrating Windows 365 Cloud PC, Microsoft Entra Private Access, Microsoft Entra Internet Access, and Microsoft Entra Identity Governance, the manufacturing company successfully created a secure, scalable, and efficient remote work environment, enhancing productivity and ensuring compliance with industry regulations. The desired least privilege for third-party access was achieved by isolating those users on a compliant device, segmented by per-app VPN access via Global Secure Access.

Case Study: A Healthcare Provider

Background: A large healthcare provider with multiple hospitals and clinics across the United States needed to ensure secure remote access for its staff to access patient records and other sensitive information.
The provider faced challenges with its existing remote access infrastructure, which was not adequately equipped to handle the increased demand for remote work and stringent regulatory requirements such as HIPAA. Additionally, the provider required a solution for verifiable identity to manage the lifecycle of user identities, including joiner, mover, and leaver scenarios, and to ensure that only authorized personnel could access sensitive patient data.

Challenges:

Data Security and Compliance: Ensuring the protection of sensitive patient data and compliance with healthcare regulations such as HIPAA.
Scalability: The need to quickly scale remote access solutions to accommodate a growing number of remote healthcare professionals.
User Experience: Providing a seamless and efficient user experience for healthcare professionals accessing critical applications and patient records remotely.
Identity Governance: Managing the lifecycle of user identities, including the creation, updating, and removal of access rights, to ensure that healthcare professionals had appropriate access based on their roles and responsibilities.
Verifiable Identity: Implementing a system to verify the identities of healthcare professionals securely and efficiently.

Solution: The healthcare provider adopted Windows 365, Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra Identity Governance, and Microsoft Entra Verified ID to address these challenges:

Windows 365:
Scalability: Enabled the provider to quickly scale virtual desktops based on demand, providing flexibility for remote and hybrid work.
Centralized Management: Simplified IT management with centralized control over updates, patches, and configurations.
Consistent User Experience: Delivered a seamless user experience across devices, ensuring healthcare professionals could access critical applications and patient data efficiently.
Microsoft Entra Private Access:
Zero Trust Security: Implemented Zero Trust principles to secure access to private applications and resources, ensuring only authorized users could access sensitive information.
Conditional Access: Used Conditional Access policies to control access based on user identity, device health, and location, enhancing security.
VPN Replacement: Replaced the legacy VPN solution with Microsoft Entra Private Access, providing secure access to private corporate resources without the need for a traditional VPN.

Microsoft Entra Internet Access:
Secure Web Gateway: Provided an identity-centric Secure Web Gateway (SWG) to protect against malicious internet traffic and ensure secure access to SaaS applications and internet resources.
Threat Protection: Enhanced protection against internet threats, ensuring that healthcare professionals could safely access the internet and SaaS applications.

Microsoft Entra Identity Governance:
Identity Lifecycle Management: Automated the creation, updating, and removal of user identities based on signals from HR systems, ensuring that healthcare professionals had the right access from day one and that access was revoked promptly when they left the organization.
Access Lifecycle Management: Managed access rights across various resources, ensuring that healthcare professionals had appropriate access based on their roles and responsibilities. This included automated access reviews and entitlement management to maintain compliance and security.
Privileged Access Management: Secured privileged accounts by implementing policies for just-in-time access and monitoring privileged activities to prevent misuse.

Microsoft Entra Verified ID:
Verifiable Credentials: Implemented a managed verifiable credential service to issue and verify credentials for healthcare professionals. This ensured that only verified individuals could access sensitive patient data and applications.
Identity Verification: Used verifiable credentials to confirm the identities of healthcare professionals during onboarding and access requests, enhancing security and compliance.
Decentralized Identity: Leveraged decentralized identifiers (DIDs) to provide healthcare professionals with self-owned, verifiable credentials that could be securely stored and presented when needed.

Outcome:

Enhanced Security: The provider achieved a higher level of security with Zero Trust principles, protecting sensitive patient data and ensuring compliance with healthcare regulations.
Improved Performance: Healthcare professionals experienced improved performance and reliability with Windows 365, enabling them to work efficiently from any location.
Scalability and Flexibility: The provider could easily scale its virtual desktop implementation to meet changing demands, supporting a dynamic workforce.
Streamlined Management: IT teams benefited from simplified management and centralized control, reducing administrative overhead and improving operational efficiency.
Comprehensive Threat Protection: The provider effectively mitigated internet threats and ensured secure access to SaaS applications and internet resources.
Verifiable Identity: The use of Microsoft Entra Verified ID ensured that only verified healthcare professionals could access sensitive patient data, enhancing security and compliance.

By adopting Windows 365 and the Microsoft Entra Suite, the healthcare provider successfully met its stringent requirements for secure remote access. It achieved enhanced security and compliance with healthcare regulations, ensuring the protection of sensitive patient data. The scalable and flexible virtual desktop provided by Windows 365 allowed the provider to support a dynamic remote workforce efficiently.
Additionally, the integration of Microsoft Entra Private Access, Internet Access, Identity Governance, and Verified ID ensured robust identity management, secure access to internal resources, and protection against internet threats. This comprehensive solution streamlined IT management, improved operational efficiency, and delivered a seamless user experience for healthcare professionals, ultimately enabling the provider to maintain high standards of patient care and data security in a remote work environment.

These case studies demonstrate the versatility and effectiveness of Windows 365 and Microsoft Entra Suite in enhancing secure remote work across various industries. If you need more details or have any other questions, feel free to ask!

When comparing Windows 365 and Microsoft Entra Suite to other remote work tools, several key factors come into play, including security, ease of use, scalability, and integration capabilities. Here’s a comparison with some popular remote work solutions:

Windows 365 vs. Traditional Virtual Desktop Solutions

Windows 365:
Simplicity and Ease of Use: Windows 365 is designed for straightforward deployment and management. It provides a seamless experience with minimal setup, making it ideal for organizations that need quick, reliable access to virtual desktops without extensive technical customization.
Per-User Licensing: Windows 365 uses a per-user licensing model, which simplifies budgeting and cost management. This model allows for predictable costs, making it easier for businesses to plan their expenses.
Integration with Microsoft Ecosystem: Being a Microsoft product, Windows 365 integrates seamlessly with other Microsoft services like Microsoft 365, Microsoft Entra ID, Microsoft Intune, Microsoft Entra Suite, Microsoft Defender for Endpoint, and many more. This integration enhances productivity and security by providing a unified environment.
Scalability: Windows 365 can easily scale to meet the needs of growing businesses.
Whether you need to add more users or increase resources, Windows 365 can adapt to changing demands without significant reconfiguration.
Security: Windows 365 benefits from Microsoft’s robust security infrastructure. It includes features like multi-factor authentication, Conditional Access, Microsoft Intune, Microsoft Defender for Endpoint, and Microsoft Entra Suite (Entra Private/Internet Access, Entra Identity Governance, Entra Identity Protection, Entra Verified ID), ensuring that your data, resources, and applications are always protected.
Consistent User Experience: Windows 365 provides a consistent and familiar Windows experience across devices. Users can access their Cloud PC from any device with an internet connection, maintaining productivity and continuity.

Traditional Virtual Desktop Solutions:
Complexity in Setup and Management: Traditional solutions can be complex to set up and manage, requiring significant IT expertise and resources. This complexity can lead to higher operational costs and longer deployment times.
Scalability Issues: Scaling traditional virtual desktop solutions can be challenging. Adding new users or increasing resources often requires substantial reconfiguration and investment in additional hardware.
Integration Challenges: Non-Microsoft solutions may not integrate as seamlessly with other tools and services, especially those within the Microsoft ecosystem. This can result in a fragmented user experience and reduced productivity.
Security Concerns: While traditional solutions offer security features, they may not match the comprehensive security infrastructure provided by Microsoft. This includes advanced threat protection, multi-factor authentication, and seamless integration with security tools like Microsoft Defender and Microsoft Entra Suite.
Cost Management: Traditional solutions often use a per-device licensing model, which can be less predictable and more expensive compared to the per-user licensing model of Windows 365.
This can make budgeting and cost management more difficult.
User Experience: Traditional solutions might not provide a consistent and familiar user experience across different devices. Users may face issues with performance and accessibility, impacting their productivity.

Microsoft Entra Suite vs. Other Identity and Access Management (IAM) Solutions

Microsoft Entra Suite:

Microsoft Entra Private Access
Identity-Centric Zero Trust Network Access (ZTNA): Replaces traditional VPNs with a more secure, identity-centric approach, reducing the attack surface and mitigating lateral movement.
Seamless Access: Provides fast, seamless access to private applications from any device and location, enhancing user productivity.
Conditional Access Policies: Enforces adaptive Conditional Access controls, including multifactor authentication (MFA), to validate both device and user identities.

Microsoft Entra Internet Access
Secure Web Gateway (SWG): Protects against malicious internet traffic and unsafe content, ensuring secure access to SaaS apps and internet resources.
Identity-Centric Security: Integrates identity and network access controls to provide comprehensive protection across public and private networks.

Microsoft Entra ID Governance
Automated Identity Lifecycle Management: Ensures that the right people have the right access to the right resources at the right time, improving productivity and security.
Access Reviews and Compliance: Facilitates regular access reviews and compliance checks to reduce the risk of access abuse and ensure regulatory compliance.
Delegated Access Management: Allows business groups to manage access requests and approvals, streamlining operations and reducing IT workload.

Microsoft Entra Verified ID
Digital Identity Verification: Enables secure, real-time verification of identity claims and credentials, reducing fraud and improving trust.
Self-Service Enrollment: Simplifies identity verification processes, reducing the need for support calls and manual checks.
Open Standards-Based: Built on open standards, ensuring interoperability and flexibility for various use cases.

Least Privilege Access
Role-Based Access Control (RBAC): Assigns users the minimum permissions necessary to perform their duties, reducing the risk of unauthorized access.
Just-In-Time Access: Grants access rights only for the duration needed, minimizing the window of opportunity for potential attackers.
Regular Audits: Conducts periodic reviews of user access to ensure compliance with the principle of least privilege.

Microsoft Entra ID Protection
Advanced Threat Detection: Uses machine learning to identify and respond to sign-in risks and unusual user behavior in real time.
Adaptive Access Policies: Automatically adjusts access policies based on detected risks, enhancing security without compromising user experience.
Integration with Security Tools: Seamlessly integrates with other Microsoft and non-Microsoft security solutions for comprehensive threat management.

Other IAM Solutions:
Security: Varies widely depending on the provider but may not offer the same level of integration with Conditional Access and Zero Trust principles.
Ease of Use: User experience can vary, with some solutions requiring more complex setup and management.
Scalability: Many IAM solutions are scalable, but integration with existing systems can be challenging.
Integration: May not integrate as seamlessly with Microsoft 365 and other productivity tools, potentially leading to a fragmented user experience.

Other Secure Access Service Edge (SASE) Solutions
Security: Generally strong, but the level of identity integration can vary.
Ease of Use: User experience can differ, with some solutions requiring more complex configurations.
Scalability: Typically scalable, but integration with existing systems and applications can be a challenge.
Integration: May not offer the same level of integration with Microsoft 365 and other productivity tools, potentially leading to a less cohesive experience.

Conclusion

Windows 365 and Microsoft Entra Suite offer robust, scalable, and integrated solutions for secure remote work. This combined solution stands out for its comprehensive security features, ease of use, and seamless integration with other Microsoft services. While other solutions may offer strong security and scalability, the deep integration and unified ecosystem provided by Microsoft can significantly enhance productivity and security for remote and hybrid work environments. Stay tuned for a follow-up blog discussing the business value of this combined solution (ROI/TCO).

Windows 365 Boot - Simple (Complementary) Step-by-Step
Simple steps to enabling Windows 365 Boot
July 24, 2023
Contributors: Juan José Guirola Sr. (Microsoft)

Much excitement has been generated by the announcement and availability of Windows 365 Boot, especially now that, as of the time of this writing, Windows 365 Boot is in Public Preview. To assist you with the configuration and deployment, you may be following the articles below:

What is Windows 365 Boot? https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-guide
Windows 365 Boot guided scenario: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-guide
Physical device requirements: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-physical-device-requirements
Restrict access to physical device: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-restrict-user-access-physical-device

These are all great starting points for enabling Windows 365 Boot in your environment. This article is meant to complement the articles above: it offers additional guidance, helps clarify some of the steps they describe, and simplifies the deployment of Windows 365 Boot.

Complementary Steps:

Start by following the steps as described in the Windows 365 Boot guided scenario: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-guide

Next, follow the guidance as described in Restrict user access to Windows 365 Boot physical device: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-restrict-user-access-physical-device

These particular steps can be accomplished in Intune by introducing a Configuration profile with administrative templates. I recommend creating a specific Configuration profile for each policy that you want to enforce.
The article has us creating profiles for the following:

Prevent access to the physical device's Task Manager
Prevent users from changing the physical device's password
Set default credential provider
Remove Notifications and Action Center from the task bar
Prevent physical device notifications
Prevent automatic launch of apps during user sign-in
Improve sign-in on touch screen devices

Follow the Appendix section "Restrict access to Physical Device" found in this document for detailed steps for creating each of these policies in Intune.

Next, follow the guidance described in Windows 365 Boot physical device setup and requirements: https://learn.microsoft.com/en-us/windows-365/enterprise/windows-365-boot-physical-device-requirements

NOTE: The instructions in the above link assume that you are working with a physical device that has already been enrolled in Intune management. If you are working with a physical device that is currently not enrolled in Intune management, follow the steps in the link below to enroll the device into Intune. Once the device is enrolled in Intune, you can execute a device "Wipe" as instructed in the steps documented in the above link.

https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device

After initiating the wipe, you complete the Autopilot process and follow all prompts; you ultimately end up logging in directly to your Windows 365 Cloud PC.

Appendix

Restrict access to Physical device

Policy #1 – Prevent Access to physical device's Task Manager

Steps to create policy "Prevent Access to physical device's Task Manager":

1. Go to the Microsoft Intune admin center: https://endpoint.microsoft.com
2. Select "Devices". Then select "Configuration profiles" under Policy.
3. Ensure "Profiles" is selected, then click "Create profile".
4. In the "Create a profile" screen, under Platform select "Windows 10 and later" from the drop down, and "Templates" from the Profile type drop down.
5. Select "Administrative templates", then Create.

Follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "User Configuration" and in the search bar type Task Manager. Select Remove Task Manager. Select "Enabled" and then click OK.
Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #2 – Prevent users from changing the physical device's password

Steps to create policy "Prevent users from changing the physical device's password":

Follow steps 1 – 5 as described in creating Policy #1. Then follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "User Configuration" and in the search bar type remove change password. Select "Remove Change Password". Select Enabled and click OK.
Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #3 – Set default credential provider

Steps to create policy "Set default credential provider":

Follow steps 1 – 5 as described in creating Policy #1. Then follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "Computer Configuration" and in the search bar type Assign a default credential provider. Select "Assign a default credential provider". Select Enabled and enter the following CLSID to set username and password as the default: {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}. Click OK.

Note: The CLSIDs for credential providers can be found under the following registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #4 – Remove Notifications and Action Center from the task bar

Steps to create policy "Remove Notifications and Action Center from the task bar":

Follow steps 1 – 5 as described in creating Policy #1. Then follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "User Configuration" and in the search bar type Remove Notifications and Action Center. Select "Remove Notifications and Action Center". Select Enabled and click OK.
Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #5 – Prevent physical device notifications

Steps to create policy "Prevent physical device notifications":

Follow steps 1 – 5 as described in creating Policy #1. Then follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "User Configuration" and in the search bar type Turn off toast notifications. Select "Turn off toast notifications". Select Enabled and click OK.
Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #6 – Prevent automatic launch of apps during user sign-in

Steps to create policy "Prevent automatic launch of apps during user sign-in":

Follow steps 1 – 5 as described in creating Policy #1. Then follow the prompts as presented in the profile creation (5 total steps):

Basics
Configuration settings: Select "User Configuration" and in the search bar type Do not process the legacy run list. Select "Do not process the legacy run list". Select Enabled and click OK.
Scope tags: You can choose to configure Scope tags. For this article we are electing to bypass this. Click Next.
Assignments: Select the group that you want to target and click Next.
Review + create: Review the configuration and click Create.

Policy #7 – Improve sign-in on touch screen devices (OPTIONAL AND APPLICABLE ON DEVICES THAT REQUIRE THE USE OF TOUCH KEYBOARD)

Note: This is "enabled" by default on Windows devices.

[UPDATE] As of September 26, 2023, Windows 365 Boot is now Generally Available (GA). Here is the article for additional details: Windows 365 Boot is now generally available! - Windows IT Pro Blog (microsoft.com)

Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected.

How to Automate Windows 365 Cloud PC Last Login monitoring!
Automate Windows 365 Cloud PC Last Login monitoring!

(Windows 365, Azure Active Directory, Power Automate, MS Graph)

Contributors: Juan José Guirola Sr. (Next Generation Endpoint GBB for Americas), Bobby Chang (Power Platform GBB for Americas)

Enterprises of all sizes are adopting Windows 365 to solve several business-critical scenarios. Organizations appreciate the simplicity of the solution, its rapid deployment, and the enhanced end user experience, which offers the opportunity to add new solutions to their services catalog.

Part of the simplicity of Windows 365 is that its management plane is Microsoft Intune. Using the Windows 365 admin blade in Intune, administrators can perform the initial configuration of the service and ongoing monitoring of the Cloud PCs deployed within the enterprise, with several reports made visible through the "Reports" blade, including Device management, Endpoint Security, Endpoint Analytics, etc. We have recently introduced a new type of analytical report, the Cloud PC utilization report (preview), which brings visibility to Cloud PCs with low usage. This is a nice addition to the platform, and a much-needed report. For some organizations, that level of reporting will suffice. But if you are looking for a more custom report that aligns to the specific goals and needs of your organization, then keep reading.

This blog will describe how to use the Microsoft Power Platform to automate the reporting of Windows 365 based on your specific criteria and receive notifications via email when the criteria are met. In our example, we are setting the criteria to report on Cloud PCs that have not been logged on to for 60 days or more. Let's get started.

Prerequisites

The following items are required to automate the process and deploy it in a production environment (for personal development and sandbox/testing scenarios, you can use the Microsoft 365 Developer Plan and Power Apps Developer Plan):
Windows 365 Enterprise licenses
Azure Active Directory (Azure AD) Premium (P1/P2)
Microsoft Endpoint Manager
Power Automate per flow plan
Microsoft Graph (Windows 365 Cloud PC MS Graph API in beta): Working with Windows 365 Cloud PCs using the Microsoft Graph API
Azure App Registration with the following permissions: CloudPC.Read.All

For enterprise production scenarios, we would recommend leveraging the Application Lifecycle Management (ALM) capabilities in Power Platform, in order to safely adopt future changes to your processes. However, this is outside the scope of this blog post.

Register MS Graph in Azure AD

If you have followed our previous blog, How to automate Windows 365 Cloud PC self-service requests, you may have already performed these steps. If so, please proceed to the next section of this blog.

Register MS Graph as an Enterprise application in Azure Active Directory:

Log into the Azure portal with appropriate permissions for making application registrations. Global Administrator privileges will provide the permissions to make application registrations; there are other options, described in the custom role details in this documentation: Custom role permissions for app registration - Azure AD - Microsoft Entra | Microsoft Docs.
In the Azure services portal, click Azure Active Directory > Azure Active Directory.

Figure 1: A screenshot of the Azure Active Directory blade in the Azure services portal.

Select App registrations in the left navigation menu.
Click New registration.
Give the application a name, select Single Tenant for the supported account type, and then click Register.

Figure 2: A screenshot of the Register an application screen, showing the details that need to be identified for the new application.

Note your Directory (tenant) ID and Application (client) ID GUIDs and then click on API Permissions.
Figure 3: A screenshot of the recently created application overview with the Application (client) ID and Directory (tenant) ID details highlighted.

Click API permissions in the left navigation menu.
Click Add a permission.
Select Microsoft Graph and choose Application permissions.
Ensure the following permissions are added:
CloudPC.Read.All
User.Read
User.Read.All
Group.Read.All
Mail.Send (optional, for sending messages via Graph)

Figure 4: A screenshot of the Select permissions setup.

Once the permissions have been added, click Grant consent.
Click Certificates & secrets in the left navigation menu, and then click New client secret.

Important! Note this secret key and store it somewhere safe, like a key vault. This key will only be visible upon creation. Once you navigate away, you will be unable to expose the key again and will have to generate a new key.

Create the Cloud PC Last Login Monitoring automation!

In this section, we will build the Power Automate flow that orchestrates the Last Login monitoring and reporting process. This decision flow illustrates the end-to-end process of retrieving Cloud PC attribute values from the Microsoft Graph using the Windows 365 API and parsing the lastLoginResult value to compare it against our criteria of 60 days or more.

Figure 5: A flowchart depicting the process for reporting Cloud PC Last Login.

To begin, sign into Microsoft Power Automate with your Microsoft 365 organization credentials. From the left navigation menu, click + Create, then:

Click Automated cloud flow.
Name the flow and choose the flow trigger "Recurrence" from the list.
Click Create.
Set your desired Interval.

Figure 6: A screenshot that shows the Recurrence trigger.

Click on + New step (to add a variable for the UPN).
In Choose an operation, type variable.
Select Initialize variable from Actions.
In the Initialize variable details screen, give it a name, e.g., VARUPN, and select "String" as Type.
Click + New step (to add a variable for the "lastLoginResult" attribute value of the Cloud PC).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name, e.g., lastLoginResult, and select "String" as Type.

Click on + New step (to add a variable for the "Composed_LastLoginResult_Value" of the Cloud PC).
Search for VAR in Choose an operation.
Select Initialize variable.
Give it a name (e.g., Composed_LastLoginResult) and select "String" as Type.

Click on + New step (to add a variable for CurrentDateTime).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., DateNow) and select "String" as Type.
In the Value field, click Add dynamic content, select Expression, and in the fx box type utcNow().

Click on + New step (to add a variable for DateDifference).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., DateDiff) and select "Integer" as Type.

Click on + New step (to add a variable for the "Criteria," which in our example is 60 days or more).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., More than 60 days) and select "String" as Type.

At this point, we need to determine the automated actions based on the "lastLoginResult" value of each Cloud PC. This can be accomplished by iterating over each Cloud PC's lastLoginResult value and applying a "Condition" action. Let's add a GET step to the flow to gather the Cloud PC attribute values:

Click Add an action.
Important! To add the control that performs Graph API calls against the tenant to gather Cloud PC attribute values, search for HTTP.
In the Method field, select GET.
Under URI, set it up exactly as illustrated below:

https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs?$select=userprincipalname,id,displayName,managedDeviceName,Status,imageDisplayName,lastModifiedDateTime,lastRemoteActionResult,lastLoginResult

For Authentication, select Active Directory OAuth. Leave the authority as default.
Enter your Tenant ID under Tenant, https://graph.microsoft.com under Audience, the AppID under Client ID, and the Secret in the Secret section.

For production scenarios, you should consider storing your secret in a key management solution, like Azure Key Vault. If you are using Azure Key Vault, you can first add the Get Secret action from the pre-built Azure Key Vault connector (https://learn.microsoft.com/en-us/connectors/keyvault/#actions) and then securely pass your Secret into this step of your automation.

Figure 7: Example setup for Graph API controls to gather Cloud PC attribute value.

Hide your Secret from the Power Automate run history:

Click on the … to the right of the Power Automate HTTP action.
Select Settings.
Turn the toggles to On for "Secure Inputs" and "Secure Outputs" so that your Secret is not displayed in plain text in the logs or run history.

Click Add an action, and search for "Parse JSON." Under Parse JSON, select Body for the Content field and insert the body of the HTTP request response into the Schema field. Use the following schema:

Figure 8: A screenshot of completed content and schema details for Parse JSON.

{
  "type": "object",
  "properties": {
    "@@odata.context": { "type": "string" },
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "userPrincipalName": { "type": "string" },
          "managedDeviceName": { "type": "string" },
          "id": { "type": "string" },
          "displayName": { "type": "string" },
          "imageDisplayName": { "type": "string" },
          "status": { "type": "string" },
          "lastModifiedDateTime": { "type": "string" },
          "lastRemoteActionResult": {},
          "lastLoginResult": {}
        },
        "required": [
          "id",
          "userPrincipalName",
          "displayName",
          "imageDisplayName",
          "managedDeviceName",
          "status",
          "lastModifiedDateTime",
          "lastRemoteActionResult",
          "lastLoginResult"
        ]
      }
    }
  }
}

Note: You can also get this schema by using the Graph Explorer to request from the same endpoint, then use the Generate from example button to generate the schema.
Click Add an action and search for "Apply to each." In the Output field, select value from our Parse JSON step.

Click Add an action and search for "Compose." In the Compose step, enter: rungraph for: {id}

Figure 9: Compose control example.

Click Add an action and search for "HTTP." Configure the HTTP action using the same variables for TenantID, AppID, and Secret as in the previous HTTP action, but using the following URI:

https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs/@{items('Apply_to_each_2')?['id']}?$select=userprincipalname,id,displayName,managedDeviceName,Status,imageDisplayName,lastModifiedDateTime,lastLoginResult

Example:

Figure 10: Example setup for retrieving lastLoginResult value for each specific Cloud PC.

Follow the same steps as previously outlined to hide your Secrets from the run history (click on … > select Settings > turn the toggles to On for "Secure Inputs" and "Secure Outputs").

Click Add an action, search for "Parse JSON." Select Body for the Content field and insert the following into the Schema field:

{
  "type": "object",
  "properties": {
    "@@odata.context": { "type": "string" },
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "userPrincipalName": { "type": "string" },
          "managedDeviceName": { "type": "string" },
          "id": { "type": "string" },
          "displayName": { "type": "string" },
          "imageDisplayName": { "type": "string" },
          "status": { "type": "string" },
          "lastModifiedDateTime": { "type": "string" },
          "lastRemoteActionResult": {},
          "lastLoginResult": {}
        },
        "required": [
          "id",
          "userPrincipalName",
          "displayName",
          "imageDisplayName",
          "managedDeviceName",
          "status",
          "lastModifiedDateTime",
          "lastRemoteActionResult",
          "lastLoginResult"
        ]
      }
    }
  }
}

Figure 11: A screenshot of the Parse JSON schema.

Click Add an action and search for "Condition". Select lastLoginResult under Parse JSON for the value. Select is not equal to for the condition. Under Add dynamic content, select Expression and type null.

Figure 12: lastLoginResult Condition Expression.
At this point we are ready to add logic to the flow based on whether the criteria of the condition are met.

If yes:

Click Add an action and search for "Set variable". Insert a Name (e.g., lastLoginResult). For Value, select lastLoginResult under Parse JSON 2 as the dynamic content.

Click Add an action and search for "Compose". Select Compose as the Data Operation. Enter the following expression in the Inputs field:

split(variables('lastLoginResult-Value'),'"')

Click Add an action and search for "Compose". Select Compose as the Data Operation. Enter the following expression in the Inputs field:

outputs('Compose_3')?[3]

(The lastLoginResult value is a serialized object of the form {"time":"..."}; splitting it on double quotes leaves the timestamp at index 3, which is what the second Compose picks out.)

Click Add an action and search for "Set Variable". Select Set Variable. Give it a Name (e.g., Composed_LastLoginResult_Value). Click on Add dynamic content to add the Value, and select Outputs under the Compose 4 step.

Click Add an action and search for "Set Variable". Select Set Variable. Give it a Name (e.g., DateDiff). Click on Add dynamic content to add the Value, select Expression, and enter the following expression (864000000000 is the number of 100-nanosecond ticks in one day):

div(sub(ticks(variables('DateNow')),ticks(variables('Composed_LastLoginResult_Value'))),864000000000)

Now that we've been able to extract the number of days since the last login, let's send out the email notifications.

Click Add an action and search for "Condition". Select the DateDiff variable as the value. Select is greater than as the condition. Enter 60 as the value (or whatever aligns to your criteria).

Click Add an action and search for "Send an email". Select Send an email (V2). Provide a name (e.g., More than 60 Days Email notification). Fill in the fields as necessary for your environment. See below as an example.

Figure 13: Sample email template.

Once you're past the Apply to each scope, click Add an action, and search for "Terminate." Set the Status to Succeeded.

Return to the initial criteria Condition to set up the If no process. Scroll up in the workflow to access this setup.
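The flow's decision logic (the null check on lastLoginResult, the string-split extraction of the sign-in time, the ticks-based day count and the "greater than 60" filter) is easier to validate outside the designer. The Python below is an added example, not the blog's own code or a Microsoft library: it runs the same arithmetic over a constructed Graph response so the expected output for a known input can be checked before the flow is wired up. Assumptions of mine: the sample response follows the $select the flow requests with invented values, and lastLoginResult is Graph's cloudPcLoginResult object whose time property carries the sign-in timestamp.

```python
"""Added example (not the blog's own code): the Last Login flow's logic in
Python, so the date arithmetic and the null handling can be checked against
a known input before wiring it into Power Automate.

Assumptions (mine, not the post's): the constructed response below follows
the $select the flow requests, with invented values; lastLoginResult is the
Graph cloudPcLoginResult object whose 'time' property holds the sign-in time.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# 100-nanosecond ticks in a day: the divisor in the flow's DateDiff expression
TICKS_PER_DAY = 864_000_000_000
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)  # ticks() counts from 0001-01-01

# Graph DateTimeOffset values arrive as 2023-03-01T23:59:59Z or with up to
# seven fractional digits; datetime.fromisoformat() rejects both before 3.11.
_GRAPH_TIME = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_graph_time(value: str) -> datetime:
    """Parse a UTC Graph timestamp, trimming 7-digit fractions to microseconds."""
    match = _GRAPH_TIME.match(value)
    if not match:
        raise ValueError(f"unexpected Graph timestamp: {value!r}")
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((match.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def to_ticks(moment: datetime) -> int:
    """Equivalent of the Power Automate ticks() function."""
    delta = moment.astimezone(timezone.utc) - TICKS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def flow_style_extract(last_login_result_json: str) -> str:
    """The flow's split(variables('lastLoginResult-Value'),'"')?[3] trick:
    splitting the serialised {"time":"..."} object on double quotes leaves the
    timestamp at index 3. It only works while 'time' is the first property,
    which is why days_since_login() below reads the JSON property instead."""
    return last_login_result_json.split('"')[3]


def days_since_login(last_login_result: Optional[Dict], now: datetime) -> Optional[int]:
    """Whole days since the last sign-in, or None when Graph reports none
    (the flow's 'lastLoginResult is not equal to null' branch)."""
    if not last_login_result or not last_login_result.get("time"):
        return None
    last = parse_graph_time(last_login_result["time"])
    return (to_ticks(now) - to_ticks(last)) // TICKS_PER_DAY


def stale_cloud_pcs(response: Dict, now: datetime, threshold_days: int = 60) -> List[Dict]:
    """Cloud PCs whose last sign-in is more than threshold_days old (strictly
    greater, matching the flow's 'DateDiff is greater than 60' condition).
    Never-signed-in Cloud PCs are skipped here, as the flow's If no branch does."""
    stale = []
    for cloud_pc in response.get("value", []):
        days = days_since_login(cloud_pc.get("lastLoginResult"), now)
        if days is not None and days > threshold_days:
            stale.append({
                "userPrincipalName": cloud_pc["userPrincipalName"],
                "managedDeviceName": cloud_pc["managedDeviceName"],
                "daysSinceLogin": days,
            })
    return stale


# Fixed stand-in for utcNow() so the numbers below are reproducible.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed sample response (shape follows the flow's $select, values invented).
SAMPLE_RESPONSE = {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/virtualEndpoint/cloudPCs",
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Alice's Cloud PC",
         "userPrincipalName": "alice@contoso.example", "managedDeviceName": "CPC-alice-01",
         "status": "provisioned", "lastLoginResult": {"time": "2023-05-25T09:00:00Z"}},  # 6 days ago
        {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Bob's Cloud PC",
         "userPrincipalName": "bob@contoso.example", "managedDeviceName": "CPC-bob-01",
         "status": "provisioned", "lastLoginResult": {"time": "2023-03-01T23:59:59.1234567Z"}},  # 91 days ago
        {"id": "00000000-0000-0000-0000-000000000003", "displayName": "Carol's Cloud PC",
         "userPrincipalName": "carol@contoso.example", "managedDeviceName": "CPC-carol-01",
         "status": "provisioned", "lastLoginResult": None},  # never signed in: no DateDiff, no email
    ],
}

if __name__ == "__main__":
    for hit in stale_cloud_pcs(SAMPLE_RESPONSE, NOW):
        print(f"{hit['userPrincipalName']}: {hit['managedDeviceName']} idle {hit['daysSinceLogin']} days")
```

Two points the flow leaves implicit show up here: a Cloud PC that has never been signed in to produces no DateDiff at all (and therefore no email), which may itself be worth reporting, and the double-quote split only works because time happens to be the first property in the serialized lastLoginResult, so reading the property by name is the more robust choice if the flow is reworked.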
If no:

Click Add an action and search for "Set variable." Select Set Variable. Enter a name (e.g., lastLoginResult-Value). For Value, enter Blank.

The entire flow process should look like the image below.

Once you've completed adding the steps to your automation flow, you're ready to test the solution. You can run a manual test or wait until the scheduled task kicks off. Finally, you should receive an email like the one below:

Admin Email Notification

NOTE: We will update this article in the near future to include the addition of updating a table in Power Apps and a front-facing application where admins can take action to reclaim Windows 365 licenses. Stay tuned!

Windows 365 Cloud PC Self-Service Automated Request Process
How to automate Windows 365 Cloud PC self-service requests

(Windows 365, Azure Active Directory, Microsoft Forms, Power Automate, MS Graph)

Contributors: Juan José Guirola Sr. (Next Generation Endpoint GBB for Americas), Bobby Chang (Power Platform GBB for Americas), Azim Manjee (Cloud Endpoint Technical Specialist)

Windows 365 simplifies how organizations offer Cloud PCs to their employees. As a cloud-based service from Microsoft, Windows 365 provides a personal, secure streamed experience from any supported device. It comes with all the productivity, security, and collaboration benefits of Microsoft 365. Windows 365 removes the need to manage a complex infrastructure, and it integrates with existing cloud-based networking investments such as Azure Active Directory, Microsoft Endpoint Manager, and more.

As the workplace continues to shift toward hybrid work, Windows 365 gives more organizations the ability to issue a cloud-native, persistent Cloud PC that is available 24 hours a day, 7 days a week, all with the ease of assigning a license. This simplified approach to provisioning Cloud PCs opens up the potential for automation and self-service scenarios. With Windows 365, you can provide your employees with Cloud PCs on demand, and here, we'll show you how.

Prerequisites

The following items are required to provide an automated, self-service Cloud PC request process for a Windows 365 deployment in a production environment (for personal development and sandbox/testing scenarios, you can use the Microsoft 365 Developer Plan and Power Apps Developer Plan):
Windows 365 Enterprise licenses
Windows 10 Enterprise or Windows 11 Enterprise
Azure Active Directory (Azure AD) Premium (P1/P2)
Azure AD native group (must NOT be a synced group)
Microsoft Intune (previously known as Microsoft Endpoint Manager)
Microsoft Forms
Power Automate per flow plan
Microsoft Graph (Windows 365 Cloud PC MS Graph API in beta): Working with Windows 365 Cloud PCs using the Microsoft Graph API
Azure App Registration with the following permissions: CloudPC.Read.All

For enterprise production scenarios, we would recommend leveraging the Application Lifecycle Management (ALM) capabilities in Power Platform, in order to safely adopt future changes to your processes. However, this is outside the scope of this blog post.

Before you begin

Before you set up automation and a self-service Cloud PC request process, identify and assign the target Azure AD group(s) for the Windows 365 Cloud PC license assignment and provisioning policy. In our scenario, we have three Azure AD groups (one for each of our three business segments), used for both license and provisioning policy assignments. To configure group license assignments, see Assign licenses to users by group membership in Azure Active Directory. For information about how to target the groups for provisioning policies, see Create Windows 365 Cloud PC provisioning policies.

Once you have the group assignment, set up the self-service process, starting with Microsoft Forms.

Create the request intake form

Establishing an intake process will not only allow your employees to request a Windows 365 Cloud PC on demand, but also allow you to build in an approval process and a feedback loop once the license is provisioned and ready for access. For our scenario, we are using Microsoft Forms as the intake form for requesting a Cloud PC. If your organization needs additional requirements around data validation and user experience in the form, we recommend leveraging Power Apps instead.
To create a form with Microsoft Forms, see the Microsoft Forms help and learning home page or Create a form with Microsoft Forms. The following are the key components of our example form:

Purpose-specific title: "Windows 365 Cloud PC Request Form"
Four questions to identify the requesting employee's business segment, the type of Cloud PC they require, their region, and their contact number (aka mobile number)
Shared to people in the organization only, for security, tracking, and notification purposes

Alt text: Example Windows 365 Cloud PC Request Form in Microsoft Forms.

Register MS Graph in Azure AD

Once the request form is complete, register MS Graph as an Enterprise application in Azure Active Directory:

Log into the Azure portal with appropriate permissions for making application registrations. Global Administrator privileges will provide the permissions to make application registrations; there are other options, described in the custom role details in this documentation: Custom role permissions for app registration - Azure AD - Microsoft Entra | Microsoft Docs.
In the Azure services portal, click Azure Active Directory > Azure Active Directory.

Alt text: A screenshot of the Azure Active Directory blade in the Azure services portal.

Select App registrations in the left navigation menu.
Click New registration.
Give the application a name, select Single Tenant for the supported account type, and then click Register.

Alt text: A screenshot of the Register an application screen, showing the details that need to be identified for the new application.

Note your Directory (tenant) ID and Application (client) ID GUIDs.

Alt text: A screenshot of the recently created application overview with the Application (client) ID and Directory (tenant) ID details highlighted.

Click API permissions in the left navigation menu.
Click Add a permission.
Select Microsoft Graph and choose Application permissions.
Ensure the following permissions are added:
CloudPC.Read.All
User.Read
User.Read.All
Group.Read.All
Mail.Send (optional, for sending messages via Graph)

Alt text: A screenshot of the Select permissions setup.

Once the permissions have been added, click Grant consent.
Click Certificates & secrets in the left navigation menu, and then click New client secret.

Important! Note this key and store it somewhere safe, like a key vault. This key will only be visible upon creation. Once you navigate away, you will be unable to expose the key again and will have to generate a new key.

Create the Cloud PC provisioning process automation

In this section, we will build the Power Automate flow that orchestrates the self-service process. This decision flow illustrates the end-to-end process of adding the requestor to the proper Azure AD security group, prompting an approval process, and then notifying the requestor of their Cloud PC readiness.

Alt text: A flowchart depicting the automated provisioning process.

To begin, sign into Microsoft Power Automate with your Microsoft 365 organization credentials. From the left navigation menu, click + Create, then:

Click Automated cloud flow.
Name the flow and choose the flow trigger "When a new response is submitted" (Microsoft Forms) from the list.
Click Create.

Alt text: A screenshot that shows the flow name and trigger selection options.

In When a new response is submitted, select your form from the Form Id drop down, then:

Click + New step.
Search for "forms" in Choose an operation and select Get response details (Microsoft Forms) from Actions.
For Get response details, select your form from the Form Id drop down and then select Response Id as dynamic content.

Alt text: A screenshot of the criteria for the Get response details step.

Click on + New step (to add a variable for the Object ID of the targeted group in Azure AD).
In Choose an operation, type variable.
Select Initialize variable from Actions.
In the Initialize variable details screen:
Give it a name, e.g., VARGroupID, and select "String" as Type.

Click + New step (to add a variable for the "id" attribute value of the Cloud PC).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name, e.g., VARCloudPCID, and select "String" as Type.

Click on + New step (to add a variable for the "status" provisioning value of the Cloud PC).
Search for VAR in Choose an operation.
Select Initialize variable.
Give it a name (e.g., VARProvisioningStatus) and select "String" as Type.

Click on + New step (to add a variable for your tenant ID).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., VARTenantGUID) and select "String" as Type. The tenant ID (tenant GUID) is required for authentication against the Cloud PC Microsoft Graph API. For information on getting your tenant ID, see How to find your Azure Active Directory tenant ID.
In the Value field, enter your Tenant ID.

Click on + New step (to add a variable for your App ID).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., VARAppID) and select "String" as Type. (This AppID is the App Registration Client GUID, which is required for authentication against the Cloud PC Microsoft Graph API.)
In the Value field, enter your App Registration Client ID.

Click on + New step (to add a variable for the "Secret," which is your client secret).
In Choose an operation, type variable.
Select Initialize variable from Actions.
Give it a name (e.g., VARSecretID) and select "String" as Type. This is required for authentication against the Cloud PC Microsoft Graph API. Refer to Step 6 in the "Register MS Graph in Azure AD" section of this document. For additional protection, use Azure Key Vault to store and retrieve this client secret.
Refer to Defining inputs and outputs for this variable action to obfuscate the secret during run time and in the logs.
In the Value field, enter your Client Secret.

At this point, we need to determine the automated actions based on the "Business Segment" value provided by the requestor. This can be accomplished by applying a Switch action:

Click on + New step.
Search for "Switch" in Choose an operation and select Switch (Control).
Next to On, select What Business Segment are you part of? from Dynamic content.
Add as many "Cases" as needed to meet your specific needs. In our example, we have 3 Cases, which represent the 3 business segments: South Enterprise, LATAM, and Microsoft Federal.
Within each Case, click Add an action.
Search for "variable" and select Set variable.
Select VARGroupID from the Name drop down.
Insert the Object ID of the desired targeted group for each "Case."

Note: The Object ID can be retrieved by viewing the group properties in Azure AD.

Alt text: A screenshot of options for setting the Case variables.

Click on + New step (this step will initiate the approval process).
Search for "approval" in Choose an operation and select Start and wait for an approval.
Select Approve/Reject – Everyone must approve from the Approval type drop down.
Enter the email addresses for approvers in the Assigned to field.
Fill in the remaining fields as desired. In our example, we elected to use values gathered from the requestor.

Alt text: A screenshot of the available settings for the approval process in Start and wait for an approval.

Click on + New step. This step will set up the execution process determined by the approval outcome.
Search for "Condition" in Choose an operation and select the Condition control.
Select Outcome under Dynamic content as the value.
Choose is equal to and type "Approve" for the value.
You will be presented with two sub-processes, If yes and If no. Add the necessary flows for each.
[Screenshot: the If yes and If no sub-process flow setup options]

For the If yes process:

Click Add an action. Search for “Azure AD” in Choose an operation and select Get user. Select Responders’ Email for the User Id or Principal Name value.

Click Add an action. Search for “Azure AD” in Choose an operation and select Add user to group. Select VARGroupID for Group Id and Id for User Id.

Click Add an action. Search for “Send email” in Choose an operation and select Send an email (V2) (Office 365 Outlook). Rename it “Send an approved email” and fill in all fields as desired.

[Screenshot: the Send an approved email setup]

[Optional] If you want to add an SMS notification, click Add an action. In our example we use Twilio, but you can choose another service; follow your SMS provider’s instructions to configure it in the Power Automate flow.

Click Add an action and search for “Delay” in Choose an operation. To pause the flow and allow the provisioning process to kick off in the backend, select Delay and configure the desired time. In our example, we delay the flow for 1 minute.

Click Add an action. Important! To add the control that performs Graph API calls against the tenant to monitor the requestor’s Cloud PC provisioning status, search for “HTTP” and select the HTTP action. In the Method field, select GET. Under URI, set it up exactly as shown below, placing the UserPrincipalName dynamic content inside the string:

https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs?$filter=userPrincipalName eq '@{outputs('Get_user')?['body/userPrincipalName']}' and status eq 'Provisioning'&$count=true

For Authentication, select Active Directory OAuth. Leave the Authority as default. Enter your TenantID variable under Tenant, https://graph.microsoft.com under Audience, the AppID variable under Client ID, and the Secret variable under Secret.
[Screenshot: example setup of the Graph API HTTP action that monitors the requestor’s Cloud PC provisioning status]

Click Add an action and search for “Parse JSON.” In the Parse JSON action (it appears as Parse User CPCs in our screenshots), select Body for the Content field and insert the body of the HTTP request response into the Schema field. Use the following schema:

[Screenshot: completed Content and Schema details for Parse JSON]

{
  "type": "object",
  "properties": {
    "@@odata.context": { "type": "string" },
    "@@odata.count": { "type": "integer" },
    "value": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": { "type": "string" },
          "displayName": { "type": "string" },
          "imageDisplayName": {},
          "provisioningPolicyId": { "type": "string" },
          "provisioningPolicyName": { "type": "string" },
          "onPremisesConnectionName": { "type": "string" },
          "servicePlanId": { "type": "string" },
          "servicePlanName": { "type": "string" },
          "status": { "type": "string" },
          "userPrincipalName": { "type": "string" },
          "lastModifiedDateTime": { "type": "string" },
          "managedDeviceId": {},
          "managedDeviceName": {},
          "aadDeviceId": {},
          "gracePeriodEndDateTime": {},
          "servicePlanType": { "type": "string" },
          "statusDetails": {}
        },
        "required": [
          "id", "displayName", "imageDisplayName", "provisioningPolicyId",
          "provisioningPolicyName", "onPremisesConnectionName", "servicePlanId",
          "servicePlanName", "status", "userPrincipalName", "lastModifiedDateTime",
          "managedDeviceId", "managedDeviceName", "aadDeviceId",
          "gracePeriodEndDateTime", "servicePlanType", "statusDetails"
        ]
      }
    }
  }
}

Note: You can also get this schema by using Graph Explorer to request the same endpoint, then pasting the response with the Generate from example button to generate the schema.

Click Add an action and search for “Apply to each.” In the Output field, select value from the Parse JSON step. A Do until step should appear; if it doesn’t, click Add an action and search for “Do until.”

[Screenshot: the Do until setup]
In the Do until step, set the condition to the ProvisioningStatus variable is equal to string('provisioned').

Click Add an action and search for “Set variable.” Set the CPC-ID variable to the id of the current item from the Parse JSON step.

Click Add an action and search for “HTTP.” Configure the HTTP action with the same TenantID, AppID, and Secret variables as the previous HTTP action, but use the following URI:

https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs/@{variables('CPC-ID')}

[Screenshot: example setup of the HTTP action for monitoring the Cloud PC]

Click Add an action and search for “Parse JSON.” Select Body for the Content field and insert the following into the Schema field:

{
  "type": "object",
  "properties": {
    "@@odata.context": { "type": "string" },
    "id": { "type": "string" },
    "displayName": { "type": "string" },
    "imageDisplayName": { "type": "string" },
    "provisioningPolicyId": { "type": "string" },
    "provisioningPolicyName": { "type": "string" },
    "onPremisesConnectionName": { "type": "string" },
    "servicePlanId": { "type": "string" },
    "servicePlanName": { "type": "string" },
    "status": { "type": "string" },
    "userPrincipalName": { "type": "string" },
    "lastModifiedDateTime": { "type": "string" },
    "managedDeviceId": { "type": "string" },
    "managedDeviceName": { "type": "string" },
    "aadDeviceId": { "type": "string" },
    "gracePeriodEndDateTime": {},
    "servicePlanType": { "type": "string" },
    "statusDetails": {}
  }
}

[Screenshot: the Parse JSON schema]

Click Add an action and search for “Set variable.” Select ProvisioningStatus for the Name and set it to the status of the item from the Parse JSON step.

Click Add an action and search for “Delay.” Set a delay in an appropriate increment to recheck the status, based on your typical Cloud PC provisioning time (e.g., 30 minutes is a normal increment). In our example, we selected an increment of 15 seconds. Consider throttling: keep the interval long enough that the loop does not overwhelm the API and cause timeouts.
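The HTTP, Parse JSON and Do until steps above, re-implemented in Python as an added example (this is not code from the post, from Windows 365 or from Power Automate): it builds the first action's $filter URL with OData quote escaping, validates a list response against the fields the schema marks as required, and runs the polling loop with a bounded attempt count and Retry-After handling for Graph throttling, the concern the Delay note raises. The function names, the bounded-loop behaviour and the sample response are my own assumptions; the live fetcher expects a Graph bearer token obtained with the same tenant, client ID and secret the flow's Active Directory OAuth setting uses.

```python
"""Offline model of the flow's Cloud PC monitoring loop (added example, not from the post)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

GRAPH_CLOUDPCS = "https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs"

# Fields the post's first Parse JSON schema lists as required for each item.
REQUIRED_ITEM_FIELDS = frozenset([
    "id", "displayName", "imageDisplayName", "provisioningPolicyId", "provisioningPolicyName",
    "onPremisesConnectionName", "servicePlanId", "servicePlanName", "status", "userPrincipalName",
    "lastModifiedDateTime", "managedDeviceId", "managedDeviceName", "aadDeviceId",
    "gracePeriodEndDateTime", "servicePlanType", "statusDetails",
])


def build_provisioning_filter_url(upn: str) -> str:
    """URL of the first HTTP action: the user's Cloud PCs that are still provisioning.
    The flow drops the UPN into an OData string literal; OData escapes a single quote
    by doubling it, so do that before URL-encoding to keep $filter well-formed."""
    literal = upn.replace("'", "''")
    flt = f"userPrincipalName eq '{literal}' and status eq 'Provisioning'"
    return f"{GRAPH_CLOUDPCS}?$filter={urllib.parse.quote(flt)}&$count=true"


def parse_cloud_pc_list(body: str) -> List[Dict]:
    """The first Parse JSON step: fail on any item missing a required field."""
    items = json.loads(body).get("value")
    if not isinstance(items, list):
        raise ValueError("response has no 'value' array")
    for item in items:
        missing = REQUIRED_ITEM_FIELDS - item.keys()
        if missing:
            raise ValueError(f"Cloud PC item is missing {sorted(missing)}")
    return items


def graph_fetch_status(cloud_pc_id: str, token: str) -> Dict:
    """Live version of the second HTTP action (GET one Cloud PC by id); not used offline.
    token: bearer token for https://graph.microsoft.com (same tenant/app/secret as the flow)."""
    req = urllib.request.Request(
        f"{GRAPH_CLOUDPCS}/{urllib.parse.quote(cloud_pc_id)}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return {"status": json.load(resp).get("status", "")}
    except urllib.error.HTTPError as err:
        if err.code == 429:  # Graph throttling: wait out Retry-After instead of hammering
            return {"throttled": True, "retry_after": float(err.headers.get("Retry-After", "30"))}
        raise


def wait_until_provisioned(cloud_pc_id: str, fetch_status: Callable[[str], Dict],
                           delay_seconds: float = 900.0, max_attempts: int = 8,
                           sleep: Callable[[float], None] = time.sleep) -> Dict:
    """The Do-until loop, bounded so a stuck provisioning cannot keep the job alive forever.
    delay_seconds is the post's Delay step (15 minutes here); a throttled reply is waited
    out for its Retry-After and then retried. Raises TimeoutError after max_attempts."""
    for attempt in range(1, max_attempts + 1):
        reply = fetch_status(cloud_pc_id)
        if reply.get("throttled"):
            sleep(reply.get("retry_after", delay_seconds))
            continue
        status = str(reply.get("status", "")).lower()
        if status == "provisioned":
            return {"cloudPcId": cloud_pc_id, "status": status, "attempts": attempt}
        if status == "failed":  # cloudPcStatus 'failed': stop polling and alert instead
            raise RuntimeError(f"Cloud PC {cloud_pc_id} provisioning failed")
        sleep(delay_seconds)
    raise TimeoutError(f"{cloud_pc_id} not provisioned after {max_attempts} checks")


# Constructed sample (no real tenant; ids are placeholders). The "@@" in the post's
# schema is Power Automate escaping; the wire JSON uses a single "@".
SAMPLE_ITEM = {**dict.fromkeys(REQUIRED_ITEM_FIELDS), "id": "11111111-2222-3333-4444-555555555555",
               "displayName": "CPC-alex-SAMPLE", "status": "provisioning",
               "userPrincipalName": "alex@contoso.example", "servicePlanType": "enterprise"}
SAMPLE_LIST_BODY = json.dumps({"@odata.context": "placeholder", "@odata.count": 1, "value": [SAMPLE_ITEM]})


def simulate_run() -> Dict:
    """Drive the loop against a scripted tenant: one 429, two polls still provisioning,
    then provisioned. Sleeps are recorded rather than slept."""
    items = parse_cloud_pc_list(SAMPLE_LIST_BODY)
    replies = iter([{"throttled": True, "retry_after": 5.0}, {"status": "provisioning"},
                    {"status": "provisioning"}, {"status": "provisioned"}])
    sleeps: List[float] = []
    result = wait_until_provisioned(items[0]["id"], lambda _: next(replies),
                                    delay_seconds=15.0, max_attempts=10, sleep=sleeps.append)
    result["sleeps"] = sleeps
    return result


if __name__ == "__main__":
    print(build_provisioning_filter_url("alex@contoso.example"))
    print(simulate_run())
```

Inside Power Automate itself the equivalent bound is the Do until action's Change limits settings (Count and Timeout); leaving them at the defaults while polling every 15 seconds means the loop can give up long before a 30-minute provisioning finishes, which is another reason to pick the longer interval the note recommends.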
Once you’re past the Do until scope, click Add an action and search for “Send an email.” Create your “successful” provisioning email. In our example, we use several variables and dynamic content to ensure clarity. You can also embed links to the different clients available to the employee for accessing their Cloud PC.

[Screenshot: an example “successful” provisioning email setup]

Click Add an action and search for “Send Text Message.” Create your “successful” provisioning SMS. In our example, we use several variables and dynamic content for clarity.

[Screenshot: an example “successful” provisioning SMS message setup]

Once you’re past the Apply to each scope, click Add an action and search for “Terminate.” Set the Status to Successful.

Return to the approval Condition to set up the rejection (If no) process. Scroll up in the workflow to access this setup.

Click Add an action and search for “Send email.” Create and carefully word the rejection email.

[Screenshot: an example rejection email setup]

Click Add an action and search for “Terminate.” Set the Status to Cancelled.

The entire Power Automate flow should look like the image below.

[Screenshot: a Power Automate flow diagram depicting the process described in this document]

Once you’ve finished adding steps to your automation flow, you’re ready to test the solution. Select Test and execute the steps described in the User experience section of this document.

User experience

Once the self-service experience is configured, the employee or requestor should be able to generate a request. The following is an example of what the user can expect during the request experience.

The requestor completes the self-service user request form.

[Screenshot: an example of a completed self-service request form filled in by an employee]

The flow kicks off based on the information the requestor entered in the form, and the approval process begins.

[Screenshot: an illustration of the approval process flow]
The approver gets an email and a Microsoft Teams notification to approve, reject, or reassign the request.

[Screenshot: an example of an approval request]

Once approved or rejected, the flow continues. On approval, it adds the user to the proper Azure AD group, which in turn assigns the proper Windows 365 license and the correct provisioning policy.

[Screenshot: an illustration of the If yes and If no process flows]

If the request is approved, the approval email and SMS text are sent to the requestor informing them that the request was approved. If the request is rejected, the rejection email is sent.

[Screenshot: an example approval email]

[Screenshot: an example approval text message]

Power Automate monitors the provisioning status as it changes from “provisioning” to “provisioned.” Once the Cloud PC status changes to “provisioned,” the requestor receives an email and SMS text message informing them that their Cloud PC has been provisioned and is ready to access.

[Screenshot: an example email message informing the requestor that their Cloud PC has been provisioned]

[Screenshot: an example text message informing the requestor that their Cloud PC has been provisioned]