Category: Microsoft
After Removing GPO, Intune Policies Not Applying
Part of our fleet remains Entra Hybrid Join (as computers are refreshed, they are Entra Joined instead). We apply Windows Security Baselines through both Group Policy and Intune. Recently, we evaluated the differences between the two baselines and determined they are nearly identical. Accordingly, we decided to disable GPO based security baselines for Entra Hybrid Joined devices and let Intune push security settings for the baseline instead.
Here’s the expected behavior:
Security baseline settings are set by both Intune and GPO. By default, GPO wins, so the Intune setting is not applied.
When the GPO settings are removed, at some point in the next 24 hours (I believe it happens every 8) all Intune policies are reapplied whether or not they have changed. With the GPOs gone, MDM policies that were once blocked by group policy are applied.
The end result: all security policies are applied, but most of them are coming from Intune (MDM) instead of from GPOs.
However, this is not what is happening. While Intune claims the security baseline has applied, the settings that were once overridden by GPOs never apply and the computer effectively has no security baseline.
Here’s what I’ve done to try to fix this:
Make a copy of the existing baseline with a new name and assign it to the computers, unassign the original baseline. This does not work. The policies claim to have applied, but never apply on the endpoint.
Change a single setting in the baseline hoping the change triggers the whole configuration reapplying. The endpoint only applies the changed setting; other settings in the baseline do not get applied.
Unassign the baseline entirely, wait for the computer to sync and reassign the baseline. This works, but is not a viable solution for a large fleet of computers. This would be fine if all of our computers were receiving GPO updates regularly, but they’re not (they are remote). This only works if the computer syncs one time while no settings are applied and again after the configurations are reassigned. We can’t negotiate the timing on this for our whole fleet of computers.
Apply the policy that makes MDM policies take precedence over GPOs. This did not work.
Here’s what we’re not willing to try (I’m preempting some of Microsoft’s usual boilerplate responses):
We will not reset the computers – there are too many for this to be a scalable solution.
We will not unjoin and rejoin the computers from MDM – there are too many for this to be a scalable solution.
While I’m tempted to open a support case with Microsoft, this has only ever been a time-consuming and frivolous process. I expect they would pass the ticket around and eventually apologize to me when they decide this is a support case I should actually pay for.
Why would MDM policies not apply even after the group policies that once conflicted with them have been removed? This is impacting all Entra Hybrid Joined computers, the vast majority of which are running the latest build of Windows 11 23H2. Some of these computers have sat for 48 hours in this state, so I don’t think this is something that will be resolved with time.
Any advice would be greatly appreciated!
Export data from Log Analytics Workspace to Storage Account
Hello community,
Could you please recommend a solution to migrate data from Log Analytics Workspace (1 table) to Storage Account?
There are about 70 million rows that should be exported.
The continuous export is not the solution here.
We were thinking about a Logic App but there is too much data.
How to connect Azure DevOps Pipelines Variables to Azure Key Vault?
Variable groups in Azure DevOps provide a centralized and reusable way to manage pipeline variables across multiple pipelines or stages within a pipeline.
Here are the key advantages of using variable groups:
Reuse variables across pipelines or stages, which reduces repetition and makes maintenance easier.
Update variable values in one place, which automatically applies the change to all pipelines or stages using that variable group. This makes maintenance simpler and less error-prone.
Keep variables consistent across pipelines, which avoids discrepancies that may happen when handling variables in each pipeline separately.
Advantages of storing credentials in Azure Key Vault:
Better Security: Azure Key Vault offers a secure and centralized way to store sensitive data. You can use Key Vault to keep sensitive information safe and hidden from the pipeline variables.
Access Management: Azure Key Vault lets you control access to stored variables, so you can set permissions for different users or applications.
While there are some limitations to consider, such as linked variables being less flexible to set from the pipeline and Key Vault values being fixed until they are changed in the vault, the benefits of migrating to Azure Key Vault generally outweigh these drawbacks.
Steps involved in migrating Azure DevOps Pipeline Variables to Azure Key Vault
Step 1: Create an Azure Key Vault in Azure Portal
Step 2: Create Secrets in Azure Key Vault
Step 3: Create a service connection in Azure DevOps
Step 4: Create Variable Groups in Azure DevOps
Provision access on the Azure Key Vault for the service principal (App ID).
Step 5: Link the Azure Key Vault to variable group by ensuring the appropriate permissions on the service connection
Step 6: Link your Variable Group to the Pipeline
Step-by-Step elaborate Guide: Migrating Azure DevOps Pipeline Variables to Azure Key Vault
Step 1: Create an Azure Key Vault
Select Go to resource when the deployment of your new resource is completed.
https://dev.azure.com/MSComAnalytics/DigitalStoresAnalytics/_wiki/wikis/DigitalStoresAnalytics.wiki/8379/keyvault-secret-tagging-checklist
You might face a problem while authorizing the Key Vault through a service connection. Here’s how you can resolve it:
Problem: During the authorization process, you may encounter an error indicating that the service connection lacks “list and get” permissions for the Key Vault.
Solution: Switch the permission model to access policies: open the Key Vault’s page in the Azure Portal, select “Access configuration,” switch to “Vault access policy” and apply. (RBAC will take care of it.)
Select the first option on the page shown below:
Step 2: Create Secrets in Azure Key Vault
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&source=recommendations&tabs=yaml%2Cbash
With the proper permissions in place, create the corresponding secrets within the Azure Key Vault. For each variable in the pipeline, create a secret in the Key Vault with the same name and the respective value.
Step 3: Create service connection in Azure DevOps
Create a service connection
Sign in to your Azure DevOps organization, and then navigate to your project.
Select Project settings > Service connections, and then select New service connection to create a new service connection.
Select Azure Resource Manager, and then select Next.
Select Service principal (manual), and then select Next.
Select Azure Cloud for Environment and Subscription for the Scope Level, then enter your Subscription Id and your Subscription Name.
Fill out the following fields with the information you obtained when creating the service principal, and then select Verify when you’re done:
Service Principal Id: Your service principal appId.
Service Principal key: Your service principal password.
Tenant ID: Your service principal tenant.
Once the verification has succeeded, provide a name and description (optional) for your service connection, and then check the Grant access permission to all pipelines checkbox.
Select Verify and save when you’re done.
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml
There are two ways to create the service connection:
Option 1: Let Azure DevOps create the app registration automatically. The display name matches the service connection, but the App ID is generated and differs from any existing one.
Option 2: Create the service principal first (create the App ID yourself), then use it in the service connection, so the same unique ID and name are used in both Azure DevOps and the Azure portal.
Step 4: Create Variable Groups in Azure DevOps (To link to Azure Key Vault in following steps)
Open Pipelines > Library, select the Variable groups tab and choose + Variable group.
Add variable group name and description
Select check box for ‘Allow access to pipelines’ and ‘Link secrets from AzKeyVault as variables’
Select Azure subscription
Link secrets from an Azure key vault
In the Variable groups page, enable Link secrets from an Azure key vault as variables. You’ll need an existing key vault containing your secrets.
To link your Azure Key Vault to the variable group, ensure that you have the appropriate permissions on the service connection. Service connections provide the necessary credentials to access resources like Azure Key Vault. Grant the necessary permissions by configuring the access policies in the Azure Key Vault settings.
Step 5: Link your Variable Group to the Pipeline
To utilize the migrated variables from Azure Key Vault, link the variable group to your pipeline:
Go to the Variables tab of your pipeline and add the variable group.
Once you link the variable group to your pipeline, it will look like this:
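The pipeline side of the last two steps, as an added example that is not part of the original guide: an Azure Pipelines YAML definition that consumes a Key Vault-linked variable group. The group name kv-linked-vars, the secret name DbPassword and the migration script path are assumptions made for illustration, not names from the guide.

```yaml
# Added example, not part of the original guide: a pipeline that reads
# secrets through a Key Vault-linked variable group (Steps 4 and 5).
# Assumed names: variable group "kv-linked-vars", Key Vault secret
# "DbPassword", and a repo script scripts/migrate-db.sh.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Each secret selected in the linked group becomes a pipeline variable
  # with the same name and is always treated as a secret variable.
  - group: kv-linked-vars
  # Ordinary, non-secret variables can sit alongside the group.
  - name: appEnvironment
    value: staging

steps:
  # Secret variables are not exposed to scripts as environment variables
  # automatically; map them explicitly under env so the script can use them.
  - bash: |
      set -euo pipefail
      if [ -z "${DB_PASSWORD:-}" ]; then
        echo "Secret DbPassword was not resolved from the variable group" >&2
        exit 1
      fi
      # The agent masks the secret in logs only when it appears verbatim,
      # so never echo it or write it to build artifacts.
      echo "Running migration against the ${APP_ENVIRONMENT} database"
      ./scripts/migrate-db.sh   # assumed script; reads DB_PASSWORD from env
    displayName: Run database migration
    env:
      DB_PASSWORD: $(DbPassword)
      APP_ENVIRONMENT: $(appEnvironment)
```

Because the group is linked to Key Vault, rotating the secret in the vault is enough: the next run picks up the new value without touching the pipeline, and the value never appears in the variable group itself. The explicit env mapping is the piece most often missed: a `$(DbPassword)` macro in the script text would also work, but mapping it to an environment variable keeps the secret out of the rendered command line.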
Entering Hanja (Korean) on Surface Laptop (Copilot+ PC) (US version)
Hello,
I bought the US version of the new Surface Laptop (Copilot+ PC) (13") last week. I regularly type in Korean and have just noticed that the new Copilot button has replaced the button next to the Right Alt key which is used to input Hanja on the Windows Korean keyboard. How do I do this now?
Thank you so much!
Best regards from New Orleans.
How do I complain to Paytm?
Paytm has a contact 06370-523079 (Available 24/7) form on their website (www. Paytm com) that allows you to submit inquiries, feedback, or requests. You can access this by navigating to the “Contact Us
Edit tables with ease in Word for the web
Hi, Microsoft 365 Insiders,
Great news for Word for the web users! We are excited to announce a new feature that makes editing tables even smoother. You can now quickly and easily modify tables to improve your document’s formatting and appearance — no cutting or pasting required! This update allows you to effortlessly edit your tables so you can focus on your content.
Check out our latest blog by Anushri Sahu, Product Designer, and Kirti Sahu, Product Manager, from the Word team: Edit tables with ease in Word for the web
Thanks!
Perry Sjogren
Microsoft 365 Insider Community Manager
Become a Microsoft 365 Insider and gain exclusive access to new features and help shape the future of Microsoft 365. Join Now: Windows | Mac | iOS | Android
Viva Amplify Roadmap Blog
As we continue to innovate and enhance Microsoft Viva, we’re excited to share a glimpse into the future of Viva Amplify. Our commitment to providing a centralized platform for orchestrating and managing campaigns and communications remains strong, and we’re thrilled to announce new features and capabilities that will roll out in the coming months. Some of these features are geared towards corporate communicators as well as empowering anyone who needs to communicate to their teams, projects and stakeholders. We have more coming for Frontline Managers also that we’ll share at a later date.
Accelerate Copilot adoption with pre-built campaigns
Last month, Amplify added the Copilot Deployment Kit which includes 8 pre-drafted communications to help organizations plan, communicate, and adopt Copilot. And now, to help with broader adoption of Copilot across the various Viva applications, we’re adding a new Viva for AI Transformation pre-built campaign to help corporate communicators and change management leaders with their AI transformation efforts by highlighting specific capabilities within each Viva module.
The Viva for AI Transformation campaign includes 10 pre-drafted communications and a campaign brief with objectives and key messages. Each communication can easily be edited, reviewed, and published to multiple channels—including SharePoint, Outlook, and Teams— highlighting the specific AI capabilities available in each Viva module and how employees and the organization can benefit from them.
Copilot in Viva Amplify Editor
We’re bringing the superpowers of Copilot directly into the Amplify editing experience to revolutionize the way you create and enhance content by providing writing assistance for all your communications. Simply click the Copilot icon for help with content, style, rewrites, and tone. Copilot in Viva Amplify will be available in preview soon.
The Auto rewrite option quickly brings good suggestions to you based on the text you’ve already entered. Or use it to pick specific enhancements like using more concise or expansive language.
Moreover, Copilot will help you adjust the tone of your content to ensure a consistent tone across all your content or make your messaging more coherent so it resonates better with different audience segments. With this capability, you will be able to adapt your content to various tones, whether you need a casual tone for social messages, an engaging tone to compel and draw in your audience or a professional tone for business communications.
Required Approvals
Like Lists and libraries, campaigns can contain sensitive information, such as marketing campaign budgets or human resources initiatives. The required approval feature brings compliance, accountability and workflows to Lightweight Approvals in Viva Amplify. By enabling required approval for a campaign, stakeholders can ensure that all campaign content and associated publications adhere to organizational standards and receive the necessary approval before publishing, thus minimizing risks and errors.
You can require approval at the campaign level so that all Viva Amplify publications within the campaign go through the approval process before the content is published. This is an optional setting that a user can choose to apply to a campaign. By requiring approval, organizations can apply a significant level of quality and security to their content, ensuring every piece of content aligns perfectly with their standards and expectations.
Required approval is targeted to be generally available in August 2024.
Campaign goals
Coming soon, you’ll be able to define the goals and objectives of a campaign within Viva Amplify and track progress against these goals using campaign goals. Goals establish a clear path for a campaign, guiding every action and decision, and providing benchmarks for measuring progress so you can achieve your campaign objective(s). In this coming release, Viva Amplify will support goal tracking for the unique viewers metric integrated with analytics capabilities. When you set a campaign goal in the brief, it will be applied at the campaign level for all publications and published distribution channels. By setting specific targets, you can track progress and determine whether the campaign is meeting its goals for all distribution channels. Campaign goals empower you to make informed decisions and adjustments as needed throughout the campaign.
Copy a publication
Gone are the days where you must rewrite or manually copy and paste content from an old publication to a newly drafted one to reuse it. Soon in Viva Amplify, you will be able to copy a publication within an existing campaign with just a few clicks. This new feature streamlines the content creation process, enabling you to easily reuse existing content – across SharePoint, Outlook and Teams, including all channel specific customizations and related audiences – and saving you time and effort so you can be more efficient.
Switch quickly between content editing, channels and writing guidance
Coming soon, you will see the SharePoint content pane also available in Viva Amplify. The content pane serves as a convenient hub for various panes that support authors in crafting their publications. This centralized space now features a user-friendly toolbox that enables authors to easily explore and insert content for creating dynamic and captivating publications and incorporates other useful panes like configuration tools and design ideas. Additionally, and specific to Viva Amplify, it also hosts the distribution channel selection, writing guidance, and audience selection specific to the distribution channels. With this change we are also introducing the ability to add or remove channels directly from the distribution channel tabs.
Streamlined Authoring Experience in Teams and Outlook
Coming soon, we are rolling out updates to the editors for the Microsoft Outlook and Microsoft Teams distribution channels, to streamline previewing and editing. You will see the new editing experience when creating a new publication as part of a new or existing campaign and select to publish to Outlook and Teams. The new experience will enable you to customize the content for Outlook and Teams using a supported set of familiar web parts directly from the main drafting experience and improvements for loading content into the editor.
In addition to the changes to the canvas for preview and customization, you will be able to select the audience for the channel on the right side of the screen, independent from the editing canvas. You will continue to be able to switch between Preview and Customize and send test emails to verify how the published email is received in the different Outlook clients or is posted in Teams.
The streamlined authoring experience for Teams and Outlook channels will be rolling out in August and September.
Analytics
Reporting and analytics are a crucial piece of the Amplify value, and soon you’ll be able to go even deeper into engagement and capture new metrics. In the images below we’re showing designs because we want to illustrate the breadth of capabilities coming.
Let’s go deeper on how effective your campaigns and communications are with these new metrics and capabilities, including:
Audience Breakdown and organizational pivots – see engagement filtered by role, department, or other user information.
Campaign Brief Integration – Amplify Analytics provides visual feedback to campaign owners on progress measured against the goals set in the Campaign Brief.
Trend graphs and simpler layouts – visualize data over time with easy-to-read charts
Reactions – understand the social gestures of the reactions you’ve received on your publication and the entire campaign
Export to PowerPoint – you can already download the reports to CSV, and we’re making it quick to present your communication progress in slides
Click through rate – see the performance of links and read rates within your publications.
Dwell time – understand how long viewers are spending viewing your publications
Multi-value queries – select multiple Org metadata values, combined with endpoints, to create “and” queries that provide deeper context and understanding.
Viva Engage integration
Already in private preview, one of the most requested features is the ability to publish from Viva Amplify to Viva Engage communities and storylines. Analytics signals for Engage distribution are already included in our existing reports in private preview. We’re listening to preview customer feedback to improve the experience for the next version. Top requests such as support to publish as Articles in Engage and across multiple communities are already being looked at, and we appreciate getting your feedback on what is most important to you when publishing to Engage from Viva Amplify.
Looking Ahead
As we build upon the success of Viva Amplify, we’re eager to hear your feedback and involve you in shaping the future of our platform. Stay tuned for more updates and get ready to amplify your communications with Microsoft Viva.
Microsoft Tech Community – Latest Blogs
What’s new in Microsoft Intune July 2024
The days in my part of the world have been long and hot. Often my emails are met with out-of-office replies as my colleagues and friends are taking time to recharge outside of work. It reminds me of just how valuable time is—in regard to both productivity at work and intentionality about disconnecting and prioritizing other parts of life. Fortunately for us all, improvements to Microsoft Intune don’t take summer holidays—and I’m highlighting three new capabilities this week that will help IT admins and users alike to allocate less time to endpoint management and more time to their other priorities, like adding value in the enterprise or enjoying family and friends.
Use Copilot to help create Kusto queries for device query
In January this year, we announced a device query capability for Microsoft Intune Advanced Analytics that enables you to get near-real time access to data about the state and configuration of devices. Device queries are authored in the Kusto Query Language (KQL), which isn’t a skill all IT administrators have developed, but I’m pleased to announce that, thanks to Microsoft Copilot in Microsoft Intune, getting device information and context is becoming simpler. This new capability, now in public preview, lets administrators ask Copilot for device data. If the question can be answered with device query, Copilot will generate a KQL string that can be pasted into Intune Advanced Analytics to get the answer. This equips admins without comprehensive knowledge of KQL to get the data they need more quickly—and is an ideal example of how Copilot can and will continue to empower IT admins of all skill levels to perform advanced tasks with ease, thus improving the endpoint management experience.
You can find more about this new capability in the Copilot in Intune documentation.
Users can install macOS apps on demand via Intune
We’re proud of the advances we’ve made in macOS device management over the last year—especially how we’ve been able to address the requests from you. Our newest improvement introduces options admins can offer to users for downloading unmanaged applications (in PKG and DMG format) via the Intune Company Portal app. We have added the “available” assignment type alongside the familiar “required” type, so you won’t need to rely on the line-of-business app workflow or third-party tools to deploy optional applications. This is a time-saver for administrators and users alike, and it is one of the most requested features from Mac device administrators, so I am especially pleased to see this capability available. More information can be found in the documentation on unmanaged PKG apps and LOB DMG apps.
Windows 365 Cloud PC security baseline updates
Configuring security settings can be time consuming, and for those who aren’t experienced, it might be confusing. Security baselines are policy templates you deploy with Intune to establish Microsoft Security–recommended settings in just a few clicks, and we’re pleased to announce the first update to the Windows 365 security baseline. We recommend adopting this baseline to help protect against security threats. Because this baseline is built with new technology, you’ll also get:
Faster deployment of baseline version updates
Improved user interface and reporting experience (such as per-setting status reports)
More consistent naming across the Intune portal
Elimination of setting “tattooing”
Ability to use assignment filters for profiles
These baselines can be customized to meet your specific needs. In the case of this upgrade, you’ll need to manually update your customizations, if any, from the previous baseline. See Deploy security baselines for Windows 365 for more details.
Your input is vitally important to our continuous product development—let us know what features you want to see next through our feedback portal.
Stay up to date! Bookmark the Microsoft Intune Blog and follow us on LinkedIn or @MSIntune on X to continue the conversation.
Microsoft Tech Community – Latest Blogs –Read More
Skilling snack: Tools for creating accessible content
Are you familiar with the Windows accessibility tools that can help your information workers achieve more? Whatever content they create for your organization, you want it to be accessible to the largest audience possible. Let’s look at how Windows accessibility can serve the dual purpose of supporting your organization and the clients it serves. And if you have Copilot+ PCs, they’re built with accessibility in mind.
Time to learn: 86 – 120 minutes
WATCH
Co-designing for neurodiversity
In this recorded session, you’ll hear from leaders in the field about the importance of leveraging neurodiversity in your projects.
(41 mins)
Neurodiversity + Azure + AI Studio
LEARN
Learn the basics of web accessibility
When you’re designing a webpage, make sure you’re designing it for everybody. This module will show you the tools and skills you’ll need for accessible web design.
(15 mins)
Developers + Microsoft Edge
READ
Accessibility Insights for Windows
Learn about the Color Contrast Analyzer in Accessibility Insights for Windows. This tool makes it easy to ensure that contrast ratios are ideal for making text and graphics easier to perceive and read.
(time varies)
Accessibility Insights + Windows + Inclusive Design
READ + WATCH
Unlock new experiences on your Copilot+ PC
Discover what the latest enhancements to your workflow look like on Copilot+ PCs. If you create content, see AI-supported Cocreator and Photos in action. Turn on Live Captions with automatic translation into English. Look and sound better with built-in tools.
(30 mins)
Copilot+ PC + Live Captions + AI + Cocreator + Photos + Windows Studio Effects + Privacy
WATCH
Accessibility training for Microsoft 365
Watch this series of short videos to help ensure accessible content in Microsoft 365 apps.
(time varies)
Word + Outlook + PowerPoint + Excel + Accessibility
READ
Read about how Voice typing in Windows provides dictation capabilities that convert spoken word to text simply by selecting the Windows logo key + H wherever you want to start writing.
(time varies)
Windows + Voice typing + Accessibility
When you’re ready to take your accessibility skills to the next level, check out these snacks and additional resources:
Skilling snack: Accessibility in Windows 11
Skilling snack: Voice access in Windows
AMA: Supporting Accessibility with Windows 11
Tackling Tech video – Inside Windows 11 accessibility
Ability Summit 2024 – Watch highlights and on-demand videos about how AI can fuel accessibility innovation in Windows and beyond
LinkedIn course on digital accessibility
Hungry for more? Don’t miss our skilling snack library.
Be sure to come back every two weeks for fresh snacks and leave a comment below about what you’d like to learn next.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Publishing in Marketplace a solution with multiple sppkg packages
We have multiple packages, each package contains a set of webparts. They share a common library package.
We would like to submit a solution in marketplace which has two sppkg packages. One for the webparts, and one for the library components used by the webparts. We are not able to upload two sppkg packages while submitting the application to the Marketplace.
Are two sppkg packages allowed for submission? If not, then what is a workaround?
disconnect the other work or school accounts via Intune
Hi,
Our users are working on projects and need to access their emails. When they add their email to Outlook, they often do not select the “Sign in with this app only” option. This causes a conflict because the other MS account gets added to the “Work or School Account,” leading to issues with the Windows license. The license is supposed to be Enterprise instead of Pro, as we have Microsoft E3 licenses.
My question is, how can I disconnect the other work or school accounts via Intune, using PowerShell or another tool, to avoid having to communicate with all users to disconnect it manually?
Thank you for your assistance.
Best regards,
Issue with Creating an chat Invitation Links for External Users in Microsoft Teams
Hello,
I have a problem: we use Teams within my organization, and I am an administrator. I would like my users to be able to create a non-expiring invitation link that allows external users to open a Teams chat window with them.
There are two ways to do this, but neither works.
Creating the link manually: By using the following link and modifying the user’s email address, it opens Teams, but nothing happens:
https://teams.microsoft.com/l/chat/0/0?users=email address removed for privacy reasons
Automatically creating an invite link: Using the “Find and invite people” button in the “Chat” tab of the Teams interface. This interface does not appear in either the application or the web interface with the New Teams version. I tested with an external account using the classic web version of Teams, and this button is visible. I have read that others have the same problem with the New Teams version, but they are able to see it on the mobile app version.
I have checked the various admin interfaces:
https://admin.microsoft.com/Adminportal/Home#/homepage
https://entra.microsoft.com/#home
https://admin.teams.microsoft.com/
I found nothing. An external user with Teams can open a chat with users from my organization when they search via email in Teams. However, I would like to automate this, especially for external users who do not yet have Teams.
I feel that these problems appeared with the New Teams version. Any clues?
Best regards,
Alexis
Sharepoint Home Site.
Hi Everyone! I’m hoping someone can help me please.
I am trying to customise my SharePoint home page with an HTML page. I am looking to keep the SharePoint bar across the top but replace the widgets below with an HTML page with click areas.
I can add an iframe, but this doesn’t fill the page.
Example below of what I would like
I already have the HTML file with click locations created.
Hope someone can help.
Many Thanks
Error while identity verification
Hi, I’m trying to join a partner program, but while I’m trying to progress I am stuck on Identity verification.
When I click on the “Fix now” button, it redirects me to another page with the message: You need permission.
I have already read this document: Get verifiable credentials – Partner Center | Microsoft Learn but didn’t find anything.
Team Trend Assistance
Good morning!
I’m trying to figure out how to pull the most common trends for a specific team (not numbers). I’ve done this before (a long time ago), but I can’t remember the functions to use.
Microsoft Groups:Your request can’t be completed right now
Hi All,
A user cannot access her Groups in the Outlook online version and on the Desktop version. When she clicks on a group, she gets the error message: Your request can’t be completed right now. We also tried from the New Group website, and it is the same error. Can anyone help out?
Refresh data using Power Query’s From Folder connector in Excel for Mac
Hi, Microsoft 365 Insiders,
Great news for Excel for Mac users! We are happy to announce a new feature that makes your data management even smoother. You can now refresh data using Power Query’s From Folder connector in Excel for Mac. This update allows you to effortlessly keep your data current and organized. Check out our latest blog by Gal Zivoni, Product Manager on the Excel team: Refresh data using Power Query’s From Folder connector in Excel for Mac
Thanks!
Perry Sjogren
Microsoft 365 Insider Community Manager
Become a Microsoft 365 Insider and gain exclusive access to new features and help shape the future of Microsoft 365. Join Now: Windows | Mac | iOS | Android
SFTP enabled Storage Account Behind Nginx Reverse Proxy
I am trying to put SFTP enabled storage Account behind nginx proxy.
I tried with the below configuration in nginx.conf:

    stream {
        upstream backend {
            server <<storageAccount_private_ip>>:22;
        }
        server {
            listen 22;
            proxy_pass backend;
        }
    }

nginx service won’t restart as port 22 is already in use for SSH.
Can someone help me?
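The post’s stream block fails to bind because sshd already owns port 22 on the proxy host. The following is an added example, not the poster’s configuration: the same stream proxy, with nginx listening on a port sshd does not use. Port 2222 is an assumed value (any unused port works), the storage account placeholder is carried over from the post, and it assumes the stream module is loaded in this nginx build.

```nginx
# Added example (not the poster's config): nginx stream proxy in front of an
# SFTP-enabled Azure Storage account.
# Assumptions: 2222 is free on this host (chosen here; any unused port works),
# sshd keeps port 22, and ngx_stream_module is loaded (distro builds usually
# load it via load_module or a modules-enabled snippet).
# "stream {}" is a top-level context, a sibling of "http {}", not inside it.
stream {
    upstream sftp_backend {
        # Private IP of the storage account's endpoint (placeholder from the post)
        server <<storageAccount_private_ip>>:22;
    }

    server {
        # Bind a port sshd does not own, so nginx can start alongside SSH
        listen 2222;
        proxy_pass sftp_backend;

        # Bound how long a connect and an idle session may take
        proxy_connect_timeout 10s;
        proxy_timeout 10m;
    }
}
```

Validate with `nginx -t` before reloading, open 2222 on the host firewall and the NSG in front of the proxy, and have clients connect with `sftp -P 2222 <user>@<proxy-host>`; the host key they see is the storage account’s, since nginx only relays the TCP stream. If clients must keep using port 22, the alternative is to move sshd itself to another port (the `Port` directive in sshd_config) and leave `listen 22` in the stream block, but then be sure your own management access is reachable on the new port before restarting sshd.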
Elevate search operations and streamline AI development with Cohere Rerank on Azure AI
At Microsoft Build, we announced the availability of Command R models on Azure AI. Today, we are very excited to announce the addition of two new models from Cohere:
Cohere Rerank 3 – Multilingual
Cohere Rerank 3 is considered a leading AI model for semantic reranking in search systems. These models are available as serverless APIs with pay-as-you-go token-based billing. Accessing Cohere’s enterprise-ready language models on Azure AI’s robust infrastructure enables businesses to seamlessly, reliably, and safely incorporate cutting-edge semantic search technology into their applications.
This integration allows users to leverage the flexibility and scalability of Azure AI, combined with Cohere’s language models, to deliver superior search results in production. Using Azure’s AI model catalog, and with just a few lines of code, developers can implement Rerank 3 to enhance their existing search systems.
According to Cohere, Rerank 3 offers state-of-the-art capabilities for enterprise search, including:
4k context length to significantly improve search quality for longer documents
Ability to search over multi-aspect and semi-structured data like emails, invoices, JSON documents, code, and tables
Multilingual coverage of 100+ languages
Improved latency and lower total cost of ownership (TCO)
How Customers Can Enhance Search with Rerank
Rerank models (compatible with 100+ languages) serve two primary purposes:
They can be added to existing search systems after an initial dense retrieval stage to improve the relevancy of results, or
they can be added to retrieval-augmented generation (RAG) systems to increase the relevancy of documents being passed to the generative model (and therefore reduce operating costs).
Atomicwork, a digital workplace experience platform and longtime Azure customer, has significantly enhanced its IT service management platform with Rerank 3. By integrating the model into their AI digital assistant, Atom AI, Atomicwork saw over 20% in improved search accuracy and relevance, providing faster, more precise answers to complex IT support queries. This integration has streamlined IT operations and boosted productivity across the enterprise.
“The driving force behind Atomicwork’s digital workplace experience solution is Cohere’s Rerank model and Azure AI Studio, which powers Atom AI, our digital assistant, with the precision and performance required to deliver real-world results. This strategic collaboration underscores our commitment to providing businesses with advanced, secure, and reliable enterprise AI capabilities,” said Vijay Rayapati, CEO of Atomicwork.
TD Bank Group, one of the largest banks in North America, recently signed an agreement with Cohere to explore its full suite of large language models (LLMs), including Rerank 3.
“At TD, we’ve seen the transformative potential of AI to deliver more personalized and intuitive experiences for our customers, colleagues and communities,” said Kirsti Racine, VP, AI Technology Lead, TD. “We’re excited to be working alongside Cohere to explore how its language models perform on Microsoft Azure to help support our innovation journey at the Bank.”
Enterprises of any size and in any industry can leverage Rerank to enhance their search capabilities across countless scenarios, including:
Legacy search improvement: Improve results from legacy lexical or semantic tools
Customer support search: Enable self-serve across complex customer support docs
Multilingual search: Understand meaning and relevance across over 100 languages
RAG: Retrieve most relevant answers across heterogenous enterprise data sources
Command R+, Cohere’s flagship generative model which is also available on Azure AI, is purpose-built to work well with Rerank within a RAG system. Together, they are capable of serving the most demanding enterprise workloads in production.
Boosting Search Quality for 100+ Languages with a Single Line of Code
Established keyword-based search systems are deeply ingrained within a company’s information architecture, and switching to a vector database for embedding-based search is often impractical. This is where Cohere Rerank can help, providing a seamless bridge between traditional keyword-based search and the power of semantic search.
Accessible through Azure AI Studio’s Cohere Rerank endpoint, our model computes a relevance score for a set of text documents compared to a given user query. This approach consistently yields superior search results, especially for complex and domain-specific queries, compared to traditional embedding-based semantic search.
Why Azure AI for Cohere Rerank models?
Cohere Rerank models are now available as serverless APIs through Models as a Service (MaaS), which is now Generally Available. This enables enterprise-scale workloads with ease.
Network Isolation for Inferencing: Protect your data from public network access.
Expanded Regional Availability: Access from multiple regions.
Data Privacy and Security: Robust measures to ensure data protection.
Quick Endpoint Provisioning: Set up a rerank endpoint in AI Studio in seconds.
Azure AI ensures seamless integration, enhanced security, and rapid deployment for your AI needs.
How to deploy Cohere Rerank 3 models on Azure AI studio?
Prerequisites:
If you don’t have an Azure subscription, get one here: https://azure.microsoft.com/en-us/pricing/purchase-options/pay-as-you-go
Familiarize yourself with Azure AI Model Catalog
Create an Azure AI Studio hub and project. Make sure you pick East US, West US3, South Central US, West US, North Central US, East US 2 or Sweden Central as the Azure region for the hub.
Create a deployment to obtain the inference API and key:
Open the model card in the model catalog on Azure AI Studio.
Click on Deploy and select the Pay-as-you-go option.
Subscribe to the Marketplace offer and deploy. You can also review the API pricing at this step.
You should land on the deployment page that shows you the API and key in less than a minute.
These steps are outlined in detail in the product documentation.
Please check some samples to get started – LangChain, Web Requests, Cohere Client
FAQ
What does it cost to use Cohere Rerank on Azure?
You are billed based on the number of prompt and completions tokens. You can review the pricing on the Cohere offer in the Azure Marketplace offer details tab when deploying the model. You can also find the pricing on the Azure Marketplace.
Are the Cohere models region specific on Azure?
Command R/R+/Embed/Rerank models are available as serverless API endpoints.
These endpoints can be created in Azure AI Studio projects or Azure Machine Learning workspaces. Cross-regional support for these endpoints is available in the following regions in the US: East US, East US 2, West US3, South Central US, West US, North Central US, Sweden Central
Do I require GPU capacity quota in my Azure subscription to deploy Cohere Rerank models?
Cohere models are available through MaaS as serverless API endpoints. You don’t require GPU capacity quota in your Azure subscription to deploy these models.
Cohere models are listed on the Azure Marketplace. Can I purchase and use these models directly from Azure Marketplace?
Azure Marketplace is our foundation for commercial transactions for models built on or built for Azure. The Azure Marketplace enables the purchasing and billing of Mistral models. However, model discoverability occurs in both Azure Marketplace and the Azure AI model catalog. Meaning you can search and find Cohere models in both the Azure Marketplace and Azure AI Model Catalog.
If you search for Cohere Rerank 3 in Azure Marketplace, you can subscribe to the offer before being redirected to the Azure AI Model Catalog in Azure AI Studio where you can complete subscribing and can deploy the model.
If you search for Cohere Rerank 3 in the Azure AI Model Catalog, you can subscribe and deploy the model from the Azure AI Model Catalog without starting from the Azure Marketplace. The Azure Marketplace still tracks the underlying commerce flow.
Given that Cohere models are billed through the Azure Marketplace, does it retire my Azure consumption commitment (aka MACC)?
Yes, Cohere models are “Azure benefit eligible” Marketplace offers, which indicates MACC eligibility. Learn more about MACC here: https://learn.microsoft.com/en-us/marketplace/azure-consumption-commitment-benefit
Is my inference data shared with Cohere?
No, Microsoft does not share the content of any inference request or response data with any model provider.
Microsoft acts as the data processor for prompts and outputs sent to and generated by a model deployed for pay-as-you-go inferencing (MaaS). Microsoft doesn’t share these prompts and outputs with the model provider, and Microsoft doesn’t use these prompts and outputs to train or improve Microsoft’s, the model providers, or any third party’s models. Read more on data, security and privacy for Models-as-a-Service.
Are there rate limits for the Cohere models on Azure?
Cohere models come with 400 K tokens per minute and 1 K requests per minute limit. Reach out to Azure customer support if this doesn’t suffice.
Can I use MaaS models in any Azure subscription types?
Customers can use MaaS models in all Azure subscription types with a valid payment method, except for the CSP (Cloud Solution Provider) program. Free or trial Azure subscriptions are not supported.
New Microsoft Entra Suite
Get a unified solution for secure access management, identity verification, and Zero Trust security for cloud and on-premises resources. The new Microsoft Entra suite integrates five capabilities: Private Access, Internet Access, ID Protection, ID Governance, and Face Check in Verified ID Premium, included with Microsoft Entra Suite. With these, you can streamline user onboarding, enhance security with automated workflows, and protect against threats using Conditional Access policies. See how to reduce security gaps, block lateral attacks, and replace legacy VPNs, ensuring efficient and secure access to necessary resources.
Jarred Boone, Identity Security Senior Product Manager, shares how to experience advanced security and management with Microsoft Entra Suite.
Get a unified experience.
Secure access for any employee, from anywhere, to any app, AI, or resource. Get started with the Microsoft Entra Suite.
Streamline the onboarding process.
Verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. See the new Microsoft Entra Suite.
Establish policies to dynamically adjust.
Improve the hybrid workforce experience with seamless access to any resource. Check out the new Microsoft Entra Suite.
Check out our video here:
QUICK LINKS:
00:00 — Unified solution with Microsoft Entra Suite
00:38 — Microsoft Entra Private Access
01:39 — Microsoft Entra Internet Access
02:42 — Microsoft Entra ID Protection
03:31 — Microsoft Entra ID Governance
04:18 — Face Check in Verified ID Premium, included with Microsoft Entra Suite
04:52 — How core capabilities work with onboarding process
06:08 — Protect access to resources
07:22 — Control access to internet endpoints
08:05 — Establish policies to dynamically adjust
08:45 — Wrap up
Link References
Try it out at https://entra.microsoft.com
Watch our related deep dives at https://aka.ms/EntraSuitePlaylist
Check out https://aka.ms/EntraSuiteDocs
Unfamiliar with Microsoft Mechanics?
As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast
Keep getting this insider knowledge, join us on social:
Follow us on Twitter: https://twitter.com/MSFTMechanics
Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics
Video Transcript:
-The new Microsoft Entra Suite goes beyond what you may have today to advance secure access management, protect and verify any identity, and enforce a Zero Trust security approach for your cloud and on-premises resources. In fact, if you’re using multiple siloed tools to do this today, integration gaps can increase your security exposure.
-Whereas Microsoft Entra Suite provides a unified solution to strengthen your security posture, by providing you with five key capabilities. Private Access, Internet Access, ID Protection, ID Governance, and Face Check with Verified ID. These work with your existing processes, and I’ll first explain how each works, and demonstrate them in action. Starting with Microsoft Entra Private Access.
-This capability is designed to improve protections for on-premises apps and resources without any code changes. It works together with Conditional Access policies so that as resources are being accessed, Private Access uses identity, device, and application signals to assess risk in real-time. And it will then apply additional network conditions to increase access protections to any app resource, including file shares or on-premises servers.
-This identity-centric Zero Trust network access approach goes beyond what you can do today with traditional VPNs. In fact, it helps block lateral attack movement, reduces the risk of over-permissioning, and replaces legacy VPNs. And it works by using a locally installed global secure access agent on your user’s managed device.
-Then in your local network, you’ll install a private network connector as an agent to handle traffic, which only uses outbound connections. And these work together to securely establish the connection between the user and the private resource.
-Second, Microsoft Entra Internet Access is designed to prevent end user access to unsafe and non-compliant content. To keep your users and devices safe from internet threats, here we protect them against malicious traffic using cloud delivered network security controls. Including web content filtering, based off Microsoft maintained categories, as well as endpoints that you can define as an admin.
-And soon we’ll add threat intelligence filtering to also protect against continuously evolving known threats. This also provides fast and seamless access through a globally distributed secure network edge, and private WAN to optimize traffic routing to internet destinations.
-And importantly, it extends Conditional Access adaptive controls to internet security, where each access attempt is assessed in real-time across identity, device, location, and risk signals to protect any internet destination. This way, you now have a single policy engine across cloud apps and internet endpoints. And both Internet Access, as well as Private Access, have a deep integration with ID Protection and ID Governance to automate what’s in scope, which we’ll cover next.
-In fact, our third capability, Microsoft Entra ID Protection, provides foundational risk-based Conditional Access and multi-factor authentication services for detecting and remediating identity risks. Machine learning is used to identify compromised or malicious user accounts, and automates action to mitigate these threats.
-Using Conditional Access adaptive controls, you can ensure users and devices meet predefined conditions prior to granting access to any resource. Conditional Access assesses sign-in risks to look for anomalous single events.
-And user risk assesses sign-in trends over time to determine if an account has potentially been compromised. And with token protection, tokens are bound to the issued device, which means if stolen, they cannot be replayed on another device. ID Protection also works with hybrid identities when you integrate it with your on-premises Active Directory Services.
-Then our fourth capability, Microsoft Entra ID Governance, lets you balance security and productivity by ensuring that the right people have the right access to the right resources for the right amount of time. For example, for everyday users, you can ensure just enough access is granted so that users can only access what they need, and nothing more, to get their jobs done.
-Also, identity lifecycle management in Microsoft Entra lets you use workflow automation for provisioning your managed apps, data, and services, even those on premise. And you can couple that with additional steps, like procurement of computer hardware and more. And this is done together with entitlement management to select just the right resources and apps to prevent over-permissioning.
-Equally, the same lifecycle automation lets you grant access to people as they change roles, or remove access as employees leave your organization. Which brings us to our fifth capability, Face Check with Verified ID.
-This works together with ID Protection and ID Governance controls to accelerate and protect user onboarding. It’s a part of the Verified ID platform in Microsoft Entra. As a decentralized identity solution, it lets users verify credentials together with those from third party issuers, and prove they are who they say they are, without manual checks.
-Along with your government issued ID, face check with the Authenticator app can use the local device camera as a live motion image feed to ensure the person presenting that verified ID is in fact who they claim to be. So now that I’ve explained the five core capabilities of Microsoft Entra Suite, let me demonstrate them working together in action across everyday connected scenarios.
-Let’s start with the user onboarding process after the initial setup. In this example, our user account is only provisioned in our HR app, Workday. If we look at the user profile in Microsoft Entra, we can see all the attributes were automatically mapped from Workday, including the user’s hire date.
-The problem is that even though the account is in the directory service, the user does not yet have access to all resources needed to do their job. And this is where you can use lifecycle workflows as a part of ID Governance. Based on user attributes, like their department and location, I’ve created a simple automated workflow here.
-First, it will send a welcome email. Then the next task automatically assigns the user to the right group with the right software licenses, access to required on-premises and cloud-based apps, and permission to sites in SharePoint. And even controls to govern access to internet endpoints.
-Finally, this custom task extension works with our ticketing system to procure the required computer hardware for this role. Workflows like these automatically detect accounts with matching conditions to automate defined tasks, saving you and your users time while right sizing and securing access to both cloud-based and on-premises apps and resources.
-In fact, with accounts onboarded and access to resources assigned, let’s move on to how Microsoft Entra Suite protects access to resources, first on your private network. Here, I’m on an enrolled device with the Global Secure Access client installed. I’ll paste the legacy on-premises hosted app address into my browser.
-And as you might expect, I can reach the site seamlessly, because this is a trusted device, I’m a trusted user, and I’m in a trusted sign-in location on a trusted internal Wi-Fi network. This time, I’ll show you how this works on the same device, except using a different Wi-Fi network. I’ll change my connection in settings to Fourth Coffee Free Wifi, then move back to the browser.
-When I paste in the URL for the app we saw before, Conditional Access recognizes the change of network location, and determines that there is additional risk with an untrusted network, asking me to re-authenticate. In this case, the policy is configured to allow me to prove my identity using passwordless authentication.
-Then I get access to the private app. Beyond internally hosted apps, this also works for accessing other on-premises resources, like domain-joined virtual machines running on local servers, or accessing on-premises file shares protected using Kerberos authentication.
-And both of these even work from non-domain-joined devices, and without a VPN. Additionally, Microsoft Entra Internet Access combines multiple Microsoft Entra Suite capabilities as you control access to internet endpoints.
-As an admin, you can create web content filtering policies for web categories and FQDNs. For example, you can block social networking like X, but allow professional networking sites like LinkedIn. This works with your Conditional Access policies as you scope users or groups, and optionally define exclusions.
-Importantly, these policies also work hand in hand with ID Governance, so that you can automate who is added or removed from policy scope as they enter, move within, or leave the organization. So for a user in scope for this policy, access to X in our case will be blocked, but if they go to LinkedIn, you’ll see that it’s allowed.
-Additionally, you can establish policies that dynamically adjust based on changing risk levels, which is a lot smarter than firewall rules that you may have traditionally set. In the Conditional Access policy, an identity flagged with high user risk usually indicates that the account has been compromised.
-Over time, they may have performed multiple risky activities, such as suspicious API calls or sending patterns. If you pair this condition with web filtering controls, like limiting access to web repository and storage sites, once an identity in scope for the policy is flagged with high user risk, you can block the user account from accessing those sites.
-And access will automatically get restored when the user risk signal changes and drops below a certain level. So that’s how Microsoft Entra Suite goes beyond what you may have today to unify and advance secure access management, protect and verify any identity, and enforce a Zero Trust security approach for your cloud and on-premises resources.
-Try it out today at entra.microsoft.com, and watch our related deep dives at ak.ms/EntraSuitePlaylist. Also, to learn more, check out ak.ms/EntraSuiteDocs. Subscribe to Microsoft Mechanics for the latest tech updates, and thanks for watching.