There are a handful of topics that consistently come up whenever I meet with our customers and partners – and one of the most common has to do with how to balance productivity for end users with the need for security and control of company data. The tension between these two needs is the stage upon which an even bigger challenge constantly looms: Every IT team on earth being asked to do more with less at a time when technology keeps accelerating and the landscape of their own industry shifts beneath their feet.
The request I get in these meetings is very clear and consistent: We need efficient solutions that make it easier to manage and control growing complexity; can you help us reduce the complexity we are dealing with?
This is where we bring in the good news: Managing Intune and Conditional Access together with Azure AD just got a lot easier for our rapidly growing community of IT Professionals. As of today, we have reached two important milestones for Microsoft Intune and for EMS Conditional Access capabilities: Both new admin experiences are now Generally Available in the Azure portal!
Here’s how Intune’s redesign helps your organization
Intune’s move to the Azure portal is, in technical terms, a really big deal. Not only did the Intune console change, but all of the components of the EMS console experience have now come together. The process of migrating capabilities into the new portal was an incredible opportunity to reimagine the entire admin experience from the ground up – and what we are shipping today is an expression of our unique vision for mobility management shaped by needs of our over 45K unique paying customers.
I love the progress we’ve made here because Intune on Azure is great for our existing customers because they can now manage all Intune MAM and MDM capabilities in one consolidated admin experience, and they can leverage all of Azure AD seamlessly within one experience. Awesome.
There is actually a whole lot more going on “behind the scenes” of the new administrative experience. Not only have the administrative experiences converged, but we also converged Intune and Azure Active Directory onto a common architecture and platform. Converging the architectures dramatically simplifies the work we do to support it, the work you do to use it, and it enables some incredible end-to-end scenarios across Identity and Enterprise Mobility Management.
Here are the 3 things you need to know about Intune on Azure:
- It’s built to leverage Azure’s hyper scale
The Azure platform provides huge increases in elasticity and reliability for Intune, and it provides the foundation for nearly unlimited scale. The new admin experience will also run on any browser on any device form-factor. Now you can manage Intune from anywhere – even from your phone!
The redesigned architecture and new console bring nearly unlimited scale to the service. We currently have customers that are rapidly growing to 100,000s of devices in a single tenant. No problem! One customers has shared that they associated a sophisticated policy to ~200,000 users – and what took hours in the past was done in less than 3 minutes. Now, because this is built into the Azure console, you get all the rich role-based administration for delegation of authority.
- It’s optimized for cross-EMS workflows
With Intune’s move to Azure and the Azure Portal, we now share a console experience with other core EMS services like Azure Active Directory and Azure Information Protection. Having the collective power of these services living side-by-side makes them more effective and easier to manage across identity and access management, MDM and MAM, and information protection workloads.
For example: If you’ve just finished creating a set of conditional access policies to control access to data using Intune in the same portal environment, you’re now just a click away from adding additional app protection policies that ensure that your data is protected after it’s been accessed and is in use on mobile devices.
The Intune transition to Azure also delivers deep integration with Azure Active Directory groups, which can represent both users and devices as native, dynamically targeted groups that are fully federated with an organization’s on-premises Active Directory.
- You can simplify, automate, and integrate management with Microsoft Graph
Built on the Microsoft Graph API, the new Intune experience also opens the door for broader systems integration and automation. This means that our customers can now simplify, automate and integrate workflows across Intune and the other services they are using however they see fit. For more information about what you can do with this, I really recommend this post. Microsoft Graph API capabilities are currently in preview; expect a GA announcement for this functionality in the coming quarter.
If you haven’t tried Intune on Azure, we invite you to jump into this new experience with us. To check it out for yourself, log into the Microsoft Azure portal right now. We’re always listening and learning from your feedback, and we want to hear what you think! Since we put this into preview in December there have been more than 100k paying and trial tenants provisioned!
Conditional Access – the new admin experience in the Azure portal
The new conditional access admin experience is also Generally Available today. Conditional access in Azure brings rich capabilities across Azure Active Directory and Intune together in one unified console. We built this functionality after getting requests for more integration across workloads and fewer consoles. The experience we’re delivering today does exactly that.
Organizations everywhere face the challenge of enabling users on an ever-expanding array of mobile devices, while the data they are tasked with protecting is moving outside of their network perimeter to cloud services – and all of this happens while the severity and sophistication of attacks are dramatically accelerating. IT teams need a way to quantify the risks around the identity, device, and app being used to access corporate data while also taking into consideration the physical location – and then grant or block access to corporate apps/data based upon a holistic view of risk across these four vectors. This is how you win.
Conditional access allows you to do this and ensure that only appropriately authenticated and validated users, from the compliant devices, from approved apps, and under the right conditions have access to your company’s data. The functionality at work here is technologically incredible, but it’s not always obvious how granular and powerful these controls really are. The new conditional access experience on Azure now makes the power of this technology crystal clear by showcasing the deep controls you have at every level in one consolidated view:
Now you can easily step through a consolidated flow that allows you to set granular policies that define access at the user, device, app and location levels. Over the last 6 months, as I have shown this integrated experience to 100s of customers, the most common comment has been: “Now I completely see what Microsoft has been talking about how Identity management/protection has needed to work with Enterprise Mobility Management to protect our data.” Microsoft’s Intelligent Security Graph is also integrated here, delivering a dynamic risk based assessment into the conditional access decision.
You can also control access to resources based on a user’s sign-in risk via the vast data in. Once your policies are set, users operating under the right conditions are granted real-time access to apps and data – however, as conditions change, intelligent controls kick in to make sure that your data stays secure. These controls include:
- Challenging a user with MFA to prove that they are who they say they are.
- Prompting the user to enroll their device in Intune.
- Guiding the user to make adjustments to their device to meet your org’s security requirements
- Blocking access all together or even wiping a device.
- Granting different access privileges when using a native app (Word) vs. a web app (Word Online)
We believe Microsoft is uniquely positioned to deliver solutions that are this comprehensive and sophisticated yet remain simple to operate. With EMS, these types of functionalities are possible because we’re building them together, from the ground up, to deliver on our commitment for secure and mobile productivity.
You can access the new conditional access console in the menu within both the Intune and Azure AD blades. To see this functionality in action, check out this Endpoint Zone episode.
Our commitment to ongoing innovation means we never stop listening, shipping and reaching for what’s next. Looking ahead, we’ll continue to release new features and enhancements at a steady pace throughout the year. From this point forward, all new Intune and conditional access features will be delivered in the new portal, so keep an eye out.
Also: Don’t hesitate to let us know what you think; our dialog with customers is our most valuable development input.
One last note: This is a really significant day for all of us. I am so pleased with the work that has been done here at Microsoft on the architecture and administrative experiences. I’m happy for the team and what has been accomplished. I am so pleased with the feedback that has come in from so many customers about the richness and vibrancy of the new admin experience as well as how performant the services are. And, at the risk of sounding redundant, I’m happy to hear how much this has simplified your work while delivering incredible new, unique value such as the integrated Conditional Access.