24 Feb.

Public Preview Of Azure AD Group Based License Management for Office 365

Continuing the ongoing addition of features into the Azure Portal for different components of the Enterprise Mobility + Security suite, Azure Active Directory group-based licensing is now in public preview. Here are some of the key takeaways from the announcement.

  • Licenses can be assigned using any “security group” in Azure AD, whether synced from on-premises or created directly in Azure AD.
  • AADP1 or AADP2 subscriptions can combine license management with dynamic group membership.
  • All Microsoft Online Services that require user-level licensing are supported.
  • The administrator can disable one or more service components when assigning a license to a group. This allows staged deployments of rich products like Office 365 Enterprise E5 at scale.
  • The feature is only available in the Azure portal.
  • Licenses are typically added or removed within minutes of a user joining or leaving a group.


Three additional articles that are worth looking at are:

  • Assigning licenses to a group in Azure Active Directory
  • What is group-based licensing in Azure Active Directory?
  • Azure Active Directory group-based licensing additional scenarios
  • Setting up Azure Active Directory for self-service group management



 16 Feb.

Intune Preview Portal Updates For February 2017

For those of you with recently created Intune tenants that have access to the Intune preview functionality within the Azure Portal, more capabilities have been added to test out. The one which I’ve had many people tell me was on their wish list is “non-managed devices can access assigned apps”, which makes MAM without device enrolment scenarios more user friendly for app location and installation.

Ability to restrict mobile device enrollment

Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll. Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile. 

    • Restricting mobile device enrollment does not restrict PC client enrollment.
    • For iOS and Android only, there is one additional option to block the enrollment of personally owned devices.


Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as explained in this article. 

View all actions on managed devices

A new Device Actions report shows who has performed remote actions like factory reset on devices, and additionally shows the status of that action. See What is device management?.

Non-managed devices can access assigned apps

As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps. 

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.

Display device categories

You can now view the device category as a column in the device list. You can also edit the category from the properties section of the device properties blade. See How to add an app to Intune.

 16 Feb.

Intune Updates February 2017 – Part 2

The What’s New In Intune page over on docs.microsoft.com has just been updated, and the following updates were covered across new capabilities and notices. These include a new guided experience for Windows 10 Company Portal, group migration impact on iOS policies, the new MDM server enrolment address for Windows devices, the upcoming Android Company Portal app changes and the ability to associate multiple management tools with the Windows Store for Business instead of only one.

New Capabilities

New guided experience for Windows 10 Company Portal

Beginning in March, the Company Portal for Windows 10 will include a guided Intune walkthrough experience for devices that have not been identified or enrolled. The new experience provides step-by-step instructions, customized for the user’s build of Windows 10, that guide users through performing AAD registration (required for identification for Conditional Access features) and MDM enrollment (required for device management features). The guided experience will be accessible from the Company Portal home page and is optional; users can continue to use the app if they do not complete registration and enrollment, but may experience limited functionality.


Group migration will not require any updates to groups or policies for iOS devices

For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic device group will be created in AAD based on the Corporate Device Enrollment profile’s name, during the migration to Azure Active Directory device groups. This will ensure that as devices enroll, they will be automatically grouped and receive the same policies and apps as the original Intune group.

Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group’s members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via the AAD portal.

Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group created for the old assignment.

Defaulting to managing Windows desktop devices through Windows settings

The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM agent enrollment flow rather than through the PC agent. The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.

Improving mobile app management support for selective wipe

End users will be given additional guidance on how to regain access to work or school data if that data is automatically removed due to the “Offline interval before app data is wiped” policy.

Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.

New MDM server address for Windows devices

Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM server address if prompted for it while enrolling a Windows or Windows Phone device. For additional information about this change, visit aka.ms/intuneenrollsvrchange.

New user experience for the Company Portal app for Android

Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more modern look and feel. This improved user experience includes:

    • Colors: tab headers can be colored according to your custom color palette.
    • Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is now a floating action button.
    • Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation.
    • Service: My Devices and Contact IT tabs have improved readability.


You can find before and after images on the UI updates page.

Associate multiple management tools with the Windows Store for Business

If you are using more than one management tool to deploy Windows Store for Business apps, previously, you could only associate one of these with the Windows Store for Business. You can now associate multiple management tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps you purchased from the Windows Store for Business with Microsoft Intune.

 10 Feb.

Say Hi At Ignite 2017 Australia

For those of you heading along to Microsoft Ignite on the Gold Coast next week, drop by any of the four sessions I’ll be delivering during the week and say hello. When I’m not in one of these sessions I’ll either be near the hands on labs or dropping in to some of the sessions to make sure I learn something as well.



 9 Feb.

Outlook for iOS Add-In Notification from Intune team

Another announcement from the Intune team about what’s required to make sure that the Outlook add-ins announced last week interact with Exchange and Mobile Application Management policies. Read on for the full details included in the email…

Last week, the Outlook team announced add-ins for Outlook on iOS. This add-in feature set already exists in Outlook on Windows, web and Mac (in Office Insiders). Since add-ins are managed via Exchange, users will be able to copy and share data and messages across Outlook and unmanaged add-in applications, unless access to add-ins is turned off by your Exchange admin. In order to manage user access permissions to add-ins, please work with your Exchange admin to ensure that your MAM data protection policies apply to add-ins.

How does this affect me?

If your Exchange policies are already set to prevent side loading add-ins or installing add-ins, then read no further. Your MAM policies will apply per your settings. If, however, you have set policies in MAM to restrict cut, copy, and paste operations within Outlook on iOS and have not set your add-in policy in Exchange, you should know that by default, users will be able to install add-ins to Outlook. These add-ins can access message body, subject and other message properties. You can turn off end-user ability to install add-ins by having your Exchange Admin remove the “My Marketplace Apps” and “My Custom Apps” roles. For more details, see the additional information link shared below. Note that the setting change in Exchange will apply to Outlook across Windows, web, Mac (in Office Insiders) and mobile.

What do I need to do?

  • Review your Exchange policies today.
  • Read up on the documentation linked below.
  • Inform your IT and helpdesk staff.
  • Contact our support team with any specific questions or concerns.

Please click additional information to learn more.
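One way an Exchange admin could audit and remove the two roles named in the notice, shown as an added example that is not part of the Intune team's email. It assumes an Exchange PowerShell session is already connected with rights to manage role assignments; the function name Remove-OutlookAddInSelfService is hypothetical.

```powershell
# Added example, not from the notice. Assumes a connected Exchange PowerShell
# session. The function name is hypothetical; the role names are the two
# quoted in the notice.
function Remove-OutlookAddInSelfService {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # End-user roles that allow self-service add-in installation.
        [string[]]$Role = @('My Marketplace Apps', 'My Custom Apps'),

        # Optional: restrict the change to these role assignment policies.
        # When omitted, every role assignment policy is checked.
        [string[]]$PolicyName
    )

    $policies = Get-RoleAssignmentPolicy
    if ($PolicyName) {
        $policies = $policies | Where-Object { $PolicyName -contains $_.Name }
    }

    foreach ($policy in $policies) {
        foreach ($r in $Role) {
            # Assignments of this role to this policy (none if already removed).
            $assignments = Get-ManagementRoleAssignment -Role $r `
                -RoleAssignee $policy.Name -ErrorAction SilentlyContinue

            foreach ($a in $assignments) {
                $removed = $false
                $action  = "Remove role '$r' from policy '$($policy.Name)'"
                # Honors -WhatIf and -Confirm supplied by the caller.
                if ($PSCmdlet.ShouldProcess($a.Name, $action)) {
                    Remove-ManagementRoleAssignment -Identity $a.Name -Confirm:$false
                    $removed = $true
                }

                # One result row per assignment found, removed or not.
                [pscustomobject]@{
                    Policy     = $policy.Name
                    IsDefault  = $policy.IsDefault
                    Role       = $r
                    Assignment = $a.Name
                    Removed    = $removed
                }
            }
        }
    }
}

# Report only: lists policies that still grant the roles and changes nothing.
Remove-OutlookAddInSelfService -WhatIf | Format-Table -AutoSize
```

As the notice says, the Exchange change applies to Outlook on Windows, web and Mac as well as mobile, so review the -WhatIf report before running the function without it.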

 8 Feb.

Intune Updates February 2017 – Part 1

We are still in early February, but a few updates have rolled out late last month and early this month. Below you will find a summary of these, which include app updates and portal updates. I’ve received notification that one of my Intune tenants is going to be migrated early so that I can test things out without having to keep spinning up new trial tenants.

New Capabilities

In-console reports for MAM without enrollment

New app protection reports have been added for both enrolled devices and devices that have not been enrolled. Find out more about how you can monitor mobile app management policies with Intune here.


Company Portal for iOS links open inside the app

Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.

Modernizing the Company Portal website

Beginning in February, the Company Portal website will support apps that are targeted to users who do not have managed devices. The website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic illustrations, and a “hamburger menu,” which will contain helpdesk contact details and information on existing managed devices. The landing page will be rearranged to emphasize apps that are available to users, with carousels for Featured and Recently Updated apps. You can find before and after images available on the What’s new in the Intune app UI page.

Progress bar when launching the Company Portal on iOS

The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with information about the loading processes that occur. There will be a phased rollout of the progress bar to replace the spinner. This means that some of your users will see the new progress bar while others will continue to see the spinner.

 8 Feb.

Azure MFA VPN Support In Preview

When running through the different pieces of Enterprise Mobility + Security with those who are focused on the cloud only components, it usually comes as a surprise to see how many different on-premises services can be extended with the different EMS components. The one that people know about is AADConnect, but Intune has connectors for Configuration Manager, Exchange and Simple Enrolment Protocol, AIP/RMS has the Azure RMS connector, and of course Advanced Threat Analytics is deployed by the customer. The MFA server is also available, and today’s announcement highlights some changes that are in the pipeline.

First of all, it’s worth mentioning that the announcement focuses solely on potentially reducing or eliminating the requirement for MFA Server for some VPN scenarios; it doesn’t target the other scenarios that MFA Server addresses, such as extending ADFS authentication methods, IIS app integration, RDS broker support and general purpose RADIUS and LDAP authentication. Remember that you need AAD Premium P1 or P2 licensing for Azure MFA server, so you can buy those standalone or as part of EMS E3 or E5.

So what does it do? Well, as the article suggests, this focuses on providing a cloud based MFA server for VPN without the on-premises MFA Server requirement. Instead it requires the installation of the NPS extension for Azure MFA, which supports the following operating systems. The list looks like it might need to be cleaned up a little; it references some previews and release candidates for versions of Windows Server that are no longer supported, but I think the final one listed sums it up.

Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 Beta Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Preview, Windows Server 2012 R2 Standard, Windows Server 2012 Release Candidate, Windows Server 2012 Standard, Windows Server 2016, Windows Server 2008 R2 SP1 or above with the NPS component enabled


The installation instructions provided, for those wanting to give it a try…

1. Run Setup.exe on your existing NPS Server

2. Run the PowerShell script from C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)

For full details on the preview, head on over to Augment your existing authentication infrastructure with the NPS extension for Azure Multi-Factor Authentication – Public preview, and keep an eye on the questions that are getting asked there in case anything relevant pops up.


 4 Feb.

Intune Groups Migrating to Azure AD Groups Email Notification

For those of you not actively monitoring your tenant administrator email accounts, it’s worth reading the content of a message that was just sent out to advise of some changes that are coming through as part of the migration process.


Intune Groups Migrating to Azure AD Groups

Dear Tenant Administrator,

Microsoft Intune is a Mobile device management, mobile application management, and PC management solution from Microsoft. Intune is the mobility solution in Enterprise Mobility & Security (EMS) or can be purchased as a standalone service.

Over the next few months, Intune is migrating all Intune groups over to Azure AD groups. What does this mean to you? As an Azure AD admin, you’ll start to see Intune groups in your Azure AD infrastructure. Please do not delete these groups; they’ll pop in there in preparation for migration, then will be populated by our migration engine.

We’re excited to bring Intune groups over to Azure AD groups as this will provide an improved experience for our Intune service admins. Migration will also allow Intune admins to use the new Intune on Azure experience currently in preview at portal.azure.com.

If you have any questions on the grouping and migrating experience, please look at the docs here: https://aka.ms/new_grouping_experience_admin. Alternatively, if you have any questions on migration, reach out to our grouping migration team intunegrps@microsoft.com or support.

Thank you, Microsoft Intune


 3 Feb.

New Configuration Service Providers for Windows 10 1703

Over on the recently updated What’s new in MDM enrollment and management page on MSDN, new CSPs have been added for 1703. You can also check out the update listings for 1511 and 1607 while you are there, along with the change history.

What’s new in Windows 10, version 1703

Each entry below gives the item followed by its description.

New nodes in Update CSP: Added the following nodes to the Update CSP:

  • FailedUpdates/Failed Update Guid/RevisionNumber
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber

CM_CellularEntries CSP: To PurposeGroups setting, added the following values:

  • Purchase – 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • Administrative – 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364

CellularSettings CSP, CM_CellularEntries CSP, EnterpriseAPN CSP: For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

SecureAssessment CSP: Added the following settings:

  • AllowTextSuggestions
  • PrintingCapability
  • ScreenCaptureCapability

Messaging CSP: Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions.

Policy CSP: Added the following new policies:

  • DeliveryOptimization/DOAllowVPNPeerCaching
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • DeliveryOptimization/DOMinFileSizeToCache
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • EnterpriseCloudPrint/CloudPrintResourceId
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • Privacy/LetAppsGetDiagnosticInfo
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • Privacy/LetAppsRunInBackground
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps

DevDetail CSP: Added the following setting: DeviceHardwareData.

CleanPC CSP: Added new CSP.

DeveloperSetup CSP: Added new CSP.

 31 Jan.

Changes to Access Work Or School in Windows 10 Insider Preview

One of the things about Windows 10 Azure Active Directory join with Intune auto enrolment is that it has protected me from some of the changes that were taking place in the Windows Settings UI for Access Work Or School. With the Anniversary Update there were some changes that made it harder to figure out what was happening, especially around clarity in joining Azure AD versus just performing a device enrolment. With the current Insider preview builds, steps have been taken to address this, and you’ll see them in screenshots further in this post.

The auto enrolment capability is provided by Azure Active Directory Premium, and needs to be enabled in the Intune app settings in the Azure portal, so it’s not something a free Azure Active Directory tenant or Office 365 user would see unless they had licensed AAD Premium or EMS separately. Sure, it’s not hard to enrol a device manually, but it is easy enough to automate. That’s not the topic of today’s post though; I’ll focus on the UI changes in Windows Insider Preview 15019. In the screenshots below I have the Insiders build on the left, and 1607 on the right.

On the left under Related settings you can see Enroll only in device management making a welcome appearance, which helps to differentiate it from the Connect option above, which provides device registration by default.


On both builds, Connect provides the same screen. You can see here that this performs device registration, as you have to click under Alternate actions for Join this device to Azure Active Directory.

On the left in the Insiders Preview, I’ve selected Enroll Only in Device Management, but I’ve left the Connect screen on the right.

As I mentioned above, some of the previous changes here have led to confusion, and hopefully some of these changes make it easier to follow the required steps for end user driven enrollments.

