Active Directory (English)

Now Available: Update 1702 for System Center Configuration Manager

We are delighted to announce that we have released version 1702 for the Current Branch (CB) of System Center Configuration Manager that includes new features and product enhancements!

Many of these enhancements are designed for organizations that are going through the digital transformation and want to modernize their IT infrastructure, policies and processes. As one of the first steps in this journey, our customers are upgrading to the Current Branch of ConfigMgr, and by doing so they are starting to gain benefits such as lower costs, simplified management, and a better experience for both users and IT Pros. Take a look at how the Australian Government Department of Human Services went through this journey.

This transformation is also supported by data that we see through our telemetry. There are now more than 31,000 organizations managing almost 70 million devices with the Current Branch of Configuration Manager. We expect this trend to continue in the coming months as more customers start to realize the benefits of improved productivity and security, as well as the lower costs, that come with staying current with Windows 10, Office 365, and Configuration Manager.

Thanks to our active Technical Preview Branch community, the 1702 update includes feedback and usage data we have gathered from customers who have installed and road-tested our monthly technical previews over the last few months. As always, 1702 has also been tested at scale by real customers, in real production environments. As of today, nearly 1 million devices are being managed by version 1702 of Configuration Manager.

The 1702 update includes many new features and enhancements in Windows 10 management and also new functionality for customers using Configuration Manager connected with Microsoft Intune. Here are just a few of the enhancements that are available in this update:

  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the upcoming release of Windows 10 Creators Update. You can upgrade the Windows 10 ADK to the latest version for full OS imaging support.
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports deploying Windows 10 Cumulative Updates using Express files.
  • Customize high-risk deployment warning – You can now customize the Software Center warning shown when running a high-risk deployment, such as a task sequence to install a new operating system.
  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline. This is currently the feature with the second-highest number of votes on UserVoice.
  • Conditional access for PCs managed by System Center Configuration Manager – Now production ready in update 1702, conditional access for PCs managed by Configuration Manager lets you restrict access to various applications (including but not limited to Exchange Online and SharePoint Online) to PCs that are compliant with the compliance policies you set.

This release also includes new features for customers using Configuration Manager connected with Microsoft Intune. Some of the new features include:

  • Android for Work support – You can now enroll devices, approve and deploy apps, and configure policies for devices with Android for Work.
  • Lookout threat details – You can view threat details as reported by Lookout on a device.
  • Apple Volume Purchase Program (VPP) enhancements – You can now request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Additional iOS configuration settings – We added support for 42 iOS device settings for configuration items.

For more details and to view the full list of new features in this update, check out our What's new in version 1702 of System Center Configuration Manager documentation.

Note: As the update is rolled out globally in the coming weeks, it will be automatically downloaded and you will be notified when it is ready to install from the Updates and Servicing node in your Configuration Manager console. If you can't wait to try these new features, this PowerShell script can be used to ensure that you are in the first wave of customers getting the update. After running this script, you will see the update available in your console right away.

For assistance with the upgrade process, please post your questions in the Site and Client Deployment forum. To provide feedback or report any issues with the functionality included in this release, please use Connect. If there's a new feature or enhancement you want us to consider including in future updates, please use the Configuration Manager UserVoice site.

Thank you,

The System Center Configuration Manager team


Additional resources:

Video: Everything You Want to, Need to, and/or Should Know About EMS in 2017

The demands of mobility and security change fast. Really fast. Faster than anyone could have imagined just a few years ago.

This is a reality that inspires the work we do with EMS, architecting it as a cloud service so that its features and solutions are tuned to the needs of your organization. The speed at which we update and improve EMS is, in my estimation, unmatched anywhere else, and this rapid and regular cadence is our way of underscoring the value we place on your organization's productivity, security, and success.

That commitment is a lot more than corporate platitudes, and to show just how serious we are about this, this new video is a great way to learn about everything we've added since we published the 2016 overview.

Spoiler alert: There is an unbelievable number of upgrades, improvements, and enhancements. I think you're going to be blown away by what you see. There are things in this video that only EMS can provide, as well as things EMS can do far better than anyone else.

If you want to see what's in store, here's the table of contents from the video's intro:


Azure Information Protection: Ready, Set, Protect! – Part 3

This post is the third in a 4-part series focusing on how to implement information protection in your organization.

In Part 1 of the series we showed you how to get going with classification and labeling, and FAST. In Part 2 we focused on how you can take the learnings and benefits of classification and labeling and protect your information.

Today’s blog post is for those of you who are either Information Protection skeptics or have yet to kick off a proper evaluation of the technology in this space. We want to help you hone in on what’s really important in an enterprise solution for Classifying, Labeling and Protecting (CLP) your information. I’ll be the first to admit that I write this from a position of bias, but I promise to be as candid as one can be having walked many miles in these particular shoes.

As you scope your project and desired outcomes, we suggest that the critical criteria for a CLP solution are that it is:

  1. Anchored in the new world information models while interoperating with the older world models
  2. Deeply integrated into the applications that matter
  3. Deeply integrated into the services that matter
  4. Provided by a worthy enterprise partner
  5. Promises a spectrum of assurances that span your requirements
  6. Hosted in a manner that is consistent with your compliance boundaries

Let’s explore these one by one:

Anchored in the new world information models

Generally speaking, the old world model is one where, like a butterfly, data is set free and you ask your IT leadership to 'catch it' before it leaks (DLP). While there are certainly use cases for reactive classification and protection of data, everyone would prefer that data be born properly classified, labeled and protected. We call this model CLP: classification and labeling should trigger DLP or other types of protection, like encryption. When considering information protection offerings, you want to ensure that your chosen vendor can perform this CLP activity early enough to be effective and secure. This is easier asked than done!

Deeply integrated into the applications that matter

Building on the above, CLP should be built into all your important applications. This is a tall order! Let’s break it down.

  • Most organizations use Office (Word, Excel, PowerPoint) and Outlook. They do so on PCs, Macs, mobile devices and even in web browsers via Outlook Web Access (OWA) and Office Web App companions (WAC). You'll want a partner that can integrate CLP into these products.
  • Many other file types are important. Those can be enabled for protection via Windows Explorer extensions, via more invasive bolt-on 'filter driver' abstractions, or via format owner influence (i.e. application integrations). The Windows Explorer extension category is achievable by any vendor, so the important criterion here is how forward-looking the offer is. Specifically, in which format is the file labeled and protected? This is critical, as one could strongly assert that future versions of Windows (at the least) will become aware of data-bound encrypted files. When this happens, say in a future version of Windows 10, you'll want ALL your encrypted assets to 'just work'. Incompatible protection formats will, well, continue to be incompatible.
  • As we progress from add-on protection tools towards native integrations, the next most popular file type is PDF. There are many PDF readers, but the undisputed king of PDF is Adobe, with Foxit being the next most recognized offering. You'll want a partner that stands a chance of partnering with Adobe and that works with others to enable a popular and standardized CLP in their offerings.
  • Some of you may want to leverage native email clients. Here, just as with PDF, you'll want to evaluate your partner's ability to influence the leading mail clients (iOS mail, Android mail, Windows mail) to integrate support for CLP.

Deeply integrated into the services that matter

Beyond desktop and device applications, you will want to see integrations both across the services you use in your environments and to collaborate with your broader ecosystem. As you move to the cloud, you are adopting Exchange Online, SharePoint Online, OneDrive for Business as well as other offerings such as SAP, Box, Dropbox, SFDC and so on.

  • As information flows, you will want to gain visibility into how and where this happens, AND be able to take actions.
  • These actions may be in-line (such as active blocking) but also remedial in nature (being able to apply protection to a document that lands on a cloud storage platform for example).

As with applications, you want to choose a vendor that can achieve these for the Microsoft cloud and that is sufficiently influential to be in a position to work with the other significant cloud vendors in your environment.

Provided by a worthy enterprise partner

Security is a serious business. You want to be working with technology partners who are advocating strong leadership in the space, and who are in it for the duration. The last thing you want is to adopt products that either end up being terminated, or acquired by larger companies that are not directionally aligned. The floor is littered with solutions that have been subsumed in both these scenarios (Liquid Machines, Sealed Media, and several more).

Promises a spectrum of assurances that span your requirements

Our experience shows us that while there are broad commonalities in our customer base, there is also a long list of specific requirements that apply to smaller groups of customers. From geopolitical and country-specific laws, to regulatory compliance, to internal business information policies, your business is, well, your business. And you need a partner that offers you the ability to adopt technology the way that you need to. There may be guiding rails, but the range of choice must be available.

  • What are the requirements you have for encryption keys?
  • Where can logs be stored?
  • Can you use public clouds or is there a need for segmented platforms?
  • Do you have highly toxic data that must reside on physical platforms you control?

Regardless of what the permutations are that you need, your partner must be able to work with you to help you adopt in the right ways. Being just on premises or just cloud based is insufficient.

Hosted in a manner that is consistent with your compliance boundaries

And lastly, but certainly by no means least, you must have confidence in your security partner to operate the applications, services and platforms you use to the standards you require. Cloud vendors must adhere to all compliance and security needs, from writing code through to operational processes. You should look into how this is done, and what will happen in the event of an incident.

In closing

Hopefully you found this to be a useful checklist. With the above offered as neutrally as one in my position can do, I'd like to now say that, for each of the above, our Azure Information Protection offering scores quite well. In total, we feel even more strongly that no other vendor can get anywhere near as close to meeting these requirements as Microsoft can. Sure, we have a few edges that need a bit more work, but we'd be doing that alongside you, and at a rapid rate of innovation.

We know this is a lot to absorb, and we are here to help. Engage with us on Yammer, Twitter or send us an e-mail to

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.

Twitter: @DanPlastina
Useful links: (PDF)

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Reduce running costs for your RDS Deployment in Azure using Auto-Scaling

This post is authored by Clark Nicholson, Principal Program Manager, Remote Desktop Services.

Hello everyone. This is Clark Nicholson from the Remote Desktop Services team. I'm writing today to let you know we have recently published a new version of the Remote Desktop Session Host (RDSH) auto-scaling sample script that uses Azure Resource Management (ARM) PowerShell.

Many of you have deployed Remote Desktop Services (RDS) in Azure VMs based on the RDS TechNet documentation, the RDS ARM templates, or the RDS Azure Marketplace solution template. You may be wondering, "How do I reduce the cost of my RDS deployment in Azure?" It turns out that for many RDS deployments, the most significant cost is the RDSH server VMs, so a great way to reduce cost is to shut down and de-allocate your RDSH VMs during off hours and then start them back up again as usage increases. The sample script is intended to help you automate RDSH scaling. You can use the sample script as-is with simple configuration using the config.xml file, or you can customize the sample script itself. The PowerShell script, XML configuration file, and a deployment document are all included in a .zip file that can be downloaded from TechNet Script Center.
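The scaling loop described above, as an added illustration rather than the TechNet sample script: it counts sessions on the connection broker, drains idle session hosts before de-allocating them, and starts hosts again when demand rises. It uses the RemoteDesktop module and the AzureRM compute cmdlets of the period; the broker name, resource group, collection name, thresholds and the assumption that each VM is named after its host's short name are all made up for the example, and an AzureRM login is assumed to have happened already.

```powershell
# Added example, not the published sample script. Assumes Login-AzureRmAccount
# has already run and that this runs on a machine with the RemoteDesktop module.
Import-Module RemoteDesktop
Import-Module AzureRM.Compute

$ConnectionBroker = 'rdcb01.contoso.local'   # assumed broker FQDN
$ResourceGroup    = 'rg-rds'                 # assumed resource group
$CollectionName   = 'Desktop Collection'     # assumed session collection
$MinHosts         = 1                        # never go below this many running hosts
$SessionsPerHost  = 10                       # assumed capacity per RDSH VM
$PeakStart, $PeakEnd = 8, 18                 # peak hours, broker-local time

function Get-DesiredHostCount {
    param([int]$ActiveSessions, [bool]$IsPeak)
    # Off hours with nobody connected: shrink to the floor.
    if (-not $IsPeak -and $ActiveSessions -eq 0) { return $MinHosts }
    # Otherwise keep enough hosts for current load plus one spare for new logons.
    $needed = [math]::Ceiling($ActiveSessions / $SessionsPerHost) + 1
    return [math]::Max($MinHosts, $needed)
}

$now      = Get-Date
$isPeak   = ($now.Hour -ge $PeakStart) -and ($now.Hour -lt $PeakEnd)
$hosts    = @(Get-RDSessionHost -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker)
$sessions = @(Get-RDUserSession -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker)
$desired  = Get-DesiredHostCount -ActiveSessions $sessions.Count -IsPeak $isPeak

# Build one record per host: VM name (assumed = short host name), session count, power state.
$hostVms = foreach ($h in $hosts) {
    $fqdn   = $h.SessionHost
    $vmName = $fqdn.Split('.')[0]
    $status = (Get-AzureRmVM -ResourceGroupName $ResourceGroup -Name $vmName -Status).Statuses.Code
    [pscustomobject]@{
        SessionHost = $fqdn
        VmName      = $vmName
        Sessions    = @($sessions | Where-Object { $_.HostServer -eq $fqdn }).Count
        Running     = ($status -contains 'PowerState/running')
    }
}
$running = @($hostVms | Where-Object Running)

if ($running.Count -lt $desired) {
    # Scale out: start de-allocated hosts and re-open them for new connections.
    $hostVms | Where-Object { -not $_.Running } |
        Select-Object -First ($desired - $running.Count) | ForEach-Object {
            Start-AzureRmVM -ResourceGroupName $ResourceGroup -Name $_.VmName
            Set-RDSessionHost -SessionHost $_.SessionHost -NewConnectionAllowed Yes -ConnectionBroker $ConnectionBroker
        }
}
elseif ($running.Count -gt $desired) {
    # Scale in: only hosts with zero sessions are candidates, and they are drained
    # (no new connections) before being de-allocated so users are never cut off.
    $running | Where-Object { $_.Sessions -eq 0 } |
        Select-Object -First ($running.Count - $desired) | ForEach-Object {
            Set-RDSessionHost -SessionHost $_.SessionHost -NewConnectionAllowed No -ConnectionBroker $ConnectionBroker
            # Stop-AzureRmVM without -StayProvisioned de-allocates, which stops compute billing.
            Stop-AzureRmVM -ResourceGroupName $ResourceGroup -Name $_.VmName -Force
        }
}
```

Schedule this from a scheduled task or Azure Automation at a fixed interval. Note that Get-RDUserSession returns disconnected sessions as well as active ones, so a host is only treated as idle when it has no sessions of any kind; hosts that still hold disconnected sessions stay up until those sessions time out under the collection's session limits.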

For more information, please see Remote Desktop Services, and Microsoft Azure Virtual Machines.

Note: Questions and comments are welcome. However, please DO NOT post a request for troubleshooting by using the comment tool at the end of this post. Instead, post a new thread on the RDS & TS forum or make suggestions on the RDS User Voice forum. Thank you!

PingAccess for Azure AD: The public preview is being deployed!

Howdy folks,

Back in September, I blogged about our exciting partnership with Ping Identity.

Since then, Microsoft and Ping Identity have worked closely together to extend the capabilities of Azure AD Application Proxy to support new kinds of on-premises applications using Ping Access.

I’m happy to announce today that PingAccess for Azure AD is now ready for Public Preview and is currently being deployed across Azure AD data centers around the world. Many of you in North America will see it turn on today and it should be available to everyone by the end of the day Friday, 3/24/2017.

I’ve invited one of the program managers on our team, Harshini Jayaram, to share more details in a blog, which you’ll find below. We hope you try it out and look forward to hearing what you think!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi all,

We already have many customers using Application Proxy to provide single sign-on (SSO) and secure remote access for web applications hosted on-premises. Many of them use this product for applications such as local SharePoint sites, Outlook Web Access for local Exchange servers, and other business web applications. It is a simple, secure, and cost-effective solution:

  • Simple: You don’t need to change the network infrastructure, put anything in a DMZ, or use VPN.
  • Secure: Application Proxy only uses outbound connections, giving you a more secure solution. It also works with other security features you’ve seen in Azure such as two-step verification, conditional access, and risk analysis. Learn more about this in Security considerations for Azure AD Application Proxy.
  • Cost-Effective: Application Proxy is a service that we maintain in the cloud, so you can save time and money.

Right now, all those benefits of Application Proxy are available for many different types of applications, including:

  • Web applications using Integrated Windows Authentication
  • Web applications using form-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway

If you want more details, you can check out our Application Proxy documentation. For this blog, I want to focus more on how we’re adding header-based applications with this new public preview!

PingAccess for Azure AD enables more apps!

Our customers have consistently asked for Application Proxy to also support apps that use headers for authentication, such as Peoplesoft, Netweaver Portal, and WebCenter. To enable this capability for our Azure AD Premium customers, we have partnered with Ping Identity. Ping Identity’s PingAccess now allows Application Proxy to support apps that use header-based authentication.

PingAccess is installed on-premises. For apps that use header-based authentication, Application Proxy connectors route traffic through PingAccess. Existing App Proxy applications are not impacted and use the current flow with no changes. An overview of this flow is shown below, and you can always check out our overview documentation for more on App Proxy flows.

Figure 1: Application Proxy + PingAccess Infrastructure Overview

PingAccess is a separately licensed feature, but your Azure Premium licenses now include a free license to configure up to 20 applications with this flow. If you have more apps, you’ll need to get a license through Ping Identity.

Joining the Preview

We are excited to have you join our preview! To get started you need to:

  1. Configure Application Proxy Connectors
  2. Create an Azure AD Application Proxy Application
  3. Download & Configure PingAccess
  4. Configure Applications in PingAccess

Just head to our Application Proxy + PingAccess documentation for a walkthrough of each of these steps.

We hope you enjoy trying this preview! As always, we’d love to hear from you with any questions, comments, or feedback, so please leave us a comment or reach out to us directly at


Harshini Jayaram

First ever #AzureAD AMA results

Howdy folks,

On March 9th, the Azure AD team hosted its first "Ask Me Anything" (AMA) on Reddit. A bunch of us gathered in a big conference room, and even more of the team joined on a Skype call (sadly, the Skypers didn't get any of the snacks or pizza). And so many of you asked such great questions that we learned a lot ourselves. Thank you for participating!

If you haven't had a chance to go through the thread yet, I recommend you take a look. There's a lot of interesting and valuable information there.

Just about to start!

Everyone hard at work AMAing

So how did it go? Pretty awesome! Some quick stats:

  • More than 50 people from our team participated, and some of our wonderful MVPs and representatives from our Microsoft partner teams joined, as well
  • We had 102 top-level questions (29 per hour) and 449 total comments (128 per hour)
  • Our post was upvoted by 96% of people with a total of 72 points. This compares with:
    • 25 – average number of points for all other /r/Azure AMAs (a 284% increase!)
    • 89% – average upvote percentage for all other /r/Azure AMAs (a 7.8% increase!)
  • We answered 99% of questions during the event
  • The Azure AD AMA page had 2,586 hits in the five days surrounding the event, and is still getting 60-100 hits per day

For questions per hour, total comment count, and response rate, we're the new AMA champions at Microsoft. The SQL team has us beat for total number of questions, though, so we'll definitely host another AMA in the future and try to knock them off the top. We're looking forward to it and hope you'll join us!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Lululemon’s Corporate Technology Manager talks about Employee Discounts, How to Effectively Embrace Shadow IT, and Clicking Things 57 Times

In the second half of my conversation with Simon Cheng (Manager of Corporate Technology at Lululemon) we talk about how often he gets requests for discounts on Lululemon gear, as well as how his IT organization has structured its infrastructure to support the company's culture and the needs of its workforce to operate in ways that suit their roles and working preferences. His team has developed some ingenious ways to use technology to extend Lululemon's positive culture to offices all over the world.

Simon also talks about how he uses Shadow IT to learn about the needs of a workforce that is changing demographically and has expectations for new or evolving ways to work. I really recommend this section of our discussion (around 2:34).

He also shares a really valuable insight about designing technology with the end user in mind. Clicking through countless screens is easy for engineers but not much fun for someone who's racing to get work done.


To Learn more about Microsoft Enterprise Mobility + Security, visit:

Next week I talk with the fascinating mobile security company Lookout.

You can subscribe to these videos here, or watch past episodes here: www

Microsoft Enterprise Mobility + Security and the Microsoft Graph API

Across the more than forty thousand customers that Enterprise Mobility + Security (EMS) serves today, there's a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their business. Some customers choose to manage their mobility solutions internally, while others choose to work with a managed service provider to manage on their behalf. Regardless of the structure, our goal is to enable IT to easily design processes and workflows that allow them to be more empowered and efficient.

As the Microsoft Intune and Azure Active Directory admin experiences come together in Azure, we're taking an important step forward in our ability to offer EMS customers more choices and capability. Built on the Microsoft Graph API, the new Intune and Azure AD experience on Azure opens a new set of possibilities for our customers and partners to simplify, automate, and integrate their workloads.

Microsoft Graph API connects developers to the data that drives productivity: mail, calendar, contacts, documents, directory, devices, and more. It serves as a single interface where Microsoft services can be reached through a set of REST APIs. With our shift to Azure and the Microsoft Graph API, customers now have the choice to manage the administration and operation of Intune and Azure AD services in the new Azure console or through the Microsoft Graph API. The scenarios that the Microsoft Graph API enables are expansive; we expect the value to you and all our customers to center on three core benefits:


Microsoft Graph API is accessible through several platforms and tools, including REST-based API endpoints and most popular programming and automation platforms (.NET, JS, iOS, Android, PowerShell). Resources (user, group, device, application, file) and policies can be queried through this API, and formerly difficult or complex questions can be addressed via straightforward queries. For example, you can use the Graph APIs to check the compliance state of all your Intune-managed devices and feed this data into your existing reporting system, enabling a simple, yet powerful, reporting experience across your organization.
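The compliance-reporting query mentioned above, written out as an added example (not Microsoft's documentation sample): it pages through the managedDevices collection on the Graph beta endpoint the post refers to, totals devices by compliance state, and separates out non-compliant devices that have not checked in for a week, since a stale compliance state is the most common way such a report misleads. The function assumes the caller already holds a bearer token with the DeviceManagementManagedDevices.Read.All permission; the seven-day staleness threshold is an assumed value.

```powershell
# Added example, not Microsoft's own code. $AccessToken is assumed to be a Graph
# bearer token whose app or user has DeviceManagementManagedDevices.Read.All.
function Get-IntuneComplianceSummary {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [int]$StaleDays = 7   # assumed threshold for "has not synced recently"
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    # $select keeps the payload small; single quotes stop PowerShell expanding '$select'.
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices?$select=deviceName,operatingSystem,complianceState,lastSyncDateTime'

    # Graph returns results in pages; follow @odata.nextLink until it is absent.
    $devices = @()
    while ($uri) {
        $page     = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $devices += $page.value
        $uri      = $page.'@odata.nextLink'
    }

    # Count devices per complianceState (compliant, noncompliant, unknown, ...).
    $byState = $devices | Group-Object complianceState | ForEach-Object {
        [pscustomobject]@{ ComplianceState = $_.Name; Count = $_.Count }
    }

    # Non-compliant devices that have not synced in $StaleDays: their state may be
    # out of date, so they deserve follow-up rather than an automatic block.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $stale  = $devices | Where-Object {
        $_.complianceState -ne 'compliant' -and ([datetime]$_.lastSyncDateTime) -lt $cutoff
    } | Select-Object deviceName, operatingSystem, complianceState, lastSyncDateTime

    [pscustomobject]@{
        Total             = $devices.Count
        ByState           = $byState
        StaleNonCompliant = @($stale)
    }
}

# Usage (token acquisition is outside this example):
# $report = Get-IntuneComplianceSummary -AccessToken $token
# $report.ByState | Export-Csv .\intune-compliance.csv -NoTypeInformation
# $report.StaleNonCompliant | Format-Table
```

Exporting the ByState table to CSV is the hand-off point into an existing reporting system; the StaleNonCompliant list is the part worth reviewing by hand, because a device that reports non-compliant but has not synced for a week may simply be off, retired, or blocked from reaching the service.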


The Microsoft Graph API allows you to connect different services and automate workflows and processes between them. For example, you could connect your HR system with the Microsoft Graph APIs to automate the provisioning of mobile devices when you're onboarding a new employee, and set up automation to retire and wipe a device as employees leave the company. If you are a service provider managing the environments of multiple customers at once, you could use these capabilities to automate the onboarding of tenants, populating them with default policies and implementing industry-specific templates. All this can be set up to happen automatically without ever opening a management console.


The Microsoft Graph API can send detailed device and application information to other IT asset management or reporting systems. You could build custom experiences which call our APIs to configure Intune and Azure AD controls and policies and unify workflows across multiple services. For example, a help desk organization might build a custom solution that incorporates Intune functionality into their console, allowing them to manage device and application policies in a unified way alongside other helpdesk tasks. You can even connect with PowerBI and other analytics services to create custom dashboards and reports based on Office 365, Intune, and Azure AD data from the Microsoft Graph API.



The new Intune for Education experience and the OneDrive for Business console, where Intune app protection policies are now built in directly, are both great examples of new experiences that are made possible because Intune and Azure AD are built on the Microsoft Graph API. We're also working directly with several partners who are starting to explore what's possible with our APIs in preview. It's exciting to see the ideas they come up with around how these capabilities will improve their processes and workflows, and the custom solutions they will enable.

The Intune and Azure AD APIs are available in preview now as part of the Microsoft Graph API beta and will be generally available later in 2017.* For a closer look, check out the documentation on how to use the Intune and Azure Active Directory APIs.

*Use of a Microsoft online service requires a valid license. Therefore, accessing EMS, Microsoft Intune, or Azure Active Directory Premium features via Microsoft Graph API requires paid licenses of the applicable service and compliance with Microsoft Graph API Terms of Use.

This is a Can’t-Miss Episode of “The Endpoint Zone”

Maybe I’m biased, but I think every EPZ episode is great – but this one is GREAT.

In this episode we dive in on a couple of EMM stats that I think you'll find pretty shocking, as well as:

  • A bunch of new EMS demos.
  • OneDrive for business policy integration in the Office 365 console
  • Custom dashboards with PowerBI
  • Conditional Access policy that lets you express organizational risk tolerance
  • Device compliance
  • And the new Intune on Azure Console!


Microsoft Teams is now generally available — and MAM enabled on iOS and Android!

Great news – today Microsoft announced the general availability of Microsoft Teams! We're excited to share this huge milestone and announce that the updated Microsoft Teams apps are now enabled with Intune MAM capabilities, so you can empower your teams to work freely across devices while ensuring that conversations and corporate data are protected at every turn. The Microsoft Teams apps support Intune MAM app-level data protection with or without MDM device enrollment. Look for them in the Google Play and iOS App stores today. Support for Microsoft Teams in the Intune admin console is currently being rolled out.

Microsoft Teams is a chat-based workspace in Office 365 that brings together people, conversations, and content in a fresh new way that takes the work out of collaboration and makes it easy for teams to stay on the same page and achieve more. Microsoft Teams goes way beyond chat, giving you easy access to the tools your people depend on every day: Word, Excel, PowerPoint, OneNote, SharePoint and Power BI are all built in, so you're never more than a click away from getting things done. And it's customizable, allowing you to create a workspace that fits the unique needs of every team.

With the Teams apps for iOS and Android, work gets done anywhere – you can collaborate with partners and contribute to projects, even on the go.

Here's a great article if you're looking for more details on Intune MAM policies. Visit the What's new in Microsoft Intune page for more on these and other recent developments in Intune.

Additional Resources

Technology Manager at Lululemon Discusses Planning for a Mobile Workforce & Weighing Pros and Cons of Early Adoption

Simon Cheng is the Manager of Corporate Technology at Lululemon and he was nice enough to make the trip down from Vancouver so that we could drive around and ostensibly get lunch.

The work Lululemon has done with their infrastructure is fascinating: The IT team has built a network tailored to the needs of a mobile and widely distributed workforce. This means they understand that corporate devices will also have personal uses, that data is going to move back and forth across the perimeter constantly, and that their security and identity management has to account for all of this.

Simon also has a very interesting perspective on early adoption: much like Accenture, Lululemon was using Office 365 back before it had a name. Any early adoption comes with risks, and Simon has worked first hand with these benefits and setbacks. I like how he explains it: "You have to balance what you get with bumps in the road."

To learn more about how top CIOs stay secure + productive, check out this new report.

Next week, Simon and I talk about how Lululemon uses technology to support its culture, the steps they took to build an infrastructure that supports a wide variety of work styles, and how he uses Shadow IT as a learning tool.

You can also subscribe to these videos here, or watch past episodes here: www

Conditional Access “limited access” policies for SharePoint are in public preview!

Howdy folks,

Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.

But not anymore! Working with the SharePoint team, we’ve created a great new feature in the conditional access experience that I think you’re going to love: the ability to limit a user’s ability to download, print and sync based on the state of their device.

To tell you more about it, I’ve invited one of my program managers, Nitika Gupta, to write a blog, which you’ll find below. Read up, try things out, and let us know what you think!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi folks,

I’m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.

Microsoft Intune and Azure Active Directory conditional access provide the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn’t get on to a machine that isn’t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.

Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren’t enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.

But what if we could have great user productivity and maintain a great security posture? That’s what the Secure, Productive Enterprise is all about and why I am thrilled to announce the public preview of the “Limited Access to SharePoint and OneDrive” feature! Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.

Let me show you how it works in Azure AD Conditional Access and SharePoint!

Getting started

Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our limited access documentation for more detailed instructions.

  1. First create an Azure AD Conditional Access policy for SharePoint that applies only to browser client apps, with “use app enforced restrictions” as the session control.

     Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend also enabling an Azure AD conditional access policy that allows access from mobile and desktop apps only from a compliant or domain joined device.

  2. Next, go to device access in the SharePoint admin center and select the checkbox “Allow limited access (web-only, without the Download, Print, and Sync commands)”.

Note: It can take up to 15 minutes for policy changes to take effect.
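The same two-step setup expressed as script rather than portal clicks, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell; policy names and the break-glass exclusion are assumptions, and the SharePoint Online application ID is the well-known one.

```powershell
# Added example: scripted version of the two-step limited-access setup.
# Assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are
# installed and the signed-in admin holds the Conditional Access and SharePoint admin roles.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online app ID
$breakGlassAccount     = "<break-glass-account-object-id>"        # placeholder: always exclude an emergency account

# Step 1: browser sessions from any device are allowed, but the session control tells
# SharePoint to apply its own restrictions (no download, print or sync) for unmanaged devices.
$browserPolicy = @{
    displayName = "SharePoint - browser limited access (unmanaged devices)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after validating sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccount) }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $browserPolicy

# Tip from the post: without this second policy a user on an unmanaged device could simply
# open the mobile or desktop client instead of the browser and sync the content anyway.
$richClientPolicy = @{
    displayName = "SharePoint - mobile and desktop apps require a managed device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccount) }
        applications   = @{ includeApplications = @($sharePointOnlineAppId) }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"                                   # compliant OR hybrid Azure AD joined is enough
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $richClientPolicy

# Step 2: tell SharePoint to honour the app-enforced restriction with limited (web-only)
# access instead of blocking unmanaged devices outright.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant name
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Check: the tenant setting and both policies should read back as configured.
Get-SPOTenant | Select-Object ConditionalAccessPolicy
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "SharePoint - *" } |
    Select-Object DisplayName, State
```

Leave both policies in report-only until the sign-in logs show only the expected sessions being limited or requiring a managed device, then switch the state to "enabled".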

End user experience

When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.


We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.


Nitika Gupta


What is Happening Inside Enterprise Mobility?


I recently met with Nick McQuire from CCS Insights to see some of his new research on Enterprise Mobility. I really encourage you to read the blog post.

In the post, Nick describes the trends and changes he discovered in the data gathered from a survey of more than 400 mobile technology decision makers in the United States and Europe. Two of the points in his report stood out to me:

Acceleration of Windows 10 Deployment & the Convergence of PC and Mobile Device Management

The CCS research identifies the same trends we have been seeing in both the acceleration of Windows 10 adoption, as well as the convergence of the PC Management and Enterprise Mobility Management teams and strategies. According to the survey:

  • 86% of firms stated they would upgrade their Windows PCs to Windows 10 within 3-4 years.
  • 47% of those orgs say they will upgrade in the next 12 months.
  • 83% of the firms said they planned to converge their PC management and Enterprise Mobility management strategy and teams.
  • 44% of firms say they planned to do this convergence within the next 12 months.

These figures match the feedback we’re getting in just about every one of our customer conversations. To give you a sense of what we see internally, here are some data points we’ve found in the telemetry that comes back to Microsoft from millions of devices around the world:

  • We see a significant acceleration in the rate of Windows 10 deployments worldwide.
  • I am tracking dramatic growth on a weekly and monthly basis that shows almost all of these new Windows 10 devices are deployed and managed through ConfigMgr and Intune.
  • It’s not surprising to see that 99%+ of the Windows 10 devices reporting telemetry to Microsoft are being managed by ConfigMgr or Intune, with the majority of the Windows 10 devices being managed by ConfigMgr.
  • Of the 85M monthly active users of Office 365, over 95% of the cloud identities are being managed by Azure Active Directory (Premium). If you are using something else as your IDP, you are built on a configuration that is not widely used. You can massively simplify if you move to just use what comes from Microsoft.
  • Our most recent quarterly earnings revealed that EMS grew more than 135% over the previous quarter, a staggering 400% faster than the nearest EMM provider.
  • We now have the largest EMM customer base with more than 41k unique customers, which is 200% – 300% larger than other EMM providers.
  • The Enterprise Mobility + Security (EMS) suite from Microsoft is the largest Enterprise Mobility Management (EMM) and Identity as a Service (IDaaS) solution in the market.

Leading enterprise organizations are successfully converging their PC management and EMM strategies with ConfigMgr and EMS, and we have built an integrated solution that enables your Active Directory and ConfigMgr investments, as well as your organization’s expertise, to be easily extended to managing mobile devices, cloud identities, and the SaaS apps your employees are using.

If you’re defining and implementing your go-forward strategy for bringing together your PC management, Enterprise Mobility management, and Identity protection/management strategies, I am convinced the solution will most likely be based on AD/ConfigMgr + EMS.

SaaS apps are the most used apps on mobile devices

Another part of the CCS research that I found really interesting was this data about the most commonly used apps on employees’ mobile devices:

See any patterns?

Here is another view of this same list categorized by regular, occasional, and rare usage.

As I was looking over these two tables, two big things jumped out to me:
  • The most commonly used apps are predominately SaaS apps. It really is a mobile-first, cloud-first world!!
  • EMS has the most comprehensive solution for managing the most-used apps.

EMS has integrated with all of the SaaS apps noted above to provide a great single-sign-on experience for users, as well as give IT the ability to bring these SaaS apps under management (here’s how to get it up and running). With each of these SaaS apps, EMS offers the ability to provide real-time conditional access (block/allow) based on risks associated with the user identity, the device being used, the app being used, and the physical location of the user/device. One of the most important things that we provide for each of these SaaS apps is the ability to identify user accounts exhibiting suspicious behaviors (indicating a compromised user account) while attempting to access corporate content. The conditional access capabilities within EMS protect this access to company data in the SaaS services.

You also need the ability to protect the data when it is accessed and stored on mobile devices. The concept here is pretty well understood, e.g. you need to separate company data from personal data and apply data loss prevention policies to the company data (while staying away from that personal data). This is usually referred to as Mobile Application Management, containers, application configuration, etc. Looking at the lists above, EMS has the broadest support and depth of management for the apps associated with these services.

EMS provides the broadest and most comprehensive solution for managing, protecting, and securing company data in these SaaS apps while at the same time providing a wonderful and empowering experience for your users.

Perhaps my favorite statement from the CCS research is the following:

A hot question I hear often from IT leaders is “Who’s winning in this market?” Over the past 12 months, judging by our survey, the answer is Microsoft. Propelled by a big year in security, cloud, productivity apps and the positivity surrounding Windows 10, Microsoft has grown its brand credibility significantly, especially against Apple.

We are humbled by the incredible excitement and interest we’re seeing in the work we’ve done with Windows 10, ConfigMgr, and EMS. As we continue building and delivering these services, one of the things that I’m most pleased about is the feedback from those who are benefitting from how different Microsoft is today compared to just a couple years ago. It is very rewarding to hear that our efforts to listen to customers and to adjust what we’re delivering based on those needs are making a difference. This emphasis on agility and customer-centricity is really exciting to see in action.

Microsoft Mechanics Video: New Conditional Access capabilities in Azure AD and Enterprise Mobility + Security!


Howdy folks,

I’ve talked and written a lot about the vision of Identity as the New Control Plane.

This is based on the idea that as more and more of a company’s digital resources live outside the corporate network, in the cloud and on devices, a great cloud-based identity system is the best way to maintain control over and visibility into how and when users access corporate applications and data.

The conditional access system in Azure AD Premium and the Enterprise Mobility + Security suite is the engine that makes this control plane vision a reality. It gives you, the enterprise admin, the ability to create policy-based access rules for any Azure AD-connected application (SaaS apps, custom apps running in the cloud, or on-premises web applications). Azure AD evaluates these policies in real-time, and enforces them whenever a user attempts to access an application.

Simon May and I just filmed a short ~10 minute video for Microsoft Mechanics, where we discuss Azure AD’s Conditional Access system and the many improvements we’ve made recently, which you’ll find below. In the video I demonstrate the improved user experience, how company data is protected without impacting productivity, and the improvements we’ve made to the IT admin experience.

Contextual controls and the unified administration experience

One of the biggest improvements we’ve made is an expanded set of contextual controls, so you can adjust user access based on the type of app, specific user permissions, where the app is accessed from, and whether the user is on a compliant device.

We’ve also made it easier to implement these controls with the new unified administration experience in the Azure Portal, which provides an all-in-one admin experience across Azure AD and Microsoft Intune.

Now you can establish multiple policies per app, share policies across applications, or set default policies globally for your whole tenant. And when you set risk-based conditional access controls, machine learning will be continuously safeguarding access to your apps and data in real-time.

Check out today’s show to see these capabilities in action, try it out for yourself, and learn more on our documentation page. And, as always, let us know what you think! We’re listening.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

The final push to GA Azure AD in new Azure Portal: We need your help!


Howdy folks,

Last September we shared the first preview of the new administration experience for Azure Active Directory in the new Azure portal. Since then, we’ve added lots of new functionality, including reporting, app management, conditional access, B2B, and licensing.

Many of you are using the new experience regularly; in fact, over half a million of you are using it, from almost every country in the world, with usage increasing by about 25% each month. We appreciate all your positive feedback, and love the constructive feedback that’s helped us make an even stronger product. But there are still a LOT of you using the old portal.

Late last week we turned on another set of feature updates, and the new experience now has all of the features identity admins frequently use. With that update, we’ve entered our final push to GA the UX in the next ~60 days.

And that’s where we need your help: we need everyone to move over to using the new portal for production tasks so we can uncover any last minute lingering issues.

What to expect

We took the opportunity of redesigning this experience to optimize some of our features, so you might not immediately recognize everything in the new portal. For example, since reporting is a key part of the value of Azure AD, we’ve made activity information more accessible and powerful. We’ve written a helpful article to help you transition to the new model.

There are other differences, too. Some functionality that was part of Azure AD in the classic portal will be integrated differently in the future. Azure Rights Management Services has matured into Azure Information Protection. We’ve previously shared the plans for Access Control Namespaces.

We also have a few features we’re still transitioning: Azure Active Directory Domain Services, MFA provider management, schema editing for provisioned apps, and a few reports including enterprise state roaming status, invitation summary, unlicensed usage, and MIM hybrid reports.

Let us know what you think!

Over the next month or so, as we work to make Azure Active Directory generally available in the new Azure portal, we’ll be completing transition of the last few features, ironing out some usability issues, fixing any bugs we find, and responding to your feedback. But even when we GA, we’re not going to stop. We’ll continue to work to make the experience of administering Azure Active Directory richer, more streamlined, and efficient, and we appreciate your help. Send us your feedback in the ‘Admin Portal’ section of our feedback forum.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

CIO of eBay Defines “Success” in IT & Discusses Integrating Legacy Systems with New Infrastructure


In the second half of my discussion with Dan Morales (CIO, eBay) we had to edit out a discussion about the weirdest stuff ever sold on the site, but we do talk about a moment when he thought he had failed, but then realized he had succeeded, but then it dawned on him that it was more of a fail-success. Faiccess, maybe? It turns out that migrating to Office 365 has gotten so easy that no one notices it happened but that may mean no one is using all the great features.

Dan also talks about how he’s removed the friction caused by thousands of global workers carrying countless different devices that access both old and new apps within the same infrastructure. His insights are really valuable for any IT team working with thousands of users, legacy systems, and multiple offices. When it comes to security: security done right is hidden.

To Learn more about Microsoft Enterprise Mobility + Security, visit:

Next week, I meet up with Simon Cheng from Lululemon.

You can subscribe to these videos here, or watch past episodes here: www

Automate Advanced Threat Analytics Lightweight Gateway deployment with PowerShell


Guest post by Cathy Smith, Senior Consultant, Cybersecurity Group. This blog discusses an open-source project that Cathy leads that automates ATA Lightweight Gateway deployment with PowerShell. We are happy to share this project and encourage the ATA ecosystem to contribute here!

Advanced Threat Analytics (ATA) Version 1.6 introduced a new deployment option, the ATA Lightweight Gateway, to allow customers to deploy the ATA Gateway directly on a domain controller, without the necessity of a dedicated ATA Gateway server and the added complexity of port mirroring from the domain controller to the ATA Center.

As customers have embraced this new paradigm, some of our engagements have asked us to deploy the ATA Lightweight Gateway to dozens, if not hundreds, of domain controllers. This scenario is common when there are multiple branch sites and IaaS deployments. The current deployment model does not support scaling to this level.

In an effort to help my customers deploy to multiple branches, I wrote a PowerShell script to read a list of servers from a file and deploy the ATA Gateway to each server. This allows us to strategically roll out and deploy across the enterprise. We can select the appropriate groups of servers to deploy to maintain availability across the enterprise.

This script has been tested with standalone ATA Gateway servers as well as Lightweight Gateways. These servers are Windows Server 2012 R2. The script was written and tested with PowerShell ISE version 5.0.

Because the installation command runs in quiet mode (/quiet) it is not currently possible to capture any error messages that may be the result of installation failure. As a workaround, I have used the ATA Center console to determine if Gateways have not installed correctly. This is an area for future enhancement.

Another possible enhancement would be to run the deployments asynchronously, to scale to even larger deployments. I decided to write this synchronously initially, to avoid flooding the Center with new gateways.

I hope our customers will find this useful in their large scale deployments. The code is available at my GitHub site.
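A minimal version of the roll-out described above, written here as an added illustration rather than taken from Cathy's project. It keeps the synchronous, one-server-at-a-time approach but records each installer's exit code so that failures hidden by quiet mode still show up in a log. Assumptions: servers.txt (constructed input) lists one domain controller per line, the C$ admin share is reachable, the ATA Center console account is a dedicated low-privilege account, and the silent-install switches follow the ATA silent-installation documentation for your ATA version (verify them against it).

```powershell
# Added example, not the project's script: sequential ATA Gateway deployment with
# per-server exit-code logging. The installer switches are taken from the ATA
# silent-install documentation and are an assumption to verify for your version.
param(
    [string]$ServerListPath   = ".\servers.txt",                                   # constructed: one DC hostname per line
    [string]$InstallerSource  = "\\fileserver\ata\Microsoft ATA Gateway Setup.exe", # placeholder share
    [string]$RemoteStagingDir = "C:\ATAInstall",
    [string]$ResultLog        = ".\ata-gateway-rollout.csv"
)

# Prompt for the console account instead of hard-coding it, so no password
# lives in the script or in source control. Use a dedicated, least-privileged account.
$consoleCred   = Get-Credential -Message "ATA Center console account used by the gateway install"
$plainPassword = $consoleCred.GetNetworkCredential().Password

$servers = Get-Content -Path $ServerListPath | Where-Object { $_.Trim() -ne "" }

$results = foreach ($server in $servers) {
    Write-Host "Deploying ATA Gateway to $server ..."
    try {
        # Stage the installer on the DC's local disk: the remote session then reads a
        # local file and needs no delegated credentials for a network share (double-hop).
        $remoteShare = "\\$server\" + ($RemoteStagingDir -replace ':', '$$')   # C:\ATAInstall -> C$\ATAInstall
        New-Item -ItemType Directory -Path $remoteShare -Force | Out-Null
        Copy-Item -Path $InstallerSource -Destination $remoteShare -Force

        $exitCode = Invoke-Command -ComputerName $server `
            -ArgumentList $RemoteStagingDir, $consoleCred.UserName, $plainPassword `
            -ScriptBlock {
                param($dir, $user, $pass)
                $setup     = Join-Path $dir "Microsoft ATA Gateway Setup.exe"
                # Documented silent-install arguments (assumption: confirm for your ATA version).
                $setupArgs = "/quiet NetFrameworkCommandLineArguments=`"/q`" " +
                             "ConsoleAccountName=`"$user`" ConsoleAccountPassword=`"$pass`""
                # -Wait keeps the roll-out synchronous; -PassThru returns the process
                # object, whose exit code is still available even though /quiet shows nothing.
                $proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
                $proc.ExitCode
            }

        # A non-zero exit code is the signal to go and look at that gateway in the ATA Center console.
        $status = if ($exitCode -eq 0) { "Installed" } else { "Failed - check ATA Center" }
        [pscustomobject]@{ Server = $server; ExitCode = $exitCode; Status = $status; Time = Get-Date }
    }
    catch {
        # Connectivity or copy failures never reach the installer; record them separately.
        [pscustomobject]@{ Server = $server; ExitCode = $null; Status = "Error: $($_.Exception.Message)"; Time = Get-Date }
    }
}

$results | Export-Csv -Path $ResultLog -NoTypeInformation
$results | Format-Table -AutoSize
```

Because the ATA silent installer takes the console account password as a command-line argument, that value is briefly visible in the installer's process command line on each DC, which is another reason to use a dedicated account and rotate its password after the roll-out.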

Azure Information Protection: Ready, set, protect! – Part 2


Part 2 – Adopt a data-centric protection strategy

This post is the second in a 4-part series focusing on how to implement information protection in your organization.

In Part 1 of the series we showed you how to get going with classification and labeling, and FAST. In this next post in the series we are going to focus on how you can take the learnings and benefits from that and protect your information.

What is data-centric protection?

Traditional information protection solutions focused a lot on control. Network security solutions such as firewalls and proxies made sure sensitive information never left corporate boundaries. Device security solutions ensured protection of sensitive data as long as the data was contained within the managed devices and apps. This works great if your data is being accessed by internal users on managed devices. But today data is travelling further and faster, and with rapidly increasing collaboration scenarios, these lines of defense fall short. Once your data is shared with external parties or stored in locations where you have absolutely no control or visibility, what then? This is where data-centric protection can help you.

How does this help you?

If there is anything you should deeply internalize, it’s that data-centric protection is a journey, not an event. Like any security approach, there is no magic wand to wave; you need to invest in the process and evolve along with threats, users’ work styles and technology advances. Doing nothing is not an option, so that leaves doing something! If you have nothing in place right now, getting started moves you from zero to something!

For a broader data-centric security strategy, you should have a holistic approach and consider technologies such as data classification, watermarking, data loss prevention (DLP), conditional access and cloud access security broker (CASB). This will help you gain control over data in heterogeneous environments and also address most of your data loss challenges. Let’s see how we, as your enterprise security partner, can help you with this strategy by exploring a native, a DLP, and a CASB scenario.

Scenario 1: Identify sensitive data and apply protection automatically

You can create sensitivity labels and configure policies for actions to occur, whether that be after a user manually selects a label, or through content detection (conditions) that makes recommendations or just applies the label automatically.

  1. Choose default labels or customize per your needs. For guidance on labels, refer to Part 1.

  2. If you wish to do content detection, define conditions that look for patterns in data, such as words, phrases or expressions. You can select from preconfigured rules or customize to meet your requirements, as well as choose how many occurrences need to exist before the condition is met. In the example below, we want data to be automatically labeled as confidential if there is at least one occurrence of a credit card number.

  3. Define the actions that will be executed when the label is applied. You can automatically apply protection (using Azure RMS or AD RMS with HYOK) as well as visual markings such as watermarks, headers and footers.

You can follow our technical documentation on configuring policies which has the complete set of options, so you can test these options yourself.

Scenario 2: Control information flows using a DLP engine

You can leverage your existing border gateway and information flow controls (such as mail gateways, content scanning and DLP engines) to create rules on how to manage information. As recommended in Part 1, if your data is classified and labeled appropriately, you can also set up your DLP engine to read the labels and take actions accordingly.

In the example below, we have an Exchange Online rule that looks for email attachments that contain data labeled as Internal and blocks such emails when shared with external recipients.


Scenario 3: Monitor the flow of sensitive data to cloud environments using CASB

As sensitive data travels to cloud environments, it becomes critical to monitor how the data is being used, shared or distributed. You can configure policies for a CASB solution to look for sensitive data in cloud environments and take actions or get alerted in case of abnormal behaviors.

In the example below, we have configured an alert for when a document with the Confidential label is traveling to an external location.

You can refer to this blog on how the integration of Azure Information Protection and Cloud App Security works along with technical guidance on how admins can gain visibility and control over sensitive data in cloud environments.

How to drive this change across your organization?

Information protection touches the day to day operations of the entire organization. How do you bring everybody along so they comply versus block? Here are some tips that can help you.

  • Start with our default labels! We put a lot of effort and research into these, and they meet a large majority of customer needs.
  • Start SMALL. Establish your first use case and scenario; pick something that allows you to learn and to gain confidence. Then your second, third… you get the idea.
  • Use protection templates to define permissions, and include groups for easy management.
  • Work with your desktop and mobile management teams. They can help you package updates, clients and apps so that they are in place on devices prior to users needing them. This smooths the user experience.

Thank you,

Dan Plastina on behalf of our enthusiastic Azure IP team.

Twitter: @DanPlastina

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

First ever Azure AD Ask Me Anything (AMA)! March 9th, 10am – 1pm Pacific


Howdy folks,

I’m excited to announce that we’re going to host our first ever Azure AD Ask Me Anything session!


March 9, 2017 from 10:00 am to 1:00 pm
Pacific Time. You’ll be able to access the AAD AMA when it goes live on March 8.

What’s an AMA session?

We’ll have folks from across the Azure Active Directory Engineering team available to answer any questions you have. You can ask us anything about our products, services, or even our team!

Why are we doing an AMA?

As you know, we love learning from our customers and the overall identity community. We want to know how you use Azure Active Directory and how your experience has been using it. Your questions provide insights into how we can make the service better.

Who will be there?

Well, first we really hope you’ll be there! We’ll have a broad set of Program Managers and Developers from the Azure Active Directory team participating throughout the day.

Go ahead, ask us anything about our public products or the team. But please note, we cannot comment on unreleased features and future plans.

So head over to the Azure Active Directory AMA on March 9! We’re looking forward to having a conversation with you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division
