This short post will explain the new capabilities of Microsoft Entra Private Access to: Enable access to internal apps and protocols when connected with the Global Secure Access client Secure access with Conditional Access Enable MFA for protocols which never was possible before! In the next steps I am going to briefly show you how to setup Private Access…

During my research and testing with the new Windows LAPS I have discovered a strange behavior for the post-authentication action. Continue reading if you are interested in the blog and how I was in contact with Microsoft resolving it. View my full blog post: Windows LAPS: the comprehensive guide (oceanleaf.ch) Post-authentication action …

Are you looking for a way to create Entra Azure AD custom roles with PowerShell? Read on to learn how. How it works For it to work we are going to leverage Microsoft Graph + PowerShell + Invoke-Webrequest. First we manually need to create a custom role, go to Azure AD>Roles and administrators>New…

If you are looking for a way to granularly control access to LAPS local admin passwords, you should consider Azure Administrative Units. How it works You can collect users, groups and devices into a virtual container, called Administrative Unit (AU). Membership election can be assigned, but also Dynamic User/Device. Here you can add Roles and administrators. All these assignments are only effective for the users, groups and devices in the Administrative Unit.

Windows offers some energy and power management settings. Of course we can configure them through Intune. But first on the Windows side we have the following options: Energy plan Actions

Some time ago there was a use case to block some selected devices that are Azure AD joined from company resource access. Of course we think of a Conditional Access control policy. But what if you cant identify the(se) device(s) through any condition? …

I am sure we are all aware that for Intune assignments we can’t use user and device groups for the include or exclude intent of the same profile, at the same time. This “mix” is an unsupported scenario and leads to unexpected behaviors, errors, generally a conflict. …

There are several remote actions for an end user that affect his devices and involve Intune or Azure AD. This short post will give an overview about the capabilities. Mainly there are the following portals: My Account — Devices Here are all devices listed where the user signed-in, which resulted in an Azure AD…

Windows can be setup in shared PC or Kiosk mode. I have already written a blogpost about this. The aim is to provide a Windows experience for multiple users on one device, where the user may not even has his own (AAD) account. Now on these devices you may want…