User Profile
jenstf
Brass Contributor
Joined Jun 20, 2019
Recent Discussions
Re: Microsoft 365 Certified: Fundamentals MS-900 certification
Great that you want to take a certification, sa2my96. I haven't taken any of the fundamentals tests, but I have a lot of other Microsoft certification tests. I believe that one has 40-60 questions in 85 minutes. The passing score in Microsoft tests is 700 out of 1000 possible points. But that is not necessarily the same as 70%, as the questions have different (secret) weightings. If you are a student or work in IT sales, the fundamentals are probably a good thing. But if you work as a tech I would skip that level. At Microsoft Ignite 2019 they had a big testing center for all the other certifications and just a couple of PCs outside in the reception of the testing area for the fundamental tests. So for a tech I would say the only reason to take them is just to learn how the certification tests work, or if you are just starting out in the business as a junior or still a student.

JT
M365:Enterprise Admin, M365:Modern Desktop Admin Associate, Azure Admin Associate, 3xMCSE, 4xMCSA

Administrative templates - system variables
When I try to use the system variable %username% in a path in an administrative template device configuration policy, it ends up as computername on the client, even if it's in the user part of the policy and assigned to a user group. Why does it end up with computername instead of username?

Re: Hybrid Domain Join - Name Prefix
Isaias_Perez There is only one option you can use with hybrid, and that is a prefix. You can create a Configuration Policy in Intune of the type "Domain Join (preview)". There you have the setting "Computer name prefix". Random characters are added after that prefix to get a 15-character computer name. So if you add "Contoso-PC-" you will get something like Contoso-PC-1KNI, Contoso-PC-1HZQ and so on.

Re: Get Azure Joined Device Information using PowerShell
bjcls EntilZha If you don't find the commands you are looking for in the Microsoft.Graph.Intune module, you could just run Invoke-MSGraphRequest and use the complete MS Graph API. If you have already connected with Connect-MSGraph, you don't have to spend multiple code lines getting an auth token and creating the correct header.

Re: Duplicating Device Configuration Profiles
JayWilliams wrote: Lucky us, the entire Intune UI front end is built using Graph so anything we can do in the UI, we can also do in Graph.

Well, much of it. But not all. You can do everything you do in the UI by automation, but not necessarily with the Graph API. Conditional Access is controlled by the API main.iam.ad.ext.azure.com. I haven't found any official documentation for that API, so it is probably not meant for public usage and possibly unsupported?

Re: Best practice - Win10 App Deployment - Update Management
PatrickF11 You should be able to upload a new package file, but you need a detection rule that checks for version to trigger the install/upgrade. You should try that. I haven't tested the upgrade scenario yet myself, but it is interesting to get an answer to.

Re: Ensure Users aren't missed from CA Policy
Yes, you should analyze the Azure AD sign-in logs first (add the client application column), make sure to exclude all service accounts that don't support modern authentication from the policy, and prepare the users, especially those that show up in the log as legacy auth users.

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already set
Adam Weldon-Ming In my policies I don't use "Apply policy only to supported platforms". The documentation isn't clear on what that choice actually is good for, i.e. Linux isn't a supported platform and will then bypass this policy. I have one policy with "Exchange ActiveSync clients" and one for "other clients".

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already set
The first policy (legacy) should block access. It's also recommended to make one policy for ActiveSync and one for other clients. Make sure to exclude service accounts that don't support modern authentication. I would monitor the sign-in log and look for logins from other clients and ActiveSync (unsupported) before doing this in production.

JT

Re: How do I add users synced from AD to AAD as local administrators on Windows 10 devices with OMA-URI?
JorgenSundet Anything in the event log on the client, DeviceManagement-Enterprise-Diagnostics-Provider? Your syntax looks OK and, as you are saying, it works for cloud only. If they should be added to all devices, have you tried adding them with "Additional local administrators on Azure AD joined devices", which you find under Devices -> Device settings in Azure AD? Global admins and the device owner get local admin rights by default. Another option is by PowerShell: "net localgroup administrators AzureAD\testuser@contoso.com /add > nul 2> nul" | cmd

JT

Re: Ensure Users aren't missed from CA Policy
StuartK73 There is also "any location" and "any device", but "all users" should do the trick. Make sure to block legacy authentication, both to make sure MFA access controls work and because basic auth tokens won't carry enough information to filter properly in all CA policies.

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already set
Adam Weldon-Ming What does the sign-in log in Azure AD say? Choose to show the client app column. Do you also block legacy authentication? You could also add an App Protection Policy to make sure non-registered BYOD devices are also forced to use Outlook, but this shouldn't be necessary for access control if you don't also want better management of company data.

JT

Re: Block 3rd Party Mail/Calendar Apps
Brett Lindsey You should block legacy authentication anyway with conditional access. With that you get rid of most 3rd party apps. As far as I know, only the native iOS email application supports modern authentication. Two policies with block as the action control, one for other clients and one for ActiveSync under client apps. In combination with approved client app conditional access and eventually an App Protection policy, you should be able to force the users to use Outlook.
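Several of the replies above (on ensuring users aren't missed from a CA policy, on the native iOS mail app, and on blocking 3rd party mail apps) give the same pre-flight check: look at the Azure AD sign-in log with the client app column shown, find the accounts still using legacy authentication, and exclude or migrate the service accounts before the block policy goes live. The script below is an added example written for this page, not code from any of the posts. It triages a CSV exported from the Azure AD sign-ins blade offline, so nothing here talks to the tenant. Assumptions: the column names ("Username", "Client app") match the portal export, the sample rows are constructed for the example, and the list of legacy client app values is taken from the categories Azure AD uses in that column and should be checked against your own export.

```powershell
# Added example: find accounts still using legacy (basic) authentication in an
# exported Azure AD sign-in log before enabling a Conditional Access block policy.
# The CSV text below is constructed sample data; column names assume the portal export.

$sampleCsv = @'
Date (UTC),User,Username,Application,Client app,Status
2020-02-03T08:01:12Z,Alice Adams,alice@contoso.com,Office 365 Exchange Online,Exchange ActiveSync,Success
2020-02-03T08:05:40Z,Scanner MFP,scanner@contoso.com,Office 365 Exchange Online,Other clients,Success
2020-02-03T08:07:09Z,Bob Brown,bob@contoso.com,Microsoft Office,Browser,Success
2020-02-03T08:09:55Z,Bob Brown,bob@contoso.com,Office 365 Exchange Online,Mobile Apps and Desktop clients,Success
2020-02-03T08:12:31Z,Carol Clark,carol@contoso.com,Office 365 Exchange Online,IMAP4,Success
2020-02-03T08:15:02Z,Scanner MFP,scanner@contoso.com,Office 365 Exchange Online,Other clients,Success
2020-02-03T08:20:00Z,Alice Adams,alice@contoso.com,Microsoft Office,Browser,Success
'@

# Client app values that Azure AD reports for legacy/basic authentication (assumed list;
# verify against your export). "Browser" and "Mobile Apps and Desktop clients" are modern auth.
$legacyClientApps = @(
    'Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
    'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)', 'Exchange Web Services',
    'Exchange Online PowerShell', 'Autodiscover', 'Offline Address Book'
)

function Get-LegacyAuthUsers {
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        [string[]]$LegacyClientApps = $legacyClientApps
    )
    $rows = $CsvText | ConvertFrom-Csv

    # One result per account that has at least one legacy-auth sign-in.
    foreach ($group in ($rows | Group-Object Username)) {
        $legacyRows = @($group.Group | Where-Object { $LegacyClientApps -contains $_.'Client app' })
        if ($legacyRows.Count -eq 0) { continue }
        $modernCount = $group.Count - $legacyRows.Count

        [pscustomobject]@{
            Username      = $group.Name
            LegacyApps    = ($legacyRows.'Client app' | Sort-Object -Unique) -join '; '
            LegacySignIns = $legacyRows.Count
            ModernSignIns = $modernCount
            # An account with no modern-auth sign-ins at all is the one a block policy locks out:
            # either a service account to exclude or a user to prepare before go-live.
            LegacyOnly    = ($modernCount -eq 0)
        }
    }
}

# Usage: the legacy-only accounts come first so they can be reviewed for exclusion.
Get-LegacyAuthUsers -CsvText $sampleCsv |
    Sort-Object LegacyOnly -Descending |
    Format-Table -AutoSize
```

On the constructed sample this lists scanner@contoso.com (Other clients, legacy only) and carol@contoso.com (IMAP4, legacy only) as the accounts the block policy would cut off, and alice@contoso.com as a mixed user (ActiveSync plus a browser sign-in) who needs to move her mail client before the policy is enforced; bob@contoso.com only uses modern authentication and does not appear. To run it on a real export, replace $sampleCsv with Get-Content -Raw on the downloaded file.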