Azure AD – Protect your directory better by using Administrative Units (Preview)

The Azure AD administrative units are in Preview since a while, but lastly they got an update and I decided to check the opportunities that it might gives. Right from the bat, this feature has still a lot of possible improvement, I list those which would affect me the most at the end of the blog. But beside this, there are some neat use cases where I would configure Administrative Units.

Protect service accounts
Since the user administrator role can reset nearly every users password within the Azure AD (exceptions are Global Admin role members and more, see Azure AD User Administrator; thanks to nicola for the correction), it is very unlikely that you want to have a lot of administrators having that role. With Azure AD administrative units, you can add add regular users to a administrative unit. On this administrative unit you then can safely assign the User Administrator role to a technician, without giving the opportunity to gain access to an account with higher permissions. The following roles can be assigned within an administrative unit:

You can add a user to multiple administrative units, which allows to create a well designed delegation model for users and groups in Azure Active Directory.

Continue reading

Intune Autopilot – Prepopulate the Startmenu

It might be not that popular with Windows 10, but every company wants a well curated startmenu, rather than the default delivered from Microsoft:

We have multiple Options to configure the startmenu, I’m sure I don’t know them all. But when it comes to Windows 10 and Intune autopilot, we do not really have an option as what I have considered. This blog tries to catch the available options we currently have with Intune and Autopilot.
Continue reading

Windows 10 settings management with Intune

When a journey ends, a new journey will begin. My journey with the old school domain joined and GPO managed devices within my LAB ended, and I finally conquer new areas with Azure AD join and Intune controlled devices. Due to the lack of opportunities, I still waited so long, because a lot of settings were not possible to set. And some of them are still not that simple to set through Intune, but there is a solution for, I would like to say, most of the requirements.

So within this blog post, I would like to document my current knowledge of Windows 10 settings management through Intune. As today, we have the following options to configure GPO alike settings through Microsoft Intune:

  • Intune Windows Enrollment settings
  • Intune Portal blade settings
  • Intune Portal Custom CSP settings
  • Intune ADMX-backed administrative template settings (Preview)
  • PowerShell Script
  • Let’s have a closer look to the different options.
    Continue reading

    Office 365 – Content Search and eDiscovery

    Today I would shed some light on the two options “Content Search” and “eDiscovery” from the Security and Compliance center of Office 365. You can reach the security and compliance center through the following URL:

    Office 365 – Security & Compliance Center

    The first questions that may raise up, what is content search and eDiscovery, and what is the difference of those two options.
    With content search, you can search all the content that is actually available, regarding existent policies (given example: Exchange Hold). Content search may help you in various occasions, where it may not be required to use eDiscovery. For legal documentation the eDiscovery should be used, where you also can specify Mailboxes, SharePoint Locations and OneDrive for Business to set hold policies on them.

    The next question might be: Who has access to those features by Default?

    It depends… Continue reading

    Azure AD Connect – Configure the “Enable-ADSyncExportDeletionThreshold” wisely

    Today would shed some light on the cmdlet “Enable-ADSyncExportDeletionThreshold” which comes with the Azure AD Connect. If you are using Azure AD Connect to synchronize your On-Premise Active Directory to Azure Active Directory, Azure AD Connect will never execute a batch of more than 500 objects to delete. You can check the current value by using “Get-ADSyncExportDeletionThreshold”:

    Continue reading

    Azure AD – Change from ADFS to pass-through Authentication

    Since pass-through Authentication is GA and the major limitations are gone, I decided to change my Azure AD authentication against my local AD from ADFS to pass-through provided with Azure AD Connect.
    For those who are not that familiar with the concept of pass-through authentication, on this Microsoft Article “How it works”, you will find all the information. The picture below is from this article as well.

    Continue reading

    ADFS – Single Sign On with automatic Login on Edge Browser

    Today I would like to share my experience when it comes to add a User Agent (e.g. Browser) to the list of Single Sign On capable applications. There is quite a good Article from Microsoft that describes how to add a User agent to the ADFS Configuration, you will find this Article here:
    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia
    Continue reading