Today at Inspire 2017, the Microsoft 365 Business suites were announced. Microsoft 365 Business offers a combination of Windows 10 Pro management enhancements, a subset of Enterprise Mobility + Security (EMS) and an Office 365 Business Premium subscription. Also introduced were the Microsoft 365 Enterprise offerings, also known as Secure Productive Enterprise (SPE); these bundle the E3 and E5 versions of Office 365, EMS and Windows 10 Enterprise. Think of Microsoft 365 Business as the version for smaller, more price-sensitive customers, delivered via an integrated admin console. For this post I'll focus on Microsoft 365 Business as it is the new kid on the block.
As the announcements above are still fresh and it will take a while to address all of the details, I'll be watching this carefully at Inspire this week, paying attention to the questions asked of the presenters, and catching up with some of the members of the Windows 10 team to get further details of what they have done. With what we know already, the easiest and best known component is Office 365 Business Premium. This is available today and, like the other Office 365 Business plans, allows a maximum of 300 licenses to be assigned to users. It's usually priced at around half the price of Office 365 Enterprise E3, so it's a great option for those who don't need some of the more advanced options of the E3 SKU.
What are some of the major differences? Rather than covering all of the differences between Office 365 Business Premium and the E3 SKUs, let's focus on the ones that matter in the BCS versus SPE conversation. One of the big ones is that the version of the desktop Office suite included in Business doesn't provide all of the functionality of Office 365 Pro Plus, which is part of the Office 365 E3 offering. Why is this important? With SPE E5 you get the traditional rights management capabilities of Office 365 alongside the advanced labelling and data classification capabilities of Azure Information Protection. Office 365 Pro Plus includes the RMS capabilities natively, whereas the version included with Office 365 Business and Business Premium doesn't. This is an issue I've had to raise in the past with customers looking to leverage the full functionality of Office 365 Business Premium alongside an EMS subscription.
The enhanced Windows 10 Pro management experience will be delivered by a subset of Intune capabilities, and we've already seen how Intune functionality can be exposed and simplified in different ways, as with Intune for Education. This customised management experience provides simplified management, including a simplified approach to deploying the Office 365 desktop apps. Based on some of the features that have been discussed, it seems that, like Intune for Education, it also includes at least some of the capabilities of Azure Active Directory Premium P1, so for now I'll assume the feature set is similar until I get clarification. Some of the Intune for Education AAD capabilities include MDM auto-enrolment, password write-back, dynamic group membership, Enterprise State Roaming and more than ten SaaS apps per user, so I'm hoping the list is similar for Microsoft 365 Business. While there are elements of this I'm still unsure of, I think we have a good starting point.
Obviously there are plenty of missing details from this post, but I’ll tackle them as I get more answers over the week while in Washington D.C. at Inspire.
Below are some of the resources that have just gone live; I'll be adjusting this post as I review all of the available material:
Understand the value of Microsoft 365 Business to your customers and your practice.
Get your team ready to sell Microsoft 365 Business.
Ensure your IT and adoption experts have what they need to deploy Microsoft 365 Business and onboard customers.
Last week saw public announcements for the Windows Autopilot technologies, as well as some of the additional capabilities coming in the Windows 10 Fall Creators Update, which will be released later this year. Windows Autopilot allows OEMs, distributors and resellers to link a device to an organisation, which means that even before the user signs in for the first time the device can start receiving customisations based on group membership.
At its core, Windows Autopilot allows a brand new PC to be issued to users, who then use their internet connection to sign in with their Azure Active Directory credentials (which can easily be synchronised from their on-premises Active Directory with Azure Active Directory Connect). The device is automatically enrolled in the company's MDM solution, e.g. Microsoft Intune, and then starts receiving applications and policies based on the user and device group memberships.
For more information, check out the following posts and articles:
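Under the hood, linking a device to an organisation means registering its serial number and hardware hash with the tenant before it reaches the user, which is what lets Autopilot recognise and trust the device during the out-of-box experience. The script below is an added example, not something from the original post or from Microsoft: it gathers that data from a running Windows 10 device into the CSV layout the Autopilot device import accepts. The output path is an assumption, and the Windows Product ID column is left empty because the serial and hash are what identify the device.

```powershell
# Added example (not from the original post): collect Windows Autopilot
# registration data for the local device. Must run elevated, because the
# MDM bridge WMI provider is only reachable from an administrative session.
#Requires -RunAsAdministrator
param(
    # Assumed output location; adjust as needed.
    [string]$OutputFile = (Join-Path $env:TEMP 'AutopilotDevice.csv')
)

# Serial number as reported by the firmware.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the MDM bridge provider (root/cimv2/mdm/dmmap).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                             -ClassName 'MDM_DevDetail_Ext01' `
                             -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

# Refuse to emit a record the import would reject anyway.
if ([string]::IsNullOrWhiteSpace($serial)) {
    throw 'No serial number returned by Win32_BIOS.'
}
if ([string]::IsNullOrWhiteSpace($hash)) {
    throw 'No hardware hash returned; is this an elevated session on Windows 10 1703 or later?'
}

# Column headers match the Autopilot device import CSV; Product ID is optional.
[pscustomobject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
} | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding ASCII

Write-Host ("Wrote {0}: serial {1}, hash length {2}" -f $OutputFile, $serial, $hash.Length)
```

Treat the resulting file as sensitive: the hash is the device identity your tenant will trust, so it should travel from the reseller or OEM to whoever registers it over a channel you control, not by casual email.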
I'm in the final stages of content preparation for the upcoming Microsoft Australia Education Partner national roadshow, and one of the key technologies I'll be covering is Intune for Education. I covered this briefly back when it was first announced, but now that it's live it's time to highlight some of the resources that are available.
After the events kick off I'll record a few of the demonstrations and post them so that you can see what we are showing around the country.
One of the Intune tenants I manage received the following via email today, a huge step towards encouraging people to start using the new Intune on Azure experience. Of course the first thing I checked was whether the blades still said "Preview", because I didn't read the full text of the message, so I had to go back and check it again, where it explains "We will remove the "Preview" tag once we meet our engineering bar for the new Intune experience" – yes, it does pay to read the full text instead of just skimming over it… but on a positive note… good night Silverlight, don't let the bed bugs bite.
Earlier today I posted about the new features for Intune in the Azure Portal; below are the general updates for the month. There are updates across MyApps, the Managed Browser, the Company Portal and Windows 10 bulk enrollment, amongst others.
Microsoft MyApps now has better support within the Managed Browser. Managed Browser users who are not targeted for management will be brought directly to the MyApps service, where they can access their admin-provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps from the built-in Managed Browser bookmark.
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security (EM+S). You can see the new icon for the Managed Browser on the what's new in Intune app UI page.
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to late May.
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or resumes the app. The indicator progresses through new statuses, beginning with "Connecting…", then "Signing in…", then "Checking for security requirements…" before allowing the user to access the app. You can see the new screens for the Company Portal app for Android on the what's new in Intune app UI page.
You can now create an app-based conditional access policy to block apps that don't have app protection policies applied from accessing SharePoint Online. In the app-based conditional access scenario, you specify in the Azure portal which apps are allowed to access SharePoint Online.
You can now join large numbers of devices that run the Windows 10 Creators Update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to the corporate-owned devices you'd like to bulk enroll and manage. Once the package is applied, the devices Azure AD join, enroll in Intune, and are ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.
A new video has been added to the Microsoft Mechanics channel on YouTube, Updates to Microsoft Intune on Microsoft Azure. It includes demonstrations of role-based access control, tighter integration with Azure Active Directory groups, reporting and automation capabilities leveraging the Microsoft Graph API, and more.
Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day to day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people are seeing more functionality light up, as well as new functionality that is being rolled in. Some of the more exciting ones for me are the Windows 10 ones that are opening up scenarios that target education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are, it’s just that for the next few months that’s the segment I’ll be heavily focused on.
Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.
Android apps in the Play store that support managed configuration options can now be configured by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to configure those values.
Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.
You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or consecutive numbers, like 1111 or 1234.
A new Android for Work device restriction policy now lets you manage password and work profile settings on the Android for Work devices you manage.
The Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.
A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.
You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app's actions are complete, or you remove this policy, the device returns to its normal state.
You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an App Store account (Apple ID) to install the app.
Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it's in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.
We've added support for additional Windows device restriction settings, including additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight, search, wallpaper and proxy settings.
We've added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.
A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure whether user data is retained when this device action is issued.
You can now join large numbers of devices that run the Windows 10 Creators Update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to the corporate-owned devices you'd like to bulk enroll and manage. Once the package is applied, the devices Azure AD join, enroll in Intune, and are ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.
Two new app settings are now available to help you with mobile application management (MAM) scenarios:
List of supported storage location services:
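The bulk enrollment item above (and the identical item in the earlier post) describes building a package in Windows Configuration Designer and applying it to devices. The script below is an added example, not text or tooling from the original post: it applies such a package from PowerShell with the built-in Provisioning module and then checks for the end state the item promises, an Azure AD joined device with an Intune enrollment. The package path is an assumption. One caveat worth keeping in mind: the package carries the bulk enrollment token WCD obtained from Azure AD, so anyone who can run it can join devices to your tenant until that token expires; store and ship the .ppkg accordingly.

```powershell
# Added example (not from the original post): apply a WCD provisioning package
# that bulk-joins a device to Azure AD and enrolls it in Intune, then verify.
#Requires -RunAsAdministrator
$PackagePath = 'D:\Provisioning\BulkEnroll.ppkg'   # assumed path

if (-not (Test-Path -Path $PackagePath -PathType Leaf)) {
    throw "Provisioning package not found: $PackagePath"
}

# Install silently; -ForceInstall re-applies even if this package id was seen before.
# Keep the logs somewhere findable for devices that stall mid-enrolment.
$logDir = Join-Path $env:ProgramData 'ProvisioningLogs'
Install-ProvisioningPackage -PackagePath $PackagePath -ForceInstall -QuietInstall -LogsDirectoryPath $logDir

# Was the package recorded as installed?
Get-ProvisioningPackage -AllInstalledPackages | Format-List

# Azure AD join state as reported by dsregcmd.
$dsreg     = dsregcmd /status
$aadJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# An MDM enrollment leaves a record under HKLM\SOFTWARE\Microsoft\Enrollments;
# Intune's provider id is "MS DM Server".
$enrolled = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

if (-not $aadJoined) { Write-Warning 'Device is not Azure AD joined yet; a reboot may be required.' }
if (-not $enrolled)  { Write-Warning 'No Intune (MS DM Server) enrollment recorded yet.' }
if ($aadJoined -and $enrolled) {
    Write-Host 'Azure AD joined and MDM enrolled; ready for standard users to sign in.'
}
```

Both checks are best effort at this point: the join and the enrollment can complete after the reboot the package triggers, so run the verification half again after the device comes back up.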
A few weeks ago I made several posts about Azure Active Directory Preview in the Azure Portal, and this week it’s time to start looking at some of the Intune preview capabilities in the Azure Portal. Today I’ll start with Windows Information Protection, which has moved into the Intune Mobile Application Management blade.
Previously the Platform choices (highlighted above) showed only iOS and Android, but now Windows 10 makes a long overdue appearance. Once I fill out the Name and Description I choose Add apps.
Add apps provides the option of adding Recommended apps, which you can see is a collection of Microsoft desktop and Store apps.
Once the Recommended apps have been added (you don't need to select them, or select them all), you can customise the app list further by clicking Add apps.
Now we can add Store apps.
And Desktop apps.
We can also import apps via AppLocker XML files.
We can also add exempt apps. Exempt apps can access enterprise data without being subject to the policy, so keep this list as short as you can.
Required settings provides the protection mode options (Block, Allow Overrides, Silent, Off) that should look familiar if you have configured WIP from the Silverlight-based classic Intune portal.
The first page of Configure advanced settings gives the ability to start identifying the trusted network boundaries, and how data protection should be enforced.
You add a Name and Value for each identified boundary (cloud resources, network domains, proxy servers, IP ranges and so on).
Enabling Windows Hello for Business as a sign-in method is also configured here.
Finally we need to deploy this, so we choose Add user group and then target the users we want the policy to apply to.
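The Import apps step above expects AppLocker policy XML describing the desktop apps. Rather than hand-writing it, you can generate it with the AppLocker cmdlets, as in this added example (not from the original post; the executable paths are hypothetical). Publisher rules are preferable to hash rules because they survive application updates; the script falls back to a hash rule for unsigned binaries and warns about them, since a hash rule silently stops matching after the next update and that app then loses access to protected data.

```powershell
# Added example (not from the original post): build an AppLocker policy XML
# describing desktop apps for import into an Intune WIP policy.
# The paths below are hypothetical; point them at the real binaries.
$executables = @(
    'C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe',
    'C:\Program Files\ExampleVendor\ExampleApp\Helper.exe'
)
$outputXml = Join-Path $env:TEMP 'WIP-DesktopApps.xml'   # assumed output path

$missing = $executables | Where-Object { -not (Test-Path -Path $_ -PathType Leaf) }
if ($missing) { throw "Not found: $($missing -join ', ')" }

# Gather publisher (signature) and hash information for each file.
$fileInfo = Get-AppLockerFileInformation -Path $executables

# Unsigned binaries can only get hash rules, which break on the next update.
$unsigned = $fileInfo | Where-Object { -not $_.Publisher }
foreach ($f in $unsigned) {
    Write-Warning "Unsigned, falling back to a hash rule: $($f.Path)"
}

# Publisher first, hash only where no publisher is available. Everyone is used
# because WIP consumes the rule set as an app list, not as a per-user policy.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
    Out-File -FilePath $outputXml -Encoding utf8

# Sanity check before importing: there should be an Exe rule collection
# holding one rule per binary.
[xml]$policy = Get-Content -Path $outputXml -Raw
$exeRules = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { @($_.FilePublisherRule) + @($_.FileHashRule) } |
    Where-Object { $_ }
Write-Host ("Wrote {0} with {1} Exe rule(s)" -f $outputXml, @($exeRules).Count)
```

Review the generated publisher rules before importing: a rule generated from a file signed by a large vendor covers every product and version from that publisher unless you narrow the product or binary name in the XML, which is broader than you may intend for a data protection boundary.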
Following on from the last two posts, this time the focus is on Azure Active Directory Self Service Group Management capabilities.
Figure 1: The first step is enabling the Self Service Group Management settings in the Azure Portal, under Directory, Users and groups – Group settings, General settings.
Figure 2: Signed in as Admin, I choose the option to Create group.
Figure 3: Choose the appropriate details; in this case I have selected the Group policy "The group requires owner approval" and a Group type of Security.
Figure 4: The Marketing group now appears underneath Groups I own
Figure 5: Signed in as the user Cloud, they are only a member of four groups. Here I select Join group.
Figure 6: After finding the Marketing group, I can choose to Join Group
Figure 7. I need to provide a Business justification
Figure 8: I receive notice that the request has been sent.
Figure 9: Admin receives notification via email and via the notification icon that there is something that needs their attention.
Figure 10: The notification advises that the request needs to be approved.
Figure 11: Confirming that I want to Approve the request.
Figure 12: Switching back to the user Cloud, we can see that the Marketing group is now listed.
Figure 13: We can now see the details of the Marketing group
Figure 14: Going back to Apps for the user Cloud, we can see the SaaS apps they have access to. We want to make members of the Marketing group able to use an additional Twitter account we have just added.
Figure 15: Back in the portal I can select the ausmarkos Twitter app
Figure 16: I assign the Marketing group to the ausmarkos Twitter app
Figure 17: Back in the myapps portal as the user Cloud, I can see that ausmarkos Twitter has been added to the top of the Apps list.
Following on from yesterday's post, I'll continue with the app publishing story, but this time via the Azure Active Directory Application Proxy. The app proxy allows you to publish on-prem web apps while leveraging the identity security benefits that Azure Active Directory provides; the connector on your server makes only outbound connections, so no inbound firewall ports need to be opened.
Figure 1: The initial steps for setting up the AAD App Proxy include choosing Enterprise Applications within Azure Active Directory, and then clicking Application Proxy
Figure 2: Next we need to choose Download Connector
Figure 3: From the server where we want to run the connector we run setup.
Figure 4: The only configuration we need to perform on the server is signing in with our Azure AD Global Admin account, which is used to register the connector with the tenant.
Figure 5: Switching back to the Azure Portal, choose Add an application, and then populate the Add your own on-premises application
Figure 6: Once the new app has been added, we can make some customisations, including enabling the app and choosing a logo, amongst others.
Figure 7: Next we should add a test user or group, and we do this via Add Assignment, Users and Groups, and Invite.
Figure 8: Signing in to myapps.microsoft.com we can see that internalapp is now published to Admin
Figure 9: Clicking on internalapp opens a new tab, where you can see the msappproxy.net URL and the successfully loaded web page from the internal server we published.
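A few practical checks for the connector host, as an added example that is not part of the original walkthrough. The connector only ever connects outbound, so there is nothing to open inbound; what you want to confirm is that the two connector services are running, that outbound HTTPS to the Azure AD sign-in endpoints works (the *.msappproxy.net and *.servicebus.windows.net names the connector also uses are wildcards, so the host list below is an assumption to extend with the concrete names your tenant uses), and that the connector's Admin event log is clean. The Global Admin sign-in in Figure 4 is used once to register the connector; the connector authenticates with a certificate after that, so don't leave a privileged session logged on to the server.

```powershell
# Added example (not from the original post): post-install checks on an
# Azure AD Application Proxy connector server.
$services  = @('WAPCSvc', 'WAPCUpdaterSvc')   # connector service and its updater
$endpoints = @('login.microsoftonline.com', 'login.windows.net')   # assumed; extend per tenant
$logName   = 'Microsoft-AadApplicationProxy-Connector/Admin'        # connector Admin log (assumed name)

$problems = @()

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $problems += "Service $name is not installed"
    } elseif ($svc.Status -ne 'Running') {
        $problems += "Service $name is $($svc.Status)"
    }
}

foreach ($endpoint in $endpoints) {
    $r = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $problems += "Outbound TCP 443 to $endpoint failed" }
}

# Errors the connector itself logged in the last 24 hours.
$recentErrors = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2                        # Error
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($recentErrors) { $problems += "$(@($recentErrors).Count) connector error(s) in the last 24h" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Connector services running, outbound HTTPS reachable, no recent connector errors.'
```

Run it after the connector install and again after any firewall or proxy change on that host; a connector that loses outbound connectivity shows up in the portal as inactive, and the published app stops answering for users without anything changing on the app server itself.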