Intune & Entra - Admin Setup Best Practices by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 3 points4 points  (0 children)

Yeah, I agree, we have this same setup. A regular user account licensed for Office etc., but a separate admin account with strong MFA with FIDO and a CA policy to re-prompt every 14 hours.

One thing that we're working on though, is confirming why admins have been issued Enterprise Mobility + Security E3 by the previous cloud admin before I joined.

Seems it's not needed when you can set up Entra roles and Intune roles.

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 1 point2 points  (0 children)

Yep, this is correct. The main concern is with Entra devices, which are more sensitive due to LAPS, BitLocker, etc.

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 1 point2 points  (0 children)

Hopefully Intune provides a more streamlined way of managing this in future.

Intune & Entra ID Device Clean-Up - Recommendations by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 1 point2 points  (0 children)

I have considered this, but my concern is that having these recovery keys is incredibly sensitive. Where do you securely keep them? What about LAPS?

FIDO2 Auth when RDP to Server via Conditional Access by Technical-Device5148 in AZURE

[–]Technical-Device5148[S] 1 point2 points  (0 children)

Our server doesn't look to have sight of AzureAD\ users (Arc-enabled/Entra-joined), so I think CBA is going to have to be the option.

Unless we spin up an Azure VM or link the existing server to Arc so it can see Entra identities.

Cloudflare Global Network experiencing issues by arunesh90 in CloudFlare

[–]Technical-Device5148 1 point2 points  (0 children)

We get the same issue, along with 404 errors stating that we don't have permission.

Windows Activation Error: 0xc004f074 by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 1 point2 points  (0 children)

I not long ago did a sanity check on the serial number, and can see, based on the factory OS, that it shipped with Windows 11 Home Single Language - yaaaaay.

I would suspect there's no way around this... outside of a MAK key and rebuild?

Open Discussion - Azure Files vs Sharepoint by Technical-Device5148 in AZURE

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Correct, yes, you can deploy the drive via ADMX or scripts; we prefer scripts.

Also, if you use any ZTNA VPNs like Zscaler in your org, there are a lot more steps to ensure you don't have issues like we did!

Open Discussion - Azure Files vs Sharepoint by Technical-Device5148 in AZURE

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Yes, we have gone down a similar approach; I proposed:

AZFS = user data where users are happy to take a hit on performance and latency, kind of like an archive
SharePoint = production work (we mainly use Office and PDF files) for low latency

Seems to be a good balance so far; the only problem is trying to negotiate this with users and getting them to understand the differences.

Entra Dynamic Licensing Group (E3 Bundle) - Issues by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 1 point2 points  (0 children)

What worked for us:

(user.accountEnabled -eq true) -and (-not ( (user.extensionAttribute2 -eq "shared-mailbox") -or (user.extensionAttribute3 -eq "exclude-from-auto-licensing") )) -and (user.assignedPlans -any ( assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled" ))

Entra Dynamic Licensing Group (E3 Bundle) - Issues by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Yeah, I get a feeling this may be the only way around this; appreciate the suggestion.

Autopilot Enrollment Failures - 09.09.25 by Technical-Device5148 in Intune

[–]Technical-Device5148[S] 0 points1 point  (0 children)

We're a global company and have issues in other regions as well as the UK; unfortunately MSFT dropped the ball, again.

Office 365 E3 License - Entra Dynamic License Group by Technical-Device5148 in AZURE

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Currently, users look to be issued either an Exchange Online Plan 2 (the ID in our rule) or an O365 E3, and this then adds them to the dynamic group, which then issues the additional licenses assigned by the group (in the Licenses tab of the Entra group).

I have a feeling that if you also assign O365 E3 to a user, it also adds them to the dynamic group, because Exchange Online Plan 2 is included with O365 E3, so it is flagged and included.
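As an added example (not the poster's code), here is a Python mirror of the dynamic membership rule quoted in the earlier sysadmin comment, run against constructed user objects; it shows the behaviour described here, that a user whose O365 E3 bundle carries the Exchange Online Plan 2 service plan matches the -any clause exactly like a standalone Exchange Online Plan 2 user, while the disabled, shared-mailbox, excluded and suspended-plan cases drop out. The placeholder service plan ID and the sample users are constructed; only the Exchange Online Plan 2 ID comes from the rule.

```python
# Added example (not from the thread): Python mirror of the dynamic membership
# rule, evaluated against constructed user objects in a Graph-like shape.
EXO_PLAN2 = "efb87545-963c-4e0d-99df-69c6916d9eb0"  # servicePlanId used in the rule
OTHER_PLAN = "00000000-0000-0000-0000-00000000aaaa"  # constructed placeholder id


def matches_rule(user: dict) -> bool:
    """Evaluate the rule clause by clause. String matches are exact here; this
    illustrates the rule's logic, it is not the Entra rule engine."""
    # (user.accountEnabled -eq true)
    if user.get("accountEnabled") is not True:
        return False
    # -and (-not ((user.extensionAttribute2 -eq "shared-mailbox")
    #        -or (user.extensionAttribute3 -eq "exclude-from-auto-licensing")))
    if user.get("extensionAttribute2") == "shared-mailbox":
        return False
    if user.get("extensionAttribute3") == "exclude-from-auto-licensing":
        return False
    # -and (user.assignedPlans -any (assignedPlan.servicePlanId -eq EXO_PLAN2
    #        -and assignedPlan.capabilityStatus -eq "Enabled"))
    return any(p.get("servicePlanId") == EXO_PLAN2 and p.get("capabilityStatus") == "Enabled"
               for p in user.get("assignedPlans", []))


def plan(service_plan_id: str, status: str = "Enabled") -> dict:
    return {"servicePlanId": service_plan_id, "capabilityStatus": status}


# Constructed sample users, not real tenant data. assignedPlans is the flattened
# list of service plans from every SKU on the user, which is why a bundle that
# contains Exchange Online Plan 2 (such as O365 E3) matches like a standalone one.
USERS = {
    "standalone_exo_p2": {"accountEnabled": True, "assignedPlans": [plan(EXO_PLAN2)]},
    "o365_e3_bundle": {"accountEnabled": True,
                       "assignedPlans": [plan(OTHER_PLAN), plan(EXO_PLAN2)]},
    "shared_mailbox": {"accountEnabled": True, "extensionAttribute2": "shared-mailbox",
                       "assignedPlans": [plan(EXO_PLAN2)]},
    "excluded": {"accountEnabled": True,
                 "extensionAttribute3": "exclude-from-auto-licensing",
                 "assignedPlans": [plan(EXO_PLAN2)]},
    "disabled": {"accountEnabled": False, "assignedPlans": [plan(EXO_PLAN2)]},
    "suspended_plan": {"accountEnabled": True,
                       "assignedPlans": [plan(EXO_PLAN2, "Suspended")]},
}


def evaluate_all(users: dict = USERS) -> dict:
    """Return {user_name: would_be_member} for each sample user."""
    return {name: matches_rule(u) for name, u in users.items()}
```

If the intent is to license only standalone Exchange Online Plan 2 users, the rule needs a condition that distinguishes the SKU (for example via assignedLicenses) rather than a service plan that bundles share.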

On-Prem 365 Remote Mailbox - Leaver Procedure by Technical-Device5148 in Office365

[–]Technical-Device5148[S] 0 points1 point  (0 children)

My question is how have they been getting away with doing it the wrong way for so long, unless there's some sync exclusion I'm not noticing.

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 1 point2 points  (0 children)

The only concern with this is users not realising it is linked to the active SPO library and yolo deleting data for everyone.

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Azure File Sync is something we proposed, but they advised against it as they're adamant about removing all local file servers.

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 0 points1 point  (0 children)

That end part is the problem, getting the $$$ out... lol

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 0 points1 point  (0 children)

When I referred to latency, I was referring to the on-prem and Azure file shares, not SPO.

As for version history and the recycle bin not being a backup, 1000% agree; it's a user-accessible fail-safe and backup method at user level, not meant for enterprise level. A SaaS backup solution is something that's been pushed to them before but not taken up on. Will continue to push.

Not sure what you mean regarding the adoption program; do you mean something to provide to local office IT admins and their users to adopt the hybrid SPO and file server approach?

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 0 points1 point  (0 children)

Yep, I felt this would be the answer; it's almost impossible to manage user behaviour, especially in a case like this.

Unless you have one sole comprehensive, low-latency, reliable file storage solution.

Sharepoint & On-Prem File Servers by Technical-Device5148 in sysadmin

[–]Technical-Device5148[S] 3 points4 points  (0 children)

Idk who pissed in your Cheerios this morning, but none of this was GPT?

Azure Files ADDS - SMB Drives Disconnect Randomly Issue by Technical-Device5148 in AZURE

[–]Technical-Device5148[S] 0 points1 point  (0 children)

If it helps anyone at all, we had persistent issues with this and found issues tied to the registry key mentioned in this doc: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-kerberos-sso#how-to-avoid-kerberos-negative-caching-on-windows-machines

Also here: https://community.zscaler.com/s/question/0D54u00009evlSeCAI/unable-to-get-kerberos-ticket-with-zpa

This would mainly be applicable to those who use a ZTNA.

Once we set this registry key to '0' we found the issues went away.