device management
38 Topics

"Users may register their devices with Microsoft Entra" grayed out. Neither Intune nor MDM in use
Hi, all. I want to prevent users from registering their personal devices in Entra. The option to do so in Identity -> Devices -> All Devices -> Device Settings is grayed out. The explanation there doesn't apply to my case. It reads: "Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Device Registration. If you have configured either of these services, ALL will be selected and the button will be disabled." The thing is that I have configured neither, so the button should not be disabled. Any ideas? Thank you.

7.4K views, 0 likes, 2 comments

Issue after sync with Azure AD Connect

Hello, I'm trying to do some experiments with Azure AD Connect and found some issues, and I'd like to get some suggestions from other experienced people on how to manage them.

The first thing I noticed is with the registered devices: I simulated my organization, so I created some virtual machines where I installed the Office desktop apps and Teams; the devices are seen in AAD as Azure AD Registered. Then I did the sync of the devices from AD. I have an OU with our org accounts inside, so I have, for example, an inner Management OU with the management user accounts; inside the Management OU I have an OU called Management Computers where the management's devices are. I synced them and then enabled Hybrid Join in Azure AD Connect. I've seen that the devices have been registered as Hybrid Joined, but I have the situation where there are duplicated devices; every system runs a Windows 10 version greater than 1803. I waited 2 days but nothing happened. I read that some people deleted the Azure AD Registered one, but have also read that people have experienced issues doing so.

Other question: I synced my users and it seemed all OK, so I saw in AAD Users -> All Users the parameter "Directory synced" set to Yes; after some delta syncs I saw that a user that was synced no longer had Yes on that parameter, and a new user with that parameter was created. I deleted it and did a sync, but on the old user I can't see that directory sync is true again: how do I resolve this issue?

Apart from these problems, I'd like a suggestion on how to proceed when I have to sync real data; as I said previously, I have nested OUs with users and their computers, but I don't want to sync all the users together; for example, I thought to sync first the OU Managers (and their devices), then Marketing (and their computers) and so on: do you think this is an acceptable approach or should I change it? Any help is very appreciated.

5.1K views, 0 likes, 9 comments

Azure AD join device add to default AAD group

Hello, users can register and join devices to our organizational Azure AD. Devices are Windows, Android, iOS etc. Is it possible somehow to set a default Azure AD security group that new devices should be members of? Example: somebody joins a new Windows PC to Azure AD and by default it should get the AAD security group named "Intune - policy1". Of course we use those groups to target specific Intune policies later. But by default devices should go to some AAD group. Any options? Cloud-only environment (no hybrid).

3.2K views, 0 likes, 6 comments

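One way to get the behaviour asked for in the post "Azure AD join device add to default AAD group" above is a group with dynamic membership rather than a static one: the service evaluates the rule and adds every matching device itself, so nobody has to assign new PCs by hand. The script below is an added example, not code from the post or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK, a caller with the Group.ReadWrite.All permission, a tenant licensed for dynamic groups (Entra ID P1 or higher), and an illustrative group name and rule.

```powershell
# Added example (not from the original post): create a dynamic device group so that every
# Windows device joining the tenant is placed in an Intune-targeting group automatically.
# Assumptions: Microsoft.Graph SDK installed; Group.ReadWrite.All granted; names are illustrative.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Membership rule, evaluated server-side against device objects.
# - device.deviceOSType matches the OS reported at join/registration time.
# - To limit the group to Entra-joined devices only (and exclude registered BYOD ones),
#   add: and (device.deviceTrustType -eq "AzureAD")
$rule = '(device.deviceOSType -eq "Windows")'

$group = New-MgGroup -DisplayName 'Intune - policy1' `
    -Description 'All Windows devices, auto-populated by dynamic membership' `
    -MailEnabled:$false -MailNickname 'intune-policy1' -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Confirm the rule was accepted and processing is switched on. Membership is populated
# asynchronously, so an empty member list right after creation is expected.
Get-MgGroup -GroupId $group.Id -Property 'displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Target the Intune policy at this group as usual. Because membership follows the rule, a device that is later removed from the tenant or whose OS attribute changes drops out of the group without any manual cleanup.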
23H2 Passkeys: default to security key instead of mobile devices

Microsoft invested time & money to introduce Passkeys in Windows 11 23H2, as it should. Unfortunately, it defaults to a mobile device (iPhone, iPad or Android device) every time you try to log on. This is very annoying for everybody that is using a security key (FIDO2). Before we just needed to enter our PIN, but now we need multiple clicks to log on. I'm not aware of a solution to manage these options (manually or through Intune). Is anyone aware of a solution? I'm quite amazed Microsoft didn't think of this.

3K views, 7 likes, 2 comments

Block access with Conditional Access for Unmanaged Devices

Today, we will discuss nothing new, but it's still a topic that remains as relevant and important as ever. If you decide to block users working from unmanaged devices, you can securely mitigate various security risks, such as data leaks and successful phishing attacks. For example, we see the rise of Man-in-the-Middle (MitM) phishing attacks, which can easily steal your credentials and access tokens and use these to sign in to your account while completely bypassing multi-factor authentication. Conditional Access can prevent these attacks without relying on phishing-resistant authentication methods such as Hello for Business, FIDO2 hardware keys, or soon Microsoft Authenticator with Passkeys. In this blog, I'll share seven recommendations to prepare you for a smooth implementation, look at the user experience, and show you how to block access with Conditional Access for Unmanaged devices.

https://myronhelgering.com/block-access-with-conditional-access-for-unmanaged-devices/

2.7K views, 2 likes, 3 comments

New Blog | Step-by-Step Guide to Identify Inactive Users using Entra ID Governance Access Reviews

Within an organization, inactive user accounts can persist for various reasons, including former employees, service providers, and service accounts associated with products or services. These accounts may remain inactive temporarily or for extended periods. If an account remains inactive for 90 days or more, it is more likely to remain inactive. It's crucial to periodically review these inactive accounts and eliminate any that are unnecessary. Microsoft Entra ID Governance Access Reviews now offers the capability to detect inactive accounts effectively. Using the Entra ID Governance Access Review feature, it's possible to identify accounts that have not been actively used to sign into Entra ID, either interactively or non-interactively, for up to 720 days.

Accounts that are left inactive are susceptible to being targeted by cybercriminals for several reasons:

- Inactive accounts may still use well-known passwords or credentials that have been compromised.
- Inactive accounts are less likely to have multifactor authentication (MFA) enabled.
- Due to their inactivity, these accounts may go unnoticed by advanced security controls in place.

Read the full blog here: Step-by-Step Guide to Identify Inactive Users by using Microsoft Entra ID Governance Access Reviews - Microsoft Community Hub

2.3K views, 1 like, 0 comments

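The access-review feature in the "Identify Inactive Users" post above makes its decision on the same signal you can query yourself: the user's last interactive and last non-interactive sign-in. The script below is an added example (not from the linked blog or from Microsoft) that builds the candidate list directly from Microsoft Graph, which is useful for a dry run before an access review is configured or in tenants without Governance licensing. It assumes the Microsoft.Graph SDK, the User.Read.All and AuditLog.Read.All permissions, Entra ID P1 or higher (required for the signInActivity property), and a 90-day threshold chosen to match the post.

```powershell
# Added example (not part of the original post): list users whose most recent sign-in,
# interactive OR non-interactive, is older than a threshold.
# Assumptions: Microsoft.Graph SDK; scopes User.Read.All + AuditLog.Read.All; Entra ID P1+
# so that signInActivity is populated; 90 days is an illustrative threshold.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'

$threshold = (Get-Date).ToUniversalTime().AddDays(-90)

# signInActivity is not returned unless explicitly requested via -Property.
$users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,accountEnabled,createdDateTime,signInActivity'

$inactive = foreach ($u in $users) {
    $act = $u.SignInActivity
    # Either timestamp proves the account is in use, so take the most recent of the two.
    # A service account that only refreshes tokens shows up under the non-interactive one.
    $last = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Accounts that have never signed in carry no signInActivity at all; fall back to the
    # creation date so freshly provisioned accounts are not flagged on day one.
    if (-not $last) { $last = $u.CreatedDateTime }
    if ($last -lt $threshold) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Enabled           = $u.AccountEnabled
            LastActivityUtc   = $last
            DaysInactive      = [int]((Get-Date).ToUniversalTime() - $last).TotalDays
        }
    }
}

$inactive | Sort-Object DaysInactive -Descending | Format-Table -AutoSize

# Act in stages once the list has been reviewed: disable first, delete after a grace period.
# $inactive | ForEach-Object { Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false }
```

Two caveats when reading the output. Graph only records sign-in activity from the point the tenant started collecting it, so very old accounts with no data at all are reported against their creation date and deserve a manual look rather than automatic deletion. And "enabled but inactive" accounts are the ones the post is warning about: they still authenticate with whatever password they had, and they are the ones to disable first.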
Conditional Access Policy: Allow Only Devices Marked As Compliant to Access Office 365 Applications

Hello, this seems like a straightforward question and answer, but I can't figure it out. Reaching out to the community for help. Everyone in my org has an Intune license assigned via Office 365. I want only users who have a device that is marked as compliant within Intune to be able to access Office 365 applications (Outlook, SharePoint, OneDrive, Teams, etc.), as well as be able to access the web version of Outlook. The goal here is that if one of our users gets their credentials stolen, the hacker can't sign into Outlook because their device is not compliant within our Intune. Hackers are getting past our MFA. Any help would be appreciated. Thanks!

2.2K views, 0 likes, 1 comment

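The policy asked for in the post "Conditional Access Policy: Allow Only Devices Marked As Compliant to Access Office 365 Applications" above, and the one the earlier "Block access with Conditional Access for Unmanaged Devices" post describes, is a single Conditional Access rule: target the Office 365 app group, grant access only with the "Require device to be marked as compliant" control. The script below is an added example, not code from either post, the linked blog, or Microsoft. It assumes the Microsoft.Graph SDK, the Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions, a break-glass group whose object ID you substitute for the placeholder GUID, and an illustrative device filter that exempts devices tagged in extensionAttribute1.

```powershell
# Added example (not from the original posts): a Conditional Access policy that allows
# Office 365 only from Intune-compliant devices, created in report-only mode first.
# Assumptions: Microsoft.Graph SDK; scopes below granted; break-glass group ID is a placeholder;
# the device filter and its attribute value are illustrative.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your group's object ID

$policy = @{
    displayName = 'CA - Require compliant device for Office 365'
    # Report-only: sign-in logs show what WOULD be blocked without locking anyone out.
    # Switch to 'enabled' only after reviewing those logs.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # 'Office365' is the built-in app group covering Exchange Online, SharePoint/OneDrive,
            # Teams and the rest of the suite, including Outlook on the web.
            includeApplications = @('Office365')
        }
        clientAppTypes = @('all')
        # Optional device filter: take explicitly tagged devices (e.g. kiosks) out of scope.
        # Filter rules use the same attribute syntax as dynamic group rules.
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.extensionAttribute1 -eq "ca-exempt"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Why this addresses "hackers are getting past our MFA": the compliance check is evaluated against the device identity presented at sign-in (the device's Entra registration and, on Windows, its Primary Refresh Token). Credentials or MFA approvals phished through an adversary-in-the-middle proxy arrive from the attacker's machine, which has no such identity, so the grant control fails even though the password and MFA were correct. Two practical consequences to plan for before enforcing: every platform your users work from must be enrolled in Intune and reporting compliant, and browser access must go through a browser that can present the device identity (Edge, or another browser with the Microsoft Single Sign-On extension), otherwise legitimate users are blocked too. Report-only mode exists precisely to surface those cases first.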
After Device Intune Enroll - Device gone from Entra?!

Hello, Intune/Entra/Endpoint/Security: it's extremely overwhelming and confusing. We're just getting this started as we've moved to 365 and licenses that add Intune.

A Windows 11 laptop. Domain joined to the office. Hybrid joined to Entra. The user account is an absolutely basic one, nothing other than the default domain user on the local domain. I wanted to be sure all these enrollments and such would work at the simplest level automatically in the background from a simple user logging in to a device. After 2 weeks of struggle, I finally just got this Windows 11 test device to enroll with Intune yesterday afternoon. But this morning when I then went to our Entra portal, that device had disappeared from the Entra Devices list?! Running dsregcmd /status on the device, it is still showing as joined to Azure, and has the MDM URLs and so on. The Entra audit logs show no deletion of the device.

WAIT - while I was typing this up I suddenly thought of something, and it turned out to be this! When the device enrolled, it seems the device name in Entra was changed! It got changed to being the username, OS and time of the registration! Why would Entra do that??? That is not the actual device name! But now it shows as Test.One_Windows_2/27/2024_8:52 PM. It should be our actual device name of ABC-L###. Any insights as to why it did that, and how I can prevent this from happening with every other device I have yet to bring on board?

2.2K views, 0 likes, 3 comments

Deleted computer object in local AD still in Azure AD

Hi, I'm dealing with a client who reported the following "issue". They have configured Azure AD Connect and device sync, and everything seems to work. They deleted some computer objects from AD (dsa console) without disjoining them beforehand. Azure AD Connect continues to perform synchronizations, but the computers still appear in Azure AD with Join Type <empty> (no longer Hybrid Azure AD Joined). I'm wondering if this is normal and those computers must be manually deleted from Azure AD, or whether Azure AD should automatically delete the computer objects once the related AD object is deleted. Kind Regards, David

1.7K views, 1 like, 0 comments

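Both the "After Device Intune Enroll - Device gone from Entra?!" post and the "Deleted computer object in local AD still in Azure AD" post above come down to reading the device inventory carefully: what the object's join type (trustType) is, whether its display name is the one the admin expects, and whether it has signed in recently. The script below is an added example, not code from either post or from Microsoft, that pulls the inventory from Microsoft Graph and flags those three conditions. It assumes the Microsoft.Graph SDK, the Device.Read.All permission (Device.ReadWrite.All for the commented-out cleanup), a 90-day staleness window, and that the auto-generated name format is the `<user>_Windows_<M/D/YYYY>_<h:mm AM/PM>` pattern shown in the first post (the date layout follows the tenant's locale, so adjust the regex if yours differs).

```powershell
# Added example (not from the original posts): inventory Entra device objects and flag
#   NoJoinType        - trustType is empty (e.g. the on-prem object was deleted, as in the second post)
#   AutoGeneratedName - display name matches <user>_Windows_<date>_<time> (as in the first post)
#   Stale             - no sign-in within the window
# Assumptions: Microsoft.Graph SDK; Device.Read.All; 90-day window and US date layout are illustrative.
Connect-MgGraph -Scopes 'Device.Read.All'

$staleAfter = (Get-Date).ToUniversalTime().AddDays(-90)
$autoName   = '^.+_Windows_\d{1,2}/\d{1,2}/\d{4}_\d{1,2}:\d{2} (AM|PM)$'   # assumed locale-specific format

$devices = Get-MgDevice -All -Property 'id,deviceId,displayName,trustType,operatingSystem,approximateLastSignInDateTime,accountEnabled'

$report = foreach ($d in $devices) {
    $flags = @()
    if (-not $d.TrustType)                   { $flags += 'NoJoinType' }
    if ($d.DisplayName -match $autoName)     { $flags += 'AutoGeneratedName' }
    if ($d.ApproximateLastSignInDateTime -and $d.ApproximateLastSignInDateTime -lt $staleAfter) {
        $flags += 'Stale'
    }
    if ($flags) {
        [pscustomobject]@{
            DisplayName = $d.DisplayName
            # trustType: AzureAd = Entra joined, ServerAd = hybrid joined, Workplace = registered
            TrustType   = $d.TrustType
            OS          = $d.OperatingSystem
            LastSignIn  = $d.ApproximateLastSignInDateTime
            Flags       = ($flags -join ',')
            ObjectId    = $d.Id
        }
    }
}

$report | Sort-Object Flags, DisplayName | Format-Table -AutoSize

# Cleanup, only after the list has been reviewed. Disable first; delete after a grace period,
# because a device with a live Primary Refresh Token is broken the moment its object is gone.
# $report | Where-Object Flags -match 'NoJoinType|Stale' |
#     ForEach-Object { Update-MgDevice -DeviceId $_.ObjectId -AccountEnabled:$false }
```

Reading the report against the two posts: a device with a normal hostname and trustType ServerAd is the hybrid-joined object, while an entry with the auto-generated name and trustType Workplace is a separate registered object for the same hardware, so the first thing to check for the "renamed" laptop is whether both exist. For the deleted computer accounts, an empty trustType confirms the cloud object is no longer linked to anything on-prem; Entra Connect removing the link is not the same as deleting the object, and the NoJoinType entries are the ones to remove by hand once you are sure nothing still depends on them.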
Device filter in the conditional access policies

Dear Microsoft Entra Friends, what is your experience with the device filter in the conditional access policies (Microsoft Entra ID)? The values of the attributes are not correct and therefore the policy is not processed correctly. This is confirmed in a "What If" test. Kind Regards, Tom Wechsler

1.7K views, 0 likes, 4 comments