Create a Post
Showing results for 
Search instead for 
Did you mean: 

Has anyone succesfully used Entra-ID accounts/groups in Harmny Endpoint rules?

Hey All,


We have a couple of customers, who are slowly moving towards Entra ID over On-Prem AD. And that also means joinning machines to Entra and authenticating against Entra...

The result is that users & Machines that are not using on-prem AD, does not get the correct policies applied 😕


Has anyone found a way to correct this?



4 Replies

Below is a description of the relevant functionality as supported on Harmony Endpoint

1) From which release is support for Microsoft Entra ID be available? Windows Client Release E88.00

2) Are there related management changes for this support?

Yes. There is an additional AD scanner type that needs to be defined. This will be available on cloud management at time of E88.00 release

Schedule for on-premise management availability to be confirmed

A sample of the new AD scanner definitions can be seen in the attached powerpoint

3) Some related implementation aspects

  • Once connected to Entra ID the following operations can be performed
    • You can import devices, groups, users, and administrative units from Azure Active Directory to Harmony Endpoint Management
    • Any imported objects appear in Asset Management> Organization Tree > Directories -> Azure Directory
  • For a deployment where both On-prem AD and Entra ID are configured the data from the on-prem AD is given the highest priority
  • Multiple Azure AD directories can be defined on Harmony Endpoint management. Device information is taken from where the client is joined

4) Are there any functional limitations with this support

4.1 Hybrid Mode

When working in hybrid mode, there is a both an on-premise AD and Entra ID cloud based component. Data may be synchronized between the two

For hybrid mode two corresponding scanners need defined on HEP management for the on-premise and cloud based components

This enables full client functionality in this configuration

4.2 Standalone / Cloud Only

When moving from on-prem to cloud based AD many authentication related aspects are changing and this can cause issues across some capabilities

In such a configuration there are caveats on the following functionality

  • Use of Smart Cards together with MEPP package
    • These are not currently supported
  • Mac clients
    • Mac Clients with Entra ID support is not supported currently by Microsoft. Microsoft is providing additional capabilities to allow this. We will look to align when becomes available
    • Mac Clients can be used in this configuration when working with Intune. Related configuration for this option is outside scope of Harmony endpoint support
  • Issues with password change for FDE
    • In pure Entra ID environments (only) a password change cannot be intercepted by the credential provider.
    • This leads to a limitation that the end user must lock their screen after changing a password for the password change to take effect in FDE/preboot
    • Without lock screen preboot password is not synced with Windows password. This means that the old password will be in effect in preboot and potentially could cause a locked user.

Hi Jonny,

Thanks a lot! 🙂

However, the E88 has been realeased a while ago, and I don't see the "Add Azure AD Scanner" anywhere 😕 Is there anything that should be enabled before getting this?

0 Kudos

If you do not see the option on the cloud management then please send me the tenant ID and version (can unicast) and may need to schedule upgrade for the management

0 Kudos

This is where option should be

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events