deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-18 16:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #4930 from MicrosoftDocs/master

Browse Source 
3/18/2021 10:30 AM publish
This commit is contained in:
Jeff Borsecnik 2021-03-18 10:38:49 -07:00 committed by GitHub
commit 0e42d5f207
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -13,7 +13,7 @@ author: lomayor
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
@ -52,19 +52,19 @@ Two Azure AD MDM enrollment scenarios:
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process:
@ -113,26 +113,38 @@ The keys used by the MDM application to request access tokens from Azure AD are
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Log in to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667)
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
@ -347,6 +359,7 @@ The following claims are expected in the access token passed by Windows to the T
</tr>
</tbody>
</table>
<br/>
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A
Here's an example URL.
```console
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@ -647,7 +660,7 @@ Alert sample:
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
@ -925,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di

4
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -47,10 +47,10 @@ To use either of these supported SIEM tools, you'll need to:
- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
- Configure the supported SIEM tool:
- [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md).
For more information on the list of fields exposed in the Detection API, see [Defender for Endpoint Detection fields](api-portal-mapping.md).

4
windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md
View File

@ -105,8 +105,8 @@ getfile c:\Users\user\Desktop\work.txt -auto
>
> The following file types **cannot** be downloaded using this command from within Live Response:
>
> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
> * [Sparse files](/windows/desktop/fileio/sparse-files/)
> * [Reparse point files](https://docs.microsoft.com/windows/win32/fileio/reparse-points)
> * [Sparse files](https://docs.microsoft.com/windows/win32/fileio/sparse-files)
> * Empty files
> * Virtual files, or files that are not fully present locally
>

13
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -31,14 +31,11 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.
> [!TIP]
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
>[!TIP]
@ -64,14 +61,6 @@ The following features are included in the preview release:
- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)