Below is a description of the relevant functionality as supported on Harmony Endpoint
2) From which release is support for Microsoft Entra ID available? Windows client release E88.00
3) Are there related management changes for this support?
Yes. An additional AD scanner type (Entra ID) needs to be defined. This will be available on cloud management at the time of the E88.00 release
The schedule for on-premises management availability is to be confirmed
A sample of the new AD scanner definitions can be seen in the attached PowerPoint
3) Some related implementation aspects
- Once connected to Entra ID the following operations can be performed
- You can import devices, groups, users, and administrative units from Azure Active Directory (Microsoft Entra ID) into Harmony Endpoint Management
- Any imported objects appear in Asset Management > Organization Tree > Directories > Azure Directory
- For a deployment where both on-premises AD and Entra ID are configured, data from the on-premises AD takes precedence when the two conflict
- Multiple Entra ID directories can be defined on Harmony Endpoint management. Device information is taken from the directory the client is joined to
4) Are there any functional limitations with this support?
4.1 Hybrid Mode
In hybrid mode there are both an on-premises AD and an Entra ID cloud-based component, and data may be synchronized between the two
For hybrid mode two corresponding scanners need to be defined on HEP management, one for the on-premises component and one for the cloud-based component
This enables full client functionality in this configuration
4.2 Standalone / Cloud Only
When moving from on-premises AD to cloud-based AD (Entra ID) many authentication-related aspects change, and this can cause issues across some capabilities
In such a configuration there are caveats on the following functionality
- Smart cards together with the MEPP package
- Not currently supported
- Mac clients
- Entra ID join for Mac clients is not currently supported by Microsoft. Microsoft is providing additional capabilities to allow this, and Harmony Endpoint will look to align when they become available
- Mac clients can be used in this configuration when working with Intune. The related Intune configuration is outside the scope of Harmony Endpoint support
- Password change and FDE
- In pure Entra ID environments (only), a password change cannot be intercepted by the credential provider, so FDE is not notified that the password changed
- As a result the end user must lock their screen (for example with Win+L) after changing their password for the change to take effect in FDE/preboot
- Until the screen is locked the preboot password is not synced with the Windows password: the old password remains in effect in preboot, and a user who only remembers the new password can be locked out at preboot. Users in cloud-only deployments should be told to lock the screen immediately after every password change
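Because the scanner definitions and the caveats above depend on whether a Windows client is hybrid-joined, Entra-only, or on-premises only, it helps to check the join state on the endpoint itself. The following PowerShell is an added example written for this page, not Check Point code or part of the Harmony Endpoint client; it parses the output of the built-in dsregcmd /status command (field names AzureAdJoined, DomainJoined, EnterpriseJoined, TenantId, TenantName, DomainName are what dsregcmd prints) and reports which mode the device is in together with the caveats from section 4. The sample output embedded at the bottom is constructed so the script can be tried without a joined machine; the function name Get-JoinState and the Mode labels are this example's own.

```powershell
# Added example (not Check Point code): classify a Windows client's directory join state
# so you know which scanner definitions (on-prem AD, Entra ID, or both) apply to it and
# which of the cloud-only caveats from section 4.2 are relevant.
# Relies only on the built-in dsregcmd.exe; the sample output below is constructed.

function Get-JoinState {
    param(
        # Omit to run "dsregcmd /status" live; pass captured text to parse a saved dump.
        [string[]]$StatusText
    )
    if (-not $StatusText) {
        $StatusText = & dsregcmd.exe /status
    }

    $fields = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "   Key : VALUE" lines; keep only the ones we need
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|TenantId|TenantName|DomainName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad = ($fields['AzureAdJoined'] -eq 'YES')   # joined to Entra ID
    $dom = ($fields['DomainJoined']  -eq 'YES')   # joined to on-premises AD

    $mode = if ($aad -and $dom) { 'Hybrid' }
            elseif ($aad)        { 'EntraOnly' }
            elseif ($dom)        { 'OnPremOnly' }
            else                 { 'NotJoined' }

    # Caveats taken from the FAQ text for each mode
    $caveats = switch ($mode) {
        'Hybrid'     { 'Define both an on-prem AD scanner and an Entra ID scanner on HEP management.' }
        'EntraOnly'  { 'Smart cards with MEPP unsupported; FDE preboot password syncs only after the user locks the screen.' }
        'OnPremOnly' { 'Existing on-prem AD scanner only; Entra ID scanner not needed for this device.' }
        default      { 'Device is not joined to any directory and will not map to a directory object.' }
    }

    [pscustomobject]@{
        Mode          = $mode
        AzureAdJoined = $aad
        DomainJoined  = $dom
        DomainName    = $fields['DomainName']
        TenantId      = $fields['TenantId']
        TenantName    = $fields['TenantName']
        Caveats       = $caveats
    }
}

# Constructed (abridged) sample of "dsregcmd /status" output for a hybrid-joined device
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  TenantId : 00000000-0000-0000-0000-000000000000
                TenantName : Example Tenant
'@ -split "`r?`n"

# Parse the constructed sample; expected Mode is Hybrid
Get-JoinState -StatusText $sample | Format-List

# To check the machine the script is running on instead:
# Get-JoinState | Format-List
```

Run it on a client before defining scanners: a Hybrid result means both scanners must exist (section 4.1), an EntraOnly result means the smart card and FDE password-change caveats in section 4.2 apply and users need the lock-screen instruction. Results are only as good as dsregcmd itself, so re-run after a device is joined or unjoined.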