7. Choose the right identity model
• Cloud only identity, synced identity, federated identity
• Do not sync the complete Active Directory
• Select OU with “cloud users”
• Select OU with “cloud groups”
Cloud Identity: independent cloud identity
Synchronized Identity: single identity, enabling a same sign-on experience with password hash sync
Federated Identity: single federated identity, enabling single sign-on in some scenarios and additional flexibility
8. How many global admins do you have?
• Microsoft best practice is to use up to five global admins.
• Use Role Based Access Control (RBAC) model
• Use Azure Privileged Identity Management (PIM)
PIM example: User Administrator privileges expire after a specified interval
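To make the "up to five global admins, RBAC, PIM" guidance checkable, here is an added example (not from the deck) that audits an exported list of role assignments: it counts Global Administrators against the recommended maximum, flags privileged roles that are held permanently instead of as PIM-eligible assignments with an expiry, and flags eligible assignments whose expiry has already passed. The record shape (`user`, `role`, `assignmentType`, `expires`), the sample accounts and the set of roles treated as privileged are assumptions made for this example, not the Microsoft Graph schema.

```python
"""Audit a role-assignment export against: at most five Global Administrators,
and privileged roles assigned through PIM (time-bound) rather than permanently.
Record shape and sample data are constructed for this example."""
from collections import Counter
from datetime import datetime, timezone

MAX_GLOBAL_ADMINS = 5
GLOBAL_ADMIN = "Global Administrator"
# Assumed set of roles we insist on seeing behind PIM; extend for your tenant.
PRIVILEGED_ROLES = {GLOBAL_ADMIN, "User Administrator", "Exchange Administrator"}

# Constructed sample export (assumed shape): one record per role assignment.
SAMPLE_ASSIGNMENTS = [
    {"user": "admin1@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Permanent", "expires": None},
    {"user": "admin2@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Permanent", "expires": None},
    {"user": "admin3@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Permanent", "expires": None},
    {"user": "admin4@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Permanent", "expires": None},
    {"user": "admin5@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Eligible", "expires": "2030-06-30T00:00:00Z"},
    {"user": "admin6@contoso.example", "role": GLOBAL_ADMIN, "assignmentType": "Eligible", "expires": "2030-06-30T00:00:00Z"},
    {"user": "helpdesk@contoso.example", "role": "User Administrator", "assignmentType": "Eligible", "expires": "2030-12-31T00:00:00Z"},
    {"user": "contractor@contoso.example", "role": "User Administrator", "assignmentType": "Eligible", "expires": "2020-01-01T00:00:00Z"},
    {"user": "ops@contoso.example", "role": "Exchange Administrator", "assignmentType": "Permanent", "expires": None},
    {"user": "reader@contoso.example", "role": "Global Reader", "assignmentType": "Permanent", "expires": None},
]


def _parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_privileged_roles(assignments, max_global_admins=MAX_GLOBAL_ADMINS, now=None):
    """Return role counts, the Global Administrator count and a list of findings."""
    now = now or datetime.now(timezone.utc)
    counts = Counter(a["role"] for a in assignments)
    findings = []

    # 1. Too many Global Administrators. Eligible holders count too: they can
    #    activate the role whenever they like.
    ga_count = counts[GLOBAL_ADMIN]
    if ga_count > max_global_admins:
        findings.append(f"{ga_count} Global Administrators, guidance is at most {max_global_admins}")

    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue  # lower-privilege roles such as Global Reader are the RBAC goal
        # 2. Privileged role held permanently instead of via PIM.
        if a["assignmentType"] == "Permanent":
            findings.append(f"{a['user']}: {a['role']} is permanent; make it PIM-eligible with an expiry")
        # 3. Eligible assignment whose expiry is already past: stale record to remove.
        elif a["expires"] and _parse_utc(a["expires"]) < now:
            findings.append(f"{a['user']}: {a['role']} eligibility expired {a['expires']}")

    return {"role_counts": dict(counts), "global_admin_count": ga_count, "findings": findings}


if __name__ == "__main__":
    for line in audit_privileged_roles(SAMPLE_ASSIGNMENTS)["findings"]:
        print(line)
```

Run against a real export, the findings list is the to-do list for moving to the RBAC/PIM model: every permanent privileged assignment becomes an eligible one, and the Global Administrator count drops toward five.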
9. Identity protection
• Protect your identity with
  • Monitoring for risks / risky behavior
  • MFA based Conditional Access
12. Device and app based conditional access
• Configure app based conditional access to
  • Control data leakage for Exchange and SharePoint Online
  • Web services via Intune Managed Browser or Edge
• Enable device based conditional access to
  • Allow access only on managed or controlled devices
• Look at legacy protocols like POP, IMAP, EWS with legacy authentication
• Legacy authentication for EWS in Exchange Online is deprecated on Oct. 13, 2020
Still have Conditional Access (CA) v1 policies active? Be sure to move to CA v2!!
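Before a Conditional Access policy blocks legacy authentication, you want to know which accounts and apps still sign in over POP, IMAP, EWS or SMTP AUTH. The following added example (not from the deck) runs that check over sign-in log records: it groups legacy-auth sign-ins by protocol and user and separates successes (accounts that will break when legacy auth is blocked) from failures (worth investigating, since these protocols cannot enforce MFA). The sample records are constructed; the field names follow the sign-in log's `clientAppUsed`, `userPrincipalName`, `appDisplayName` and `status.errorCode` columns, and the set of `clientAppUsed` values treated as modern is an assumption to verify against your own tenant's export.

```python
"""Find legacy-authentication sign-ins in an Azure AD sign-in log export.
Field names follow the sign-in log columns; sample records are constructed."""
from collections import defaultdict

# clientAppUsed values that indicate modern authentication (assumed set).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

EXO = "Office 365 Exchange Online"

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": EXO, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "appDisplayName": EXO, "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": EXO, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Exchange Web Services",
     "appDisplayName": EXO, "status": {"errorCode": 0}},
    # Failed sign-in (non-zero error code) over POP3: legacy auth cannot challenge for MFA.
    {"userPrincipalName": "mallory@contoso.example", "clientAppUsed": "POP3",
     "appDisplayName": EXO, "status": {"errorCode": 50126}},
]


def is_legacy_auth(record):
    """Anything that is not a browser or a modern desktop/mobile client
    authenticated with a legacy protocol (basic credentials, no MFA)."""
    return record.get("clientAppUsed", "Unknown") not in MODERN_CLIENT_APPS


def legacy_auth_report(signins):
    """Map (protocol, user) -> {"success": n, "failure": m} for legacy-auth sign-ins."""
    report = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in signins:
        if not is_legacy_auth(r):
            continue
        key = (r["clientAppUsed"], r["userPrincipalName"])
        outcome = "success" if r.get("status", {}).get("errorCode", 0) == 0 else "failure"
        report[key][outcome] += 1
    return dict(report)


def users_to_migrate(signins):
    """Users who successfully use at least one legacy protocol; these need a
    modern-auth client before the blocking policy is enforced."""
    return sorted({user for (_proto, user), c in legacy_auth_report(signins).items() if c["success"]})


if __name__ == "__main__":
    for (proto, user), c in sorted(legacy_auth_report(SAMPLE_SIGNINS).items()):
        print(f"{proto:<24} {user:<28} ok={c['success']} failed={c['failure']}")
    print("migrate:", users_to_migrate(SAMPLE_SIGNINS))
```

Pointing this at a full export gives the list to work through with the mail-client and service-account owners; once it comes back empty, the Conditional Access policy that blocks legacy authentication can be switched from report-only to enforced.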
13. Enhance Compliance
• Enhance device compliance by adding
  • Mobile Threat Protection from
    • Lookout for Work
    • Symantec Endpoint Protection
    • Check Point SandBlast Mobile
    • Zimperium
    • Windows Defender ATP
• General compliance configuration (default state)
16. App Management
• App Protection
  • App Protection with or without enrollment for Windows, iOS and Android
• App Configuration
  • App Configuration for supported apps on iOS and Android (with or without enrollment)
• App Deployment
17. Azure AD Application Proxy
• Use Azure AD Application Proxy to
  • Publish internal web services
  • Control access via Azure AD Conditional Access
  • Publish NDES via Azure Web Application Proxy
• Provides DDoS prevention out of the box
• Integrate with Managed Browser
• Integrate with Conditional Access
• Allow wildcard access (*.emskings.com)
20. Move away from Android legacy management!
Deprecation announced
◦ Announced publicly by Google on Dec 19, 2017 (https://cloudblogs.microsoft.com/enterprisemobility/2017/12/19/modern-android-management-with-microsoft-intune/)
◦ Deprecated in Android 9/P (~2018)
◦ Removal in Android 10/Q (~2019)
Android Enterprise
◦ One common experience
21. Android Enterprise management modes
Work profile (designed for BYOD)
• Managed work profile exists alongside the personal profile
• Enrollment initiated by the IW by installing the Company Portal app
• For IW: privacy and separation assurances
• For IT: management and containerization
Corp-owned
• Device is fully managed
• No personal Google account required
• Must be provisioned at device setup
• Options: NFC, QR, Android Zero-touch enrollment
• Several deployment scenarios:
  • Single use (COSU)
  • Business only (“work managed” or COBO)
  • Personally enabled (“work managed, personally enabled”) (COPE, 8.0+)
Managed Google Play Store is leveraged across all Android Enterprise modes to provide app deployment and configuration
22. Migration to Android Enterprise
• BYOD scenario:
  • Unenroll from Android Device Administrator (legacy)
  • Enroll in Android Enterprise (work profile)
• COSU, COBO, COPE:
  • Factory reset of device, enroll via QR code or NFC
23. Supervised mode
• Enable supervised mode for corporate owned iOS devices via
  • Apple Device Enrollment Program
  • Apple Configurator
• Lots more policies and management options
• Devices are marked as company owned
24. Windows 10 - AutoPilot
• Start evaluating Windows 10 AutoPilot
• Configure the Windows 10 OOBE enrollment experience
• Windows Store for Business integrates with Intune, SCCM and 3rd party MDM.
25. Share your ideas
Share your voice / ideas!
◦ http://microsoftintune.uservoice.com/
◦ http://configurationmanager.uservoice.com/