AAD Dynamic Groups, Controlled MFA Registration, Intune + Admin Templates and AIP Log Analytics

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Hi folks – this morning, I’m taking a little side-trip away from my series about the modern Microsoft productivity platform for a brief review of a handful of new or lesser-known gems.


I’m going to touch on four capabilities, all of which are part of the “E3” license-class of EMS/M365 (as such, I bet many of you own/have access to these now).

  • My goal here is to intrigue you, not to provide a deep-dive. I’m showing you the water; it’s up to you if you want to drink or not.

Azure AD - Dynamic Groups for Devices

Dynamic groups are neat – as you’d expect, the membership is populated (and de-populated) based on attributes of in-scope objects (users or devices) - https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-create-rule


For devices, there are numerous ways to use dynamic groups, such as our AutoPilot PC deployment system. It can leverage dynamic device groups to target the “right” deployment profiles to the “right” devices - https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group


In my lab environment, I have that set up, but I also set up my own dynamic device groups to filter Intune policies.


First, I created “Device Categories” in Intune for “Field Device” and “Corporate Device” types.


As users enroll devices into Intune, they are prompted to select ‘Field Device’ or ‘Corporate Device.’ This sets a tag on the device itself and on the device object in Intune.

  • Company Portal enrollment UI:


  • Company Portal device settings UI:


  • Device object properties in Intune:


  • In AAD, I created two dynamic device groups that key on that ‘deviceCategory’ tag/attribute:


  • One dynamic group pulls in devices where that value = ‘Corporate Device’
  • Another pulls in all devices where that value = ‘Field Device’
    • Here’s my “Field Devices” Group and the iPhone ‘member’ (from above):


Intune policies are then assigned to those groups accordingly:

  • Field Devices get policies assigned to the Field Devices Group
  • Corporate Devices get policies assigned to the Corporate Devices Group
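To make the "key on deviceCategory" idea concrete, here is an added example (mine, not from the post or from Azure AD): a small evaluator for membership rules written in the rule syntax from the docs linked above, run against constructed device objects. The rule grammar it understands is a subset (flat `-eq`/`-ne` clauses joined by `and`/`or`, exact string match), and the device records are made up for the demo.

```python
"""Evaluate Azure AD-style dynamic device-group rules against device objects.
Added example; the grammar subset and the device records are assumptions."""
import re
from typing import Dict, List

# One clause looks like:  (device.deviceCategory -eq "Field Device")
# Clauses may be joined by 'and' / 'or'; evaluated left to right (no precedence).
_TOKEN = re.compile(
    r'\(\s*device\.(\w+)\s+(-eq|-ne)\s+"([^"]*)"\s*\)|\b(and|or)\b', re.I)


def evaluate_rule(rule: str, device: Dict[str, str]) -> bool:
    """Return True when the device satisfies the membership rule."""
    result, op = None, None
    for m in _TOKEN.finditer(rule):
        prop, cmp_, value, logic = m.groups()
        if logic:                       # 'and' / 'or' between clauses
            op = logic.lower()
            continue
        actual = device.get(prop)       # missing attribute -> None
        clause = (actual == value) if cmp_.lower() == "-eq" else (actual != value)
        if result is None:
            result = clause
        elif op == "and":
            result = result and clause
        else:
            result = result or clause
    return bool(result)


def compute_membership(rule: str, devices: List[Dict[str, str]]) -> List[str]:
    """Names of devices matching the rule. Membership is derived purely from
    attributes, so changing a device's category moves it between groups."""
    return sorted(d["displayName"] for d in devices if evaluate_rule(rule, d))


# Constructed device objects (the iPhone mirrors the post's 'Field Device' member).
DEVICES = [
    {"displayName": "iPhone-Field01", "deviceCategory": "Field Device", "deviceOSType": "iOS"},
    {"displayName": "LAPTOP-CORP01", "deviceCategory": "Corporate Device", "deviceOSType": "Windows"},
    {"displayName": "LAPTOP-UNSET", "deviceOSType": "Windows"},   # user never picked a category
]
FIELD_RULE = '(device.deviceCategory -eq "Field Device")'
CORP_RULE = '(device.deviceCategory -eq "Corporate Device")'

if __name__ == "__main__":
    print("Field Devices:", compute_membership(FIELD_RULE, DEVICES))
    print("Corporate Devices:", compute_membership(CORP_RULE, DEVICES))
```

The uncategorized laptop lands in neither group, which is exactly why a policy assigned only to these groups never reaches it; worth a check if you rely on the groups for baseline security policy.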

Azure AD - Secure MFA registration

This one has been brought up frequently: “Provide controls for MFA registration based on CA ‘Conditions’ (such as trusted/compliant device, trusted networks, etc.).”

In my lab, I defined a Conditional Access Policy (CAP) that only allows MFA registration from one of my trusted locations (which I’ve also defined in AAD).



In this case, the policy definition structure for the “Locations” condition in CA is akin to a ‘whitelist’ model - you block access from everywhere (in this case, to security registration), but then you “exclude” the policy from applying within ‘All trusted locations.’
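The "block everywhere, then exclude trusted locations" model, as an added example (mine, not from the post): the policy is written as a Microsoft Graph-style conditionalAccessPolicy object targeting the security-info registration user action, and a small evaluator shows which sign-ins it blocks. The evaluator is a simplified stand-in for the real Conditional Access engine (an assumption; it ignores users, device state, report-only mode and other conditions), and the location names are constructed.

```python
"""Simplified evaluation of a CA policy that restricts security-info (MFA)
registration to trusted locations. Added example; the policy object follows
the Graph conditionalAccessPolicy shape, the engine is a toy (assumption)."""
from typing import Dict, List

REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"   # the 'Register security information' user action

# Constructed policy: all users, only the registration user action, every
# location included, trusted locations excluded, grant = block.
MFA_REGISTRATION_POLICY: Dict = {
    "displayName": "Block security info registration outside trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": [],
                         "includeUserActions": [REGISTER_SECURITY_INFO]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def location_in_scope(locations: Dict[str, List[str]], location_id: str, trusted: bool) -> bool:
    """True if the sign-in location is inside the condition after exclusions,
    i.e. the 'whitelist by exclusion' step the post describes."""
    inc, exc = locations["includeLocations"], locations["excludeLocations"]
    included = "All" in inc or location_id in inc or ("AllTrusted" in inc and trusted)
    excluded = location_id in exc or ("AllTrusted" in exc and trusted)
    return included and not excluded


def is_blocked(policy: Dict, user_action: str, location_id: str, trusted: bool) -> bool:
    """Does this policy block the given user action from the given location?"""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    if user_action not in cond["applications"]["includeUserActions"]:
        return False                       # policy does not target this action
    if not location_in_scope(cond["locations"], location_id, trusted):
        return False                       # trusted location was excluded
    return "block" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    for loc, trusted in [("HQ-Office", True), ("Coffee-Shop-IP", False)]:
        verdict = is_blocked(MFA_REGISTRATION_POLICY, REGISTER_SECURITY_INFO, loc, trusted)
        print(f"{loc:15} registration {'blocked' if verdict else 'allowed'}")
```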


Intune - Administrative Templates

This one has also been a frequent customer request: “For decades, we’ve defined our policy settings for Windows via GPOs. Why can’t we mirror those GPO settings easily for deployment to Windows via Intune?”

Intune Configuration Profiles now include “Administrative Templates” support and there is a spot in the UI where those settings are all listed, searchable and sortable. Of course, as new ADMX files are released, Intune will reflect those updates, too.




BONUS - the Office ADMX settings are in there, too!



Azure Information Protection - Log Analytics and Centralized Client Logging

If you’ve been a reader of my previous posts, you know that I bring up auditing from time to time and I consider end-to-end auditing a pre-requisite for any enterprise solution. I want to be able to answer: “Who, what, where, when and why.” Answering ‘why’ can be difficult because ‘intent’ is usually in a person’s brain and not captured in an audit log. However, as you’ll see, with AIP logging, we can even answer ‘why’ sometimes.

In older versions of the AIP client, we only logged client activities in the local Event Log on the specific PC. In order to ‘centralize’ end-user AIP activities, one needed to setup Event Log Forwarding from all the target PCs. Don’t get me wrong, Event Log Forwarding is a helpful feature, but it’s certainly not ‘cloud-first; mobile-first.’

The AIP Product Group is not a team who sits on their heels (except Moser), so, they developed the AIP Log Analytics capability to improve on things.

  • All of the Product Groups do a heck of a job bringing out updates and new, progressive features to these cloud services each month - and they keenly listen to your Uservoice feedback to prioritize improvements and features - so keep on providing that feedback!

Starting with AIP client v1.41.51.0, activities are logged in the local system’s Event Log AND that log data can also be sent up to an Azure Log Analytics workspace you create in your Azure tenant. Once the data is there, we provide some nice UIs and filters so you can visualize your data and glean immediate insights (the raw data is also accessible from there, if you want to ‘roll your own’ queries).

  • NOTE – If you're wondering about the latency here, from end-point to cloud, it's brief – less than a minute to a few minutes vs hours or 1x per day. Take a look at the portal log entry time-stamp below and the corresponding event log entry. It's quick.







  • Below is a drill-down for the above “Downgrade label” Activity entry (top-most in the logs)
    • A sensitive Excel file had been labeled and encrypted (“Credit Card” was the label before and it had protection)
    • The user manually ‘downgraded’ the file’s label to “Public” - which doesn’t have protection.
  • In my policy settings, if a user downgrades or removes a label, the user is required to justify the change, answering to some degree ‘why?’
    • Portal setting:


    • End-user UI prompt:


    • AIP Activity Logs Portal UI:


NOTE – Here’s the corresponding local PC event log entry:




  • Drill-down details for files from one of the “Locations” above (a user’s OneDrive for Business site):
    • NOTE – The red boxes log another label downgrade action, so again, we require the user to justify the change – and log the ‘why’
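Once the activity data is in a workspace where you can ‘roll your own’ queries, the label-downgrade scenario above is a natural detection. Here is an added example (mine, not from the post or the AIP product): detection logic run over constructed AIP-style activity records. The field names are my own simplified schema, not the real Log Analytics column names, and every record is made up.

```python
"""Flag label downgrades/removals in AIP-style activity records, rating the loss
of protection and a missing justification as the interesting cases.
Added example; the record schema and the sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AipEvent:
    time: str
    user: str
    obj: str                       # file path or URL the label was applied to
    activity: str                  # "Set label", "Downgrade label", "Remove label"
    label_before: Optional[str]
    label_after: Optional[str]
    protected_before: bool         # did the old label apply protection (encryption)?
    protected_after: bool
    justification: Optional[str] = None   # the 'why', when policy forced the prompt


# Constructed sample: the first record mirrors the post's Credit Card -> Public downgrade.
EVENTS = [
    AipEvent("2019-01-15T14:02:10Z", "alice@contoso.example", "OneDrive/cards.xlsx",
             "Downgrade label", "Credit Card", "Public", True, False,
             "Sharing an anonymized sample with the vendor"),
    AipEvent("2019-01-15T14:05:33Z", "bob@contoso.example", "OneDrive/plan.docx",
             "Set label", None, "Credit Card", False, True),
    AipEvent("2019-01-15T14:09:47Z", "carol@contoso.example", "OneDrive/board.pptx",
             "Remove label", "Confidential", None, True, False),      # no 'why' recorded
    AipEvent("2019-01-15T14:12:02Z", "dave@contoso.example", "OneDrive/notes.txt",
             "Downgrade label", "Confidential", "General", False, False,
             "Draft contains nothing sensitive"),
]


def find_downgrades(events: List[AipEvent]) -> List[Tuple[str, str, str, List[str]]]:
    """One finding per downgrade/removal: (user, object, severity, reasons).
    Losing protection or lacking a justification raises severity to 'high';
    a justified downgrade between unprotected labels stays 'medium'."""
    findings = []
    for ev in events:
        if ev.activity not in ("Downgrade label", "Remove label"):
            continue
        reasons = []
        if ev.protected_before and not ev.protected_after:
            reasons.append("protection removed")
        if not ev.justification:
            reasons.append("no justification recorded")   # policy should have forced one
        findings.append((ev.user, ev.obj, "high" if reasons else "medium", reasons))
    return findings


if __name__ == "__main__":
    for user, obj, severity, reasons in find_downgrades(EVENTS):
        print(f"{severity:6} {user:24} {obj:22} {', '.join(reasons) or 'justified'}")
```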


If you like this stuff (and I know you do, or you wouldn’t be reading this), there are TONS more capabilities like these in the “value meal” that is the EMS suite which is also rolled up into the bigger “value meal” of Microsoft 365.


As I mentioned at the beginning of this post, many organizations own some/most/all of these capabilities. If you aren’t sure how to deploy or even how to get started, you’re not alone - and we can help!


If you could use some assistance, reach out. Microsoft offers many avenues from self-help, such as our deployment docs/guidance (AAD, Intune, AIP), to collaboration with our FastTrack program, Premier Services (hit up your Technical Account Manager), as well as Microsoft Partners.


