memdocs/intune/protect/endpoint-security-account-protection-policy.md
Lines changed: 7 additions & 5 deletions
@@ -7,7 +7,7 @@ keywords:
7
7
author: brenduns
8
8
ms.author: brenduns
9
9
manager: dougeby
10
-
ms.date: 01/26/2022
10
+
ms.date: 01/31/2022
11
11
ms.topic: reference
12
12
ms.service: microsoft-intune
13
13
ms.subservice: protect
@@ -89,16 +89,18 @@ The following are the configurations you can make:
89
89
90
90
-**User selection type**: Choose how to select users. Options include:
91
91
92
-
-**Users**: Select the users and user groups from your Azure AD.
93
-
-**Manual**: Specify Azure AD users and groups manually, by username, domain\username, or the groups security identifier (SID).
92
+
-**Users**: Select the users and user groups from your Azure AD. (Supported for Azure AD joined devices only).
93
+
-**Manual**: Specify Azure AD users and groups manually, by username, domain\username, or the groups security identifier (SID). (Supported for Azure AD joined and hybrid joined devices).
94
94
95
95
-**Selected user(s)**: Depending on your selection for *User selection type*, you’ll use one of the following options:
96
96
97
97
-**Select user(s)**: Select the users and user groups from your Azure AD.
98
-
-**Add users(s)**: This opens the **Add users** pane where you can then specify one or more user identifiers as they appear on a device. You can specify the user by *Username, Domain\username*, or by *security identifier (SID)*.
98
+
-**Add users(s)**: This opens the **Add users** pane where you can then specify one or more user identifiers as they appear on a device. You can specify the user by *security identifier (SID)*, *Domain\username*, or by *Username*.
99
99
100
100
:::image type="content" source="./media/endpoint-security-account-protection-policy/add-user.png" alt-text="Screen shot of the Add users page.":::
101
101
102
+
Choosing the Manual option can be helpful in scenarios where you want to manage your on-prem Active Directory users from Active Directory to a local group for a hybrid Azure AD joined device. The supported formats of identifying the user selection in order of most to least preferred is through the SID, domain\username, or member’s username. Values from Active Directory must be used for hybrid joined devices, while values from Azure AD must be used for Azure AD join. Azure AD group SIDs can be obtained using [Graph API for Groups](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation).
103
+
102
104
### Conflicts
103
105
104
106
If policies create a conflict for a group membership, the conflicting settings from each policy are not sent to the device. Instead, the conflict is reported for those policies in the Microsoft Endpoint Manager admin center. To resolve the conflict, reconfigure one or more policies.
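Review bot: The new paragraph added after the screenshot (the `+` line beginning "Choosing the Manual option can be helpful") has grammar problems that obscure the guidance: "manage your on-prem Active Directory users from Active Directory to a local group" reads as if a word is missing (suggest "add your on-premises Active Directory users to a local group on a hybrid Azure AD joined device"), "The supported formats ... in order of most to least preferred is" should be "are", and "Azure AD join" should match the earlier wording "Azure AD joined devices". It would also help the reader to say why the SID is preferred: a SID identifies exactly one security principal, whereas a username or domain\username can be renamed or can resolve to a different account than the one intended, so a SID-based rule is the least likely to grant local group membership to the wrong principal. Since the link points at the group resource JSON, naming the `securityIdentifier` property there would make clear which value to copy. Two smaller issues in the same hunk: the rewritten "**Add users(s)**" line keeps the existing "users(s)" typo (should be "user(s)", or "Add users" to match the pane name), and "the groups security identifier (SID)" in both updated **Manual** lines needs the possessive "group's".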
@@ -115,4 +117,4 @@ Because the policy can contain multiple rules, consider the following: