Azure AD Joined/Azure Device Registration/Intune Enrollment
I have spent a lot of time over the past few months working with Azure and Intune; there are a lot of toys to play with, and a lot you can and can't do with it. Azure AD join is not the same as on-premises AD (despite what is sometimes implied); it is a different approach rather than a cloud copy of domain join.
There are many blog posts from Microsoft and from the community explaining Azure AD join and Azure AD registration, so it is worth reading up on those first.
In this post I am going to cover these areas.
- User Licensing (Azure AD Premium)
- Enable Auto-Enrolment for Intune
- Deploy the Company Portal
- Example 1 – Azure AD joined and Intune Auto Enrollment
- Example 2 – Azure AD Registered and Intune Manual Enrollment
Below is a nice chart from David Trejo on the different options
Azure AD Joined and Auto Enrollment in Intune
OK, so in this scenario I am going to show how to enrol a brand new Windows 10 device in Azure AD and have it auto-enrol into Intune, and then deploy the Company Portal once that is done.
This user, let's just call him Terence, has two licences assigned to him: EMS E5 and Office 365. I deployed Office 365 in a different post. Azure AD Premium licences are needed for MFA (and the same licence covers the MDM auto-enrolment configured below).
- Sign in to the Azure portal and open Azure Active Directory.
- Go to Mobility (MDM and MAM).
- Select Microsoft Intune.
- Under Configure, set MDM user scope to “Some”.
- Assign the scope to a user group (a device group will not work: the scope is evaluated against the user who signs in during OOBE, not against the device object).
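The group assignment above is easy to get wrong, because a device group looks perfectly plausible in the picker but never triggers auto-enrolment. The following PowerShell audit is an added example, not from the original post: it reads the Intune MDM scope through Microsoft Graph and flags any assigned group whose members are device objects. Assumptions: `$AccessToken` is a Graph bearer token with Policy.Read.All and GroupMember.Read.All; the policy is read from the beta endpoint `/policies/mobileDeviceManagementPolicies`, the Intune policy id equals the Intune app id `0000000a-0000-0000-c000-000000000000`, and `includedGroups` returns group objects. Check those beta details against the current Graph reference before relying on the script.

```powershell
# Added example, not from the original post. Audits the Intune MDM auto-enrolment scope
# through Microsoft Graph and warns when an assigned group holds devices instead of users.
# Assumptions (verify against the Graph beta reference): the policy is exposed at
# /beta/policies/mobileDeviceManagementPolicies/{id}, the Intune policy id is the Intune
# app id 0000000a-0000-0000-c000-000000000000, and includedGroups returns group objects.
function Get-IntuneMdmScopeReport {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,   # bearer token for https://graph.microsoft.com
        [string] $PolicyId = '0000000a-0000-0000-c000-000000000000'
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $graph   = 'https://graph.microsoft.com'

    # Portal "MDM user scope" None / Some / All maps to appliesTo = none / selected / all
    $policy = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$graph/beta/policies/mobileDeviceManagementPolicies/$PolicyId"

    $groupReports = @()
    if ($policy.appliesTo -eq 'selected') {
        $groups = Invoke-RestMethod -Method Get -Headers $headers `
            -Uri "$graph/beta/policies/mobileDeviceManagementPolicies/$PolicyId/includedGroups"

        foreach ($g in $groups.value) {
            # Auto-enrolment is evaluated against the user signing in during OOBE, so a
            # group whose members are device objects never triggers it. Only the first
            # page of members is inspected; follow @odata.nextLink for very large groups.
            $members = Invoke-RestMethod -Method Get -Headers $headers `
                -Uri "$graph/v1.0/groups/$($g.id)/members?`$select=id"
            $types = @($members.value | ForEach-Object { $_.'@odata.type' } | Sort-Object -Unique)

            $warning = ''
            if ($types -contains '#microsoft.graph.device') {
                $warning = 'contains device objects: auto-enrolment needs a USER group'
            } elseif ($types.Count -eq 0) {
                $warning = 'group is empty'
            }

            $groupReports += [pscustomobject]@{
                GroupId     = $g.id
                DisplayName = $g.displayName
                MemberTypes = ($types -join ', ')
                Warning     = $warning
            }
        }
    }

    [pscustomobject]@{
        PolicyName = $policy.displayName
        AppliesTo  = $policy.appliesTo   # expect 'selected' when the portal shows "Some"
        Groups     = $groupReports
    }
}

# Usage (token obtained with Azure CLI here; any other OAuth flow works just as well):
# $token  = az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv
# $report = Get-IntuneMdmScopeReport -AccessToken $token
# $report | Format-List; $report.Groups | Format-Table
```

A non-empty `Warning` column on any group is the thing to look for: it means the scope is set, but the people who will sit through OOBE are not in it, which is exactly the silent failure the portal does not show you.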
Deploy Company Portal to Intune Enrolled Machines
Once the machine has been deployed and enrolled I want the Company Portal deployed to the device immediately.
- In the Azure portal go to Intune – Mobile Apps.
- I synced the Company Portal from the Windows Store for Business; you can add it manually as well.
- Now I will assign it to the “Intune Auto-Enrolled Users” group.
Example 1 – Azure AD join and Auto-enrolment in Intune
- In this example I'm using Windows 10 1703 and building the VM straight from the ISO.
- The OOBE first asks for a region.
- Then the keyboard layout.
- Then whether you want to add a second keyboard layout.
- Now you can sign in with the work account; this joins the device to Azure AD and should enrol it in Intune.
- Enter your password.
- Choose the privacy settings.
- The next screen asks you to set up a PIN if Windows Hello is enabled. I have MFA set up, so I have to approve the sign-in using the Authenticator app on my phone.
- Set up your PIN and you are good to go.
- Once the user has logged in I can see straight away that the Company Portal has been deployed and our branding has been applied.
- In Azure, check the status of the new machine: I can see that it is Azure AD joined and MDM is set to Microsoft Intune.
Example 2 – Azure AD Registered and Intune Manual Enrolment
The process is the same as Example 1, but without auto-enrolment the end user has to enrol manually.
- In Azure you can see the device, but it is not managed by Intune.
- Once the machine has been deployed, go to the Windows Store and search for Company Portal.
- Under the Company Portal settings you can see that it is not enrolled in Intune.
- Click Next to begin the enrolment process.
- Enter your credentials.
- Now when I look in Azure I can see that the device is an Azure AD registered device. When a user manually enrols his or her device it is classed under ownership as Personal rather than Corporate, which is the same thing we see when a user enrols a phone (BYOD).
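Both examples end with a look at the device in the Azure portal. For the device-side view of the same facts (joined vs registered, whether MDM enrolment was offered and taken, whether the Company Portal from the earlier section actually landed), here is an added PowerShell check, not from the original post, that parses `dsregcmd /status` on the machine itself. Assumptions: `dsregcmd` prints `Name : Value` lines including AzureAdJoined, DomainJoined, WorkplaceJoined, TenantId and MdmUrl; MdmUrl is populated only when the tenant offered MDM enrolment to the signing-in user; Intune enrolments are recorded under `HKLM:\SOFTWARE\Microsoft\Enrollments` with ProviderID `MS DM Server`; and the Company Portal's AppX package name is `Microsoft.CompanyPortal`.

```powershell
# Added example, not from the original post. Classifies the local Windows 10 device the way
# the Azure portal does (Azure AD joined / registered) and reports whether Intune MDM
# enrolment and the Company Portal are present. Assumptions: dsregcmd /status prints
# "Name : Value" lines (AzureAdJoined, DomainJoined, WorkplaceJoined, TenantId, MdmUrl);
# MdmUrl is filled only when the tenant offered MDM enrolment to the signing-in user;
# Intune enrolments live under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with
# ProviderID "MS DM Server"; the Company Portal AppX package is Microsoft.CompanyPortal.

function ConvertFrom-DsregStatus {
    # Turn dsregcmd's box-drawn report into a hashtable; lines like "| Device State |"
    # and "+----+" do not match the Name : Value pattern and are skipped.
    param([string[]] $Lines = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinReport {
    param([hashtable] $State = (ConvertFrom-DsregStatus))

    $joinType = if ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD joined' }
                elseif ($State['AzureAdJoined'] -eq 'YES')   { 'Azure AD joined (Example 1)' }
                elseif ($State['WorkplaceJoined'] -eq 'YES') { 'Azure AD registered (Example 2)' }
                else                                         { 'Not joined or registered' }

    # Enrolment records: one key per MDM enrolment; Intune uses ProviderID "MS DM Server".
    $intuneEnrollments = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' })

    $portal = Get-AppxPackage -Name 'Microsoft.CompanyPortal' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        JoinType               = $joinType
        TenantId               = $State['TenantId']
        MdmUrl                 = $State['MdmUrl']
        MdmAutoEnrolOffered    = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
        IntuneEnrolled         = ($intuneEnrollments.Count -gt 0)
        CompanyPortalInstalled = ($null -ne $portal)
    }
}

# Run on the device after OOBE (Example 1) or after manual enrolment (Example 2):
Get-DeviceJoinReport | Format-List
```

In Example 1 you expect `Azure AD joined`, a populated MdmUrl and `IntuneEnrolled = True` straight after OOBE; in Example 2 you expect `Azure AD registered` with no MdmUrl, and `IntuneEnrolled` only flips to True after the user finishes the Company Portal wizard. `ConvertFrom-DsregStatus` also accepts saved output through `-Lines`, so the same function can be run against `dsregcmd /status` text collected from a remote machine.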
Next up is the new Windows AutoPilot.
- Traditional Management vs Modern Management – Part 1 – Encryption
- Traditional Management vs Modern Management – Part 2 – Office 365
- Traditional Management vs Modern Management – Part 3 – AAD/Auto MDM Enrollment
- Traditional Management vs Modern Management – Part 4 – Windows AutoPilot
- Traditional Management vs Modern Management – Part 5 – Security