Author Archives: nhogarth

Tip – Using Azure AD Monitoring to track Conditional Access failures

If you ever wanted an overview of the devices in your environment that have been blocked from accessing cloud resources by Conditional Access, you can use the Sign-ins view under Monitoring in Azure AD. With this really simple feature you can view the user name, the application the user used, the operating system, and the specific Conditional Access policy that blocked the user from accessing the cloud resource.

This post will show how you can use Azure AD Monitoring to find devices that failed to meet a Conditional Access policy. In my example I have a simple Conditional Access policy for iOS devices that requires the device to be compliant in order to access Exchange Online. I will test access to Exchange Online using the Outlook mobile app on an iOS device that is not enrolled in Intune.

In either https://devicemanagement.microsoft.com/ or https://portal.azure.com, go to Azure Active Directory and you will see a section called Monitoring. Under Monitoring, you will see Sign-ins.

If you click on Sign-ins, you can then use the drop-downs and buttons to view specific information. For example, if you click on Columns you can choose to hide or show certain columns to get the information that you need.

In the example below I have clicked the drop-down under Conditional Access and selected Failure so I can see the devices that have been blocked due to not meeting the Conditional Access policies. In the screenshot below you can see there is an iOS device that used the Outlook Mobile app with a Conditional Access failure.

If you select this, you can then view more information about the sign-in, including Username, Application and Client App, and you can also view the name of the Conditional Access policy it failed on by clicking on the Conditional Access tab.

In the example below you can see that I have a Conditional Access policy called “Exchange Online iOS Managed Only Devices” with the Grant control of “require compliant device” and that my device failed against this Conditional Access policy.

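
As an added example (not from the original post), here is the same Conditional Access = Failure filter applied from Microsoft Graph PowerShell, so the failing policy names can be reviewed or exported without clicking through each sign-in. It assumes the Microsoft.Graph module is installed and an account with AuditLog.Read.All; the seven-day window is a constructed choice.

```powershell
# Added example, not part of the original post: Conditional Access failures from the
# Azure AD sign-in logs via Microsoft Graph PowerShell, with the policy each sign-in failed on.
# Assumes the Microsoft.Graph module and the AuditLog.Read.All permission.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Same filter as the portal's Conditional Access drop-down set to Failure, limited to 7 days.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter  = "conditionalAccessStatus eq 'failure' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

$rows = foreach ($s in $signIns) {
    # A sign-in is evaluated against every policy in scope; keep only the ones that failed.
    foreach ($p in ($s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' })) {
        [pscustomobject]@{
            Time      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName                     # e.g. Outlook Mobile
            ClientApp = $s.ClientAppUsed
            OS        = $s.DeviceDetail.OperatingSystem       # e.g. Ios
            Policy    = $p.DisplayName                        # name shown on the Conditional Access tab
            Grants    = ($p.EnforcedGrantControls -join ', ') # e.g. RequireCompliantDevice
        }
    }
}

# Per-sign-in detail, then a count per failing policy to spot the noisiest ones.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Group-Object Policy | Select-Object Name, Count | Sort-Object Count -Descending
```
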
Conditional access – third party apps

This post will show how you can add a third-party app that supports SAML to Azure AD, and then create a Conditional Access policy so that only compliant devices can access the third-party cloud resource.

In my example I have signed up for a GoToMeeting trial. I will add the GoToMeeting app to Azure AD and configure the single sign-on options to use SAML, and then on the GoToMeeting side I will configure Azure AD as the Identity Provider. Once this is set up, I will create a Conditional Access policy that requires devices to be compliant in order to access GoToMeeting. When logging in to GoToMeeting with a work account, GoToMeeting will redirect me to sign in through Azure AD, and then the Conditional Access policy will kick in.

Always test conditional access with test users, and plan thoroughly for any changes in a Production environment. The information below is for testing purposes.

Recommended reading:

Single Sign-On SAML protocol
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

Single sign-on to applications in Azure Active Directory
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

Tutorial: Azure Active Directory integration with GoToMeeting
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-gotomeeting-tutorial

What is conditional access in Azure Active Directory?
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Tutorial: Configure GoToMeeting for automatic user provisioning
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrixgotomeeting-provisioning-tutorial

In Azure Active Directory, go to Enterprise applications then click on New application.

Search for the application. Note that it says it supports SAML based sign-on for the Single Sign-On Mode. Click on Add.

Once the application has been added, I will give access to my test users by clicking on Users and groups, and then Add user.

Now I will configure SAML for the single sign-on mode. Click on Single-Sign-On on the left hand side, then select SAML.

I have entered the following values:

  • Identifier (Entity ID): https://authentication.logmeininc.com/saml/sp
  • Reply URL (Assertion Consumer Service URL): https://authentication.logmeininc.com/saml/acs
  • Relay State: https://global.gotomeeting.com

Now I am going to download the Federation Metadata XML and upload it to the GoToMeeting site.

When logged in with my admin account at https://organization.logmeininc.com/, in the Identity provider section I have selected Upload SAML metadata file. This file contains all the Azure AD information and configures Azure AD as the identity provider.

Now, with a test user, I will log in to https://www.gotomeeting.com/meeting/sign-in and select My Company ID so it redirects me to my identity provider (Azure AD).

As expected, it has redirected me to Azure AD. I can confirm that the SAML single sign-on mode has been configured successfully.

Next I will add the conditional access policy.

For the Cloud apps, you can see that GoToMeeting now appears because we added it earlier. I will select this as the Cloud app.

I will configure it to apply to all device platforms.

I have configured it to apply to Browser, and mobile apps etc.

In this test example, I have configured it to require only Intune enrolled compliant devices to access GoToMeeting.

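
The same policy built in the steps above, created from Microsoft Graph PowerShell as an added example (not the post's own steps), in report-only mode so its results show up in the sign-in logs before anything is blocked. It assumes the Microsoft.Graph module, the Policy.ReadWrite.ConditionalAccess permission, an enterprise application named GoToMeeting, and a hypothetical test group called CA Test Users.

```powershell
# Added example, not from the original post: the "require compliant device" policy for
# GoToMeeting created via Microsoft Graph PowerShell. It starts in report-only mode, which
# matches the post's advice to test with test users before enforcing in production.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Cloud app: the enterprise application added earlier. Conditional Access targets its appId.
$app = Get-MgServicePrincipal -Filter "displayName eq 'GoToMeeting'"
if (@($app).Count -ne 1) { throw "Expected exactly one service principal named GoToMeeting" }

# Scope to a test group rather than all users (hypothetical group name).
$testGroup = Get-MgGroup -Filter "displayName eq 'CA Test Users'"
if (-not $testGroup) { throw "Test group 'CA Test Users' not found" }

$policy = @{
    displayName   = "GoToMeeting - require compliant device"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" once report-only results look right
    conditions    = @{
        users          = @{ includeGroups = @($testGroup.Id) }
        applications   = @{ includeApplications = @($app.AppId) }
        platforms      = @{ includePlatforms = @("all") }            # All device platforms
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")                       # Require device to be marked as compliant
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only entries in the sign-in logs show only the expected blocks, set the policy state to enabled.
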
Now let's log in to https://www.gotomeeting.com/meeting/sign-in with My Company ID.

It will redirect us to Azure AD, as we configured Azure AD as the identity provider earlier (and the domain used in my UPN was also added and confirmed in GoToMeeting).

Now because my device is not enrolled into Intune, I am blocked from accessing the GoToMeeting cloud resource as expected.

I have installed the GoToMeeting app on an Android phone, and it is the same expected user experience.

On an Intune enrolled, compliant device I can log in fine, as expected (or you can launch the app from myapps.microsoft.com).

SCCM Current Branch 1810 – Windows Store for Business

This post will show how you can integrate Windows Store for Business with SCCM Current Branch 1810, to sync applications and deploy WSfB applications such as the Company Portal app to machines.

Suggested Reading for prerequisites: Manage apps from the Microsoft Store for Business with Configuration Manager

In the SCCM console, go to Cloud Services > Azure Services > Configure Azure Services.

Enter in the Name, and then select Microsoft Store for Business and click Next.

If you already have other Azure services configured in SCCM (Cloud Management Gateway for example), then it will automatically pull the server app, then you can click Next. If it doesn’t find a web app, then follow the instructions below.

If it doesn’t find a web app, click on Browse and we will create it.

Click on Create.

Give it a name and sign in to create the web app.

Click on Next.

Enter in a path and select your languages and click Next.

Now we need to log in to the Microsoft Store for Business and give the web app we created earlier permission. Log in to https://businessstore.microsoft.com/en-gb/store and go to Manage > Settings > Distribute > Add management tool.

Enter in the name of the web app that was either created earlier in the Azure Services wizard, or the one that you imported.

Click on Activate.

Back in the SCCM console, select the Microsoft Store for Business service and click Sync from Microsoft Store for Business.

The sync status should change to Successful.

You can view the WsfbSyncWorker.log for more information.

After a successful sync, you should see your MSfB apps in License Information or Store Apps.

To deploy one of these apps, right click on the app and select Create Application and then follow through the wizard.

The application will then appear in the Applications section. You can now deploy it as normal.

Further reading: Manage apps from the Microsoft Store for Business with Configuration Manager

SCCM Current Branch – Currently logged on user in Console not displaying

One of the new features that came out in SCCM Current Branch 1806 was the ability for the SCCM console to show the currently logged on user.

I had an issue where this field was blank. The first thing I checked was that the SCCM client on the device was up to date (1806 or later).

On all clients, in the ccmmessaging.log I noticed:

No reply message from Server. Server may be temporarily down or a transient network error.
Post to http://<mp>/ccm_system_windowsauth/request failed with 0x8000000a.

Then, when checking the IIS status codes in the Management Point IIS logs, I saw:

CCM_POST /ccm_system_windowsauth/request 401.2 (401.2 – Logon failed due to server configuration.)
CCM_POST /ccm_system_windowsauth/request 500.0 (500.0 – Module or ISAPI error occurred.)

This was due to Active Directory User Discovery being disabled in my site.

Once it was enabled and the users were discovered, the errors went away in ccmmessaging.log and in the MP IIS logs, and the Last logged on username now appears in the ConfigMgr console.

SCCM Co-management – MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’

Recently I was setting up Co-Management in SCCM Current Branch 1810. I was having issues with clients not being enrolled into Intune.

First I confirmed that the device was Hybrid Azure AD joined (this is a requirement; the device needs to be registered in Azure AD). Then, when looking at the CoManagementHandler.log file on the client, I saw the error:

MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’. Will retry in 240 minutes…

I found this error to be misleading. I am using Azure AD Connect with password sync, and not ADFS.

In my case, this error was caused by an enrollment restriction being set that blocked Windows 10 devices from being enrolled.

In Intune (portal.azure.com or devicemanagement.microsoft.com), go to Device enrollment > Enrollment restrictions.

In my Default restriction, under Properties > Select platforms, I had Windows (MDM) set to Block.

After changing Windows (MDM) to Allow, the CoManagementHandler.log said: Queuing enrollment timer to fire at 01/15/2019 21:42:19 local time

After trying again it was successfully enrolled into Intune, and you can see that Managed By now says MDM/ConfigMgr Agent.

How can I view information, errors and warnings about my Intune tenant?

Intune now has a new Tenant Status section. This new section will give you information about your Intune tenant such as

  • Tenant Name
  • MDM Authority
  • Tenant Location
  • Service Release (the Intune build, this is handy to see if the latest Intune build has been released to your tenant)
  • Total Licensed Users
  • Total Intune Licenses
  • Total Enrolled Devices

You can also view the Connector Status, such as the Autopilot last sync date, the Windows Store for Business last sync date, and others.

Intune Service Health is also on the Tenant Status page; this will let you know of any issues or active incidents.

Intune News is also there. This includes categories like Stay Informed, where you can see what's new in the latest builds of Intune, and Prevent or Fix Issues, where you can view known and resolved issues.

For more information see https://docs.microsoft.com/en-us/intune/tenant-status#intune-service-health

To get to the Tenant Status screen and view information about your Intune tenant, go to https://portal.azure.com, then Intune, then Tenant Status. Here is what it looks like:

Prevent Personal Windows 10 devices from enrolling into Intune

This post will show how you can easily configure Enrollment Restrictions in Intune to prevent personal Windows 10 devices from enrolling into Intune. It will also show what Intune authorizes as corporate enrollment, and the end user experience of when a user with a personal device tries to enroll.

The Intune enrollment restrictions support the following platforms:

  • Android
  • Android work profile
  • iOS
  • macOS
  • Windows

However this post will focus on Windows 10.

Further reading: Set enrollment restrictions https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

Intune will allow the following corporate enrollment methods:

  • The enrolling user is using a device enrollment manager account.
  • The device enrolls through Windows AutoPilot.
  • The device is registered with Windows Autopilot but is not an MDM enrollment only option from Windows Settings.
  • The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
  • The device enrolls through a bulk provisioning package.
  • The device enrolls through automatic enrollment from SCCM for co-management.

These corporate enrollment methods will be blocked:

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)
  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

These personal enrollment methods will be blocked:

  • Automatic MDM enrollment with Add Work Account from Windows Settings*.
  • MDM enrollment only option from Windows Settings.

How to block the enrollments that aren’t authorized corporate devices:

To block the enrollment of personal Windows devices, in portal.azure.com or https://devicemanagement.microsoft.com select Intune > Device enrollment > Enrollment restrictions, then Create restriction (you can modify the Default restriction if you like, but be careful, as it targets all users).

Give it a name, and select Device Type Restriction, then click select platforms. In my example I have allowed all platforms then clicked OK.

Click on Configure platforms. Now, for Windows (MDM), I am going to block personal enrollments, then click OK.

It now needs to be assigned to a group.

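
As an added example that serves both the co-management 0xcaa9001f post above and this one (it is not the posts' own steps), here is a Microsoft Graph PowerShell check of how every Device Type Restriction treats Windows (MDM): platformBlocked is the setting that caused the co-management enrollment failure, and personalDeviceEnrollmentBlocked is the "block personal devices" setting configured here. It assumes the Microsoft.Graph module and the DeviceManagementServiceConfig.Read.All permission; the property names follow the Graph deviceEnrollmentPlatformRestriction schema.

```powershell
# Added example, not from the original posts: list each Intune Device Type Restriction and
# how it treats Windows (MDM). platformBlocked = $true blocks all Windows enrollment (the
# co-management 0xcaa9001f symptom); personalDeviceEnrollmentBlocked = $true blocks only
# personal devices, leaving Autopilot, bulk provisioning and co-management enrollment allowed.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"

$uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations"
$configs = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
    $configs += $page.value
    $uri = $page.'@odata.nextLink'                        # follow paging if present
} while ($uri)

# Only the platform-restriction configurations carry the per-platform block flags.
$platformRestrictions = $configs | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
}

foreach ($c in ($platformRestrictions | Sort-Object { $_.priority })) {
    $w = $c.windowsRestriction
    [pscustomobject]@{
        Name                   = $c.displayName
        Priority               = $c.priority
        WindowsPlatformBlocked = [bool]$w.platformBlocked                # Windows (MDM) = Block
        WindowsPersonalBlocked = [bool]$w.personalDeviceEnrollmentBlocked # personal enrollments blocked
    }
}
```

A row with WindowsPlatformBlocked set to True in a restriction that targets your co-managed users is the condition that produced the misleading 0xcaa9001f error; for this post you want WindowsPersonalBlocked True and WindowsPlatformBlocked False.
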
So what happens if I try to enroll a personal Windows 10 device?

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)

  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

  • Automatic MDM enrollment with Add Work Account from Windows Settings

  • MDM enrollment only option from Windows Settings.

You can also view the errors in the Enrollment Status page under Device Enrollment. If I click on the Windows data then I can see the Enrollment failures saying Enrollment restrictions not met.
