Support for Azure AD user creation on behalf of Azure AD Applications for Azure SQL DB

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

We are announcing a general availability for Azure AD user creation support for Azure SQL Database on behalf of Azure AD Applications (service principals). See Azure Active Directory service principal with Azure SQL.

What support for Azure AD user creation on behalf of Azure AD Applications means?

Azure SQL Database and SQL Managed Instance support the following Azure AD objects: 

1. Azure AD users (managed, federated and guest) 


2. Azure AD groups (managed and federated) 


3. Azure AD applications  

For more information on Azure AD applications, see Application and service principal objects in Azure Active Directory  and Create an Azure service principal with Azure PowerShell. 

Formerly, only SQL Managed Instance supported the creation of those Azure AD object types on behalf of an Azure AD Application (using service principal). Support for this functionality in Azure SQL Database is now generally available.

This functionality is useful for automated processes where Azure AD objects are created and maintained in Azure SQL Database without human interaction by Azure AD applications. Since service principals could be an Azure AD admin for SQL DB as part of a group or an individual user, automated Azure AD object creation in SQL DB can be executed. This allows for a full automation of a database user creation. This functionality is also supported for Azure AD system-assigned managed identity and user-assigned managed identity that can be created as users in SQL Database on behalf of service principals (see the article, What are managed identities for Azure resources?).

Prerequisites

To enable this feature, the following steps are required:

1)   Assign a server identity (a system managed identity) during SQL logical server creation or after the server is created.

      See the PowerShell example below:

• To create a server identity during the Azure SQL logical server creation, execute the following command:  

         New-AzSqlServer -ResourceGroupName <resource group>
         -Location <Location name> -ServerName <Server name>
         -ServerVersion “12.0” -SqlAdministratorCredentials (Get-Credential)
         -AssignIdentity  
         (See the New-AzSqlServer command for more details)  

• For existing Azure SQL logical servers, execute the following command:

         Set-AzSqlServer -ResourceGroupName <resource group>
         -ServerName <Server name> -AssignIdentity     
         (See the  Set-AzSqlServer command for more details)  
         To check if a server identity is assigned to the Azure SQL logical 
         server, execute the following  command:
         Get-AzSqlServer -ResourceGroupName <resource group> 
         – ServerName <Server name> 
         (See the Get-AzSqlServer command for more details)

2)   Grant the Azure AD “Directory Readers” permission to the server identity
      created above 
     (For more information, see Provision Azure AD admin (SQL Managed Instance) 

How to use it

Once steps 1 and 2 are completed, an Azure AD application with the right permissions can create an Azure AD object (user/group or service principal) in Azure SQL DB. For more information, see the step-by-step tutorial doc
(see Tutorial: Create Azure AD users using Azure AD applications ).

Example

Using SMI (System-assigned Managed Identity) set up as an Azure AD admin for SQL DB,
create an Azure AD application as a SQL DB user.

Preparation

Enable steps 1 and 2 indicated above for the Azure SQL logical server

• In the example below, the server name is ‘testaadsql’


• The user database created under this serve is ‘testdb’

• Enable SMI on the Azure VM (see What are managed identities for Azure resources?)
  
  
  
  • In the example below, the SMI name is ‘mytestvm’
  
  
  
  




• Copy the display name of the SMI which is your VM name


• Create an Azure AD application
  See How to: Use the portal to create an Azure AD application and service principal that can access resou…

• Copy the display name of the application




• In the example below the app name is ‘myapp’




• Using the Azure portal, assign your SMI (display name mytestvm) as an Azure AD admin for the Azure SQL logical server  (see the screenshot below).

• Create Azure AD application user in SQL DB on behalf of the SMI




• From your Azure VM, execute the PowerShell script indicated below that creates an Azure AD application user in SQL DB on behalf of the SMI that is an Azure AD admin for this server
  (For more information on the SMI access see Tutorial: Use a Windows VM system-assigned managed identity to access Azure SQL)


• Alternatively, the SMI could be also be represented as a regular Azure AD user created in the database ‘testdb’ with dbo permissions allowing to create other Azure AD users ( see an example in Tutorial: Create Azure AD users using Azure AD applications )




• To check that the user ‘myapp’ was created in the database ‘testdb’ you can execute the T-SQL command select * from sys.database_principals.

PowerShell Script

# PS script creating a SQL user myapp from an Azure AD application on behalf of SMI “mytestvm”
#  that is also set as Azure AD admin for SQ DB
# Execute this script from the Azure VM with SMI name ‘mytestvm’   
# Azure AD application – display name  ‘myapp’
# This is the user name that is created in SQL DB ‘testdb’ in the server  ‘testaadsql’

# Metadata service endpoint for SMI, accessible only from within the VM:

$response = Invoke-WebRequest -Uri

 ‘http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F‘ -Method GET -Headers @{Metadata=”true”}  

$content = $response.Content | ConvertFrom-Json
$AccessToken = $content.access_token

# Specify server name and database name
# For the server name, the server identity must be assigned and “Directory Readers”
# permission granted to the identity

$SQLServerName = “testaadsql”
$DatabaseName = ‘testdb’

$conn = New-Object System.Data.SqlClient.SQLConnection
$conn.ConnectionString = “Data Source=$SQLServerName.database.windows.net;Initial Catalog=$DatabaseName;Connect Timeout=30”
$conn.AccessToken = $AccessToken

$conn.Open()

# Create SQL DB user [myapp] in the ‘testdb’ database
$ddlstmt = ‘CREATE USER [myapp] FROM EXTERNAL PROVIDER;’

$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($ddlstmt, $conn)      
Write-host ” “
Write-host “SQL DDL command was executed”
$ddlstmt
Write-host “results”
$command.ExecuteNonQuery()
$conn.Close() 

For more information see

• Azure Active Directory service principal with Azure SQL. and


• Tutorial: Create Azure AD users using Azure AD applications 

For feedback/questions on this preview feature, please reach out to the SQL AAD team at SQLAADFeedback@Microsoft.com  

MidDay Cafe Episode 9 – MBAS, Single Platform, VIVA Connections

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

MidDay Cafe Episode 9 – MBAS, Single Platform, VIVA Connections

In this episode of MidDay Cafe host Michael Gannotti is joined by Microsoft’s Kendra Burgess and Sue Vencill as they discuss the Microsoft Business Application Summit (MBAS)), Why I Came to Microsoft/Single Platform, and Next Generation Intranets with Microsoft VIVA Connections. 

Resources:

• General information on Teams Online Meetings and Conferencing Software | Microsoft Teams for Work


• Teams as a Platform – Training VoDs. Microsoft Teams platform on the Microsoft Virtual Hub – Microsoft Adoption


• Building Apps for Teams Build apps for the Microsoft Teams platform – Teams | Microsoft Docs


• Introducing Microsoft Viva Connections  


• Microsoft Viva Connections to start rollout to general availability – Microsoft Tech Community


• Add Viva Connections for Microsoft Teams desktop – SharePoint in Microsoft 365 | Microsoft Docs
  
  
  
  • Contains information on: Preparation for Viva Connections, Viva Connections requirements and recommendations, step-by-step guide to setting up Viva Connections desktop, and onboarding end users for Viva Connections.
  
  
  
  


• Additional resources to prepare for Viva Connections.
  
  
  
  • Set up a home site for your organization.
  
  
  • Enable and set up global navigation in the SharePoint app bar.
  
  
  • Introduction to SharePoint Online Management Shell
  
  
  
  

Keep up to date with MidDay Café:

• The MidDay Café Blog Board 


• Subscribe to the MidDay Café YouTube Playlist  


• Audio Podcast Subscriptions




• Audio Podcast RSS Feed 


• Subscribe to the Audio Podcast on Anchor 


• Subscribe to the Audio Podcast on Spotify  


• Subscribe to the Audio Podcast on Apple Podcasts  


• Subscribe to the Audio Podcast on Google Podcasts


• Subscribe to the Audio Podcast on Pocket Casts


• Subscribe to the Audio Podcast on Radio Public 

Thanks for visiting – Michael Gannotti   LinkedIn | Twitter

Michael Gannotti

Developer Experiences – Manage Scanning Data Plane using REST APIs.

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

We are happy to announce that REST APIs for scanning data plane are now released. Software engineers or developers in your organization can now call these APIs to register data sources, set up scans and classifications programmatically to integrate with other systems or products in your company.

Purview Scaning Data Plane Endpoints

You need to have the purview account name to call scanning APIs. Below is how the endpoint will look:

https://{your-purview-account-name}.scan.purview.azure.com

Set up authentication using service principal.

To call the scanning APIs, the first thing you need to do is to register an application and create a client secret for that application in Azure Active Directory.  When you register an application a service principal is automatically created in your tenant. For more information on how to create a service principal (application) and client secret, please refer here.

Once service principal is created, you need to assign ‘Data source Admin’ role of your purview account to the service principal created above. The below steps need to be followed to assign role to establish trust between the service principal and purview account.

1. Navigate to your Purview account.


2. On the Purview account page, select the tab Access control (IAM)


3. Click + Add.


4. Select Add role assignment.


5. For the Role select Purview Data Source Administrator from the drop down.


6. For Assign access to leave the default, User, group, or service principal.


7. For Select enter the name of the previously created service principal you wish to assign and then click on their name in the results pane.


8. Click on Save.

You’ve now configured the service principal as an application administrator, which enables it to send content to the scanning APIs. Learn about roles here.

Get Token

You can send a POST request to the following URL to get access token.

https://login.microsoftonline.com/{your-tenant-id}/oauth2/token

The following parameters needs to be passed to the above URL.

• client_id:  client id of the application registered in Azure Active directory and is assigned ‘Data Source Admin’ role for the Purview account.


• client_secret: client secret created for the above application.


• grant_type: This should be ‘client_credentials’.


• resource: This should be ‘https://purview.azure.net’

Figure 1: Screenshot showing a sample response in Postman.

Scanning Data Plane REST APIs

Once you have followed all the above steps and have received access token you can now call various scanning APIs programmatically. The different types of entities you can interact with are listed below:

• Classification Rules


• Data Sources


• Key Vault Connections


• Scans and scan related functionality like triggers and scan rule sets.

The below examples explains the APIs you need to call to configure a data source , set up and run a scan for the data source but for complete information on all the REST APIs supported by scanning data plane refer here –

1. To create or update a data source using APIs the following REST API can be leveraged:

PUT {Endpoint}/datasources/{dataSourceName}?api-version=2018-12-01-preview

You can register an Azure storage data source with name ‘myStorage’ by sending a PUT request to the following URL

{Endpoint}/datasources/myStorage?api-version=2018-12-01-preview with the below request body:

{

  “name”: “myStorage”,

  “kind”: “AzureStorage”,

  “properties”: {

    “endpoint”: “https://azurestorage.core.windows.net/“

  }

}

2. To create a scan for a data source already registered in Purview the following REST API can be leveraged:

PUT {Endpoint}/datasources/{dataSourceName}/scans/{scanName}?api-version=2018-12-01-preview

You can schedule a scan ‘myStorageScan’ using a credential ‘CredentialAKV’ and system scan rule set ‘AzureStorage’ for the already registered data source ‘myStorage’ by sending a PUT request to the following URL with the below request body:

{Endpoint}/datasources/myStorage/scans/myStorageScan?api-version=2018-12-01-preview

{

  “kind”: “AzureStorageCredential”,

  “properties”: {

    “credential”: {

      “referenceName”: “CredentialAKV”,

      “credentialType”: “AccountKey”

    },

    “connectedVia”: null,

    “scanRulesetName”: “AzureStorage”,

    “scanRulesetType”: “System”

  }

}

The above call with return the following response:

{

  “name”: “myStorageScan”,

  “id”: “datasources/myDataSource/scans/myScanName”,

  “kind”: “AzureStorageCredential”,

  “properties”: {

    “credential”: {

      “referenceName”: “CredentialAKV”,

      “credentialType”: “AccountKey”

    },

    “connectedVia”: null,

    “scanRulesetName”: “AzureStorage”,

    “scanRulesetType”: “System”,

    “workers”: null

  },

  “scanResults”: null

}

3. Once the scan is created you need to add filters to the scan which is basically scoping your scan or determining what objects should be included as part of scan. To create a filter, you can leverage the following REST API

PUT {Endpoint}/datasources/{dataSourceName}/scans/{scanName}/filters/custom?api-version=2018-12-01-preview

You can create a filter for the above scan ‘myStorageScan’ by sending a PUT request to the following URL with the below request body. This will create a scope to include folders /share1/user and /share1/aggregated and exclude folder /share1/user/temp/ as part of the scan.

{Endpoint}/datasources/myStorage/scans/myStorageScan/filters/custom?api-version=2018-12-01-preview

{

  “properties”: {

    “includeUriPrefixes”: [

      “https://myStorage.file.core.windows.net/share1/user“,

      “https://myStorage.file.core.windows.net/share1/aggregated“

    ],

    “excludeUriPrefixes”: [

      “https://myStorage.file.core.windows.net/share1/user/temp“

    ]

  }

}

The above call will return the following response:

{

  “name”: “custom”,

  “id”: “datasources/myStorage/scans/myStorageScan/filters/custom”,

  “properties”: {

    “includeUriPrefixes”: [

      “https://myStorage.file.core.windows.net/share1/user“,

      “https://myStorage.file.core.windows.net/share1/aggregated“

    ],

    “excludeUriPrefixes”: [

      “https://myStorage.file.core.windows.net/share1/user/temp“

    ]

  }

}

4.To run a scan, you need to use the following REST API

PUT {Endpoint}/datasources/{dataSourceName}/scans/{scanName}/runs/{runId}?api-version=2018-12-01-preview

You can now trigger the above scan ‘myStorageScan’ by sending a PUT request to the below URL. The runId is a guid.

{Endpoint}/datasources/myStorage/scans/myStorageScan/runs/138301e4-f4f9-4ab5-b734-bac446b236e7?api-version=2018-12-01-preview

The above call will return the following response:

{

  “scanResultId”: “138301e4-f4f9-4ab5-b734-bac446b236e7”,

  “startTime”: “2019-05-16T17:01:37.3089193Z”,

  “endTime”: null,

  “status”: “Accepted”,

  “error”: null

}

To learn more about Azure Purview, check out our full documentation today.

Central Laser Facility uses WinUI and Uno Platform to envision a new control system for EPAC

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

The Central Laser Facility (CLF) carries out research using lasers to investigate a broad range of science areas, spanning physics, chemistry, and biology. Their suite of laser systems allows them to focus light to extreme intensities, to generate exceptionally short pulses of light, and to image extremely small features.

The Central Laser Facility is currently building the Extreme Photonics Applications Centre (EPAC) in Oxfordshire, UK. EPAC is a new national facility to support UK science, technology, innovation and industry. It will bring together world-leading interdisciplinary expertise to develop and apply novel, laser based, non-conventional accelerators and particle sources which have unique properties.

The software control team inside Central Laser Facility develops applications that enable scientists to monitor and communicate with a wide range of scientific instruments. For example, the application can be used to move a motorised mirror to direct the laser beam toward a target, to watch a camera feed showing the current status of the system, or to configure and record data from a suite of cutting-edge scientific instruments such as x-ray cameras or electron spectrometers. These applications aggregate data and controls for specific tasks that a user needs to undertake – say, point the laser at a new target – and present them in a single screen to avoid the need to individually access all the different hardware necessary to make that happen.

The Challenge: Moving forward the control system for EPAC

As CLF started planning the design of a new control system for EPAC, their main goal was to tackle some of the challenges they were facing with the existing set of applications:

• Minimise the adaptations needed to run on multiple operating systems. CLF currently supports Windows and Linux, with other platforms like Android and Web in planning.


• Maximize code reuse while, at the same time, creating a scalable user interface. Their applications need to scale from mobile devices to large displays placed around the facility.


• Support advanced graphical features, like themes for easily changing colour schemes; the palette needed for viewing a screen through laser goggles in a laboratory is different than one would use in a control room, where no goggles are necessary.

The Solution

WinUI and Uno Platform were a perfect combination to tackle these challenges.

WinUI provides a state-of-the-art UI platform, which offers the powerful rendering capabilities needed by the application to show the real time feed coming from the cameras; to generate complex graphs that display in real-time the data captured by the instruments; to adapt to different layouts and form factors; ultimately, to easily create easy-to-use experiences thanks to a wide range of modern controls with full support to accessibility and multiple input types. Uno Platform is enabling the Central Laser Facility to take these features which empower the experience built for Windows and run it with no or minimal code changes on all the other platforms targeted by Central Laser Facility: Linux, Android and Web.

“Thanks to WinUI and Uno Platform, we were able to leverage the excellent set of developer tools that exists in .NET, and provides access to the reusable content in the Windows Community Toolkit and the XAML controls gallery.” shared Chris Gregory, Software Control Engineer. “The primary attraction for us was the ability to deploy applications cross-platform. This will allow us to visualise what’s happening with our instrumentation on the Windows machines in the control room, the Linux systems running the back end, on a tablet inside the laboratory, or on a mobile device for off-site monitoring.

This flexibility means that scientists and engineers can see a uniform presentation of the information they need no matter where they are in our facility, with minimal extra developer effort. Added to this, the availability of such a rich set of controls will result in the development of applications that are much more intuitive to use”.

Adopt a Zero Trust approach for security — Essentials Series — Episode 1

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

Adopt a Zero Trust approach for security and benefit from the core ways in which Microsoft can help. In the past, your defenses may have been focused on protecting network access with on-premises firewalls and VPNs, assuming everything inside the network was safe. But as corporate data footprints have expanded to sit outside your corporate network, to live in the Cloud or a hybrid across both, the Zero Trust security model has evolved to address a more holistic set of attack vectors.

Based on the principles of “verify explicitly”, “apply least privileged access” and “always assume breach”, Zero Trust establishes a comprehensive control plane across multiple layers of defense:

Identity

Azure Active Directory assigns identity and conditional access controls for your people, the service accounts used for apps and processes, and your devices.

Endpoints

Microsoft Endpoint Manager assures devices and their installed apps meet your security and compliance policy requirements

Applications

Microsoft Endpoint Manager can be used to configure and enforce policy management. Microsoft Cloud App Security can discover and manage Shadow IT services in use.

Network

Get a number of controls, including Network Segmentation, Threat protection, and Encryption.

Infrastructure

Azure landing zones, Blueprints and Policies can ensure newly deployed infrastructure meets compliance requirements for cloud resources. Azure Security Center and Log Analytics help with configuration and software update management for on-premises, cross-cloud and cross-platform infrastructure.

Data

Limit data access to only the people and processes that need it.

Filters Public Preview – Overview and Known Issues

by Contributed | May 12, 2021 | Technology

This article is contributed. See the original author and article here.

Today we released an exciting new feature in Microsoft Endpoint Manager that we call “Filters”. The feature adds greater flexibility for assigning apps and policies to groups of users or devices. Using filters, you can now combine a group assignment with characteristics of a device to achieve the right targeting outcome. For example, you can use filters to ensure that an assignment to a user group only targets corporate devices and doesn’t touch the personal ones. Read more about the announcement here and review the feature documentation here.

The feature is enabled with the service-side update of the 2105 service release, so you can expect to see it in the Microsoft Endpoint Manager admin center starting May 7 and continuing as the service-side updates.

Here is an overview of the feature: Use Microsoft Endpoint Manager filters to target apps and policies to specific users | YouTube.

The feature is released for Public preview and is supported by Microsoft to use in production environments. The following known issues apply. We will remove items off this list as issues are resolved.

Known issues:

• Compliance policy for “Risk score” and “Threat Level”: If your tenant is connected to a partner Mobile Threat Detection (MTD) partner service or Microsoft Defender for Endpoint (MDE), Compliance policies for Windows 10, iOS or Android can include the optional setting “Require the device to be at or under the machine risk score” or “Require the device to be at or under the Device Threat Level”. Using this setting configures the Microsoft Endpoint Manager compliance calculation engine to include signals from external services in the overall compliance state for the device. Using Filters on assignments for compliance policies with these settings is not currently supported.
  
  


• Available Apps on Android DA enrolled devices: Filter evaluation for available apps requires Company Portal app version 5.0.4868.0 (released to Android Play store August 2020) or higher for filter evaluation. If a device does not have this version (or higher) installed, apps will incorrectly show as available in the Company portal but be blocked from installing on the device.
  
  


• OSversion property for macOS devices: MacOS version numbers are reflected in Intune as a string that combines version number and build version in Intune, for example: “11.2.3 (20D91)” includes version number 11.2.3 along with build version 20D91. When creating a filter based on OS version for macOS device you can specify the full string including both components. There is a known issue where the device check-in gateway does not gather the full build version for evaluation, resulting in an incorrect evaluation result. For example, if you specified a filter (Device.OSversion -eq “11.2.3 (20D91)”) and a device of this version was evaluated, the result would be “Not match” because only the first half of the version number is evaluated.

Known issues for reporting:

• Filter evaluation reports for Available Apps: Evaluation results are currently not collected for apps assigned to groups with the “Available” intent. The “Managed Apps” (Device > [Devicename] > Managed Apps) “Resolved intent” column incorrectly shows a status of “Available for install” even if the device should be excluded by a Filter.
  
  


• Delay in filter evaluation report data: There is a case where filter evaluation reports (Devices > All Devices > [Devicename]> Filter evaluation) are not updated with the most recent evaluation results. This case only occurs in a special case where a filter is used in an assignment, some evaluation results are produced and then the filter is later removed from that assignment. In this scenario the report may take up to 48 hours to reflect. Note, this occurs only if the filter is removed from the assignment and not if the assignment is recreated by removing the group and then re-adding it without a filter.
  
  


• Win32 apps reporting: There is a known issue where Win32 apps reports (Apps > All apps > [App Name] > Device install status] for a device may be incomplete when a filter was used for any of the targeted apps for a device. Apps that were filtered out during a check-in may fail to report evaluation status events back to the MEM admin center. This impacts the app that used the filter, along with other Win32 apps in the same check-in session.
  
  


• Unexpected policies for other platform types show up in filter evaluation report: The Filter evaluation report for a single device (Devices > All Devices > [DeviceName]> Filter evaluation (preview)) shows all policies and apps that were targeted at the device or primary user of the device for which there was a filter evaluation performed, even if the policy type is not applicable for the platform of the device you are interested in. For example, if you assign a Windows 10 configuration policy to a user (a group that contains the user) along with a filter, you will notice that the filter evaluation report lists of policies for that user’s iOS, Android and macOS devices will also show Windows 10 policies and evaluation results. Note: The evaluation results will always be “Not Match” due to platform.
  
  


• No way to see which policies and apps are using a filter: When editing or deleting an existing filter, there is no way in the UX to see where that filter is currently being used. We’re working on adding this (see “Features in development” below). As a workaround, you can use this PowerShell script that will walk through all assignments in your tenant and return the policies and apps where the filter has been used. See Get-AssociatedFilter.ps1 script here.

Features in development:

• Pre-deployment reporting – We’re working on adding reporting experiences that make it possible to know the impact of a Filter before using it in a workload assignment.
  
  


• Associated assignments – We’re working on an improvement to select a filter and be able to identify all the associated policies and apps where that filter is being used.
  
  


• More workloads – We’re adding filters to the assignment pages of more MEM workloads including Endpoint Security, Proactive remediation scripts, Windows update policies and more.

Frequently Asked Questions

Do filters replace group assignments?

No. Filters are used on top of groups when you assign apps and policies and give you more granular targeting options. Assignments still require you to target a group and then refine that scope using a filter. In some scenarios, you may wish to target “All users” or “All devices” virtual groups and further refine using filters in include or exclude mode.

What about “Excluded groups”? Can I use a filter on these assignments?

While filters cannot be added on top of an “Excluded group” assignment the desired outcome can be achieved by combining Included groups with filters. Filters provide greater flexibility than Excluded groups because the “excluded groups” feature does not support mixing group types. See: supportability matrix to learn more.

Excluded groups are still a great option for user exception management – For example, you deploy to “All Users” and exclude “VIP Users”.

Now with filters you can build on top of existing capability by mixing user and device targeting. You can, for example define a filter to – Deploy to “All Users”, exclude “VIP Users” and only install on the “Corporate-owned” devices.

Here is summary guidance on how to use Groups, Exclude groups and Filters:

• Filters complement Azure AD groups for scenarios where you want to target a user group but filter ‘in’/’out’ devices from that group. For example: assign a policy to “All Finance Users” but then only apply it on corporate devices.


• Filters provide the ability to target assignments to ‘All Users’ and ‘All Devices’ virtual groups while filtering in/out specific devices. The “All users” groups are not Azure AD groups, but rather Intune “virtual” groups that have improved performance and latency characteristics. For latency-sensitive scenarios admins can use these groups and then further refine targeted devices using filters.


• “Excluded groups” option for Azure AD groups is supported, but you should use it mainly for excluding user groups. When it comes to excluding devices, we recommend using filters because they offer faster evaluation over dynamic device groups.

General recommendations on groups and assignment:

• Think of Include/Exclude groups as an initial starting point for deploying. The AAD group is the limiting group so use the smallest group scope possible.


• Assigned (also known as static) Azure AD groups can be used for Included or Excluded groups, however it usually is not practical to statically assign devices into an AAD group unless they are pre-registered in AAD (eg: via autopilot) or if you want to collect them for a one-off, ad-hoc deployment.


• Dynamic Azure AD user groups can be used for Include/Exclude groups.


• Dynamic AAD device groups can be used for Include groups but there may be latency in populating group membership. In latency-sensitive scenarios where it is critical for targeting to occur instantly upon enrollment, consider using an assignment to User groups and then combine with filters to target the intended set of devices. If the scenario is userless, consider using the “All devices” group assignment in combination with filters.


• Avoid using Dynamic Azure AD device groups for Excluded groups. Latency in dynamic device group calculation at enrollment time can cause undesirable results such as unwanted apps and policy being delivered before the excluded group membership can be populated.

Are Intune Roles (RBAC) and scope tags supported?

Yes. During the filter creation wizard, you can add scope tags to the filter. (Note: The “Scope Tags” wizard screen only shows if your tenant has configured scope tags). There are four new privileges available for filters (Read, Create, Update, Delete). These permissions exist for built-in roles (Policy admin, Intune admin, School admin, App admin). To use a filter when assigning a workload, you must have the right permissions: You must have permission to the filter, permission to the workload and permission to assign to the group you chose.

Is the Audit Logs feature supported?

Yes. Any action performed by an admin on assignment filter objects is recorded in audit logs (Tenant administration -> Audit logs). This also includes the action of enabling the Filters feature in your account.

Can I use filters with user group assignments?

Yes. This is a good scenario for using filters. For example, you can assign a policy to “All finance users” and then apply an assignment filter to only include “Surface Laptop” devices.

Can I create a filter based on any device property I can see in MEM?

No, not yet but we plan to add more filter properties over time. The list of supported properties is here. Please let us know about the properties that would help in your scenarios to: aka.ms/MEMfiltersfeedback.

Can I use filters in any assignment in MEM?

While in preview, filters are available to use in a core set of workload types (Apps, Compliance and Configuration profiles). The list of supported properties is here. Please let us know about the properties that would help in your scenarios at aka.ms/MEMFiltersfeedback.

How does assignment filtering get reflected in device status and device install status reports in the MEM admin center?

Filter reporting information exists for each device under a new stand-alone report area called “Filter evaluation” and we’re working to further integrate reporting information into existing reports such as the “Device status” and “Device install” reports. As an example of where this is going, the apps report has a new column called “Filter (preview)” under Device install status. Over time you will see further integration of the filter information into other workload type reports.

If you deploy a policy (Compliance or Configuration) to a group and navigate to the “Device status” report, there is a row in the report for each targeted device. When each targeted device checks-in the device will be evaluated against the associated filter and this status will be updated (For example, the status will show “Not Applicable” if the assignment filter filtered the policy out). For apps, the experience (in the Device install status report) is similar, except that you can view details on the filter evaluation by clicking on the “Filters evaluated” link.

Example of filter evaluation under the Device install status report

How many filters can I create?
There is a limit of 50 filters per customer tenant.

How many expressions can I have in a filter?
There is a limit of 3072 characters per filter.

Can I use more than one filter in an assignment?

No. An assignment includes the combination of Group + Filter + Other deployment settings. While you can’t use more that one filter per assignment you can certainly use more than one assignment per policy or app. For example, you can deploy an iOS device restriction policy to “Finance users” and “HR users” groups and have a different assignment filter linked to each of those assignments. However, be careful not to create overlaps or conflicts. We don’t recommend it but have documented the behavior here.

How do Filters work with the Windows 10 “Applicability Rules” feature?

Filters are a super-set of functionality from “Applicability rules” and as such we recommend that you use filters instead. We do not recommend combining the two together or know of a reason to, but if you do have a policy assigned with both, the expected result is that both will apply. The filter will be processed first, then a second iteration of applicability will be undertaken by the applicability rules feature.

Documentation

• Microsoft Endpoint Manager – Intune Filters


• Use Microsoft Endpoint Manager filters to target apps and policies to specific users | YouTube


• Create filters in Microsoft Intune


• Supported filter device properties and operators in Microsoft Intune


• Platforms and policy types supported by filters in Microsoft Intune


• Filter reports and troubleshooting in Microsoft Endpoint Manager


• Public preview overview in Microsoft Intune

Let us know if you have any questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.