Earlier today we also announced Intune for Education – an administrative experience that is tailored for schools. We are incredibly excited to share these new experiences with you, and I want to share some of the philosophy and architecture behind the experience we’ve built.
It goes without saying that this is an exciting time for all of us working on and using Intune, Azure Active Directory Premium (AADP), and EMS. In addition to the work we’ve done with Intune for Education, we have been working on a new, integrated console for EMS that is built on the Azure console.
The work we’ve done here resets and redefines Enterprise Mobility.
I talk about these updates in great detail and show the console in this month’s edition of The Endpoint Zone.
An Integrated EMS Admin Experience
One area where Microsoft’s Enterprise Mobility vision has been most clearly articulated is convergence of identity management/protection, device and app management, security, data protection and productivity. A number of years ago, as we defined and started engineering what has come the Enterprise Mobility + Security (EMS), we had a perspective that the key scenarios Enterprise organizations would need were these:
Delivering these three things has required us to build comprehensive end-to-end scenarios across a number of services – Intune, Azure Active Directory, Azure Information Protection, Cloud App Security, and Office 365. The apps and backend services of these solutions are now in constant communication with each other as users access and use corporate data and apps. What we are delivering with this new EMS console is an integrated administrative experience that makes the end-to-end scenarios we’ve enabled far simpler, much more powerful, and even more flexible!
Here is an example of what I think is one of the most powerful scenarios that this new administrative console + integrated service infrastructure enables. Conditional Access enables IT to define the rules under which they will allow access to corporate data – which EMS then enforces in real-time.
With an integrated EMS console, we can now bring together all the different areas where IT wants to define risk polices that govern access – this allows you to define a complete and comprehensive set of rules. This is the new console experience for defining conditional access policies. Now you can define your access policies based on identity risk (e.g. is there anything suspicious about how an identity is being used), device risk (i.e. does the device meet your MDM policies), application risk (e.g. you could have different polices for a known/approved app vs. accessing through a browser), and location (i.e. apply different policies when on a corporate/known network vs. a public networks).
We will now evaluate in real-time the risk in each of those areas and only grant access to a service/application if the risk is within the constraints you define. These policies can be applied to 3,000+ SaaS apps as well as the applications you are hosting in your datacenter.
All of this means that you no longer have to go to one console to set identity policies, and then another console to set device/app policies. It’s all together!
Additionally, not only is it all in one place, but the capabilities of the service are also deeply integrated. In the example noted above, the Intune, AADP, and Office 365 services are all working together to the deliver and enforce the policies you define.
Built on the Microsoft Graph
The way we architected this new experience is really interesting.
To the right is a simplified view of how this all comes together. The console itself calls through an authentication layer (AAD, of course) into what we call the Microsoft Graph. The Microsoft Graph then directs the call to the appropriate Microsoft service – Exchange Online, OneDrive for Business, AAD, Intune, etc. You should think of the Microsoft Graph as effectively “the Microsoft API.” All of the services we are building at Microsoft are being built on the Microsoft Graph.
One of the especially cool things about the Microsoft Graph is that it is a single interface where all the Microsoft services can be reached through a set of REST APIs. Every object (user, group, device, etc.) and every policy can be reached through that API. It is really impressive how every object now has a URL that actions can be taken on/against via this command line. If you want to read more about Microsoft Graph go to: http://graph.microsoft.com.
Many of you have asked when Intune is going to have APIs. Well here it is! You can learn more about Microsoft Graph in the link above, and check out this documentation if you want to start learning about the specifics of working with Intune using Microsoft Graph.
Looking ahead, I’ll be writing and talking about two different graphs from Microsoft – and I want to make sure you understand the difference. Think of the Microsoft Graph discussed above as the management plane and API for Microsoft. Through the Microsoft Graph you have access to all the administrative capabilities. We have also been talking about the Microsoft Intelligent Security Graph. Think of this as the data plane for all of the telemetry and signal that comes back to Microsoft from the 200+ Global services that we operate – this is something I spoke about at length at Ignite. We now offer all the intelligence from all the Microsoft services and pull them together with our machine learning and data analytics capabilities – all to help protect your organization.
One last word on architecture: This new console is a built on top of a unified Intune/AAD infrastructure. One of the most important things we have done over the past year is completely aligning the Intune and AAD services. They now use common users, groups, and devices – and this is a significant move for our users because of how dramatically it reduces complexity and enables new scenarios (like the conditional access experience above).
Microsoft Graph Gives You Incredible Flexibility
Many IT Professionals want to do everything from a command line and not through a console (how often do you still go to a command prompt? 🙂 ) . With the integration of Intune and the other EMS components into Microsoft Graph, you can now have a command line for everything.
Since last September, we’ve been showing customers the new console and it’s integration with other Microsoft solutions. The customer reaction to the power of these command line capabilities (and the flexibility it brings) has been overwhelmingly positive. IT teams all over the world love these capabilities.
Over the 14 years I have worked on ConfigMgr, it has been common to see organizations create specialized administrative consoles or want to integrate specific features/scenarios of ConfigMgr into another administrative experience. Now, you can do that for any administrative tasks or to get data from any object in Intune, AADP and EMS. The way we have architected this is simple: Every call we make from the console is exposed via Graph.
A really interesting application of this that ties into what we announced today with Intune for Education. This is a specialized administrative experience that is tailored for schools where the individual(s) doing the administrative actions could be the computer science teacher or a principal. In this administrative experience, we simplified what is shown in the console, used descriptors like “teachers” and “students,” and really tailored the experience for this specific use. This is essentially a UI skin customized to a specific need, that makes calls to Microsoft Graph, which then calls to the Intune service. I encourage you to read the blog from the Official Windows Blog about Intune for Education, and check out this video showing just how simple and focused this experience is:
The new EMS Console is currently in public preview, and it will be fully released and generally available within the next couple months. New tenants (trial and paid) that are provisioned are automatically enabled to use the new console. We will be transitioning the 10,000’s of existing Intune customers over the next several weeks. You will be notified in the existing Silverlight console when your tenant has access to the new console. If you don’t want to wait until then you can create a new trial tenant here and start experimenting with the new console today! We can’t wait to hear your feedback!
If you want to see a few demos of the new integrated console, as well as some examples of what you can do via the command line through Microsoft Graph, I would encourage you to watch the 1701 edition of The EndPoint Zone. This month’s edition of EPZ is entirely dedicated to the new console and the Intune for Education console.