User Profile
SRPfr
Copper Contributor
Joined 6 years ago
Recent Discussions
Microsoft 365 and Windows 10 Subscription Activation.
Hi All, We want to buy Microsoft 365 Business Premium and E3 with included Windows 10 subscription. How can we activate the Windows 10 subscription? Is it mandatory to use (Hybrid) Azure AD join? Or can we use another, easier way to activate the Windows 10 subscription? If we need to use Azure AD join, we need to use the hybrid version to use GPO. Are there limitations/changes or impacts when we use the hybrid Azure AD join? Like modification of local admin... Thanks
1.6K Views | 0 likes | 1 Comment

Cross tenant migration tools : New MS solution compared to Migration Wiz?
Hi, I'm looking for information about advantages and limitations between the new Microsoft Cross Tenant migration solution (Preview) and "Migration Wiz". The Microsoft solution looks more limited and doesn't seem to have Free/busy sync. What are the returns for those who did use the MS cross tenant solution? Thanks,
1.5K Views | 0 likes | 2 Comments

Best practice for security management (policies/rules ...) in AzureAD, Conditional Access & InTune
What's the best practice for security management in AzureAD, to manage policies/rules in MEM/InTune, Conditional Access... to easily review and add/remove access to a specific rule/right.
Some examples:
Best practice when we apply a Conditional Access to a group of users?
- Do we set a specific Azure AD group (like for MFA: ForceMFA) in the Conditional Access policy, then add groups or users in this Azure AD group?
- Or do we add Azure AD groups or users directly (like Boston-Manager, Florida-Marketing…) in the Conditional Access settings?
Same for Intune/MEM policy (like Compliance policies):
- Do we set a specific Azure AD group (like InTune-Compliance-W10-Include, InTune-Compliance-W10-Exclude) for these policies, then add groups or users in this group?
- Or do we add AzureAD groups or users directly in the InTune policy settings?
Is there a Microsoft best practice for AzureAD management like the AGDLP rule for AD OnPrem, and advantages/disadvantages to using nested groups in AzureAD?
Thanks!

AzureAD Password Policy impact after moving from AADConnect sync to Full cloud
Hi all, We plan to disable AADconnect dirsync to go full cloud and use only Azure AD. The AD OnPrem domain uses a very "light" password policy, less restrictive than Azure AD.
AD OnPrem:
- Complexity: Disabled
- Minimum password length: 6 characters
On Azure AD:
- Complexity: Enabled
- Minimum password length: 8 characters
- We use the global setting "password never expire" and default settings.
Question: With the Azure AD global setting "password never expire": when all users go "Cloud Only" there will be no impact, right? Even if they have only a 6-character password without complexity, they can continue to use this password with an Azure AD cloud only account?
Thanks!

Impact with Password Policy when we disable AADConnect Dirsync
Hi all, We plan to disable AADconnect dirsync to go full cloud and use only Azure AD. This domain uses a very "light" password policy, less restrictive than Azure AD:
AD OnPrem:
- Complexity: Disabled
- Min length: 6 characters
- Max password age: 90 days. Most users on AD OnPrem have password set to "never expire".
On Azure AD, we use the global setting "password never expire" and default settings.
Questions:
With the Azure AD global setting "password never expire": when all users go "Cloud Only" there will be no impact, right? Even if they have only a 6-character password without complexity?
If we use the Azure AD global setting with a password expiration policy (like 90 days):
- For users without previous "password never expire" on AD OnPrem: Password will expire 90 days after the user has been marked "Cloud Only" (with the deactivation of AADconnect sync).
- For users with previous "password never expire" on AD OnPrem: They will have no issue.
Am I right?
Thanks!

Re: AzureAD Password Policy impact after moving from AADConnect sync to Full cloud
Thanks ChristianBergstrom for your answer. Do you mean "If the password doesn't meet the policy requirements, the user is prompted to try again": at the user connection? My question is only related to user connection, because the password policy is set to never expire. I haven't seen any Microsoft document that indicates that the password needs to meet the AzureAD password policy at the user connection. For me the AAD password policy works like the AD password policy: the password policy evaluation is made only when a user changes the password, not at the connection. Do you perhaps have a reference? We will activate SSPR only after the Tenant is full cloud, but not all users will be compliant, and we want to minimize the impact when the Tenant switches to full cloud.
2.8K Views | 0 likes | 1 Comment

Re: AzureAD Password Policy impact after moving from AADConnect sync to Full cloud
Yes, but when will they be forced to change the password if the Tenant is set with "password never expire"?
- What will be the impact for a user when he connects the first time with the cloud-only Azure AD account, with a 6-character password and the Tenant set with "password never expire"? Is it like an AD OnPrem password policy: Password Policy only evaluated when the password is changed or expired? -> So no impact for user connection even if the current password doesn't meet the AzureAD password policy?
2.8K Views | 0 likes | 3 Comments

Re: AzureAD Password Policy impact after moving from AADConnect sync to Full cloud
Yes, this is right, but:
- What will be the impact for a user when he connects the first time with the cloud-only Azure AD account, with a 6-character password and the Tenant set with "password never expire"? Is it like an AD OnPrem password policy: Password Policy only evaluated when the password is changed or expired? -> So no impact for user connection even if the current password doesn't meet the AzureAD password policy?
2.8K Views | 0 likes | 0 Comments

Re: Impact with Password Policy when we disable AADConnect Dirsync
VasilMichev Thanks Vasil for your answer. I think you have only answered one question ;). Do you have information on the other questions below? After we switch to full cloud users, the password policy for all users will change, and we don't want to lower the Azure AD password policy.
The question is more about: After disabling AADConnect dirsync, when all users are set to "Cloud Only" there will be no impact, right? No impact when a user authenticates to Azure AD with a password not matching the minimum requirements of the new Azure AD Password policy? Like a previous password set with only 6 characters without complexity.
If we set the Azure AD global setting with a password expiration policy (like 90 days):
- For users without previous "password never expire" on AD OnPrem (after the deactivation of AADconnect sync): Password will expire 90 days after the user has been marked "Cloud Only"? Or does Azure AD keep the "password last set" from previous AD OnPrem?
- For users with previous "password never expire" on AD OnPrem: Your answer: This setting is not kept from previous sync with AADConnect. So all AzureAD users will get a password with expiration, and we need to set "password never expire" again on each user that needs this setting? With:
Set-AzureADUser -ObjectId XXX -PasswordPolicies DisablePasswordExpiration
Thanks!
1.3K Views | 0 likes | 1 Comment

Re: Best practice for the managed Google Play Account in Intune/MEM
Thijs Lecomte Thanks, but what will be the best practice for you, with Android Zero-Touch and Intune Google Play Account:
- Two Professional Accounts.
- Two Gmail Accounts (apparently not recommended by Google: it asks to use a professional account to access the Zero-Touch portal).
- Two Accounts (1 Gmail & 1 Pro): 1 Gmail Account for Intune Google Play Account & 1 Professional Account for Android Zero-Touch.
- One unique Professional Account. So only one ExO licence and one account to secure. Any disadvantage?
If we use a professional account, does this account also need to have an Exchange Online licence always activated with an enabled mailbox, or do we not need a mailbox? Do you know, if we also use iOS and Samsung Knox: will the best practice be to use a different account for each or the same for all? (Google Play, iOS AppStore, Android Zero-Touch, Knox) Thanks,
11K Views | 0 likes | 3 Comments

Re: Best practice for the managed Google Play Account in Intune/MEM
Thijs Lecomte When we want to use Android Zero-Touch, do we need to use the same account (Intune Google Play Account) or can this be 2 different accounts? Apparently Google is asking to use a professional account to access the Zero-Touch portal. If we use a professional account, does this account also need to have an Exchange Online licence always activated with an enabled mailbox? Thanks!
11K Views | 0 likes | 5 Comments

Re: Best practice for the managed Google Play Account in Intune/MEM
Thijs Lecomte Thanks for your answer! This Gmail account doesn't receive any email we need to check for MEM/InTune or Google Play? Can we change the password and add MFA for this account without breaking InTune integration? I have read that if we lose access to the Google Play account in InTune, to change this account to a new one, we first need to retire all enrolled Android devices and then enroll all devices. This will have a big impact for users, or is there an easier way to do this? Thanks,
12K Views | 0 likes | 7 Comments

Best practice for the managed Google Play Account in Intune/MEM
Hi All, I'm looking for some advice on the best practice for setting the first step of Android enrollment in Microsoft Intune/MEM. What is the best practice for security and management, when we choose the managed Google Play account for Intune/MEM? Using an AzureAD account (with or without Exchange Online licence), a Google account, or another external account? Does this account need to have access to a mailbox, and can MFA be used with this account? Thanks!
Solved | 12K Views | 0 likes | 10 Comments

Re: Exchange hybrid or not when all mailboxes are in EXO? Question about Object management.
We use AADconnect/PTA/Seamless SSO, but now without Exchange hybrid. Without Hybrid I saw only 2 differences in a scenario with all mailboxes in the cloud:
- In EAC we can’t create an Office 365 mailbox object. (But a mailenable object is ok for aadconnect)
- In PowerShell we can’t use Enable-RemoteMailbox.
Not a big deal I think. Do you know if there are other impacts to not activating Exchange hybrid?
1.8K Views | 0 likes | 1 Comment

Exchange hybrid or not when all mailboxes are in EXO? Question about Object management.
Hi all, We have all mailboxes in EXO, nothing on-premises. But we installed one Exchange Server 2016 to manage synced Exchange objects, with AADConnect. We didn’t enable Hybrid Exchange because we are not in a hybrid environment.
1/ What will be the difference in Exchange object management with or without Exchange hybridization? (Mailenable user, remote mailbox, attributes available ...). I didn’t find any comparison table.
2/ With AADConnect and only EXO mailboxes, what will be the best practice for shared mailboxes, resource mailboxes and distribution lists? To create these objects directly on EXO or on-premises?
Thanks!
1.9K Views | 0 likes | 3 Comments