Simplify management of apps & devices

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Microsoft Intune &#8211; Enterprise Mobility and Security Blog</title> <atom:link href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune" rel="self" type="application/rss+xml" /> <link>https://blogs.technet.microsoft.com/enterprisemobility</link> <description>The most recent news and updates about Microsoft’s Enterprise Mobility offerings and events for enterprise technology professionals and developers.</description> <lastBuildDate>Thu, 04 May 2017 22:00:15 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item> <title>Updates to Microsoft Intune on Microsoft Azure</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/#comments</comments> <pubDate>Wed, 19 Apr 2017 16:00:36 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=50805</guid> <description><![CDATA[Empowering not only your employees, but also you to be more productive is one of the main goals for us.]]></description> <content:encoded><![CDATA[<p><em>This post is authored by Simon May, Principal Program Manager, Intune CXP.</em></p>&#10;<p>Empowering not only your employees, but also you to be more productive is one of the main goals for us. Ability to manage your mobility ecosystem from virtually any device and any browser, managing increasingly larger numbers of devices and apps, a modern micro-services cloud architecture, enterprise-grade APIs, reporting and automation support, unified admins experience for all of Enterprise Mobility + Security (EMS), and Role Based Access Controls (RBAC). These are all things that thousands of our customers have been asking us for. We are now delivering it to you.</p>&#10;<p>&nbsp;</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/04/One-console.-One-set-of-APIs.-Limitless-possibilities.png"><img width="863" height="558" title="One console. One set of APIs. Limitless possibilities." class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border-width: 0px" alt="One console. One set of APIs. Limitless possibilities." src="https://msdnshared.blob.core.windows.net/media/2017/04/One-console.-One-set-of-APIs.-Limitless-possibilities._thumb.png" border="0" /></a></p>&#10;<p>&nbsp;</p>&#10;<p>More than half of Intune tenants have been already migrated to our new Azure micro-services based infrastructure, delivering the experiences described above. Our team is working diligently to migrate the remaining customers, taking the utmost care as they do.</p>&#10;<h2>Streamlined management of core EMS workflows across Azure AD and Intune</h2>&#10;<p>Personally, I find <a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">Conditional Access</a> to be one of the most amazing features of EMS. We are continually told by our customers how good our access management experience is architecturally and practically. End users like the guided route to compliance, and IT can trust that the right users are granted or denied access based upon a combination of device, network location, risk, and other factors. We heard from many customers that it is not optimal to manage access, and thus risk, to company data from multiple places, the Azure AD console and the Intune Silverlight console.</p>&#10;<p>We listened and significantly improved the experience.</p>&#10;<p>Theres now a single experience in the Azure portal to express how I want to govern the level of risk that Ill accept granularly. I can require devices I trust coming from networks trust dont to need MFA, while not requiring MFA from devices I trust on networks I trust.</p>&#10;<h2>Harness the Microsoft Graph for simplicity, automation, and integration</h2>&#10;<p>Weve had phenomenal feedback from early adopters about the work that our team has done with the <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Microsoft Graph API</a>. Now a single API spans Office 365, Azure AD, Intune, and other Microsoft cloud services. You can leverage this API for complex reporting through <a href="https://powerbi.microsoft.com/">PowerBI</a> and other big data or analytics services to build custom dashboards for your business. IT admins are always looking for ways to save time and automate repetitive admin tasks. The Microsoft Graph API enables you to do just that.</p>&#10;<h2>Manage devices, users and groups with nearly unlimited scale</h2>&#10;<p>Following your tenants migration, Intune will use groups in Azure AD for user and device management and to apply policy. This reduces admin overhead since groups dont need to be built in two places. For example if you have an <strong>Engineering </strong>group in Azure AD that you use to assign SaaS apps in Azure AD and use to configure access to a SharePoint site, you can now use that exact same group to apply policy to your devices and apps in Intune. Not only that but you now have the power of <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups">Dynamic groups</a> in Azure AD at your disposal to create groups based on simple or even complex queries of device and user information.</p>&#10;<p>Of course, your company could well have more than one IT admin and the level of experience and, lets face it trust, you put in those admins differs. Now you have granular Role Based Access Control that lets you enable or disable administrative capabilities depending upon the role a person has. One company Im working with allows their <strong>Help desk</strong> staff to lock a users device, but they dont want that employee to be able to do something destructive wipe the device. For that only a <strong>Help desk manager</strong> can initiate the request.</p>&#10;<p>There is a huge amount of information to unpack and understand for your organization. To help you out, Craig Marl, Principal Program Manager and I took to Microsoft Mechanics, where Im asking the kinds of questions you might ask to understand more; Craig has the answers. Of course, if you have more questions, just ask below or you can ask me on twitter <a href="https://twitter.com/simonster">@simonster</a>.</p>&#10;<div class="video-container"><iframe width="500" height="281" src="https://www.youtube.com/embed/FpkCI6xmsE4?feature=oembed" frameborder="0" allowfullscreen></iframe></div>&#10;<p>&nbsp;</p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/04/19/updates-to-microsoft-intune-on-microsoft-azure/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item> <title>New EMS + Skycure integration helps ensure devices are risk free before accessing corporate resources</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/27/new-ems-skycure-integration-helps-ensure-devices-are-risk-free-before-accessing-corporate-resources/</link> <pubDate>Mon, 27 Mar 2017 15:00:45 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49385</guid> <description><![CDATA[Today were thrilled to announce the general availability of our integration with Skycure, a leader in the mobile threat defense space. ]]></description> <content:encoded><![CDATA[<p>Today were thrilled to announce the general availability of our integration with <a href="https://www.skycure.com/">Skycure</a>, a leader in the mobile threat defense space. The integration between Skycure and Microsoft Enterprise Mobility + Security gives organizations more confidence that devices are risk-free and secure before users access corporate resources.</p>&#10;<p>Mobile devices can be susceptible to sophisticated threats under the guise of seemingly harmless scenarios that end users execute on their devices. For example, connecting to a coffee shop Wi-Fi access point could open the users device to a man-in-the-middle attack. Installing a seemingly harmless app could expose the user to malware that can exploit platform vulnerabilities or access the camera without their knowledge. Skycures real-time mobile threat protection leverages a public app for guaranteed user privacy and simple maintenance, plus global crowd-sourced intelligence to ensure protection from zero day threats. The solution is designed to proactively protect against all mobile threat vectorsmalware, network-based risks, and OS and app vulnerability risksto help you identify and remediate these risks before they become a problem.</p>&#10;<p>This integration makes it easy for you to apply Skycures threat detection as an additional input into Intunes device compliance settings, giving Intune dynamic control over access to corporate resources and data based on Skycures real-time analysis. Once a threat is detected, Skycure immediately applies on-device protections and notifies Intune to enforce device status changes and conditional access controls to ensure that corporate data stays protected.</p>&#10;<p>&nbsp;</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/EMS-Skycure-Graph.png"><img title="EMS Skycure Graph" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="EMS Skycure Graph" src="https://msdnshared.blob.core.windows.net/media/2017/03/EMS-Skycure-Graph_thumb.png" width="878" height="440" class="aligncenter" /></a></p>&#10;<p align="center"><em>Skycure and Intune work together to make sure only low risk, compliant devices can access corporate resources.</em></p>&#10;<p>&nbsp;</p>&#10;<p>Visit our <a href="https://docs.microsoft.com/en-us/intune/deploy-use/skycure-mobile-threat-defense-connector">documentation site</a> for more details on how to deploy and use Skycure with Intune.</p>&#10;<p>You can read more about how <a href="https://www.skycure.com/blog/skycure-microsoft-integrate-mtd-ems-defend-mobile-threats/">Skycure defends against mobile threats</a>.</p>&#10;<hr />&#10;<p><em>Note that any necessary licenses for Skycure products must be purchased separately from Intune and/or EMS licenses.</em></p>&#10;]]></content:encoded> </item> <item> <title>Microsoft Enterprise Mobility + Security and the Microsoft Graph API</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/</link> <pubDate>Mon, 20 Mar 2017 19:54:11 +0000</pubDate> <dc:creator><![CDATA[Andrew Conway]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=49035</guid> <description><![CDATA[Across the more than forty thousand customers that Enterprise Mobility + Security (EMS) serves today, theres a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/20/microsoft-enterprise-mobility-security-and-the-microsoft-graph-api/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Across the more than forty thousand customers that <a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/07/07/introducing-enterprise-mobility-security/">Enterprise Mobility + Security (EMS)</a> serves today, theres a notable diversity in how they organize their IT resources to enable mobile productivity for their workforce. Each customer uniquely defines their mobile strategy and IT structure through a series of choices based on the strategic needs of their business. Customers may choose to manage their mobility solutions internally while others choose to work with a managed service provider to manage on their behalf. Regardless of the structure, our goal is to enable IT to easily design processes and workflows that allow them to be more empowered and efficient.</p>&#10;<p>As the Microsoft Intune and Azure Active Directory admin experiences come together in Azure, were taking an important step forward in our ability to offer EMS customers more choices and capability. Built on the <a href="https://developer.microsoft.com/en-us/graph">Microsoft Graph API</a>, the new Intune and Azure AD experience on Azure opens a new set of possibilities for our customers and partners to simplify, automate, and integrate their workloads.</p>&#10;<p>Microsoft Graph API connects developers to the data that drives productivity mail, calendar, contacts, documents, directory, devices, and more. It serves as a single interface where Microsoft services can be reached through a set of REST APIs. With our shift to Azure and the Microsoft Graph API, customers now have the choice to manage the administration and operation of Intune and Azure AD services in the new Azure console or through the Microsoft Graph API. The scenarios that the Microsoft Graph API enable are expansive we expect the value to you and all our customers to center on three core benefits:</p>&#10;<h2>Simplicity</h2>&#10;<p>Microsoft Graph API is accessible through several platforms and tools, including REST- based API endpoints, and most popular programming and automation platforms (.NET, JS, iOS, Android, PowerShell). Resources (user, group, device, application, file) and policies can be queried through this API, and formerly difficult or complex questions can be addressed via straightforward queries. For example, you can use the Graph APIs to check the compliance state of all your Intune- managed devices and feed this data into your existing reporting system, enabling a simple, yet powerful, reporting experience across your organization.</p>&#10;<h2>Automation</h2>&#10;<p>The Microsoft Graph API allows you to connect different services and automate workflows and processes between them. For example, you could connect your HR system with the Microsoft Graph APIs to automate the provisioning of mobile devices when youre onboarding a new employee, and set up automation to retire and wipe a device as employees leave the company. If you are a service provider managing the environment of multiple customers at once, you could use these capabilities to automate the onboarding of tenants, populating them with default policies and implementing industry-specific templates. All this can be set up to happen automatically without ever opening a management console.</p>&#10;<h2>Integration</h2>&#10;<p>The Microsoft Graph API can send detailed device and application information to other IT asset management or reporting systems. You could build custom experiences which call our APIs to configure Intune and Azure AD controls and policies and unify workflows across multiple services. For example, a help desk organization might build a custom solution that incorporates Intune functionality into their console, allowing them to manage device and application policies in a unified way alongside other helpdesk tasks. You can even connect with PowerBI and other analytics services to create custom dashboards and reports based on Office 365, Intune, and Azure AD data from the Microsoft Graph API.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for.jpg"><img width="873" height="186" title="Microsoft Graph API is the gateway for" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Microsoft Graph API is the gateway for" src="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Graph-API-is-the-gateway-for_thumb.jpg" border="0" /></a></p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms.jpg"><img width="872" height="147" title="Supported Platforms" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Supported Platforms" src="https://msdnshared.blob.core.windows.net/media/2017/03/Supported-Platforms_thumb.jpg" border="0" /></a></p>&#10;<p>The new <a href="https://blogs.windows.com/windowsexperience/2017/01/24/announcing-intune-education-new-windows-10-pcs-school-starting-189/#2h4ooD2KbRBHuix3.97">Intune for Education</a> experience and the OneDrive for Business console, where Intune app protection policies are now built in directly, are both great examples of new experiences that are made possible because of Intune and Azure AD being built on the Microsoft Graph API. Were also working directly with several partners who are starting to explore whats possible with our APIs in preview. Its exciting to see the ideas they come up with around how these capabilities will improve their processes and workflows, and the custom solutions they will enable.</p>&#10;<p>The Intune and Azure AD APIs are available in preview now as part of the Microsoft Graph API beta and will be generally available later in 2017.*For a closer look, check out the documentation on how to use <a href="https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/intune_graph_overview">Intune</a> and <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api">Azure Active Directory</a> APIs.</p>&#10;<hr />&#10;<p><em>*Use of a Microsoft online service requires a valid license. Therefore, accessing EMS, Microsoft Intune, or Azure Active Directory Premium features via Microsoft Graph API requires paid licenses of the applicable service and compliance with Microsoft Graph API Terms of Use. </em></p>&#10;]]></content:encoded> </item> <item> <title>Microsoft Teams is now generally available &#8212; and MAM enabled on iOS and Android!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/14/microsoft-teams-is-now-generally-available-and-mam-enabled-on-ios-and-android/</link> <pubDate>Tue, 14 Mar 2017 15:30:00 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[MAM]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48785</guid> <description><![CDATA[Great news &#8211; today Microsoft announced the general availability of Microsoft Teams! Were excited to share this huge milestone and announce that the updated Microsoft Teams apps are now enabled with Intune MAM capabilities, so you can empower your teams to work freely across devices, while ensuring that conversations and corporate data is protected at <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/14/microsoft-teams-is-now-generally-available-and-mam-enabled-on-ios-and-android/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Great news &#8211; today Microsoft announced the <a href="https://blogs.office.com/2017/03/14/microsoft-teams-rolls-out-to-office-365-customers-worldwide/">general availability of Microsoft Teams</a>! Were excited to share this huge milestone and announce that the updated Microsoft Teams apps are now enabled with Intune MAM capabilities, so you can empower your teams to work freely across devices, while ensuring that conversations and corporate data is protected at every turn. The Microsoft Teams apps supports the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/create-and-deploy-mobile-app-management-policies-with-microsoft-intune">Intune MAM app-level data protection</a> with or without MDM device enrollment. Look for them in the <a href="https://play.google.com/store/apps/details?id=com.microsoft.teams">Google Play</a> and <a href="https://itunes.apple.com/us/app/microsoft-teams/id1113153706?mt=8">iOS App</a> stores today.Support for Microsoft Teams in the Intune admin console is currently being rolled out.</p>&#10;<p>Microsoft Teams is a chat-based workspace in Office 365 that brings together people, conversations, and content in a fresh new way that takes the work out of collaboration and makes it easy for teams to stay on the same page and achieve more. Microsoft Teams goes way beyond chat, giving you easy access to the tools your people depend on everyday Word, Excel, PowerPoint, OneNote, SharePoint and Power BI &#8211; are all built-in, so youre never more than a click away from getting things done. And its customizable, allowing you to create a workspace that fits the unique needs of every team.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Teams.png"><img title="Microsoft Teams" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="Microsoft Teams" src="https://msdnshared.blob.core.windows.net/media/2017/03/Microsoft-Teams_thumb.png" width="771" height="435" class="aligncenter" /></a></p>&#10;<p>With the Teams apps for iOS and Android, work gets done anywhere &#8211;you can collaborate with partners and contribute to projects, even on the go.</p>&#10;<p><a href="https://technet.microsoft.com/en-us/library/mt627825.aspx">Heres a great article</a> if youre looking for more details on Intune MAM policies. Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">Whats new in Microsoft Intune</a> page for more on these and other recent developments in Intune.</p>&#10;<h3>Additional Resources</h3>&#10;<ul>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="http://technet.microsoft.com/library/jj676587.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Find technical resources for Intune in the TechNet library</a></li>&#10;<li><a href="https://www.microsoft.com/en-us/server-cloud/enterprise-mobility/ems-trial.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Sign up for a free trial of Microsoft Intune</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/b/microsoftintune/rss.aspx?WT.mc_id=Blog_Intune_Announce_PCIT">Subscribe to the Intune blog RSS feed</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>Conditional Access “limited access” policies for SharePoint are in public preview!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/</link> <pubDate>Thu, 09 Mar 2017 17:00:23 +0000</pubDate> <dc:creator><![CDATA[Alex_SimonsMS]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Android]]></category> <category><![CDATA[Conditional Access]]></category> <category><![CDATA[Identity-driven Security]]></category> <category><![CDATA[iOS]]></category> <category><![CDATA[Office 365]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[SharePoint]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48725</guid> <description><![CDATA[Howdy folks, Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data. But not anymore! Working with the SharePoint team, we&#8217;ve created a great <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/03/09/conditional-access-limited-access-policies-for-sharepoint-are-in-public-preview/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Howdy folks,</p>&#10;<p>Enabling productivity while securing data is the fine line IT pros walk today, and having the right tools to do it makes it that much easier. In the past, employees working from their personal devices was a recipe for leaked data.</p>&#10;<p>But not anymore! Working with the SharePoint team, we&#8217;ve created a great new feature in the conditional access experience that I think you&#8217;re going to love: the ability to limit a user&#8217;s ability to download, print and sync based on the state of their device.</p>&#10;<p>To tell you more about it, I&#8217;ve invited one of my program managers, Nitika Gupta, to write a blog, which you&#8217;ll find below. Read up, try things out, and let us know what you think!</p>&#10;<p>Best regards,</p>&#10;<p>Alex Simons (Twitter: <a href="https://twitter.com/Alex_A_Simons">@Alex_A_Simons</a>)</p>&#10;<p>Director of Program Management</p>&#10;<p>Microsoft Identity Division</p>&#10;<p>&#8212;-</p>&#10;<p>Hi folks,</p>&#10;<p>I&#8217;m Nitika Gupta, a Program Manager in the Identity Security and Protection team at Microsoft. Today we are announcing the public preview of a feature that will enhance security for SharePoint and OneDrive access while still helping maintain productivity.</p>&#10;<p>Microsoft Intune and Azure Active Directory conditional access provides the ability to grant or block access to resources based on device state. This helps organizations ensure content doesn&#8217;t get on to a machine that isn&#8217;t encrypted, locked, secure from malware, etc. This is an important aspect of securing company data.</p>&#10;<p>Unfortunately, not all devices can be managed. Sometimes people need to work from home computers, personal devices, or shared machines that aren&#8217;t enrolled. Until now, this meant losing productivity by denying access to SharePoint altogether or allowing unsecured download of content. Because of this, IT admins struggle to find the balance when configuring policies to prevent data leakage of corporate resources while ensuring that employees remain productive.</p>&#10;<p>But what if we could have great user productivity and maintain a great security posture? That&#8217;s what the Secure, Productive Enterprise is all about and why <strong>I am thrilled to announce the public preview of the &#8220;<em>Limited Access to SharePoint and OneDrive&#8221;</em> feature!</strong> Now you can allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.</p>&#10;<p>Let me show you how it works in Azure AD Conditional Access and SharePoint!</p>&#10;<h2>Getting started</h2>&#10;<p>Configuring limited browser-only access to SharePoint and OneDrive is an easy two-step process. See our <a href="https://aka.ms/spolimitedaccessdocs">limited access documentation</a> for more detailed instructions.</p>&#10;<ol>&#10;<li>&#10;<div>First <a href="https://portal.azure.com/">create an Azure AD Conditional access policy</a> for SharePoint that applies only to browser client apps with &#8220;use app enforced restrictions&#8221; as the session control.</div>&#10;<p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional1.png" /></p>&#10;<p>Tip: To prevent users from going around the browser policy and accessing resources from mobile and desktop applications on unmanaged devices, we recommend enabling Azure AD conditional access policy. This enables access from mobile and desktop apps only from a compliant or domain joined device.</li>&#10;<li>Next, go to <strong>device access </strong>in the SharePoint admin center and select the checkbox to &#8220;Allow limited access (web-only, without the Download, Print, and Sync commands)&#8221;</li>&#10;</ol>&#10;<p><img alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional2.png" /></p>&#10;<p>Note: It can take up to 15 minutes for policy changes to take effect.</p>&#10;<h2>End user experience</h2>&#10;<p>When accessing SharePoint and OneDrive from devices that are not compliant or domain joined, end users will see a warning banner explaining why their experience is limited.</p>&#10;<p><img class="aligncenter" alt="" src="https://msdnshared.blob.core.windows.net/media/2017/03/030917_0059_Conditional3.png" /></p>&#10;<h2>Feedback</h2>&#10;<p>We would love to hear your feedback! If you have any suggestions for us, questions, or issues to report, please leave a comment at the bottom of this post, or tweet with the hashtag #AzureAD.</p>&#10;<p>Thanks,</p>&#10;<p>Nitika Gupta</p>&#10;<p>@_nitika_gupta</p>&#10;]]></content:encoded> </item> <item> <title>Update 1702 for Configuration Manager Technical Preview Branch – Available Now!</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/#comments</comments> <pubDate>Mon, 27 Feb 2017 19:00:42 +0000</pubDate> <dc:creator><![CDATA[Yvette OMeally]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=47535</guid> <description><![CDATA[Hello everyone! We are happy to let you know that update 1702 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This months new preview features <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Hello everyone! We are happy to let you know that update 1702 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. This months new preview features include:</p>&#10;<ul>&#10;<li><strong>Azure Active Directory Domain Services support </strong> You can install a ConfigMgr site on an Azure virtual machine that is connected to <a href="https://go.microsoft.com/fwlink/?linkid=842178"><u>Azure Active Directory Domain Services</u></a>, and use the site to manage other Azure virtual machines connected to the same domain.</li>&#10;<li><strong>Improvements for in-console search </strong> Based on User Voice feedback, we have added several improvements to in-console search, including searching by Object Path, preservation of search text and preservation of your decision to search sub-nodes.</li>&#10;<li><strong>Windows Update for Business integration </strong> You can now implement Windows Update for Business assessment results as part of Conditional Access compliance policy conditional rules.</li>&#10;<li><strong>Customize high-risk deployment warning </strong> You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system. The default string regarding data may not apply in scenarios like in-place upgrade.</li>&#10;<li><strong>Close executable files at the deadline when they would block application installation</strong> &#8211; If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline.</li>&#10;</ul>&#10;<p>This release also includes the following improvements for customers using System Center Configuration Manager connected with Microsoft Intune to manage mobile devices:</p>&#10;<ul>&#10;<li><strong>Non-Compliant Apps Compliance Settings </strong>&#8211; Add iOS and Android applications to a non-compliant apps rule in a compliance policy to trigger conditional access if the devices have those applications installed.</li>&#10;<li><strong>PFX Certificate Creation and Distribution and S/MIME Support</strong> &#8211; Admins can create and deploy PFX certificates to users. These certificates can then be used for S/MIME encryption and decryption by devices that the user has enrolled.</li>&#10;<li><strong>Android for Work Support </strong>&#8211; You can now manage <a href="https://enterprise.google.com/android/"><u>Android for Work</u></a> devices. This enables you to enroll devices, approve and deploy apps, and configure policies for Android for Work devices.</li>&#10;</ul>&#10;<p>Update 1702 for Technical Preview Branch is available in the Configuration Manager console. For new installations please use the 1610 baseline version of Configuration Manager Technical Preview Branch <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>available on TechNet Evaluation Center</u></a>.</p>&#10;<p>We would love to hear your thoughts about the latest Technical Preview! To provide feedback or report any issues with the functionality included in this Technical Preview, please use <a href="https://connect.microsoft.com/ConfigurationManagervnext/Feedback"><u>Connect</u></a>. If theres a new feature or enhancement you want us to consider for future updates, please use the <a href="http://configurationmanager.uservoice.com/"><u>Configuration Manager UserVoice site</u></a>.</p>&#10;<p>Thanks,</p>&#10;<p>The System Center Configuration Manager team</p>&#10;<p><strong>Configuration Manager Resources:</strong></p>&#10;<p><a href="https://docs.microsoft.com/sccm/core/get-started/technical-preview"><u>Documentation for System Center Configuration Manager Technical Previews </u></a></p>&#10;<p><a href="https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview"><u>Try the System Center Configuration Manager Technical Preview Branch</u></a></p>&#10;<p><a href="https://docs.microsoft.com/sccm/"><u>Documentation for System Center Configuration Manager </u></a></p>&#10;<p><a href="https://social.technet.microsoft.com/Forums/en-US/home?category=ConfigMgrCB"><u>System Center Configuration Manager Forums </u></a></p>&#10;<p><a href="https://aka.ms/cmcbsupport"><u>System Center Configuration Manager Support</u></a></p>&#10;<p><a href="https://www.microsoft.com/en-us/download/details.aspx?id=42645"><u>Download the Configuration Manager Support Center</u></a></p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/update-1702-for-configuration-manager-technical-preview-branch-available-now/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item> <title>Webinar: On-premises conditional access with EMS and NetScaler</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/#comments</comments> <pubDate>Mon, 27 Feb 2017 19:00:26 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=48035</guid> <description><![CDATA[The demand for a modern mobile user experience isnt just a matter of conveniencepeople do their best work when they have the freedom to access their corporate email and documents from anywhere, on any device. But increasing freedom and mobility also raises the stakes for IT requiring you to balance the need to protect your <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>The demand for a modern mobile user experience isnt just a matter of conveniencepeople do their best work when they have the freedom to access their corporate email and documents from anywhere, on any device. But increasing freedom and mobility also raises the stakes for IT requiring you to balance the need to protect your corporate data with the expectations and needs of your users.</p>&#10;<p><strong>Join us for a free one-hour webinar</strong> with Citrix NetScaler Unified Gateway expert Akhilesh Dhawan and David Randall, from Microsoft Intune to learn about a product integration between Microsoft EMS and Citrix NetScaler that provides on-premises conditional access to corporate resources and data.</p>&#10;<p>The integration of Citrix NetScaler Unified Gateway with Microsoft Enterprise Mobility + Security lets you:</p>&#10;<ul>&#10;<li>Give your employees the highly productive mobile experience they expect.</li>&#10;<li>Ensure that only the right users on compliant devices have access to your corporate data and resources.</li>&#10;</ul>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/02/EMS_NetScaler.png"><img title="EMS_NetScaler" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" border="0" alt="EMS_NetScaler" src="https://msdnshared.blob.core.windows.net/media/2017/02/EMS_NetScaler_thumb.png" width="800" height="329" /></a></p>&#10;<p>The live webinar is taking place on March 1, 2017 at 11 AM PT.</p>&#10;<p><a href="https://citrix.webcasts.com/starthere.jsp?ei=1135309&amp;sti=microsoft">REGISTER NOW to learn more about this integration and to see how it works!</a></p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2017/02/27/webinar-on-premises-conditional-access-with-ems-and-netscaler/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item> <title>Microsoft Intune 2016 &#8211; a year in review</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/19/microsoft-intune-2016-a-year-in-review/</link> <pubDate>Thu, 19 Jan 2017 19:00:45 +0000</pubDate> <dc:creator><![CDATA[Microsoft Intune Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=46055</guid> <description><![CDATA[Where you are today is not where you will be tomorrow. Things change fast these days. Regardless of your industry, youre always in motion evolving and adapting to the shifting needs of your business and workforce. Intune gives you a diverse set of tools for managing your complex mobile environment and empowering a workforce <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/19/microsoft-intune-2016-a-year-in-review/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>Where you are today is not where you will be tomorrow. Things change fast these days. Regardless of your industry, youre always in motion evolving and adapting to the shifting needs of your business and workforce. Intune gives you a diverse set of tools for managing your complex mobile environment and empowering a workforce on the move. Intunes innovative combination of mobile application and device management options gives you flexibility in how you manage and secure mobile productivity.</p>&#10;<h3>Delivering ongoing innovation from the cloud</h3>&#10;<p>Our cloud service model gives you many advantages. It eliminates the need to plan, purchase, and maintain on-premises hardware and infrastructure, lowering costs and making your day-to-day management experience much easier.</p>&#10;<p>For the Intune team, the cloud makes it possible for us to innovate on an ongoing basis. Each month we release new features and product updates designed to help you empower your users to be productive, all while protecting the massive amounts of data flowing through your mobile ecosystem. And because Intune is always up to date, theres no need for a cumbersome deployment process for you to manage.</p>&#10;<p>Theres always something new in Intune. Check out our <a href="https://sway.com/C28XZnaiWRRA0UjW">Intune 2016 year in review</a> to see a list of features, innovations, and product news that we released in 2016.</p>&#10;<p><a href="https://sway.com/C28XZnaiWRRA0UjW"><img width="1024" height="316" title="Microsoft Intune 2016 timeline" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Microsoft Intune 2016 timeline" src="https://msdnshared.blob.core.windows.net/media/2017/01/Microsoft-Intune-2016-timeline.png" border="0" /></a></p>&#10;<p>And be sure to <a href="https://twitter.com/MSFTMobility">follow us on Twitter</a> and check back here for product updates throughout 2017. If theres a feature or update that you want us to consider, please add it to our <a href="https://microsoftintune.uservoice.com/forums/291681-ideas">User Voice conversation</a>.</p>&#10;<h3></h3>&#10;<h3>Additional resources:</h3>&#10;<ul>&#10;<li>Visit the <a href="https://docs.microsoft.com/en-us/intune/deploy-use/whats-new-in-microsoft-intune">Whats New in Microsoft Intune</a> page for more on recent developments in Intune.</li>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/intune">Find technical resources on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>Breaking down EMS Conditional Access: Part 2</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/</link> <pubDate>Thu, 05 Jan 2017 16:00:25 +0000</pubDate> <dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45505</guid> <description><![CDATA[This post is the second in a three-part series detailing Conditional Access from Microsoft Enterprise Mobility + Security. Today, the typical employee connects an average of four devices to their corporate network. Usually theyre connecting from their own mobile device or PC, but thats not always the case. Maybe they use their daughters iPad in <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2017/01/05/breaking-down-ems-conditional-access-part-2/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p><i>This post is the second in a three-part series detailing </i><a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access"><i>Conditional Access</i></a><i> from Microsoft Enterprise Mobility + Security.</i></p>&#10;<p>Today, the typical employee connects an average of four devices to their corporate network. Usually theyre connecting from their own mobile device or PC, but thats not always the case. Maybe they use their daughters iPad in a pinch, or log on from a friends house, or use a hotel kiosk to connect. You might be OK with allowing access in some cases, but in other circumstances you may want to provide access only to certain employees, only to specific data, or only from known and compliant devices.</p>&#10;<p>Device-based conditional access from Microsoft Enterprise Mobility + Security (EMS) helps you make sure that only compliant mobile devices and PCsthose that meet the standards youve sethave access to corporate data.</p>&#10;<h2>Device Compliance</h2>&#10;<p>Device compliance policies help you protect company data by making sure the devices used to access your data or sensitive apps comply with your specific requirements or standards. Administrators can set these policies to enforce device compliance requirements before users attempt to access company resources. These can include settings for device enrollment, domain join, passwords and encryption, as well for the OS platform running on the device.</p>&#10;<p>You can use <a href="https://docs.microsoft.com/en-us/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune">compliance policy settings</a> in Microsoft Intune to create a set of rules for and to evaluate the compliance of employee devices. When devices don&#8217;t meet the conditions set in the policies, the end user is guided though the process of enrolling the device and fixing the issue that prevents the device from being compliant.</p>&#10;<p><a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-email-and-o365-services-with-microsoft-intune">Conditional access policies</a> are a set of rules that can restrict or allow access to a specific service based on whether the user meets the requirements you define. When you use a conditional access policy in combination with a device compliance policy, only users with compliant devicesin addition to any other rules youve setwill be allowed to access the service. Since both policies are applied at the user level, any device from which the user tries to access services will be checked for compliance.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario.png"><img width="790" height="463" title="Conditional Access Policy Scenario" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="Conditional Access Policy Scenario" src="https://msdnshared.blob.core.windows.net/media/2017/01/Conditional-Access-Policy-Scenario_thumb.png" border="0" /></a></p>&#10;<p align="center"><em>In this scenario, IT has applied a policy that blocks unmanaged devices from accessing and opening files stored on OneDrive for Business. Devices need to be enrolled first, before the location can be accessed.</em></p>&#10;<h2>EMS + Lookout, providing additional mobile endpoint security</h2>&#10;<p><a href="https://www.lookout.com/about/partners/microsoft">Lookouts deep integration with EMS</a> gives you real-time visibility into mobile device risks, including advanced mobile threats and app data leakage, which can inform your conditional access policies. Lookout provides visibility across all three mobile risk vectors: app-based risks (such as malware), network-based risks (such as man-in-the-middle attacks), and OS-based risks (such as malicious OS compromise).</p>&#10;<p>The integration between Lookout and EMS makes it easy to apply this threat intelligence to your conditional access policies. If a device is found to be non-compliant due to a mobile risk identified by Lookout, access is blocked and the user is prompted to resolve the issue with one-step guidance from Lookout before they can regain access. <em>Note that Lookout licenses must be purchased separately from EMS.</em></p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout.png"><img width="850" height="351" title="EMS Intune Lookout" class="aligncenter" style="float: none;padding-top: 0px;padding-left: 0px;margin-left: auto;padding-right: 0px;margin-right: auto;border: 0px" alt="EMS Intune Lookout" src="https://msdnshared.blob.core.windows.net/media/2017/01/EMS-Intune-Lookout_thumb.png" border="0" /></a></p>&#10;<h2>Device-based conditional access to on-premises resources</h2>&#10;<p>EMS conditional access capabilities help you to secure access to both your cloud and on-premises resources. Our customers often manage broad and complex networks, so with that in mind, weve built partnerships with popular network access providers such as Cisco ISE, Aruba ClearPass, and Citrix NetScaler. Now you can extend your Intune conditional access capabilities to work with these networks.</p>&#10;<p>Partner network providers can implement checks for Intune-managed and compliant devices as a requirement before allowing user access through either your wireless or virtual private network. When you <a href="https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-networks">extend device compliance policies to network providers</a>, you can ensure that only managed and compliant devices will be able to connect to your on-premises corporate network.</p>&#10;<p>EMS offers you some great access simplifications: you can still enable <a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-on-premises-data-with-intune">secure access to on-premises</a> applications without VPNs, DMZs, or on-premises reverse proxies by leveraging the Azure Active Directory Application Proxy. Best of all, all of this can be done without installing or maintaining additional on-premises infrastructure or opening your company firewall to route traffic through it. Conditional access capabilities will work for this scenario as well.</p>&#10;<h2>Additional Resources</h2>&#10;<ul>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/2016/10/31/breaking-down-ems-conditional-access-part-1/">Breaking down EMS Conditional Access: Part 1</a></li>&#10;<li><a href="https://microsoftintune.uservoice.com/?WT.mc_id=Blog_Intune_Announce_PCIT">Submit feedback and suggestions to the Intune engineering team</a></li>&#10;<li><a href="https://docs.microsoft.com/en-us/enterprise-mobility-security/solutions/protect-office365-data-with-intune">Read more about device based conditional access on the Intune docs site</a></li>&#10;<li><a href="https://blogs.technet.microsoft.com/enterprisemobility/feed/?product=microsoft-intune">Subscribe to the Intune blog RSS feed</a></li>&#10;<li>Follow us on <a href="https://twitter.com/MSFTMobility">Twitter</a></li>&#10;</ul>&#10;]]></content:encoded> </item> <item> <title>Conditional Access now in the new Azure portal</title> <link>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/</link> <comments>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/#comments</comments> <pubDate>Thu, 15 Dec 2016 18:00:09 +0000</pubDate> <dc:creator><![CDATA[Enterprise Mobility Team]]></dc:creator> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[Conditional Access]]></category> <category><![CDATA[Identity-driven Security]]></category> <guid isPermaLink="false">https://blogs.technet.microsoft.com/enterprisemobility/?p=45175</guid> <description><![CDATA[The digital transformation thats affecting every organization brings new challenges for IT, as they strive to empower their users to be productive while keeping corporate data secure in an increasingly complex technology landscape. Microsoft Enterprise Mobility + Security (EMS) provides a unique identity-driven security approach to address these new challenges at multiple layers and to <p><a class="read-more" href="https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/">Continue reading</a></p>]]></description> <content:encoded><![CDATA[<p>The digital transformation thats affecting every organization brings new challenges for IT, as they strive to empower their users to be productive while keeping corporate data secure in an increasingly complex technology landscape. Microsoft Enterprise Mobility + Security (EMS) provides a unique identity-driven security approach to address these new challenges at multiple layers and to provide you with a more holistic and innovative approach to security one that can protect, detect, and respond to threats on-premises as well as in the cloud.</p>&#10;<p>Risk-based conditional access is a critical part of our identity-driven security story. It ensures that only the right users, on the right devices, under the right circumstances have access to your sensitive corporate data. Conditional access allows you to define policies that provide contextual controls at the user, location, device, and app levels, and it also takes risk information into consideration (powered by the vast data in Microsofts <a href="https://www.microsoft.com/en-us/security/intelligence">Intelligent Security Graph</a>). As conditions change, natural user prompts ensure only the right users on compliant devices can access sensitive data, providing you the control and protection you need to keep your corporate data secure while allowing your people to do their best work from any device.</p>&#10;<p>This is an area where we are constantly innovating to bring you the most secure and easy-to-use solution, and today were announcing several improvements to Conditional Access in EMS:</p>&#10;<ol>&#10;<li><strong>Risk-based access policies per application</strong>. <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection">Leverage machine learning on a massive scale</a> to provide real-time detection and automated protection. Now you can use this data to build risk-based policies per application.</li>&#10;<li><strong>Greater flexibility to protect applications</strong>. Set multiple policies per application or set and easily roll out global rules to protect all your applications with a single policy.</li>&#10;<li>All these capabilities are now available in a <strong>unified administrative experience on the Azure portal</strong>. This makes it even easier to create and manage holistic conditional access policies to all your applications.</li>&#10;</ol>&#10;<p>These new <a href="https://www.microsoft.com/en-us/cloud-platform/conditional-access">conditional access</a> capabilities provide more flexible and powerful policies to enable productivity while ensuring security. Additionally, the new admin experience unifies conditional access workloads across Intune and Azure AD.</p>&#10;<p>If you are an Intune customer using the existing browser-based console or the Configuration Manager console, or an Azure AD customer using the classic Azure portal, you can now preview the new Conditional Access policy interface in the Azure portal.</p>&#10;<p><a href="https://aka.ms/cacontrols">Get started with these Conditional Access capabilities</a> or read on to learn a bit more about Conditional Access with EMS.</p>&#10;<h2>Overview</h2>&#10;<p>A Conditional Access policy is simply a statement about<br />&#10;<strong>When the policy should apply</strong> (called <strong>Conditions</strong>), and<br />&#10;<strong>What the action or requirement should be</strong> (called <strong>Controls</strong>).</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Conditional-access-policy.png"><img width="169" height="480" title="Conditional access policy" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Conditional access policy" src="https://msdnshared.blob.core.windows.net/media/2016/12/Conditional-access-policy_thumb.png" border="0" /></a></p>&#10;<h3>Conditions (When the policy should apply)</h3>&#10;<p>Conditions are the things about a login that dont change during the login, and are used to decide which policies should apply. Azure AD supports the following Conditions:</p>&#10;<ol>&#10;<li><strong>Users/Groups</strong> are the users/groups in the directory that the policy applies to.</li>&#10;<li><strong>Cloud apps</strong> are the services the user accesses that you want to secure.</li>&#10;<li><strong>Client app</strong> is the software the user is employing to access cloud app.</li>&#10;<li><strong>Device platform</strong> is the platform the user is signing in from.</li>&#10;<li><strong>Location</strong> is the IP-address based location the user is signing in from.</li>&#10;<li><strong>Sign-in risk</strong> is the likelihood that the sign-in is coming from someone other than the user.</li>&#10;</ol>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Conditions-preview.png"><img width="378" height="480" title="Conditions preview" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Conditions preview" src="https://msdnshared.blob.core.windows.net/media/2016/12/Conditions-preview_thumb.png" border="0" /></a></p>&#10;<p><a href="https://aka.ms/caconditions">Our documentation provides further details on how to set the conditions</a>.</p>&#10;<h3>Controls (What the action or requirement should be)</h3>&#10;<p>Controls are the additional enforcements that are put in place by the policy (such as do a Multi-factor authentication challenge) that will be inserted into the login flow. Azure AD supports the following controls:</p>&#10;<ol>&#10;<li><strong>Block access </strong></li>&#10;<li><strong>Multi-factor authentication</strong></li>&#10;<li><strong>Compliant device</strong></li>&#10;<li><strong>Domain Join</strong></li>&#10;</ol>&#10;<p>You can select individual controls or all of them.</p>&#10;<p><a href="https://msdnshared.blob.core.windows.net/media/2016/12/Controls-preview.png"><img width="400" height="508" title="Controls preview" style="padding-top: 0px;padding-left: 0px;padding-right: 0px;border: 0px" alt="Controls preview" src="https://msdnshared.blob.core.windows.net/media/2016/12/Controls-preview_thumb.png" border="0" /></a></p>&#10;<p>To learn more about how to get started with controls, you can read a <a href="https://aka.ms/cacontrols">detailed documentation article</a>.</p>&#10;<p>Were really excited about the wide range of scenarios that this new experiences lights up and hope you find it useful. As always, were looking forward to your feedback.</p>&#10;]]></content:encoded> <wfw:commentRss>https://blogs.technet.microsoft.com/enterprisemobility/2016/12/15/conditional-access-now-in-the-new-azure-portal/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> </channel> </rss>