10 Jul.

Microsoft 365 Suites Announced Today

Today at Inspire 2017 the Microsoft 365 suites were announced. Microsoft 365 Business combines Windows 10 Pro management enhancements, a subset of Enterprise Mobility + Security (EMS) and an Office 365 Business Premium subscription. Also introduced were the Microsoft 365 Enterprise offerings, also known as Secure Productive Enterprise (SPE), which bundle the E3 and E5 versions of Office 365, EMS and Windows 10 Enterprise. Think of Microsoft 365 Business as a version of this for smaller, more price-sensitive customers, delivered via an integrated admin console. For this post I’ll focus on Microsoft 365 Business as it is the new kid on the block.

As the announcements above are still fresh and it will take a while to address all of the details, I’ll be watching this carefully at Inspire this week, paying attention to the questions asked of the presenters, and catching up with some of the members of the Windows 10 team to get further details of what they have done. With what we know already, the easiest and best-known component is Office 365 Business Premium. This is available today and, like the other Office 365 Business plans, allows a maximum of 300 licenses to be assigned to users. It’s usually priced somewhere around half the price of Office 365 Enterprise E3, so it’s a great option for those who don’t need some of the more advanced options of the E3 SKU.

What are some of the major differences? Rather than covering all of the differences between the Office 365 Business Premium and E3 SKUs, let’s focus on the ones that matter in the BCS versus SPE conversation. One of the big ones is that the desktop Office suite included in Business doesn’t provide all of the functionality of Office 365 ProPlus, which is part of the Office 365 E3 offering. Why is this important? With SPE E5 you get the traditional rights management capabilities of Office 365 alongside the advanced labelling and data classification capabilities of Azure Information Protection. Office 365 ProPlus includes the RMS capabilities natively, whereas the version included with Office 365 Business and Business Premium doesn’t. This is an issue I’ve had to raise in the past with customers looking to use the full functionality of Office 365 Business Premium alongside an EMS subscription.

The enhanced Windows 10 Pro management experience will be delivered by a subset of Intune capabilities, and we’ve already seen how Intune functionality can be exposed and simplified in different ways like they have done with Intune for Education. This customised management experience provides simplified management, including a simplified approach to deploying the Office 365 desktop apps. Based on some of the features that have been discussed, it seems that like Intune for Education it also includes at least some of the capabilities of Azure Active Directory Premium P1, so for now I’ll assume the feature set is similar until I get clarification. Some of the Intune for Education AAD capabilities include MDM auto-enrol, password write-back, dynamic group membership, Enterprise State Roaming and more than ten SaaS apps per user, so I’m hoping the list is similar for Microsoft 365 Business. So while some elements of this I’m still unsure of, I think we have a good starting point.

Obviously there are plenty of missing details from this post, but I’ll tackle them as I get more answers over the week while in Washington D.C. at Inspire.


Below are some of the resources that have just gone live; I’ll be adjusting this post as I review all of the available material:

Partner resources

Understand the value of Microsoft 365 Business to your customers and your practice.

Sales readiness

Get your team ready to sell Microsoft 365 Business.

Technical readiness

Ensure your IT and adoption experts have what they need to deploy Microsoft 365 Business and onboard customers.

1 Jul.

Windows Autopilot Resources

Last week saw public announcements for the Windows Autopilot technologies, as well as some of the additional capabilities coming up in the Windows 10 Fall Creators Update which will be released later this year. Windows Autopilot allows OEMs, distributors and resellers to link a device to an organisation, which means that even before the user signs in for the first time the device can start receiving customisations based on group membership.

At its core, Windows Autopilot allows a brand new PC to be issued to users, who can then use their internet connection to sign in with their Azure Active Directory credentials, which can easily be synchronised with their on-premises Active Directory using Azure Active Directory Connect. The device is automatically enrolled in the company’s MDM solution (e.g. Microsoft Intune), and then starts receiving applications and policies based on the user and device group memberships.


For more information check out the following posts and articles:

Modernizing Windows deployment with Windows AutoPilot

Overview of Windows AutoPilot

Delivering the Modern IT promise with Windows 10

5 May.

Intune for Education Resources

I’m in the final stages of content preparation for the upcoming Microsoft Australia Education Partner national roadshow, and one of the key technologies I’ll be covering is Intune for Education. I covered this briefly back when it was first announced, but now it’s live and it’s time to highlight some of the resources that are available now.


Get Started Guide

What is Intune for Education?

What is Express Configuration?

After the events kick off I’ll record a few of the demonstrations and post them so that you can see what we are showing around the country.

22 Apr.

Communication from the Microsoft Intune Team – Welcome to the new Intune on Azure Experience

One of the Intune tenants I managed received the following via email today, a huge step to encourage people to start using the new Intune on Azure experience. Of course the first thing I checked was whether the blades still said “Preview”, because I didn’t read the full text of the message, so I had to go back and check it again, where it explains “We will remove the “Preview” tag once we meet our engineering bar for the new Intune experience” – yes, it does pay to read the full text instead of just skimming over it… but on a positive note… good night Silverlight, don’t let the bed bugs bite.



Microsoft Intune
Welcome to the new Intune on Azure admin experience! Now that your groups and users are migrated to Azure AD grouping and targeting, you can use the new Intune admin experience at portal.azure.com. Log in with your Intune admin credentials on any supported modern browser for the Azure console, add Intune as a favorite in the Azure service menu, and enjoy streamlined management of core Enterprise Mobility + Security (EMS) workflows across Azure AD and Intune.

Getting Started

The new portal is a big, but welcome change for many of you accustomed to the classic Intune Silverlight-based experience. Watch a new Microsoft Mechanics video that highlights the new Intune on Azure admin experience. Below, you’ll find links to new documentation to help you get acquainted with the new look and feel.

Updates to Microsoft Intune on Microsoft Azure
Where did my Intune feature go in Azure? The service is rebuilt from the ground up and integrated with Azure AD. The doc here has many useful tips on where to find your favorite feature.
What is the Azure portal preview? Read more here.
Download the Intune on Azure infographic posted here and share with your team.
What’s New?

While migrations are underway for all Intune customers, you’re welcome to use both the Intune on Azure and the classic Intune experience. New features/functionality will be added to the Intune on Azure experience. We will remove the “Preview” tag once we meet our engineering bar for the new Intune experience, but rest assured the new console is already fully supported by our support team. You can always find information on new features at our What’s New in Intune on Azure page. If you don’t see a feature you want, let us know (or vote up) the item in the Intune User Voice.

And our Favorite…

Finally, we’re very excited for the addition of Microsoft Graph API and have been building out documentation and references for your use. Graph API provides a unified endpoint (REST API) across EMS, Office 365 and Azure. With Graph API, you will be able to automate common tasks from a command line and make it easier to integrate Intune with your existing systems and workflows. Graph API functionality will give you more flexibility than ever before to manage and secure your enterprise. Please read more about Graph API and Intune

Thank you for being an Intune customer, and we hope that you will enjoy the new Intune on Azure experience!

The Intune team

Microsoft Corporation | One Microsoft Way Redmond, WA 98052-6399

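To show what the “automate common tasks from a command line” line in the email looks like in practice, here is an added PowerShell example of my own (not the Intune team’s or Microsoft’s code) that pulls the managed device list from the Graph API and flags devices that are non-compliant or haven’t checked in recently. It assumes you already hold a Graph access token in $AccessToken with the DeviceManagementManagedDevices.Read.All permission; the 30-day staleness threshold is my own choice.

```powershell
# Added example: report Intune managed devices that are not compliant or have gone
# quiet, via the Microsoft Graph REST API. Assumes $AccessToken already holds a
# bearer token for https://graph.microsoft.com (acquiring it is out of scope here).

function Get-IntuneDeviceRisk {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [int] $StaleDays = 30    # assumption: devices silent this long deserve a look
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }

    # $select keeps the payload small; single quotes stop PowerShell expanding "$select".
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime'

    # Graph returns results in pages; follow @odata.nextLink until it is absent.
    $devices = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $devices += $page.value
        $uri = $page.'@odata.nextLink'
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($d in $devices) {
        $lastSync = [datetime]$d.lastSyncDateTime
        $findings = @()

        # Anything other than "compliant" (noncompliant, inGracePeriod, unknown, ...)
        # should be reviewed before it is trusted by conditional access.
        if ($d.complianceState -ne 'compliant') {
            $findings += "complianceState=$($d.complianceState)"
        }
        # A device that stopped syncing may be lost, wiped or simply offline, but its
        # last reported compliance result is no longer current either way.
        if ($lastSync -lt $cutoff) {
            $findings += "no sync since $($lastSync.ToString('yyyy-MM-dd'))"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                DeviceName = $d.deviceName
                OS         = $d.operatingSystem
                Findings   = ($findings -join '; ')
            }
        }
    }
}

# Usage:
# Get-IntuneDeviceRisk -AccessToken $AccessToken | Sort-Object DeviceName | Format-Table -AutoSize
```

The function returns objects rather than printing, so the same output can be piped to Export-Csv for a weekly review or compared against a previous run to spot devices that have newly dropped out of compliance.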

20 Apr.

Intune April 2017 Updates

Earlier today I posted about the new features for Intune in the Azure Portal, and below are the general updates for the month. There are updates across MyApps, Managed Browser, Company Portal and Windows 10 Bulk Enrollment amongst others.


New capabilities

MyApps available for Managed Browser

Microsoft MyApps now has better support within the Managed Browser. Managed Browser users who are not targeted for management will be brought directly to the MyApps service, where they can access their admin-provisioned SaaS apps. Users who are targeted for Intune management will continue to be able to access MyApps from the built-in Managed Browser bookmark.

New icons for the Managed Browser and the Company Portal

The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security (EM+S). You can see the new icon for the Managed Browser on the what’s new in Intune app UI page.

The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to late May.

Progress indicator in the Android Company Portal

An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or resumes the app. The indicator progresses through new statuses, beginning with “Connecting…”, then “Signing in…”, then “Checking for security requirements…” before allowing the user to access the app. You can see the new screens for the Company Portal app for Android on the what’s new in Intune app UI page.

Block apps from accessing SharePoint Online

You can now create an app-based conditional access policy to block apps that don’t have app protection policies applied to them from accessing SharePoint Online. In the app-based conditional access scenario, you specify the apps that you want to have access to SharePoint Online using the Azure portal.

Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.

20 Apr.

Updates to Microsoft Intune on Microsoft Azure – New Microsoft Mechanics Video

A new video has been added to the Microsoft Mechanics channel on YouTube for Updates to Microsoft Intune on Microsoft Azure. It includes demonstrations of Role Based Access Control, tighter integration with Azure Active Directory groups, reporting and automation capabilities leveraging the Microsoft Graph API, and more.

20 Apr.

What’s New In The Microsoft Intune Preview In Azure Portal For April 2017

Over the last few weeks I’ve been talking to quite a few people who have started using the Intune preview in the Azure Portal for more of their day-to-day management tasks, and it’s always interesting to hear the things that most people are excited about. For a while the typical response was “No more Silverlight”, but over time this has changed as people see more functionality light up, as well as new functionality being rolled in. Some of the more exciting ones for me are the Windows 10 updates that are opening up scenarios targeting education, which is obviously setting the stage for Intune for Education when that becomes available. That’s not to say the Android and iOS updates aren’t welcome, because they certainly are; it’s just that for the next few months education is the segment I’ll be heavily focused on.

Below is the full list of updates from docs, and as you can see it’s a pretty big list this month, with plenty of links for further information.

April 2017

Support for managed configuration options for Android apps

Android apps in the Play store that support managed configuration options can now be configured by Intune. This feature lets IT view the list of configuration values supported by an app, and provides a guided, first-class UI to allow them to configure those values.

Remote assistance for Android devices

Intune now uses the TeamViewer software, purchased separately, to enable you to give remote assistance to your users who are running Android devices. For more information see Remote control Android devices using TeamViewer.

New Android policy for complex PINs

You can now set a required password type of Numeric complex in an Android device profile for devices that run Android 5.0 and above. Use this setting to prevent device users from creating a PIN that contains repeating or consecutive numbers, like 1111 or 1234.

Additional support for Android for Work devices

    • Manage password and work profile settings – This new Android for Work device restriction policy now lets you manage password and work profile settings on Android for Work devices you manage.
    • Allow data sharing between work and personal profiles – This Android for Work device restriction profile now has new options to help you configure data sharing between work and personal profiles.
    • Restrict copy and paste between work and personal profiles – A new custom device profile for Android for Work devices now lets you restrict whether copy and paste actions between work and personal apps are allowed.

For more information, see Device restrictions for Android for Work.

Assign LOB apps to iOS and Android devices

You can now assign line of business (LOB) apps for iOS (.ipa files) and Android (.apk files) to users or devices.

New device policies for iOS

    • Apps on Home screen – Controls which apps users see on the Home screen of their iOS device. This policy changes the layout of the Home screen, but does not deploy any apps you specified that are not installed.
    • Connections to AirPrint devices – Controls which AirPrint devices (network printers) end users of iOS devices can connect to.
    • Connections to AirPlay devices – Controls which AirPlay devices (like Apple TV) end users of iOS devices can connect to.
    • Custom lock screen message – Configures a custom message that users will see on the lock screen of their iOS device, replacing the default lock screen message. For more information, see Available device actions.


Restrict push notifications for iOS apps

In an Intune device restriction profile, you can now configure the following notification settings for iOS devices:

    • Fully turn on or off notification for a specified app.
    • Turn on or off, the notification in the notification center for a specified app.
    • Specify the alert type, either None, Banner, or Modal Alert.
    • Specify whether badges are allowed for this app.
    • Specify whether notification sounds are allowed.


Configure iOS apps to run in single app mode autonomously

You can now use an Intune device profile to configure iOS devices to run specified apps in autonomous single app mode. When this mode is configured, and the app is run, the device is locked so that it can only run that app. An example of this is when you configure an app that lets users take a test on the device. When the app’s actions are complete, or you remove this policy, the device returns to its normal state.

Configure trusted domains for email and web browsing on iOS devices

From an iOS device restriction profile, you can now configure the following domain settings:

    • Unmarked email domains – Emails that the user sends or receives which don’t match the domains you specify here will be marked as untrusted.
    • Managed web domains – Documents downloaded from the URLs you specify here will be considered managed (Safari only).
    • Safari password auto-fill domains – Users can save passwords in Safari only from URLs matching the patterns you specify here. To use this setting, the device must be in supervised mode and not configured for multiple users. (iOS 9.3+)


VPP apps available in iOS Company Portal

You can now assign iOS volume-purchased (VPP) apps as Available installs to end users. End users will need an Apple Store account to install the app.

Synchronize eBooks from Apple VPP Store

You can now synchronize books you purchased from the Apple volume-purchase program store with Intune, and assign these to users.

Multi-user management for Samsung KNOX Standard devices

Devices that run Samsung KNOX Standard are now supported for multi-user management by Intune. This means that end users can sign in and out of the device with their Azure Active Directory credentials, and the device is centrally managed whether it’s in use or not. When end users sign in, they have access to apps and additionally get any policies applied to them. When users sign out, all app data is cleared.

Additional Windows device restriction settings

We’ve added support for additional Windows device restriction settings like additional Edge browser support, device lock screen customization, start menu customizations, Windows Spotlight search set wallpaper, and proxy settings.

Multi-user support for Windows 10 Creators Update

We’ve added support for multi-user management for devices that run the Windows 10 Creators Update and are Azure Active Directory domain-joined. This means that when different standard users log onto the device with their Azure AD credentials, they will receive any apps and policies that were assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

Fresh Start for Windows 10 PCs

A new Fresh Start device action for Windows 10 PCs is now available. When you issue this action, any apps that were installed on the PC are removed, and the PC is automatically updated to the latest version of Windows. This can be used to help remove pre-installed OEM apps that are often delivered with a new PC. You can configure whether user data is retained when this device action is issued.

Additional Windows 10 upgrade paths

You can now create an edition upgrade policy to upgrade devices to the following additional Windows 10 editions:

    • Windows 10 Professional
    • Windows 10 Professional N
    • Windows 10 Professional Education
    • Windows 10 Professional Education N


Bulk Enroll Windows 10 devices

You can now join large numbers of devices that run the Windows 10 Creators update to Azure Active Directory and Intune with Windows Configuration Designer (WCD). To enable bulk MDM enrollment for your Azure AD tenant, create a provisioning package that joins devices to your Azure AD tenant using Windows Configuration Designer, and apply the package to corporate-owned devices you’d like to bulk enroll and manage. Once the package is applied to your devices, they will Azure AD join, enroll in Intune, and be ready for your Azure AD users to log on. Azure AD users are standard users on these devices and receive assigned policies and required apps. Self-service and Company Portal scenarios are not supported at this time.
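Both the April updates post above and this entry describe bulk enrollment via a Windows Configuration Designer provisioning package, but neither gives a way to confirm on the device that the join and enrollment actually happened. Here is an added PowerShell example of my own (not from the docs or Microsoft) that parses the output of the built-in dsregcmd /status command to check the Azure AD join and MDM enrollment state on a freshly provisioned PC.

```powershell
# Added example: confirm that a PC provisioned with a WCD package ended up Azure AD
# joined and MDM enrolled, by parsing "dsregcmd /status". Run it in an elevated
# PowerShell session on the device itself.

function Test-BulkEnrollmentState {
    $status = @{}

    # dsregcmd prints "Key : Value" lines in several sections. Values such as the MDM
    # URL contain colons, so only the first colon separates the key from the value.
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }

    $result = [pscustomobject]@{
        AzureAdJoined = ($status['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($status['DomainJoined'] -eq 'YES')
        TenantName    = $status['TenantName']
        MdmUrl        = $status['MdmUrl']
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($status['MdmUrl'])
    }

    # Joined but not enrolled is the usual failure mode: the package joined the tenant,
    # but MDM auto-enrollment (an Azure AD Premium feature) was not configured or the
    # user scope does not include the enrolling account.
    if ($result.AzureAdJoined -and -not $result.MdmEnrolled) {
        Write-Warning 'Azure AD joined but no MDM URL reported: check the MDM user scope and auto-enrollment settings in Azure AD.'
    }
    if (-not $result.AzureAdJoined) {
        Write-Warning 'Device is not Azure AD joined: the provisioning package was not applied or its bulk token has expired.'
    }

    $result
}

Test-BulkEnrollmentState | Format-List
```

Running this as part of the hand-over check for each batch of devices catches the case where a package was applied successfully (so the technician sees no error) but the device never enrolled, which otherwise only shows up later as a device missing from Intune.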

New MAM settings for PIN and managed storage locations

Two new app settings are now available to help you with mobile application management (MAM) scenarios:

    • Disable app PIN when device PIN is managed – Detects if a device PIN is present on the enrolled device, and if so, bypasses the app PIN triggered by the app protection policies. This setting will allow for a reduction in the number of times a PIN prompt is displayed to users opening a MAM-enabled application on an enrolled device. This feature is available for both Android and iOS.
    • Select which storage services corporate data can be saved to – Allows you to specify the storage locations in which corporate data may be saved. Users can save to the selected storage location services; all other storage location services not listed will be blocked.

    List of supported storage location services:

    • OneDrive
    • Business SharePoint Online
    • Local storage

18 Apr.

Configuring Windows Information Protection In The Azure Portal Preview

A few weeks ago I made several posts about Azure Active Directory Preview in the Azure Portal, and this week it’s time to start looking at some of the Intune preview capabilities in the Azure Portal. Today I’ll start with Windows Information Protection, which has moved into the Intune Mobile Application Management blade.

Previously this is where the Platform choices (highlighted above) only showed iOS and Android, but now we have Windows 10 making a long overdue appearance. Once I fill out the Name and Description I choose to Add apps.

Add Apps provides the option of adding Recommended Apps as one of the options, which you can see is a collection of Microsoft Desktop and Store apps.

Once the Recommended Apps have been added (you don’t need to select them, or select them all), you can then choose to customise the app list further by clicking Add apps.

Now we can add Store apps.

And Desktop apps.

We can also choose to Import apps via AppLocker XML files.

We can also Add apps that are exempt.

Required settings provides that should look familiar if you have configured WIP from the Silverlight-based classic Intune portal.

The first page of Configure advanced settings gives the ability to start identifying the trusted network boundaries, and how Data protection should be enforced.

You can add the Name and Value of several identified boundaries.

Enabling Windows Hello for Business as a sign in method is also configured here.

Finally we need to deploy this, so we need to choose Add user group and then we can target the users we want the policy to apply to.
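For the Import apps via AppLocker XML step above, here is an added PowerShell example of my own (not from the post or Microsoft) that generates a publisher-rule AppLocker XML file for an installed desktop app using the built-in AppLocker cmdlets, ready to import into the WIP policy. The ContosoApp directory and the output path are placeholders.

```powershell
# Added example: build an AppLocker XML file for the WIP "Import apps" step from the
# signed binaries of an installed desktop application. Paths are placeholders.

function New-WipAppLockerXml {
    param(
        [Parameter(Mandatory)] [string] $AppDirectory,   # e.g. 'C:\Program Files\ContosoApp'
        [Parameter(Mandatory)] [string] $OutputPath      # e.g. "$env:TEMP\contoso-wip.xml"
    )

    # Gather publisher (Authenticode signature) details for every exe and dll under the folder.
    $fileInfo = Get-AppLockerFileInformation -Directory $AppDirectory -Recurse -FileType Exe, Dll

    # Publisher rules survive app updates because they key on the signing certificate
    # rather than on a file hash. Unsigned binaries get no rule from this call; add
    # "Hash" to -RuleType if you need to cover them, and review the XML before importing.
    $xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml
    Set-Content -Path $OutputPath -Value $xml -Encoding UTF8

    # Return the distinct publishers captured so you can sanity-check what WIP will
    # treat as enterprise apps before the policy is assigned to a user group.
    $fileInfo |
        Where-Object { $_.Publisher } |
        Select-Object @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } },
                      @{ n = 'Product';   e = { $_.Publisher.ProductName } } -Unique
}

# Usage (placeholder paths):
# New-WipAppLockerXml -AppDirectory 'C:\Program Files\ContosoApp' -OutputPath "$env:TEMP\contoso-wip.xml"
```

The returned publisher list is worth keeping with the policy: an overly broad publisher rule (for example one that matches every product from a large vendor) lets far more than the intended app handle corporate data, so check that the ProductName column only contains the application you meant to enlighten.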

29 Mar.

AAD Self Service Group Management In the Azure Portal

Following on from the last two posts, this time the focus is on Azure Active Directory Self Service Group Management capabilities.

Figure 1: The first step is enabling the Self Service Group Management settings in the Azure Portal, under Directory, Users and Groups – Group settings, General settings.

Figure 2: Signed in as Admin, I choose the option to Create Group.

Figure 3: Choose the appropriate details; in this case I have selected the Group policy of The group requires owner approval and Group type of Security.

Figure 4: The Marketing group now appears underneath Groups I own

Figure 5: Signed in as the user Cloud, they are only a member of four groups. Here I select Join group.

Figure 6: After finding the Marketing group, I can choose to Join Group

Figure 7: I need to provide a Business justification.

Figure 8: I receive notice that the request has been sent.

Figure 9: Admin receives notification via email and via the notification icon that there is something that needs their attention.

Figure 10: The notification advises that the request needs to be approved.

Figure 11: Just confirming that I want to Approve the request

Figure 12: Switching back to the user Cloud, we can see that the Marketing group is now listed.

Figure 13: We can now see the details of the Marketing group

Figure 14: Going back to Apps for the user Cloud, we can see the SaaS apps they have access to. We want to make members of the Marketing group able to use an additional Twitter account we have just added.

Figure 15: Back in the portal I can select the ausmarkos Twitter app

Figure 16: I assign the Marketing group to the ausmarkos Twitter app

Figure 17: Back in the myapps portal as Cloud user, I can see that ausmarkos Twitter has been added to the top of the Apps list

29 Mar.

AAD Application Proxy In The Azure Portal

Following on from yesterday’s post, I’ll continue with the app publishing story, but this time via the Azure Active Directory Application Proxy. The app proxy allows you to publish on-premises web apps while leveraging the identity security benefits that Azure Active Directory provides.


Figure 1: The initial steps for setting up the AAD App Proxy include choosing Enterprise Applications within Azure Active Directory, and then clicking Application Proxy

Figure 2: Next we need to choose Download Connector

Figure 3: From the server where we want to run the connector we run setup.

Figure 4: The only configuration we need to perform on the server is signing in to our Azure AD Global Admin account.

Figure 5: Switching back to the Azure Portal, choose Add an application, and then populate the Add your own on-premises application

Figure 6: Once the new app has been added, we can make some customisations, including enabling the app and choosing a logo, amongst others.

Figure 7: Next we should add a test user or group, and we do this via Add Assignment, Users and Groups, and Invite.

Figure 8: Signing in to myapps.microsoft.com we can see that internalapp is now published to Admin

Figure 9: Clicking on internalapp opens up a new tab, where you can see the msappproxy.net URL and the successfully loaded web page from the internal server we published.
