Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
rasmuswiegman
Participant

Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

Hey All,

 

We have a couple of customers, who are slowly moving towards Entra ID over On-Prem AD. And that also means joinning machines to Entra and authenticating against Entra...

The result is that users & Machines that are not using on-prem AD, does not get the correct policies applied 😕

 

Has anyone found a way to correct this?

 

Rasmus

8 Replies
JonnyRabinowitz
Employee
Employee

Below is a description of the relevant functionality as supported on Harmony Endpoint

1) From which release is support for Microsoft Entra ID be available? Windows Client Release E88.00

2) Are there related management changes for this support?

Yes. There is an additional AD scanner type that needs to be defined. This will be available on cloud management at time of E88.00 release

Schedule for on-premise management availability to be confirmed

A sample of the new AD scanner definitions can be seen in the attached powerpoint

3) Some related implementation aspects

  • Once connected to Entra ID the following operations can be performed
    • You can import devices, groups, users, and administrative units from Azure Active Directory to Harmony Endpoint Management
    • Any imported objects appear in Asset Management> Organization Tree > Directories -> Azure Directory
  • For a deployment where both On-prem AD and Entra ID are configured the data from the on-prem AD is given the highest priority
  • Multiple Azure AD directories can be defined on Harmony Endpoint management. Device information is taken from where the client is joined

4) Are there any functional limitations with this support

4.1 Hybrid Mode

When working in hybrid mode, there is a both an on-premise AD and Entra ID cloud based component. Data may be synchronized between the two

For hybrid mode two corresponding scanners need defined on HEP management for the on-premise and cloud based components

This enables full client functionality in this configuration

4.2 Standalone / Cloud Only

When moving from on-prem to cloud based AD many authentication related aspects are changing and this can cause issues across some capabilities

In such a configuration there are caveats on the following functionality

  • Use of Smart Cards together with MEPP package
    • These are not currently supported
  • Mac clients
    • Mac Clients with Entra ID support is not supported currently by Microsoft. Microsoft is providing additional capabilities to allow this. We will look to align when becomes available
    • Mac Clients can be used in this configuration when working with Intune. Related configuration for this option is outside scope of Harmony endpoint support
  • Issues with password change for FDE
    • In pure Entra ID environments (only) a password change cannot be intercepted by the credential provider.
    • This leads to a limitation that the end user must lock their screen after changing a password for the password change to take effect in FDE/preboot
    • Without lock screen preboot password is not synced with Windows password. This means that the old password will be in effect in preboot and potentially could cause a locked user.
rasmuswiegman
Participant

Hi Jonny,

Thanks a lot! 🙂

However, the E88 has been realeased a while ago, and I don't see the "Add Azure AD Scanner" anywhere 😕 Is there anything that should be enabled before getting this?

0 Kudos
JonnyRabinowitz
Employee
Employee

If you do not see the option on the cloud management then please send me the tenant ID and version (can unicast) and may need to schedule upgrade for the management

0 Kudos
JonnyRabinowitz
Employee
Employee

This is where option should be

0 Kudos
LazarusG
Contributor
Contributor

Hi

I also don't see the entra-id option in my tenant and a customer has the same issue. Is this not available across the board or is it done on a case by case basis?

Is it limited by Checkpoint or MS licensing?

Thanks

 

 

0 Kudos
JonnyRabinowitz
Employee
Employee

Hi. I assume you have a cloud based tenant

Is not related to licensing but more dependent on upgrade cycle for your tenant. If wan to unicast your tenant details to me I can check schedule on updates

0 Kudos
LazarusG
Contributor
Contributor

thanks - mine is a dev tenant as a partner, so not uber critical (thanks for the offer though) - however will all tenants be upgraded in time? appreciate the response!

0 Kudos
JonnyRabinowitz
Employee
Employee

Yes. Over time all tenants get upgraded to latest. I do not know the cycle time by which all tenants are upgraded

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events