Enterprise Mobility Hero Demo Guide

Guide for the Enterprise Mobility in this Pandemics by Microsoft with Home Office techniques and tools

Uploaded by

danielroncatto

Microsoft Enterprise Mobility
Hero Demo Guide

Updated: April, 2016


This document is provided “as-is”. Information and views expressed in this document, including URL and
other Internet Web site references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft
product. You may copy and use this document for your internal, reference purposes.

© 2016 Microsoft. All rights reserved.

Demo Guide En

Table of Contents
EMS Demo Requirements and Scenarios
Demo Pre-Requisites
Scenario 1: Manage Mobile Productivity
Scenario 2: Deploy and Manage All of Your Applications Using Enterprise Mobility
Scenario 3: Comprehensive Protection of Your Corporate Data with EMS
Demo 1: Manage Mobile Productivity
Pre-Demo Checklist
Demo Sequence
Opening
Managing Office Mobile Apps without Device Enrollment
Conditional Access and Device Enrollment
Mobile Application Management
Demo Reset Instructions
Demo 2: Deploy and Manage All of Your Apps with EMS
Pre-Demo Checklist
Demo Sequence
Add SaaS Apps: Salesforce
Add an App and Configure SSO: Twitter
Use MyApps to Access Applications
Self-Service on MyApps Portal
Access to Windows-based Apps
Close
Demo Reset
Demo 3: Comprehensive Protection of Corporate Data with EMS
Pre-Demo Checklist
Demo Sequence
Use MyApps to Access Applications
Review Azure Security Reports
Microsoft Advanced Threat Analytics
Introducing Microsoft Cloud App Security (CAS)
Demo Reset
Appendix 1: Configure your Demo Tenant
Add Your Authentication Phone and Email (for MFA verification) to Hero User
Grant EMS License to Global Admin user
Configuring Tenant for iOS Devices
Create an Apple ID for Your Demo Tenant (if necessary)
Configure Intune Admin Settings for iOS Device Management
Apply Contoso Branding to Intune Company Portal
Create an App Policy for MAM without Enrollment
Add SaaS Applications to AAD
Configure Salesforce SSO Integration
Configure Twitter Integration
Appendix 2: Installing/Configuring Azure RemoteApp (ARA)
Installing Azure RemoteApp
Configuring Azure RemoteApp
Appendix 3: Configure Your Demo Devices
Mobile Device Requirements
Device Setup Steps
Set Up Device #1 (iOS or Android)
Set Up Device #2 (iOS or Android)

EMS Demo Requirements and Scenarios


This demo guide contains 3 key scenarios – each demonstrating different value propositions of the Enterprise Mobility
Suite. Each scenario can be performed independently. Prior to running through these demo scenarios, please ensure the
one-time demo environment and device requirements are met.

Demo Pre-Requisites
• Follow the steps documented in the EMS Demos – Getting Started Guide to create your free, personal, 90-day Office 365 demo tenant with EMS add-on.
• Perform one-time manual setup steps against your demo environment as detailed in Appendix 1.
• If you’d like to include the Desktop Virtualization scenario in your demos, perform installation/configuration of Azure RemoteApp (ARA) as detailed in Appendix 2.
• Prepare your demo devices as detailed in Appendix 3.
• Prior to each demo, perform the pre-demo checklist steps listed at the beginning of each demo scenario.
• After each demo, perform post-demo reset steps to ensure you’re able to perform the demo again in the future.

Scenario 1: Manage Mobile Productivity


One of the first challenges in the mobile-first, cloud-first world is to deliver secure email to employees on the go. This
scenario demonstrates how EMS provides employees with secure and seamless access to corporate email and documents
using familiar productivity experiences with Office mobile apps such as Outlook, Word, Excel, PowerPoint, and OneDrive.
EMS also helps to protect corporate data on the device itself and beyond with multi-layer protection, all without impacting
personal data.
Features
• Familiar productivity experience with Office mobile apps
• Managing access to email and documents with conditional access
• Enable secure access for corporate email, SharePoint and OneDrive
• Comprehensive protection of corporate data at 4 layers: identity, device, application, and data
• Flexible architecture
Services
• Active Directory Premium
• Microsoft Intune
• Azure Rights Management

Scenario 2: Deploy and Manage All of Your Applications Using Enterprise Mobility
Demonstrate the flexibility to deploy and manage apps that employees need to be productive. Using this scenario, you
can show how Enterprise Mobility supports SaaS apps, native apps and Windows apps on a variety of devices. You can
deep dive into Azure Active Directory, Intune and Azure RemoteApp app management to show how Enterprise Mobility
solutions offer security and management for your apps.

Features
• One common identity across on-prem and cloud
• Single sign-on to cloud and on-premises apps with multi-factor authentication
• Cloud App Discovery
• Cross-platform Company Portal
• Mobile Application Management
• Enable users to access Windows apps and data from any device and any location
Services
• Active Directory Premium
• Microsoft Intune
• Azure Rights Management

Scenario 3: Comprehensive Protection of Your Corporate Data with EMS


Demonstrate how Enterprise Mobility Suite (EMS) provides the most comprehensive protection of corporate data across 4
layers: identity, device, application, and data. This demo will cover how different components of EMS help to keep the
corporate data protected.
Features
• One Identity across on-prem & cloud
• Access to resources, apps and files
• Additional security to sensitive apps (MFA)
• Self-service and automation for password and groups
• Mobile application management
• File level protection - virtually all types on any device platform
• Protect on-premises identity
• Stop external threats from stealing corporate information
Services
• Active Directory Premium
• Microsoft Intune
• Azure Rights Management
• Microsoft Advanced Threat Analytics


Demo 1: Manage Mobile Productivity


One of the first challenges in the mobile-first, cloud-first world is to deliver secure email to employees on-the-go. This
scenario demonstrates how EMS provides employees with secure and seamless access to corporate email and documents
using familiar productivity experiences with Office mobile apps such as Outlook, Word, Excel, PowerPoint, and OneDrive.
EMS also helps to protect corporate data on the device itself and beyond with multi-layer protection, all without impacting
personal data.

Pre-Demo Checklist
Follow these steps prior to each demo presentation to ensure a smooth and speedy demo experience:
1. Prepare your mobile devices (iOS or Android) as outlined in Appendix 2. If you only have one device available, consider presenting the following demos via a custom PowerPoint slideshow:
   ◦ Managing Office Mobile Apps without Device Enrollment
   ◦ Device Enrollment for Conditional Access
2. Launch the native Notes app on your device and jot down the login credentials of your demo persona (so you can quickly access them during the demo and minimize typos).
   ◦ Demo persona’s corporate account: garthf@<tenant>.onmicrosoft.com and password: pass@word1
   ◦ Demo persona’s personal email account: <your demo Live ID user account info>
   ◦ Copy the demo persona’s corporate account email and keep it in the device’s clipboard.
3. MFA authentication requires a valid phone number. Ensure your demo persona’s Azure AD account has your mobile phone number set up as the verification number.
4. <If presenting demo remotely via Skype> Launch an iOS screen sharing utility (such as AirServer or Reflector 2) on your Windows PC and mirror your device onto the PC’s screen.
5. Launch a new browser session on a browser that supports Silverlight (IE or Firefox) and navigate to the demo tenant’s Intune management portal, at https://manage.microsoft.com. Log in with your demo tenant’s Global Admin user (admin@<tenant>.onmicrosoft.com and pass@word1), then minimize the browser.

Demo Sequence

Opening

Speaker Script:
I think you would agree with me that one of the main things your employees want on their mobile devices is access to their corporate email and documents. And they expect to do it in a fast and easy way, without the need to go through multiple complex steps or call the help desk. IT, on the other hand, wants to keep the corporate data secure wherever it is.
Let me show how you can solve both of these problems with Office 365 and EMS.

Managing Office Mobile Apps without Device Enrollment

Speaker Script:
A new capability of Microsoft Intune allows Mobile Application Management (MAM) without requiring the device to be enrolled for IT management. In short, “Intune MAM without enrollment”. This is particularly useful for BYO scenarios where end users don’t want to or can’t enroll their devices for IT management. This capability is also useful in cases where a device is already enrolled in another MDM solution.
An increasing number of Office mobile apps support MAM without enrollment for both iOS and Android platforms.
This new capability is an addition to the existing Intune MAM capabilities that require enrollment into Intune mobile device management (MDM).
Here, I’m accessing a Word document from SharePoint. This document is considered corporate data. As such, I’m disallowed from saving it outside of corporate locations.
I’m also not allowed to copy/paste the contents of this document to non-corporate locations.
Although this device is not enrolled with my organization, the application policies set by my organization block me from taking my data outside of my organization – thereby protecting my corporate data.

Click Steps:
Perform these steps on mobile device #1 (iOS or Android)
1. On your mobile device, launch Word app.
2. Ensure you’re logged in to the Word app as your demo persona (e.g. GarthF@<tenant>.onmicrosoft.com).
3. Go to Open > SharePoint > Documents > Northwind Proposal.
4. In the Word menu, tap File > Duplicate.
5. Choose <device> (iPad or Android, as applicable).
6. Note the prompt that disallows saving to non-corporate locations due to policy set by Administrator.

Conditional Access and Device Enrollment

Speaker Script:
When employees add their corporate Office 365 account in the Outlook app, they expect to get access to all of their email, but with EMS you can enable conditional access, which ensures that employees access corporate email only from managed and compliant devices.
The first thing I see as I type in my corporate email alias is my company’s logo: a branding I’m familiar with. With the power of Azure AD, this form already recognized me as a user of my corporation; and the customized branding assures me I’m signing in to a trusted location so I can type in my password without concern.
As you can see here, they are blocked and are informed that in order to get access they need to first enroll their device to Intune.
Next they need to install the Intune company app, which has already been done to save time.
Employees then need to log in with their corporate Azure AD identity (the same credentials employees would use to access email), and go through the standard iOS enrollment process that includes applying a management profile and certificates for secure communication between the device and Microsoft Intune.
There are a few things happening behind the scenes here. First, Intune gets device information without collecting personal data since this is a personal device. Next, Intune also registers this device with Azure AD, so now both Intune and Azure AD know that this device belongs to this employee, which is useful for a few other scenarios when the employee wants to access corporate resources from this device. Intune also starts to deploy and enforce device settings like password requirements, resource access profiles such as WiFi and VPN, certificates, and applications.
Once the enrollment is completed, employees need to ensure that their device is compliant with the corporate policies. This is a great solution since employees get access to email with just a few simple steps, but IT is also happy because the corporate data is accessed only from managed devices.

Click Steps:
Perform these steps on mobile device #1 (iOS or Android)
1. On your device, launch Outlook app.
2. Tap Get Started, then dismiss app initialization/welcome messages, if necessary.
7. Add an Account > Office 365 account as follows:
   a. Email: garthf@<tenant>.onmicrosoft.com (paste it in)
   b. Password: pass@word1
   then tap Sign in.
8. Note the Conditional Access policy message that blocks access to email:
9. Tap Enroll.
10. Tap OPEN to launch Microsoft Intune Company Portal app.
11. Tap Sign in, then sign in to Intune Company Portal as:
    garthf@<tenant>.onmicrosoft.com (paste it in)
    pass@word1 (type it in).
12. On Company Access Setup page, type Begin.
13. On Device Enrollment page, tap Enroll. You will be directed to the built-in iOS Settings app.
14. On Install Profile page, tap Install.
15. Enter device passcode (prompted only if device currently has a passcode).
16. Tap Install.
17. On Warning page, tap Install.
18. On Remote Management dialog, tap Trust.
19. On Profile Installed page, tap Done. You’ll be redirected back to the Intune Company Portal app.
20. On Company Access Setup page, tap Continue.
21. Tap Done to complete Company Access Setup.
22. You should now see the Intune Company Portal home page, similar to the screen shot below.
23. Press the device’s home button. You will see a Passcode Requirement dialog where you must change passcode within 60 minutes.
24. Tap Continue, then set a new device passcode. If your device has a passcode currently, you’ll be prompted to type that in first.
    Tip: For a complex, 4-character passcode, use 1111 so it’s easy to remember.
25. Re-launch the built-in Mail app.
    Note the Inbox is now populated with GarthF’s emails from Exchange server.

Mobile Application Management

Speaker Script:
Since the device is managed and compliant, employees now have access to the corporate email. They just need to re-enter their Azure AD credentials, and the access to email will be granted. Behind the scenes, when employees log in, Office 365 checks with Azure AD to see if the device is managed and compliant, which in this case it is. Because of that, Office 365 enables the access to email. Since the device is now managed, employees can also access internal company apps as well as public apps from the Intune Company Portal.
For the next part of my demo I actually need to install a few of these applications, but to save time I am going to switch to another iPad for the same user that already has these apps installed.
As Brad Anderson showed at Ignite, Intune is uniquely able to manage and enforce app restrictions for Outlook and Office mobile apps on iOS and Android. This provides a best-in-class and consistent user experience for email, productivity and collaboration while protecting corporate data. Employees are productive with real Office, not Office-like proprietary apps with limited functionality and a confusing user interface. When employees launch Outlook they need to enter their PIN since it was configured in Intune by IT. In this example, this email has useful information that they want to keep for a project. If they try to copy it and paste to app, it doesn’t work since this is a personal app. But if they try to paste into Microsoft Word app, it works since this is a managed app. This provides a consistent user experience for employees and helps to keep corporate data within the managed app ecosystem.

Click Steps:
Perform these steps on iOS device #2 (one that’s already been enrolled and configured with Managed Apps.)
1. Launch Outlook app (which is now configured with 2 email accounts: one corporate mailbox and one personal).
2. In GarthF’s corporate inbox, scroll down and tap on an email from Alex Darrow (subject Northwind Proposal).
   Tip: You may open any email in the user’s corporate inbox with a Word document attachment.
3. Tap on the attachment file name to preview contents.
4. On a text paragraph, tap and hold, then Copy.
5. Tap Close to dismiss document preview.
6. Tap the Reply icon.
7. In the reply message body (whitespace) tap and hold for a second to reveal Paste option, then tap Paste.
8. Discard the email message (by tapping the X icon, then confirming Delete draft).
9. Press the home button, then launch the built-in iOS Notes app.
10. Create a new note and attempt to paste (tap+hold on whitespace.) Note the Paste option is not available.
11. Double-press the home button, then return to Outlook app.
12. Back in the Northwind Proposal email, tap Open in Word link under the included email attachment.
    The Word app will launch.
13. Dismiss any introduction video, tips and guides that may be prompted by the Word app until the attachment document (Northwind Traders Proposal) opens in the app.
14. Tap the File menu icon in Word app, then Duplicate.
15. Tap Dropbox.
16. Tap Duplicate.
17. At alert box with message: “Your administrator doesn’t allow saving to personal locations.” tap OK.
18. Tap Save again.
19. Tap OneDrive for Business, then Save.
20. Close the Northwind Traders Proposal document by tapping the close icon.

Demo Reset Instructions


Follow these steps to reset the demo at the conclusion of each presentation:
Device #1:
1. Un-enroll the device from Intune Company Portal.
2. Delete the Exchange mailbox that was added during the demo:
   a. Go to the built-in device Settings app.
   b. Tap Mail, Contacts, Calendars then Exchange.
   c. Tap Delete Account, then Delete from my iPhone/iPad.
3. Close any open documents in Word app (by tapping the back arrow icon).
Device #2:
1. Browse to GarthF’s OneDrive Pro for Business web site (https://<tenant>-my.sharepoint.com/, logged in as GarthF) then delete the Northwind Proposal document from the root.
2. Go through steps of Setup Device #2 in the appendix so the same device is ready for your next demo. You may skip the steps where the configurations from prior run are already there (e.g. Dropbox setup, personal inbox setup, etc.)


Demo 2: Deploy and Manage All of Your Apps with EMS


Pre-Demo Checklist
Follow these steps prior to each demo presentation to ensure a smooth and speedy demo experience:
1. Launch a new browser session in IE or Edge and navigate to the MyApps portal, at https://myapps.microsoft.com. Log in with your demo Hero user (garthf@<tenant>.onmicrosoft.com and pass@word1). Minimize the browser.
2. Launch a separate, InPrivate browser session (IE or Edge) and navigate to the demo tenant’s Azure management portal, at https://manage.windowsazure.com. Log in with your demo tenant’s Global Admin user (admin@<tenant>.onmicrosoft.com and pass@word1).
3. In the Azure Management Portal, ensure the user GarthF has an Authentication Phone number supplied and configured with a mobile phone number that you possess. This is required for the multi-factor authentication demo. See Appendix 1 for details.
4. Launch the Azure RemoteApp desktop client on your PC and connect to your tenant’s RemoteApp collection as the user GarthF. Minimize the RemoteApp client.
   ◦ If you have not done so yet, please refer to Appendix 2 in order to install and configure Azure RemoteApp.

Demo Sequence

Speaker Script:
Let me show you how to ensure your users have access to the applications they need to be productive.
The first solution I’ll show you leverages the power of Azure Active Directory to enable access to Software as a Service, and web-based applications.

Add SaaS Apps: Salesforce

Speaker Script:
You probably recognize that I’m starting in the Azure Portal. Navigate to applications for your active directory. You’ll see the list of applications that have been added.
Adding a SaaS app is very straightforward. There are 3 types of applications that can be added:
• Application my organization is developing – a custom application that your company has created, that can be integrated with Azure AD to provide secure sign in and authorization for their services.
• Application from the gallery – add an application from a list of SaaS apps that are pre-integrated with Azure AD and many of them offer deep integration like provisioning of users using federation.
• Publish an application to be available from outside your network – enables you to make your internal web-based applications available externally.
We’ll start by adding an application from the gallery. There are over 2400 SaaS applications listed, such as Twitter, Dropbox, or Workday – these applications are pre-integrated and can be easily configured for single sign-on.
If the SaaS application is not on the list, it can be added as a custom application.
I’ll add Salesforce.
When the application is added, the quick start page is displayed, showing our next steps.
There are just 3 steps and you can have this SaaS app available.
The first step is to Configure single sign-on.
Windows Azure AD Single Sign-on – this option enables users to authenticate to Salesforce with their account in Azure AD using federation.
Configure App URL – the sign-on URL is the custom URL for your domain on Salesforce.
Finally, configure single sign-on on Salesforce by downloading the certificate you will need to upload at Salesforce when you configure that side of the federation, verifying proper configuration, and clicking Complete.
The second step is to Configure user provisioning. Add your Salesforce admin credentials to enable automatic user provisioning. This enables user provisioning and deprovisioning based on changes made in Azure Active Directory. (optional)
The third step is to assign the users and/or groups you want to access the SaaS app.
When these steps are completed the SaaS application will be available in MyApps.

Click Steps:
1. Bring up the browser session with Microsoft Azure Management Portal (Global Admin user).
2. In the ACTIVE DIRECTORY workspace, click Contoso <TenantName>.
3. Click the APPLICATIONS tab.
4. Click Add.
1. In the What do you want to do? window, review the options that are available.
   • Application my organization is developing
   • Application from the gallery
   • Publish an application to be available from outside your network
2. Click Add an application from the gallery.
3. Review the applications that are available in the application gallery.
4. Click Custom, and review the benefits.
5. Click FEATURED APPLICATIONS, type Salesforce in the search box and click Search.
6. Click Salesforce, and in the DISPLAY NAME text field type Salesforce-Demo, and then click Complete.
7. Review the items on the Quick Start page.
   • Configure single-sign on
   • Configure account provisioning
   • Assign accounts

Add an App and Configure SSO: Twitter

Speaker Script

Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box, and Salesforce for end user productivity, but IT has typically had to create and update user accounts for each SaaS app, and users had to remember their credentials for each, which gets messy fast.

Azure AD enables integration to many of today’s popular SaaS applications (e.g., Box, Twitter, and so on). It provides identity and access management, and delivers an access panel for users, in which they can discover what application access they have and single sign-on to access their applications.

I’ll demonstrate this two ways, starting with password single sign-on to the Twitter app.

Configuring password-based single sign-on enables Azure to automatically sign users in to third-party SaaS applications by using the SaaS application’s user account information. When you enable this feature, Azure AD collects and securely stores the SaaS app’s user account information and the related password. Azure AD can support password-based single sign-on for any cloud-based app that has an HTML-based sign-in page. By using a custom browser plugin, Azure AD automates the sign in process by securely retrieving application credentials, such as the username and the password, from the directory, and entering these credentials in to the application’s sign in page on behalf of the user.

Here you see that no users have access to this app. Likewise, you see that no groups have access to this app. I will give the Sales & Marketing group access to the Twitter app, and everyone in the group will share the same set of app credentials.

The last step is to copy the single sign-on URL to the clipboard. This is the URL that I will share with members of the Sales & Marketing team.

Click Steps

Note: Ensure you have a demo Twitter account (and login info available) prior to performing this section.

1. Bring up the browser session with Microsoft Azure Management Portal (Global Admin user).
2. In the ACTIVE DIRECTORY workspace, click Contoso <TenantName>.
3. Click the APPLICATIONS tab.
4. Click ADD.
5. Click Add an application from the gallery.
6. In the Search box, type twitter and press Enter.
7. Click Twitter.
8. In the DISPLAY NAME box, type Twitter-Demo.
9. Click OK.
10. Click Configure single sign-on.
11. Select Password Single Sign-On, then (Complete).
12. In the SHOW list, click All Users, and click OK.
13. Click Assign accounts.
14. Select Show Groups then (OK).
15. Click sg-Sales & Marketing to highlight.
16. Click ASSIGN button (at the bottom of the screen).
17. Select the I want to enter Enterprise Twitter credentials to be shared among all group members check box.
18. In the User Name box, type the user name for the Twitter account.
19. In the Password box, type the Twitter account’s password.
20. Click OK.
21. Highlight sg-Sales & Marketing.
22. Click EDIT ACCOUNT.
23. Click Cancel.
24. Click DASHBOARD.
25. In the SINGLE SIGN-ON URL box, click Copy to Clipboard.

Use MyApps to Access Applications

Speaker Script

In your Enterprise, you may have Mac users such as graphic designers. You’ll want to ensure all platforms can be equally productive.

MyApps is accessible using iOS, Android, Mac, and Windows to view available applications.

I’ll log in to MyApps using my corporate credentials, and I can see all the applications available to me.

Applications can be easily launched (Office 365, Corporate Twitter). Using single sign-on I am redirected directly to the page.

Notice there are SaaS apps, custom apps, and on-premises apps displayed.

I also have the ability to perform self-service on my account that really empowers me to get my work done. I can add myself to groups, to add applications. I can reset and change my own password. Self-service is a very effective cost cutting method by reducing help desk calls.

By joining the Contoso Bug Bashers security group, I was automatically granted access to the BrowserStack application.

Click Steps

Important: Use GarthF’s browser session (in IE or Edge) for this portion of the demo.

1. Bring up the browser session with the My Apps Portal (logged in as GarthF).
8. In the applications page, click Office 365 SharePoint Online. Note the login-free SSO experience in new browser tab.
9. Go back to the Access Panel Apps browser tab.
10. Click Salesforce.
11. Authorize the login on your phone (multi-factor authentication) by accepting the call on your mobile phone and responding to the authentication request.
12. Note the login-free SSO experience to Salesforce in a new browser tab.
13. Go back to the Access Panel Apps browser tab.
14. Click groups.
15. Change My groups drop-down to All.
16. Scroll down the page, then click on ssg-Contoso Bug Bashers.
17. Click Join group.
18. In the pop-up window, click Request. (You will be auto-approved.)
19. Click applications to go back to the applications page.
20. Refresh the page. Note the inclusion of a new application on the page: BrowserStack.

Self-Service on MyApps Portal

Speaker Script

I also have the ability to perform self-service on my account that really empowers me to get my work done. I can add myself to groups, to add applications. I can reset and change my own password. Self-service is a very effective cost cutting method by reducing help desk calls.

Password reset ties back to password write-back. When changes are made to Azure AD, those changes are sync’ed with Active Directory.

Click Steps

Important: Use GarthF’s browser session (in IE or Edge) for this portion of the demo.

1. Bring up the browser session with the My Apps Portal (logged in as GarthF).
21. Click profile.
22. Click Register for Password Reset.
23. Review the options for alternate verification options:
    a. Authentication Phone
    b. Authentication Email
24. Click Cancel.
25. Click Change password.
26. Review the password change form, then click cancel.

Access to Windows-based Apps

Speaker Script

Next question is how do I enable access to Windows-based applications across all the devices in my enterprise?

The next solution I’ll show you is Azure RemoteApp, which enables organizations to provide Windows-based applications for employees to work across devices, from anywhere. As you saw in Brad’s keynote, he accessed Dynamics using an iPad. This Windows-based application could be accessed from many different mobile devices.

Let me show you the client experience using Microsoft Remote Desktop app here on my iPad.

I have signed in using my corporate credentials, and the list of applications published to me is displayed. Using the RD Client I can see all of the applications I have available in a single location.

Different kinds of apps can be published: line of business applications, productivity apps, or Windows-based apps. (Launch Excel)

I want to show you the power of this service, running an application in Azure, accessing corporate resources securely on-premises.

I selected a file I have been working with. This file is securely accessed from the cloud, and contains some sensitive data like credit card information. I’m still able to work on it without storing it on my local device. This way, even if this device is lost or compromised, the data remains protected.

Notice I can use Excel as if the application were local; the functionality is exactly the same. I can use the slicers to manage the data that is displayed.

This Remote Desktop client experience is available on iOS, Android, Mac and Windows.

Click Steps

Note: Perform these steps on your Windows PC.

1. Launch the Azure RemoteApp program on your demo device.
21. If necessary, log in with your demo persona credentials.
22. Review the list of available applications.
23. Review the available applications under Work Resources.
24. Launch Excel.
25. Review functionality within Excel.
    a. Go to File > Open > OneDrive – Contoso <Tenant>
    b. Select Contoso Purchasing Data – Q1.xlsx to open it.
    c. Enable Editing once the document opens.
    d. Click anywhere on the table area (e.g. cell A1).
    e. In the ribbon bar, go to INSERT, SLICER, then check Card Type and OK.
    f. Click MasterCard on the Card Type slicers to filter the table data.

Close
As you’ve seen today, Azure Active Directory and Azure
RemoteApp enable users to be productive anywhere
on a variety of devices. Everything I’ve shown you is
available today and delivered by Azure.
Thank you.

Demo Reset
1. Go back to the Azure Management Portal browser session and delete any SSO Applications you added during the
demo (i.e. Twitter-demo, Salesforce-demo). Do NOT delete the apps that you had configured previously, before
the demo.

2. Go back to the MyApps portal (as GarthF) and leave group for sso-Contoso Bug Bashers.
3. Ensure the Excel file you opened in the Azure RemoteApp session is closed. Do NOT save changes to the files.

Demo 3: Comprehensive Protection of Corporate Data with EMS
Pre-Demo Checklist
Follow these steps prior to each demo presentation to ensure a smooth and speedy demo experience:
1. Launch a new browser session in IE or Edge and navigate to the MyApps portal, at https://myapps.microsoft.com.
Login with your demo Hero user (garthf@<tenant>.onmicrosoft.com and pass@word1). Minimize the browser.
2. Launch a separate, InPrivate browser session (IE) and navigate to the demo tenant’s Azure management portal, at
https://manage.windowsazure.com. Login with your demo tenant’s Global Admin user
(admin@<tenant>.onmicrosoft.com and pass@word1).
3. In the same browser session, open a new browser tab, then log in to the Intune management portal at
https://manage.microsoft.com (as Global Admin).
4. In the Azure Management Portal, ensure the user GarthF has an Authentication Phone number supplied and
configured with a mobile phone number that you possess. This is required for the multi-factor authentication demo.
See Appendix 1 for details.
5. In the same browser session, open a new browser tab, then log in to the staged Cloud App Security demo site as
follows:
   • Browse to https://acme.console-demo.adallom.com/
   • Login as: admin@<tenant name>.onmicrosoft.com with password: Pass@word1

Demo Sequence
Speaker Script Click Steps

I will demonstrate how Enterprise Mobility Suite (EMS) provides the most comprehensive protection of corporate data across 4 layers: identity, device, application, and data. This demo will cover how different components of EMS help to keep the corporate data protected.

Use MyApps to Access Applications

Speaker Script

In your Enterprise, you may have Mac users such as graphic designers. You’ll want to ensure all platforms can be equally productive.

MyApps is accessible using iOS, Android, Mac, and Windows to view available applications.

I’ll log in to MyApps using my corporate credentials, and I can see all the applications available to me.

Applications can be easily launched (Office 365, Corporate Twitter). Using single sign-on I am redirected directly to the page.

Notice there are SaaS apps, custom apps, and on-premises apps displayed.

I also have the ability to perform self-service on my account that really empowers me to get my work done. I can add myself to groups, to add applications. I can reset and change my own password. Self-service is a very effective cost cutting method by reducing help desk calls.

By joining the Contoso Bug Bashers security group, I was automatically granted access to the BrowserStack application.

Click Steps

Important: Use GarthF’s browser session (in IE or Edge) for this portion of the demo.

1. Bring up the browser session with the My Apps Portal (logged in as GarthF).
27. In the applications page, click Office 365 SharePoint Online. Note the login-free SSO experience in new browser tab.
28. Go back to the Access Panel Apps browser tab.
29. Click Salesforce.
30. Authorize the login on your phone (multi-factor authentication) by accepting the call on your mobile phone and responding to the authentication request.
31. Note the login-free SSO experience to Salesforce in a new browser tab.
32. Go back to the Access Panel Apps browser tab.
33. Click groups.
34. Change My groups drop-down to All.
35. Scroll down the page, then click on ssg-Contoso Bug Bashers.
36. Click Join group.
37. In the pop-up window, click Request. (You will be auto-approved.)
38. Click applications to go back to the applications page.
39. Refresh the page. Note the inclusion of a new application on the page: BrowserStack.

Review Azure Security Reports

Speaker Script

You can use Azure AD Premium’s access and usage reports to learn the integrity and security of your organization’s directory. With this information, you can better determine where possible security risks might exist so that you can adequately plan to mitigate those risks. There are four categories I will show you today: anomalous activity, activity logs, integrated applications, and premium reports.

Anomalous activity reports

This report indicates users who have successfully signed in to your directory while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. People often use these proxies if they want to hide their computer’s IP address, and they might be used for malicious intent; sometimes hackers use these proxies. Results from this report will show the number of times a user successfully signed in to your directory from that address and the proxy’s IP address.

Sign ins after multiple failures report indicates users who have successfully signed in after multiple consecutive failed sign-in attempts. Possible causes include users had forgotten their passwords, or users are victims of successful password-guessing brute force attacks. Results from this report will show you the number of consecutive failed sign-in attempts made prior to the successful sign-in and a timestamp associated with the first successful sign-in.

Sign ins from multiple geographies report includes successful sign-in activities from a user where two sign ins appeared to originate from different regions and the time between the sign ins makes it impossible for the user to have travelled between those regions. Possible causes include users sharing their passwords, users using remote desktop connections to launch a web browser for sign in, or a hacker signing in to a user’s account from a different country. Results from this report will show you the successful sign-in events, together with the time between the sign ins, the regions where the sign ins appeared to originate from, and the estimated travel time between those regions.

Activity Logs reports

This audit report shows records of all audited events within the last 24 hours, last 7 days, or last 30 days. Categories include:
• Credential updates
• Device management
• Directory synchronization
• Domain management
• Group management
• Partner administration
• Policy management (MFA)
• Role changes
• User account changes
• User licensing
• User, group, and contact management

Integrated Applications reports

This report provides a history of attempts to provision accounts to external applications. Use this report to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure AD.

Premium reports

This report includes sign-in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign-in attempts from the same IP address over a short period of time and other activity that was deemed suspicious. This might indicate that a hacker has been trying to sign in from this IP address. Results from this report will show you sign-in attempts that were originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.

Click Steps

Note: Use Global Administrator’s browser session for this portion of the demo.

1. Bring up the browser session with Microsoft Azure Management Portal (Global Admin user).
5. In the ACTIVE DIRECTORY workspace, click Contoso <TenantName>.
6. Click the REPORTS tab.
40. Click Sign ins from unknown sources.
41. Click Sign ins after multiple failures.
42. Click CONFIGURE.
43. In the NUMBER OF CONSECUTIVE FAILED SIGN INS CONSIDERED ANOMALOUS box, type 5.
44. Click SAVE.
45. Click Sign ins from multiple geographies.
46. Click Users.
47. Click Aarif Sherzai to highlight, then point to the buttons at the bottom of the page:
48. Click MANAGE MULTI-FACTOR AUTH.
49. Place checkmark next to Aarif Sherzai’s display name.
50. Under quick steps, click Enable.
51. Review About enabling multi-factor auth, then click Cancel.
52. Go back to the Active Directory browser tab, if necessary, then click Audit report.
53. Click Account provisioning activity.
54. Click Sign ins from IP addresses with suspicious activity.
55. Click Password reset activity.
56. Click Password reset registration activity.
57. Click Self-service groups activity.
58. Click Application usage.
59. Click Sign ins from IP addresses with suspicious activity.
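The logic behind the "Sign ins after multiple failures" and "Sign ins from multiple geographies" reports described above can be sketched over a sign-in log. This is an added example, not Azure AD's implementation or code from the guide; the log format, user names, coordinates and the 900 km/h travel speed are assumptions, and the threshold of 5 is the value configured in the click steps.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

# Constructed sample sign-in records (not real Azure AD report data).
# Columns: timestamp, user, result, region, latitude, longitude
SAMPLE_LOG = """\
2016-04-01T08:00:00 alice FAIL Seattle 47.61 -122.33
2016-04-01T08:00:20 alice FAIL Seattle 47.61 -122.33
2016-04-01T08:00:40 alice FAIL Seattle 47.61 -122.33
2016-04-01T08:01:00 alice FAIL Seattle 47.61 -122.33
2016-04-01T08:01:20 alice FAIL Seattle 47.61 -122.33
2016-04-01T08:01:40 alice OK Seattle 47.61 -122.33
2016-04-01T08:10:00 bob FAIL Seattle 47.61 -122.33
2016-04-01T08:10:30 bob FAIL Seattle 47.61 -122.33
2016-04-01T08:11:00 bob OK Seattle 47.61 -122.33
2016-04-01T09:00:00 carol OK Seattle 47.61 -122.33
2016-04-01T10:00:00 carol OK London 51.51 -0.13
2016-04-01T09:00:00 dave OK Seattle 47.61 -122.33
2016-04-01T13:00:00 dave OK Portland 45.52 -122.68
"""


class SignIn(NamedTuple):
    when: datetime
    user: str
    ok: bool
    region: str
    lat: float
    lon: float


def parse_log(text):
    """Parse the constructed log format above into time-ordered records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, region, lat, lon = line.split()
        events.append(SignIn(datetime.fromisoformat(ts), user, result == "OK",
                             region, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.when)


def sign_ins_after_multiple_failures(events, threshold=5):
    """Return (user, consecutive_failures, time_of_success) for each success
    that follows at least `threshold` consecutive failed sign-ins."""
    streak = defaultdict(int)
    findings = []
    for e in events:
        if not e.ok:
            streak[e.user] += 1
            continue
        if streak[e.user] >= threshold:
            findings.append((e.user, streak[e.user], e.when))
        streak[e.user] = 0  # any success ends the failure streak
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def sign_ins_from_multiple_geographies(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user from different regions
    when the estimated travel time exceeds the time between the sign-ins.
    max_speed_kmh is an assumed airliner cruising speed."""
    last_ok = {}
    findings = []
    for e in events:
        if not e.ok:
            continue
        prev = last_ok.get(e.user)
        last_ok[e.user] = e
        if prev is None or prev.region == e.region:
            continue
        gap_h = (e.when - prev.when).total_seconds() / 3600
        travel_h = haversine_km(prev.lat, prev.lon, e.lat, e.lon) / max_speed_kmh
        if travel_h > gap_h:
            findings.append({"user": e.user,
                             "regions": (prev.region, e.region),
                             "gap_hours": gap_h,
                             "travel_hours": travel_h})
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, failures, when in sign_ins_after_multiple_failures(log):
        print(f"{user}: success at {when} after {failures} consecutive failures")
    for f in sign_ins_from_multiple_geographies(log):
        print(f"{f['user']}: {f['regions'][0]} -> {f['regions'][1]} in "
              f"{f['gap_hours']:.1f} h, estimated travel {f['travel_hours']:.1f} h")
```

Lowering the threshold surfaces more forgotten-password cases alongside guessing attacks, which is the trade-off behind the configurable value in the report.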

Microsoft Advanced Threat Analytics

Speaker Script

Microsoft Advanced Threat Analytics, or ATA, is an on-premises product that helps IT protect their enterprise from advanced targeted attacks by automatically analyzing, learning and identifying normal and abnormal entity behavior. An entity can be a user, a device or simply a resource in the network.

Using deep packet inspection technology, ATA analyzes all Active Directory traffic. It can also collect relevant events from SIEM or Windows Event logs.

The constant reporting of traditional security tools and sifting through them to locate the important and relevant alerts can get overwhelming. Instead, ATA provides an easy to consume, simple to drill down, social media feed-like report helping IT to focus on what is important fast. Presenting this quantity of data as a timeline gives you the power of perspective, and insight into who’s accessing what, when they’re accessing it, and how they’re accessing that data.

Event Timeline

Here’s an event indicating suspicion of identity theft based on abnormal behavior of a user. ATA provided an alert as this user activity deviated from this user’s normal behavior.

With ATA, these alerts happen once suspicious activities are contextually aggregated to its own behavior, as well as to the other entities in its interaction path. So multiple events were used and correlated to detect it. Four in this case. ATA also compared this user’s behavior to all the other users in his interaction map, in order to reduce false positive or negative alerts.

Let’s take a look at the list of abnormal devices that contributed to this alert.

The user, a full time employee, suddenly logs on to an external vendor terminal server, raising suspicion. It is even more suspicious that the user did so outside of their normal working hours. This is another behavioral aspect that ATA tracks.

Suspicious Activity Profile

We begin the investigation process by clicking on the External Vendor Terminal Server, taking us to the profile view.

We then get to see the attack timeline from the Terminal Server’s perspective, by clicking on the Suspicious activities tab.

As with many attacks, this one begins with a reconnaissance phase where we see the attacker attempting to guess usernames.

Ultimately, the attacker(s) succeeded and guessed three different accounts, one of them being the user’s account.

In the next phase of the attack, we will clearly see the attacker attempting a brute force attack including them guessing the user’s password.

Once the user’s account was compromised, we can see the user behaving abnormally. With the list of alerts prior to this, we have sufficient evidence to conclude that this user’s credentials are now compromised. Eventually we see the attacker attempting to elevate their privilege to a domain administrator account, possibly their ultimate goal.

In this instance the attack was detected by ATA with the help of data provided by a third party SIEM solution which was configured to forward Windows security events to ATA – in this case a SIEM solution. The third-party software was already collecting these events, so no additional configuration was required there beyond the event forwarding itself.

All of ATA’s detection algorithms are self-learning, allowing it to detect suspicious activities from the first minute it’s deployed, without the need to configure or tweak rules, baselines, or thresholds; you simply plug it in and off it goes.

Also you can configure ATA to send an event to your SIEM system for each suspicious activity with a link to the specific event on the attack timeline.

In summary, ATA uses machine learning in its deterministic and detection engine to establish an understanding of the normal patterns of behavior for both users and entities, and it’s that unique capability that allows us to provide timely and accurate alerts across a huge variety of attack vectors.

Click Steps

Note: The ATA demo suggested here will be performed using a static web site with limited functionality. For fully functional ATA demo, please connect to https://atademo in the Microsoft CorpNet or use the ATA Center demo virtual machine.

1. Browse to the static ATA demo site, located at https://atademoui.azurewebsites.net/.
2. Scroll down the page to 11:54 PM “Suspicion of Identity Theft based on Abnormal Behavior”.
3. Point mouse to the bulleted list of 4 suspected behaviors.
7. Click on 6 Abnormal computers.
8. Hover mouse over EXTVENDOR-TS (last item on the Abnormal Computers list).
9. Click on the EXTVENDOR-TS label to go to the terminal profile view page.
10. Click the Suspicious Activities tab.
11. Scroll down the bottom of the timeline, then up slightly to Reconnaissance Using Account Enumeration.
12. Scroll up to Brute Force Attack Using LDAP Simple Bind.
13. Under Attacked Accounts, click on the picture of Michael Dubinsky to view his User Profile Page.
14. Click Suspicious activities tab.
15. Click Back (browser navigation) to return to Timeline.
16. Scroll up to Suspicion of Identity Theft based on Abnormal Behavior.
17. Scroll up to Identity Theft Using Pass-the-Ticket Attack.
18. Scroll up to Remote Execution Attempt Detected.

Introducing Microsoft Cloud App Security Note: To get a better understanding of CAS you will be using
(CAS) a static website (canned environment) with full functionality.
This is a shared environment accessible to others who are
As an IT professional to Executive Officer of any also interested in CAS. So please use this site to only VIEW
business, ask yourselves these questions when and EXPLORE ONLY. DO NOT MAKE ANY EDITS TO THIS
referencing Cloud Applications: Do you know how DOCUMENT.
many cloud apps your users may be using? Do you
know if customers Personally Identifiable Information
(PII) are located on these apps? Do you know if these
apps are secure or not?
Now to introduce you to Microsoft’s CAS. This newly
added feature does not just apply to Microsoft
specific cloud applications but also public and line of
business applications as well. The vision behind CAS
is to empower businesses of all sizes with:
 Visibility: the ability to Discover & Investigate
 Protection: the ability to Control & Respond
We'll look at how you can gain deeper visibility,
stronger controls and enhanced security for your

23
Demo Guide En

Speaker Script Click Steps

cloud apps with this new feature.


General Dashboard
 The Dashboard provides an overview of your Ensure Pre Demo step 5 is complete and display the CAS
cloud security status. browser session.

 The service provides a wide set of capabilities 1. On the Top Navigation Bar, click Discover.
for securing cloud applications, allowing companies 60. Click Discovery Dashboard.
to discover, investigate, control and protect their data
in the cloud.
 Discovery Dashboard
 Moving on to the discovery dashboard.
 The Discovery Dashboard provides a detailed
overview of all cloud applications being used in the
organization. It identifies all users and IP addresses
accessing the application. It also conducts a risk
assessment and automated risk score for each app.

 Since the data is collected via logs, through
firewalls and proxies, there is no need to deploy
additional agents. These tasks can also be automated.

 As you can see the company has 500+ apps
and 12 are specifically risky. If you scroll down, you
can also see top services used and top risky services.
You can also see if the apps being used are
sanctioned or unsanctioned.
 Discovered Apps
To drill down, let’s click on discovered apps:
Here you see all of the discovered apps in the
organization. You can see all sanctioned (approved
by my organization) and unsanctioned apps. You can 61. On the Cloud Discovery Navigation Bar, click 512
easily filter based on the name, activity time frame or Discovered App.
the risk score associated with the application. You can
62. Scroll down until you see the Categories section in the
also filter by a category: for instance collaboration
Left Navigation Bar.
apps.
63. Under Categories, click Collaboration to filter only
You can also drill down on a specific app. For this, Collaboration apps.
let’s click on Office 365. With a simple drill down here
is the risk assessment and risk score for Office 365.
CAS not only discovers more than 13,000 cloud 64. Scroll up to the top of the page.
applications in use but it also provides an automated 65. Under the Score column, click Office 365’s score, 10.
risk score by evaluating each discovered service Note: Do not click on the Office 365 label itself (this will take
against more than 60 parameters. you to a different page, described later).
Here you can see all of the different parameters used 66. Scroll down to parameter labeled HTTP Security
for the risk evaluation. You can dive into more details
24
Demo Guide En

Speaker Script Click Steps

for a specific parameter to get a breakdown on the Headers and hover over it.
score. You can also interact with this risk assessment
67. Scroll up to the top of the page.
by reporting new data or requesting score update.
68. Under the Score column, click on Office 365’s score, 10,
App Overview Charts to minimize the app details.
Discovering which apps are in use across your
organization is just the first step in making sure your
sensitive corporate data is protected. CAS also
provides powerful reporting and analytics capabilities
for you to gain the complete context of your cloud 69. Under the Name column, click Office 365.
usage: such as the breakdown of usage, app activity
or we can delve into specific users or IPs.
File Log
Once you sanction an app, you can gain granular
visibility into that app. You also have the ability to see
all activities across all apps and can easily apply filters
to this log.
You know that employees can make a simple mistake 70. On the Top Navigation Bar, click Investigate.
and make a file link viewable by the public. This type
71. Click Files.
of mistake can turn into a costly security incident.
Thanks to CAS you can now see and govern all files in
the cloud, with a very powerful and easy to use query
engine. It also provides all the information that you
need to perform a detailed investigation by showing
you who the owner(s) and collaborator(s)are of the
file. It can also show you the folder hierarchy, inspects
the content and provides easy mitigation options.
For example, you can sort by access level and find all
public files. Here you see all files and folders viewable
to the public.
File-Level Investigation
Let’s review 2 different scenarios regarding file-level
violations, to an existing policy that is currently in
72. On the Filtering Bar, click on the Access Level drop
place. Within these scenarios, the following topics
down menu.
about policies will be covered 1) allow you to
authorize legitimate files and 2) how to take action 73. Select Public (not Public Internet).
against suspicious/costly file violations.
For this, you will go to the Control menu at the top
navigation bar and click on policies: 74. On the Top Navigation Bar, click Control.
Within CAS, There is a very wide set of policies 75. Click Policies.
available to configure. You can either use out of the
box policies or build and customize your own.
Let’s filter the policies to find the file level policies.

25
Demo Guide En

Speaker Script Click Steps

The file-level policy you will be looking at is the PCI


compliance policy. The purpose of this policy is to
identify files containing customer credit card numbers
that are publicly shared and also providing options
for investigation and remediation. 76. On the Filter Bar, click on the Type drop down menu.
Let’s click on this policy, to see if there are any files 77. Click File Policy.
violating this policy. 78. Click outside of the drop down menu to minimize it.
Now that you are viewing the results of our
investigation for the PCI Compliance policy, you can
see that there are 2 files currently violating this policy.
Scenario 1: Investigating & Remediating a Violation
For the 1st scenario, let’s investigate the Payment 79. Click on the PCI Compliance.
schedule and details.xlsx file. To dive deeper into this
file, all you need to do is click on the file to expand its
description bar.
By expanding the file details, you can see the owner
80. Click on the Payment schedule and details.xlsx file.
of the file, the collaborators, when it was created and
when it was modified.
You can also view the violation matches, which can
provide a little more detail for your investigation.
Upon opening the matches window, you can see that
it produces a match for credit card information.
You can also see file hierarchy by clicking on view
hierarchy in details. 81. Under the Violation Count column for the Payment
It seems like this file is located under one of the schedule and details.xlsx file, click Matches.
customer information folders and it is available in a 82. Click Close.
public link, which seems suspicious. Based on the 83. Below the file name, click on View Hierarchy.
information found while investigating, you can now
84. Click Done to exit.
take action.
By clicking on the more information icon, you can
view all of the options available in order to remediate
this violation.
To prepare for the next scenario, exit the hierarchy
window.
85. On the far right side, click on the more information icon
(3 vertically stacked dots) for the Payment schedule and
details.xlsx file.
Scenario 2: Authorizing Legitimate Files 86. Click the more information icon again to close drop
down menu.
For the 2nd scenario, you will investigate the Test_file_for_DLP_test.docx file. To start off, let’s expand the file
description bar.
Now let’s view the results in the matches window. As you can see none of the results look real.
To further investigate, you want to view the file hierarchy, which will show you where this file resides. Viewing the
hierarchy of this file, you can see that this file resides in a folder named “Test Files”.
(For the purpose of this demo, you will be shown how to authorize this file but DO NOT click the check mark.)
Now you have determined that this is a test file. Since this file isn’t violating this policy you can take further
action and authorize this file, which will remove it from the Unauthorized Violations filter.

Click Steps:
87. Click Test_file_for_DLP_test.docx file.
88. Under the Violation Count column for the Test_file_for_DLP_test.docx file, click Matches.
89. Click Close.
90. Below the file name, click View Hierarchy.
91. Click Done to exit.
Note: The following step is just to show you how to authorize a legitimate file. DO NOT CLICK THE CHECK MARK.
92. To the left of the more information icon, locate the check mark but do not click it.

Alerts

Visibility and controls are not enough if not coupled with a powerful detection engine that can provide insights and
alerts.
The alerts center gathers alerts across a wide variety of categories, including threat detection, privileged accounts
and compliance violations.
Let’s see how CAS helps you detect anomalies and prevent threats.
To do this you will go to the “Alerts” menu. The alerts center gathers all the red flags identified by CAS, including
anomaly and threat detection, compliance violations and privileged accounts.
Let’s look into the general anomaly detection alert: CAS advanced machine learning heuristics learn how each user
interacts with each SaaS app and, through behavioral analysis, assess the risk in each transaction.
Here you can see a user who is an administrator performing suspicious activities such as logging in from a new
anonymous location and two countries simultaneously within an hour with several failed login attempts. You can take
a look at the details of the activity and take action to mitigate any threats right away.

Click Steps:
93. On the Top Navigation Bar, click Alerts.
94. Scroll down to the first General Anomaly Detection alert.
95. Click General Anomaly Detection.
Note: If you click on any alert in the Activity Log, you can view a detailed report of that specific alert.

This concludes this demonstration. As you have seen, Microsoft CAS is a comprehensive solution for gaining deeper
visibility, stronger controls and enhanced security for your cloud apps. I would like to emphasize: we not only
support Microsoft cloud apps. We are committed to helping you secure third party cloud apps as well.
For more information regarding Cloud App Security, please visit: www.cloudappsecurity.com
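The sign-in pattern named in the General Anomaly Detection alert above (a new anonymous location, two countries within an hour, several failed logins) can be written as a simple rule over sign-in records. This is an added example, not part of the original guide and not how CAS itself works; the log format, user names, threshold values and the rule of requiring two coinciding signals are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # "within an hour" in the speaker script
FAILED_THRESHOLD = 3          # assumed meaning of "several failed login attempts"
MIN_SIGNALS = 2               # assumed: alert only when at least two signals coincide

# Constructed records (not from a real tenant):
# timestamp, user, country, anonymizing proxy (yes/no), result
SAMPLE_LOG = """\
2016-04-11T09:00:00Z admin@contoso.example US no success
2016-04-12T14:02:11Z admin@contoso.example US no failure
2016-04-12T14:02:40Z admin@contoso.example US no failure
2016-04-12T14:03:05Z admin@contoso.example US no failure
2016-04-12T14:05:30Z admin@contoso.example US no success
2016-04-12T14:41:17Z admin@contoso.example RO yes success
2016-04-12T09:15:00Z garthf@contoso.example US no success
2016-04-12T16:45:00Z garthf@contoso.example US no failure
2016-04-13T10:00:00Z garthf@contoso.example CA no success
"""


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    country: str
    anonymous: bool
    success: bool


def parse(log_text):
    """Turn the whitespace-separated sample format into SignIn records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, anon, result = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             user, country, anon == "yes", result == "success"))
    return events


def detect(events):
    """Return (user, when, reasons) for each sign-in where signals coincide."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event.user].append(event)

    alerts = []
    for user, items in sorted(by_user.items()):
        items.sort(key=lambda e: e.when)
        seen_countries = set()          # countries this user signed in from earlier
        for i, current in enumerate(items):
            # All of this user's sign-ins in the hour up to and including this one.
            window = [e for e in items[: i + 1] if current.when - e.when <= WINDOW]
            reasons = []
            if current.anonymous and current.country not in seen_countries:
                reasons.append("new anonymous location")
            if len({e.country for e in window}) >= 2:
                reasons.append("two countries within an hour")
            if sum(not e.success for e in window) >= FAILED_THRESHOLD:
                reasons.append("several failed logins")
            if len(reasons) >= MIN_SIGNALS:
                alerts.append((user, current.when, reasons))
            seen_countries.add(current.country)
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect(parse(SAMPLE_LOG)):
        print(when.isoformat(), user, "; ".join(reasons))
```

The three failed logins alone do not raise an alert for the administrator; the alert fires at the sign-in where they coincide with the second country and the anonymizing proxy. The second user, whose two countries are a day apart, is not flagged.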

Demo Reset
1. Go back to the MyApps portal (as GarthF) and leave group for sso-Contoso Bug Bashers.

Appendix 1: Configure your Demo Tenant


These steps need to be performed only once per demo tenant, and are required prior to performing demos or configuring
devices for demoing.

Add Your Authentication Phone and Email (for MFA verification) to Hero User
Note: You may already have performed these steps for Azure AD demo configuration.
1. Open a new browser session in InPrivate mode (<CTRL>+Shift+P).
1. Log in to your demo tenant’s Azure admin portal https://manage.windowsazure.com/ as Global Admin,
admin@<TENANT>.onmicrosoft.com (corporate account) and password: pass@word1
2. In the list of ALL ITEMS, locate and click on your tenant’s directory name, labeled as Contoso <TENANT>.
3. Click USERS to view list of all directory users.
4. Locate and click on Garth Fort (garthf@<tenant>.onmicrosoft.com) in the directory.
5. In the WORK INFO page, scroll down to Authentication Contact Info, then fill in the following info:
a. Authentication Phone: (provide your actual, real world mobile phone number)
b. Authentication Email: (provide your actual, real world email address)
6. Click Save.

Grant EMS License to Global Admin user


Note: Your demo tenant has free EMS licenses for up to 100 users. Most of the users in the demo AD are already assigned
a license.
7. Go to LICENSES page, then click ASSIGN button (at bottom of the page).
8. Review the ASSIGNMENT STATUS column. Most of the users should already be Enabled.
9. Locate the global admin user (admin@<tenant>.onmicrosoft.com).
10. Ensure the admin user is Enabled. If not, add to ASSIGN then click Complete (checkmark icon).

11. Repeat steps 10-11 for any other users/custom demo personas that you may have added that require an EMS
license.

Configuring Tenant for iOS Devices


Estimated Setup Time: 15 minutes
These steps need only be performed once per tenant. Perform these steps using a desktop/laptop device (Windows
8.1 or higher) (not an iOS device) using Internet Explorer or Firefox browser.
Before you can manage iOS mobile devices with Intune, you need an Apple Push Notification service (APNs)
certificate. This certificate allows Intune to manage iOS devices and establish an accredited and encrypted IP connection
with the mobile device management authority services. One Apple ID can be used for multiple demo tenants/demo iOS
devices. Skip to step #5 if you already have an Apple ID from a previous demo tenant setup.
Note: no such setup/certificates are required for Android device enrollment. However, you will need a Google Play
account for downloading apps to your Android device.

Create an Apple ID for Your Demo Tenant (if necessary)


1. Navigate to the following URL https://appleid.apple.com/ and click Create an Apple ID.
12. Fill in the My Apple ID form as required:
a. First Name: Demo
b. Last Name: Admin
c. Apple ID: admin@<tenant>.onmicrosoft.com (replace <tenant> with appropriate value)
The following values are provided as example only. Feel free to put in your own values that you can remember
later.
d. Password: Contoso1 (do not use pass@word1 as it does not satisfy complex password requirement)
e. Choose the 3 security questions from the drop-downs
f. Security question answer 1: Contoso 1
g. Security question answer 2: Contoso 2
h. Security question answer 3: Contoso 3
i. Date of Birth: January 1, 1980
j. Mailing Address: (your business address)
k. Uncheck Email preference options.
l. Type in the captcha text as you see on the screen.
13. Click Create Apple ID.
14. To verify your email address:
a. Browse to https://outlook.office365.com/.
b. Log in with your Domain Admin credentials (same account you used for Apple ID above).
c. Locate the email from Apple with subject Verify your Apple ID, then click Verify now > link in the body
of the email.
d. Log in with the user name and password you set up earlier for your Apple ID.

Configure Intune Admin Settings for iOS Device Management

15. In the same browser session, navigate to the Intune management console site, at https://manage.microsoft.com. If
you closed the previous browser session and are prompted for login, provide your demo tenant’s global admin’s
credentials.
16. In the left navigation pane, click ADMIN (icon at the bottom).
17. Under Administration links, click Mobile Device Management.
18. In the Mobile Device Management page, under iOS section, click Enable the iOS and Mac OS X platform.
19. In the Upload an APNs Certificate page, click button Download the APNs Certificate Request (step 1).
20. In the Save As pop-up window, provide a file name by typing it (e.g. “MyDemoCSRFile”). Take a note of the local
folder location you’re about to save the file to, then click Save.
21. Back on the Intune Admin page, click the link Apple Push Certificates portal (step 2). You will be taken to Apple
Push Certificates Portal web site.
Note: If you closed the previous browser session and are prompted for login, provide the Apple ID credentials you
set up earlier in step #2. Note: the password is not pass@word1 here!
22. Click Create a Certificate.
23. Accept Terms of Use by checking appropriate box and clicking Accept.
24. In the Create a New Push Certificate page, click Browse… under Vendor-Signed Certificate Signing Request.
25. Point to the .CSR file you saved to your local computer earlier (in step 6 above) and click Open.
26. Click Upload.
o If you see a prompt to download a .json file, ignore it.
o If you are not re-directed to a new page after 30 seconds, click Cancel, which will take you to Apple Push
Certificates Portal page.

27. Click Download to download the mobile Device Management certificate. Save the file to a local folder on your PC
with .pem file extension.
28. Return to the Intune Administration > Upload an APNs Certificate page.

29. Click Upload the APNs Certificate button.
30. Point to the APNs certificate you downloaded earlier (.pem file), type in the demo admin’s Apple ID, and click
Upload.
31. In the Apple ID field, type in the Apple ID email address used to register the certificate, then click Upload.

32. You will see a confirmation page stating iOS is ready for enrollment.
Your demo tenant is now ready to accept iOS devices for enrollment!

Apply Contoso Branding to Intune Company Portal


Estimated Setup Time: 3 minutes
1. Download Contoso company logo locally to your PC from
http://emsassetspub.blob.core.windows.net/demoassets/Logo.png.
2. Log in to the Microsoft Intune management console, if necessary (https://manage.microsoft.com) as your demo
tenant’s Global Administrator.
3. Go to ADMIN > Company Portal page.
4. Fill in the form as follows:
a. IT department contact name: IT Admin
b. IT department phone number: 800-555-1234
c. Support website URL: https://<tenant>.sharepoint.com/sites/contoso/Employee/ITWeb
d. Website name: IT Web
e. Customization: Include company logo to ON
f. Select a logo to use on top of the selected color scheme (second option), click Browse…
g. Point to the Contoso logo you downloaded locally in step #1 above, then Open.
h. Set Show the company name next to your company logo to unchecked.
5. Click Save. [Note: there is no save confirmation!]

Create an App Policy for MAM without Enrollment


Estimated Setup Time: 4 minutes
If you wish to demo Intune’s Mobile Application Management without device enrollment, you will need to define a policy
for your demo tenant using the new Azure portal:
1. Log in to the new Azure portal (https://portal.azure.com) as the Global Administrator user of your tenant
(admin@<tenant>.onmicrosoft.com and appropriate password).
2. In the left navigation, click Browse > Intune.
3. In the Settings blade, click App Policies
4. Click Add a policy, then complete the policy details as follows:
a. Policy name: MAM without enrollment
b. Platform: iOS
c. Apps: (select all apps available by clicking checkmark next to each: Word, Excel, PowerPoint, OneDrive).
Click Select to save selection.
d. Settings: (leave default/recommended values). Click OK to save settings.
e. Click Create.
5. In the App policy blade, click on the policy label just created to reveal policy settings blade.
6. Click User groups > Add user group
7. Select sg-Sales and Marketing, then click Select.
8. Repeat steps 4 – 7 above for Android platform.
Please note: the Apps available for Android platform may be fewer than for iOS.

Next, you’ll need to ensure that no other Intune conditional access policy conflicts with this policy (i.e. ensure
that no other policy requires device enrollment for access to a corporate resource like SharePoint):

9. Using Internet Explorer or Firefox browser, log in to the Intune management portal
(https://manage.microsoft.com) as a Global Administrator user of your demo tenant.
10. Go to POLICY > Conditional Access > SharePoint Online Policy
11. Ensure the Enable conditional access policy checkbox is UNCHECKED. If not, modify form values as follows:
a. Select Device platforms: All platforms
b. Select Targeted Groups: All users
c. UNCHECK Enable conditional access policy
d. Click Save.

Add SaaS Applications to AAD


These steps need to be performed only once per demo tenant, and are required prior to performing demos.
Estimated Setup Time: 5 minutes
1. Open a new browser session in InPrivate mode (<CTRL>+Shift+P).
3. Log in to your demo tenant’s Azure admin portal https://manage.windowsazure.com/ as Global Admin,
admin@<TENANT>.onmicrosoft.com (corporate account) and password: pass@word1
33. In the list of ALL ITEMS, locate and click on your tenant’s directory name, labeled as Contoso <TENANT>.
34. Go to APPLICATIONS.
35. Click ADD, then Add an application from the gallery.


36. Choose Salesforce then click complete (checkmark icon).


37. Go back to APPLICATIONS tab and repeat steps 5-6 to add the following SaaS applications.
Note: Most of the apps are optional (goal is to make a busy app dashboard later in the demo). Salesforce,
BrowserStack and Twitter are required as some demo scenarios specifically depend on them.

a. BrowserStack (required for self-service group demo)

b. Twitter (required for password rollover demo)

c. Evernote (optional)

d. Concur (optional)

e. LinkedIn (optional)
38. Configure BrowserStack application:
a. Click BrowserStack from the list of applications.
b. In the Quick Access page, click Assign accounts.

c. In the SHOW Groups STARTING WITH text box, type “ssg” then click search (checkmark icon).
d. Highlight ssg-Contoso Bug Bashers, then click ASSIGN.
e. Click checkmark icon to Complete.
39. [Optional] Repeat step 8 for the following apps: Evernote, LinkedIn, Concur and ASSIGN to All Employees group.

Configure Salesforce SSO Integration


Estimated Setup Time: 30 minutes
You can use Salesforce as an example to demonstrate secure, single sign-on integration with a third-party SaaS
application. For this demo to succeed, you’ll need to create a new Salesforce account for your demo tenant and configure
the SSO.

Sign up for a Salesforce Developer Account:


You can sign up for a free Salesforce Developer Environment account through the Salesforce website, as detailed
below.

1. In a new browser tab, navigate to https://developer.salesforce.com/signup.
2. Fill in the form as follows:
a. First Name: Contoso
b. Last Name: Admin
c. Dropdown option: Developer
d. Email: admin@<tenant>.onmicrosoft.com
e. Company: Contoso
f. Country/Postal Code: (as appropriate)
g. Username: admin@<tenant>.onmicrosoft.com
3. Check Master Subscription Agreement checkbox, then click Sign me up.
4. When prompted to check email to confirm account:
h. Launch a new, InPrivate browser session.
i. Sign in to https://outlook.office365.com as admin@<tenant>.onmicrosoft.com and pass@word1.
j. Locate the email from Salesforce and click on the link provided. You’ll be taken to Salesforce web site.
5. Provide a new password: pass@word1
6. Pick a security question and answer it.
7. Click Save. You’ll be taken to the Salesforce Home page. Keep this page open.

Configure Azure to Salesforce Single Sign-On:


8. In a new browser session, log in to the Azure Management Portal (https://manage.windowsazure.com) as your
tenant’s Global Admin user (admin@<tenant>.onmicrosoft.com).
9. Go to your demo Active Directory, APPLICATIONS, then click Salesforce.
10. Click Configure single sign-on.
11. Select Microsoft Azure AD Single Sign-On, then click the next icon.
12. For SIGN ON URL, type https://<tenant>-dev-ed.my.salesforce.com (Important: replace <tenant> with your
appropriate value), then click next.
13. On the Configure single sign-on at Salesforce page, to download your certificate, click Download certificate,
and then save the certificate file locally on your computer.


Important: Keep this page/dialog window open as you’ll need to copy values into Salesforce later.
14. Switch to the browser session with Salesforce.
15. In the left navigation, under Administer, expand Security Controls, then click Single Sign-On Settings.

16. Under Single Sign-On Settings, click Edit.


17. Select SAML Enabled, and then click Save.
18. Under SAML Single Sign-On Settings, click New.
19. Fill in the SAML Single Sign-On Settings form as follows (also see screen shot on next page for example):
a. Name: AzureSSO
b. Issuer: [Copy+Paste the ISSUER URL value from the Azure configuration dialog]
c. Entity ID: https://<tenant>-dev-ed.my.salesforce.com (replace <tenant> with appropriate value)
d. Identity Provider Certificate: [Click Browse and point to the certificate file you downloaded earlier from
Azure].
e. SAML Identity Type: default selection (Assertion contains User's salesforce.com username).
f. SAML Identity Location: default selection (Identity is in the NameIdentifier element of the Subject
statement).
g. Identity Provider Login URL: [Copy+Paste the Remote Login URL value from the Azure configuration
dialog].
h. Identity Provider Logout URL: [Copy+Paste the Remote Logout URL value from the Azure configuration
dialog].
i. Leave all other fields with their default values.
j. Click Save to apply your SAML single sign-on settings.

20. On the left navigation pane in Salesforce, expand Domain Management, then click My Domain.
21. Under My Domain, type your tenant name (e.g. MOD46935) in the Subdomain text box, as shown:

22. Click Check Availability to verify, check Terms and Conditions, then click Register Domain.

23. Wait 10 minutes while your custom domain name is being published. Refresh until you see the graphic status on
the page move to Step 3 Domain Ready for Testing.

24. Click button labeled Click here to login.


25. If necessary, login with your Salesforce administrator user ID (admin@<tenant>.onmicrosoft.com) and
pass@word1.
26. When prompted to register your mobile phone, click I Don’t Want to Register My Phone.
27. Back in the My Domain page, click Deploy to Users. Click OK to dismiss warning prompt.
28. Under Authentication Configuration, click Edit.
29. Fill in the Authentication Configuration form as follows, then Save.
a. Header Logo: (click Browse…, then upload logo from file located at
http://emsassetspub.blob.core.windows.net/demoassets/Logo-250.png)
b. Authentication Service: AzureSSO (uncheck other options).

30. Go back to Security Controls > Single Sign-On Settings > AzureSSO, then click Edit.
31. Under Service Provider Initiated Request Binding, select HTTP Redirect, then Save.
32. Switch to the browser tab/session with Azure AD SSO configuration page.
33. Check the box for Confirm that you have configured single sign-on, then click next.


34. Click Complete icon.
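How the values entered in the SAML Single Sign-On Settings form above correspond to the fields a service provider checks in each assertion, as an added example (not Salesforce's or Azure AD's code, and not part of the original guide). The issuer URL, tenant host name and user name are placeholders, the sample assertion is constructed and unsigned, and verification of the XML signature against the uploaded Identity Provider Certificate is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Stand-ins for the form values; both URLs are placeholders, not real endpoints.
SP_SETTINGS = {
    "issuer": "https://idp.example/ISSUER-URL-PLACEHOLDER",   # "Issuer" field
    "entity_id": "https://TENANT-dev-ed.my.salesforce.com",   # "Entity ID" field
}

# Constructed sample values used below.
USER = "garthf@tenant.example"
ISSUED = datetime(2016, 4, 12, 14, 0, 0, tzinfo=timezone.utc)
NOW = datetime(2016, 4, 12, 14, 0, 30, tzinfo=timezone.utc)


def build_assertion(issuer, audience, name_id, issued_at, lifetime_minutes=5):
    """Return a constructed, unsigned SAML 2.0 assertion as text (sample input only)."""
    not_before = issued_at.strftime(TIME_FMT)
    not_after = (issued_at + timedelta(minutes=lifetime_minutes)).strftime(TIME_FMT)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed"
    Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, settings, now):
    """Return (username, problems); username is None when any check fails.

    Signature verification is NOT done here. These field checks only mean
    something on an assertion whose signature has already been verified.
    """
    root = ET.fromstring(xml_text)   # adequate for this constructed input
    problems = []

    # "Issuer": the assertion must come from the configured identity provider.
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != settings["issuer"]:
        problems.append("issuer mismatch")

    # "Entity ID": the assertion must be addressed to this service provider.
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if settings["entity_id"] not in audiences:
        problems.append("audience mismatch")

    # Validity window, so that a captured assertion cannot be reused later.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("missing conditions")
    else:
        not_before = conditions.get("NotBefore")
        not_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("not yet valid")
        if not_after is None:
            problems.append("missing NotOnOrAfter")
        elif now >= _parse_time(not_after):
            problems.append("expired")

    # "SAML Identity Location": the user name is read from Subject/NameID.
    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not name_id:
        problems.append("missing NameID")

    return (name_id if not problems else None), problems


if __name__ == "__main__":
    good = build_assertion(SP_SETTINGS["issuer"], SP_SETTINGS["entity_id"], USER, ISSUED)
    print(check_assertion(good, SP_SETTINGS, NOW))
    other = build_assertion(SP_SETTINGS["issuer"], "https://other-sp.example", USER, ISSUED)
    print(check_assertion(other, SP_SETTINGS, NOW))
```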

Configure User Provisioning for Salesforce:


35. In the Azure Management Portal page, click Configure account provisioning.
36. Fill in Salesforce Admin user name: admin@<tenant>.onmicrosoft.com and password (pass@word1).
37. Switch to the browser window/tab with Salesforce.
38. Click Contoso Admin (user menu at top of the page), then My Settings.
39. In the left navigation, expand Personal, then click Reset my Security Token.
40. Click Reset Security Token button. A security token will be sent to the current user (Admin) via email.
41. Switch to the browser window/tab with Admin’s email, then locate the new email from Salesforce.
42. Copy the Security Token from the body of the email (e.g. Jaw9XnUhe0PxN1flSE6P5GVwF).
43. Return to the Azure Management Portal page.
44. Paste the security token under User Security Token field, then click next.
45. Click Start Test to verify SSO integration.
46. Once confirmed, click next twice.

47. Check the Start automatic provisioning now option, then click Complete icon.

Configure User Provisioning for Salesforce:


48. Under Assign users to Salesforce, click Assign accounts.
49. In the USERS AND GROUPS page, choose SHOW Groups (dropdown), under STARTING WITH type “sg-”, then
click checkmark.


50. Highlight sg-Sales and Marketing, then click ASSIGN.


51. Select Salesforce Profile to Chatter Free User, then click Complete.

Configure Salesforce Access Rule to Require MFA:


52. Under Assign users to Salesforce, click Assign accounts.
53. In the Salesforce application page, click CONFIGURE.
54. Scroll down to multi-factor authentication and location based access rules and configure the following values:
a. ENABLE ACCESS RULES: ON
b. APPLY TO: ALL USERS (default)
c. RULES: Require multi-factor authentication (default)
55. Click Save.


Configure Twitter Integration


Estimated Setup Time: 10 minutes
You will be using the Twitter app to demonstrate password roll-over feature in Azure AD.

Sign up for a Demo Twitter Account:


You will need to sign up for a new Twitter account just for this demo tenant, at twitter.com.
1. In a new InPrivate browser session, navigate to https://twitter.com/signup.
2. Fill in the form as follows:
k. Full Name: Contoso Demo
l. Email address: admin@<tenant>.onmicrosoft.com
m. Password: pass@word1
n. Username: Contoso<tenant>, e.g. ContosoMOD45654
Important: This will be the Twitter handle, hence needs to be unique!
3. Click Sign Up.
4. On the Enter your phone page, provide your mobile phone number, then click Continue.
5. Click Let’s go.
6. In the What are you interested in? page, check Business, then click Continue.
7. In the Suggestions just for you page, check to unselect all items, then click Continue.
8. Click Upload your photo > Upload photo.
9. In the File name field, paste the Contoso logo URL:
https://spdoclibrary.blob.core.windows.net/documents/Contoso-200x200.png, then click Open.
10. Click Apply to apply the logo as display image for the new Twitter account.
11. Click Continue.
12. In the Find people you know page, click Skip this step.

Confirm email address for Twitter account:


13. In a new browser tab, navigate to https://outlook.office365.com and login as
admin@<TENANT>.onmicrosoft.com.
14. Locate the email from Twitter, then click Confirm now link on the email body.

Configure Single Sign-On


15. In a new browser tab (same browser session), navigate to Azure Management Portal,
https://manage.windowsazure.com. You will be logged in as your demo tenant’s global admin.
16. Go to the demo tenant’s Active Directory, APPLICATIONS page, then click Twitter.
17. Click Configure single sign-on.
18. Select Password Single Sign-On, then click Complete.
19. Click Assign Accounts.
20. Highlight sg-Sales and Marketing, then click ASSIGN.

21. In the Assign Groups dialog, check I want to enter Twitter credentials to be shared among all group members.
22. Type in the Twitter user name and password you set up earlier.

23. Check I want to enable automatic password rollover, then click next.
24. In the Configure Password Rollover page, leave the default value (4 weeks) then click Complete.


Appendix 2: Installing/Configuring Azure RemoteApp (ARA)


Important Notes:
• If you want to perform Desktop Virtualization demo using Azure RemoteApp (ARA), you’ll need to manually
deploy an app collection to your Azure tenant.
• If your demo tenant was provisioned prior to March 18 2016, a RemoteApp collection may have been provisioned
already.
• The trial of a RemoteApp collection is free, but has the following limitations:
o Expires 30 days from the date of provisioning.
o Limit of 2 free RemoteApp collections per Subscription ID.
• If your RemoteApp collection free trial period has expired, you have the option to continue your subscription but
will be charged.
o Please refer to the Azure RemoteApp Pricing Plans for more details.

Installing Azure RemoteApp


1. Open a new browser session in InPrivate mode (<CTRL>+Shift+P).
2. Navigate to the Azure Management Portal, https://manage.windowsazure.com/
40. Log in using your demo tenant’s Global Admin credentials, i.e. admin@<TENANT>.onmicrosoft.com.
NOTE: (IMPORTANT INFORMATION for Step 8)
Upon logging in your default view should be in the ALL ITEMS window, if not, please navigate to the all items
window. In the ALL ITEMS window, please take note of the REGION your Azure Active Directory (AAD) is
located in. This can be found under the LOCATION column, the far right column (next to the search bar)
41. Using the Navigation Bar, located on the left hand side, locate and click on the REMOTEAPP tab.
42. Locate and click on the CREATE A REMOTEAPP COLLECTION button
a. Performing this action will enable your free 30-day trial, which limits you to 2 RemoteApp collections per
subscription.
43. Type desired NAME (Name can only contain letters and numbers, no spaces)
44. Choose a REGION:
NOTE:
In order to minimize cost, select the region closest to the location of your storage. If you do not currently have a
storage, base your choice of REGION using your AAD location (storage location should also be based off of your
AAD location as well). This is referencing the note from Step 3.
45. Leave PLAN type as default setting: Basic
46. Select TEMPLATE IMAGE: Office 365 ProPlus
47. Click CREATE REMOTEAPP COLLECTION when done
NOTE:
Once you click CREATE REMOTEAPP COLLECTION, this will start the actual creation of your ARA. This process
can take up to 2 hours.
48. Continue to the next section, Configuring Azure RemoteApp, to finalize ARA.

Configuring Azure RemoteApp


1. Upon completing the creation of your ARA, you should already be in the REMOTEAPP tab. If not, navigate to the
REMOTEAPP tab.
2. You should see your named ARA in the RemoteApp tab
3. Click on your ARA
4. In the Top Menu Bar, click on the Publishing tab
NOTE:
The publishing tab is where you select or deselect applications you wish to have available in ARA.
***There is the option to add third party applications but that will not be covered in this guide.
5. Verify all Office 365 items in this tab have a green check mark and are labelled as PUBLISHED under the STATUS
column.
6. Upon verifying your published applications, navigate to the USER ACCESS tab located on the Top Menu Bar.
NOTE:
By default, your admin@<TENANT>.onmicrosoft.com account will be the only account located in the user access tab.
7. To add new users to your subscription, type the user’s email address, xxxxxx@<TENANT>.onmicrosoft.com, into
the text box labelled ENTER USER NAME (located right below your administrator account). Once you type the
user’s email address into the text box, ARA will search for that user in AAD then add him/her to the subscription.
Repeat this step for additional users.
a. For demo purposes, here is a list of user credentials you can use:

Once finished adding users, click SAVE.

Appendix 3: Configure Your Demo Devices


Currently, the demo configuration and documentation has been tested against iOS devices only. We are working on
incorporating other devices (Android and Windows Phone) as well.

Mobile Device Requirements


• iOS (iPad or iPhone) running latest version of iOS; or Android device (phone or tablet) running OS v4.4.2 or higher.
o Ideally, two such devices to be able to perform Conditional Access and Mobile Application Management
demos back-to-back without setup time in between.
• Ensure devices are free of Office mobile apps (delete if they exist). If feasible, perform factory reset of the device.
• Ensure you have an Apple ID (if using iOS device) or Google Play account (for Android device) as you’ll be
prompted for credentials during the setup. If you need to setup a new Apple ID, refer to the Create Apple ID
section under Appendix 1.

Device Setup Steps


Estimated Setup Time: 30-45 minutes

Set Up Device #1 (iOS or Android)


The following demos will be presented on Device #1: MAM without Enrollment and Conditional Access policy.
1. Go to the App Store (for iOS) or Google Play Store (for Android) and download/install the following apps:
a. Microsoft Intune Company Portal
b. Microsoft Outlook
c. Microsoft Word
2. Launch Word application. Dismiss any app initialization/startup messages/prompts.
3. In Word, sign in as your demo persona (e.g. GarthF@<tenant>.onmicrosoft.com and password).
4. Tap Open > SharePoint.
5. You’ll see a prompt to set a PIN for the app (since you’re about to access company data). Set a 4-digit numeric
PIN (e.g. 1111).
6. Tap on the label of SharePoint instance of your tenant (e.g. Contoso <TenantName>) then open a Word
document from SharePoint (e.g. DemoDocs folder > Northwind Proposal.docx )
7. If necessary, sign in again as your demo persona (e.g. GarthF@<tenant>.onmicrosoft.com and password).
8. Attempt to make an offline copy (a.k.a. Save As or Duplicate) of the file as follows:
a. Tap File > Duplicate
b. Choose location to duplicate: <local device> (e.g. iPad)
c. Tap Duplicate.

9. If you see a prompt saying “Your administrator doesn’t allow saving to personal locations.” then your MAM
Without Enrollment policies are working!
10. Tap OK, then Cancel to dismiss Save As attempt.
11. Tap the back arrow to close the Word document, then close Word app on your device.

Set Up Device #2 (iOS or Android)


You will perform the majority of mobile demos, including the Mobile Application Management demo, on this device.
1. Go to the App Store (for iOS) or Google Play Store (for Android) and search for Microsoft Intune.
12. Download/install the app Microsoft Intune Company Portal.
13. Launch the installed app.
14. Sign in to Intune Company Portal with the following account: garthf@<tenant>.onmicrosoft.com and
pass@word1
TIP: copy the account email address in your device’s buffer so you can paste it easily later, instead of typing it
each time!
15. On Device Enrollment dialog, tap Enroll. You will be re-directed to device settings app.
16. On Install Profile, tap Install.
17. Enter device passcode (prompted if device currently has a passcode).
18. On Install Profile, tap Install.
19. On Warning, tap Install.
20. On Remote Management, tap Trust.
21. On Profile Installed, tap Done. You’ll be directed back to the Company Portal app.
22. On Device Enrolled confirmation, tap OK.
23. On Compliance Details, wait for compliance confirmation (“This device is no longer out of compliance” message)
tap OK.
24. If your device does not have a passcode, you’ll see a prompt to set a passcode within 60 minutes. Tap Continue,
then set a 4-digit passcode (e.g. 1111)
Important: Note your new passcode. You’ll need this passcode to unlock your device each time from now!
25. Back in Intune Company Portal app, tap Company Apps.
26. Tap on each of the following apps then Install (note: for each app, you’ll see App Installation confirmation pop-up
message after 10-20 seconds. Tap Install to confirm).
a. Outlook (required for demo flow)
b. Word (required for demo flow)
c. Managed Browser (required for demo flow)
d. My Apps (optional but recommended)
e. PowerPoint (optional but recommended)
f. Excel (optional but recommended)
g. RMS Sharing App (optional but recommended)
h. OneDrive for Business (optional but recommended)

Note: Depending on your internet speed, it may take 10-30 minutes for these apps to finish installing to your
device! We recommend you start by installing Outlook first as it requires further setup.

Setup Outlook/Emails/Dropbox:
27. When Outlook app has finished installing, tap on its icon to launch it.
28. If prompted to set up a numeric pin, tap an easy to remember 4-digit number, e.g. 1111.
29. In Add an Account page, tap Office 365.
30. In the Office 365 login page, paste Garth Fort’s corporate email address (garthf@<tenant>.onmicrosoft.com).
31. Type in GarthF’s password (pass@word1) then tap Sign in.
32. Dismiss the Outlook app tips.
33. Tap Settings at the bottom of the screen, then + Add Account.
34. Tap Outlook.com.
35. In the Outlook.com Sign in page, type your demo Live ID user email address (e.g. [email protected])
and select/copy the email address in clipboard memory (for use later).
36. Type the Live ID password then tap Sign in.
37. Let this app access your info? Tap Yes.
38. Tap Settings at the bottom of the screen, then + Add Account.
39. Tap Files > Dropbox.
40. In the Dropbox sign in page, paste your demo Live ID email address (e.g. [email protected]), type
password, then tap Sign in.
41. At the prompt “Let this app access your account info” tap Yes.

Setup/Configure Word
42. In Garth’s corporate inbox, scroll down and tap on an email from Alex Darrow (subject Northwind Proposal).
43. Tap Open in Word for the included email attachment. The Word app will launch.
44. Since this is the first time you’re launching the Word app on this device, you’ll see several welcome messages and tips.
Dismiss all such messages.
45. When prompted to sign in to Office 365, provide GarthF’s credentials, and continue.
46. When the attachment document finally opens, tap the File menu icon in Word app, then Duplicate.


47. Tap Add a Place.


48. Tap Dropbox.
49. In the Dropbox login page, paste Garth Fort’s personal email address ([email protected]), and type his
password (Contoso1) then tap Sign in and Link.
50. Tap Dropbox – Personal to select it, then tap Save.
If you see an alert box with the message “Your administrator doesn’t allow saving to personal locations.”, then your
MAM smoke test is successful.
51. Dismiss/cancel the pop-up dialog boxes in Word.

52. Close the Northwind Traders Proposal document by tapping the exit icon.

Setup Azure RemoteApp Access


53. Install the Microsoft Remote Desktop app from the iOS App store:
a. Launch the App Store app on your device.
b. Search for the app Remote Desktop (see app icon below as hint), then install it.

c. If prompted, provide your Apple ID credentials for authentication to the App Store.
54. Launch the app on your device (the app will be labeled as RD Client.)
55. Within the Microsoft Remote Desktop app, tap the + button (top-right corner), then Add Azure RemoteApp, and
Continue.
56. In the Sign In page, provide your demo persona’s corporate login credentials: garthf@<tenant>.onmicrosoft.com,
then continue.
57. You will see the Microsoft Remote Desktop apps page, similar to below:


58. Tap Excel icon to launch. You may be prompted with a login screen again. Provide your demo persona’s email
address and password.
59. In the RemoteApp session of Excel, you’ll be prompted to Activate Office. Once again, provide your demo
persona’s email address, work account, and password.
60. In the First things first pop-up, choose Use recommended settings, then click Accept.
61. If you see no files listed under Open, Recent Workbooks, follow these steps:
a. Click Open Other Workbooks, One Drive – Contoso <Tenant>, then Browse.
b. Open the file Contoso Purchasing Data - 2014.xlsx from Garth Fort’s OneDrive for Business.
62. Close the Excel application window.
