Simon May

Client and cloud

  • Your questions answered from the Azure RMS Core Skills Jumpstart

    Last week we broadcast the Azure RMS Core Skills Jump Start live on Microsoft Virtual Academy. The on-demand version will be up soon. As always there were lots of questions and we have lots of answers! Here’s a summary of those questions (answered by Dan Plastina, Carol and myself).

    Question: I have experimented with Exchange transport rules (office 365) to apply RMS policies automatically to messages as they are sent externally. Unfortunately they aren’t able to be a opened by @gmail, etc. because of a requirement for Outlook desktop. Am I doing something wrong?

    Answer: No. Social ISPs like Gmail are not supported currently.

    Question: What are the benefits of Azure RMS in an SMB environment, and what is the best way for a business to dip its toe in the technology?

    Answer: You can just create a small test environment and create a 30 day Office 365 test tenant here:

    Question: another one! If I RMS protect a SharePoint document library, then I share a link to a document in the library, what RMS rules apply? (I haven’t experimented with this one yet).

    Answer: The document library applies whatever you define as policy for that library. Access to the library is based on SharePoint permissions to that library. We also cover this specifically in the Jumpstart in module 3.

    Question: SharePoint Online with O365 E3 license: Before I turn on RMS on a document library I can create documents in the library using the browser. After I turn on RMS on the document library the only thing I can do in the browser is upload a file. Is this correct behavior?

    Answer: The Office Web Apps don’t currently support Rights Management, so when you enable it for a library it’s intelligent enough not to let you create a document that you’ll not be able to edit later in the browser.

    Question: Can I use Office 365 email encryption (via a transport rule) along with RMS when sending to external users? It doesn’t seem to work for me.

    Answer: You can either use OME or RMS; they cannot be used in addition to each other currently.

    Question: Where do I find a comparison between the Azure RMS features provided by the different subscription options (Office 365, EMS, and Azure RMS standalone)?


    Question: What is the difference if I click on “share protected” based on the Sharing App or choose protection from the Word File menu?

    Answer: No difference; it’s just a plugin to File Explorer to make it easy to go through the process without having to open up each document.

    Question: Can RMS also be used to protect documents sent to users that are not part of my organization? What are the limitations?

    Answer: If you use Azure RMS, yes, as long as the outside users are not using Gmail, Yahoo or other social identity providers.

    Question: A client has 4 users on O365 E3 and 2 users on E1. Can I add an RMS product licence to the 2 users, or, do they have to be given E3?

    Answer: Only E3 users can protect content. All others can read for free. If they want to protect content as well, they need a license. You could assign an Azure RMS license to them.

    Question: So what credentials does the outside user need to authenticate?

    Answer: Either an organization ID that is already enrolled in Azure AD or if the organization doesn’t have an Azure AD created we will seamlessly create one (IT at the “shared to” organization can take this over later).

    Question: Is the Document Tracking Feature already available in Germany?

    Answer: Currently the preview is only available in the US. For Germany, some modifications will have to be made to follow German work law.

    Question: If a document is protected with a template where an Azure AD contact had permission, what happens if the admin removes the external contact from the template permission? Can the external user still open old documents that were created while he had permission on the template? Does the behavior depend on the configured offline setting for the template?

    Answer: The permissions depend on when he opened the document and how long the use license is valid. Group membership and permissions are granted based on the time you first access it. If it worked the first time, the use license expires after 7 days (unless you set this to less in the template); if on the 5th day the admin removes a user from the template, that user will not be able to open it after his use license expires.

    Question: What account will the RMS connector use to connect to Azure RMS? Is it the admin account specified during the setup? If this is the case what happens if the admin changes his password?

    Answer: There will be a special account created during installation, so the normal admin can change his password whenever he wants.

    Question: Can you provide information/a link on how to set up O365 E1 to work with Azure RMS standalone?


    Question: Is it possible to make the documents only openable from authenticated computers? I mean, if a user grabs a flash drive, copies files, and takes them out for “Snowden-like use”, the files won’t “show” the contents?

    Answer: You need to authenticate to the RMS server in order to access content. So the user needs to authenticate, no matter what device he is on or where the data is stored. So in this case you would revoke his permission, making every place he stored the file useless.

    Question: Can you access a document that has been protected when you are offline (say in an airplane)?

    Answer: If you want to access a document you need to authenticate against the Azure RMS service. When the document was protected it was given an expiration period (set by the user or the template). When this expires the document will become inaccessible. Secondly, a use license was issued to the document; this includes how long the document can be accessed offline before another authentication is required.

    Question: When the key is managed by Microsoft, how is it protected? Software only or HSM?

    Answer: HSM

    Question: Is there more RMS functionality in the EMS Suite vs E3 Office 365?

    Answer: Yes. The ‘Document tracking’ is EMS only.

    Question: Can I expire a shared file?

    Answer: Yes, using the ‘doc tracking’ feature you can remote kill a file. You can also set an expiration time on the file when you publish it.

    Question: Any specific reason the RMS Connector only allows Exchange and SharePoint (and not FCI) for the Office 365 SKU?

    Answer: Hi Tom. FCI is used on premises and generally users of O365 don’t cross over that much with the FCI use case. That’s why we licensed it the way we did.

    Question: Can I use Thales nShield Edge with RMS BYOK or do I need one of the bigger ones?

    Answer: Yes, the small USB unit is fine. You will be using it for BYOK and then locking it up in a safe afterwards. We’re handling all your actual processing with our HSMs hosted all over the world.

    Question: What about mobile devices?

    Answer: Mobile devices that currently support RMS: Windows Mobile, iOS 6+, Samsung KNOX-enabled Android.

    Question: We have seen documents referencing a SuperUser that can remove or change permissions when the account that protected the document is removed from the organization.

    Answer: Yes, there are a few ways to explain this. First, the OWNER is a key role. Any document that you protect you can unprotect. The SUPERUSER role is one where an RMS Admin can unprotect content. This same role is used for services like Exchange that perform anti-malware, DLP, archival, and eDiscovery.

    Question: RMS For Individuals can be used to protect without paying “for evaluation”. Any upcoming technical limitations for this (other than not getting logging, custom templates, Super User etc)?

    Answer: Nope. We’re intentionally very generous with RMS for Individuals for the users. The ‘catch’ is that we’re the holder of the root key so the IT Pros don’t have the ability to manage the content. When an organization licenses RMS they have the right to fully manage it.

    Question: Is company confidential for all domains in your tenant or for people who have the same email address as you?

    Answer: It’s whomever you place in the template. You can even put external partners by name e.g.:

    Question: Thanks, Anthony. I’m more interested in restarting RMS after a trial has expired. So, do a POC and then plan a full deployment. But that deployment will happen after the trial has expired. So, are there any challenges with restarting RMS?

    Answer: Here’s a simplifying view… RMS is $2/user/mth. Keep one paying user around and you’re using a paid service. Don’t fret with lifecycle changes for such a low price.

    Question: Does RMS contain any US government enforced backdoors?

    Answer: No is the simple answer. Our commercial services are built for you. I’d encourage you to review Brad’s posts on these topics here:

    Question: Is there a way to set flags for admin actions or stream the data to a SIEM for alerting?

    Answer: Azure RMS gives you, the IT Pro, a raw log of all RMS activity in near real-time. You can inject this into your SIEM.

    The post Your questions answered from the Azure RMS Core Skills Jumpstart appeared first on Enterprise Devices + Infrastructure.
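    The two answers above about template revocation and offline access describe the same rule: a cached use license keeps a document openable offline until it expires, after which the client must re-authenticate, and the content expiration set at protection time overrides everything. The following Python model, added here as an illustration and not code from the Jump Start or from Azure RMS itself, replays that timeline; the 7-day validity comes from the answer, while the service stub, document name and user are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

USE_LICENSE_VALIDITY = timedelta(days=7)  # per the answer: 7 days unless the template sets less


@dataclass
class ProtectedDocument:
    """A document protected with an RMS template. content_expiry is the
    expiration the publisher or template set at protection time (None = never)."""
    name: str
    content_expiry: Optional[datetime]


@dataclass
class UseLicense:
    """Issued to a user after authenticating to the service; allows offline
    opening of the document until it expires."""
    issued_at: datetime
    validity: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.validity


class RmsTemplateStub:
    """Constructed stand-in for the service side of a template: it only records
    which users the template currently grants access to."""

    def __init__(self, users):
        self.permitted = set(users)

    def remove_user(self, user: str) -> None:
        self.permitted.discard(user)

    def issue_use_license(self, user: str, now: datetime, validity: timedelta):
        if user not in self.permitted:
            return None
        return UseLicense(issued_at=now, validity=validity)


def can_open(doc, user, now, online, template, cached):
    """Decide whether `user` can open `doc` at `now`.
    Returns (allowed, reason, use_license_to_cache)."""
    # 1. Content expiration is absolute: nothing re-opens an expired document.
    if doc.content_expiry is not None and now >= doc.content_expiry:
        return False, "content expiration reached", None
    # 2. A still-valid cached use license allows offline access.
    if cached is not None and now < cached.expires_at:
        return True, "cached use license still valid", cached
    # 3. Otherwise the client has to authenticate to the RMS service.
    if not online:
        return False, "use license expired and RMS service unreachable", None
    lic = template.issue_use_license(user, now, USE_LICENSE_VALIDITY)
    if lic is None:
        return False, "user no longer permitted by template", None
    return True, "new use license issued", lic


def walkthrough():
    """Replays the Q&A timeline and returns the decision for each step."""
    t0 = datetime(2015, 4, 1)
    user = "partner@example.org"  # constructed external contact
    doc = ProtectedDocument("plan.docx", content_expiry=t0 + timedelta(days=30))
    template = RmsTemplateStub({user})
    results = {}

    # Day 0: the user opens the document online and receives a use license.
    ok, why, cached = can_open(doc, user, t0, True, template, None)
    results["day0_online"] = (ok, why)

    # Day 5: the admin removes the external contact from the template.
    template.remove_user(user)

    # Day 6: offline on a plane; the cached use license is still valid.
    ok, why, _ = can_open(doc, user, t0 + timedelta(days=6), False, template, cached)
    results["day6_offline"] = (ok, why)

    # Day 8: the use license has expired; re-authentication is refused.
    ok, why, _ = can_open(doc, user, t0 + timedelta(days=8), True, template, cached)
    results["day8_online"] = (ok, why)

    # Day 31: even a user still in the template is stopped by content expiration.
    still_permitted = RmsTemplateStub({user})
    ok, why, _ = can_open(doc, user, t0 + timedelta(days=31), True, still_permitted, None)
    results["day31_permitted_user"] = (ok, why)
    return results


if __name__ == "__main__":
    for step, (allowed, reason) in walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'denied'} ({reason})")
```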

  • FAQ ME! Microsoft Intune Jump Start FAQ!

    Last week I ran the Microsoft Intune Core Skills Jump Start and as promised multiple times during the event here’s the questions, and the answers to those questions, that folks on the Jump Start asked:

    Q: Do we have the option to have Intune in the customer’s DC rather than in the cloud?

    A: No, Microsoft Intune has been architected from the ground up to run at scale in the Microsoft Cloud and on Microsoft Azure. We did this in part because it means you get fantastic levels of scale, without the need for everything to come back to on-prem infrastructure. As the number of devices users have grows, your ability to manage those devices shouldn’t be constrained by an inability to grow the management infrastructure.

    Q: Can Intune integrate with SCCM?

    A: Absolutely! It’s designed that way, there’s documentation here on how to connect SCCM to Microsoft Intune.

    Q: What is the unique feature that Intune has to coexist with SCCM for an organization that already has SCCM 2012?

    A: Microsoft Intune when connected to Configuration Manager 2012 makes it possible to manage mobile devices via Microsoft Intune from SCCM. You can see a full list of features on Microsoft TechNet, check out the “Which Configuration is for Me?” section.

    Q: Does Intune have Digital Rights Management capability, or which DRM solution can it integrate with?

    A: Azure RMS is part of the Enterprise Mobility Suite and can be used to protect your data

    Q: Intune can work through Azure, but is it possible to have AD FS, AD FS Proxy and [Microsoft] Federated Identity Manager?

    A: Yes, it is fully supported. This would enable you to have authentication for Azure AD flow through the on-premises AD FS infrastructure.

    Q: Is it possible to clarify on what is happening in the background when a mobile device is enrolled to Intune?

    A: When the device is enrolled into Intune, three things happen primarily. First, the device is configured to trust Microsoft Intune as an MDM authority (iOS, Windows) or device administrator (Android). Second, the device and its information are added to Microsoft Intune and also to Azure AD as a device object tied to the user who enrolled the device. Third, the device requests policy from Microsoft Intune.

    The actual blow by blow process varies per device.

    Q: Can Intune stand-alone and Intune/SCCM live together side by side?

    A: Not really. You could set up two tenants, have one configured in Hybrid and the other in standalone. You’d then need to think about where users are coming from. You could create cloud-only users for the standalone tenant and deal with them individually. You could also sync a specific set of users with a different User Principal Name (UPN) suffix to your standalone tenant and users with another UPN suffix to the Hybrid tenant. I’m not really sure what the use case would be here though.

    Q: Can I migrate from Standard to Hybrid?

    A: Not on your own. You’ll need to call support and we need to clear data from the standalone tenant before migration to hybrid.

    Q: Can we use Office 365 MDM and Intune on the same tenant?

    A: That is the intent but at time of writing it’s not possible. There is a need to manually set the MDM authority which is something that Microsoft must do for you.

    Q: Is Conditional Access for Exchange on-premises with SCCM/Intune already available?

    A: Conditional Access for Exchange on-premises is currently only available with Microsoft Intune stand alone.

    Q: Do we need the exchange connector for conditional access to Exchange on-premises?

    A: Yes

    Q: Is Apple iPad supported by Intune standalone?

    A: Yes

    Q: If you sync your on-prem accounts with Intune and you already had some existing Office 365 user accounts that are cloud-only, will this create an issue?

    A: No. If you already have Azure AD Sync/AD FS in place you can just use the same. Nothing to configure. Just make sure that you create the Intune account using the same account as you use for Office 365.

    Q: What can I do when a phone with corp data is lost and the phone does not have an internet or mobile connection?

    A: You can’t do anything. It’s like having the phone turned off. But you can wipe the device, and when/if the device is online, it will be wiped.

    Q: Does the Intune client include Endpoint protection, or is that only with SCCM?

    A: That’s available in both scenarios.

    Q: Can I manage all or at least most aspects of Intune through SCCM or are some management features split between SCCM and the Intune portal?

    A: Today there are some limitations. But check this article out for what can be managed where.

    Q: Is Conditional Access available in O365 MDM?

    A: Yes, MDM in Office 365 includes the ability to manage conditional access to Exchange Online and SharePoint Online.

    Q: If I make a change to the policy, is that pushed out, or do the users need to re-enroll their devices? For example, if I decide to change the password requirements?

    A: No, they will just be asked to change the password to be compliant. However some policies could lead to tattooing, for example if you set an assigned access policy on Windows and delete the policy from Intune then there is nothing to re-enable the apps that are outside of the Assigned Access policy.

    OR to put it another way: If you set a policy to push a “1” to a device and the device is currently set to “0” the policy will set the device to “1”, deleting the policy won’t make the device automatically revert since it needs something to overwrite the policy.

    At its core OMA-DM can do 3 things on a device, Get, Set and Execute.

    Q: With the emphasis on BYOD and mobile devices, should we anticipate treating desktops as just another flavor of a BYOD scenario?

    A: Possibly, but probably not with desktops. There will be a class of devices that will be BYO, a class that will be Company Owned and a class that will be task worker based. Those last two categories are probably going to require deeper management than BYO. Of course you will need to be able to manage the mix.

    Q: If I add a setting that only works on iOS and Windows Phone, what will happen if an Android user tries to enroll?

    A: The agent won’t know what to do with the setting so it will ignore the setting on that type of device.

    Q: Where can we find a manageable list of the Windows CSPs? Not an exhaustive List!

    A: This is the exhaustive list for Windows 10 (that is still subject to change).
    The post FAQ ME! Microsoft Intune Jump Start FAQ! appeared first on Enterprise Devices + Infrastructure.

  • Enable Office 365 Built-In MDM (Mobile Device Management)

    Do you have company-owned mobile devices or employee-owned mobile devices that receive email? Of course you do, everyone does. Do you have a Mobile Device Management solution that you’re paying lots for but only using little of? Have you got, or are you looking at getting, Office 365? If the answer to any of these questions is yes then you need to be aware of Mobile Device Management in Office 365, which Microsoft announced on March 30 on the Office Blog. In this post, I’m going to take you through enabling MDM management of a device, but first: why is MDM in Office 365 important?

    Why is MDM in Office 365 important?

    The Exchange ActiveSync (EAS) protocol has had some mobile device management-like capabilities for some time, but as mobile devices and their use have evolved, EAS hasn’t been the go-to management solution beyond email. OS manufacturers have invested in Mobile Device Management protocols and deeply instrumented them in their OS, allowing MDM to apply policies far beyond email.

    I’ll give you a prime example of that evolution: the BYOD movement has led to people using their personal devices for work. It’s not clear legally how much control over such a device an employer has, and it can vary dramatically even within one country. As a result, wiping everything on a personally owned device could be worrisome to an employer.

    With EAS, it’s only been possible to fully wipe a device. One of the capabilities that Office 365 built-in MDM brings is the ability to selectively wipe business data from the device. This is huge, because if remote wipe is your only need, Office 365’s built-in MDM has you covered. More of you need to specify basic device policies (that still go beyond EAS) to control device capabilities, such as encryption, password requirements, app (age) restrictions and the like. A full list of the policies enabled through Office 365 MDM is on TechNet.

    Conditional Access to Office 365 is also available through the built-in MDM. If you aren’t familiar with the principle of Conditional Access yet, it asks a simple question: does the device meet the minimum bar for entry? You define the minimum bar. So you can set a policy that says that a device must be managed by Office 365 (so you can wipe it, for example) before it’s allowed access to critical information. Frankly it’s ground-breaking that this ability is in an MDM offering that costs nothing extra.

    With all that in mind, what’s the answer to the question: Why is MDM in Office 365 important? The Answer: It gives you another option for management.

    For some customers, it might be the only MDM they need. Indeed, I surveyed my Twitter followers and found out something interesting (I do this regularly; you should follow me to participate and be heard). 14% of respondents to one poll were paying for MDM (which is probably about $100 per user or $51 per device per month*); they could cut this from their expenditure immediately… that would probably make the boss happy!

    How about if you still need MDM for some users that need capabilities beyond what’s built into Office 365 such as Mobile Application Management or Company Resource provisioning?

    There are people or groups of devices that need capabilities beyond what’s available built into Office 365 MDM and that is fine. Just license them for Microsoft Intune and the on-ramp is simple. Users with a Microsoft Intune license are managed through Microsoft Intune, users without are managed through Office 365 MDM! With Microsoft Intune, you get capabilities such as being able to automatically provision company resources (certificates, VPN, WiFi) and being able to distribute and manage apps.

    Ok, looks useful, let’s try this…

    That’s the why over with and hopefully you want to start taking a look. Let’s take a look through my Office 365 tenant and see what we need to do to get setup.

    Enable Office 365 MDM

    First we go to the Mobile Devices option in the Office 365 Admin portal and click Get Started to start the activation process; this will take some time to complete. If you’re using a custom domain (such as and not ) to set up Office 365 as a mobile device management authority, you will need to set up the correct DNS settings and exchange a certificate request from Office 365 for a certificate from Apple to work with the Apple Push Notification service (APN) to support iOS. You’ll need to add the following two DNS entries if you’re using a custom DNS:

    Host name                Record type   Address   TTL
    EnterpriseEnrollment     CNAME                   3600
    EnterpriseRegistration   CNAME                   3600


    REALLY neat feature: these are the same DNS entries you need to add if you’re using Microsoft Intune for MDM, which is why moving some or all users to Intune from Office 365 MDM is possible. Put another way: Office 365 and Microsoft Intune co-exist for MDM.

    Optionally you can enable Multi-Factor Authentication (MFA), meaning that to enroll their device into Office 365 MDM management users need to give a second factor of authentication, such as receiving a phone call or text from the Azure MFA service. Configuring this only requires MFA at device registration; from that point forward, because the device is now trusted, the device itself serves as a second factor of authentication.

    Create A Device Security Policy

    Now that your Office 365 tenant is enabled for MDM, we need to enable some policy. So click the Manage device security policies and access rules link. You’ll be taken to Compliance Center, where you’ll click the Manage device access settings link.

    In Organization-wide settings for device access management, you can choose to allow devices that don’t support MDM management to enroll, or choose to block them. If you choose block, then a device must be MDM capable to be able to add an Office 365 email profile. You might want to do this for your regular users but have some users to whom this rule doesn’t apply (such as your C-level people).

    Finally, let’s create our policy and target it to some users. Click the New icon (the plus sign). Enter a policy name, and click Next. Make some policy settings: I like to set a password policy for testing purposes. The last section of the Device Security Policy determines what to do if a device is non-compliant; this is Conditional Access!

    Conditional Access

    Conditional Access, as previously stated, prevents a non-compliant device from accessing resources. If you select Block access and report violation, then if any of the above policy settings aren’t set on the device (or the device has refused the setting), access to Office 365 Email, SharePoint and OneDrive for Business will be blocked from this device. If you select Allow access and report violation, then the violation will just be audited (which you can see in either case in Compliance Center).

    This is simply a cool feature: it means you can definitely stop email flow to a device that isn’t enrolled, or a device that’s jailbroken or rooted, or a device that simply isn’t encrypted.

    In the case of email, all the user will get in their inbox, until they are compliant, is a single email telling them how to get compliant, and nothing more!

    If the device Click Next to set the policy.

    Something Extra Really Cool

    One other thing. If you tick the box that says Require managing email profile, then what you’re saying is that if the user added their own email profile, that is not good enough for them to access resources. The reason it’s not good enough is that you DO NOT have the right to wipe a non-managed email profile on iOS or Android, and therefore you don’t have control over your organization’s email data.

    Ticking Require managing email profile does something really cool though. The user is prompted to remove the organizational email profile they added and, once that’s done, Office 365 will provision the email profile to the user’s device, making it managed!

    And all that [Email Provisioning] takes is just one check box!
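    To make the decision flow of the last few sections concrete (the organization-wide block for non-MDM-capable devices, the policy checks, Block versus Allow with reporting, and the managed email profile requirement), here is a small Python model of how such a Device Security Policy is evaluated. It is an added illustration, not code from Office 365 or this post; the field names, the policy defaults and the wording of the remediation email are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeviceState:
    """What the MDM service can observe about a device (constructed model).
    For a device that is not enrolled, only the first two fields are known."""
    mdm_capable: bool
    enrolled: bool
    encrypted: bool = False
    password_set: bool = False
    jailbroken_or_rooted: bool = False
    email_profile_managed: bool = False


@dataclass
class DeviceSecurityPolicy:
    """The settings discussed above. on_noncompliance is 'block' or 'allow';
    both options report the violation, only 'block' denies access."""
    require_encryption: bool = True
    require_password: bool = True
    block_jailbroken: bool = True
    require_managed_email_profile: bool = False
    on_noncompliance: str = "block"
    allow_non_mdm_capable: bool = False  # organization-wide device access setting


@dataclass
class AccessDecision:
    allowed: bool
    violations: List[str] = field(default_factory=list)
    reported: bool = False


def evaluate_access(device: DeviceState, policy: DeviceSecurityPolicy) -> AccessDecision:
    """Return the conditional access decision for one device under one policy."""
    # Organization-wide setting: devices that cannot be managed are handled first,
    # before any per-device policy is considered.
    if not device.mdm_capable:
        if policy.allow_non_mdm_capable:
            return AccessDecision(allowed=True)
        return AccessDecision(False, ["device does not support MDM enrollment"], True)

    violations: List[str] = []
    if not device.enrolled:
        # Nothing else can be verified (or wiped) on a device we do not manage.
        violations.append("device not enrolled")
    else:
        if policy.require_encryption and not device.encrypted:
            violations.append("device not encrypted")
        if policy.require_password and not device.password_set:
            violations.append("no device password set")
        if policy.block_jailbroken and device.jailbroken_or_rooted:
            violations.append("device jailbroken or rooted")
        if policy.require_managed_email_profile and not device.email_profile_managed:
            violations.append("email profile not managed by Office 365")

    if not violations:
        return AccessDecision(allowed=True)
    if policy.on_noncompliance == "block":
        return AccessDecision(False, violations, True)
    # "Allow access and report violation": access continues, violation is audited.
    return AccessDecision(True, violations, True)


def remediation_email(decision: AccessDecision) -> Optional[str]:
    """The single message a blocked user receives instead of their mail."""
    if decision.allowed:
        return None
    steps = "Install the Company Portal app from the store and enroll this device."
    return "Access blocked: " + "; ".join(decision.violations) + ". " + steps


if __name__ == "__main__":
    policy = DeviceSecurityPolicy(require_managed_email_profile=True)
    for label, dev in [
        ("unenrolled phone", DeviceState(mdm_capable=True, enrolled=False)),
        ("compliant phone", DeviceState(True, True, encrypted=True, password_set=True,
                                        email_profile_managed=True)),
        ("rooted phone", DeviceState(True, True, encrypted=True, password_set=True,
                                     jailbroken_or_rooted=True, email_profile_managed=True)),
    ]:
        d = evaluate_access(dev, policy)
        print(label, "->", "allowed" if d.allowed else "blocked", d.violations)
```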

    Finally, Deploy the Policy

    The very last thing you’ll do is deploy the policy. Just search for a security group that you want to deploy the policy to, select the group, click Add and Ok. Then you can go to a test device and try out the policy, add an organizational email account manually on the device and (if you selected the Block option for conditional access) you’ll receive an email telling you to enroll your device by getting the Company Portal app from the store.

    Perhaps you’d like to see this in action

    Corporate Vice President, Enterprise Client and Mobility at Microsoft, Brad Anderson and I took a look at this on the latest episode of the Endpoint Zone with Brad Anderson which you can watch below:

    This is cool, I want to try it out how do I do that?

    Firstly, if you have Office 365 you should check to see if MDM is available in your Admin portal yet. If it is, you’ll see it just like in the first step above. If it’s not, it’s coming: Office 365 MDM is rolling out now, but it’ll take us a few more weeks to reach every Office 365 tenant (there are so many!).

    If you don’t yet have Office 365 you can get a free trial, although the functionality might not be available there yet, but it should be before the trial expires.

    Finally, if you want to know even more, you should check out the free Microsoft Intune Jumpstart on Microsoft Virtual Academy next week, which is part of our Enterprise Mobility Core Skills Jumpstart series. Since it’s a series you can sign up for them all and watch them live, or binge on them as they become available on demand!

    * Airwatch Green Management Suite-Cloud as of 3/1/2015.
    The post Enable Office 365 Built-In MDM (Mobile Device Management) appeared first on Enterprise Devices + Infrastructure.

  • Endpoint Zone Episode 7: Office 365 Mobile Device Management

    This week I had the opportunity to catch up with Brad Anderson, CVP Enterprise Client and Mobility at Microsoft, as I usually do to film the Endpoint Zone. On this month’s episode we take a look at, and walk through, the new Office 365 MDM features, including showing you how to enroll a device, set policy and selectively wipe the device: game-changing stuff that normally requires you to buy a separate MDM solution!

    Take a look:

    The post Endpoint Zone Episode 7: Office 365 Mobile Device Management appeared first on Enterprise Devices + Infrastructure.

  • FAQ ME! Answering Questions from the Azure AD Core Skills Jumpstart

    Last week I ran the Azure AD Core Skills Jumpstart on Microsoft Virtual Academy and, as always, there were lots of questions from the audience. I thought I’d take all the questions that I could find in the questions queue, dump them to a file and compile an FAQ for you to peruse. Useful whether or not you got your question answered.

    Once on-prem AD is synced to Azure AD, do the user accounts on Azure still authenticate with or do they authenticate with their on-premises AD account to other azure based servers/apps?

    This is a really great question and the answer is they can use whatever you set up for them; here are some options:

    • If you want the user to continue to use then that will work: you can set up Azure AD Sync and effectively use it to provision the accounts into Azure AD. You could choose to enable Password (hash) sync too, although I’m not quite sure why you would. You’d probably only stay in this configuration for a short time.
    • Once you verify your DNS name com then you can add that UPN to your on-premises AD DS and configure user accounts to use that UPN. The users can then sign in to Azure AD using their account. If you configure Password (hash) sync then they can use the same password as they would use on-premises, and they can also use the UPN to log on to their PCs instead of contoso\user.
    • For some services – mainly those not in the browser or where the home realm is known (i.e. we know you’re calling from Contoso) – you can also use contoso\user.

    Azure AD Answers

    What’s the difference between on-premises AD and Azure AD?

    This is a kind of long and difficult question to answer. I’ll keep it under a paragraph, but you should read more on TechNet around this if you want to go deeper.

    Azure AD is designed for a mobile world; as such it is globally available by default and isn’t based on you building your own domain controllers. It’s built to deal with hyper-scale (really large) and handles about 18bn auths per week. Azure AD can be used for OAuth 2.0 apps, which is basically how the modern web does authentication. We designed Azure AD to federate and connect with thousands of applications, prime among them Office 365, Microsoft Intune and Azure itself. That gives us a huge amount of telemetry about how people use the service that the developers can act upon.

    Contrast this with on-premises, where you design and build the infrastructure. Apps interact with AD DS either natively or via LDAP queries. You hand crank every federation and connection (and we know that many people don’t) and the data on how you use AD DS often doesn’t reach our engineers.

    There are other, huge differences, but in a couple of lines that’s a starter. There is also this MSDN article you can check out.

    Can I have Azure AD on premises?

    This question is much easier: No.

    However, you do have some components on-premises. Azure AD Sync synchronizes users from on-premises AD to Azure AD. Active Directory Federation Services (AD FS) keeps authentication on-prem and features such as Azure AD Application Proxy rely on an on-premises connector to enable reverse proxy.

    Can PCs join the Azure domain without an existing AD sync to an on-premises domain?

    No. It’s not possible to domain join a Windows PC to Azure AD today without on-prem domain controllers and computer accounts aren’t synchronized to Azure AD. In the future, you will be able to log into Windows 10 with an Azure AD user. Today, it is possible to “workplace join” a device to Azure AD thus creating an identity for the device against the joining user account. This is useful for conditional access uses, such as preventing mail flow to unregistered devices.

    Are the reports only available with Premium Azure AD?

    Azure AD Premium includes some extra, premium reports that add capabilities to your IT admin arsenal. I consider some of them “big data for IT admins”. There are some other useful reports too, and you can find a full breakdown by reading this MSDN library article on what they all do. However, here’s a quick list of the premium reports if you need them:

    • Sign ins from IP addresses with suspicious activity
    • Irregular sign in activity
    • Sign ins from possibly infected devices
    • Users with anomalous sign in activity
    • Application usage: summary
    • Application usage: detailed
    • Devices
    • Groups activity report
    • Password reset registration activity report
    • Password reset activity

    Scenario: Two different forests, DirSync & AD FS on one forest (A). I want to sync the user objects of both forests, and authentication has to use forest A. Will this method work?

    Check out my earlier post on Setting up a strong identity management solution.

    How does AD FS work with Smart Card authentication?

    Jen Field, one of the Program Managers in the Identity team at Microsoft, has a great blog post on exactly that: External authentication providers in AD FS in Windows Server 2012 R2: Overview.

    Scenario: We have our on-premises domain controllers with a domain (let’s say NLCOMPANY.LOCAL) and our Azure Active Directory with another domain, let’s say COMPANY.NL. We would like to implement Azure sync between on-premises and Azure Active Directory, but we would like the domain existing in Azure, COMPANY.NL, to be the domain used to log on to the company laptops. Does it mean we should create an AD on-premises with the same COMPANY.NL domain, or can we do it another way, keeping our NLCOMPANY.local domain?

    This is actually a pretty common thing to need to do, so the answer is pretty easy. First authorize the domain in Azure AD. Then add the new UPN suffix to on-prem AD DS and assign specific users that UPN in their account. From this point forward they can log on as nlcompany\user or with their new UPN; they won’t be able to use the nlcompany.local suffix any further, but you can add it as an extra attribute if it needs to be referenced by other apps and then point the other apps at the new attribute.
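    The on-prem half of that procedure (add the suffix to the forest, move a pilot set of users onto it, then check who is left on the old suffix) looks like this in PowerShell. This is an added example, not code from the original post; it assumes the forest is nlcompany.local, that company.nl has already been authorized in Azure AD, that the users to move are members of a hypothetical group named AzureAD-Pilot, and that the ActiveDirectory RSAT module is available with rights to modify the forest and those accounts.

```powershell
# Added example (not from the original post): register a routable UPN suffix on
# the on-prem forest and move a pilot group of users onto it.
# Assumptions: forest nlcompany.local, Azure AD domain company.nl already
# authorized, hypothetical pilot group "AzureAD-Pilot", ActiveDirectory module.
Import-Module ActiveDirectory

$forest     = 'nlcompany.local'   # existing on-prem forest (from the scenario)
$newSuffix  = 'company.nl'        # domain already authorized in Azure AD
$pilotGroup = 'AzureAD-Pilot'     # hypothetical group naming the users to move

# 1. Register the new UPN suffix at the forest level. @{Add=...} leaves the
#    existing suffixes in place, and the check makes the step idempotent.
$current = (Get-ADForest -Identity $forest).UPNSuffixes
if ($current -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
}

# 2. Rewrite the UPN of each pilot user: keep the user part, swap the suffix.
#    sAMAccountName is untouched, so nlcompany\user keeps working.
$users = Get-ADGroupMember -Identity $pilotGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties UserPrincipalName

foreach ($u in $users) {
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
        Write-Warning "$($u.SamAccountName) has no UPN; skipping"
        continue
    }
    $prefix = $u.UserPrincipalName.Split('@')[0]
    $newUpn = "$prefix@$newSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        Write-Output "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    }
}

# 3. Verify: anyone still on the non-routable suffix will not get the
#    company.nl identity in Azure AD after the next sync cycle.
Get-ADUser -Filter 'UserPrincipalName -like "*@nlcompany.local"' |
    Select-Object SamAccountName, UserPrincipalName
```

    Run step 2 with `-WhatIf` on the `Set-ADUser` call first to see the planned changes without applying them, and keep the pilot group small until you have confirmed that sign-in to the synced services works with the new UPN.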

    Can we manage Azure AD exactly like we manage on-premises AD?

    It really depends upon how you’ve configured your synchronization. If you don’t have any synchronization then you’ll need to manage Azure AD through the web portal or through PowerShell. If you’re syncing then you can, and should, be managing your user accounts and their attributes from the on-prem AD DS. Even in a synced scenario, though, you will need to go to the management portal or use PowerShell to manage the parts of Azure AD that only exist there, such as reports.
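    One of the things you end up doing from PowerShell in a synced tenant is finding the accounts that were never written by sync, because those are the ones your on-prem AD DS review will never see. The check below is an added example, not code from the original post; it assumes the MSOnline module is installed and that you sign in with a tenant administrator account.

```powershell
# Added example (not from the original post): list Azure AD users that exist
# only in the cloud, i.e. were never written by directory synchronization and
# therefore cannot be managed from on-prem AD DS.
# Assumptions: MSOnline module installed, tenant admin credentials at hand.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

$allUsers = Get-MsolUser -All

# A synced user carries LastDirSyncTime (and an ImmutableId, the anchor that
# ties it to its on-prem object). Cloud-only users have no LastDirSyncTime.
$cloudOnly = $allUsers | Where-Object { -not $_.LastDirSyncTime }
$synced    = $allUsers | Where-Object { $_.LastDirSyncTime }

"Total: $($allUsers.Count)  synced: $($synced.Count)  cloud-only: $($cloudOnly.Count)"

# Report the cloud-only accounts together with the settings that live only in
# Azure AD: whether sign-in is blocked and whether per-user MFA is turned on
# (StrongAuthenticationRequirements is empty when it is not).
$cloudOnly |
    Select-Object UserPrincipalName,
                  DisplayName,
                  BlockCredential,
                  IsLicensed,
                  @{ n = 'MfaState'; e = { ($_.StrongAuthenticationRequirements | Select-Object -First 1).State } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

    Cloud-only accounts are not wrong in themselves (service accounts and the initial global administrator are normally cloud-only), but each one should be known and owned, because a password or MFA change made on-prem will never reach it.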

    Are there Group policies in Azure AD?

    No – but that doesn’t mean you can’t manage settings effectively. Let’s think back to where Group Policy came from: it was grounded in doing a better job of managing Windows than simply deploying registry settings through a script. Group Policies are still incredible at this and they will be around for this purpose for a long time to come. However, the types of devices that we use have changed and many of them aren’t Windows now. As such, the “group policy” engine for Azure AD is Microsoft Intune and its MDM capabilities.

    Is it possible to use MFA only when a user is trying to log in from a different country?

    Actually no, that’s not possible, and respectfully, I think that’s because the question isn’t very well scoped. Why would you only be worried about people potentially logging in from other countries? There are just as many, possibly more, risks with users logging on without MFA in their home country. What is possible is to specify IP ranges that are exempt from requiring MFA. I would deploy this in places where I have a good expectation around physical security – such as the HQ with a small army of security professionals with guns and badges. I’d probably also deploy this to my VPN address range so as not to overly annoy users with extraneous authentication.

    Another option, now in preview, is to enable MFA on a per app basis. So, for example, your users don’t need MFA to use the company intranet (published with Azure AD Application Proxy) but they do need it to use the customer information in SalesForce.

    If you are using SharePoint 2010 on-prem and want to use application proxy to use it from the outside, can you install the connector on one of your SP 2010 servers? What is the best practice for locating the connector?

    The best practice is to install it on another server that can talk to the SharePoint server. Given that the server can be virtual, that shouldn’t be overly hard to do, and because it’s talking over standard ports you can make your own, informed, decision over DMZ placement.

    Are the on-prem groups synced in AAD via sync?

    Currently groups and their membership are synchronized from on-prem to the cloud but write-back isn’t available.

    What mechanism determines if the device is potentially infected (from your logon attempts report)?

    We look for correlation with attempts to contact malware servers from the devices that users sign in from.

    Are there specific attributes required for the sync to be successful? (other than UPN)

    Yes, and the answer to this question depends upon which apps you are using that are dependent upon Azure AD. Luckily you don’t need to know exactly which attributes each app needs, although it is documented here, since the Azure AD Sync setup will do this for you.


    Resources, Next Steps

    Thank you very much for joining me for episode one of the Enterprise Mobility Core Skills Jumpstart Series. Next month, April 2014, we will be live again talking about the core skills you’ll need for Microsoft Intune. Register here.

    The post FAQ ME! Answering Questions from the Azure AD Core Skills Jumpstart appeared first on Enterprise Devices + Infrastructure.