Modern Device Management

Source:Microsoft With the help of Microsoft Intune, organizations can use the device states returned from the enrolled devices to Entra ID to identify whether these devices meet specific policy compliance requirements and accordingly enforce controls to grant or block access to corporate resources. With device states, once the user has successfully authenticated, a Primary Refresh Token (PRT) containing both user and device claims is issued. With conditional access policies requiring either a device-based control or a multifactor authentication control in place, the policy requirement can be met through its device state using PRT without attempting MFA. This is because when a PRT requests access to an application, its device, session, and MFA claims are trusted by Microsoft Entra ID. The PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device, providing users a resilient experience. With the currently available device states, Microsoft recommen

I recently worked on a project that required setting up Intune and Defender for Endpoint enrolment policies for iPadOS. While some might say that this is a pretty routine task and in an absolute sense, it may very well be to some extent, I actually went another way. Let me start by mentioning that the iPadOS devices in scope were existing devices and in some come cases BYO so resetting them was not an option. Therefore, a user based enrolment had to be the choice of enrolment. Now back in the days, one would normally enroll the iOS\iPadOS devices using Company Portal and while this is still supported, with the introduction of support of Single Sign On extensions (SSO) of Apple devices, I chose to configure Web based device enrolment together with Just-in-time (JIT) for iPadOS devices. Web-based enrolment utilizes just in time (JIT) registration with the Apple single sign-on (SSO) extension to facilitate Microsoft Entra registration within the work apps thus reducing the number of authe

On August 15 2024, Microsoft released a communication  stating that enabling multifactor authentication (MFA) will be enforced by October 15 2024, in order to access Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center.  The enforcement is planned to be rolled out in 2 phases: Phase 1: Starting in the second half of 2024, MFA will be required to sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase won't impact other Azure clients such as Azure CLI, Azure PowerShell, Azure mobile app, or IaC tools.  Phase 2: Beginning in early 2025, MFA enforcement gradually begins for sign in to Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools. Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to secure cloud based service accounts with wor