In January 2018, conditional access policies for Intune will be moved permanently to Azure AD.
Until then, conditional access configuration is available through the 'classic' Silverlight Intune portal, the Intune App Protection (MAM) blade and the classic Azure AD portal.
If you have policies configured in any of these previous locations, you need to review them and start configuring them using the new Azure AD portal.
Enjoy the new experience
Planner (the Office 365 solution to help you manage project plans and tasks) and Who (a Teams app to help you search for people within your organization) have been integrated into Microsoft Teams.
When I say integrated, this does not mean you have to search for and add these apps: they are already inside the Teams client; just check the 3 dots (…) just below the Files option.
When you launch them, these applications are displayed directly within the Teams client.
NOTE you may be requested to authenticate again
As announced a few weeks ago at the Ignite conference, a new compliance center is now live in preview.
You can access the preview from https://aka.ms/compliancemanager.
From there you will be able to access all relevant information for your compliance, from the trust documentation to compliance and audit reports.
If you need to grant or manage access, use the Settings option to select the user role and then grant permissions.
While the new compliance center is in preview, you can still continue to access the ‘old’ portal.
NOTE: to access the preview you must use Edge, Chrome, Firefox or Safari. You cannot use Internet Explorer. One would say this is to push you to use Edge.
With Windows 10 build 1709 (Fall Creators Update) and Intune, you can now show details to the end user while the device is being enrolled.
This can be quite helpful to let them know what is going on, as well as for troubleshooting purposes.
To enable and configure it, log on to the Azure (ARM) portal and go to Intune.
Then go to the Device enrollment\Windows enrollment section.
Next, open the Enrollment Status Screen blade.
From there you can configure a welcome message, including a title and support desk details.
Once saved, this is applied to every new device enrolled with your Azure AD, showing your greeting (the title; in the screenshot 'Your device is being enrolled'), your message (here 'Please wait while your device is being enrolled with Azure AD') and the current progress of the policy installation.
During this period, the end user can still click the Got it button and start working in their session.
Once the process is completed they get a notification informing them that the device is ready.
Azure PowerShell has reached a new major milestone with the release of version 5.0.0. As with any new major version there are a lot of improvements and new cmdlets, but also a few breaking changes. To get the MSI package, go to https://github.com/Azure/azure-powershell/releases/download/v5.0.0-November2017/azure-powershell.5.0.0.msi. To review all the breaking changes and update your scripts accordingly, go to https://aka.ms/azps-migration-guide.
A new SharePoint Online setting is being rolled out to let you configure an idle session timeout.
The idle session timeout setting lets you configure how long the service waits before warning, and then signing out, an inactive user.
This setting applies only to web browser sessions and should not impact the OneDrive for Business sync client.
To configure it (including enabling the setting, which is disabled by default) you need the latest version of the SharePoint Online PowerShell module, available at https://go.microsoft.com/fwlink/p/?LinkId=255251 (at the time of writing the latest version is 16.0.7018.1200).
Once you have the latest SPO PowerShell module installed, execute the following commands. By default the setting is disabled:
Enabled WarnAfter SignOutAfter
------- --------- ------------
False   00:00:00  00:00:00
For the purpose of this post I set very low timespans (respectively 10 and 15 seconds of inactivity).
You can change the timespans by re-running the command Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds <new value>) -SignOutAfter (New-TimeSpan -Seconds <new value>). If you do not include the -Enabled parameter you will be prompted for its value ($true or $false; since you want to change the timespans it must be $true).
You can disable the feature again with Set-SPOBrowserIdleSignOut -Enabled $false.
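The complete sequence, written here as an added example rather than taken from the screenshots of the original post: connect to the tenant admin site, read the default state, and enable the timeout with values you would actually use in production rather than the 10/15 second values used above for demonstration. The tenant name 'contoso' is an assumption.

```powershell
# Added example (not from the original post): enable idle session sign-out for
# SharePoint Online browser sessions. Assumes the SharePoint Online Management Shell
# is installed and that the tenant is named 'contoso' (replace with yours).
Import-Module Microsoft.Online.SharePoint.PowerShell

# Connect to the tenant admin site; you are prompted for SharePoint admin credentials
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Current state. Out of the box Enabled is False and both timers read 00:00:00.
Get-SPOBrowserIdleSignOut

# Production-style values: warn after 55 minutes of inactivity, sign out after 60.
# Keep WarnAfter shorter than SignOutAfter so the warning is shown before the sign-out.
# These values do not bother users on their own managed workstation but still close
# forgotten sessions on shared, kiosk or personal machines.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter    (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Hours 1)

# Verify the change took effect
Get-SPOBrowserIdleSignOut
```

Two practitioner notes: the setting only covers browser sessions, so the sync client and mobile apps are unaffected, and a user who ticked "Keep me signed in" at sign-in keeps a persistent session; the idle sign-out is therefore a complement to, not a replacement for, conditional access on unmanaged devices.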
A new feature is coming to Azure to help you gain insight into your ExpressRoute circuits.
With this new ExpressRoute monitoring solution you get comprehensive network monitoring between your branch offices, VNets and now ExpressRoute, including packet loss, bandwidth usage and network route analysis.
This monitoring feature is using the Network Performance Monitor on Azure introduced earlier this year (see https://cloudblogs.microsoft.com/hybridcloud/2017/02/22/introducing-network-performance-monitor-for-network-visibility-across-public-and-hybrid-clouds/).
To enroll in the preview, go to https://aka.ms/npmcohort.
With Windows 10 Fall Creators Update (build 1709) you can allow your end users to reset their own password (or PIN) directly from the login screen.
To do so you need to have enabled self-service password reset in Azure AD, to use Intune as your MDM, and your devices must run Windows 10 1709 and be Azure AD joined.
Log on to the Intune portal from Azure (ARM) (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview).
Then create a custom profile from Device configuration\Profiles.
The profile needs to be configured as follows:
Once the profile has been saved, you can assign (deploy) it to your users.
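The same custom profile can be created and assigned from PowerShell through the Microsoft Graph beta endpoint instead of the portal. This is an added example, not code from the original post. It assumes you already hold a bearer token for an account with Intune device-configuration rights, that the custom OMA-URI is the Policy CSP node Authentication/AllowAadPasswordReset introduced with 1709, and a placeholder group id for the pilot devices.

```powershell
# Added example (not from the original post): create the Intune custom profile that
# allows Azure AD password/PIN reset from the Windows 10 1709 lock screen, via Graph beta.
# Assumptions: $token is a valid bearer token (obtain it with your usual OAuth flow),
# and $groupId is the object id of the Azure AD group of pilot devices.
$token   = '<access token>'                              # assumption
$groupId = '00000000-0000-0000-0000-000000000000'       # assumption: pilot device group
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# The custom profile: one integer OMA-URI setting, value 1 = allowed
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Windows 10 - Allow Azure AD password reset from lock screen'
    description   = 'Enables SSPR / PIN reset on Azure AD joined Windows 10 1709+ devices'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'AllowAadPasswordReset'
            description   = 'Policy CSP: Authentication/AllowAadPasswordReset (1 = allowed)'
            omaUri        = './Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset'
            value         = 1
        }
    )
}

$created = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5)
"Created profile $($created.id)"

# Assign the profile to the pilot group (deploy it, in portal terms)
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5)
```

Deploying to a pilot group first is deliberate: the lock-screen reset link exposes the SSPR flow on every targeted device, so you want to confirm the verification methods you require (for example two methods rather than one) are enforced before rolling it out tenant-wide.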
Once the configuration for self-service password/PIN reset from the login screen is in place, users can reset their password or PIN directly from the login screen, without having to borrow a colleague's device to reach the self-service password reset portal.
The following screenshots were taken for a password reset, but the result is similar for a PIN reset.
When the end user picks the reset password option, the Windows logon screen (the credential provider in charge of authentication; GINA was replaced by credential providers from Vista onward) redirects the user to the reset password page.
At this point they need to enter their user logon so that the service can look up their account.
Then they have to choose which verification method to use – i
Once they have chosen the verification method and have been successfully verified, they are able to change the password.
If you have enabled the password reset notification, the end user also receives a notification in their primary mailbox and recovery mailbox confirming that the password has been reset.
As for all other Microsoft cloud services (Azure, Office 365, ...), Microsoft Teams now has its own PowerShell module.
You can get it by opening a PowerShell prompt (as usual, run as Administrator) and running the command
Install-Module -Name MicrosoftTeams
If required, you will be asked to install NuGet and to trust the repository.
The current version (0.9.0) lets you perform "basic" management operations such as creating and removing teams or channels, setting guest access settings and, of course, adding or removing users from a team.
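What those basic operations look like once the module is installed, as an added example (not code from the original post or from Microsoft). It is written against the 0.9.x cmdlet set described here; later versions of the module renamed some parameters (for example -AccessType became -Visibility on New-Team), so check Get-Help on your version. Team names and UPNs are assumptions.

```powershell
# Added example (not from the original post): basic Teams administration with the
# MicrosoftTeams module 0.9.x. Names, UPNs and the team purpose are assumptions.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in with an Office 365 admin account

# Create a private team; the creating account is added as owner
$team = New-Team -DisplayName 'SecOps' -Description 'Security operations' -AccessType Private

# Add a second owner and a regular member. Two owners avoids an orphaned team
# when a single owner leaves the company.
Add-TeamUser -GroupId $team.GroupId -User 'alice@contoso.com' -Role Owner
Add-TeamUser -GroupId $team.GroupId -User 'bob@contoso.com'   -Role Member

# Add a channel
New-TeamChannel -GroupId $team.GroupId -DisplayName 'Incidents' -Description 'Active incident coordination'

# Tighten what guests may do inside this team
Set-TeamGuestSettings -GroupId $team.GroupId -AllowCreateUpdateChannels $false -AllowDeleteChannels $false

# Remove a member who no longer needs access
Remove-TeamUser -GroupId $team.GroupId -User 'bob@contoso.com'

# Governance check across the teams visible to the signed-in account:
# report any team that has fewer than two owners.
foreach ($t in Get-Team) {
    $owners = @(Get-TeamUser -GroupId $t.GroupId -Role Owner)
    if ($owners.Count -lt 2) {
        '{0} ({1}) has {2} owner(s)' -f $t.DisplayName, $t.GroupId, $owners.Count
    }
}
```

The ownership check at the end is the kind of thing the module makes cheap: orphaned or single-owner teams are a recurring Teams governance problem, and with the 0.9.0 cmdlets you can already script the report even though the portal offers no such view.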
An update is currently under way (scheduled to be completed by the end of December) to help you better manage client access to Exchange Online.
Client Access Rules for Exchange Online can only be managed through PowerShell.
With this new capability, you can define access rules that allow or block access based on client IP addresses, the client used, the protocol, or even group membership.
A client access rule is composed of 4 components:
When implementing client access rules, keep in mind that your corporate network is not automatically granted access: nothing is allowed implicitly, so a deny rule that also matches your own session locks you out.
Complete details for implementing, managing and testing client access rules are available at https://technet.microsoft.com/en-us/library/mt842507.aspx.
For example, thanks to the new access rule capability you can "disable" the POP and/or IMAP protocols by blocking access to them, instead of having to disable the protocols mailbox by mailbox.
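A worked rule set, added here as an example and not taken from the original post or the TechNet article: an allow rule protecting admin access first, then the POP/IMAP block mentioned above, then a test before relying on it. The IP ranges and UPNs are assumptions, and the connection block uses the classic Exchange Online remote PowerShell session of the time.

```powershell
# Added example (not from the original post): Exchange Online Client Access Rules.
# IP ranges, names and UPNs are assumptions. Order matters: create the allow rule for
# your admin network on Remote PowerShell FIRST, because nothing is allowed implicitly
# and a deny rule matching your own session would lock you out of the tenant.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking

# 1. Safety net: admins coming from the corporate egress range keep Remote PowerShell
New-ClientAccessRule -Name 'Allow admin PowerShell from corp' -Priority 1 `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges 203.0.113.0/24

# 2. Deny Remote PowerShell from anywhere else
New-ClientAccessRule -Name 'Block PowerShell elsewhere' -Priority 2 `
    -Action DenyAccess -AnyOfProtocols RemotePowerShell `
    -ExceptAnyOfClientIPAddressesOrRanges 203.0.113.0/24

# 3. The scenario from the post: block POP3 and IMAP4 tenant-wide with one rule,
#    instead of disabling the protocols on every mailbox
New-ClientAccessRule -Name 'Block POP and IMAP' -Priority 3 `
    -Action DenyAccess -AnyOfProtocols POP3, IMAP4

# 4. Test what a given user would get before trusting the rules in production
Test-ClientAccessRule -User bob@contoso.com -AuthenticationType BasicAuthentication `
    -Protocol IMAP4 -RemoteAddress 198.51.100.7 -RemotePort 993
Test-ClientAccessRule -User admin@contoso.com -AuthenticationType BasicAuthentication `
    -Protocol RemotePowerShell -RemoteAddress 203.0.113.10 -RemotePort 443

# Review the resulting rule order
Get-ClientAccessRule | Format-Table Priority, Name, Action, AnyOfProtocols, Enabled

Remove-PSSession $session
```

Rules are evaluated in priority order and the first match wins, which is why the admin allow rule sits at priority 1. New or changed rules do not apply instantly, so run Test-ClientAccessRule rather than judging by your own current session, and keep a second admin account connected while you add deny rules.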
Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint, Lync/Skype for Business) technologies.
He has been awarded Microsoft Most Valuable Professional (MVP) since 2002, on Windows, then SharePoint and finally Office 365. He was recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.
He has been involved in the early testing phases of many Microsoft products, from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.
He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also took part in writing several books on SharePoint (2003 to 2010).
With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.
This blog uses tracking code for analytics purposes.
No personal data is stored or maintained.