Skill 3.3: Manage devices with Microsoft 365 Solution
of Microsoft 365 management functionality for specific users, depending on how they are configured,
and to which groups they belong.
You can add users to Microsoft 365 in several ways including:
Create users manually in the Microsoft 365 Admin Center.
Synchronize user accounts with Active Directory Domain Services.
Import users from a comma-separated values (CSV) file.
IMPORTANT MICROSOFT 365 USER LICENSES
A user must be assigned a license from your Microsoft 365 subscription before they can sign in to and use the
Microsoft 365 services. A licensed user can download the latest version of Microsoft Office to their
devices and can enroll up to five devices into Microsoft Intune.
Creating users manually
You can create users manually within the Microsoft 365 Admin Center by entering the information
about each user. To create a user account in the Microsoft 365 Admin Center, perform the following steps:
1. Sign in to Microsoft 365 at https://www.office.com, and click the Admin tile.
2. On the Admin center Home page, click Add a User in the Users area.
3. On the New User page, complete the fields (Display Name, User Name and Product licenses are
required) and then click Next.
4. Click Add.
Synchronizing user accounts with Active Directory Domain Services
Microsoft 365 can integrate with Active Directory Domain Services (AD DS) to provide user
account synchronization from AD DS to Microsoft 365. This synchronization process enables you to
avoid duplicate account creation and information by leveraging the information already stored in your
on-premises Windows Server Active Directory (AD DS), and importing it into Microsoft 365 through
the synchronization process. Microsoft 365 uses Azure Active Directory (AAD) to store user
information, which can also be used with other Microsoft cloud products such as Microsoft Azure
and Office 365.
The primary component required by the synchronization process is the Azure AD Connect tool, which
provides integration between AD DS and AAD. Once configured, Azure AD Connect synchronizes the
selected AD DS user accounts and attributes to Microsoft 365. You can synchronize Microsoft 365 with
AD DS by using Azure AD Connect in two primary ways:
Azure AD Connect sync Azure Active Directory Connect synchronization services (Azure AD
Connect sync) synchronizes identity data between your on-premises environment and Azure AD.
Optionally, password hashes are synchronized from AD DS to AAD (password hash synchronization) so
that users keep a single account and password. An alternative to password hash synchronization is
pass-through authentication, where Azure AD forwards each sign-in request to an authentication agent
running on-premises, which validates the password against AD DS; no password hashes need to leave
the on-premises directory.
Azure AD Connect and federation This method uses Active Directory Federation Services (AD FS)
to provide single sign-on between Azure Active Directory and your on-premises AD DS. With
federated sign-in, Azure AD redirects the user to your AD FS farm, and the user signs in to Azure AD
based services with their on-premises credentials. Federation puts AD FS directly in the cloud sign-in
path, so the AD FS servers and their token-signing certificate need the same protection as a domain
controller.
MORE INFO DIRSYNC IS NO LONGER SUPPORTED
Azure AD Connect replaces the older identity integration tools, DirSync and Azure AD Sync, which
are now deprecated; DirSync reached the end of support on April
Importing users from a CSV file
There are many situations in which you do not have Active Directory Domain Services, or in which
you have user information from another source, such as another directory service or a human
resources database. In these cases, the information can usually be exported from the source to a
comma-separated values (CSV) file, which can then be used to create the users in Microsoft 365.
To import users from a CSV file, perform the following steps:
1. Sign in to Microsoft 365 at https://www.office.com, and click the Admin tile.
2. In the Admin center, click Users in the navigation pane.
3. On the Users page, click New, type Import into the search bar, and click the Search icon.
4. In the results pane, select Import Multiple Users.
5. In the Import Multiple Users screen, click Browse, locate the CSV file you want to use, and
optionally click Verify.
6. After the file has been selected, click Next.
7. On the Set User Options page, choose whether the users can sign in to the account, select their
location, and allocate any product licenses the users need. (If you do not want to allocate a
product license at this time, select the option to Create user without product license.)
8. On the View your results page, you can choose to download the import results or email them.
Read the warning: the initial, system-generated passwords for the new users are contained in the
results report. Treat that report as a credential file: send it only to the administrator who will
distribute the passwords, delete it once the users have signed in, and make sure the new accounts
are required to change their password at first sign-in.
9. Click Send and close.
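The portal wizard's Verify button checks the file format, but not whether every user name is in a domain your tenant has verified, whether an account already exists, or whether the file lists the same user twice, each of which stops an import partway through. The following script is an added example, not code from the book, that runs those checks before you upload and can optionally create the accounts itself so that the initial passwords are never written into a shared results report. It assumes the Microsoft.Graph PowerShell module is installed and that you have already run Connect-MgGraph with the User.ReadWrite.All and Domain.Read.All scopes; the file uses the 'User Name' and 'Display Name' column headers of Microsoft's import template, and C:\Temp\users.csv is a placeholder path.

```powershell
# Added example (not part of the original book text). Pre-flight checks on a CSV
# laid out like the "Import Multiple Users" template, then optional bulk creation
# through Microsoft Graph. Assumes: Microsoft.Graph module installed and
# Connect-MgGraph -Scopes 'User.ReadWrite.All','Domain.Read.All' already run;
# C:\Temp\users.csv is a placeholder path.
param(
    [string]$Path = 'C:\Temp\users.csv',
    [string]$UsageLocation = 'US',   # required before a license can be assigned
    [switch]$Create                  # without this switch the script only validates
)

$rows = @(Import-Csv -Path $Path)
if ($rows.Count -eq 0) { throw "No rows found in $Path" }
$problems = [System.Collections.Generic.List[string]]::new()

# 1. Required template columns must be present with exactly these names.
$headers = $rows[0].PSObject.Properties.Name
foreach ($col in 'User Name', 'Display Name') {
    if ($col -notin $headers) { $problems.Add("missing required column '$col'") }
}

# 2. Each User Name must be a UPN in a domain verified for this tenant and must not
#    collide with an existing account.
$verified = (Get-MgDomain | Where-Object IsVerified).Id
$existing = (Get-MgUser -All -Property UserPrincipalName).UserPrincipalName
foreach ($r in $rows) {
    $upn = "$($r.'User Name')".Trim()
    if ($upn -notmatch '^[^@\s]+@([^@\s]+)$') { $problems.Add("'$upn' is not a valid UPN"); continue }
    if ($Matches[1] -notin $verified) { $problems.Add("'$upn': domain $($Matches[1]) is not verified in the tenant") }
    if ($upn -in $existing)           { $problems.Add("'$upn' already exists in the tenant") }
    if ([string]::IsNullOrWhiteSpace($r.'Display Name')) { $problems.Add("'$upn' has an empty Display Name") }
}

# 3. The same UPN listed twice in the file fails halfway through an import.
foreach ($g in ($rows | Group-Object 'User Name' | Where-Object Count -gt 1)) {
    $problems.Add("'$($g.Name)' appears $($g.Count) times in the CSV")
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($problems.Count) problem(s) above before importing."
}
Write-Host "$($rows.Count) row(s) passed validation."

if ($Create) {
    foreach ($r in $rows) {
        $upn = $r.'User Name'.Trim()
        # 16-character random initial password; the user must replace it at first sign-in.
        $pw = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
        $null = New-MgUser -UserPrincipalName $upn -DisplayName $r.'Display Name' `
            -MailNickname $upn.Split('@')[0] -AccountEnabled -UsageLocation $UsageLocation `
            -PasswordProfile @{ Password = $pw; ForceChangePasswordNextSignIn = $true }
        # The credential is emitted to the console only; deliver it to the user out of band.
        [pscustomobject]@{ UserPrincipalName = $upn; InitialPassword = $pw }
    }
}
```

Run it without -Create first; it exits non-zero with one warning per bad row, so it can sit in front of the portal import as a gate. With -Create it replaces the wizard entirely, and because every password is generated per user and flagged ForceChangePasswordNextSignIn, there is no results report holding live credentials to protect afterwards.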
Enroll devices into Microsoft 365 Business
When you enroll devices into Microsoft 365 Business, they must be running Windows 10 Pro, version
1703 (Creators Update) or later. If you have any Windows devices running Windows 7 Pro,
Windows 8 Pro, or Windows 8.1 Pro, the Microsoft 365 Business subscription entitles you to
upgrade them to Windows 10 Pro.
Microsoft 365 Business includes a set of device management capabilities powered by Microsoft
Intune, but not the full Intune solution, which is available with Microsoft 365 Enterprise.
To enroll a brand new device running Windows 10 Pro into Microsoft 365 Business, follow these steps:
1. Go through Windows 10 device setup until you get to the How Would You Like To Set Up?
page as shown in Figure 3-11.
Windows 10 device setup
2. Choose Set up for an organization, and then enter the username and password of a user account
in your Microsoft 365 Business subscription (the new user's account, not the tenant admin account).
3. Finish Windows 10 device setup.
4. The device is joined to your organization's Azure AD and enrolled for management.
5. You can verify that the device is connected to Azure AD by signing in to the device, clicking the
Windows logo, and then clicking the Settings icon.
6. In Settings, go to Accounts.
7. On the Your info page, click Access Work Or School.
8. You should see that the device is Connected to your organization. Click your organization name
to expose the Info and Disconnect buttons.
9. Click Info to see the synchronization status.
10. To verify that the device has been upgraded to Windows 10 Business edition, click the
Windows logo and type About.
11. Confirm that the Edition shows Windows 10 Business, as highlighted in Figure 3-12.
Windows 10 device setup
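Steps 5 through 11 can be checked from a single PowerShell prompt on the device, which is easier when you are verifying more than one machine. The following is an added example, not code from the book; it relies only on dsregcmd.exe and the Win32_OperatingSystem CIM class, both of which ship with Windows 10, and makes no assumptions about the tenant.

```powershell
# Added example (not part of the original book text): confirm from PowerShell that a
# Windows 10 device joined Azure AD, is enrolled for management, and received the
# Business edition, instead of clicking through Settings and About.
function Get-AzureAdJoinState {
    $fields = @{}
    # dsregcmd /status prints "Key : Value" lines grouped under boxed headers; keep the pairs.
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        AzureAdJoined     = $fields['AzureAdJoined'] -eq 'YES'    # device identity lives in Azure AD
        AzureAdRegistered = $fields['WorkplaceJoined'] -eq 'YES'  # "Add work account" style registration only
        DomainJoined      = $fields['DomainJoined'] -eq 'YES'     # on-premises AD DS join
        TenantName        = $fields['TenantName']
        DeviceId          = $fields['DeviceId']
        MdmUrl            = $fields['MdmUrl']                     # empty when the device is not MDM-enrolled
        Edition           = $os.Caption                           # e.g. "Microsoft Windows 10 Business"
        Build             = $os.Version
    }
}

$state = Get-AzureAdJoinState
$state | Format-List

# The same checks the book performs through Settings > Accounts and About:
if (-not $state.AzureAdJoined) {
    Write-Warning "Not Azure AD joined: 'Set up for an organization' was skipped, or a personal account was used."
}
if (-not $state.MdmUrl) {
    Write-Warning "No MDM enrollment URL: the device is joined but not managed by Microsoft 365 Business."
}
if ($state.Edition -notmatch 'Business|Enterprise') {
    Write-Warning "Edition is '$($state.Edition)': the Business upgrade has not applied yet; sign out and back in, then re-check."
}
```

AzureAdRegistered is reported separately because a device that a user merely registered with an Add Work Account action shows Connected in Settings as well, but it is not joined and does not receive the edition upgrade or device policies; that distinction is easy to miss in the GUI.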
Even though Microsoft 365 Business does not include the full Intune support or provide a link from
the Microsoft 365 Business Admin portal, you do have access to Intune App Protection in the Azure
portal. This allows you to view app protection settings for Windows 10, Android, and iOS devices.
To access the Intune App Protection blade follow these steps:
1. Sign in to the Azure portal at https://portal.azure.com with your Microsoft 365 Business admin account.
2. Choose More Services, type Intune into the filter, and select Intune App Protection.
3. Select App Policy.
IMPORTANT MICROSOFT 365 LICENSE RESTRICTION
Take care when modifying settings in the Intune blades of the Azure portal, because the Microsoft 365
Business subscription licenses you to modify only the Intune settings that map to the settings
available in Microsoft 365 Business.
Enroll devices into Microsoft 365 Enterprise
For larger organizations, with over 300 users and devices, the Microsoft 365 Enterprise solution
includes Microsoft Intune for device & app management. Microsoft Intune supports enrollment in a
number of different ways, depending on the device being enrolled as described in the section related
to enrolling devices into Intune.
When enrolling devices into Microsoft 365 Enterprise, they must be running Windows 10
Enterprise, version 1703 (Creators Update) or later. Devices running an earlier version of Windows,
are able to upgrade to Windows 10 Enterprise as part of the Microsoft 365 Enterprise licensing.
If you want to enroll a large number of devices in an enterprise scenario, you can use a Device
Enrollment Manager (DEM) account in Microsoft Intune. The DEM is a special account in Microsoft
Intune that can enroll up to 1,000 devices (by default, standard users can enroll and manage up to
five devices). For security reasons, the DEM user should not also be an Intune administrator. Because a
single DEM credential can enroll a thousand devices, treat it like a service account: give it a strong,
unique password, restrict who may use it, and do not use it for day-to-day sign-in on the devices it enrolls.
Each enrolled device requires a single Intune license.
By default, there is no device enrollment account user present in Microsoft Intune. You can create a
device enrollment account by performing the following steps:
1. In the Azure portal, choose More Services > Monitoring + Management > Intune.
2. On the Intune blade, choose Device Enrollment, and then under Manage, choose Device Enrollment Managers.
3. Select Add.
4. On the Add User blade, enter the username for the DEM user, and select Add. The user is
promoted to the DEM role.
5. Close the Add User blade.
6. The list of Device Enrollment Managers now contains the new user as shown in Figure 3-13.
List of Device Enrollment Managers
MORE INFO ENROLL DEVICES USING DEVICE ENROLLMENT MANAGER
For more information on the DEM in Microsoft Intune, together with example scenarios and
limitations of devices that are enrolled with a DEM account, visit the following URL at
View and manage all managed devices
For Microsoft 365 Business subscription administrators, you can manage your enrolled devices
directly from the Microsoft 365 Business Admin portal Home screen as shown in Figure 3-14.
Microsoft 365 Business Admin portal Home screen
On the Microsoft 365 Business Admin portal Home screen, you have tiles available to perform the
following tasks related to devices:
Manage Device Policies Including Add policy, Edit policy and Delete policy.
Manage Device Actions Including Deploy Windows with Autopilot, Remove company data,
Factory reset, and Manage Office Deployment.
Perform Windows 10 Upgrade Including Install upgrade, Share the download link, create
installation media, and troubleshoot installation.
For Microsoft 365 Enterprise, and for businesses with a Microsoft Intune subscription, managed
devices can be viewed from several different pages in either the classic Intune portal or from Intune
in the Azure portal.
The Groups page, in the classic Intune console, as shown in Figure 3-15, contains views for
devices based on Microsoft Intune group membership. The following default views will provide
access to a list of devices that correspond with the definition of that view:
All Corporate Pre-enrolled devices
List of managed devices in the classic Intune portal
From these views, you can manage and interact with the devices listed, including retire or wipe a
device, and perform tasks, such as remotely lock the device.
In the modern Intune portal, in Azure, you can navigate to the Devices pane to view the devices
you manage and perform remote tasks on those devices.
To access the Devices workload, perform these steps:
1. Sign in to the Azure portal at https://portal.azure.com.
2. Choose More Services > Monitoring + Management > Intune.
3. In Intune, choose Devices.
View information about devices and perform the remote device actions as follows:
Overview A snapshot of the enrolled devices you can manage.
All devices A list of the enrolled devices you manage. Select a device to view device
Azure AD devices A list of the devices registered or joined with Azure Active Directory
(AD) as shown in Figure 3-16.
A list of managed Azure AD devices in the modern Intune portal
Device actions This option provides a history of the remote actions performed on enrolled
devices including the action taken, its status, time and who initiated the action.
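The All devices and Azure AD devices panes answer the questions above one device at a time. The script below is an added example, not code from the book, that pulls the same two inventories through Microsoft Graph and flags what a security reviewer looks for first: devices that are not compliant, devices that have stopped checking in, and Azure AD device objects that have no Intune record at all (joined or registered, but unmanaged). It assumes the Microsoft.Graph PowerShell module and a Connect-MgGraph session with the DeviceManagementManagedDevices.Read.All and Device.Read.All scopes; the 30-day staleness threshold is a chosen default, not a Microsoft value.

```powershell
# Added example (not part of the original book text): the Intune "All devices" and
# "Azure AD devices" views as a single report, with the rows that need attention flagged.
# Assumes Microsoft.Graph module and
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Device.Read.All'.
param([int]$StaleDays = 30)   # our own threshold for "stopped checking in"

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$managed = @(Get-MgDeviceManagementManagedDevice -All)
$aadDevs = @(Get-MgDevice -All)

$report = foreach ($d in $managed) {
    $flags = @()
    if ($d.ComplianceState -ne 'compliant') { $flags += "compliance=$($d.ComplianceState)" }
    if (-not $d.LastSyncDateTime)           { $flags += 'never synced' }
    elseif ($d.LastSyncDateTime -lt $cutoff) { $flags += "no check-in since $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))" }
    [pscustomobject]@{
        DeviceName = $d.DeviceName
        User       = $d.UserPrincipalName
        OS         = "$($d.OperatingSystem) $($d.OsVersion)"
        Ownership  = $d.ManagedDeviceOwnerType    # company or personal
        LastSync   = $d.LastSyncDateTime
        Flags      = $flags -join '; '
    }
}

# Azure AD device objects with no matching Intune record: present in the directory
# (and therefore able to satisfy a device-based Conditional Access check) but unmanaged.
$managedIds = $managed.AzureAdDeviceId
$unmanaged  = @($aadDevs | Where-Object { $_.DeviceId -notin $managedIds })

"Managed devices: $($managed.Count); flagged: $(@($report | Where-Object Flags).Count)"
$report | Where-Object Flags | Sort-Object LastSync | Format-Table -AutoSize
"Azure AD devices with no Intune record: $($unmanaged.Count)"
$unmanaged | Select-Object DisplayName, OperatingSystem, TrustType, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime | Format-Table -AutoSize
```

The unmanaged list is the one to reconcile with the Device actions history: a device that was retired or wiped from Intune keeps its Azure AD object unless you also delete or disable it there, and a stale but enabled device object is what an attacker reuses to look like a known device.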
Configure Microsoft Intune subscriptions
Microsoft Intune subscriptions dictate the capabilities and the number of users that an instance of Microsoft
Intune can support. You configure several subscription management options in the Billing section of
the Microsoft 365 Admin Center:
Subscriptions This page displays the active subscriptions and includes a summary of the licenses
available and assigned for each subscription. For each subscription, the renewal date (or the
expiration date for trial subscriptions) is shown. There is also an Add subscription link that
redirects you to the Purchase Services page, where you can purchase additional licenses.
Bills From the Bills page, you can view the bills and charges for your tenant for any time in the
previous 12 months. You can then print or save a PDF copy of the invoice.
Licenses The Licenses page displays which licenses have been attached to the Microsoft 365
subscription, as shown in Figure 3-17. To add more licenses, open the Subscriptions page, choose
the subscription that you want to add licenses to, and then choose Add/Remove licenses.
The Licenses page in Microsoft 365
Purchase Services This page lets you purchase additional licenses.
Billing notifications Allows you to configure how your billing statement is sent. You can
configure each administrator to receive a separate email with the billing statement.
Configure the Microsoft Service Connection Point role
The System Center Configuration Manager service connection point is a site system role that connects
a System Center Configuration Manager (Current Branch) site to Microsoft cloud services, including
Microsoft Intune, so that Configuration Manager can manage Intune-enrolled devices (the hybrid MDM
configuration).
The service connection point is installed on a System Center Configuration Manager site system and
communicates with the Microsoft Intune service, so that Intune-managed devices can be administered
from the System Center Configuration Manager console, thereby extending the scope of your System
Center Configuration Manager environment to the Internet. Microsoft retired hybrid MDM on
September 1, 2019; in current deployments, mobile devices are managed from Intune directly
(optionally with co-management), and the service connection point remains in use for updates and
other cloud services.
The service connection point can operate in either online or offline mode:
Online mode The service connection point automatically checks every 24 hours for updates. If
updates for your current infrastructure and product version are available, they are downloaded
and made available in the Configuration Manager console.
Offline mode Used when the site server has no Internet access. You must manually use the Service
Connection Tool for System Center Configuration Manager to import available updates.
To configure the service connection point role in System Center Configuration Manager, perform the
following steps:
1. In the Configuration Manager console, click Administration.