
You're reading from  Microsoft Intune Cookbook

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781805126546
Edition: 1st Edition
Author (1)
Andrew Taylor

Andrew Taylor is an End-User Compute architect with 20 years of IT experience across industries and a particular interest in Microsoft Cloud technologies, PowerShell, and Microsoft Graph. Andrew graduated with a degree in Business Studies in 2004 from Lancaster University and since then has obtained numerous Microsoft certifications, including Microsoft 365 Enterprise Administrator Expert, Azure Solutions Architect Expert, and Cybersecurity Architect Expert, amongst others. He is currently working as an EUC Architect for an IT company in the United Kingdom, planning and automating the products across the EUC space. Andrew lives on the coast in the North East of England with his wife and two daughters.

Tenant Administration

After completing the main configuration of our new environment, we can look at its administration. The items available within Tenant Administration are tenant-wide and cover a variety of options, from user experience to administrative tasks for you as an admin.

This chapter will cover all of the main items and, where possible, how to access them via Graph.

It is important to understand all of the options that are available for an Intune administrator to ensure a smooth service for your end users, as well as to make your day-to-day tasks as time-efficient as possible. By following this chapter, you will be in a better position to maintain your tenant in the long run.

In this chapter, we will cover the following recipes:

  • Reviewing your connectors
  • Adding filters
  • Configuring Intune roles
  • Using scope tags
  • Customizing the end user experience
  • Deploying organizational messages
  • Setting up terms and conditions
  • Configuring multi...

Technical requirements

For this chapter, you will need a modern web browser and a PowerShell code editor such as Visual Studio Code or PowerShell ISE.

All the scripts that are referenced in this chapter can be found here: https://github.com/PacktPublishing/Microsoft-Intune-Cookbook.

Reviewing your connectors

We will start by looking at an important aspect you must keep an eye on – third-party connectors such as the Apple VPP connector, which we covered in Chapter 6, Apple iOS Device Management. A large selection is available, but not all of them will be used in every environment, so you need to monitor the ones that are important to you.

Getting ready

Here, we will learn about the various connectors that are available.

In the Intune portal, navigate to Tenant administration and select Connectors and tokens.

This will take you to a new section consisting of many different options. Let us take a look at what is available:

  • Windows enterprise certificate: If you are using a code-signing certificate with MSIX packages, this is where you upload it to your tenant. After adding it, this page will show you the status of the certificate and, more importantly, its expiry date.
  • Microsoft Endpoint Configuration Manager: If you are using Co-Management...

Adding filters

As mentioned in a few of the previous chapters, filters are an excellent (and quicker) way to use the All users or All devices assignment but restrict who it applies to. At the time of writing, it is also the only way to add device filtering to user assignments.

At the time of writing, filters are only applicable to devices and apps (Android and iOS), while for user-based queries you need to use a Dynamic Entra Group.

To use filters during assignment, you must create them. This is what we will be covering in this recipe.

The following filter options are available:

  • Managed apps:
    • App version
    • Device management type – unmanaged, Apple Business Manager, Kiosk, Android Enterprise, and so on
    • Device manufacturer
    • Device model
    • Operating system version
  • Managed devices:
    • Device name
    • Manufacturer
    • Model
    • Device category
    • Operating system version
    • Is rooted (iOS, Android)
    • Device ownership – personal or corporate
    • Enrollment profile name
    • Device trust type (Windows) ...
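The same kind of device filter can be created without the portal. The following is an added example (not code from the book or its GitHub repository) that uses the Microsoft.Graph PowerShell SDK to create a filter for corporate-owned, Entra-joined Windows devices and then lists the tenant's filters; the filter name and rule are assumptions chosen for illustration.

```powershell
# Added example, not from the book or its repository. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can manage Intune configuration.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$uri = "https://graph.microsoft.com/beta/deviceManagement/assignmentFilters"

# Filter rules are built from the device.* properties listed above and can be
# combined with "and" / "or". This one matches the ownership and trust-type
# properties from the list.
$rule = '(device.deviceOwnership -eq "Corporate") and (device.deviceTrustType -eq "Azure AD joined")'

$body = @{
    displayName                    = "Corporate Entra-joined Windows"   # assumed name
    description                    = "Narrows All devices assignments to corporate Windows devices"
    platform                       = "windows10AndLater"
    assignmentFilterManagementType = "devices"   # use "apps" for a managed-app filter
    rule                           = $rule
}

# Create the filter; Graph returns the new object including its id.
$filter = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
Write-Host "Created filter '$($filter.displayName)' with id $($filter.id)"

# Read back every filter so the new one can be checked before it is used in an assignment.
(Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    Select-Object displayName, platform, assignmentFilterManagementType, rule
```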

Configuring Intune roles

While we have configured our environment using the Intune Administrator role, you may want to use different roles for different administrators within the tenant, giving admins the least privileges required for their job function. To do this, you can either use the built-in roles or create a custom role with the permissions individually selected. In this recipe, we will run through how to configure a custom role using both the GUI and PowerShell.

How to do it…

Follow these steps to configure a new Intune role.

  1. Navigate to Tenant administration and then Roles.

Important note

Before creating a role, you can click on My permissions to see the current permissions you have in the tenant.

Back in All roles, clicking on any of the built-in roles will take you to the page for that role. If you click Properties, you can view the permissions that have been assigned to that role. Clicking Assignments after will let you assign them to administrators...
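For the PowerShell side of this recipe, here is an added example (not the book's own script) that builds a read-only custom role through Graph and assigns it to an admin group restricted to a scope group, which is the least-privilege pattern described above. The role name, the two group IDs, and the chosen resource actions are assumptions; the script checks the action names against the tenant's resourceOperations list before creating anything.

```powershell
# Added example, not from the book or its repository. Assumes the Microsoft.Graph
# PowerShell SDK and an admin allowed to manage Intune RBAC.
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All"

$base = "https://graph.microsoft.com/beta/deviceManagement"

# Placeholders: replace with the object IDs of your admin group and scope group.
$adminGroupId = "00000000-0000-0000-0000-000000000001"
$scopeGroupId = "00000000-0000-0000-0000-000000000002"

# Resource actions granted to the role (read-only). Assumed subset for illustration.
$wanted = @(
    "Microsoft.Intune_ManagedDevices_Read",
    "Microsoft.Intune_DeviceConfigurations_Read"
)

# Validate against what the tenant actually exposes. Assumes action strings are
# formed as Microsoft.Intune_<resourceName>_<actionName>.
$ops       = (Invoke-MgGraphRequest -Method GET -Uri "$base/resourceOperations").value
$available = $ops | ForEach-Object { "Microsoft.Intune_$($_.resourceName)_$($_.actionName)" }
$missing   = $wanted | Where-Object { $_ -notin $available }
if ($missing) { throw "Unknown resource actions: $($missing -join ', ')" }

# Create the custom role definition.
$roleBody = @{
    "@odata.type"   = "#microsoft.graph.roleDefinition"
    displayName     = "Helpdesk Read-Only"          # assumed name
    description     = "View devices and configuration profiles only"
    isBuiltIn       = $false
    rolePermissions = @(@{
        resourceActions = @(@{
            allowedResourceActions    = $wanted
            notAllowedResourceActions = @()
        })
    })
}
$role = Invoke-MgGraphRequest -Method POST -Uri "$base/roleDefinitions" -Body $roleBody
Write-Host "Created role $($role.displayName) ($($role.id))"

# Assign it: members = who gets the role, resourceScopes = which devices/users
# they may act on (the scope group from the next recipe).
$assignBody = @{
    "@odata.type"               = "#microsoft.graph.deviceAndAppManagementRoleAssignment"
    displayName                 = "Helpdesk Read-Only - Regional devices"
    "roleDefinition@odata.bind" = "$base/roleDefinitions('$($role.id)')"
    members                     = @($adminGroupId)
    resourceScopes              = @($scopeGroupId)
}
Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignments" -Body $assignBody | Out-Null
```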

Using scope tags

We have seen scope tags throughout this book when we created various policies or applications. Now, it is time to learn what they are used for and how to create them.

First, we will clear up the differences between scope groups and scope tags.

Scope groups are configured within an Intune role and specify which users or devices an administrator can perform actions against for roles with actions configured. They are similar to administrative units within Entra ID, where administrators can be locked out from accessing all devices and users in the tenant.

Scope tags are configured on individual items within the tenant and can be used to allow or restrict access to these items. For example, you could configure a subset of your policies with a specific scope tag and allow only certain administrators to amend this policy. For larger organizations with multiple administrative teams, this can be useful to give the local admins some freedom, but only on their own devices...

Customizing the end user experience

We have spent all of this time and effort to make the user experience as straightforward as possible, packaged the apps for self-service installation, and configured settings for the ultimate experience. However, there is one thing we have not done – that is, making Company Portal and the general sign-in experience look better.

This recipe will concentrate primarily on the Intune side of things and configuring custom settings for Company Portal. However, in the There’s more… section, we will run through how to customize the sign-in experience within Entra and the Microsoft 365 Admin portal.

How to do it…

Follow these steps to customize your environment for a better end user experience:

  1. Navigate to Tenant administration and click Customization.
  2. Here, we can either edit the default settings or, right at the bottom of the page, configure multiple policies with group assignments should different groups...

Deploying organizational messages

Organizational messages are a Windows-only feature used to display important messages on end user devices (for Android and iOS, we have custom messages, which will be covered in the There’s more… section of this recipe).

There are three areas where these messages can appear:

  • Taskbar messages: These appear just above the taskbar, similar to a traditional toast notification
  • Notification area messages: These appear within the notification area, along with email alerts, Teams messages, and more
  • Get Started app messages: These are run-once messages for post-provisioning and appear in the Get Started app

There is a licensing requirement to use organizational messages that you must confirm you have before continuing. You will require one of the following licenses:

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Windows 10/11 Enterprise E3 with Intune Plan 1
  • Windows 10/11 Enterprise E5 with Intune Plan 1

There are...

Setting up terms and conditions

When enrolling a device, you want users to agree to organizational terms, especially if they are enrolling at home or using BYOD.

There are two options to do this: Terms and conditions within Intune and Terms of use within Entra Conditional access. Terms of use are significantly more powerful and give you more flexibility, but we will cover both options here to give you the full picture.

You can learn about the differences between the two here: https://techcommunity.microsoft.com/t5/intune-customer-success/choosing-the-right-terms-solution-for-your-organization/ba-p/280180.

Now that we have seen our options, let us learn how to configure them.

How to do it…

We will start with Intune’s terms and conditions, which give a very simplified set of terms for the user to accept.

Setting up terms and conditions

Follow these steps to configure your Intune terms and conditions:

  1. First, navigate to Tenant administration...

Configuring multi-admin approvals

Multi-admin approval is a new feature that you can implement to provide an extra layer of security when you are making changes to an environment. At the time of writing, if configured, any scripts or applications that are deployed will need to be approved by a second administrator before they can go live. Anything other than scripts and applications is currently unsupported.

How to do it…

Follow these steps to set up multi-admin approvals in your tenant.

  1. Navigate to Tenant administration and click on Multi Admin Approval.

    Here, you can see any current requests (All requests), any requests you have submitted (My requests), and the policies that have been configured (Access policies).

  2. Click on Access policies and click + Create.
  3. Specify your policy’s Name and Description and select if it is for App or Script. Then, click Next.
  4. On the Approvers screen, you need to select a group that contains administrators who...

Checking your tenant version

Intune has regular updates with monthly major service updates. At the time of writing, these are in YYMM format – for example, September 2023 would be 2309.

You can follow all of the new features here: https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new.

As Intune is globally distributed across multiple data centers worldwide, when a new version is released, it may not necessarily update your tenant straight away. For that, we can check out the tenant version.

How to do it…

Follow these brief steps to check the tenant version in your environment:

  1. Navigate to Tenant administration and click on Tenant status.
  2. In the first tab, you can view your tenant details, including the tenant version and location:
Figure 13.5 – Tenant details

  3. The Connector status tab will show a quick overview of the connectors that have been configured. If you see any issues here, you...

Using Intune’s troubleshooting tools

We have created our tenant using best practices, carefully packaged our applications, and tested everything to ensure it is working. However, we all know that users are users and things will go wrong. For that, we need to be able to troubleshoot issues. Fortunately, Intune has excellent troubleshooting tools where we can quickly review what issues a user may be having.

How to do it…

Follow these steps to troubleshoot your devices:

  1. Click on Troubleshooting + support. Then, from the menu, click Troubleshoot.
  2. Select a user from the list; all their information will be grabbed automatically.

    The first thing we must do is look under User status to rule out anything basic, such as a disabled or unlicensed user.

    The Summary screen gives an overview of everything for the user across devices, policies, compliance, applications, and more.

    The following tabs are available:

    • Devices: All devices for the user, including Intune compliance...

Enrollment notifications

Introduced in release 2301 (January 2023), enrollment notifications alert a user when a new device has been added to Intune from their account. At the time of writing, they only alert the user, and there is no way of alerting admins without using Exchange mail forwarding rules.

How to do it…

Follow these steps to configure enrollment notifications for your users:

  1. First, click on Devices, then click on Enrollment. Select the tab for the platform you wish to set the notifications for. You will need one policy per platform.
  2. Click on Enrollment notifications and click + Create notification.
  3. Specify your notification’s Name and Description and click Next.
  4. On the Notification Settings screen, you can select which type of notification to send – that is, Push notification or Email notification (or both).

    For a push notification, you simply need the title and text to include:

Figure 13.6 – Enrollment notifications

Configuring device restrictions

Device restrictions are an often overlooked yet critical part of managing your Intune environment. With the inclusion of MAM across platforms, the first step is to block the enrollment of personal devices, which can only be performed within Intune.

You can also specify device limits, as well as operating system versions and even manufacturers and models of devices!

How to do it…

There are two different settings to configure here: device limit restrictions and device platform restrictions. We will look at device limit restrictions first.

Device limit restrictions

To set up device limit restrictions, follow these steps:

  1. Click on Devices, then Enrollment.
  2. Select any platform and click Device limit restriction.

    Here, you can create new restrictions or edit the default restriction, which applies to all. The restrictions are queried in numerical order, with the highest number being queried first. When it finds the restriction...

Configuring Quiet time policies

Introduced in the 2305 release of Intune (May 2023), Quiet time policies give admins a way to mute Outlook and Teams notifications on devices centrally, either by day of the week or for specific date ranges on Android and iOS devices (only).

This can be used to stop notifications out of hours, such as on weekends, for a standard Monday-Friday user. The date-specific option is useful should you want to add public holidays in addition to the standard weekly quiet times.

How to do it…

Follow these steps to configure your Quiet time policies:

  1. To configure Quiet Time policies, click on Apps, then Quiet time.
  2. Click the Policies tab and then click + Create Policy.
  3. In the flyout, select the Policy type value you wish to set and click Create.
  4. Specify your policy’s Name and Description and click Next.
  5. The first option you have here is giving the user the ability to change the settings. Unless you have strict requirements...