Thursday, May 30, 2024

Unlocking the Mysteries of Microsoft Entra ID Governance: Your Go-To Guide!

Hey there! Today, we're diving into something that might seem a bit daunting at first: Microsoft Entra ID Governance Licensing. But fear not! By the end of this post, you'll be navigating these waters like a pro. Let’s get started, shall we?

What’s the Buzz About?

Microsoft recently rolled out some clarifications on Entra ID Governance licensing. This is great news because it means we get a clearer picture of what's included and how we can make the most of it. Think of it as getting a map for your treasure hunt—way less wandering and more finding the gold!

Alright, let's break it down into bite-sized chunks:
Choosing the right license is like picking the perfect ice cream flavor. Here’s a quick rundown of your options:
  • Free: Comes with your Microsoft cloud subscriptions like Microsoft 365.
  • Entra ID P1: Available standalone or with Microsoft 365 E3/Business Premium.
  • Entra ID P2: Available standalone or with Microsoft 365 E5.
  • Entra ID Governance: An advanced package for P1 and P2 users, offering top-tier identity governance features.

Getting Started: The Essentials

To get the most out of Entra ID Governance, you’ll need to have the right prerequisites. Depending on your chosen package, you might need an active subscription to Entra ID P1, P2, or other compatible Microsoft products.

Here's which features come with which license (+ means included, - means not included):

Feature | Free | Microsoft Entra ID P1 | Microsoft Entra ID P2 | Microsoft Entra ID Governance
API-driven provisioning | - | + | + | +
HR-driven provisioning | - | + | + | +
Automated user provisioning to SaaS apps | + | + | + | +
Automated group provisioning to SaaS apps | - | + | + | +
Automated provisioning to on-premises apps | - | + | + | +
Conditional Access - Terms of use attestation | - | + | + | +
Entitlement management - Basic entitlement management | - | - | + | +
Entitlement management - Conditional Access scoping | - | - | + | +
Entitlement management - MyAccess search | - | - | + | +
Entitlement management with Verified ID | - | - | - | +
Entitlement management - Custom extensions (Logic Apps) | - | - | - | +
Entitlement management - Auto-assignment policies | - | - | - | +
Entitlement management - Directly assign any user (Preview) | - | - | - | +
Entitlement management - Guest conversion API | - | - | - | +
Entitlement management - Grace period (Preview) | - | - | + | +
My Access portal | - | - | + | +
Entitlement management - Microsoft Entra roles (Preview) | - | - | - | +
Entitlement management - Sponsors policy | - | - | - | +
Privileged Identity Management (PIM) | - | - | + | +
PIM for Groups | - | - | + | +
PIM Conditional Access controls | - | - | + | +
Access reviews - Basic access certifications and reviews | - | - | + | +
Access reviews - PIM for Groups | - | - | - | +
Access reviews - Inactive users reviews | - | - | - | +
Access reviews - Inactive users recommendations | - | - | + | +
Access reviews - Machine learning assisted access certifications and reviews | - | - | - | +
Lifecycle Workflows (LCW) | - | - | - | +
LCW - Custom extensions (Logic Apps) | - | - | - | +
Identity governance dashboard | - | + | + | +
Insights and reporting - Inactive guest accounts | - | - | - | +

Unlocking Features: What Can You Do?

With the right license, you can:
  • Automate user provisioning and access reviews.
  • Use entitlement management to streamline access packages.
  • Implement lifecycle workflows for smooth onboarding and offboarding.
  • Leverage Privileged Identity Management (PIM) to secure privileged roles.

FAQs: Your Burning Questions Answered

Do I need to assign licenses to each user? Nope! But you need enough license seats for all users in scope or those configuring the features.
What about business guests? Business guests also need licenses, but a new model for these licenses is coming soon, offering more flexibility.
What happens if a license expires? Features like PIM will no longer be available, but permanent role assignments remain unaffected.

Wrapping Up

Microsoft Entra ID Governance is your ally in managing identities and ensuring compliance. With the right licenses, you can unlock powerful features that streamline operations and enhance security. Ready to get started? Dive into the Entra ID Governance world and make identity management a breeze!

Sunday, May 5, 2024

Unlock the Magic of Platform SSO for macOS: Now in Public Preview!

Hello, Mac lovers! If you've ever dreamt of a seamless sign-on experience on your beloved macOS devices, you're in luck. Microsoft's new Platform SSO (Single Sign-On) for macOS is now in public preview, and it's here to make your digital life a breeze. Get ready to wave goodbye to the hassle of multiple sign-ins and say hello to smooth sailing with this exciting new feature. Let's dive in!

What is Platform SSO for macOS?

Picture this: You log into your macOS device, and boom—you're automatically signed into all your Microsoft apps and services without lifting a finger. That's the magic of Platform SSO. It streamlines your work, saves you time, and enhances security by reducing the need for multiple passwords. Now, let's get you set up!

Here's how it works.

Step 1: Update Your macOS
First things first, make sure your macOS is up-to-date. Platform SSO requires macOS 10.15 or later. Head to your System Preferences and click on Software Update to check for the latest updates.
Step 2: Enroll Your Device in Microsoft Endpoint Manager (Intune)
Next, you'll need to enroll your device in Microsoft Intune. If you haven't done this before, don't worry—it's a piece of cake.
  1. Open the Company Portal app on your macOS device.
  2. Sign in with your work or school account.
  3. Follow the on-screen instructions to complete the enrollment process.
Step 3: Configure Platform SSO
Now that your device is enrolled, it's time to configure Platform SSO. Here's how:
  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Configuration profiles.
  3. Click + Create profile.
  4. Set Platform to macOS, then choose Templates > Device features.
  5. Give your profile a descriptive name, like "macOS SSO Configuration".
  6. Under Configuration settings, select Single sign-on app extension.
  7. Choose Microsoft Entra ID as the SSO app extension type.
  8. Configure additional settings such as:
     • App bundle ID: Enter the bundle IDs of apps that don’t support MSAL but should still get SSO.
     • AppPrefixAllowList: The recommended value is com.microsoft.,com.apple. (a comma-separated list of bundle ID prefixes; keep the trailing dot on each prefix so it matches only that namespace).
     • browser_sso_interaction_enabled: Set to 1 to allow sign-in from Safari.
     • disable_explicit_app_prompt: Set to 1 to reduce unnecessary prompts.
  9. Assign the profile to your macOS devices.
Step 4: Sync Your Device
Almost there! To apply the new configuration, you'll need to sync your device with Microsoft Intune (formerly Microsoft Endpoint Manager).
  1. Open the Company Portal app again.
  2. Click on your device.
  3. Select Sync to update the settings.
Step 5: Enjoy Seamless Sign-On
That's it! You've successfully enabled Platform SSO for your macOS device. From now on, enjoy the magic of automatic sign-ins across your Microsoft apps and services. No more juggling multiple passwords—just pure, unadulterated productivity.
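As an added example (not code from this post or from Microsoft), here is what the Step 3 settings look like as the com.apple.extensiblesso payload a .mobileconfig profile carries, plus a check for two common mistakes: an AppPrefixAllowList entry without its trailing dot (which matches more bundle IDs than intended) and a flag stored as a string where an integer is expected. The extension identifier, team ID and login URLs are assumed to be the ones Microsoft publishes for its Enterprise SSO plug-in; confirm them against current docs before deploying.

```python
import plistlib

# Identifiers Microsoft publishes for its Enterprise SSO plug-in; assumed here,
# not taken from the post, so confirm them against current Microsoft docs.
ENTRA_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
ENTRA_TEAM_ID = "UBF8T346G9"
ENTRA_URLS = ["https://login.microsoftonline.com", "https://login.microsoft.com", "https://sts.windows.net"]


def build_sso_payload(app_prefix_allow_list, app_allow_list=(), browser_sso=1, quiet_prompts=1):
    """Return a com.apple.extensiblesso payload carrying the Step 3 settings."""
    extension_data = {
        # Comma-joined prefixes: Intune stores the allow list as one string.
        "AppPrefixAllowList": ",".join(app_prefix_allow_list),
        "browser_sso_interaction_enabled": int(browser_sso),
        "disable_explicit_app_prompt": int(quiet_prompts),
    }
    if app_allow_list:  # "App bundle ID" in the Intune UI: apps that don't use MSAL
        extension_data["AppAllowList"] = ",".join(app_allow_list)
    return {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": ENTRA_EXTENSION_ID,
        "TeamIdentifier": ENTRA_TEAM_ID,
        "Type": "Redirect",
        "URLs": list(ENTRA_URLS),
        "ExtensionData": extension_data,
    }


def check_sso_payload(payload):
    """Return the misconfigurations to fix before assigning the profile."""
    problems = []
    data = payload.get("ExtensionData", {})
    for prefix in data.get("AppPrefixAllowList", "").split(","):
        if not prefix.endswith("."):
            # "com.microsoft" also matches com.microsoftsomething.*; the dot keeps it exact.
            problems.append(f"AppPrefixAllowList entry {prefix!r} is missing its trailing dot")
    for key in ("browser_sso_interaction_enabled", "disable_explicit_app_prompt"):
        value = data.get(key)
        if isinstance(value, bool) or value not in (0, 1):
            problems.append(f"{key} must be the integer 0 or 1, not {value!r}")
    if payload.get("Type") != "Redirect":
        problems.append("Type must be Redirect for the Microsoft Entra extension")
    return problems


def to_plist_xml(payload):
    """Serialise the payload as the XML plist a .mobileconfig carries."""
    return plistlib.dumps(payload).decode("utf-8")
```

Run check_sso_payload before assigning a profile built this way; an empty list means the two checks above passed.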

Why You'll Love Platform SSO
  • Convenience: One sign-in to rule them all. Once you're logged into your device, you're automatically signed into all your Microsoft apps and services.
  • Enhanced Security: Fewer passwords mean fewer opportunities for breaches. Platform SSO leverages your macOS device's secure authentication mechanisms to keep your data safe.
  • Boosted Productivity: Spend less time logging in and more time getting things done. With Platform SSO, you can jump straight into your work without missing a beat.

Final Thoughts

Platform SSO for macOS is a game-changer for anyone who uses Microsoft services on their Apple devices. It's simple to set up, boosts your productivity, and keeps your data secure. So, why wait? Give it a try and experience the magic for yourself. Happy signing in, folks!

Multiple Administrative Approvals in Microsoft Intune

Hi! Today, I wanna share with you an information about Microsoft Intune Multiple Administrative Approvals (MAA). It’s like having an extra c...