Oct19 Meetup: Modern Workplace Management by Mirko Colemberg

Transcript

1. MODERN WORKPLACE EVERY DAY

2. About me… Mirko Colemberg Workplace Mentor Windows Insider MVP /

   Enterprise Mobility MVP / MVM Contact Me: Twitter: @mirkocolemberg Blog: http://blog.Colemberg.ch Mail: [email protected]

3. Daily Challanges RBAC (Role Base Access Control) Graph API Compliance

   Reporting / Audit

4. RBAC in Azure/Intune

5. Overview RBAC

6. Scope Tags Tags are used to tag for example objects

   in Intune. These objects can be devices, policies, profiles and so on. If you have a group of device objects, you have to tag them separately. Unfortunately, there is no possibility of tagging a whole bunch of clients at the same time. In this case it is easier to use a script and do it with Graph API: https://github.com/microsoftgraph/po wershell-intune- samples/tree/master/RBAC#12- rbac_scopetags_deviceunassignps1

7. Scope Group Scope Group means that there are some users

   or devices to manage such as a limited group of objects like devices (iOS, Android or Windows) or only part of them such as all iOS from Marketing, etc.

8. Member Group Member are one or a group of people

   who have to manage the objects in the Scope Group.

9. Role Roles have different kinds of permissions. A role can

   have only “Read” rights on specific objects or “Write” or “Create” rights. We can for example grant access to create a new configuration profile or only change a Config profile with reading and writing access. A role can be used multiple times.

10. Assigenment The Assignment contains Tags, Groups and Group Members. They

    are assigned to a role, which is able to only one or even multiple assignments.

11. Scope tag on a Device

12. Microsoft GRAPH HTTPS://GRAPH.MICROSOFT.COM/ A unified REST API endpoint Single resource

    that proxies multiple Microsoft services Allows for easy traversal of objects and relationships Access to data and intelligence Eliminates the need to discover endpoints Only one OAuth access token needed Available as a public API

13. GRAPH

14. Intune in Azure

15. Microsoft graph – calling the API • Version: /v1.0 or

    /beta • Resource / Route: /users, /groups, /sites, /drives, /devices, more… • Member from collection: /users/dave • Property: /users/dave/department • Traverse to related resources via navigations: /users/dave/memberof • Query parameters: /users/dave/memberof?$top=5 o Format results: $select $orderby o Control results: $filter $expand /{version} ?{query-parameters} /{resource}/{id}/{property} /v1.0/users?$filter=u serPrincipalName eq '[email protected]'

16. Microsoft Graph – Query Format REST requests use Standard HTTP

    methods GET POST PUT PATCH DELETE Provides the ability to pull data from Microsoft Graph Provides the ability to POST / ADD data into Microsoft Graph Provides the ability to PUT / ASSIGN data into Microsoft Graph Provides the ability to PATCH / UPDATE resources Provides the ability to DELETE individual resources from Microsoft Graph Data returned in JSON format Data sent to the service in JSON format Data sent to the service in JSON format Data sent to the service in JSON format

17. Microsoft Graph – Relationships Microsoft Graph can show the relationships

    that it has with different resources GET: https://graph.microsoft.com/v1.0/me { "displayName": "Tenant Admin Account", "preferredLanguage": "en-US", "userPrincipalName": [email protected] } GET: https://graph.microsoft.com/v1.0/me/memberOf { "@odata.type": "#microsoft.graph.group", "id": "ee0af6a3-db7c-47dd-ac77-b74e2a1b8676", "displayName": "All Users" } GET: https://graph.microsoft.com/v1.0/me/ownedDevices { "value" : […] } GET: https://graph.microsoft.com/v1.0/me/assignedLicenses { "disabledPlans": [], "skuId": "9bc22083-45c4-4d60-93f1-39a540ac7649“ } Groups Devices Licenses

18. What is JSON? JSON (JavaScript Object Notation) is a lightweight

    data-interchange format A collection of name/value pairs. In various languages, this is realized as an object, record, struct, dictionary, hash table, keyed list, or associative array. An ordered list of values. In most languages, this is realized as an array, vector, list, or sequence. { "userPrincipalName": "[email protected]", "accountEnabled": true, "passwordProfile": { "password": "Password123", "forceChangePasswordNextLogin": false }, "mailNickname": "bob", "usageLocation": "GB", "displayName": "Bob Smith" }

19. Using the API – Graph Explorer Request and see responses

    from Microsoft Graph Supports v1.0 and beta APIs Provides Sample Queries Activity History

20. F12- Developer Mode • F12 in any web browser will

    bring you the developer mode • Here you can see all the Graph API calls and which methods that’s being used.

21. Intune – Powershell SAMPLES GITHUB https://github.com/microsoftgraph/powershell-intune-samples

22. Intune – PowerShell Module Available on GitHub today and in

    PowerShell Gallery: https://aka.ms/intunepowershell https://www.powershellgallery.com/pa ckages/Microsoft.Graph.Intune Supports v1.0 Graph Endpoints Parameter sets for properties PowerShell credentials for Authentication PowerShell Pipeline

23. Graph Tools / Scripts • https://github.com/petripaavola/Yodamiitti_In tuneManagementGUI_CommunityEdition

24. None
25. None

26. Compliance Waiting Time Security Severity -> 24h? Overview in Portal

27. Compliance

28. Reporting / Audit - Graph - Intune DWH - Overview

    - Seperated in every Section - Summary?

29. Reporting / Audit

30. Share your ideas •Share your voice / ideas! • http://microsoftintune.uservoice.com/

    • http://configurationmanager.uservoice.com/