Intune: Conditional Access for Exchange Online


One of the promises of Mobile Device Management (MDM) and Mobile Application Management (MAM) is the ability to separate the user’s personal data from corporate data. This capability enhances BYOD scenarios: a selective wipe can be performed on a device, removing only the corporate data and leaving the personal data intact when a user leaves the organization or a device is retired from corporate use.

In Intune this functionality works in conjunction with MAM. Managed mobile apps are “wrapped” so that any data that they use is stored in a secure container that can be remotely wiped by the management platform.

This month a new conditional access capability has been introduced into Windows Intune that helps achieve this segregation. Conditional access policies can now be enforced that prevent email client applications from connecting to Office 365’s Exchange Online service unless the application is a MAM-managed application. This will prevent users from accessing corporate email with an unmanaged email app.
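A defender-side check for the policy described above, added here as an example and not part of the original post: it audits a set of conditional access policies (assumed to be in the JSON shape returned by Microsoft Graph's conditionalAccess/policies endpoint, with constructed sample data) and reports which mobile platforms can still reach Exchange Online from an unmanaged mail app.

```python
# Added example (not from the original post). Policy documents follow the
# Microsoft Graph conditionalAccessPolicy shape; the sample policies below
# are constructed for illustration only.

EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
MAM_CONTROLS = {"approvedApplication", "compliantApplication"}  # app-protection grant controls
MOBILE_PLATFORMS = {"iOS", "android"}


def protects_exchange(policy):
    """True if the policy forces Exchange Online access through a MAM-managed app."""
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions", {})
    apps = set(cond.get("applications", {}).get("includeApplications", []))
    if not apps & {EXCHANGE_ONLINE_APP_ID, "All"}:
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    # With operator "OR" any listed control satisfies the policy, so a policy
    # offering MFA *or* an approved app does not actually require a managed app.
    if grant.get("operator") == "OR" and controls - MAM_CONTROLS:
        return False
    return bool(controls & MAM_CONTROLS)


def covered_platforms(policy):
    """Mobile platforms the policy's platform condition applies to."""
    plats = policy.get("conditions", {}).get("platforms") or {}
    included = set(plats.get("includePlatforms", []))
    if "all" in included:
        included = set(MOBILE_PLATFORMS)
    return (included & MOBILE_PLATFORMS) - set(plats.get("excludePlatforms", []))


def unprotected_platforms(policies):
    """Mobile platforms for which no enabled policy enforces a managed mail app."""
    covered = set()
    for policy in policies:
        if protects_exchange(policy):
            covered |= covered_platforms(policy)
    return MOBILE_PLATFORMS - covered


# Constructed sample: iOS is covered; the Android policy is weakened by "OR" with MFA.
SAMPLE_POLICIES = [
    {"state": "enabled",
     "conditions": {"applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
                    "platforms": {"includePlatforms": ["iOS"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["approvedApplication"]}},
    {"state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "platforms": {"includePlatforms": ["android"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "approvedApplication"]}},
]
```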


Windows Store for Business – Managing Paid Apps with Intune


This post will walk you through simple management of Windows Store for Business (WSfB) apps that require a paid license.

You will need the following prerequisites:

  1. Configure synchronization between WSfB and Microsoft Intune
  2. Configure a payment method for license fees

Once you have met the prerequisites you can follow along below.


  1. Log in to the Windows Store for Business with your management account.
  2. Navigate to Shop.
  3. Use the category browser or the search tool to find the application that you wish to purchase. For this walkthrough I have chosen EZDictionary.
  4. Click the app that you wish to purchase.
  5. On the App page select Buy Now.
  6. From the Buy dialogue select the quantity of licenses you wish to purchase and then click Next.
  7. Verify your purchase information, including payment method, price, quantity and total, and then click Next.
  8. You will receive a transaction completion notice. Click Close.
  9. Navigate to Manage>Inventory and verify that the app is available. Be sure to check the number of available licenses.
  10. Log in to the Microsoft Intune Management Portal, navigate to Administration>Mobile Device Management>Windows>Store for Business and select Sync Now.
  11. Once the sync completes, navigate to Apps>Volume Purchased Apps and verify that the app is available to be managed. Notice that you get information about the number of licenses available and deployed.

Add Users to Windows Store for Business


You can add additional users to the Windows Store for Business (WSfB). In addition to the first account you add, which is automatically the Global Admin, there are three additional built-in roles:

  1. Admin: Manage account settings, acquire apps, distribute apps, sign policies and catalogs
  2. Purchaser: acquire and distribute apps
  3. Device Guard signer: sign policies and catalogs

To add an account, follow these instructions:

  1. Log in to the Windows Store for Business with your management account.
  2. Navigate to Settings>Permissions.
  3. On the Permissions screen click Add People.
  4. On the Assign roles to people screen, add the email address of the person you wish to add, assign them a role, and then click Save.

Adding a Payment Method to your Windows Store for Business Account


Whether you are using the Windows Store for Business alone or integrated with Microsoft Intune or System Center Configuration Manager, in order to perform bulk purchases of apps that require a paid license in the Windows Store for Business (WSfB), you will need to add a payment method to your account. This will involve adding a credit card to the account. This process is fairly straightforward, and most SysAdmins should have no problem with it. So why, then, did I create this blog post?

In many larger organizations, the SysAdmin is not responsible for procurement and does not have access to the corporate credit card that will be used to make purchases. So you can pass this on to your procurement office and let them enter the credit card information for you. You can add an additional WSfB account for the procurement officer if required.


  1. Log in to the Windows Store for Business with your management account.
  2. Navigate to Manage>Account information.
  3. Select Show my payment options.
  4. Select Add new payment method.
  5. Add the appropriate credit card information and then click Next.
  6. Verify your information and then click Save.
  7. Once you see the payment method listed, including the credit card’s last four digits and the expiry date, click Close.

Now you can make paid license purchases from the WSfB.

Horton Hears a Who: Why Identity Matters


When moving to Microsoft Online services such as Dynamics Online, Office 365 and Intune, the first thing you will need to do is set up your Azure Active Directory. You can just replicate your existing on-premises AD to Azure, but there is an opportunity to rethink your Identity Management (IdM) strategy.

When we talk about securing data or securing devices (mobile or otherwise), what are we really trying to achieve? Do we really care if somebody has a copy of our data if we still have a copy? I suppose it depends on the nature of that data. If I run an eCommerce site and the data is my product catalog, I probably don’t care. If the data happens to be credit card information from online transactions, I probably care, especially if the data gets into the wrong hands. We probably care more about who (remember that word: “who”) has access to the data, rather than that the data has been copied. In fact, creating and managing copies is part of a complete disaster recovery or business continuity plan.

Similarly, we might care that a mobile phone, tablet, laptop or desktop has been lost or stolen, but for most organizations the replacement cost of the device is rather inconsequential. In reality, the risk associated with a lost device is the access to data that the device might provide, either data on the device or data that the device might have online access to.

There are many ways to secure data, mostly associated with some form of encryption. Encryption is useful in preventing access to data, but what’s the point of data if nobody has access to it?

At some point, somebody will have a legitimate reason to access the data, whether it is for processing an online transaction or modifying a document. Of course we care about who (there’s that word again) has the access. Preventing unauthorized access is important, but is it more important than enabling authorized access? That’s a topic for another day.

The point is that it’s about people. The only reason we have devices, applications and data is to allow people to do something productive.

We care about who has access to our data on which devices and in which locations. In reality we really only care about the devices and location because if we don’t trust the device or location the data may become accessible to somebody who should not have the access. If we could guarantee the security of the device and the location, we would still care about who has access. If we could guarantee who has access, we probably wouldn’t care too much about the location or the device.

Let’s circle back to Microsoft online services. Both Office 365 and Enterprise Mobility Suite provide some powerful features to help you secure data, devices and applications. I encourage you to investigate the use cases for these in your organization, but remember that at the foundation of your security strategy lies the user. This is a great opportunity to revisit your IdM strategy and go beyond just deciding on Cloud Identity, Directory Synchronization or Federated Identity. If you do, I predict you will be able to get more out of your investment in Microsoft Online services.

In the classic Dr. Seuss book Horton Hears a Who, Horton the elephant is the only one able to notice the Whos. Be like Horton. Focus on the WHO!

Microsoft Intune – How to add Free Apps from the Windows Store for Business


While you can use either Microsoft Intune or System Center Configuration Manager (ConfigMgr) to deploy and perform some management tasks on applications from the Windows Store for Business (WSfB), you will still need to use the WSfB console to actually acquire apps. Once acquired, they can be synchronized with your preferred management platform (Intune or ConfigMgr).

In a previous post I described how to set up Intune to work with the Windows Store for Business. In this post I will describe how to acquire new apps from the store. This post will not cover LOB apps or the Private store. I’ll save those for future posts.


These instructions assume that you already have a WSfB account that is synchronized with an Intune subscription. You can find details on how to set that up in my previous post, Managing Windows Store for Business Apps with Microsoft Intune.

These instructions assume that you are adding free apps. I have other posts on configuring payment methods and purchasing and managing paid apps. No credit card is required to follow these instructions.


  1. Log in to the Windows Store for Business with your management account.
  2. Select Shop.
  3. Use the search tool or the category browser to find the application you want to add to your account.
  4. Click on the app tile to go to the App page. On the App page click Get the app.
  5. Once the app is added to your inventory you will get a confirmation message. Click Close.
  6. The application should now appear in your inventory. To verify this, navigate to Manage>Inventory.
  7. Check the list for the app you just added.
  8. Log in to the Microsoft Intune Management Portal, navigate to Administration>Mobile Device Management>Windows>Store for Business and select Sync Now.
  9. Once the sync completes, navigate to Apps>Volume Purchased Apps and verify that the app is available to be managed.

Managing Windows Store for Business Apps with Microsoft Intune


The rest of this post assumes that you already have a Windows Store for Business (WSfB) account associated with the Intune Global administrator account. If you don’t have one, sign up for one first. Go to, and click Sign up. You can also sign up from within the Microsoft Intune Admin Console.

  1. Sign in to the Windows Store for Business with your existing WSfB account.
  2. If you are presented with a services agreement, print out a copy, send it to your lawyer and wait for him to review the agreement and approve it. Or just accept it and move on.
  3. From the WSfB console, navigate to Settings>Management Tools.
  4. You may see more than one tool listed. Look for Microsoft Intune and check the status. If it is set to Inactive, activate it by selecting
  5. If you are prompted to show offline-licensed apps, make the selection appropriate to your use case by selecting either Yes or No. You can always change your selection later.
  6. Log in to the Intune Admin console, navigate to Administration>Mobile Device Management>Store for Business and click Configure Sync.
  7. Check the box to Enable Windows Store for Business sync and select the language in which application metadata will be presented in the Admin console.
  8. Click OK.
  9. On the Store for Business page click Sync Now.
  10. Once the sync completes, you can manage volume purchased licenses from the Apps workspace. You can deploy WSfB apps the same way as other Intune managed apps.