Working on initial Intune setup and it's making me crazy

  • Question

  • I am starting to think that this is a bad time to try to set up Intune, and I am looking for some clarification because I can't seem to find any concise information on how all the pieces of Office 365 work together. Additionally, all the admin portals are making things even more confusing. For instance, the majority of Intune lies in the legacy Intune portal that runs on Silverlight, while the Intune functions to configure MAM are under the "new" Azure portal. The legacy Azure portal is used to configure AD multifactor, and the standard 365 user portal / Azure to enable multifactor on a per-user level. Did I get that right?

    Some questions with all of this.

    1. Intune seems to require that I use multifactor when configuring, which is great! I think that's because I enabled multifactor for users in Azure?
    2. Having multifactor enabled in Azure seems to require app passwords if we want to use the native mail clients, is that correct? (I can live with that because I believe that most users will be fine with the Outlook app.)
    3. Is there a good way to block access to desktop Outlook from non-corporate devices, or at least require multifactor, but allow it to work without Intune being deployed on the corporate network?
    4. If I am using online Office 365, do I still need to set up the service to service connector, or is that only for on-premises? (That screen is confusing.) In either case, when I do try to set it up I keep getting "Cannot find an email address to use for the service to service connector", though my O365 admin user has been granted an Exchange Online account with full access.
    5. Do I need to set up ADFS? I see some reports saying that it's needed for multifactor, other reports of people saying don't bother because it's too complex. Additionally, when I enabled multifactor at the user level in Azure then multifactor is required to set up Intune anyway.
    6. Also a side question that might be out of scope for this forum: I have an IP address configured in the Azure portal so that multifactor is not required when on-premises. Seems to work fairly well, with the exception that my Outlook seems to be bouncing back and forth. I can tell because when it's not working I keep getting a password prompt that won't take my user password but will work with app passwords. Then if I leave it sit for an undefined period of time (with it not working, without entering an app password and without making any admin changes in O365) it will start to work. It's driving me NUTS! I feel like there is something going on at MS that is preventing this from working properly. As far as I can tell MS supposedly implemented modern authentication in both 2016 and 2013 last month, and I have the latest current release (16.0.7070.2026). I at least expected to get the multifactor login when logging into Outlook on an off-premises PC.
    Tuesday, July 19, 2016 3:58 PM

Answers

All replies

    1. Depends on where you've configured MFA and for which purpose;
    2. The default mail apps don't understand modern auth, which is required for MFA to work. The Outlook app is indeed capable of handling modern auth;
    3. Conditional access will help you with blocking email access to, for example, non-domain-joined devices. For even more control you can look at using ADFS;
    4. The service-to-service connector is only for reporting purposes. It will provide you the information about the potential impact of configuring conditional access;
    5. If you have an on-premises AD it can be beneficial. It provides you with true single sign-on and more control of users/devices accessing Office 365 and Intune;
    6. Modern auth is enabled by default for Office 2016 and must be enabled for Office 2013.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, July 19, 2016 6:07 PM
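    The answer above turns on where per-user MFA is switched on and which users are "Enabled" versus "Enforced". The script below is an added example, not code from the thread or from Microsoft: it audits per-user Azure MFA state with the MSOnline module that was current in 2016 (since deprecated in favour of the Microsoft Graph PowerShell SDK) and shows the documented way to enable or clear the requirement for one account. The UPN is hypothetical, and it assumes the module is installed and the signed-in admin holds a role allowed to change authentication settings.

```powershell
# Added example (not from the thread): audit and set per-user Azure MFA with MSOnline.
# Assumptions: Install-Module MSOnline has been run; the admin account can manage auth settings.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials (and MFA, if it is on for that account)

# 1. Report per-user MFA state for every user.
#    StrongAuthenticationRequirements is empty when per-user MFA is off.
#    State 'Enabled'  = switched on, user has not finished registering a second factor.
#    State 'Enforced' = registered; every modern-auth sign-in is challenged and
#                       legacy clients (native mail apps, ActiveSync) need an app password.
$report = Get-MsolUser -All | ForEach-Object {
    $state = 'Disabled'
    if ($_.StrongAuthenticationRequirements.Count -gt 0) {
        $state = $_.StrongAuthenticationRequirements[0].State
    }
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state
        DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        MethodCount       = $_.StrongAuthenticationMethods.Count
    }
}
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# Users switched on but never registered: they stay 'Enabled' and keep hitting the
# registration interrupt instead of getting a working second factor.
$report | Where-Object { $_.MfaState -eq 'Enabled' -and $_.MethodCount -eq 0 }

# 2. Turn per-user MFA on for one account (hypothetical UPN).
$upn = 'travis@contoso.example'
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'        # '*' applies to every relying party, not only the portal
$req.State        = 'Enabled'  # switch to 'Enforced' once the user has registered a method
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# 3. Turn it off again: an empty array clears the requirement.
# Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
```

    Note that app passwords are not enumerable through this module; the only signal that a user is relying on one is a legacy-protocol sign-in succeeding for an Enforced user, which is exactly the situation described in question 6 above.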
  • Thanks, I have a couple of follow ups.

    3. For conditional access policies, are you referring to https://manage.microsoft.com -> Policy from the left hand menu -> conditional access -> exchange online policy? I assume I would need ADFS in order to do non-domain-joined device policing?

    6. This one has me very confused. I have the latest version of 2016 on the current release but have been having weird behavior. Yesterday after work both mine and my coworker's Outlook stopped working. Shortly after we came in his started working but mine did not. When he first came in it wasn't working when he entered his normal password, but about 1 hour later it did work; 6 hours later mine still wasn't working.

    I sat back thinking about any changes I made yesterday, and the only one I had made was enabling an app password to test ActiveSync on my native phone client. I deleted the app password and my Outlook nearly immediately started working. Multi-factor itself is still enabled and was always working. Also, I assume that if 2016 supports modern auth, I should be getting the traditional 365 modern login screens? Does that sound weird to you? I have a ticket opened with Microsoft, but the guy left me hanging until his next shift.


    Travis Huizenga

    Tuesday, July 19, 2016 7:41 PM
  • Yes, to work with the domain joined option you need to use ADFS.

    About your other question, I would first wait for the engineer to get back to you.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Wednesday, July 20, 2016 6:23 AM
  • Hi,

    I'm glad I'm not the only one trying to get my head around this.

    Management of mobile devices is all over the place. In addition to the portals you mentioned above what about Mobile device mailbox policies in Exchange online?

    Let's say I want to allow users to access email using a mobile device and push out some managed applications do I need to do the following?

    Exchange admin center – Configure mobile device mailbox policy

    Portal.office.com – configure mobile device security policy

    Microsoft Intune portal – configuration policies / compliance policies and conditional access

    Azure Portal – MAM policies

    It’s ridiculous.

    Friday, July 22, 2016 1:24 PM
  • At this moment you should be able to perform all those configurations through the Microsoft Intune console, once you've configured the service-to-service connector.


    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, July 24, 2016 6:08 PM
  • I thought that the service to service connector was mostly just for reporting? That is what I was told at least?

    Travis Huizenga

    Wednesday, July 27, 2016 8:34 PM
  • You may find this recently published document helpful, Controlling Access to Office 365 and Protecting Content on Devices at  https://www.microsoft.com/en-us/download/details.aspx?id=53317&wa=wsignin1.0


    Dean MCTS-SQL 2005 Business Intelligence, MCITP SharePoint 2010, MCSA Office 365

    Wednesday, July 27, 2016 8:51 PM
  • Honestly, I haven't figured out if the MDM policies in Exchange apply yet if they are managed in Intune. I know we still have our base Exchange policy configured, but in Intune I have it configured to require management of the device before email is allowed. I know this is working because if I take the Outlook app on my Android and try connecting it, then in Exchange it shows as being disabled and I can't manually enable it, but once I comply with my Intune policy it changes to being allowed. My guess is if your client is Intune-enabled then those policies override Exchange's.

    I had an issue on my Android policy where I needed to allow both the Company Portal app and Outlook access to my contacts before my policy would apply (it was driving me mad). I finally opened up a support case with Microsoft, and after a week of getting escalated to a security engineer, he told me this in 5 seconds.

    If I go to mobile device management in the portal for Office 365 it says "you don't need to setup mobile device management for office 365 because your organization is already protected by microsoft intune."

    My understanding is that the Azure MAM policies only apply to the apps covered in the list and that all the "legacy" MAM apps are covered by one of the base policies in Intune. URL to all the MAM apps: https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-partners

    To your "it's ridiculous" comment, yes it is! We even worked with a consultant that specialized in Intune and it still was confusing as hell, not to mention things that weren't working as expected.

    Another gotcha (which was item 6 of mine) revolved around multifactor auth in Outlook: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517?ui=en-US&rs=en-US&ad=US   Basically, to get multifactor to work with desktop Outlook we had to go into our tenant and manually enable modern authentication for Outlook before multifactor would work on the desktop clients. Additionally, we had to do the same thing for Skype.


    Travis Huizenga


    Wednesday, July 27, 2016 8:56 PM
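    The tenant-side switch Travis describes (and the matching one for Skype for Business Online) can be checked and flipped from PowerShell. The script below is an added example, not code from the thread or from Microsoft. It assumes the ExchangeOnlineManagement module for Exchange Online (the 2016-era basic-auth remoting session no longer exists), the SkypeOnlineConnector module that was current for Skype for Business Online at the time of the thread, and admin roles for both services; the Office client registry locations are the documented EnableADAL values for Office 2013 (15.0) and Office 2016 (16.0). Until OAuth2ClientProfileEnabled is true, desktop Outlook falls back to basic authentication, which is what produces a password prompt that only accepts an app password once MFA is enforced.

```powershell
# Added example (not from the thread): check and enable tenant-side modern authentication
# (OAuth 2.0 / ADAL) for Exchange Online and Skype for Business Online, then check the client.
# Assumptions: ExchangeOnlineManagement and SkypeOnlineConnector modules are installed;
# the signed-in account holds the Exchange and Skype for Business admin roles.

# --- Exchange Online ---------------------------------------------------------
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline    # interactive, MFA-capable sign-in

$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Write-Host 'Modern auth is OFF for Exchange Online; enabling.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# --- Skype for Business Online (module current in 2016) ----------------------
Import-Module SkypeOnlineConnector
$sfb = New-CsOnlineSession            # prompts for credentials
Import-PSSession $sfb -AllowClobber

$oauth = Get-CsOAuthConfiguration
if ($oauth.ClientAdalAuthOverride -ne 'Allowed') {
    Write-Host "ClientAdalAuthOverride is '$($oauth.ClientAdalAuthOverride)'; setting to Allowed."
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}
Get-CsOAuthConfiguration | Format-List ClientAdalAuthOverride

# --- Office client side (run on the workstation as the user; HKCU, no admin rights) ---
# Office 2016 (16.0) uses modern auth by default; EnableADAL=0 under this key turns it off.
# Office 2013 (15.0) needs EnableADAL=1 and Version=1 set explicitly.
function Get-OfficeModernAuthState {
    param([ValidateSet('15.0', '16.0')][string]$OfficeVersion = '16.0')
    $key = "HKCU:\SOFTWARE\Microsoft\Office\$OfficeVersion\Common\Identity"
    $enableAdal = (Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
    switch ($OfficeVersion) {
        '16.0' { if ($enableAdal -eq 0) { 'Disabled (EnableADAL=0)' } else { 'Enabled (default)' } }
        '15.0' { if ($enableAdal -eq 1) { 'Enabled (EnableADAL=1)' } else { 'Disabled (default)' } }
    }
}
Get-OfficeModernAuthState -OfficeVersion '16.0'

# Enable modern auth on an Office 2013 client (per user, since it is under HKCU):
# $k = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
# New-Item -Path $k -Force | Out-Null
# Set-ItemProperty -Path $k -Name EnableADAL -Type DWord -Value 1
# Set-ItemProperty -Path $k -Name Version    -Type DWord -Value 1
```

    After the tenant switch, Outlook has to be restarted and will prompt once with the modern (web-style) sign-in, at which point the MFA challenge appears off-network and the trusted-IP bypass from question 6 applies on-network. An existing app password stays valid for legacy protocols such as ActiveSync, so deleting it is not required for Outlook to work; it only stops being the thing Outlook silently falls back to.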

    That is correct. However, it also enables an additional node, which allows you to configure Exchange Access Rules. For more information, please refer to: https://docs.microsoft.com/en-us/intune/deploy-use/exchange-access-rules-for-mobile-devices

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Thursday, July 28, 2016 6:42 AM