BUILD AN APPROVAL PROCESS FOR ENDPOINT MANAGER APPS USING AZURE IDENTITY GOVERNANCE

Ever wanted to create an approval process for your Windows applications in Endpoint Manager? Some apps require approval as they generate licensing cost at the back end. Sure, you can use many solutions for that like Power Platform (Prefered if you’re not using Identity Governance), Active Role Server, ServiceNow and more – you name it.

But actually there is a “built-in” solution for that. Not built in with MEM but built in with Azure and Identity Governance. If you’re licensed to use Identity Governance and you use it for services such as Privileged Identity Management (PIM) or Access Reviews your good to go. If not, you first have to onboard it. For the solution here, you need at least an Azure AD Premium P2 license or EMS E5/A5 as user.

In a first step create an application within MEM. Go to the MEM Portal https://endpoint.microsoft.com and select Apps, for example create a line-of-business app using a simple MSI. I have downloaded the latest MIP (AIP) client and uploaded it to Intune without any special configuration or silent install commands (for now).

In a second step, create a group with no user assignment and assign the group to the application created before . This could be an AD synced group or a cloud group. Still nothing special here.

Now the interesting part starts!
Browse to Identity Governance in the Azure Portal / Azure Active Directory and start creating a new Access Package using Entitlement Mangement.

From the Basics settings provide a proper name and description, such as “APP – MIP Client (requires approval)”. This name will also be populated to your end-users (also the description).

Under Resource role select + Groups and Teams and browse for the group you have created earlier. In my case mem-app-u-mip-client. Don’t forget to select also the role the user will have within this group. Usually this is just the “Member” role.

On the Request page you will have 3 options you can select. In the case here, we will use For users in your directory and All members (excluding guests). This does guest users not allow to see or request this particular access package.

Enable the Require approval toggle to Yes. This will give you the options to configure the Approval flow. I have selected the following options, but of course your free to change them:
– Require requestor justification: Yes
– How many stages: 1
– First approver: “my demo user”
– Decision in days: 14 (default)
– Require approver justification: Yes
– If no action taken, forward to alternate approvers?: No (advanced request)
– Enable: Yes

Under Requestor information (preview) you have the option to define some specific questions for the requester of the package. For example, you can request to provide some more information about the reason of the usage of this particular app with some multiple choise values.

Within the Lifecycle options we can now define the time of availability of the Acccess Package itself. Let’s say, this access package is only available for the rollout of our MIP Client and we like to define a timeframe of 1 year (365 days) of availability (this is just a random pick) and we do not allow to extend access to the package.

As next we would also like to enable the Access Review of the package and check back within a couple of month who has access and if this access is still needed (Review of access to our Intune deployed application). The Reviewers could be a specific user (Application Owner for example) or a Self-review where the user has to review the access by himself. Choose the values they fit as its best to your use case.

Review and create your Access Package. This will populate a my access link myaccess.microsoft.com followed by your tenant name and the OpjectId of your Access package. This site is where all the packages and access reviews can be found, ether for the end user to request the package (application) or to review as an application owner.

Enduser experience

Your users are now able to browse to your organization myaccess site by browsing the URL https://myaccess.microsoft.com/ To request the application they select Access package, where our just created package APP – MIP Client (Require approval) will be listed. The request is super easy. The requester has to select + Request access – provide the required information such as the Business reason & justification (if configured within the package) and then to submit the request. During the request process, the user has the opportunity to see the current status of the request including the approval process under his Request history.

Approver experience

The configured approver of the package (which could also be the Manager, currently in Preview) will receive an email to approve or deny the request. As soon the access has been granted, the user account will be added to our created group and the user will receive the assigned application ether to install the application by himself using the Company Portal or if the assignment is set to required within MEM, the application will be forced to install.

Depending on the configured Access review time, the reviewer will receive a similar email to review the access. This could be Self-service for the user or another person within your organization.

Hope this helps to use Access package as your approval process for MEM deployed Windows applications. Let me know what you think! Stay save.

SPEAKING AT CLOUD8 – VIRTUAL SUMMIT

I’m excited to be chosen as a speaker at the Cloud8 virtual summit (Part II). Cloud8 2020 is again held all virtual, on November 13th. The event is an IT community conference focused on Microsoft cloud, datacenter, security and modern workplace topic, with Microsoft MVPs, Microsoft Regional Directors and other industry experts. Check out the event website.

MY SESSION

I will speak about Zero Trust, protecting your identities and implementing Identity Governance. My session title and speaking slot:

Identity Governance – A valid and secured Identity is gold!
– Session 17, 3PM –
Use this link to go to the whole session catalog: LINK

SOME WORDS ABOUT Cloud8

Cloud8 is all virtual, as mentioned above. This year, it is the second time that Cloud8 will be held and that’s why is called part II :-).

Community leader Drago Petrovic started in spring with this great event and first edition. If you are interested in Microsoft cloud topics, this is a must event. You can join all sessions using Microsoft Teams and as it is a real community event, it’s free. However, it needs a lot of working hours to raise an event like that. So, thanks a lot to the organizers!

HUB Zone
There ist a HUB Zone where you can meet others. In the HUB Zone you have the possibility to exchange and connect with other visitors and speakers of this event. Use this platform as a virtual meeting zone and who knows… Possibly new synergies will arise. It’s easy to join as well, just klick on the “join HUB meeting link”. Would be cool to see you there, virtual!

Official hahstag used: #cloud8

We just had our briefing call with Drago:

So do not miss to check out the great speakers line-up.
See you there!

SPEAKING AT EXPERTS LIVE SWITZERLAND 2020

I’m excited to be chosen again as a speaker at Experts Live Switzerland . Experts Live Switzerland 2020 will take place on September 30 at “Welle 7” in Bern Switzerland. Experts Live Switzerland is an IT community conference focused on Microsoft cloud, datacenter, security and modern workplace topic, with Microsoft MVPs, speakers from Microsoft and other industry experts.

MY SESSION

I will speak about Zero Trust, protecting your identities and implementing Identity Governance. My session title and speaking slot:

Identity Governance – A valid and secured Identity is gold!
– Track 3, 3PM –
Find the all sessions here.

Experts Live Switzerland will be the first in-person event for me since more than 6 month, all pretty well organized with all the COVID-19 rules & regulations.

SOEME WORDS ABOUT EXPERTS LIVE

The first time this year since #ELCH all sessions are being presented in english.

Experts Live Switzerland 2020 is limited to only 150 attendees. There will be a lot of other great sessions and a lot of experts from the Microsoft Cloud community across Europe. One of the main advantages of joining the Experts Live events is that you get this great networking opportunity to learn from each other.

Check out the Experts Live Switzerland website for more detailed information’s. Would be cool to see you there!

PIN RESET NOT WORKING ON AZURE AD JOINED DEVICES

You may get this error when you try to reset the PIN of your Azure AD Joined Device:

CAA2000B. AADSTS500014: The service principal for resource cred.microsoft.com is disabled. This indicates that a subscription within the tenant has lapsed, or that the administrator for the tenant has disabled the application, preventing tokens from being issued for it.”

Based on that, you will recognize that an Admin had to setup the PIN Reset feature for your tenant and provide consent to the app. A detailed instruction to onboard it to your Azure Active Directory Tenant can be found on this docs article here.

This setup deploys two OAuth apps to your Enterprise Applications in Azure called Microsoft Pin Reset Client Production and Microsoft Pin Reset Service Production.

On the properties page of the Pin Reset Service Production, the Application was disabled in my case. But even after enabling the OAuth application, it still did not work to resetting the PIN on an Azure AD Joined device. We received the same error above.

In this case, make sure that the Security or Global Admin did not block the OAuth App within Cloud App Security. You can verify the blocked app by navigating to your Cloud App Security portal by:
https://tenantname(without .onmicrosoft.com).portal.cloudappsecurity.com / Investigate / OAuth apps and search for “Microsoft Pin Reset“. This will show you the both apps you also have in Azure Active Directory Enterprise Applications.

In case one app is blocked, click on the red block sign an unblock the app to get a green tick :-). If one is blocked, users won’t be able to reset their PIN. This was the case here.

After that, I had to give consent to the Microsoft Pin Reset Client Production app again using the Enterprise Application Permission blade and an account with sufficient rights to grant consent.

SOME OTHER THOUGHTS
Some other features such as Self-Service-Password-Reset (SSPR) and the combined registration for security information’s is recommended (Users can use the combined security information registration experience). Consider also Azure AD Connect to use Password Hash Sync and Password Hash Writeback in Hybrid Identity deployments. Hope this helps.

Happy PIN Reset!

SPEAKING @ “REMOTE Cloud Workplace Meetup #6”

The “REMOTE Cloud Workplace Meetup” Number 6 will be held on June 9th. As COVID-19 still blocks us to meet in person, this event will be a virtual event with two sessions. I’m very happy to serve the first session.

WHAT IS THE CONTENT

We will talk about Identity and Access Management. As this is only a 35 minutes slot, incl. Q&A, I will only cover thre topics:
– Zero Trust (very short)
– Azure Multifactor Authentication based on Conditional Access
– Access Reviews for Teams or Microsoft 365 groups (Former Office 365 groups)
Feel free to register here: Remote Cloud Workplace Meetup #6

SESSION OUTLINE

A valid and secured Identity is gold!

Azure Active Directory (Azure AD) brings you several options to achieve this goal.

First of all you should enable Azure MFA for all users. But hey: What about all the Admin Accounts and what in case of Azure MFA fails. We will show how to enable Azure MFA in a right way and make sure you have a protected identity.

What else: Using Identity Governance and Access reviews you have a tool on board which helps you to review access to your Office platform such as Microsoft Teams.

Hope to see you there!