Category Archives: Enterprise Mobility and Security

Analytics in Azure Information Protection

When we are managing cloud based solutions, it is important to have visibility to anything that can impact availability, performance and compliance. Analytics in Azure Information protection (AIP) gives deeper insights on usage reports, Activity logs, Data discovery and recommendation

This analytics service in AIP gives the organization complete visibility and control of the user activity and device activity with respect to documents/emails which are getting classified and protected.

Few examples of metrics being collected for AIP

Usage report:

  • Labels being applied to a document/email
  • Number of documents/emails classified/protected
  • Count of users and devices labeling the documents/emails

Activity report:

  • Labeling actions performed by a user/device
  • Which users have accessed a specific document
  • which labeling actions were performed by a specific application

These reports make use of Azure monitor service to store the data in Log Analytics workspace the organization owns which provides single source for monitoring Azure sources.


  • Azure subscription that includes log analytics with Azure Monitor. For pricing, refer here 
  • Windows-10 client machine which is installed with AIP agent.

Steps to enable Analytics in AIP:

login to Azure portal


Navigate to Azure Information protection pane



Enable Analytics for Azure tenant 




Create  a new Log Analytics workspace


Create sample AIP Labels 


login to a client machine which is installed with AIP client

AIP client can be downloaded from here

Classify few sample documents and emails 6


Navigate to Analytics section and validate the user activity with respect to labeling




Hence, these analytics will help us to get the granular details of the user and device activity for classification and protection














Enterprise Mobility and Security – Software updates with Windows Intune

What’s Changed in Enterprise Mobility Suite:

Enterprise Mobility Suite is renamed as Enterprise Mobility and Security. The existing enterprise Mobility Suite becomes Enterprise Mobility + Security E3 with no change for existing customers. A new upcoming plan will be known as Enterprise Mobility + Security E5.

Intune and its changes:

New Management Capabilities which includes Windows Updates, Windows Firewall and Endpoint protection

Azure AD Premium and its changes:

The existing Azure Active Directory Premium becomes Azure Active Directory Premium P1 with no change for existing customers

Azure Active Directory Premium P2 which will be available in coming days includes all the capabilities of Azure Active Directory Premium P1 as well as Identity Protection and Privileged Identity Management capabilities

Azure RMS and its Changes:

Azure Rights Management Premium becomes Azure Information Protection Premium P1 with no change in existing customers and Azure Information Protection Premium P2 adds advanced capabilities

Managing Windows with Microsoft Intune Client software:

Get a trial version of EMS here

Instead of enrolling windows PC as a mobile device, we can now enroll and manage windows PC’s by installing a client software. This has got the new management capabilities which supports Software updates, windows firewall and Endpoint protection


The following management capabilities are added with Intune client software:

  1. Application Management : Deploying Applications
  2. Endpoint protection : Managing and monitor malware attacks
  3. Windows Firewall : Configuring windows firewall settings
  4. Hardware and software inventory
  5. Remote control : Remote assistance request
  6. Software updates : Managing software updates

In this discussion, I am showcasing the software updates capabilities with Windows Intune Client software

  1. Download the client software

Intune Client software can be downloaded from here Or from the Intune Admin Console as shown below

Login to Intune portal at




2. Enroll the windows Machine

Once the Intune Client software is downloaded and installed, the windows machine reports to Intune



We can check the status of the machine in company portal too  at



Now we can manage the updates for this Windows Machine with Intune

Software Updates in Windows Intune:

This feature is similar to the software update feature in System Center Configuration Manager where we can keep the windows Machines up to date with the latest software updates. These updates can be from Microsoft/non-Microsoft. When we enroll a Windows Machine in Intune with Intune Client software, that Machine reports to Intune wherein we can see the no of updates required, manage the updates by approving/declining, see the status of the installation and compliance.

A sample Intune Dashboard showing software updates


Different Types of Updates: There are 7 different types of updates available out of which some are mandatory updates which doesn’t prompt for approval


Microsoft vs Non-Microsoft Updates:

Software Updates by Microsoft:  Before we configure Microsoft updates, we have to configure product categories and update classifications

Navigate to Intune console – > Admin -> Updates where we can select the category and classification as per our requirement



 Now, as we selected the product category and update classification, all the updates are synchronized to Intune console


Automatic approval rules – These rules automatically approve specified types of update and reduce your administrative overhead. For example, you might want to automatically approve all critical software updates.


Update Software not made from Microsoft:

We can also update the software which is not from Microsoft. To achieve this, we have to upload the software through upload wizard which will be saved in the cloud storage and later we can approve/decline and deploy to the specific collection as we do for Microsoft updates

Deploying a sample Microsoft update to enrolled computer:

Now, we installed a Intune client software, enrolled a computer to Intune console, selected the product category and classification, synchronised the updates to Intune. Let us try deploying a security update to the enrolled computer.

The enrolled computer has 96 software updates that need approval


Select any update and approve it


Create a collection ( group ) and deploy the update to the collection


Select the approval settings. These are similar to the settings in System Center Configuration Manager


Select the deadline to install the update


Open Microsoft Intune Center ( This is similar to Software Center in System Center Configuration Manager ) in the client machine and check for updates


You can see that the updates are getting installed

Check for the updates installation in control panel


Deploying a sample Non – Microsoft update to enrolled computer:

We can even deploy Non-Microsoft Applications and updates with Intune by uploading the application/update to the Intune storage and then deploying to the specific collection or a group. In this case, I have chosen Google chrome as a Non-Microsoft application which is to be deployed to the enrolled computer. We can also try with Java updates as Non-Microsoft updates if Java is installed in the machine

Navigate to Intune console -> updates -> All Updates and click on upload



Specify the location of update setup file



This is quite interesting section. This will allow to select the architecture and Operating system so that we can have these filters at deployment level


This section will gives the system the ability to check if the update/application is already installed in the targeted machine. This will avoid the re installation of the same application and avoids the overriding of previous versions


In this section we can specify command line arguments for custom installation








Deploy to the collection ( group )


Select the approval settings


Open Microsoft Intune Center in the client machine and check for the updates.


Confirm the installation in Control Panel


Configuring Azure AD Application Proxy

Many  Organizations have their web portals and applications which are hosted on- premise and there are many methods to give access to these applications on internet

One of the traditional methods is to have a Virtual Private Network configured, which will establish a secured connection between corporate network and internet users

Azure helps us to give access to in-house portals to internet with the help of Azure Application Proxy which avoids the need of using a separate virtual private Network configuration

For this demo, I am using Azure classic portal ( )

Components for Configuring Azure Application Proxy

  1. Azure Subscription
  2. Azure Application Proxy connector ( This can be downloaded from Azure Portal )
  3. An in-house portal which can be added to Azure

Azure Subscription :

you can get a free trial subscription from

If you have any existing Azure subscription ( either through EMS or O365, login to the Azure portal with Global Admin credentials )

Configuration of Azure Application Proxy 

Navigate to Azure portal from

Azure Sign in page

Navigate to Active Directory

AD Navigation

Click on Dashboard and scroll down to the end, where you can see Application Proxy

Click on Configure

Application Proxy enable

Scroll down to Application Proxy section

By default, Application proxy is disabled. Switch to enabled

Download the connector from the url

Download APplication proxy connector

It is recommended to install the connector in Windows Server 2012 R2 Server which has access to Corporate Network as well as internet

Connector installation 1

The installation will prompt for the Azure Admin credentials

connector login

Run the Connector troubleshooter

Connector Finish

You will be prompted with a command prompt on successful installation

Cmd prompt

Go back to the azure portal ( ) and come to the section of application proxy through the dashboard

Click on Manage Connectors if you install multiple connectors for redundancy

Manage Connectors

Connector status

Adding in-house portal to Azure :

For this demo, I am using an in-house portal http://*****mysalary/, which can be accessed only through my corporate network

Url : http://*****mysalary/

kartik salary page.PNG

Now, I will add this portal in Azure and configure it, to access from internet

Access Azure portal ( )

Navigate to Active Directory and click on Applications


Click on Add button which is at the bottom of the page and select the third option which is “publish an application that will be accessible from outside your network”

Add application

Give the details of the portal

portal name

Add the users to which you want to give access to this portal and navigate to Configure section as highlighted below

configuring portal

External url is the one which will allow you to access this portal through internet as you can see it has https in the url

payroll config2.PNG

To access this portal, Navigate to and sign in with Azure credentials

This will give you the list of applications and portals for which you were given access from Azure

In our scenario, payroll proxy is the App which will allow us to access my in-house portal through internet


I am able to login to the portal through internet and you can see the url with https://*****

payroll https.PNG

Cross Check :

If you want to cross check whether proxy is configured correctly, you can access the app in mobile phone

Download “My Apps” application from Play store which will provide the list of applications under your login

List of apps available :

My apps in mobile (1).png

As you can see, I am able to access my payroll portal through https://***  in my mobile phone

payroll proxy in mobile.png