In the last post I covered what was required (very little, apart from an Azure subscription!) with Windows Server 2016 Essentials Technical Preview 3 to set up an Azure Virtual Network, and today I’ll switch over to the Azure management portal so that we can see what was created for us. If you don’t have an Azure subscription to test with, just go to www.azure.com and sign up for a 30 day trial.
Selecting Networks on the left hand side, you can see the AzEssTP3 Virtual Network that I created inside of Essentials, along with a couple of others I had created previously.
Digging in to the details of the Virtual Network, you can see that the Quick Start page has a link to additional Azure Networking information for those that need more information.
In the Dashboard, we can see that the connection is active, how much traffic has passed through it, and the gateway IP address.
Under Configure you can see the on-premises DNS server details, and that the connection has been set up as a Site to Site connection rather than as a point to site connection, which would be used more often in a client to virtual network type scenario.
So now that I’ve confirmed that the connection has been created and is active, I should create a virtual machine inside of the virtual network so that I can test connectivity back to my on-premises environment.
If you haven’t seen the Azure Virtual Machine creation process, I’ll walk you through some of the steps here. First of all you can see that there is a range of Microsoft, Linux and Oracle offerings that we can leverage; it’s not just Windows!
After that last comment, of course I do choose to create a Windows Server 2012 R2 Datacenter image. I’m deliberately choosing a lower size VM to keep costs down, and I need to provide a username and password that meets the Azure requirements.
This is where you can see that I have chosen the virtual network AzEssTP3 which I created previously. The VM will automatically be provisioned in Australia East because that’s the location I selected when I created the virtual network.
Just a few more selections to install the VM agent and the Microsoft Antimalware security extension, and then I click the tick and the VM provisioning process begins.
Here you can see the VM is starting. The provisioning and start up process normally takes a few minutes.
Once it has started, you can see that the status has now switched to running.
I can switch to the Dashboard and see the current stats for the VM’s resource utilisation, as well as the internal IP address at the bottom.
I can then launch the RDP connection from the Azure management portal, at which point I am taken into the freshly created VM, where Server Manager will auto launch by default.
What I want to do with this VM is join it to the on-premises Active Directory domain environment. Here you can see that there are a couple of changes I will need to make, including moving away from a workgroup, and you will also see that Remote Management is currently disabled, which could be problematic in the future if I want to manage this server through my on-premises Essentials server.
Changing from a workgroup member to a domain member works the way we expect.
I enter the domain details, but I realise I still haven’t actually verified network connectivity.
To test connectivity, I can just ping back to my on-premises server (I allowed this traffic through the firewall for the sake of this test). I can successfully ping my local network resources, so it’s time to complete the domain join process.
I enter my domain credentials at the prompt.
And there we are, we have a domain joined server sitting inside of the Azure Virtual Network we created.
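The connectivity test and domain join above are done through the GUI. As an added example (not from the original post), the same checks can be scripted on the freshly provisioned Azure VM before the join: a successful ping only proves the tunnel passes ICMP, whereas a domain join also needs DNS, Kerberos, LDAP and SMB to reach the on-premises domain controller. The DC address, domain name and credentials below are placeholders, not values from the post.

```powershell
# Added example, not part of the original post. Run on the Azure VM (Windows Server 2012 R2).
# $OnPremDc and $DomainName are placeholders for the on-premises DC / DNS server.
$OnPremDc   = '10.0.0.4'              # assumed on-premises DC and DNS server IP
$DomainName = 'corp.example.local'    # assumed on-premises AD DNS domain name

# 0. Remote Management was disabled on the fresh VM; enable it so the Essentials
#    server can manage this machine later (Server Manager remoting + WinRM).
Configure-SMRemoting.exe -Enable

# 1. Confirm the VM received the on-premises DNS server from the virtual network config.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $OnPremDc } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. ICMP across the site-to-site tunnel (only succeeds if the on-prem firewall allows it).
Test-NetConnection -ComputerName $OnPremDc -InformationLevel Detailed

# 3. A domain join needs more than ping: probe the ports Active Directory actually uses.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }
foreach ($p in $ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $OnPremDc -Port $p.Value -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-9} {1,4} : {2}' -f $p.Key, $p.Value, $state
}

# 4. Verify DC locator records resolve through the tunnel; without this the join fails
#    even when the ports are open.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV

# 5. Only then join the domain (prompts for domain credentials) and reboot.
Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
```

If step 3 reports a blocked port, fix the on-premises firewall or the VPN device before attempting the join; a join that fails half-way is harder to diagnose than a port check.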
In the next post I’ll revisit some of the things you can do inside of Server Manager once you have the connection established, which isn’t really related to the Azure Virtual Networking integration feature, just more of a refresher of what you can do inside of Server Manager.
I’ve previously posted about the Office 365, Azure Active Directory and Intune integration with Windows Server 2016 Essentials Technical Preview 3, now it’s time to start looking at some of the other Azure integration pieces, starting with the Azure Virtual Network integration. Before taking a look at what’s required to get this working, it’s worth discussing what the scenarios might be for leveraging this capability. Simply put, if you need to extend your network into the Azure for the purpose of enabling Azure RemoteApp, virtual machines running a variety of OSs and applications, as well as a variety of other services, this will provide seamless access to the Azure hosted resources from your local network. In this post I’ll focus on the Essentials Dashboard configuration, and in the next post I’ll show what’s happening on the Azure management portal.
Starting here with a fresh installation, you can see that Azure Virtual Network integration is disabled, but on the right hand side I can choose Integrate with Azure Virtual Network.
This will launch the download and installation of the Microsoft Service Integration Package, which should be a quick process.
Once that has completed, you get the option to Restart Dashboard, which again is fairly quick.
When the Dashboard restarts you are presented with the Sign in to Microsoft Azure screen.
In TP3 I have found that I cannot use my Microsoft Account sign in, and instead have to use a work or school account (aka Azure Active Directory) to sign in. If you normally sign in to your Azure tenant with a Microsoft Account, you can create a new user in the default directory and assign them rights to the Azure subscription so that you can sign in with those new Azure AD credentials instead.
Once the credentials are entered we have to authorise access to Azure.
We are then presented with the subscriptions drop down box. This account only has access to one subscription, so I’ll just accept the default.
Now we get to start making some choices around whether we are going to use an existing local network and Azure virtual network or create new ones, and, if we are creating a new Azure Virtual Network, which Azure datacenter we want it in.
For this post I’ll just create a new Azure Virtual Network in Australia East (aka Sydney) and create a new Local network.
We now get to set up the VPN device. In this case I will host it directly on the Essentials server, but I could set it up on another Windows Server 2012 or later server on the network. Alternatively, if I have VPN hardware that is compatible with Azure I could use that instead.
And with that we have created an Azure Virtual Network, and established connectivity through to it.
Once I close the wizard you can see that Azure Virtual Network is now shown as enabled. In the next post I’ll switch over to the Azure management portal where I will provision a new virtual machine into the virtual network and then join it to the on-premises domain.
In the last post I covered what the end user AAD Join experience could look like, depending on how the underlying cloud services are configured, and in this post I’ll explain some of the configuration settings that are exposed in Azure Active Directory and Intune. Let’s start with the Azure Active Directory configuration settings.
In the Azure Active Directory Configure screen, we have the following options…
Users may join devices to Azure AD – Select the users and groups that are allowed to join devices to Azure AD.
Additional administrators on Azure AD Joined devices – With Azure AD Premium, you can choose which users are granted local administrator rights to the device. Global Administrators and the device owner are granted local administrator rights by default.
Users may register their devices with Azure AD – Allow users to register their devices with Azure AD (Workplace Join). Enrolment with Microsoft Intune or Mobile Device Management for Office 365 requires Device Registration. If you have configured either of these services, ALL will be selected and the button will be disabled.
Require Multi-factor Auth to join devices – Multi-factor authentication is recommended when adding devices to Azure AD. When set to ‘Yes’ users that are adding devices from the internet must first use a second method of authentication.
Maximum number of devices per user – Designates the maximum number of devices a user can have in Azure AD. If a user reaches this quota, they will not be able to add additional devices until one or more of their existing devices are removed.
Because I’ve already registered a device for the previous post, I can go to the user’s Devices page to see the devices they have already registered, and we can see that it confirms that it is AAD Joined. But what about non-Windows 10 devices?
Here’s another user with Android and iOS devices, and you can see here that these are Workplace joined, but not AAD Joined.
In order for the next steps to allow auto-enrolment into Intune, you need to make sure that the user has an Intune or Enterprise Mobility Suite license assigned to them.
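Checking that prerequisite by hand for every user does not scale. As an added example (not from the original post), the check below uses the MSOnline PowerShell module of that era to confirm whether a user holds an Intune or EMS license before auto-enrolment is expected to work. The UPN is a placeholder, and the SKU part names `EMS` and `INTUNE_A` are assumptions about the tenant’s AccountSkuId values; confirm them against `Get-MsolAccountSku` in your own tenant.

```powershell
# Added example, not part of the original post. Requires the MSOnline module
# (Install-Module MSOnline) and a Global Admin or User Admin sign-in.
Connect-MsolService

$upn          = 'user@contoso.onmicrosoft.com'   # placeholder UPN
$mobilitySkus = 'EMS', 'INTUNE_A'                # assumed SKU part names for EMS and Intune

# AccountSkuId has the form 'tenant:SKUPART'; keep only the SKU part.
$user     = Get-MsolUser -UserPrincipalName $upn
$assigned = $user.Licenses | ForEach-Object { $_.AccountSkuId.Split(':')[1] }

$match = $assigned | Where-Object { $mobilitySkus -contains $_ }
if ($match) {
    "$upn is licensed for Intune auto-enrolment: $($match -join ', ')"
} else {
    # List what the tenant actually owns so the right SKU can be assigned.
    Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits

    # A usage location must be set before any license can be assigned.
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation 'AU'   # assumed location
    }

    # Assign EMS if the tenant has it; the tenant prefix is read from the SKU list.
    $emsSku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:EMS' }
    if ($emsSku) {
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $emsSku.AccountSkuId
        "Assigned $($emsSku.AccountSkuId) to $upn"
    } else {
        "$upn has no Intune/EMS license and the tenant has no EMS SKU to assign"
    }
}
```

Run it against the test user before walking through the Azure AD Join, so that a missing license is not mistaken for a broken Intune MDM configuration.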
To configure Intune to allow auto-enrolment as part of the AAD Join process, go to the Applications page for Azure Active Directory.
You can check the Skip Quick Start the next time I visit to avoid seeing this screen again, but otherwise just click on Configure.
In the Intune properties page we have the following options available…
MDM Enrolment URL – The URL of the enrolment endpoint of the MDM service. The enrolment endpoint is used to enroll devices for management with the MDM service.
MDM Compliance URL – The URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliant device, a link to the compliance URL is displayed to the user. Users can navigate to this URL hosted by the MDM service, in order to understand why their device is considered non-compliant. Users can also initiate self-service remediation so their device becomes compliant and they can continue to access resources.
Manage devices for these users – Select the groups of users whose devices should be managed by this MDM service.
Let’s switch over to the Intune management portal now to see what is happening over there…
Because of the Auto-enrol enablement being enabled in Azure Active Directory my DESKTOP-UD317C3 Windows 10 device is already showing up as a mobile device inside of the Intune portal.
The final thing is to revisit the Defender restriction I showed in the previous post.
The Defender GUI restriction policy was created via an OMA-URI setting for Windows 10, which you can find out more about here.
One of the new capabilities in Windows 10 that I’m a big fan of is the ability to join Azure Active Directory, here I’ll do a quick walk through of what you see on the Windows 10 client, and what needs to be configured in Azure Active Directory and Intune to allow this to occur.
First up, this screen is presented at the end of a Windows 10 Pro or Windows 10 Enterprise installation if the device has network connectivity. If there is no network connectivity, you will be prompted to create a local account as that will be your only way to sign in. Because these screenshots are from Enterprise, you will also notice that there is no Microsoft Account prompt to be seen. At this point choose the Join Azure AD option and click next.
At this screen you can enter the credentials you normally use to access Microsoft Online Services that leverage Azure Active Directory, such as Office 365, CRM Online, Microsoft Intune, Azure Rights Management Service etc.
Once you enter your credentials and your password click on Sign In.
Depending on how, or if, your organisation synchronises your on-premises Active Directory with Azure Active Directory, you may see this log in screen. This screen is presented in this particular environment because AAD Connect is being used for synchronisation, but Active Directory Federation Services is providing the authentication services.
Once the user is authenticated, device enrolment starts taking place. This is normally a fairly quick process.
Once device enrolment is complete, you are presented with the default Windows 10 screens.
When you get to the login screen, the credentials you used to Azure Active Directory Join the device can now be used to log in.
At this point the usual end user first sign in experience kicks off.
Including the setting up your apps screen, which can vary in length based on the performance of the PC, and what else may have been loaded into the image.
While users don’t have to use a PIN, you can prompt for a PIN, which will become much more important moving forward with the Passport updates that are coming from Microsoft.
Next we are prompted for a multi-factor authentication option.
Clicking Pick a verification method presents a drop down list of the options.
These are text message, phone call and mobile app. Choose the one that makes most sense for you and that will work in most of the environments you will be working from. In my case phone and text aren’t always available, but data always is, so I’ll select Mobile app. Make sure you have installed the Azure Authenticator app on your Windows, iOS or Android device in order to proceed.
We can then scan the QR code from the app or manually enter the code and the provided URL to authenticate on our mobile device.
Once verification is complete, we see that the app is successfully set up, and we can click on next.
Now we are prompted that corporate policies will be enforced on this device, such as ensuring password policies are met, lock screen requirements and allowable sign in methods, for example.
We are now prompted to receive verification via phone or the Azure Authenticator app we have already setup.
We enter the code we receive and click next.
We can now add phone as a secondary authentication method in case we lose our phone with the configured app.
Now it’s time to create the PIN we were advised about earlier, and you have the ability to customise the requirements depending on the need of your organisation.
In this case a 4 (minimum) digit PIN is required, numbers only, which is what most people would be used to at this point.
Once matching PINs are entered, we land on the Windows 10 desktop.
Checking system properties first, note that this machine is not domain joined in the traditional manner, which raises the question of how we check whether it has successfully joined Azure Active Directory.
That’s not a difficult task, we go into Settings.
Then select System, About, and here you can see the organization association with emsadfs, the domain that I logged in from.
Earlier it was mentioned that policies would be enforced on the device, and here I will highlight an Intune policy that has been applied by launching Windows Defender.
You can see that this action has been restricted, and while it doesn’t give the user any details on the exact mechanism being used, you can see that it at least tells them that it is something that has been set up by the system administrator.
In the next post I’ll cover the behind the scenes Azure Active Directory and Intune settings I have enabled to allow the above Azure Active Directory Join scenario to succeed.
We can move on to more of the integration features, where the focus is on reducing some of the requirement to sign in to the web portals for the different online services. One of the important things to mention here is that the Essentials Dashboard is not trying to replace the need to access the different online admin consoles, that would be a monumental task to undertake, and it would need to be updated constantly to take into consideration all of the changes that get rolled into the different Office 365 services. At this stage it doesn’t seem like the UI or functionality for the following capabilities have changed much in this area versus Windows Server 2012 R2 Essentials, but I know a lot of people haven’t seen it in action so I’ll still go through them.
Enabling the integration services populates Storage with SharePoint libraries, and you can see the options available are Add a library, Manage SharePoint Sites and Refresh.
Once we select the Documents library you can see that in the task pane the tasks related to that library now become available as well.
Taking a look at the Document Library properties you can see that the URL is exposed, and the option to enable document versioning. The other option is to require that documents are checked out before they can be edited, which I don’t recommend enabling because this will disable the ability to leverage some of the collaboration capabilities of recent versions of Office.
Clicking on the Access tab shows that permissions are being inherited from the parent site, which we can change if we want to customise these permissions.
Next up we can add a new SharePoint Library from the SharePoint Libraries Tasks pane, rather than opening the SharePoint Online administration site.
We just type in a few details. It’s important to note that we only get a small number of SharePoint options exposed to us versus what we can do with libraries inside of SharePoint Online.
Again we can see the options to set permissions or inherit them from the parent site.
And that’s all that’s required for creating a new SharePoint Library.
If we go back over to the Tasks Pane and choose Manage SharePoint sites we are prompted that we are about to be redirected to a website.
From there we are taken into SharePoint Online, and the next step is to click on Team Site.
The Team Site is sitting there ready for configuration, and you can see there is a shortcut on the left hand side for the OEMLibrary that I just created through the Essentials Dashboard.
Clicking on that shows us that this library, as expected, is empty because we just created it.
You can see that the Essentials Dashboard makes it easy to set up the initial libraries, but you will really need to do the bulk of your SharePoint admin tasks inside of SharePoint Online.
That’s it for this post, stay tuned for Part 5 of this series where I’ll start exploring more of the Azure specific integration features.
An updated version of the Mobile Device Management Design Considerations Guide has been released, and you can grab it here.
The goals of this guide are to help you answer the following questions:
With all of the different design and configuration options for mobile device management (MDM), it’s difficult to determine which combination will best meet the needs of your organization. This design considerations guide will help you to understand mobile device management design requirements and will detail a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs for your organization. Throughout the steps and tasks, this guide will present the relevant technologies and feature options available to organizations to meet functional and service quality (such as availability, scalability, performance, manageability, and security) level requirements.
You can download the high resolution version of the infographic here to get a visual representation of how Microsoft approaches enterprise mobility by managing identity, devices, apps and data. It shows how Azure Multi-Factor Authentication, AAD Application Proxy, AAD Connect, Office 365, RemoteApp, Azure RMS and Intune work together with other Microsoft technologies to deliver the solution.
A few days ago the ECM Docs team at Microsoft released a preview of the Guided Intune Enrollment for Android Company Portal document. It includes screen by screen representations like you can see below to walk users through the process of enrolling devices.
The vast majority of the early posts to this site were done from Zlin, a small city in the south east of the Czech Republic, and famous for being the birthplace of Ivana Trump and Bata shoes. This week fate has me back in the Czech Republic for a 4 day train the trainer event for AAD, Intune and RMS… or Enterprise Mobility Suite as the cool kids call that combination. This preview of the material forms the basis of upcoming training events that I’ll be running in Australia. There are already some welcome improvements versus the previous versions of EMS training; the summary is below…
Pre-Work: This is something we’ve been trying to implement in the previous deliveries with limited success, as most people aren’t used to the idea of doing a bunch of prep work before turning up to the event. I know I’m guilty of not even knowing where events are until the morning of the event when I look in my calendar. Signing up for the Azure trial if needed, setting up AAD Premium and an Office 365 E Trial are all parts of this, but it goes further with the manual creation of cloud and storage accounts, and the pre-creation of virtual machines and the purchase of certificates for use in the ADFS labs.
Hydration Kit now supports Azure VMs: This addresses a big problem for those who didn’t have the right equipment (low specs or non-x64 8GB+ laptops), the right operating systems (Win 8 Pro or higher, Windows Server 2012 or higher), the right hypervisor (Hyper-V). This is a huge improvement, and because this is all PowerShell driven you can customise as much or as little as needed, such as changing the Azure datacenter the VMs are provisioned in, for example.
Content will be split: The AAD Premium content will be 2 days of content, and the Intune and RMS content will be combined into 2 days of content. This really starts to give the topics the time they deserve, especially considering how much of the time had previously been spent on lab setup.
Last but not least, and completely unrelated to the training topics, my Czech speaking skills are still non-existent, apart from key words like pivo, sunka and zrzlina.
In the last post I enabled Azure Active Directory, Office 365 and Intune integration, now it’s time to see how this integrates with the local user administration experience.
To start with, let’s take a look at the Microsoft Cloud Services Integration screen to verify that we have enabled the 3 user related options.
Moving across to the Users tab, we can see that we only have an administrator added, so it’s time to add a user account from User Tasks on the right hand side.
The Add a User Account wizard launches, and I’ll keep this user as a Standard user, not as an administrator.
We get three options on the next screen regarding our choices with Assign a Microsoft Cloud Services account.
We can choose to assign an existing online account to the freshly created account, and as you can see here I have already set up several users online that don’t have a local account association.
You could also choose to not assign a Microsoft Cloud Services account if the user doesn’t need those capabilities.
For this post I’ll stick to the Create a new Microsoft Cloud Services account and assign it to this user account.
We are then presented with the Assign Microsoft Cloud Services licenses selections, where we can either get granular within the suites or leave them as is.
We are then switched back to the on-premises portion of the wizard to select shared folder access.
Next up we can have the option to Enable Anywhere Access for this user account to configure VPN and Remote Web Access choices.
We then briefly see that the online license assignment is taking place.
We are then presented with the summary information for the new user we just added.
Now we have our new user sitting in the Users tab, where we can adjust the user properties.
Instead of changing any user properties, we can verify the Microsoft Cloud licenses that have been assigned.
Here we see that the integration has been successful, and the assigned licenses are showing up as expected.
Other Online Services account tasks we can perform from here include associating online accounts with existing on-premises users.
Or alternatively we could import user accounts from Microsoft Cloud Services into our local Active Directory domain.
That’s it for this post. In the next post I’ll delve into the Office 365 integration functionality that is exposed through the Essentials Dashboard.