Active Directory (English)

Improving experience for VPN profiles for ConfigMgr and Hybrid MDM


Starting in the System Center Configuration Manager 1709 Technical Preview, we’re making it easier to determine which VPN profile settings are supported on each platform – like the changes we’ve made to compliance policies and configuration items. When creating a new VPN profile, you’ll first choose the platform it applies to, and then all the settings in the following wizard pages will apply to the selected platform. This will make it much easier to avoid creating an invalid profile – which will in turn reduce the need to troubleshoot broken VPN profiles or to contact support.

We started down this path several releases ago when we split the Windows 10 VPN workflow from the all platforms workflow. Now, we’ve split up all the supported platforms so they’ll each have their own path.

In addition to splitting out the workflows by platform, we’ve also combined the Configuration Manager client and hybrid mobile device management (MDM) workflows for Windows 10, since both management methods now support the same settings. For Windows 8.1, we’ve clearly marked the settings supported by Configuration Manager only, and we’ve retained the import option.

Finally, we’ve removed the Automatic VPN page, since all the settings configured by this page were deprecated by their respective platforms, making this page obsolete.

In this blog post, we’d like to answer some questions you may have.

Why did you make this change?

The main driver for this change is to prevent customers from inadvertently creating invalid VPN profiles. Prior to this change, all VPN settings for all platforms supported by Configuration Manager were exposed in the all platforms workflow. Some settings were labeled by platform (specifically, per-app VPN for iOS), but beyond this it was difficult to tell which settings applied to which platform; also, the Automatic VPN page was still there even after it had become obsolete.

Customers and support staff would then ask why a specific configuration wasn’t working correctly. In most cases, they had created a profile with settings that were not supported by the platform. Sometimes the setting was supported for one of the targeted platforms, but not another, and it was impossible to tell from the user experience. Finding out that the configuration the customer wanted to use wasn’t supported was disappointing and frustrating for everyone involved. These changes are designed to prevent these issues.

In earlier releases, we made similar changes in compliance policies and configuration items for the same reason. VPN is the first of the company resource access profiles to get this treatment, and while it was mainly designed to improve the experience for MDM profiles, the updates benefit devices managed by the Configuration Manager client as well – particularly because the Windows 8.1 settings are clearly set apart from all the mobile platforms now.

What about my existing profiles?

We understand that many of our customers use VPN profiles for multiple platforms, and by this point, you might be concerned. However, you don’t need to worry about your existing profiles; one of our goals was to ensure that all existing profiles continue to work as they did before the change. When you upgrade, you will still see the same properties pages, and no changes will be made to the profiles themselves. All new profiles will use the new experience, but all existing profiles will still use the previous experience.

Let us know what you think!

If you’re eager to have similar changes applied to other profile types, please leave a request on UserVoice:

If you still have questions, or are experiencing issues, reach out to your Microsoft contact or support team.

You can also find more information about this change here.


Thanks,

Tyler Castaldo

Program Manager, Enterprise Mobility

Update 1709 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1709 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month’s new preview features include:

  • Co-management – Co-management is a solution where Windows 10 devices with Fall Creators Update can be concurrently managed by Configuration Manager and Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD) to provide a way for you to modernize Windows 10 management over time. You can read more about co-management here.

This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Improved VPN Profile Experience in Configuration Manager Console – VPN profile settings are now filtered according to platform. When you create new VPN profiles, each supported platform will contain only the settings appropriate for the platform. Existing VPN profiles are not affected. You can read more about this change here.

Update 1709 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there’s a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.

Thanks,

The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

Improving access control with three new Azure AD public previews


Howdy folks,

It was great to get to meet so many of you at Ignite last week! Thanks a ton for stopping by the booth and making time to attend our sessions. If you were at Ignite or follow our blog, you know we announced a ton of new Azure AD capabilities last week. As a follow-up, we’re going to do a few posts that cover the new capabilities we turned on in more detail. First up, let’s take a look at some of the new access control features we’ve just put into public preview.

As customers increasingly adopt Azure AD, we’ve received a ton of requests for features that help make sure the right people have access to the right resources, and that give enterprises control of and visibility into this access. In response to that feedback, we’re pushing three new and exciting features in Azure AD to public preview:

  1. Extending Azure AD Privileged Identity Management to include Azure RBAC roles
  2. Automated, periodic access reviews
  3. Automated Terms of Use administration and reporting

Here’s a quick tour of each of these new public previews.

Privileged Identity Management – extended to managing in Azure

Azure AD Privileged Identity Management (PIM) is already generally available for managing Azure AD roles, which are used to administer Azure AD and other Microsoft online services. The top request we’ve seen in the feedback forum for Azure AD PIM is to bring just-in-time role activation, access reviews, and reports to Azure resources. We know these upgrades will help organizations address the challenges of large-scale IaaS administration, so we’ve added them and are now making them available in public preview.

This new preview shows up in the Azure portal as part of the Azure AD PIM UI alongside the recent approval workflows preview.

With this Azure AD PIM preview for Azure RBAC, you can now:

  • Ensure the right users are assigned to Azure subscriptions, by starting an access review of any role in the subscription and asking a resource owner or the users themselves to confirm they still need access
  • Control exposure of business-critical Azure assets by making users, either individually or via a group, eligible to activate a role to manage resources
  • Limit how long a user can be activated in a role, and set an expiration date for a user’s or group’s role membership
  • Get reports about users and groups with role assignments in Azure subscriptions, resource groups and resources, who activated their roles, and what users did in Azure while activated
  • Let users take charge of their own role activation, requiring them to provide a justification or to authenticate with multi-factor authentication before they activate a role

For example, you can make a user, including a guest user, eligible for an Azure resource group’s role. Once you’ve done that, that user can activate the role when they need to make a change to the resource, and you can see a report of the changes the user made in Azure while they were activated.

If you’re already using Azure AD PIM, you’ll see “Azure resources” in the Manage section.

If you’re not already using PIM, take a look at the instructions to enable Privileged Identity Management for your directory to get started. Read more about this exciting new preview at PIM for Azure resources (Preview).

Note: Azure PIM is an Azure AD Premium 2 feature.

Access reviews for attestation

The second new feature in preview is access reviews of users in groups and assigned access to applications. We’ve already included access reviews for admins in directory roles in Azure AD PIM, and now we’re expanding how access reviews can be used for groups and application access.

There are quite a few ways to control application access in Azure AD. A lot of organizations use groups in AD or Azure AD to control access. Users can also request application access. And now, the new Office 365 groups feature allows more users across your organization to create their own groups and pick who they want in those groups. (We’ve added a preview of automatic expiration of Office 365 groups to ensure the number of groups doesn’t get overwhelming).

Of course, over time, group memberships and application access assignments can get stale: people change jobs or no longer need access to a particular application. Maybe a guest who was given access isn’t affiliated with their original organization any longer. This staleness can cause a problem for protecting business-sensitive assets or applications subject to compliance. To avoid access getting out of hand, organizations can now schedule access reviews to make sure only the users they want to have access to their assets and applications are able to access those things.

An access review asks users to recertify (or “attest”) to access rights to an app or membership in a group. You can ask users to review their own rights or select reviewers to review everyone in a group or everyone assigned access to an app. You can also ask the group owners to review. And finally, for those organizations that have other processes in place to manage employee access, you can scope the review to include only guest members or guests who have access.

Reviewers will receive an email so they can see the reviews in the access panel. Azure AD includes access highlights and recommendations that help reduce how long it takes for a review to be completed.

The results are aggregated and then, based on those results, the admin can choose when to make changes and remove the denied users’ access.

This particular preview includes access reviews for:

  • Members of Office 365 groups
  • Members of security groups and DLs, including groups originating from on-premises AD
  • Users who have application access, including users who are members of groups assigned to enterprise applications

And we’ll be adding more features and scenarios in the future!

For even more information on access reviews, you can check out the access review overview and turn on the preview for your tenant at https://aka.ms/azureadaccessreviews.

Note: Access reviews are an Azure AD Premium 2 feature

Terms of use

Our third preview being announced today is a terms of use access control we’ve added to Conditional Access.

With terms of use, you can require a user to view and consent to your organization’s terms of use before they’re able to access an application. The terms can be any document relevant to your organization’s business or legal policies. Just start by uploading a PDF of that document to Azure AD, then, through conditional access policies, target the terms to be visible to groups of users or specific applications. If a user is in scope of this control, they’ll only receive access to the application if they’ve agreed to the terms presented.

You can see in the Azure AD audit reports who consented to each terms of use and when they consented.

You can also configure multiple conditional access policies, using different policies for different applications or groups of users. For example, you might want to have everyone who accesses a privacy-sensitive application use multi-factor authentication to sign in and agree to the terms of use for that application.


Read more about this feature at Azure Active Directory Terms of Use (Preview).

Note: Terms of Use is an Azure AD Premium 1 feature

Try them out!

I hope you’ll try out these new features and let us know what you think. If you’re interested in taking these new features for a test drive and you don’t have EMS yet, get a free trial of Enterprise Mobility + Security E5.

Please keep sharing your ideas on the Azure AD feedback forum. We want to hear from you!

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Azure Information Protection Status Update – September 2017


Hello again to our AIP community! In case you missed it, you can find last month’s posting here and, of course, we’re listening to your feedback and feature requests. Speaking of which, it’s been a busy month with a HUGE set of updates both to the client and for admins!

Before we get into those details, please take a minute to look at all the announcements we made at Ignite this week. Office 365 Message Encryption (previously Secure Mail) is now GA. Attend this webinar to learn more about the feature. Integration with Conditional Access is in public preview and preview for MCAS integration and Scanner are coming this month!

AIP Client:

The current GA client is now 1.10.56.0!

  • Enjoy more than 80 pre-defined information types when configuring a label condition. All pre-defined information types are aligned with Office 365 DLP information types (more information here)
  • Introducing a new label action, set custom permission. When applied in Word, Excel, PowerPoint or via the classify and protect app, users are prompted to define the permission scope for this item i.e. which users/groups and protection settings.
  • Introducing a new vertical menu. Users can now label an item by clicking the protect button in Word, Excel, PowerPoint and Outlook. This is an alternative to the horizontal bar.
  • This client can display label names, descriptions and Policy Tips in a user’s local language. The additional languages are specified by the admin, and then the client displays them based on the Windows and Office settings.
  • PowerShell commands improvements:
    • Introduce new cmdlets, Set-AIPAuthentication and Clear-AIPAuthentication, to support running PowerShell cmdlets on an unattended server.
    • Introduce an option to label files on behalf of another user (-Owner) and to preserve file details such as the last modified user and last modified time (-PreserveFileDetails).
  • Plus as always a number of fixes and updates:
    • Support for generically protecting large files that previously could be corrupted if larger than 1 GB. The file size is now limited only by available hard disk space and available memory.
    • The Azure Information Protection client viewer opens protected PDF (.ppdf) files as view-only.
    • Support for Exchange online mode.
    • Support for labeling and protection of files stored on SharePoint Server.
    • Watermarks now support multiple lines. In addition, visual markings are now applied to a document on the first save only rather than every time a document is saved.
    • The Run Diagnostics option in the Help and Feedback dialog box is replaced with Reset Settings. The behavior for this action has changed to include signing out the user and deleting the Azure Information Protection policy.
    • Support for proxy servers that require authentication.
    • Email validation when users specify custom permissions. Also, multiple email addresses can now be specified by pressing Enter.
    • The parent label is not displayed when all its sub-labels are configured for protection and the client does not have an edition of Office that supports protection.

The latest Preview client now posted is 1.13.9.0 which contains a number of new features and fixes.

  • Admins can set a different behavior of the default label in Outlook vs. in Word, Excel and PowerPoint. For example the policy can enforce one (or no) default label in Outlook while enforcing a different (or no) default label in the other applications. To experience this feature you can define a default label in Outlook that will override that default label that was set in the Admin UI.
  • On the custom permissions dialog, users can now find and select users by clicking the address book icon available in Word/Excel/PowerPoint as well as in the classify and protect app.
  • Support sharp graphics and text on dynamic dots per inch (DDPI) monitors for the classify and protect app, the viewer and Office 2016 Click-To-Run. When working with two monitors with different DPI resolutions, graphics and text will be displayed the same on both monitors.
  • Major bug fixes in this preview version:
    • Fix a set of specific Office crashes after AIP upgrade
    • Performance and memory consumption improvements in Office
    • User defined permissions in classify and protect app
    • Ability to apply AD RMS protection when working in a HYOK environment

For Admins:

  • Allow information workers to hide the information protection bar in applications. This can be defined per scope.
  • Choose whether the Do Not Forward button in Outlook’s main ribbon is displayed.
  • Control whether the set custom permission option is available.
  • Set which font is used for content marking. If no specific font is specified, the Calibri font is used.

These updates were heavily influenced by your great feedback, and allowed us to ship new features, verify bug fixes and generally improved our product. We thank you for this ongoing engagement!

Upcoming milestones: Other things to be aware of:
  • We’re adding a new feature to the new OneDrive sync client: the ability to sync IRM-protected SharePoint document libraries and OneDrive locations. Learn more about this Preview here.
  • The RMS Protection tool is moving to End Of Life on February 10 2018. This functionality is replaced by the AIP Client.
  • With regards to templates and labels, we have moved to protection being an attribute of labels, and not standalone templates as was the case with RMS. This means a few things:
    • Templates were initially designed to define sets of rights granted to groups and users. In most cases this was a technical implementation answering a need to protect data according to an information handling policy. Labels represent a business policy of how information should be managed, with optional protection of the data, when specified, enforced by the template.
    • In order to deliver on this, we need to maintain a one to one mapping between a label and its associated protection template. As you move from templates to labels, you can convert the template to a label, however if you want to apply the same permissions multiple times, you will need to create a new label for each additional use and specify the protection attributes.
  • A reminder that the Azure classic portal is going to be retired on Nov 30. For more info please see this blog. We also have a great set of migration guidance in our Docs.

As we let you know previously, we have adopted UserVoice as a platform for you to tell us what we should be working on, and I would ask and encourage you all to take a look and place your votes to help us understand the priorities you have.

Summary

Hopefully this helps you with your testing, planning and deployments; we welcome your commentary and feedback. We also know this can be a lot to absorb, and we are here to help! Engage with us on Yammer or Twitter and let us know what’s important to you by voting on UserVoice!

It really is very easy to get started with AIP. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Thank you,

Adam Hall on behalf of the Azure Information Protection team.
Twitter: @adhall_msft
Useful links: https://aka.ms/adhall

How Microsoft Advanced Threat Analytics detects golden ticket attacks


If you’re in the business of threat detection, you are probably familiar with the term golden ticket. For those less familiar, a golden ticket is the name of a Kerberos ticket that is manually created by an attacker after gaining access to your environment’s encryption “master key”. A golden ticket allows an attacker to masquerade as any user or gain the permissions of any role at any time they want, giving them full control over your environment.

Being able to detect this kind of attack has historically been difficult, because the adversary is leveraging credentials with the same key your Active Directory uses.

What can you do about it? This article provides more detail, but in short, you can:

  1. Reduce privileged account exposure by lowering the number of privileged administrators while also implementing “Just Enough Admin” and “Just in Time” access for administrators.
  2. Implement Microsoft Advanced Threat Analytics (ATA), a detection solution that reveals when an adversary has compromised credentials, is using a golden ticket, and/or is moving laterally on your network, escalating privileges, and exerting domain dominance.
How Microsoft ATA can help

Microsoft ATA detects the malicious replication of directory services, which is a method an attacker uses to obtain the master key to your environment. Mimikatz’s DCSync and Impacket’s secretsdump are two tools that an adversary may use to replicate the Kerberos encryption master key (the key of the KRBTGT account) from a domain controller. Microsoft ATA detects the use of these tools and tactics.

ATA learns normal replication and ticket usage patterns to automatically detect and alert if an attacker steals the master key. More importantly, Microsoft ATA will alert you when an adversary begins using a golden ticket on your network.
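The two signals described above, directory replication requested by something other than a domain controller and a ticket whose validity window is longer than domain policy allows, can be expressed as simple detection rules. The block below is an added illustration, not ATA’s code or Microsoft’s; its log format, sample events and the domain-controller inventory are constructed, and the 10-hour ticket lifetime is the Windows default assumed as the domain policy.

```python
"""Illustrative detections for two golden-ticket-related signals.

1. Directory replication rights (the ones DCSync needs) requested by a
   principal that is not a known domain controller.
2. A TGT presented with a validity window longer than the domain's maximum
   ticket lifetime, which a legitimate KDC would never issue.

The log format and all sample events are constructed for this example.
"""
from datetime import datetime, timedelta

# Assumed domain policy: the Windows default maximum TGT lifetime of 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Assumed inventory of legitimate domain controller computer accounts.
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Extended-right GUIDs that directory replication (and therefore DCSync) needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample telemetry: one event per line, space-separated key=value fields.
SAMPLE_LOG = """\
2017-09-28T08:01:12 kind=replication account=DC02$ src=10.0.0.6 right=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2017-09-28T09:14:03 kind=replication account=jsmith src=10.0.5.23 right=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2017-09-28T09:20:00 kind=tgs_request user=jsmith src=10.0.5.23 tgt_start=2017-09-28T08:55:00 tgt_end=2017-09-28T18:55:00
2017-09-28T09:31:45 kind=tgs_request user=administrator src=10.0.5.23 tgt_start=2017-09-28T09:30:00 tgt_end=2027-09-26T09:30:00
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_suspicious_replication(events):
    """Return (account, source) pairs that asked for replication rights
    without being a known domain controller account."""
    hits = []
    for e in events:
        if e.get("kind") != "replication" or e.get("right") not in REPLICATION_RIGHTS:
            continue
        if e["account"] not in DC_ACCOUNTS:
            hits.append((e["account"], e["src"]))
    return hits


def detect_ticket_time_anomaly(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return (user, source, window) for TGTs whose start-to-end window
    exceeds the domain's maximum ticket lifetime."""
    hits = []
    for e in events:
        if e.get("kind") != "tgs_request":
            continue
        start = datetime.fromisoformat(e["tgt_start"])
        end = datetime.fromisoformat(e["tgt_end"])
        window = end - start
        if window > max_lifetime:
            hits.append((e["user"], e["src"], window))
    return hits


def analyze(log_text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return {
        "replication": detect_suspicious_replication(events),
        "ticket_time": detect_ticket_time_anomaly(events),
    }


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(name, findings)
```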

ATA during a Golden Ticket attack

During a golden ticket attack, the ATA console can provide a company’s defenders with useful insight, including:

  • Details about the counterfeit ticket (e.g., the account that the adversary is masquerading as)
  • What resources were accessed using the counterfeit ticket
  • How long the counterfeit ticket was used

In the example below Microsoft ATA detected a golden ticket attack, noting the adversary used the counterfeit ticket for 51 hours:

With ATA, the Digital Forensics Incident Response (DFIR) team can actively detect this attack technique (an ability the DFIR team previously did not have) while also gaining insights into the adversary’s actions. In this case, the DFIR team investigated the alert and identified this incident to be the result of an advanced attacker leveraging a golden ticket in their environment.


Advanced Threat Analytics is part of the Microsoft Enterprise Mobility + Security Suite (E3) or the Microsoft Enterprise CAL Suite (ECAL). Start a trial or deploy it now by downloading an Advanced Threat Analytics 90-day evaluation.

Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!

All the best,

Hayden Hainsworth (@cyberhayden)
Customer & Partner Experience Program Leader, Cybersecurity Engineering
Microsoft Cloud + Enterprise Division

Enterprise Mobility + Security @ Ignite 2017 – Wrap Up


Last week at Microsoft Ignite, more than 25,000 IT professionals converged in Orlando, Florida to learn about Microsoft’s technology advancements, skill up across new products, and meet with Microsoft experts. For EMS we unveiled a wave of new capabilities, presented more than 45 sessions, and met with thousands of customers. I wanted to take a moment and package up all the great information we shared and things we learned from all of you.

We continued to hear from you about the tectonic shifts in IT, with the move towards mobility and use of the cloud for employees, against a backdrop of the rising number of cybersecurity attacks. We passionately believe and continued to observe throughout the whole week, that IT is uniquely positioned to be the champion of change for this new work experience and digital transformation.

Our vision is to empower you and your organization to achieve more in this digital transformation journey while helping you continue to protect your corporate resources. With Microsoft Enterprise Mobility + Security (EMS), we are committed to an integrated experience across identity, mobility, and security solutions that work across platforms, devices, operating systems, and SaaS apps. I’d like to summarize the announcements we made last week:

Protect at the front door: raising the bar with conditional access

In June we announced the general availability of the new conditional access admin experience in the Azure portal. This new experience delivers powerful simplicity to support admins across EMS, including Azure Active Directory and Microsoft Intune. And conditional access is powered by the Microsoft Intelligent Security Graph, which processes billions of signals to determine user sign-in risk levels. With the new conditional access console experience, you can now create policies that protect at the user, app, location, device, and risk level in minutes. Last week customers of all sizes told us it’s changing the game for them.

But what we’ve delivered to date is only the beginning. At Ignite we announced the expansion to secure a whole new wave of scenarios for our customers:

Controlling and limiting access to cloud apps

With Azure Active Directory Conditional Access, access context, continuous cybersecurity threat intelligence, and the risk signals are put to work to help you control access in real-time. Now, we are expanding conditional access capabilities to Microsoft Cloud App Security to provide better protection of your data in the cloud apps.

Watch the Ignite Session: Productivity and protection for your employees, partners, and customers with Azure Active Directory.

Uniquely integrated with Azure AD conditional access, Cloud App Security can help you to perform real-time monitoring and control over your cloud applications. The activities performed within user sessions in SaaS apps can be limited and controlled based on conditions such as user identity, location, device and detected sign-in risk level. For example, you can allow access to SaaS apps from an unfamiliar location or unmanaged device while blocking the download of sensitive documents.

Watch the Ignite session: Bring visibility, data control and threat protection to cloud apps with Cloud App Security.

We also announced that our new conditional access for Azure Information Protection allows organizations to apply access policies to some of their most important data. Policy can be applied to require multi-factor authentication from a user when accessing documents protected by Azure Information Protection, or only when they are off the corporate network or have been flagged as having an elevated risk. This allows all conditions and controls to be used, including the option to require a managed device when accessing protected content.

Watch the Ignite session: Discover what’s new in Azure Information Protection and learn about the roadmap and strategy.

New conditions and custom controls

Last week we announced several new options for customers with time and regional fencing to give control over access based on two new conditional parameters. With time fencing you can restrict access to corporate data to specific hours. Regional fencing makes it easy to block access from specific countries and regions, based on automatic IP address checks. With our new custom controls, you can require acceptance of custom terms of use agreements (which you define) and integrate with selected third party MFA providers when challenging users to authenticate their identity.

Watch the Ignite session: Ensure users have the right access with Azure Active Directory.

Pass-through Authentication

Pass-through Authentication is now generally available as an Azure AD sign-in method – an alternative to Password Hash Sync. It is for organizations who can’t (or don’t want to) permit users’ passwords, even in hashed form, to leave their internal boundaries. It allows users to sign into both on-premises and cloud applications using the same passwords. This feature provides users a better experience, helps reduce IT helpdesk calls and protects user accounts with Conditional Access policies. It works by securely validating users’ passwords directly against Active Directory using a lightweight on-premises agent.

Watch this video: Azure AD Pass-through Authentication and Seamless Single Sign-on.

Protect sensitive data anywhere

Employees are using more SaaS apps, creating more data, and working across multiple devices. While this has enabled people to do more, it has also increased the risk of data loss: it is estimated that 58% of workers have accidentally shared sensitive data with the wrong person. At Microsoft Ignite we announced several new EMS capabilities to help protect your data throughout its lifecycle, from creation to deletion.

Discovering and identifying data is a critical first step. To help you detect the types and locations of your data, the Azure Information Protection scanner will now be able to scan on-premises repositories such as file servers and SharePoint servers to detect sensitive information and automatically classify, label, and protect it based on your company policies. We also announced a new and enhanced Cloud App Discovery experience in Azure AD powered by Microsoft Cloud App Security. You can discover more than 15,000 cloud apps without any agents on user devices and get ongoing analytics. These capabilities are now available to all Azure AD P1 and EMS E3 customers.

Another critical capability customers need is a consistent and integrated classification, labeling, and protection approach across information protection technologies, enabling persistent protection of your data everywhere.

To provide you better and unified data protection in cloud apps, we are taking the integration between Microsoft Cloud App Security and Azure Information Protection to the next level. Leveraging Microsoft’s information protection capabilities, Microsoft Cloud App Security can scan and classify sensitive data stored in cloud apps and apply Azure Information Protection labels automatically for protection, including encryption.

Finally, we announced the general availability of improvements to Office 365 message encryption, which makes it easier to share protected emails with anybody inside or outside of your organization. Recipients can view protected Office 365 emails on a variety of devices, using common email clients or even consumer email services such as Gmail and Outlook.com. Watch this session to learn more about these enhancements: Protect and control your sensitive emails with new Office 365 Message Encryption capabilities.

Watch the Ignite session: Protecting complete data lifecycle using Microsoft information protection capabilities.

Detect threats and recover from attacks

The nature of IT security has changed as the frequency and severity of cybersecurity attacks have grown dramatically. These breaches also reflect a new approach: targeted attacks that compromise credentials across cloud and on-premises systems, then leverage those credentials to access and steal data in your hybrid environment.

To help you detect these attacks, we announced the limited preview of a brand-new service, Azure Advanced Threat Protection for users, which brings our on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Powered by the graph, our Advanced Threat Protection (ATP) products have a unified view of security event data, so your security operations analysts can investigate an incident from endpoint to end user to email.

Traditional security tools have a high rate of false positives, and sifting through them to locate the important and relevant alerts can be overwhelming. Azure ATP for users reduces false positives and provides clear attack information on a simple timeline for fast triage, with an end-to-end investigation experience. Leveraging the depth and breadth of Microsoft's vast security intelligence, Azure ATP for users helps you protect your identities both on-premises and in the cloud.

Watch this session from Ignite: Learn about Microsoft Advanced Threat Analytics Futures.

Modernizing management of Windows 10

Digital transformation also requires organizations to modernize their IT infrastructure, policies and processes to lower costs, simplify device and app management, and provide a better experience for both users and IT Pros. We designed Microsoft 365 for this reason, and we are excited to announce new improvements to make it easier for customers to realize full benefits of Microsoft 365 by enhancing the ability to deploy and manage Windows 10 and Office 365 ProPlus from the cloud.

First, we are enabling a bridge to modern management for existing System Center Configuration Manager (ConfigMgr) customers with co-management, which allows Windows 10 devices to be managed by both the ConfigMgr agent and Intune MDM at the same time. For example, customers will be able to transition the management of VPN profiles, OS updates, and conditional access checks from ConfigMgr to Intune while continuing to use ConfigMgr for other workloads. Over time, customers will be able to move more workloads to Intune. This unique ability enables customers to start their journey to cloud-based management in small, manageable steps with lower risk while maintaining the control they expect.

We are also excited to announce the Intune Management Extension, which provides Windows 10 management functionality beyond what is currently available through the MDM channel. This new feature allows customers to automate actions on the endpoint by running PowerShell scripts delivered from the cloud.
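As an added illustration (not code from the original post or from Microsoft), here is the shape a remediation script takes when it is meant to be pushed to endpoints this way: it is idempotent, it logs to a transcript, it verifies its own change, and it reports failure through a non-zero exit code rather than through console output nobody reads. The registry key, value name and log directory are assumptions chosen for illustration; they are not settings the post describes.

```powershell
# Added example, not from the original post. Target key, value name and log
# location below are hypothetical placeholders, not documented Intune settings.
$ErrorActionPreference = 'Stop'

$LogDir = Join-Path $env:ProgramData 'EndpointScripts'     # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir 'Disable-LegacyProtocol.log') -Append

$KeyPath   = 'HKLM:\SOFTWARE\Contoso\Policies'   # hypothetical policy key
$ValueName = 'LegacyProtocolEnabled'             # hypothetical value; 0 = disabled
$Desired   = 0
$exitCode  = 1

try {
    # A 32-bit PowerShell host writing under HKLM\SOFTWARE is redirected to
    # WOW6432Node, so record which host the script is actually running in.
    $bits = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
    Write-Output "Running in a $bits PowerShell host as $env:USERNAME"

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq $Desired) {
        Write-Output "$ValueName is already $Desired; nothing to do"
    } else {
        Write-Output "$ValueName is '$current'; setting it to $Desired"
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -Type DWord
    }

    # Verify after the write instead of trusting it.
    $after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($after -ne $Desired) {
        throw "Verification failed: $ValueName is '$after', expected $Desired"
    }
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
}
finally {
    Stop-Transcript
}

# Non-zero exit is what surfaces the failure in the management console.
exit $exitCode
```

The script is written so it can be run repeatedly without side effects, which matters because cloud-delivered scripts are retried and re-applied; the transcript under ProgramData is what you open when the console only tells you "failed".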

To round out our capabilities for managing the broad spectrum of devices our customers choose, we announced integration between Jamf and Intune. Jamf is one of the most widely used solutions for macOS management. Jamf will integrate with Intune's device compliance engine to provide an automated compliance management solution for macOS devices accessing applications that use Azure AD authentication.

Watch the Ignite Session: Microsoft 365: Modern management and deployment.

Thank you!

Microsoft Ignite was a huge week for us on the EMS team. We are thankful to be able to spend time with customers and very honored to be an important part of digital transformation for so many companies around the world. Thank you to all of you who could attend Microsoft Ignite in person or who have watched the recorded content so far.
