Azure AD Join gives ADMIN rights to user - A STEP BACK IN IT SECURITY, IS IT?


Problem description


So, we’re currently trialing Microsoft EMS in our organization and have set up a trial environment for a pilot program. Our estate is made up of standalone PCs or a group of PCs in a LAN/Workgroup and we do not have any on-prem ADDS or ADFS in place. In short, a cloud only setup.

 

With that said, we have been trying to set up Self Provisioning and Out-of-Box Enrolment/AD join for our Windows 10 Pro devices (laptops and desktops), in line with the guidance notes provided on the Docs & Technet portal for setting up Azure AD join for devices, but have had no luck so far.

 

Here are the key issues we’re facing:

 

-       IF we let the employees perform Azure AD Join for their corporate owned devices, then the employee is made Administrator and then, after the joining happens, the rest of the MDM Enrolment process kicks in… with all the policies set in the MDM, restrictions etc. The challenge here is, we cannot let the end user / non-IT staff have elevated permissions as administrator on their work laptops/desktops.

 

Leaving the employee with Admin permissions on the device has 2 key issues:

  1. The user can install ANY application from anywhere online and run it on the device with elevated permissions, which is a major risk and there is NO way to prevent this using Intune or any other MDM out there. This is a risk we cannot take.
  2. Any IT company / Managed Service Provider would not take responsibility if anything happens because they’re not comfortable with the end user left with Admin permissions on the machine.

OR

-       IF we have an IT Admin perform the AD Join (and MDM enrolment) for all of our devices (before a device is handed over to the end user), then the issue we’re facing when the device is given to the end user and he logs in as Other User with his Office365 credentials, is that the user is not able to access the office365 resources which require conditional access (devices must be compliant or domain joined).

 

When attempting to access, say, Exchange Online, the user is presented with the error: "Your IT Admin is ensuring this device is compliant and this may take some time. To check the status check the company portal". Now, in the company portal, it says "you must Enrol this device" and shows an Enrol button which is basically a link to download the Intune Client. And when we try to download the Intune Client, again we’re presented with an error message: "This device is already managed by an MDM", i.e. the built in MDM of Windows 10.

 

Any guidance / help with this conundrum will be highly appreciated. Many thanks.
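A defender-side check for the two conditions the post turns on: whether the device is Azure AD joined and picked up a tenant MDM enrollment endpoint, and whether a user-driven join left an Azure AD account in the local Administrators group. This is an added example, not code from the post or from Microsoft; the function names are mine, it parses the text output of the real `dsregcmd /status` and `net localgroup administrators` commands (the AzureAdJoined, MdmUrl and AzureAdPrt keys appear in dsregcmd's output), and the sample output at the bottom is constructed so the script runs offline.

```powershell
# Added example (not from the original post): audit join state, MDM endpoint and
# Azure AD accounts holding local admin rights on a Windows 10 device.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "Key : Value" pairs under section banners; keep the pairs.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') { $state[$Matches[1]] = $Matches[2].Trim() }
    }
    return $state
}

function Get-AzureAdLocalAdmins {
    param([string[]]$Lines)
    # "net localgroup administrators" lists members between the dashed separator and the
    # "The command completed successfully." trailer; Azure AD principals carry the AzureAD\ prefix.
    $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim() -like 'AzureAD\*') { $line.Trim() }
    }
}

function Test-DeviceJoinPosture {
    param([string[]]$DsregOutput, [string[]]$NetLocalgroupOutput)
    $s      = ConvertFrom-DsregStatus -Lines $DsregOutput
    $admins = @(Get-AzureAdLocalAdmins -Lines $NetLocalgroupOutput)
    $finding = if ($admins.Count -gt 0) { 'Azure AD end users hold local admin rights' } else { 'No Azure AD users in local Administrators' }
    [pscustomobject]@{
        AzureAdJoined      = ($s['AzureAdJoined'] -eq 'YES')
        AzureAdPrt         = ($s['AzureAdPrt'] -eq 'YES')      # Primary Refresh Token present for the signed-in user
        MdmUrlConfigured   = -not [string]::IsNullOrEmpty($s['MdmUrl'])   # empty when the join picked up no MDM endpoint
        AzureAdLocalAdmins = $admins
        Finding            = $finding
    }
}

# Live run on the device:
#   Test-DeviceJoinPosture -DsregOutput (dsregcmd /status) -NetLocalgroupOutput (net localgroup administrators)
# Offline run on constructed sample output (not captured from a real device):
$sampleDsreg = @('| Device State |', '    AzureAdJoined : YES', '    MdmUrl : ', '    AzureAdPrt : YES')
$sampleNet   = @('Alias name     administrators', 'Members', ('-' * 79),
                 'Administrator', 'AzureAD\jane.doe@contoso.example', 'The command completed successfully.')
Test-DeviceJoinPosture -DsregOutput $sampleDsreg -NetLocalgroupOutput $sampleNet
```

On the constructed sample the result reports AzureAdJoined true, MdmUrlConfigured false and one Azure AD account in Administrators, which is exactly the first scenario the post describes.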

Solution

Hello,

We are checking on the query and would get back to you soon on this.

I apologize for the inconvenience and appreciate your time and patience in this matter.

Regards,

Vijisankar

