Active Directory (English)

New Enhancements to the Azure AD Pass Through Authentication Preview are live!

AD -

Howdy folks,

If you’re a follower of this blog you’ll probably recall that we announced pass-through authentication and seamless single sign-on in Azure AD at the end of last year. These features make it easy and fast to deliver world class end user sign-in experiences with Azure AD. Today I’m excited to announce a few improvements we’ve made that make these capabilities even more secure, easier to use, and easier to administer.

Pass-through authentication

Pass-through authentication lets users sign in to your cloud apps without storing any user passwords in the cloud and without deploying new server infrastructure. Some of the key improvements we've just turned on include:

  • Security: Sign-in credentials are now additionally protected with public/private key encryption between Azure AD and the on-premises agents, on top of the HTTPS transport that is always used to carry usernames and passwords.
  • Usability: Any attribute configured as an Alternate ID in Azure AD Connect can now be used as the username.
  • Easier deployment: Now you only need to open two ports to deploy pass-through authentication: the standard ports 80 and 443.

Seamless single sign-on

Seamless single sign-on gives users on your corporate network the ability to access cloud apps from their domain-joined devices without needing to re-enter their passwords. This feature uses Kerberos authentication instead.

We simplified the end user sign-on experience by removing the need for your users to enter their usernames when they access cloud apps with tenant-specific URLs (like

Customer adoption

We've seen our enterprise customers enthusiastically adopting these new capabilities even before they reach general availability (GA). Deutsche Post DHL, a global organization with almost 500,000 employees, has been using these features in production and has this to say about their experience:

"We use pass-through authentication and seamless single sign-on to provide 50,000+ users the ability to sign in to Yammer and 16 other enterprise applications. What I like most about it is its simplicity – it just works! We plan to migrate all ADFS-based applications to this setup soon." – Joe Gasowski, Head of Identity and Access Management, Deutsche Post DHL

Learn more!

Dive into our detailed documentation for pass-through authentication and seamless single sign-on and let us know what you think by leaving us a comment below or emailing us at We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Configuration Manager Client Messaging SDK available on


The Configuration Manager team is pleased to announce that the Configuration Manager Client Messaging SDK version 5.1706.1034.1000 is now available as a package on Previously the Client Messaging libraries were released with the System Center 2012 R2 Configuration Manager SDK.

NuGet is a package-management extension for Visual Studio that lets you browse for libraries and add them, along with their configuration, to your development projects from Solution Explorer or from a command-line interface.

Releasing ConfigMgr SDK libraries on as packages will allow us to provide more frequent updates.

Notable Changes in this version:
  • Improvements to the certificate hashing algorithm detection and usage.
  • Fix to the hash algorithm not being properly defined when sending client registration requests.
  • Updated the default ClientVersion value to match Configuration Manager current branch 1511 (5.0.8325.0000).
  • Changed the support status of ConfigMgrBgbMessageRequest, ConfigMgrBgbMessageReply, and HeartbeatDiscoveryDataRecordFile from “PartiallySupported” to “Supported”.
  • Other fixes and improvements.

We have also published updated documentation for the Client Messaging SDK online.

We invite you to try out our new Client Messaging SDK package here and leave us some feedback on our User Voice site.


Additional Resources:

Configuration Manager Client Messaging SDK Documentation

Configuration Manager SDK Documentation

NuGet Package Consumption Overview

Partner with Enterprise Mobility + Security to drive your customers’ digital transformation


Microsoft's Enterprise Mobility + Security (EMS) is the only comprehensive mobility solution designed to help manage and protect users, devices, apps, and data in a mobile-first, cloud-first world. EMS is one of Microsoft's fastest growing products: our customer count has doubled to over 40,000 and our install base has grown 6x over the past year. This tremendous growth creates a huge opportunity for EMS partners looking to solve critical customer issues around consulting, systems integration, or managed services.

There are several scenarios where customers need your help, ranging from securely managing employees' mobile productivity with Intune, to single sign-on to cloud apps with Azure AD Premium, to protecting corporate data from cyberattacks with security technologies that leverage machine learning and the Microsoft Intelligent Security Graph. And because EMS is a cloud-based solution, setup is simple and fast and the solution easily scales to meet your customers' growing needs, enabling you to focus on building more value-added services and continuing to build your EMS business.

By building an Enterprise Mobility + Security practice, your organization can help our mutual customers successfully navigate their digital transformations, while at the same time ensuring that all security and compliance needs are met. We will be there with you throughout the journey: as your business thrives, you will have access to additional resources, investments, training, and other opportunities to help you succeed and grow your EMS business. To learn more and get started, please visit our new Become a Partner page. Existing partners can access resources through the Microsoft Partner Network.

Azure Information Protection unified administration now in Preview


Hi everyone, and welcome to an important post for those of you who work with the configuration of Azure Information Protection (AIP). As you may already know, for historical reasons we are currently split across both the classic and new Azure management portals. This is because the protection part of AIP (the encryption, formerly known as Azure RMS) lives in the classic portal, while the classification and labelling part lives in the new one.

Well, today that all changes! We are excited to release into Preview the new unified administrative experience which brings the Protection configuration (you will know this as Azure RMS templates) into the AIP configuration. This is the first step in our move to a label centric model.

So what does this mean to you?
  • From an admin perspective, we have unified access to all configuration into a single location to define your classification taxonomy, labels and any specific actions including protection.
  • You can try out this new unified admin experience right now, just log into
  • Until now, an admin had to first create RMS templates in the Azure classic portal, then go to the Azure portal to configure labels, and then link RMS templates to labels.
  • Moving forward, everything is now configured via the Azure portal. Protection becomes an optional setting of a label, just like visual marking or classification automation with conditions.
  • Based on your feedback, we have also removed the need for an admin to be a Global Admin! Security Admins can create labels and configure protection settings.
  • Following our release of new collaboration features in February, we have now added UI based configuration options to protect content to:
    • anyone within your company (e.g.
    • anyone at another company (e.g.
    • a group of people at another company (e.g.

This is our first step in the move from the previous Classic Portal ( to the Azure portal (, which is scheduled to be complete by July this year. We would really love to have you try out the new settings, and let us know what you think. We will be listening in Yammer

Lets take a deeper look

When you log into the portal and open a label, you will see that we have added an option to set Protection permissions on the label (which also means sub-labels, for brevity we will just say labels):


Once you choose the option Custom (Preview) you can define the same settings that were previously in the classic portal, including content expiration, offline access policy, and users/groups and their rights. In the example below, we give the Big Wigs group, and Bonnie as an individual user, Co-Owner rights.

You can also optionally grant rights to everyone within your organization:


If you wish to collaborate on protected content with people outside your organization, you can use the custom or external option to add users (i.e., groups (i.e. or entire organizations (

Once the settings are configured and saved, the AIP service creates Protection templates in the background. We still create these templates to preserve backward compatibility for applications that use RMS templates without requiring any updates to adopt labels.

A note on templates: The AIP client refreshes the templates that are associated with labels, and this refresh happens whenever you relaunch the client. For users without the AIP client (i.e. just using RMS), these templates refresh on a regular schedule; the default is 7 days, but you can tune this.

A few questions you may have

I don't see all the options that are available in the classic portal. Where are they?
In this Preview we enable only creation of new templates as settings on the label. Management of existing templates via the Azure portal will come with the next Preview release expected late May.

Can I continue to manage templates created via the Azure portal using the classic portal?
Yes, but we don't recommend that you archive or delete these templates through the classic portal or using PowerShell. If you want to remove them, first disable protection on the relevant label and then remove the templates.

How can I create scoped templates?
You should create scoped policies and create a label scoped to the relevant group. Any template created as a configuration on a label will be scoped to the same audience. Note: Only e-mail enabled groups and users can be used for scoped templates.

We know this can be a lot to absorb, and we are here to help! Engage with us on Yammer, Twitter or send us an e-mail to


Thank you,
Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina
Useful links: (PDF)

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Demonstrating our Growth Mindset & Learning from our Customers: We’re reverting the branding logic on Azure AD login pages


Howdy folks,

Back on April 7th we announced changes to the branding logic for Azure AD login pages. In the 18 days since then we've learned a ton from you, our customers, including the fact that many of you are not thrilled with these changes. Additionally, we learned that we took many of you by surprise and did not give you enough time to alert and train your employees about the change.

So today we get to demonstrate our Growth Mindset! We've learned from your feedback and we've decided to roll back these changes (they are being reverted as I type). We're going to revisit the overall plan and take steps to better socialize and communicate future end-user-facing UX changes. Ariel Gordon, the PM for these features, has the details below.

Thanks to all of you who shared your feedback with us about these changes. We learned a lot from you and we’ll use these lessons to improve going forward.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi everyone,

Earlier this month we changed the logic that controls app vs. company branding on Azure AD login pages. These changes had two key motivations: provide better brand awareness to customers using B2B flows, and reconcile the branding logic between Azure AD and Microsoft accounts, as a prerequisite to merging the two login experiences later this year.

And while we tested and validated the new logic with many customers, we underestimated the impact of these changes on the broader community. You've also told us that these changes disrupted your business because we failed to provide advance notice.

We've heard you loud and clear. We've therefore decided to roll back these changes, effective immediately. We're also making changes to our engineering and communication process to ensure this doesn't happen again. Specifically, our team is making the following commitments:

  1. Future login UX changes that affect business customers will be announced ahead of time
  2. Changes will be tested via flighting, and incorporate a Preview period that allows us to gather broader feedback from you
  3. For the most disruptive design changes, we'll introduce an opt-in period of at least 30 days, giving everyone a chance to update their support and training materials

Best regards,

Ariel Gordon, Principal Program Manager, Identity Division (@askariel)

Managing mobility for Office365 Tweet chat


Got questions about managing Office mobile apps? Want to learn more about Intune? Curious about Azure Information Protection? We have answers.

The Enterprise Mobility + Security engineering team will be hosting a Tweet Chat via @MSFTMobility on Wednesday, May 17th from 11:00 -12:00 PDT. Just make sure you use the #EnterpriseMobilityTweetChat hashtag in your questions to ensure they show up in the conversation.

During this Tweet Chat, our engineering team will be huddled in a conference room on the Microsoft campus in Redmond, Washington, ready to tackle questions such as:

  • What options does Microsoft offer for managing Office mobile apps?
  • How do Mobile Device Management (MDM) and Mobile Application Management (MAM) differ?
  • How to protect and manage apps on non-enrolled devices with Intune?
  • How to configure Application Protection policies for Office Mobile Apps with Intune?
  • How to define policies for Multi-Identity capabilities with Intune?
  • How to set up risk based policies for Conditional Access to Office apps?
  • How to set up policies for automatic classification with Azure Information Protection?
  • How to utilize Document Tracking Capabilities within Azure Information Protection?
  • What Enterprise Mobility Suite capabilities can be enabled from within the Office 365 admin console (Azure Multi-Factor Authentication, Conditional Access, App Protection policy for OneDrive)?

If you would like to add to our list of questions, you can leave a comment on this blog post, and we'll be happy to answer it during our Tweet Chat. If you are not on Twitter, please create an account so you can join us!

Don't miss this Tweet Chat; save it to your calendar.


Before you stop reading, here are a few quick housekeeping items:
  • Be nice: If you disagree, be polite.
  • Stay on topic.
  • Please do not spam or self-promote during the chat.
  • Responding to other participants: If you want to respond to a certain user, make sure to include their Twitter handle so it's clear who you're speaking to.
  • Label your posts: If you're asking a question, please number it. For example, put Q1: before your question if it's the first one that's been asked. If you're answering a question, put A1:.
  • No troubleshooting: While we would love to help troubleshoot your Conditional Access issues, 140 characters and a Tweet Chat do not allow for thorough technical assistance. We have great folks that help monitor our Twitter account, though, so feel free to DM us privately for help.
  • Ask us anything about Managing Office Mobile Apps, but we will not comment on unreleased features or future plans.

Update 1704 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1704 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month's new preview features include:

  • Secure Boot inventory data: Hardware inventory can now determine whether the device has Secure Boot enabled (this inventory class is enabled by default).
  • Run Task Sequence step: This is a new step in the task sequence to run another task sequence, which creates a parent-child relationship between two task sequences.
  • Reload boot images with latest Windows PE version: During the "Update Distribution Points" wizard on a boot image, you can now reload the version of Windows PE in the selected boot image.

This release also includes the following improvements for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Android app configuration support: Administrators can create an app configuration policy for Android applications deployed with Google Play.

Update 1704 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1703 baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there's a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.


The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

#AzureAD Mailbag: Azure AD App Proxy, Round 2


Hey everyone, Ian Parramore here. Long time no post for us on these mailbags. You might be wondering what happened and why we didn't have a post for almost 2 months. I can tell you who is to blame: Mark. Now that we've got that out of the way, today we're going to dive into some of the most common questions we've seen around the Azure AD Application Proxy. For those of you not familiar with this feature, Application Proxy provides single sign-on (SSO) and secure remote access for web applications hosted on-premises. These on-premises web applications can be integrated with Azure AD, allowing your end users to access them the same way they access Office 365 and other SaaS apps integrated with Azure AD. You don't need to change your network infrastructure or require a VPN to provide this for your users. To learn more about Application Proxy and how to get started, see our documentation. Now let's dig into some of your questions.


Question 1:

I'm trying to set up Kerberos constrained delegation as discussed in this article but am struggling to understand the PrincipalsAllowedToDelegateToAccount method. Do you have some more insights you can share on this?


Answer 1:

PrincipalsAllowedToDelegateToAccount is specifically used where the Connector servers are in a different domain from the web application service account, which requires the use of Resource-based Constrained Delegation.


If the Connector servers and the web application service account are in the same domain, you can use Active Directory Users and Computers to configure the delegation settings on each Connector machine account so that it is allowed to delegate to the target SPN.


If the Connector servers and the web application service account are in different domains, we need to use Resource-based Constrained Delegation, where the delegation permissions are configured on the target web server or web application service account.

This is a relatively new form of Constrained Delegation, introduced in Windows Server 2012, which supports cross-domain delegation by letting the resource (web service) owner control which machine or service accounts are allowed to delegate to it. There is no UI for this configuration, so we need to use PowerShell.


Each Azure AD Application Proxy Connector machine account needs to be granted permissions to delegate to the web application service account.

When validating your configuration you can check the PrincipalsAllowedToDelegateToAccount setting using the following PowerShell:

Get-ADUser -Identity sharepointserviceaccount -Properties "PrincipalsAllowedToDelegateToAccount"


The following output shows 2 machine accounts with permissions to delegate to the sharepointserviceaccount corresponding to our 2 Connector servers:



If one or more of your Connector servers do not have permissions to delegate to the target web application service account then you will see errors similar to the following:


In the article you'll see the following sample PowerShell commands (the value of the -Server argument, a domain controller to query for the Connector machine accounts, is not reproduced on this page):

$connector = Get-ADComputer -Identity connectormachineaccount -Server

Set-ADUser -Identity sharepointserviceaccount -PrincipalsAllowedToDelegateToAccount $connector


This is fine but will only set one Connector with delegation rights to the sharepointserviceaccount.

If you only specify one of two Azure AD App Proxy connectors, access to the app will only succeed if traffic is routing through that connector.


Where you have more than one Connector the first command would ideally look something like this:

$connectors = Get-ADComputer -Filter {Name -like "*appproxyname*"} -Server


This command assumes the connectors have a similar name and that the wildcards will return more than one computer account. For example, in my environment I have two connectors, MSFTPM-AAP1 and MSFTPM-AAP2. So I would run:

$connectors = Get-ADComputer -Filter {Name -like "*aap*"} -Server


This returns both servers and sets them in the $connectors variable. I can then run the second command to set the attribute appropriately on my resource server:

Set-ADUser -Identity sharepointserviceaccount -PrincipalsAllowedToDelegateToAccount $connectors


We can then use the following PowerShell to re-validate the setting:

Get-ADUser -Identity sharepointserviceaccount -Properties “PrincipalsAllowedToDelegateToAccount”

Note that the examples above use Set-ADUser/Get-ADUser when setting and reading the PrincipalsAllowedToDelegateToAccount attribute. This is because the web application runs under a user service account.


If the web application was running under a machine context we would need to use Set-AdComputer/Get-AdComputer. This may be relevant in a test environment with only a single web server but in a load balanced web server deployment we would expect the services to be running under a common service account.


When populating the $connectors variable we will always use Get-AdComputer as we are specifically interested in the Connector machine accounts.


For further information about Kerberos Constrained Delegation and Resource-based Constrained Delegation please see the following whitepaper
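To turn the commands above into one repeatable configure-and-verify step for any number of Connectors, here is an added PowerShell example; it is not from the original post or from the Azure AD documentation. It assumes the ActiveDirectory module is installed, that the Connector computer names start with MSFTPM-AAP, that the web application runs as the user service account sharepointserviceaccount, and that dc01.connectors.contoso.com is a domain controller in the Connector servers' domain; all of those names are placeholders to change for your environment.

```powershell
# Added example (not from the original post): grant every Application Proxy Connector
# machine account resource-based constrained delegation to the web application's
# service account, then verify that no Connector is missing from the list.
# Assumed names: connector computers "MSFTPM-AAP*", service account
# "sharepointserviceaccount", connector-domain DC "dc01.connectors.contoso.com".
Import-Module ActiveDirectory

$connectorFilter   = 'MSFTPM-AAP*'
$serviceAccount    = 'sharepointserviceaccount'
$connectorDomainDc = 'dc01.connectors.contoso.com'   # DC in the Connector servers' domain

# 1. Collect the Connector machine accounts. Always Get-ADComputer here, because the
#    Connectors are computer objects even though the resource is a user account.
$connectors = @(Get-ADComputer -Filter "Name -like '$connectorFilter'" -Server $connectorDomainDc)
if ($connectors.Count -eq 0) { throw "No computer accounts matched '$connectorFilter' on $connectorDomainDc" }
Write-Host ("Granting delegation rights to {0} connector(s): {1}" -f $connectors.Count, ($connectors.Name -join ', '))

# 2. Write the attribute on the resource side (the service account, hence Set-ADUser).
#    The value is replaced, not appended, which is why passing a single Connector
#    silently drops the others: always pass the complete list.
#    Add -Server <dc of the service account's domain> if that is not your logon domain.
Set-ADUser -Identity $serviceAccount -PrincipalsAllowedToDelegateToAccount $connectors

# 3. Read the attribute back and compare it with what we intended to set.
$svc     = Get-ADUser -Identity $serviceAccount -Properties PrincipalsAllowedToDelegateToAccount
$granted = @($svc.PrincipalsAllowedToDelegateToAccount | ForEach-Object { "$_" })   # rendered as DNs
$missing = @($connectors | Where-Object { $granted -notcontains $_.DistinguishedName })

if ($missing.Count -gt 0) {
    Write-Warning ("Connectors WITHOUT delegation rights to {0}: {1}" -f $serviceAccount, ($missing.Name -join ', '))
} else {
    Write-Host "All $($connectors.Count) connectors may delegate to $serviceAccount"
}
```

Run it from a machine that holds the Active Directory module and an account with write access to the service account object. Step 3 is the check to repeat after you add or rebuild a Connector: a Connector that is absent from the list produces exactly the intermittent failures described above, succeeding only when traffic happens to be routed through a Connector that is on the list.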


Question 2:

Should I create a dedicated account to register the connector with the Azure AD Application Proxy?


Answer 2:

There’s no reason to. Any global admin account will work fine. The credentials entered during installation are not used after the registration process. Instead, a certificate is issued to the connector which will be used for authentication from that point forward. You can see this certificate in the personal store of the computer account:

Question 3:

How can I monitor the performance of the Azure AD Application Proxy connector?

Answer 3:

There are Performance Monitor counters that are installed along with the connector. To view them do the following:

1. Start -> Type “Perfmon” -> Enter

2. Select Performance Monitor and click the green “+” icon:

3. Select and add the Microsoft AAD App Proxy Connector counters:


Question 4:

Can only IIS-based apps be published? What about web apps running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?


Answer 4:

Woah, this is a 3-for-1!

No, there is no IIS requirement for the apps that are published.

Yes, you can publish web apps running on servers other than Windows Server. That said, whether you can use Kerberos constrained delegation for single sign-on behind Azure AD pre-authentication depends on whether the web server supports Negotiate (Kerberos) authentication.

The server the connector is installed on does not need to have IIS installed.


Question 5:

Does the Azure AD App Proxy connector have to be on the same subnet as the resource?


Answer 5:

There is no requirement for the connector to be on the same subnet. It does however need name resolution to the resource as well as the necessary network connectivity (routing to the resource, ports open on the resource, etc.). If you want a more detailed discussion on connector location, please see our blog.


Question 6:

I've published the App Proxy application, and I'm able to log in, but the application is not displaying as expected. Why isn't it working?


Answer 6: If you're able to log in but the application isn't displaying properly, there are two common causes.

First, verify that all the pages and resources the application references are under the path you published. For example, we see many cases where the published path is contoso/myapp/register/, but the web page references resources under other paths, e.g. contoso/myapp/style.css. Because the path containing the style sheet has not been published, the application cannot load it.

One way to check whether this is the problem is to look at a Fiddler trace, or use the Network tab in the F12 Developer Tools in Internet Explorer or Edge, to get an overview of the request/response pairs and their HTTP status codes as the page loads. Use that output to identify any 404 errors and, if there are any, whether the resources returning 404 are under the published path.


In the example above, publishing contoso/myapp/ instead of contoso/myapp/register/ would solve the problem.


Second, check whether your application uses hard-coded internal links, either to other applications or unpublished sites, or to its own internal namespace.


This is a problem where the internal and external FQDNs differ and the web server generates links based on its internal name. Our general recommendation is to use the same internal and external FQDN and protocol where possible (validate that both are the same; HTTPS is preferred, HTTP is allowed) to reduce the chance of problems.


For sites that contain links to other internal sites or applications, you need to identify these and ensure the relevant applications and sites are also published and available externally through Application Proxy. If these links are fully qualified, use the custom domains feature to make sure they will work. If not, look for an upcoming announcement in the coming months on some new Application Proxy capabilities in this area. Please check the Enterprise Mobility and Security blog for announcements.


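As an added check for both causes in Answer 6 (example code written for this page, not from the original post or the Application Proxy product), the following PowerShell function takes the HTML of a page and lists every referenced resource that would break through Application Proxy: references that resolve outside the published path (the 404 case) and references that carry a hard-coded internal FQDN (the different-internal-and-external-name case). The HTML, URLs and host names are constructed for the example; in practice you would feed it a response body captured with Fiddler or Invoke-WebRequest.

```powershell
# Added example (not from the original post). Flags resources in a page that will
# not load through Application Proxy because they resolve outside the published
# path or point at an internal FQDN. All URLs, host names and HTML are constructed.

function Get-UnpublishedReferences {
    param(
        [Parameter(Mandatory)][string]$Html,
        # The page as the user reaches it through Application Proxy (external URL)
        [Parameter(Mandatory)][uri]$PageUrl,
        # Path published in Azure AD for this application, e.g. /myapp/register/
        [Parameter(Mandatory)][string]$PublishedPath,
        # Internal FQDN(s) the web server may write into links it generates
        [string[]]$InternalHost = @()
    )

    $published = $PublishedPath.TrimEnd('/') + '/'
    # src=, href= and action= attributes, single- or double-quoted
    $pattern = '(?i)\b(?:src|href|action)\s*=\s*["'']([^"'']+)["'']'

    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $ref = $m.Groups[1].Value
        if ($ref -match '^(#|mailto:|javascript:|data:)') { continue }   # never fetched via the proxy

        $resolved      = [uri]::new($PageUrl, $ref)   # relative refs resolve against the page URL
        $pathWithSlash = $resolved.AbsolutePath.TrimEnd('/') + '/'

        $problem = $null
        if ($InternalHost -contains $resolved.Host) {
            $problem = 'hard-coded internal FQDN (align internal and external FQDN)'
        } elseif ($resolved.Host -ne $PageUrl.Host) {
            $problem = 'different host (publish it separately unless it is truly public)'
        } elseif (-not $pathWithSlash.StartsWith($published, [System.StringComparison]::OrdinalIgnoreCase)) {
            $problem = "outside published path $published (will return 404)"
        }

        if ($problem) {
            [pscustomobject]@{ Reference = $ref; ResolvesTo = $resolved.AbsoluteUri; Problem = $problem }
        }
    }
}

# Constructed sample page: the published path is /myapp/register/, but the page pulls a
# stylesheet from /myapp/, links to another internal site, and posts a form to the
# web server's internal name.
$sampleHtml = @'
<html><head>
<link rel="stylesheet" href="/myapp/style.css">
<script src="scripts/app.js"></script>
</head><body>
<form action="https://webserver01.corp.contoso.com/myapp/register/submit" method="post">
<a href="/hr/portal/">HR portal</a>
<a href="#top">Top</a>
</form></body></html>
'@

Get-UnpublishedReferences -Html $sampleHtml `
    -PageUrl 'https://myapp-contoso.msappproxy.net/myapp/register/' `
    -PublishedPath '/myapp/register/' `
    -InternalHost 'webserver01.corp.contoso.com' | Format-Table -AutoSize
```

In the sample, /myapp/style.css and /hr/portal/ are reported as outside /myapp/register/, the form action is reported for its internal FQDN, and scripts/app.js is not listed because it resolves under the published path. Publishing /myapp/ instead of /myapp/register/ clears the style-sheet finding, which is the fix the answer describes; the HR link and the form action need the other site published and the FQDNs aligned, respectively.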


Thanks for reading.


For any questions you can reach us at, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons


-Ian Parramore, Harshini Jayaram, and Mark Morowczynski

Updates to Microsoft Intune on Microsoft Azure


This post is authored by Simon May, Principal Program Manager, Intune CXP.

Empowering not only your employees, but also you, to be more productive is one of our main goals. The ability to manage your mobility ecosystem from virtually any device and any browser, managing increasingly large numbers of devices and apps, a modern micro-services cloud architecture, enterprise-grade APIs, reporting and automation support, a unified admin experience for all of Enterprise Mobility + Security (EMS), and Role Based Access Control (RBAC): these are all things that thousands of our customers have been asking us for. We are now delivering them to you.



More than half of Intune tenants have been already migrated to our new Azure micro-services based infrastructure, delivering the experiences described above. Our team is working diligently to migrate the remaining customers, taking the utmost care as they do.

Streamlined management of core EMS workflows across Azure AD and Intune

Personally, I find Conditional Access to be one of the most amazing features of EMS. We are continually told by our customers how good our access management experience is, architecturally and practically. End users like the guided route to compliance, and IT can trust that the right users are granted or denied access based upon a combination of device, network location, risk, and other factors. We heard from many customers that it is not optimal to manage access, and thus risk, to company data from multiple places (the Azure AD console and the Intune Silverlight console).

We listened and significantly improved the experience.

There's now a single experience in the Azure portal to express, granularly, how much risk I'll accept. I can require MFA from devices I trust when they come from networks I don't trust, while not requiring MFA from devices I trust on networks I trust.

Harness the Microsoft Graph for simplicity, automation, and integration

Weve had phenomenal feedback from early adopters about the work that our team has done with the Microsoft Graph API. Now a single API spans Office 365, Azure AD, Intune, and other Microsoft cloud services. You can leverage this API for complex reporting through PowerBI and other big data or analytics services to build custom dashboards for your business. IT admins are always looking for ways to save time and automate repetitive admin tasks. The Microsoft Graph API enables you to do just that.

Manage devices, users and groups with nearly unlimited scale

Following your tenant's migration, Intune will use groups in Azure AD for user and device management and to apply policy. This reduces admin overhead since groups don't need to be built in two places. For example, if you have an Engineering group in Azure AD that you use to assign SaaS apps in Azure AD and to configure access to a SharePoint site, you can now use that exact same group to apply policy to your devices and apps in Intune. Not only that, but you now have the power of dynamic groups in Azure AD at your disposal to create groups based on simple or even complex queries of device and user information.

Of course, your company could well have more than one IT admin, and the level of experience and, let's face it, trust you put in those admins differs. Now you have granular Role Based Access Control that lets you enable or disable administrative capabilities depending upon the role a person has. One company I'm working with allows their help desk staff to lock a user's device, but they don't want those employees to be able to do something destructive like wipe the device. For that, only a help desk manager can initiate the request.

There is a huge amount of information to unpack and understand for your organization. To help you out, Craig Marl, Principal Program Manager, and I took to Microsoft Mechanics, where I'm asking the kinds of questions you might ask to understand more, and Craig has the answers. Of course, if you have more questions, just ask below or ask me on Twitter @simonster.


No password, phone sign in for Microsoft accounts!

AD -

Howdy, folks!

Here in the identity division at Microsoft, we don’t like passwords any more than you do! So we’ve been hard at work creating a modern way to sign in that doesn’t require upper and lowercase letters, numbers, a special character, and your favorite emoji. And after a soft launch last month, we’re excited to announce the GA of our newest sign-in feature: phone sign-in for Microsoft accounts!

With phone sign-in, we’re shifting the security burden from your memory to your device. Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new. Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap “Approve”, and you’re in.

This process is easier than standard two-step verification and significantly more secure than a password alone, which can be forgotten, phished, or compromised. Using your phone to sign in with a PIN or fingerprint is a seamless way to combine two account “proofs” (something you have and something you know or are) in a way that feels natural and familiar. Treat an approval prompt you did not trigger yourself as a sign that someone else has your username and is attempting to sign in, and deny it.

Here’s how you set it up:

  • If you already use the Microsoft Authenticator for your personal account, select the dropdown button on your account tile, and choose Enable phone sign-in.
  • If you are adding a new account on an Android phone, we’ll automatically prompt you to set it up.
  • If you are adding a new account on an iPhone, we’ll automatically set it up for you by default.

Then just try it out! The next time you sign in, we’ll send a notification to your phone. That’s it!

Note: A link at the bottom of the confirmation page lets you choose to use a password instead if your phone isn’t handy, or you can switch back from your password to the Microsoft Authenticator. Either way, we’ll remember your preferences next time you sign in.

Using a device to sign in is new to you, and it’s new to us, too. We want to make sure we get it right, so we want to hear from you. Use the Microsoft Authenticator forum to offer suggestions, ask questions, and engage with our support team and other fans of account security. And as always, keep an eye on this blog for news about improvements and new features.

We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


[Update 4/18/17 3:08pm Pacific: A few people have asked if this works with the Windows Phone version of Microsoft Authenticator. Windows Phone makes up <5% of the active users of our Authenticator apps, so we have prioritized getting this working with iOS and Android for now. If/when it becomes a big success on those high-scale platforms, we will evaluate adding support for Windows Phone.]

Why Office 365 customers need to consider Enterprise Mobility + Security

AD -

Office 365, apart from being the global standard for productivity, provides built-in fundamental management and security capabilities to help protect your company data as you embrace mobility and cloud.

If you are responsible for providing a great end user computing environment for your organization, you are facing other changes such as:

  • New types of users – task workers, outside collaborators and other contributors will need access to your company information via the Office mobile apps, and eventually a larger subset of your app portfolio.
  • Users need to access Office 365 resources from a variety of locations.
  • Your cloud-based app portfolio will expand beyond Office mobile apps.
  • Information needs to be shared more freely inside and outside your organization, while maintaining security.
  • You need to constantly re-assess and redefine your security posture based on a dynamic, changing threat landscape.

These changes surface a need to surround your Office 365 deployment with robust management and security capabilities. Office 365 capabilities need to be augmented by a comprehensive mobility solution that protects against threats both on-premises and in the cloud, securely delivers Office 365 and other applications on any device, and safeguards critical corporate assets.

To achieve this, you need to consider and build out three fundamental capabilities, each of which spans several component technologies and is delivered seamlessly by EMS.

  1. Secure, streamlined access to all the corporate resources (like apps and files) your employees and outside collaborators need to be productive regardless of location and device.
  2. Managed mobility capabilities that empower users to do more on their devices, while keeping organizational assets protected; these capabilities need to transfer smoothly across device management policies (e.g. BYOD, CYOD, enrolled and non-enrolled scenarios) and across various types of apps (e.g. Office 365, LOB apps, 3rd party SaaS apps).
  3. Advanced security capabilities that constantly listen and learn from the ever-changing threat landscape, thereby anticipating, detecting and responding to threats as they emerge.

Explore our new ebook to discover the EMS capabilities that help you achieve this, and watch our upcoming webinar series to see it all in action. Happy exploring!

Attend free hands-on classes to advance your skills with EMS

AD -

Microsoft is offering a series of free, instructor-led, live virtual classes on Microsoft Enterprise Mobility + Security (EMS). In this training, you'll learn through extensive hands-on labs how EMS can help keep the employees in your company productive on their favorite apps and devices while keeping your company data protected. Specifically, the class covers the following two scenarios in depth:

  • Identity and Access Management: learn how to centrally manage single sign-on across devices, your datacenter, and the cloud
  • Identity-driven Security: learn how to guard your data from attacks on multiple levels using innovative, identity-driven security techniques

The class is offered in recurring sessions in different time zones throughout April, May and June. Space is limited so check out the class schedule and reserve your virtual seat today!

Azure Information Protection: Ready, Set, Protect! – Part 4: regulations and compliance

AD -

Welcome to the 4th and final post in our Ready, Set, Protect! series. To recap our journey: in Part 1 we showed you how to get going with classification and labeling, and FAST. In Part 2 we focused on how you can take the learnings and benefits of classification and labeling and protect your information. Part 3 was for those of you who are either Information Protection skeptics or have yet to kick off a proper evaluation of the technology in this space, and we wanted to help you hone in on what's really important in an enterprise solution for Classifying, Labeling and Protecting (CLP) your information.

Today's blog post is for those of you who need to comply with data protection regulations and want to understand how you can use Azure Information Protection (AIP) to help meet some of those needs. To make it a little more concrete, we use the EU General Data Protection Regulation (GDPR) as the running example in this discussion.

To set the scene: the GDPR applies not only to organizations located within the EU but also to organizations outside the EU that process personal data in connection with goods or services offered to EU data subjects, or in connection with monitoring the behavior of EU data subjects. In short, it applies to any company processing or holding the personal data of data subjects in the European Union, regardless of where that company is located.

As you can see, this has far-reaching implications, and for organizations subject to such laws it is a topic of intense discussion and debate. The breadth of the regulation and the consequences of non-compliance have led customers (in particular CIO, CISO and DPO leaders) to re-evaluate how they protect and handle data.

The challenge with compliance

Many data protection regulations like the GDPR are essentially privacy laws. When organizations are compliant with the law, they will have, among other things:

  1. Adequate knowledge about the Personal Data that is being processed
  2. Safeguards documented and implemented to protect the data
  3. The means to audit the storage and protection of the data
  4. The means to control access to this data
  5. The awareness of a breach, and adequate knowledge of the Personal Data that has been lost to limit the liability

Systems and processes put in place now can possibly provide coverage for new data. However, organizations must also deal with mountains of existing unstructured data* in the form of documents and emails collected and archived over the years. This too could contain Personal Data that has been processed, and therefore may need to be identified and secured.

* Microsoft offers solutions around structured data, which is outside of the scope of this blog post.

The question is: how can organizations ensure better compliance with this volume of unstructured data?

The building blocks of compliance

Data protection laws like the GDPR usually define the safeguards that need to be in place to handle Personal Data. They also go to great lengths to articulate how organizations must prove that the safeguards exist and how they handle Personal Data in different scenarios. In distilled form, regulation and compliance make you responsible for the inventory, security, and audit of all Personal Data, in a provable manner.

To break this down into actionable steps and help customers comprehend the larger picture around management of Personal Data, the framework in the diagram below will help:


The Azure Information Protection product is part of a larger Microsoft solution for helping customers with data protection regulatory compliance, and provides capabilities to inventory, secure, and audit Personal Data. In conjunction with other services like Office 365 Data Loss Prevention (DLP) and Microsoft Cloud App Security (MCAS), it gives customers insight, monitoring, protection and control over the data flowing through their organizations. Let's look at how AIP and the other Microsoft Information Protection services plug into this framework and help with compliance.

Data Inventory

The first step in the lifecycle of managing Personal Data is to identify where it is.

Microsoft provides capabilities to analyze unstructured data residing in file shares, SharePoint sites and libraries, online repositories, and desktop and laptop drives. Given access to a file, these solutions scan its contents and determine whether certain classes of Personal Data are present. The organization can then classify each file according to the kind of data found and tag it with a label. It can also generate reports on this process, listing the files scanned, the classification policies that matched, and the label that was applied. These reports are one of the artifacts of the Data Inventory phase that the organization can use in audit scenarios.

The data inventory step is not a one-time event. As the files change and new content gets added, repeating the steps in the inventory phase helps keep the organization up-to-date with compliance requirements.

As the file containing Personal Data travels, other services that are part of the data flow can help the organization track this data. For example, organizations can use Office DLP to inspect data flowing out of Office applications, and use MCAS to monitor data flowing to and from different online locations and SaaS apps. This ecosystem of offerings can help you keep the inventory report up-to-date.

Securing data

With the data inventory phase correctly identifying documents that contain Personal Data, securing them and ensuring authorized processing is the next responsibility. Access to Personal Data must be controlled and policed, and Azure Information Protection provides an identity-based security solution for this purpose. The organization can establish policies in AIP that define the rings of access for various departments, in which scenarios, and for which types of Personal Data. These policies tie back to the applicable compliance requirements for that data.

AIP gives the organization flexibility in defining its policies. With policies in place, the organization can use AIP to encrypt files that contain Personal Data and manage access rights according to the appropriate policy. Decryption is conditional on the user being authorized by the access policy, which enforces the intended safeguards: unauthorized persons cannot open the file. With rights-based encryption in place, sharing becomes less cumbersome, because you have the means to prevent Personal Data from leaking to unauthorized persons, with audit logs that track each access.

Securing data is also about controlling its flow. DLP systems and MCAS tap into this flow and enforce policy with actions such as Warn, Encrypt, Notify, Block, Quarantine, and Revoke access. The flexibility of these systems allows complex rulesets that express the organization's policies for handling data, including Personal Data.
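An added example (not code from the original post) that covers both the Data Inventory step above and the labeling side of Securing data: a PowerShell script built on the cmdlets that ship with the Azure Information Protection client. It walks a file share, flags files whose contents look like Personal Data, records each file's current label and protection state, applies a protected label to unlabeled hits when run with -Apply, and writes the CSV report that the inventory phase calls for. The share path, the label GUID, the file types and the two detector patterns are assumptions constructed for this example.

```powershell
# Added example (not from the original post): inventory a file share for files that
# look like they contain Personal Data, record each file's Azure Information Protection
# state, and (with -Apply) label the unlabeled hits. Assumes the Azure Information
# Protection client is installed, which provides the AzureInformationProtection
# PowerShell module (Get-AIPFileStatus, Set-AIPFileLabel), and that $LabelId is the GUID
# of a label you created in the Azure portal and configured to apply Azure RMS protection.
# The detectors and file types below are constructed for this example.

param(
    [Parameter(Mandatory)] [string] $Root,      # e.g. \\fileserver\hr$ (assumption)
    [Parameter(Mandatory)] [guid]   $LabelId,   # protected label to apply (assumption)
    [string] $Report = ".\aip-inventory-$(Get-Date -Format yyyyMMdd).csv",
    [switch] $Apply                             # omit for a report-only dry run
)

Import-Module AzureInformationProtection -ErrorAction Stop

# Constructed detectors: an e-mail address and an IBAN-shaped account number.
# They stand in for the sensitive-information conditions of a real AIP or DLP policy.
$Detectors = @{
    Email = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    IBAN  = '\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b'
}

# Only plain-text formats are content-scanned here. A file that is already RMS-protected
# is encrypted on disk, so its contents will not match; it is reported by label state.
$files = Get-ChildItem -Path $Root -Recurse -File -Include *.txt, *.csv, *.log

$results = foreach ($file in $files) {
    $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
    if (-not $text) { $text = '' }

    $hits = foreach ($name in $Detectors.Keys) {
        $n = [regex]::Matches($text, $Detectors[$name]).Count
        if ($n -gt 0) { "$name=$n" }
    }

    $status = Get-AIPFileStatus -Path $file.FullName
    $action = 'None'
    if ($hits -and -not $status.IsLabeled) {
        if ($Apply) {
            # A label configured for protection both classifies the file and RMS-encrypts
            # it, so only users granted rights by the label can open it afterwards.
            $r = Set-AIPFileLabel -Path $file.FullName -LabelId $LabelId
            $action = $r.Status
        } else {
            $action = 'WouldLabel'
        }
    }

    [pscustomobject]@{
        File         = $file.FullName
        PersonalData = ($hits -join ';')
        WasLabeled   = $status.IsLabeled
        Label        = $status.MainLabelName
        Protected    = $status.IsRMSProtected
        Action       = $action
        ScannedAt    = (Get-Date).ToString('s')
    }
}

# The CSV is the audit artifact: what was scanned, what matched, and what was done about it.
$results | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
$results | Where-Object PersonalData |
    Format-Table File, PersonalData, Label, Protected, Action -AutoSize
```

Run it without -Apply first and review the report; labeling is the step that changes files, and once a file is protected, the script (and any other scanner without rights) can no longer read its contents, which is exactly the safeguard the policy intends.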

Compliance monitoring phase

Reporting on compliance is an important function in any compliance regime, and there are a number of artifacts and processes that should be created and maintained. There are two broad categories in the GDPR:

  1. Proving compliance in a manner sufficient for the organization's data protection officer to fulfill his or her duties
  2. Reporting data breaches and remediation

Azure Information Protection stores information about the protection state of unstructured Personal Data, and can feed the reporting that is useful for both compliance and breach response. The platform also lets you audit actions taken by users and by automated systems. By evaluating these signals, you can refine the policies that underpin your organization's compliance. Fine-tuning the policies also reduces any unintended friction that users encounter because of compliance restrictions.

As a final note, we used the GDPR as an example of how we can help with data protection needs. Other regulations mandate different treatment for different categories of data, and organizations can use AIP in their compliance regime for those regulations too.

In closing

Getting to a compliant state with data protection regulations can be a daunting task, but we are here to help, with support and guidance so that you get a good handle on what you need to do.
We know this is a lot to absorb. Engage with us on Yammer, Twitter or send us an e-mail to

Thank you,
Dan Plastina on behalf of our enthusiastic Azure IP team.
Twitter: @DanPlastina
Useful links: (PDF)

It really is very easy to get started. We have a lot of information available to help you, from great documentation to engaging with us via Yammer and e-mail. What are you waiting for? Get to it!

Extend cloud identity and access management to your customer and partner relationships

AD -

Organizations are transforming how they operate in a digital world. This means seizing new opportunities quickly, reinventing business processes, and delivering greater value to customers. More important than ever are the strong and trusted relationships with the whole ecosystem in which an organization operates. This includes business partners, contractors, and of course customers. While business-to-business (B2B) and business-to-consumer (B2C) interactions may be different, sustaining both requires information security combined with intuitive user experiences.

As your network of B2B and B2C connections grows online, securing them across on-premises, cloud, and hybrid scenarios becomes more of a challenge. A secure identity platform is critical to support this growth and to enable digital business securely. With this goal in mind, today we announce two important extensions in the capability of Microsoft Azure Active Directory.

Azure Active Directory B2B collaboration now generally available

Businesses are increasingly dispersed, mobile, and collaborative, relying on a wide range of vendors, partners, and contractors to stay nimble and capitalize on changing markets. Azure Active Directory (AD) is the foundation of our identity-driven approach to security, and it extends beyond your own employees to secure the identities of external collaborators: partners, contractors, and vendors. Our goal is to make it easy and secure to collaborate with the employees of any organization. Azure AD B2B collaboration is generally available today and is part of Microsoft Enterprise Mobility + Security (EMS).

B2B collaboration gives external user accounts secure access to documents, resources, and applications, while you keep control over internal data. There's no need to add external users to your directory, sync them, or manage their lifecycle; IT can invite collaborators using any email address (Office 365, on-premises Microsoft Exchange, or even a personal Gmail, Yahoo! or similar address) and can apply conditional access policies, including multi-factor authentication, to those guests. Your developers can use the Azure AD B2B APIs to write applications that bring different organizations together in a secure way and deliver a seamless, intuitive end-user experience.

Millions of users from thousands of businesses have already been using Azure AD B2B collaboration capabilities available through public preview.

“As early adopters of Azure AD B2B collaboration, we used this service to provide a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems. The latest enhancements are interesting, and we plan to use the invitation manager API in our Partner Relationship Management portal for a more customized guest onboarding/provisioning experience. The Azure AD team has been an incredible partner in our re-creation of a more agile and cost-effective hybrid cloud IT infrastructure.” – Steve Braunschweiger, Chief Enterprise IT Architect, Kodak Alaris

Here's how you can get started with Azure Active Directory B2B collaboration:

Azure Active Directory B2C now available in Europe

Another important audience within most enterprise ecosystems is the customers who trust your business with their own sensitive personal and financial information. Azure Active Directory B2C enables organizations to securely connect with their customers at scale. Today, Azure AD B2C is generally available in Europe. Azure AD B2C is a highly available, global identity and access management service for your consumer-facing applications. It scales to hundreds of millions of protected identities, integrates easily with nearly any platform on any device, and includes optional multi-factor authentication for additional protection. Your consumers will be able to use existing social media accounts or create new credentials for single sign-on access to your applications through a fully customizable experience.

Organizations now have the option to use Azure AD B2C tenants that operate and store data only in European datacenters. For all other regions, Azure AD B2C is available through the North American or European datacenters.

Heres how you can get started with Azure Active Directory B2C:

As companies adopt a cloud-first position to take advantage of increased agility and faster innovation, including B2B and B2C scenarios, we recognize that cloud-first doesn't mean cloud-only. As we announced today, we make it easy for customers to maximize their existing investments while adopting cloud. A hybrid approach is a strategic plan for businesses financially, for security, and for their identities and applications.

Azure AD B2B Collaboration is Generally Available!

AD -

Howdy folks,

This is a blog post I’ve been as eager to publish as I suspect you’ve been eager to read it. I’m excited to let you know that Azure AD business-to-business (B2B) collaboration is generally available worldwide!

Azure AD B2B collaboration capabilities enable any organization using Azure AD to work safely and securely with users from any other organization, small or large, with or without Azure AD, and with or without an IT organization.

Organizations using Azure AD can provide their B2B partners access to documents, resources, and applications while maintaining control over corporate data. Developers can use the Azure AD B2B APIs to write applications that bring two organizations together in a secure way that is also seamless and intuitive for end users to navigate.

Customer demand for these capabilities is sky high! Already during the public preview, customers have invited 2.6M guest users using these new capabilities.

And more than 20% of Azure AD tenants with >10 users are now using Azure AD B2B!

We have spent thousands and thousands of hours with these customers diving into how we can best serve their needs with Azure AD B2B.

I’d like to thank all of you who spent time with us providing feedback and suggestions. We would not have reached this point without your partnership.

Now you can dive in and use Azure AD B2B in your organization! Here are a few highlights of what you can do now:

  • Easily add B2B users to your organization.
  • Enable your collaborators to bring their own identity to work with you.
  • Delegate to application and group owners so they can add B2B users directly to any of the thousands of apps that work with Azure AD.
  • Have consistent authorization policies protecting your corporate content across your employees and partners.
  • Use our APIs and sample code to easily build applications to onboard your external partners in ways customized to your organization’s needs.

With Azure AD B2B collaboration, you can get the full power of Azure AD to protect your partner relationships in a way that end users find easy and intuitive.
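An added example (not code from either B2B post on this page) of what inviting collaborators by email address and onboarding partners through the APIs look like when automated: a PowerShell script using the AzureAD module that bulk-invites the guests listed in a CSV, adds each one to the group that is assigned to the partner application, and then inventories every guest in the tenant so that never-redeemed invitations can be reviewed. The CSV rows, redirect URL and group name are constructed for this example; the invitation cmdlet is the PowerShell surface of the same invitation manager API that the Kodak Alaris quote refers to.

```powershell
# Added example (not from the original posts): bulk-invite external collaborators as
# Azure AD B2B guests from a CSV, grant them an app via group membership, and report on
# every guest in the tenant. Assumes the AzureAD PowerShell module (Connect-AzureAD,
# New-AzureADMSInvitation, Get-AzureADUser, Get-AzureADGroup, Add-AzureADGroupMember)
# and an account allowed to invite guests. CSV content, URL and group name are constructed.

param(
    [string] $InviteCsv   = ".\partners.csv",
    [string] $RedirectUrl = "https://myapps.microsoft.com",   # landing page after redemption (assumption)
    [string] $GuestGroup  = "Partner-Portal-Users"            # group the partner app is assigned to (assumption)
)

Connect-AzureAD | Out-Null

# Constructed sample input; a real CSV just needs these columns.
if (-not (Test-Path $InviteCsv)) {
@'
Email,DisplayName,Company
jane@fabrikam.com,Jane Doe,Fabrikam
bob.k@gmail.com,Bob K,Independent contractor
'@ | Set-Content -Path $InviteCsv
}

$group = Get-AzureADGroup -Filter "displayName eq '$GuestGroup'"
if (-not $group) { throw "Group '$GuestGroup' not found; create it and assign the partner app to it first." }

$invites = foreach ($row in Import-Csv $InviteCsv) {
    # Skip addresses that are already guests: re-inviting is harmless to the directory
    # but sends the partner another mail, and it hides who is genuinely new.
    $existing = Get-AzureADUser -Filter "userType eq 'Guest' and mail eq '$($row.Email)'"
    if ($existing) {
        [pscustomobject]@{ Email = $row.Email; Status = 'AlreadyGuest'; ObjectId = $existing.ObjectId }
        continue
    }

    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $row.Email `
                                   -InvitedUserDisplayName $row.DisplayName `
                                   -InviteRedirectUrl $RedirectUrl `
                                   -SendInvitationMessage $true

    # The guest object exists as soon as the invitation is created (before redemption),
    # so it can be placed in the app's group right away; access works once they redeem.
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $inv.InvitedUser.Id

    [pscustomobject]@{ Email = $row.Email; Status = $inv.Status; ObjectId = $inv.InvitedUser.Id }
}
$invites | Format-Table -AutoSize

# Guest inventory. Invitations still in PendingAcceptance after a while are candidates
# for cleanup; accepted guests should be reviewed like any other account with access.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, Mail, UserState, UserStateChangedOn |
    Sort-Object UserState, Mail | Format-Table -AutoSize
```

Conditional access policies that require MFA apply to the guest accounts created this way just as they do to employees, so the MFA requirement mentioned above is configured once on the policy, not per invitation.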

Work with any user from any partner

  • Partners use their own credentials
  • No requirement for partners to use Azure AD
  • No external directories or complex set-up required

Simple and secure collaboration

  • Provide access to any corporate application or resource
  • Seamless user experiences
  • Enterprise-grade security for applications and data

No management overhead

  • No external account or password management
  • No sync or manual account lifecycle management
  • No external administrative overhead

Get started today on the Azure portal.

Learn More

There’s far more detail about the new Azure AD B2B Collaboration features in our updated documentation, so take a look and let us know if you have any questions! And if you haven’t seen it yet, check out (below) the latest short video about Azure AD B2B we put together, too.

As always, connect with us for any feedback, discussions and suggestions through our Microsoft Tech Community. You know we’re listening!

Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division

Need help getting started with EMS? Check out our new Find a Partner experience!

AD -

Thanks to customers like you, Enterprise Mobility + Security is growing at a very fast rate: we now have over 40,000 customers who have purchased EMS and started their journey with us. Some of you may need help getting started with EMS, and we're here to help! While we have several internal resources to help with deployment, including FastTrack, in some cases it's most efficient and effective to work with one of our many Enterprise Mobility + Security partners. Today, we're happy to announce a great new way for you to search for and find the right Enterprise Mobility + Security partner for your specific needs. From the EMS website, click the Partner dropdown and select Find a Partner.



This will take you to our Partner Search portal, where you can search for EMS partners and filter partners based on region and industry.



Once you've found the partner that works best for you, clicking their logo on the Partner Portal will direct you to the partner's profile on Microsoft Partner Center, where you can read more about the partner (including their competencies) and contact them directly to begin your engagement.



Please give the new Find a Partner experience a try and let us know your feedback.

End of support for DirSync and Azure AD Sync is rapidly approaching. Time to upgrade to AAD Connect!

AD -

Howdy folks,

On April 13 of last year, we announced the deprecation of “Windows Azure Active Directory Sync (DirSync)” and “Azure Active Directory Sync (Azure AD Sync)” and that it was time to start planning to upgrade to Azure AD Connect. We also announced at the time that DirSync and Azure AD Sync would reach end of support on April 13, 2017. Since then, 35,000 customers have successfully upgraded from these deprecated tools to Azure AD Connect; that’s what we like to see!

Today, we are confirming that DirSync and Azure AD Sync will reach end of Support as planned on April 13, 2017.

I would highly recommend that if you haven’t upgraded to Azure AD Connect, you should do so VERY soon to avoid service disruptions. Azure AD will stop accepting connections from DirSync and Azure AD Sync after December 31, 2017.
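An added example (not code from the original post) of a check worth running before the cutoff. From the tenant side, the MSOnline module reports which sync client last connected, so you can tell whether a tenant is still fed by DirSync or Azure AD Sync without logging on to the sync server. The build-number threshold is an assumption drawn from the published version history (Azure AD Connect builds start at 1.0.8641.0; DirSync and Azure AD Sync builds are all lower).

```powershell
# Added example (not from the original post): determine, from the tenant side, which
# directory synchronization client last synced and whether it is Azure AD Connect.
# Assumes the MSOnline module (Connect-MsolService, Get-MsolCompanyInformation).
# Threshold is an assumption from published build numbers: Azure AD Connect starts at
# 1.0.8641.0; every DirSync (1.0.7020 and earlier) and Azure AD Sync (1.0.04xx) build is lower.

$FirstAzureADConnectBuild = [version]'1.0.8641.0'

function Get-DirSyncClientStatus {
    Connect-MsolService
    $info = Get-MsolCompanyInformation

    if (-not $info.DirectorySynchronizationEnabled) {
        return [pscustomobject]@{ Client = 'None (cloud-only tenant)'; Version = $null
                                  Server = $null; LastSync = $null; NeedsUpgrade = $false }
    }
    if (-not $info.DirSyncClientVersion) {
        # Sync is enabled but no client has reported a version yet (never synced).
        return [pscustomobject]@{ Client = 'Unknown (no sync recorded)'; Version = $null
                                  Server = $null; LastSync = $null; NeedsUpgrade = $true }
    }

    $version   = [version]$info.DirSyncClientVersion
    $isConnect = $version -ge $FirstAzureADConnectBuild

    [pscustomobject]@{
        Client       = if ($isConnect) { 'Azure AD Connect' } else { 'DirSync or Azure AD Sync (deprecated)' }
        Version      = $version
        Server       = $info.DirSyncClientMachineName
        LastSync     = $info.LastDirSyncTime
        LastPwdSync  = $info.LastPasswordSyncTime
        NeedsUpgrade = -not $isConnect
    }
}

$status = Get-DirSyncClientStatus
$status | Format-List

if ($status.NeedsUpgrade) {
    Write-Warning ("Tenant is synced by '{0}' from {1}. Upgrade to Azure AD Connect before " +
                   "December 31, 2017, after which Azure AD stops accepting these connections.") `
                  -f $status.Client, $status.Server
}
```

The version reported is that of whichever server synced most recently, so if you run a staging server alongside the production one, check that both have been upgraded rather than relying on this value alone.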

For more information about the DirSync and AAD Sync upgrade, please see the DirSync and Azure AD Sync deprecation documentation.

If you have any questions or feedback about this change, we’re all ears. Please leave us a comment below or reach on Twitter using the #AzureAD hashtag.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Improving the branding logic of Azure AD login pages

AD -

Howdy folks,

Today we’re blogging to give you a heads up about some upcoming improvements we think you’ll want to be aware of. We’re making this set of improvements to the logic that drives app and company branding on Azure AD login pages. This change is going to make it easier for employees and B2B guests to understand how they are signing in and what apps they are signing into in a variety of different scenarios. Pretty much everyone we know is passionate about UX and branding, so we know this is likely to be a hot topic, so we want to give you an early heads up and explain the change.

I’ve invited Ariel Gordon, one of the Program Managers on my team, to share more details about this change. As always, we want to hear from you about this experience, so leave us a comment below, or reach out to us on Yammer or Twitter.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Hi everyone,

We’re continuing to make progress on converging the Azure AD and Microsoft account identity systems. One of the big changes our team is working on is realigning the user experiences (“the pixels”) between the two systems. It’s a big milestone that requires us to rationalize the way the two systems represent different brands in our sign-up and sign-in experiences. Proper branding is essential to establish context, help users feel secure, and help them know which account to use for a given interaction.

Getting this right is tricky, because there can be up to four relevant and different brands for any sign-in flow:

  1. The brand of the app that the user is signing into, or providing consent for (e.g. Office)
  2. The brand of the organization that owns the resource (e.g. the app belongs to Fabrikam)
  3. The brand of the organization that the user is a member of (e.g. user is a Contoso employee)
  4. The brand of the platform/service provider (e.g. Microsoft).

That’s a lot of brands to represent on a single page! The design we shipped a few years back made a radical simplification by only allowing one brand to be displayed at a time. The change we’re making right now swings the pendulum back and introduces a nice visual optimization for users of Azure AD B2B.

With the updated branding logic, the full-bleed illustration on the left side of the screen will now represent the resource owner for all tenanted login scenarios. It will override the app’s illustration and will no longer be replaced by the user’s org illustration. This is a nice improvement for B2B flows, and it means that your employees and your business guests will now see a persistent representation of your organization.

For non-tenanted login flows, the full-bleed illustration on the left will continue to show the application that users are signing in to.

Note that “left” and “right” are swapped for RTL languages such as Hebrew or Arabic.

Brand presentation scenarios

The screenshots below illustrate the four main use cases.

#1: Contoso employee goes to a generic app URL (e.g.

In this example, a Contoso user is signing into a mobile application, or into a web application using a generic URL. The illustration on the left will always represent the app brand, and the interaction pane on the right will update to show Contoso elements when appropriate.

#2: Contoso employee goes to a Contoso app that’s restricted to internal users (e.g.

In this example, a Contoso user is signing into an internal application using a company-specific URL. The illustration on the left represents the company brand (Contoso). The interaction pane on the right is locked to Contoso and helps employees through sign-in.


#3: Contoso employee goes to a Contoso app that’s open to external users (e.g.

In this example, users are signing into a LoB application from Contoso, but the user may or may not be a Contoso employee. The illustration on the left represents the resource owner (Contoso), just like case #2 above. But this time, the interaction pane on the right is not locked to Contoso, to convey that external users are welcome to sign in.

#4: Fabrikam employee goes to a Contoso app that’s open to external users

In this final example, the application belongs to Contoso and the user who’s signing in works for Fabrikam. The illustration on the left represents the resource owner (Contoso), and the interaction pane on the right dynamically updates to show relevant information to Fabrikam employees.

Wrapping up

This change in logic will give our partners better branding opportunities in a variety of B2B scenarios. Most users should either see a positive change or no change at all.

If you are interested in learning more, check out the documentation.

We want to hear from you about this change, so please keep the feedback coming!


Ariel Gordon (Twitter: @askariel)

Azure Information Protection Documentation Update for March 2017

AD -

Hi everybody

Our technical writer, Carol Bailey, is letting you know what's new and hot in the docs for March.

Reminders: Follow us on Twitter (@TheRMSGuy) and join in our peer community

Dan (on behalf of the Information Protection team)

The documentation for Azure Information Protection has been updated on the web, and the latest content has a March 2017 (or later) date at the top of the article.

Updates for this month support the new release of the Azure Information Protection client, and also incorporate customer feedback for clarifications. Any day now (maybe by the time you read this!) you can also expect updated guidance for Migrating from AD RMS to Azure Information Protection. The basic instructions for migration remain the same but after learning from several customer migrations, we’ve picked up some tweaks and tips to help make this process go more smoothly. For example, we’re adding a preparation phase, which includes setting onboarding controls and deploying a pre-migration script to ensure that clients don’t accidentally bootstrap against the Azure Rights Management service before you are ready for them.

We value customer feedback and try to incorporate it whenever possible. If you have feedback about the documentation, you can contact us by emailing

What’s new in the documentation for Azure Information Protection, March 2017

The following information lists the articles that have significant technical changes since the last update (February 2017).

Applications that support Azure Rights Management data protection

– Previously, this article contained information about client apps only. It now contains a new section for server-side solutions from software vendors.

On-premises servers that support Azure Rights Management data protection

– Added Windows Server 2016 support for file servers that run Windows Server and use File Classification Infrastructure (FCI).

Frequently asked questions for Azure Information Protection

– New entry: Is the Azure Information Protection client only for subscriptions that include classification and labeling? This entry explains how the client detects and operates in protection-only mode.

Frequently asked questions about classification and labeling in Azure Information Protection

– Revised the instructions for Exchange message classification and included a screenshot of configuring an Exchange Online transport rule to set a message header for an Azure Information Protection label. In addition, the entry “How do I sign in as a different user?” is removed, and this information is now in the new Custom configurations section of the Azure Information Protection client admin guide.

Frequently asked questions about data protection in Azure Information Protection

– New entry: How do I send a protected email to a Gmail or Hotmail account? We’ve had a lot of questions asking how to configure Azure Information Protection as shown in the Ignite session Send secure email to anyone with the power of Microsoft Office 365 and Azure Information Protection. This feature is still in private preview.

Quick start tutorial for Azure Information Protection

– Updated throughout, to reflect the new default policy for customers who are connecting to the Azure Information Protection service for the first time.

Preparing for Azure Information Protection

– Added a new section about considerations if email addresses change.

Refreshing templates for users

– Updated the information to include the Azure Information Protection client and Office 2016 for Mac, and revised the information for Office 2010.

Configuring usage rights for Azure Rights Management

– Updated the description for Save As, Export (common name) to clarify that if this right is not granted, Office applications still let a user save a document under a new name if the selected file format supports Rights Management protection. For example, when an authorized user opens Report.docx that has been protected but the Save As, Export right is not granted, she can save the document as NewReport.docx because Word supports Rights Management for that file type, but she can’t save the document as Report.pdf because Word doesn’t support Rights Management for that file type.

In addition, this page is updated with the information that Outlook and the Outlook web app require the Edit Content, Edit (common name) right together with Reply or Reply All when the recipient is in another organization.

The default Azure Information Protection policy

– Updated for the revised default policy that was deployed March 21, 2017. If you were already using Azure Information Protection before the default policy was revised, your earlier version of the default policy is not updated, because you might have configured it and deployed it into production. However, you can use this information to update your policy to the latest values.

How to configure the policy settings for Azure Information Protection

– Updated for the new setting: For email messages with attachments, apply a label that matches the highest classification of those attachments.

How to configure a label for visual markings for Azure Information Protection

– Updated to clarify that visual markings are not applied when the label is applied by using File Explorer and the right-click action, or when a document is classified by using PowerShell.

Logging and analyzing usage of the Azure Rights Management service

– Updated to clarify that the file-name field is populated only for protected documents that are tracked by using the Azure Information Protection client for Windows or the Rights Management sharing application for Windows, and is also blank if the request type is RevokeAccess. Other fields are updated to clarify when they are similarly blank if the request type is RevokeAccess.

Installing Windows PowerShell for Azure Rights Management

– Updated to clarify that if you have the minimum required version of PowerShell (v2.0), you must manually load the module (Import-Module AADRM) before you can use any of the Azure RMS cmdlets in your PowerShell session. Because most people have a later version of PowerShell, which loads modules automatically, other documentation pages do not include the step to manually import the module before running the cmdlets.

Azure Information Protection client: Version release history

– Updated for information about the release this month.

Azure Information Protection client administrator guide

– Updated for information about prerequisites and custom installs, with a new section for Additional checks and troubleshooting. There’s also a new section, Custom configurations, which contains advanced configurations that you might need for specific scenarios or a subset of users. Suitable for administrators but not for end users, these configurations will often require deleting files or editing the registry, so please do this carefully! Note that the information previously published as an FAQ entry (“How do I sign in as a different user?”) is now moved to this new section.

File types supported by the Azure Information Protection client

– Updated for PDF files, which now support labels that apply classification only.

Using PowerShell with the Azure Information Protection client

– Removed the statement that you can use New-AzureADServicePrincipal from the latest Azure AD PowerShell module to create the service principal account for Set-RMSServerAuthentication. Currently, this cmdlet is not supported for the Azure Rights Management service; instead, you must use New-MsolServicePrincipal from the MSOL PowerShell module.

Classify and protect a file or email by using Azure Information Protection

–Updated for the new functionality to set custom permissions for a document.

RMS protection with Windows Server File Classification Infrastructure (FCI)

– Updated to clarify that you must run Get-RMSTemplate on the file server before running the script, and run it again with the -Force parameter if you make changes to the template you’re using for FCI. Also clarified that this configuration does not support scoped templates.
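One PowerShell sequence that ties together three of the notes above: the manual Import-Module AADRM step on PowerShell 2.0, the requirement to create the service principal for Set-RMSServerAuthentication with New-MsolServicePrincipal rather than New-AzureADServicePrincipal, and the Get-RMSTemplate -Force refresh for FCI. This is an added example, not code from the Microsoft documentation or the blog post; it assumes the AADRM module, the MSOnline (MSOL) module and the Azure Information Protection client's PowerShell module are all installed, and the service principal display name is a constructed placeholder.

```powershell
# Added example (not from the Microsoft post): prepare a session for Azure RMS
# administration and register a service principal for non-interactive use of the
# AIP client cmdlets. Assumes the AADRM, MSOnline (MSOL) and AIP client modules
# are installed on this machine.

# PowerShell 2.0 has no module autoloading, so AADRM must be imported explicitly;
# PowerShell 3.0 and later load it on the first use of one of its cmdlets.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    Import-Module AADRM
}

# 1. Tenant ID for the Azure Rights Management service (BPOSId in Get-AadrmConfiguration).
Connect-AadrmService
$tenantId = (Get-AadrmConfiguration).BPOSId

# 2. Create the service principal with the MSOL module, as the doc update requires.
#    "AIP-FCI-Automation" is a constructed placeholder name.
Connect-MsolService
$sp = New-MsolServicePrincipal -DisplayName "AIP-FCI-Automation"
$appPrincipalId = $sp.AppPrincipalId

# When no credential is supplied, New-MsolServicePrincipal generates a symmetric key
# and prints it once to the console. Copy that value into $key (placeholder below)
# and keep it out of scripts checked into source control; it authenticates as the
# service principal.
$key = "<symmetric key printed by New-MsolServicePrincipal>"

# 3. Authenticate the session for the AIP client cmdlets (no interactive sign-in).
Set-RMSServerAuthentication -Key $key -AppPrincipalId $appPrincipalId -BposTenantId $tenantId

# 4. Verify access by downloading the templates. On an FCI file server, run this
#    before the FCI script, and again with -Force after editing the template it uses,
#    so the cached copy is refreshed.
Get-RMSTemplate -Force | Select-Object TemplateId, Name
```

The version check is the only part that matters for the PowerShell 2.0 case; on newer hosts it is a no-op and the rest of the script behaves the same. Keep the printed symmetric key in a secrets store rather than in the script file, since anyone holding it can obtain templates and protect or consume content as that service principal.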


– Updated to clarify that you can run this command concurrently when you specify a different path for the -LogFile parameter for each command that runs in parallel. Protect-RMSFile does not currently support running concurrently; Set-AIPFileLabel does support running concurrently.


Update 1703 for Configuration Manager Technical Preview Branch – Available Now!


Hello everyone! We are happy to let you know that update 1703 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This month's new preview features include:

  • Windows Analytics Commercial ID and Windows telemetry levels – You can specify the Windows Analytics Commercial ID and configure telemetry, commercial data, and Internet Explorer data collection settings in Client Settings for use with Upgrade Analytics.
  • In-place UEFI conversion – You can customize a Windows 10 in-place upgrade task sequence to include the Windows 10 UEFI conversion tool.
  • Collapsible task sequence groups – Groups in the task sequence editor can be collapsed or expanded.
  • Azure Services wizard – The Azure Services wizard provides a common configuration for the Azure cloud services you use with ConfigMgr. This is done by using Azure web apps to provide the common subscription and configuration details that administrators would otherwise have to re-enter for each additional Azure cloud service you use.
  • Direct links to applications in Software Center – You can now provide end users with a direct link to an application in Software Center. This means they no longer must open Software Center and search for an application before they can install it.
  • Import PFX certificate feature for ConfigMgr clients – Import PFX certificate profiles are now supported on ConfigMgr clients running on Windows 10 desktops. See How to create PFX certificate profiles in System Center Configuration Manager and this blog post.

This release also includes the following improvement for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:

  • Apple Volume Purchase Program (VPP) enhancements – Support has been added to tag education vs business volume purchase program tokens, device licensing, and adding multiple volume purchase program tokens.

Update 1703 for Technical Preview Branch is available in the Configuration Manager console. In addition, we will update the baseline version of Configuration Manager Technical Preview Branch available on TechNet Evaluation Center. It will be based on the Technical Preview Branch version 1703. Baseline bits are used for new installations.

We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use Connect. If there's a new feature or enhancement you want us to consider for future updates, please use the Configuration Manager UserVoice site.


The System Center Configuration Manager team

Configuration Manager Resources:

Documentation for System Center Configuration Manager Technical Previews

Try the System Center Configuration Manager Technical Preview Branch

Documentation for System Center Configuration Manager

System Center Configuration Manager Forums

System Center Configuration Manager Support

Download the Configuration Manager Support Center

