Intune RBAC Roles Permissions in the Intune Admin Center Portal

This post explains Intune RBAC roles and permissions in the Intune Admin Center Portal. We will discuss the access rights of the built-in Intune RBAC role Configuration Policy Manager.

Ideally, this role should only be able to manage and deploy configuration settings and profiles within its scope. Before going into the details, let me explain what the scope is.

Intune RBAC (Role-Based Access Control) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by giving each team limited access to specific resources. A scope (scope group) is defined as "the users or devices that a specified person (the member) can manage." If you are an SCCM admin, the same concept exists as the SCOPE option in the SCCM 2012 and Current Branch consoles.

Granular control delegates permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). The permissions assigned to an Intune admin are limited to specific user or device groups. Even view permissions on Intune objects can be controlled through RBAC.

Intune RBAC Strategic Options – Video

This video will explain Intune RBAC Strategic Options, Role-Based Access Controls, Scope Groups, Intune Objects, and Roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 1

What is Intune RBAC?

RBAC helps Intune admins control who can perform which Intune tasks within the enterprise. There are nine (9) built-in Intune roles (RBAC roles); the updated list of built-in roles is in the table below.

In this post, I will explain the access rights of Intune's default role Configuration Policy Manager. I have created a user named Kaith in Azure Active Directory. This user is assigned the Configuration Policy Manager role, and the scope is set to the group "All Bangalore Users."

The Intune Configuration Policy Manager can Assign, Create, Delete, Read, and Update profiles. However, we will take a deep dive to understand the details of the access rights for this role.

Configuration Policy Manager – Permissions:
  • Assign device settings to AAD security groups
  • Create device settings
  • Delete device settings
  • Read device settings
  • Update device settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1

Intune RBAC – Tiered Hierarchy

Azure AD is the primary identity repository for Intune. User identities and access rights are managed in Azure AD, which integrates directly with Intune, so full Intune admin permissions come from the corresponding Azure AD directory roles. The tiers look like this:

  • Global Admin Role (Tier 1)
  • Intune Service Admin Role (Tier 2)
  • Intune RBAC Permissions – Intune Portal
  • Tier 3 Roles – App Admin, Helpdesk Admin, etc…

Updated Built-In Intune RBAC Roles

Let's check the built-in Intune RBAC roles (Endpoint Manager roles) available in the MEM admin center portal. Permissions in Azure AD remain crucial for managing users, devices, and policies effectively within Intune.

Updated Built-In Intune RBAC Roles | Details
Application Manager | Built-in Role
Endpoint Security Manager | Built-in Role
Read-Only Operator | Built-in Role
School Administrator | Built-in Role
Policy and Profile Manager | Built-in Role
Help Desk Operator | Built-in Role
Intune Role Administrator | Built-in Role
Cloud PC Administrator | Built-in Role
Cloud PC Reader | Built-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1
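The table above lists the role definitions, but the security-relevant question in a real tenant is who holds each role and which scope groups they can target. The script below is an added example (not code from the original post) that inventories every Intune RBAC role definition, built-in and custom, together with its assignments, admin groups, and scope groups. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account has been consented for DeviceManagementRBAC.Read.All and Group.Read.All; the Graph endpoints used are the documented deviceManagement/roleDefinitions and deviceManagement/roleAssignments resources.

```powershell
# Added example, not code from the original post: inventory every Intune RBAC role
# (built-in and custom) with its assignments, the admin groups that hold it and the
# scope groups those admins may target. Assumes the Microsoft.Graph PowerShell SDK
# and an account consented for DeviceManagementRBAC.Read.All and Group.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All' -NoWelcome

$groupNames = @{}   # group object ID -> display name cache, so each group is resolved once
function Resolve-GroupName {
    param([string]$GroupId)
    if (-not $groupNames.ContainsKey($GroupId)) {
        try   { $groupNames[$GroupId] = (Get-MgGroup -GroupId $GroupId -Property DisplayName).DisplayName }
        catch { $groupNames[$GroupId] = "<unresolved $GroupId>" }   # deleted group or no read permission
    }
    $groupNames[$GroupId]
}

$graph = 'https://graph.microsoft.com/v1.0/deviceManagement'
$report = foreach ($role in Get-MgDeviceManagementRoleDefinition -All) {
    # Assignments of this role definition. Each assignment carries the admin groups
    # (members) and the scope groups (resourceScopes): the two columns the admin
    # center shows when you open a role assignment.
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleDefinitions/$($role.Id)/roleAssignments").value
    foreach ($a in $assignments) {
        $detail = Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments/$($a.id)"
        [pscustomobject]@{
            Role        = $role.DisplayName
            BuiltIn     = $role.IsBuiltIn
            Assignment  = $detail.displayName
            AdminGroups = (@($detail.members)        | ForEach-Object { Resolve-GroupName $_ }) -join '; '
            ScopeGroups = (@($detail.resourceScopes) | ForEach-Object { Resolve-GroupName $_ }) -join '; '
        }
    }
}

$report | Sort-Object Role, Assignment | Format-Table -AutoSize

# Review aid: assignments with no scope group listed deserve a second look in the
# admin center, because the scope may be set to all users/devices instead of a group.
$report | Where-Object { -not $_.ScopeGroups } | Format-Table Role, Assignment, AdminGroups -AutoSize
```

Run it from an admin workstation after installing the SDK (Install-Module Microsoft.Graph). Keeping the output of this script from a known-good baseline lets you diff role assignments over time, which is the practical way to notice a Tier 3 helpdesk group quietly acquiring a Policy and Profile Manager assignment with a wider scope than intended.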

Endpoint Manager Roles

Let’s understand the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles, which I have given examples of in previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

The Roles node in the portal lets you assign administrators to Endpoint Manager roles and create and configure custom Endpoint Manager roles. In my testing, a user holding the Intune Policy and Profile Manager role is allowed to edit a profile:

  • even when the profile is deployed ONLY to out-of-scope users/groups;
  • because the Intune RBAC rules do not respect the scope group when a profile is being edited.

This should NOT be allowed. Editing should be permitted only for profiles assigned ONLY to users or devices within the Intune policy manager's scope (Intune policy manager = Kaith). Intune RBAC roles are still in development.

Access is denied when removing or adding assignments on a profile that is already deployed to users outside the scope, which is correct. However, when the admin deploys profiles to users within the scope, adding and removing assignments should be allowed. Instead:

  • Access is denied when removing assignments from profiles targeted to users or groups in scope. This should be allowed!

They can delete any profile, even one targeted at out-of-scope users. This should NOT be allowed! Deletion should be permitted only if the profile is assigned solely to in-scope users.

They can also enable/disable certificate authority connectors for SCEP or PFX profile deployment. Again, Intune RBAC roles are still in development.

To see the roles:

  • Log in to the MEM Admin Center (Intune).
  • Navigate to Tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2

Intune RBAC Access Rights – Application Manager

An Intune Application Manager is allowed to remove assignments of applications that are already targeted at users outside the Application Manager's scope. This should NOT be allowed; removal of an assignment should be permitted only if the application is deployed/assigned to users who are in scope.

They are also allowed to add assignments to an application even when the users being targeted are out of scope for that Application Manager. This should NOT be allowed. As with the other roles, administrators are assigned to this role, and custom roles are created and configured, from the Endpoint Manager Roles node.

Assignments should be added to an application only when the targeted users are within the scope of the Intune Application Manager.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3

Intune RBAC – Endpoint Security Manager

Let's look at the Intune RBAC Endpoint Security Manager role. As with the other built-in roles, you assign administrators to it from the Endpoint Manager Roles node, where custom Endpoint Manager roles are also created and configured.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot change Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5

Intune School Administrator

Name—School Administrator. Description—School Administrators can manage apps and settings for their groups. They can also remotely manage devices, including locking, restarting, and retiring them from management.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8

Cloud PC Administrator

Name: Cloud PC Administrator. Description: The Cloud PC Administrator has read and write access to all Cloud PC features within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9

Intune RBAC – Cloud PC Reader

Name: Cloud PC Reader. Description: The Cloud PC Reader has read access to all Cloud PC features within the blade.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10

Intune Admin Configuration Policy Manager – Intune RBAC Permission Issues

This section covers the Intune Configuration Policy Manager role and the Intune RBAC permission issues observed with it. The video below explains the details.

Intune RBAC Roles Permissions in the Intune Admin Center Portal – Video 2

Overall Access Rights of Intune Tiles

The Configuration Policy Manager is allowed to perform administrative activities in the Configure devices and Set device compliance tiles, and to view details about users and groups in the Manage users tile.

  • Access is denied to perform any activities in the Manage Apps, Conditional Access, Device Enrollment, Devices and Groups, and Access control tiles.
  • Objects in the Manage Users tile (Users and Groups) can be viewed.
  • Access is denied to create or delete groups, even for the groups in the Intune policy manager's SCOPE.
  • Access is denied to change device and user settings in the Manage users tile.
  • Access is denied to the Intune Silverlight console.

Intune Administrator Role Permissions

Let's check the Intune Administrator role permissions in the following table. Note that this is the Azure AD (Entra ID) directory role, not an Intune RBAC role: its actions are directory-level permissions, and the microsoft.intune/allEntities/allTasks action among them grants management of all aspects of Intune. Within Intune RBAC itself, the permissions that can be granted per Intune object are Read, Delete, Wipe, Assign, Create, and Update, and each role assignment has three parts:

  • Admin Groups – the users in these groups are the administrators assigned to this role
  • Scope Groups – administrators in this role assignment can target policies, applications, and remote tasks only to these Azure AD device/user groups
  • Scope tags – determine which Intune objects the administrators in this role assignment can see

Actions | Description
microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
microsoft.directory/contacts/create | Create contacts
microsoft.directory/contacts/delete | Delete contacts
microsoft.directory/contacts/basic/update | Update basic properties on contacts
microsoft.directory/devices/create | Create devices (enroll in Azure AD)
microsoft.directory/devices/delete | Delete devices from Azure AD
microsoft.directory/devices/disable | Disable devices in Azure AD
microsoft.directory/devices/enable | Enable devices in Azure AD
microsoft.directory/devices/basic/update | Update basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices
microsoft.directory/devices/registeredUsers/update | Update registered users of devices
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/update | Update basic properties on users
microsoft.directory/users/manager/update | Update manager for users
microsoft.directory/users/photo/update | Update photo of users
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365
microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 2

41 Intune Objects List

Let’s check the list of 41 Intune Objects from the Intune RBAC perspective. The list includes Android FOTA, Android for work, Audit data, etc.

  • Android FOTA
  • Android for work
  • Audit data
  • Certificate Connector
  • Chrome Enterprise (preview)
  • Cloud attached devices
  • Corporate device identifiers
  • Customization
  • Derived Credentials
  • Device compliance policies
  • Device configurations
  • Device enrollment managers
  • Endpoint Analytics
  • Endpoint protection reports
  • Enrollment programs
  • Filters
  • Intune data warehouse
  • Managed Device Cleanup Settings
  • Managed Google Play
  • Managed apps
  • Managed devices
  • Microsoft Defender ATP
  • Microsoft Store For Business
  • Microsoft Tunnel Gateway
  • Mobile Threat Defense
  • Mobile apps
  • Multi Admin Approval
  • Organization
  • Organizational Messages
  • Partner Device Management
  • Policy Sets
  • Quiet Time policies
  • Remote Help app
  • Remote assistance connectors
  • Remote tasks
  • Roles
  • Security baselines
  • Security tasks
  • Telecom expenses
  • Terms and conditions
  • Windows Enterprise Certificate


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts

Let's discuss how to fetch Intune and Azure AD details from the Graph API, and look at Intune PowerShell script samples. Microsoft Graph API is now the buzzword. How can Microsoft Graph API fetch the details from Azure Active Directory (Azure AD/AAD) and Microsoft Intune? I won't provide any Graph API scripts to fetch details in this post.

APIs have always been an alien term for me. REST APIs were everywhere; now it's Graph API. Have you ever tried the Facebook Graph API? The entire industry is taking the path of Graph API!

In one of our articles, we provide a detailed guide on using Microsoft Graph Explorer, emphasizing its utility for beginners. This tool is pivotal for understanding Graph API queries, particularly for those just starting. We walk users through the initial steps of accessing and using Graph Explorer, focusing on its simplicity and user-friendly interface.

The blog post "Configuring Intune BitLocker grace period" illustrates a real-world example of using Graph Explorer with Intune. That scenario sets up a grace period for BitLocker, a setting that was not configurable through the MEM Admin Center portal.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts

Microsoft Graph is a versatile Application Programming Interface (API) offering a unified endpoint, https://graph.microsoft.com, to access a wealth of data, intelligence, and insights across Microsoft 365 and other Microsoft Cloud services.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts - Fig.1

NOTE! – Intune PowerShell Script Samples with Microsoft Graph – https://github.com/microsoftgraph/powershell-intune-samples

In this post, I would like to help by providing basic details of the Microsoft Graph API. I will explain how to start using Graph API graphically (not programmatically) and how Graph API can be helpful for IT Pros in their day-to-day work. Microsoft Intune admins can analyze a device's or user's details from Graph API.

We can only get limited details of objects from the Azure AD portal; however, much more information can be fetched from the Graph API via a web browser. You can perform GET and the other supported operations from the Graph Explorer URL below. Remember to sign in to the tenant.

Intune Graph API Query | Sample Queries | Easiest Method | Tips | Tricks

This video guide teaches you how to use Intune Graph Query and some sample queries. It’s a beginner’s guide, so it starts with the basics. Microsoft Graph Explorer is a special tool for system admins and developers. With it, you can talk to Intune and ask it to fetch, change, or remove information.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Video 1

Microsoft Graph

Graph Explorer is one way to fetch, change, or remove data or configurations from Intune services. You can quickly sign in to the Graph Explorer portal with Intune admin credentials.

Launch Microsoft Graph Explorer - URL --> https://developer.microsoft.com/en-us/graph/graph-explorer

(The post originally used the older address https://graph.microsoft.io/en-us/graph-explorer.)
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts - Fig.2

When you sign in for the first time, you need to agree to give Graph Explorer the following permissions. Click on the Agree button to proceed.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts - Fig.3

There are two versions of the Graph API endpoint available in Graph Explorer: v1.0 and beta. I was having a hard time connecting to the Graph API, but it was okay when I wanted to retrieve my own user information.

But when I tried to fetch details for the entire tenant, I was asked to accept new admin consent, as shown in the following message:

This query requires additional permissions. If you are an administrator, you can click here to grant them for your entire organization. You can also try the same request against your tenant by creating a free Office 365 developer account.

When I tried to click on the "HERE" button to accept the consent, it gave me an odd error: "AADSTS90002: No service namespace named 'organizations' was found in the data store." Ryan and Panu helped me get rid of this error.

To accept this admin consent, you don't have to create applications manually or run any PowerShell scripts. Graph Explorer is already available in the Enterprise applications blade of the Azure console, where an admin can grant the consent.

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts - Fig.4

The following are some sample Graph API GET queries to retrieve details from Intune and Azure Active Directory (AAD). Graph API also supports three write actions: POST, PATCH, and DELETE.

  • https://graph.microsoft.com/beta/users/anp@SCZ.onmicrosoft.com/ownedDevices
  • https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
  • https://graph.microsoft.com/beta/users/
  • https://graph.microsoft.com/beta/applications

Graph API Actions
POST
PATCH
DELETE
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts – Table 1

WhatsApp is one of the applications returned by "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps." Similarly, we can retrieve a user's owned devices and device status through Graph API GET commands. Some of these details are available ONLY through Graph API, which is an excellent help for Intune admins when troubleshooting issues. The following is an extract of the deviceAppManagement/mobileApps response (response headers, status code, and the first item):

cache-control: private
content-type: application/json;odata.metadata=minimal;odata.streaming=true;
request-id: 604557b1-409b-4749-8w32d-d754844b2181
client-request-id: 6se357b1-409b-4349-864d-d754844b2181
Status Code: 200

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileApps",
  "value": [
    {
      "@odata.type": "#microsoft.graph.iosStoreApp",
      "id": "ab8a5364-887d-44e7-a6cd-9684d2f279c3",
      "displayName": "WhatsApp Messenger",
      "description": "WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone's Internet connection (4G/3G/2G/EDGE or Wi-Fi, as available) to let you message and call friends and family. Switch from SMS to WhatsApp to send and receive messages, calls, photos, videos, and Voice Messages. \n\nWHY USE WHATSAPP:  \n\n• NO FEES: WhatsApp uses your phone's
      "publisher": "WhatsApp Inc.",
      "largeIcon": null,
      "createdDateTime": "2017-01-22T06:40:24.696692Z",
      "lastModifiedDateTime": "2017-01-22T06:40:24.696692Z",
      "isFeatured": false,
      "privacyInformationUrl": null,
      "informationUrl": null,
      "owner": "",
      "developer": "",
      "notes": "",
      "uploadState": 1,
      "installSummary": null,
      "bundleId": "net.whatsapp.WhatsApp",
      "appStoreUrl": "https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4",
      "applicableDeviceType": {
        "iPad": false,
        "iPhoneAndIPod": true
      },
      "minimumSupportedOperatingSystem": {
        "v8_0": true,
        "v9_0": false,
        "v10_0": false
      }
    },
Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts - Fig.5
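Graph Explorer shows one page of results at a time, and the same is true of a raw GET: the mobileApps collection above can be longer than one page, and anything past the first page is only reachable by following @odata.nextLink. The script below is an added example (not code from the original post, and not one of the Microsoft PowerShell samples linked above) that runs the post's GET queries through the Microsoft.Graph SDK with paging handled. It assumes the Microsoft.Graph module is installed and that the signed-in admin has consented to DeviceManagementApps.Read.All and Directory.Read.All; the UPN anp@SCZ.onmicrosoft.com is the placeholder from the post's sample query and must be replaced with a real user.

```powershell
# Added example, not code from the original post: run the beta GET queries shown above
# through the Microsoft.Graph SDK, following @odata.nextLink so results beyond the
# first page are not silently dropped. Assumes the Microsoft.Graph module and an admin
# consented for DeviceManagementApps.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All', 'Directory.Read.All' -NoWelcome

function Get-GraphCollection {
    # Returns every item of a Graph collection, page by page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = [System.Collections.Generic.List[object]]::new()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($page.value) { $items.AddRange([object[]]$page.value) }
        $Uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $items
}

# 1. Every Intune mobile app, summarised by platform-specific @odata.type
#    (the sample response in the post is one '#microsoft.graph.iosStoreApp' item).
$apps = Get-GraphCollection -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
"Total apps returned across all pages: $($apps.Count)"
$apps | Group-Object '@odata.type' | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'AppType'; e = { $_.Name -replace '^#microsoft\.graph\.' } } |
    Format-Table -AutoSize

# 2. iOS store apps only, with the bundleId field seen in the sample response.
$apps | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.iosStoreApp' } |
    Select-Object displayName, publisher, bundleId, createdDateTime |
    Format-Table -AutoSize

# 3. Devices owned by one user. 'anp@SCZ.onmicrosoft.com' is the placeholder UPN
#    from the post's sample query; replace it with a real user in your tenant.
$upn = 'anp@SCZ.onmicrosoft.com'
$owned = Get-GraphCollection -Uri "https://graph.microsoft.com/beta/users/$upn/ownedDevices"
$owned | Select-Object displayName, operatingSystem, operatingSystemVersion, trustType, approximateLastSignInDateTime |
    Format-Table -AutoSize
```

The same Invoke-MgGraphRequest call with -Method PATCH, POST or DELETE and a -Body is how the write actions from Table 1 are issued; the read-only scopes requested here will not permit them, which is the right default for a troubleshooting session. Consent is requested per scope at Connect-MgGraph, so you will see the same admin-consent prompt the post describes for Graph Explorer the first time a new scope is used.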


How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

How do you organize the Endpoint Manager Portal neatly for Intune activities? The MEM portal is a one-stop shop for all the services in the Microsoft cloud. When users log in to the MEM portal for the first time, they see all of these services, which are selected as favorites by default.

The selection of favorite services in the MEM portal is not based on the user's profile or access rights. This is not good for new users of the Intune portal; they will struggle to find the services related to their role.

One of our articles helps you by showing the Intune Admin Portal walkthrough guide. It is one of the first things you have to learn. From this post, you understand what is where in the Intune admin portal (aka Microsoft Intune Admin Center).

Microsoft recently changed its brand name from MEM (Microsoft Endpoint Manager) to Microsoft Intune. For more information, refer to the Top 50 Latest Intune Interview Questions and Answers, and if you are interested, check out the Top 50 Latest SCCM Interview Questions and Answers.

How to Make Your Azure Intune Console Look Better – Video

The video guide on improving the look of your Azure Intune console is really helpful. It explains all the details step by step and provides easy-to-follow tips for making your console more visually appealing and user-friendly.

It’s an excellent resource for anyone who wants to enhance their Intune console’s visual experience and usability, whether they’re new to Intune or already using it.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Video 1

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities

For example, you are an Intune admin and can only access Intune and Azure AD users and groups. But if you log into the MEM portal, you will see loads of services that make no sense. You will also find it messy, and I’m sure you will get lost in the portal until you find the search button or Intune services.

Microsoft Azure Features
Create a resource
Home
Dashboard
All services
FAVORITES
SOL
All resources
Resource groups
App Services
Function App
SQL databases
Azure Cosmos DB
Virtual machines
Load balancers
Storage accounts
Virtual networks
Microsoft Entra ID
Monitor
Advisor
Microsoft Defender for Cloud
Cost Management + Billing
Help + support
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune – Table 1
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune - Fig.1

Don’t worry—a very friendly search option is available in the Azure portal. If you are an Intune admin, click on more services and type “Intune” in the search menu. You can see two Intune services: one for Intune (MDM) and the second for Intune App Protection (MAM without enrollment).

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune - Fig.2

To keep your Azure portal well organized, you must spend only 2-3 minutes when logging in for the first time. What do we need to do to get a neatly organized Azure portal? You log in to the Azure portal, click on the More services button, and then remove the services that are not relevant to you.

For example, Intune admins have nothing to do with “Virtual Machines,” so you can remove the Virtual machine service from your favorite menu. This will help you remove the Virtual machine shortcut from the left-side menu of the MEM portal.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune - Fig.3

END Result:- Clean and Tidy Azure portal for Intune Admins. Remove all the services from the Azure portal except Azure Active Directory, Users and Groups, Intune, and Intune protection services.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune - Fig.4


Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune

Key Takeaways

  • Dynamic device security groups automatically manage Windows devices in Microsoft Entra ID.
  • Devices are grouped based on ownership type (Personal for BYOD, Company for CYOD).
  • No manual device addition is required – membership is fully automated.
  • Device attributes are assigned automatically during Intune enrollment.

Creating an Entra ID Dynamic Device Security Group for Windows BYOD and CYOD devices using Microsoft Intune means that it automatically groups Windows devices based on how they are owned and enrolled, without adding devices manually. BYOD (Bring Your Own Device) refers to personal devices owned by users, while CYOD (Choose Your Own Device) usually means company-approved devices that are controlled by the organization.

Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune

In Microsoft Intune, when a Windows device is enrolled, Entra ID automatically assigns device attributes such as ownership type (personal or company). A dynamic device security group uses these attributes to decide which devices belong to the group.

In this grouping personal Windows devices can be automatically added to a BYOD group, and company-owned Windows devices can be added to a CYOD group. These groups are then used in Intune to assign policies, apps, or restrictions, ensuring the right settings are applied to the right type of device without manual effort.

  • You can easily create the Entra ID dynamic device security group for Windows BYOD and CYOD devices by following the steps below.
  • Sign in to the Microsoft Intune admin center. Go to Groups > All groups > New group.
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune - Fig.1

Configure Basic Details in the New Group Window

In the New group window, you need to fill in the basic information required to create the group. This includes selecting the Group type, entering a clear Group name, adding a meaningful Group description, and choosing the appropriate Membership type (such as Dynamic device).

Group Type | Group Name | Group Description | Membership type
Security | Windows BYOD and CYOD Devices | Entra ID Dynamic Device Security Group for Windows | Dynamic Device
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Table 1
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune - Fig.2

Easily Add a Dynamic Device Query

In the New Group window, select Dynamic device as the membership type. Once this is selected, the Add dynamic query option becomes available. Click Add dynamic query to define the rule that determines which devices are automatically added to the group based on their attributes.

Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.3

Create Dynamic Membership Rules

On the Configure Rule tab, add the dynamic membership expressions that define which devices belong to the group. First, set the Property to deviceOwnership, the Operator to Equals, and the Value to Company. Then add a second expression with the Property deviceOSType, the Operator Equals, and the Value Windows. Note that deviceOwnership has two values, Company and Personal, so this rule matches only company-owned (CYOD) Windows devices. For a BYOD group, use the same rule with the value Personal, and keep the two groups separate so that personal devices never receive policies meant for corporate devices.

Rule Syntax – (device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "Windows")

Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.4

Notification – Dynamic Device Group Created Successfully

After clicking the Create button, a notification appears confirming that the group Windows BYOD and CYOD Devices has been created successfully. This message indicates that the dynamic device security group is now available in Microsoft Entra ID and will start automatically adding eligible Windows devices based on the configured rules.

Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.5

Verify the Created Dynamic Device Group

After creating the group, go to Groups > All groups in the Microsoft Entra ID portal. Use the search box to find the newly created group by name. Once you open the group, you can view important details, including the group name, Object ID, group type, membership type (Dynamic device), and related information. This confirms that the group has been created correctly and is ready for use.

Name | Object ID | Group Type | Membership Type
Windows BYOD and CYOD Devices | d645274f-95e0-4212-8d9a-831d7 | Security | Dynamic
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Table 2
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.6

View Dynamic Group Details and Membership Status

After selecting the group, you can view all the important details on the group overview page. This includes the Membership type, Source, Type, Object ID, Created on date, and the option to Pause processing. These details help you confirm the group configuration and manage how dynamic membership updates are processed.

Membership type | Type | Object ID | Created on
Dynamic | Security | d645274f-95e0-4212-8d9a-831d7 | 1/29/2026, 9:29 PM
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Table 3
Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.7

View End Result and Membership Summary

In the end result, you can see other important details about the group, such as the total direct members, users, groups, and devices, along with additional membership-related information. These details help you understand how many objects are currently included in the group and confirm that the dynamic membership rule is working as expected.

Create Entra ID Dynamic Device Security Group for Windows BYOD and CYOD Devices using Microsoft Intune – Fig.8

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community  and the Whatsapp channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, careers, etc.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment

Microsoft Intune can automatically enroll company-owned (CYOD) and personal (BYOD) Windows devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.

The old classic Azure portal offers an option to set up Automatic Intune MDM enrollment for Windows 10 devices. A similar option is available in the new Azure portal, which has new names and a new look. This post explains more details about the Windows 10 Intune Auto Enrollment Process.

One of the first things you must learn is how to use the Intune Admin Portal. This post will help you understand where the Intune admin portal is, officially known as the Microsoft Intune Admin Center.

The Intune auto-enrollment option does two (2) things, as explained in the video below. It is an old video now; the path to configure auto-enrollment has changed a bit, and I have described it in the new Intune portal walkthrough video below.

First, whenever a Windows 10 device is joined to Azure AD, it will automatically enroll in Intune for MDM Management. Second, only the allowed users in the MDM user scope group can enroll devices in Intune.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Intune Portal Walkthrough | MEM Admin Center | Training

The Intune admin portal, formerly the Microsoft Endpoint Manager (MEM) admin center and now the Microsoft Intune admin center, is the central tool for managing devices and applications within an organization. IT administrators must be able to navigate this portal effectively to oversee and control their endpoints.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1

NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or for the same groups of users). The device then receives Windows Information Protection (WIP) policies (if you configure them) instead of being enrolled in MDM. Microsoft has since deprecated WIP, but the precedence rule still matters: a BYOD device that falls into both scopes does not end up under MDM management.

Windows 10 Intune Auto Enrollment Process

The MDM enrollment configuration is set in the following location in the new portal. If the MDM user scope is set to None, devices are not automatically enrolled when they join Azure AD, so they never receive Intune policies and will not behave as expected.

  • Choose Devices > Device onboarding > Enrollment > Windows in the Microsoft Intune admin center.
  • Click Automatic Enrollment.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.1

Set the MDM user scope to All, or to Some with a specific Azure AD group, according to your requirement. If it is set to None, users cannot enroll their devices into Intune management through automatic enrollment.

  • The simplest option is All in the MDM user scope, so that every user in your organization can enroll devices into Intune. Windows 10 devices then enroll automatically when the user performs an Azure AD Join.
  • To allow only a specific group of users to enroll their devices into MDM/Intune, select Some in the MDM user scope and pick the user group that should have access. Because the scope is a group, you can also add users to it gradually for a phased move to the new MDM management.
  • The same blade shows the three MDM URLs (terms of use, discovery, and compliance). For Intune they are pre-populated; they only need changing if a different MDM vendor will manage the devices.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.2

Video Windows 10 Intune Auto Enrollment Process

This is an old video recorded using the Azure portal UI. The concept is the same, but the new portal UI has different options.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1

Windows 10 Airwatch Mobileiron Auto Enrollment Process?

If AirWatch or MobileIron manages your devices, you can point these settings at that vendor's endpoints. For Intune, the portal configures all the MDM URLs automatically. The blade has three different URLs:

Setting | Description | Intune value
MDM terms of use URL | URL of the terms-of-use endpoint of the MDM service. | https://portal.manage.microsoft.com/TermsofUse.aspx
MDM discovery URL | URL of the enrollment (discovery) endpoint of the MDM service, used to enroll devices for management. The value shown is the Intune enrollment endpoint. | https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MDM compliance URL | URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliant device, they are sent to this Intune-hosted page to see why the device is considered non-compliant, and can start self-service remediation so the device becomes compliant and access is restored. | https://portal.manage.microsoft.com/?portalAction
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Table 1
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.3

So, where in the new Azure portal do you configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for the other platforms (Android, iOS, and macOS)? The Intune MDM enrollment option is under Azure Active Directory > Mobility (MDM and MAM).

  • Windows 10 Intune Auto Enrollment Process Screen capture.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.4

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

How to Restrict Personal iOS Devices from Enrolling on Intune

How can I restrict Personal iOS Devices from Enrolling in Intune? Have you already seen the new Intune options in the MEM portal? If not, I recommend watching the following video post to get an overview of the new Intune portal.

The new Intune portal allows for more granular restrictions for MDM enrollments. On-prem services like ADFS or any federated access management system don’t need tweaking.

Now we can block personal iOS devices from Intune enrollment. You set this policy in the Enroll devices node of the Intune portal; under Enrollment restrictions you will find the granular enrollment restriction policies.

Enrollment restriction policies help us restrict/block a set of devices from enrolling in Intune. This post explains how to Restrict Personal iOS Devices from Enrolling in Intune Endpoint Manager.

How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.1

How to Restrict Personal iOS Devices from Enrolling on Intune

There are two types of restrictions within enrolment restriction rules: device type and limit restrictions. Device limit restrictions are already available in the Intune Silverlight portal. In contrast, Device Type Restriction is new in the Intune Azure portal, allowing us to restrict or block specific platform devices from enrolling.

Read more – New Device Restriction Settings Available in Apple Settings Catalog

Types of Restrictions: Device Type Restrictions, Device Limit Restrictions
How to Restrict Personal iOS Devices from Enrolling on Intune – Table 1
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.2

You can block Android device enrollment from the new portal to keep Android devices out of your Intune MDM enrollment. At the time of the original post it was unclear how to allow only Android for Work devices; in the current admin center this is straightforward, because Android Enterprise (work profile) and Android device administrator are listed as separate platforms under device type restrictions, so device administrator enrollment can be blocked while work-profile enrollment stays allowed.
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.3

The device type restriction policy is very helpful when you want to keep Windows Mobile/Phone devices from enrolling in Intune while still allowing Windows devices (desktops, laptops, Surface, etc.) to enroll.

  • The most exciting feature, and a very helpful one for any organization, is restricting personal iOS devices from enrolling in Intune.
  • Corporate/company-owned iOS devices can be enrolled using the Apple DEP program.
  • In this scenario, create a device type restriction policy with the iOS platform allowed under Device Type Restrictions > Platforms. Once the iOS platform is allowed, go to Platform Configurations and BLOCK personally owned iOS devices.

For example, when you try to enroll a device in Intune, the enrollment restriction policies are checked against that device's platform and the enrolling user. Intune checks the device properties and the user's device limit against the configured restrictions and confirms that both the platform and the user are permitted to enroll. Only after this verification does Intune allow the device to enroll.

How do you restrict personal iOS devices from enrolling in Intune Endpoint Manager?

How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.4

New Intune Home Page Redesign

The redesigned Intune admin center home page is covered in the video below, along with the updated Intune admin portal journey. The dynamic home page is aimed at Intune administrators, and spotlight options highlight premium features so that key functionality is easy to reach.

How to Restrict Personal iOS Devices from Enrolling on Intune – Video 1

MEM Admin Portal

Below is a video walkthrough of the Intune admin center covering the latest updates. The Intune admin portal is one of the first things you must learn. This post explains where the Intune admin portal (aka Endpoint Manager) is. It was officially named the MEM admin center at the time and is now the Microsoft Intune admin center.

How to Restrict Personal iOS Devices from Enrolling on Intune – Video 2

Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Author

Quick Overview Comparison between Intune Azure and Silverlight Portal

Quick Overview Comparison between Intune Azure and Silverlight Portal? I’m excited to share the comparison video and post about Intune Silverlight and the new Intune in the MEM portal.

There are many new features and many perfect changes. All the new Azure tenants with a new Microsoft EMS subscription can access a preview version of Intune in the MEM portal.

Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center – HTMD Blog (anoopcnair.com).

The Intune console’s performance, look, and feel are far better than those of the Intune Silverlight console. Intune in the MEM portal helps us eliminate the duplication of work needed to create Azure AD and Intune groups.

In the new portal, we can directly deploy applications, policies, profiles, etc. to Azure Active Directory dynamic device groups and user groups. Enrollment restriction rules and RBAC for Intune admins are the other most exciting features for me within the new portal.

Microsoft recently changed the brand name from MEM (Microsoft Endpoint Manager) to Microsoft Intune. You can also refer to the Top 50 Latest Intune Interview Questions and Answers, and if you are interested, check out the Top 50 Latest SCCM Interview Questions and Answers.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.1

Video Tutorial to know Intune Silverlight Portal Experience

Video tutorial to learn about the Intune Silverlight Portal Experience. The Intune blade in the Azure portal is like a special section where you can manage many things for your devices. It’s part of the Azure portal, where you do all sorts of stuff with your cloud services.

  • This Intune blade has many new features and tools to help you manage your devices even better.
Quick Overview Comparison between Intune Azure and Silverlight Portal – Video 1

Quick Overview Comparison between Intune Azure and Silverlight Portal

Manage Apps node is where you can create apps from the Android, Apple, and Windows stores. The most exciting feature in Manage Apps is that you can directly search the Apple App Store (Yes, I think for preview, we have only the option to select the US store) and fetch the application from there.

Hence, you don’t need to specify the app’s properties. Deployments in the new MEM portal are called ASSIGNMENTS. You can directly deploy applications to AAD groups. One thing missing in the preview version of Intune is an option to upload MSI applications.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.2

The Configure Device node is in the new Azure console, where you can create configuration policies for iOS, Android for Work, Android, and Windows devices. Configuration policies in the Intune Silverlight portal have built-in generic policies for Windows, iOS, Android, etc. Similarly, the new Intune portal in Azure has built-in profiles.

We have different profile types, such as Device Restriction policies, WiFi profiles, VPN profiles, SCEP deployment profiles, and eMail profiles. Device restriction policies are the built-in configuration policies for specific device platforms.

Configuration Type: Custom
Quick Overview Comparison between Intune Azure and Silverlight Portal – Table 1
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.3

Set device compliance is the node where you can create new, improved compliance policies for all the supported devices like iOS, Android, and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policies.

Also, depending upon the device platform, separate compliance policies will be applied to different devices (even if a user is targeted to iOS, Android, and Windows compliance policies). Compliance policies are deployed via assignments in the Intune portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.4

The conditional Access node in the new Intune portal has very few options compared to Intune Silverlight conditional access options. All the device-based conditional access rules have been moved out of Intune and are now part of Azure Active Directory. Device-based conditional access policy has loads of granular options, more conditions, more control options, etc.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.5

The Enroll Devices node is where you can define enrolment restriction rules. These rules help to prevent devices from enrolling in Intune. The enrolment restriction rule comes before conditional access verification. Within enrolment restriction rules, we can have different types of restrictions, such as Device Type restrictions and Device Limit restrictions.

Device type restriction is where we can select device platforms and platform configurations. The Enroll Devices node is where you can also define/configure Windows Hello for business and check the MDM management authority, Terms and conditions, Corporate device identities, and Apple MDM push certificates.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.6

Access control is where we can define custom security permissions for administrator users. Role-based access control (RBAC) is enabled in the new Intune portal, so you can create your own customized Intune admin roles.

Once you create a security role, you assign it to a member group and a scope group. The Intune preview portal offers the following permission options: Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote tasks, Roles, Telecom Expenses, and Terms and Conditions.

Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.7

Author

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Learn how to delete devices from Azure Active Directory in the Azure portal. For effective device management, we need both the delete and the disable device options in Azure AD and Intune.

A device can be retired and deleted from the Intune console (Silverlight), and I’m sure the new MEM portal will indeed have these options.

If you are an SCCM admin, you may recall that the SCCM console has an option to delete and disable a device. However, I have seen that when you retire and delete a device from the Intune console, that device will be removed from the Intune console but will still stay in Azure AD.

Managing devices in Azure Active Directory (AAD) and the Azure portal is crucial for maintaining organizational efficiency and security. The process remains similar whether you need to remove outdated devices or restrict access for specific ones.

How to Delete Devices from Azure Active Directory

So, it’s critical to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial to help you with this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment“.

Name | Enabled/Disabled
DESKTOP-LNK7273 | Enabled
DESKTOP-213GHPA | Enabled
DESKTOP-9GTRJRV | Enabled
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Table 1
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.1

Back to delete and disable device options in the new Azure AD portal. We will first cover the disable/enable device option and then discuss the delete option. Consider a hypothetical emergency scenario where you want to disable an AAD device to prevent further damage to your organization.

To disable a device, go to the Azure portal’s All Users and Groups blade. Select All Users, pick the user, and open the Devices option from that blade. This lists the user’s devices; select one and click Disable or Enable as required.

You can review the video attached to this post for a real-time experience. There is no disable option in the Intune console, so the only way to disable a device is from the Azure AD portal.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.2

Delete Devices from Azure Active Directory

Now we come to the delete device option in the Azure portal. This is a critical option that is very helpful in keeping your Azure AD environment clean. It also helps device management admins get better results from configuration/compliance policy and application deployments. To delete a device, go to the Azure portal’s All Users and Groups blade.

Select All Users and the Devices option from that blade. This will give you a list of devices; you can choose one device and click delete.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.3

Author

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

Let’s discuss how to Exclude a Device from Azure AD Dynamic Device Group or Azure Active Directory Dynamic Group.

In my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune,” we discussed creating Azure AD Dynamic Device or User groups. Another question I usually get is, “How do you remove or Exclude a device from Azure Active Directory Dynamic Device Group?”.

I expect this could be one of the scenarios used in deploying security/configuration policies via Intune. It is a very valid scenario; you can’t avoid it in device management. If you are an experienced SCCM Admin, no explanation is needed.

Removing a single device directly from the AAD Dynamic device group is impossible. Yes, a remove button is available, but when you select a device and click on it, a confirmation popup with a YES button will appear.

Exclude a Device from Azure AD Dynamic Device Group

Clicking the YES button will give an error message stating that you can’t remove the device from the Azure AD dynamic device group: “Failed to remove member LENexus 5 from group _Android Devices.” However, this can be achieved by adding some conditions to the advance membership rule query in AAD dynamic groups.

Device Details
Member: LGENexus 5
Group: Android Devices
Membership Type: Dynamic
Member Type: Device
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Table 1
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.1

Advanced rules for AAD dynamic membership are built from binary expressions. One Azure AD dynamic query can have more than one binary expression, with each pair joined by a logical operator, either "and" or "or". You can use these operators to carve specific devices out of an AAD dynamic device or user group.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.2

Following is the advanced membership rule query I used to remove a device from the AAD dynamic device group. In this query, the operator between the two binary expressions is -and. Note that displayName is not a stable identifier: it is not unique, and the user of the device can change it, at which point the device falls back into the group and receives the policies you meant to withhold. For an exclusion that holds, compare against device.deviceId (the Entra device ID) instead.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t know the result or whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume it will work because I can see a difference in the device icon called “LGENexus 5.” That is the device that I tried to exclude using the above query.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.3

Author

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership

Key Takeaways

  • Entra ID Dynamic Membership rules automatically add devices to groups based on defined conditions.
  • The deviceOSVersion property is used to identify devices by their Windows OS build number.
  • Using the Starts With operator allows targeting a specific Windows version range (for example, 10.0.26100).
  • The rule syntax is auto-generated by Entra ID, reducing errors and simplifying configuration.
  • Devices matching the specified OS version are added to the group automatically.
  • This approach makes it easier to assign Intune policies, apps, and compliance settings to specific Windows OS versions.
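The three rules on this page (the Company/Windows rule for the CYOD group, the displayName exclusion from the previous post, and the 10.0.26100 startsWith rule described here) are easy to get wrong before they reach the portal, where a typo simply yields an empty group. The following Python script is an added example and is not part of the original post or Microsoft code: it implements a small offline evaluator for the Entra ID dynamic membership rule syntax (string operators -eq, -ne, -contains, -notContains, -startsWith and -notStartsWith, the and/or/not operators with or without the leading dash, and parentheses, with case-insensitive matching as in Entra ID) and runs the rules against a constructed device inventory. The device names reuse those shown in this page's screenshots; the OS versions, ownership values and deviceId GUIDs are made up. It also shows why excluding a device by displayName is fragile: once the device is renamed it drops back into the group, while an exclusion on device.deviceId holds.

```python
"""Offline evaluator for Entra ID dynamic membership rule syntax. Added example for this
page, not Microsoft code, and it calls no API: it parses the rule text you would paste
into the portal and evaluates it against local device records. Supports -eq -ne -contains
-notContains -startsWith -notStartsWith, and/or/not (dash optional), and parentheses."""
import re

# A token is a parenthesis, a double-quoted value, or a bare word (property or operator).
TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|-?[A-Za-z][\w.]*)')
# Entra ID string comparisons are case-insensitive; both operands arrive lowercased.
STRING_OPS = {
    "-eq": lambda a, b: a == b,
    "-ne": lambda a, b: a != b,
    "-contains": lambda a, b: b in a,
    "-notcontains": lambda a, b: b not in a,
    "-startswith": lambda a, b: a.startswith(b),
    "-notstartswith": lambda a, b: not a.startswith(b),
}

def tokenize(rule):
    rule = rule.replace("\u201c", '"').replace("\u201d", '"').strip()  # smart quotes from copy/paste
    pos, tokens = 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}: {rule[pos:pos + 15]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def evaluate(rule, device):
    """Recursive descent; precedence from lowest: or, and, not, ( ), comparison. Missing property -> ""."""
    tokens, props, pos = tokenize(rule), {k.lower(): v for k, v in device.items()}, 0
    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("rule ended unexpectedly")
        pos += 1
        return tokens[pos - 1]
    def expr():
        value = term()
        while peek() in ("or", "-or"):
            take()
            value = term() or value  # both sides are evaluated so syntax errors always surface
        return value
    def term():
        value = factor()
        while peek() in ("and", "-and"):
            take()
            value = factor() and value
        return value
    def factor():
        if peek() in ("not", "-not"):
            take()
            return not factor()
        if peek() == "(":
            take()
            value = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        return comparison()
    def comparison():  # device.<property> <operator> "<value>"
        prop, op, raw = take(), take().lower(), take()
        if not prop.lower().startswith("device.") or op not in STRING_OPS:
            raise ValueError(f"bad expression: {prop} {op}")
        if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            raise ValueError(f"value must be double-quoted: {raw!r}")
        actual = props.get(prop[len("device."):].lower())
        return STRING_OPS[op](("" if actual is None else str(actual)).lower(), raw[1:-1].lower())
    result = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {tokens[pos:]}")
    return result

def members(rule, devices):  # display names of the devices the rule would put in the group
    return [d["displayName"] for d in devices if evaluate(rule, d)]

# Constructed inventory: names from this page's screenshots; versions, ownership and GUIDs are made up.
FIELDS = ("displayName", "deviceOSType", "deviceOSVersion", "deviceOwnership", "deviceId")
DEVICES = [dict(zip(FIELDS, row)) for row in [
    ("DESKTOP-LNK7273", "Windows", "10.0.26100.2894", "Company", "11111111-1111-1111-1111-111111111111"),
    ("DESKTOP-213GHPA", "Windows", "10.0.22631.4602", "Personal", "22222222-2222-2222-2222-222222222222"),
    ("DESKTOP-9GTRJRV", "Windows", "10.0.26100.3037", "Personal", "33333333-3333-3333-3333-333333333333"),
    ("LGENexus 5", "Android", "6.0.1", "Personal", "44444444-4444-4444-4444-444444444444"),
    ("Pixel 8", "Android", "15", "Company", "55555555-5555-5555-5555-555555555555"),
]]

CYOD_RULE = '(device.deviceOwnership -eq "Company") and (device.deviceOSType -eq "Windows")'
BYOD_RULE = '(device.deviceOwnership -eq "Personal") and (device.deviceOSType -eq "Windows")'
WIN11_24H2_RULE = '(device.deviceOSVersion -startsWith "10.0.26100")'
EXCLUDE_BY_NAME_RULE = '(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")'
EXCLUDE_BY_ID_RULE = '(device.deviceOSType -eq "Android") and (device.deviceId -ne "44444444-4444-4444-4444-444444444444")'

if __name__ == "__main__":
    for label, rule in (("CYOD", CYOD_RULE), ("BYOD", BYOD_RULE), ("Win11 24H2", WIN11_24H2_RULE),
                        ("excl by name", EXCLUDE_BY_NAME_RULE), ("excl by id", EXCLUDE_BY_ID_RULE)):
        print(f"{label:13} -> {members(rule, DEVICES)}")
    fleet = [dict(d, displayName="Nexus 5 work") if d["displayName"] == "LGENexus 5" else d for d in DEVICES]
    print("after rename  -> by name", members(EXCLUDE_BY_NAME_RULE, fleet), "by id", members(EXCLUDE_BY_ID_RULE, fleet))
```

Run it as a script to print each group's membership. The same rule text, without smart quotes, can then be pasted into the Edit dynamic query box; the portal's Validate Rules tab performs the equivalent check against real device objects, but only once the group exists.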

Using a dynamic membership rule based on the Windows OS version provides better control and automation in Microsoft Intune. Devices are added to or removed from the group automatically as their OS version changes, so policies and apps are always targeted accurately. This approach reduces manual effort, helps avoid configuration mistakes, and makes it easier to test, troubleshoot, or roll out settings for specific Windows builds.


How to Create and Pause Entra ID Dynamic Groups for Device Management in Intune

You can easily create and pause Entra ID dynamic groups for device management in Microsoft Intune. First, sign in to the Intune admin center and navigate to Groups > All groups > New group. The below window helps you to show more details.

How to Manage Windows OS Version–Based Device Groups in Intune Using Entra ID Dynamic Membership – Fig.1

Create a Dynamic Device Security Group for Windows 11 24H2

In the New Group window, select Security as the group type and enter the group name as Windows 11 24H2 Device Group. Provide a clear description such as HTMD Windows 11 24H2 Device Group to identify the purpose of the group. Next, choose Dynamic device as the membership type so that devices running the specified Windows version are added automatically based on the configured dynamic membership rule.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.2

Configure the Dynamic Device Membership Rule

At the end of the New Group window, you will see the Dynamic device members section. Under this setting, an Edit dynamic query hyperlink is available. Click this link to define and add the dynamic membership rule that determines which devices are automatically included in the group based on the specified criteria.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.3

Configure the Dynamic Membership Rule

In the Configure Rules window, set the Property to deviceOSVersion, select Starts With as the operator, and enter 10.0.26100 as the value. Based on these selections, Entra ID automatically generates the rule syntax as (device.deviceOSVersion -startsWith “10.0.26100”). This rule ensures that all devices running a Windows OS version starting with this build number are automatically added to the dynamic group.

Dynamic Membership Rules   Details
Property                   deviceOSVersion
Operator                   Starts With
Value                      10.0.26100
How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Table 1
How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.4

Pause Entra ID Dynamic Group Updates

Pausing an Entra ID Dynamic Group update allows administrators to temporarily stop automatic membership changes without deleting the group or its rules. This is useful when testing new dynamic queries, troubleshooting issues, or preventing unintended device additions or removals. While the update is paused, the existing group members remain unchanged.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.5

How to Create Entra ID Dynamic Groups for Windows Device in Intune

You can easily create an Entra ID dynamic group for Windows devices in Microsoft Intune. Start by selecting Security as the group type, then provide the group name as Windows Devices and add a description such as Add all Windows devices in your Intune environment into a single group. Next, select Dynamic device as the membership type. Finally, click the Add dynamic query hyperlink to define the rule that automatically includes all Windows devices in the group.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.6

Create an Entra ID Dynamic Group Rule for Windows Devices

You can easily create an Entra ID Dynamic Group for Windows devices by adding a dynamic membership rule. Set the Property to deviceOSType, choose Equals as the operator, and enter Windows as the value. Based on these selections, Entra ID automatically generates the rule syntax as (device.deviceOSType -eq “Windows”). This rule ensures that all Windows devices are automatically added to the group, making it easier to manage and target them with Microsoft Intune policies and apps.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.7

Create an Entra ID Dynamic Group for iPhone and iPad Devices

You can easily create an Entra ID dynamic group for iPhone and iPad devices in Microsoft Intune. Start by selecting Security as the group type, then enter the group name as iPhone and iPad Devices and add a description such as Grouping iOS devices in Microsoft Intune. Next, choose Dynamic device as the membership type. Finally, select the Add dynamic query hyperlink to define the rule that automatically includes iPhone and iPad devices in the group.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.8

Create an Entra ID Dynamic Group Rule for iPhone and iPad Devices

You can easily create an Entra ID Dynamic Group for iPhone and iPad devices by adding a dynamic membership rule. Set the Property to deviceOSType, choose Equals as the operator, and use iPhone and iPad as the values. Based on these selections, Entra ID automatically generates the rule syntax as (device.deviceOSType -eq “iPhone”) or (device.deviceOSType -eq “iPad”). This rule ensures that all iPhone and iPad devices are automatically added to the group, making it easier to manage and target iOS devices with Microsoft Intune policies and apps.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.9

Create an Entra ID Dynamic Group for Android Devices

You can easily create an Entra ID dynamic group for Android devices in Microsoft Intune. Start by selecting Security as the group type, then enter the group name as Android Devices and add a description such as Group all Android devices in Intune. Next, select Dynamic device as the membership type. Finally, click the Add dynamic query hyperlink to define the rule that automatically includes all Android devices in the group.

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.10

Create an Entra ID Dynamic Group Rule for Android Devices

You can create an Entra ID Dynamic Group rule for Android devices by configuring a dynamic membership query based on the device operating system type. Set the Property to deviceOSType, choose Equals as the operator, and enter Android as the value. Entra ID automatically generates the rule syntax as (device.deviceOSType -eq “Android”), ensuring that all Android devices are automatically added to the group.
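The rules above (the Starts With rule on deviceOSVersion for the Windows 11 24H2 group, and the deviceOSType rules for the Windows, iPhone/iPad and Android groups) are evaluated by Entra ID in the cloud, which makes a wrong rule expensive to discover. The following is an added example, not code from the HTMD post: a small local model of the rule syntax that runs the four rules against constructed device records, so the membership logic can be sanity-checked before a group is created or un-paused. The device records, group names as dictionary keys, and the case-insensitive string comparison are my assumptions; only -eq, -startsWith and a single "or"/"and" join are handled.

```powershell
# Added example, not from the HTMD post: a local model of the Entra ID dynamic
# membership rules shown above, run against constructed device records so the
# rule logic can be checked before a group is created or un-paused.
# Supports the operators the post uses (-eq, -startsWith) and "or"/"and" joins.

function Test-DynamicRule {
    param(
        [Parameter(Mandatory)] [string]    $Rule,
        [Parameter(Mandatory)] [hashtable] $Device
    )
    # One clause per parenthesised term: (device.<property> -<operator> "<value>")
    # Straight or typographic quotes are accepted, since blog rendering often curls them.
    $clausePattern = '\(\s*device\.(\w+)\s+-(\w+)\s+[“”"]([^“”"]*)[“”"]\s*\)'
    $clauses = [regex]::Matches($Rule, $clausePattern)
    if ($clauses.Count -eq 0) { throw "Unsupported rule syntax: $Rule" }

    $results = foreach ($c in $clauses) {
        $prop   = $c.Groups[1].Value
        $op     = $c.Groups[2].Value.ToLowerInvariant()
        $value  = $c.Groups[3].Value
        $actual = [string]$Device[$prop]          # a missing property evaluates as an empty string
        switch ($op) {
            'eq'         { $actual -eq $value }    # case-insensitive here (assumption; verify against the Entra docs for the live rule)
            'startswith' { $actual.StartsWith($value, [System.StringComparison]::OrdinalIgnoreCase) }
            default      { throw "Operator -$op is not handled by this example" }
        }
    }
    # Clauses joined with "and" must all match; the post's multi-clause rule uses "or" (any match).
    if ($Rule -match '\)\s+and\s+\(') { return -not (@($results) -contains $false) }
    return (@($results) -contains $true)
}

# Constructed sample devices (not real tenant data), formatted like the values the post targets
$devices = @(
    @{ displayName = 'LAPTOP-01'; deviceOSType = 'Windows'; deviceOSVersion = '10.0.26100.2894' }  # 24H2
    @{ displayName = 'LAPTOP-02'; deviceOSType = 'Windows'; deviceOSVersion = '10.0.22631.4602' }  # 23H2
    @{ displayName = 'IPHONE-01'; deviceOSType = 'iPhone';  deviceOSVersion = '18.1' }
    @{ displayName = 'TABLET-01'; deviceOSType = 'iPad';    deviceOSVersion = '18.1' }
    @{ displayName = 'PIXEL-01';  deviceOSType = 'Android'; deviceOSVersion = '15' }
)

# The four rules from the post, keyed by the group names it uses
$rules = [ordered]@{
    'Windows 11 24H2 Device Group' = '(device.deviceOSVersion -startsWith "10.0.26100")'
    'Windows Devices'              = '(device.deviceOSType -eq "Windows")'
    'iPhone and iPad Devices'      = '(device.deviceOSType -eq "iPhone") or (device.deviceOSType -eq "iPad")'
    'Android Devices'              = '(device.deviceOSType -eq "Android")'
}

foreach ($group in $rules.Keys) {
    $members = $devices | Where-Object { Test-DynamicRule -Rule $rules[$group] -Device $_ } |
        ForEach-Object { $_.displayName }
    '{0,-30} -> {1}' -f $group, ($members -join ', ')
}
```

With these constructed devices only LAPTOP-01 lands in the 24H2 group, both laptops in Windows Devices, the iPhone and iPad in the iOS group and the Pixel in the Android group. The model is deliberately strict: any operator other than the two the post uses throws rather than silently returning false, so an unsupported rule is noticed instead of producing an empty group.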

How to Manage Windows OS Version-Based Device Groups in Intune using Entra ID Dynamic Membership – Fig.11


Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.


How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager? A Clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. Rather you should have regular sanity checks for your environment to ensure that you don’t have duplicate copies of policies and applications.

Moreover, you should avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and could result in unexpected results.

We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether, when you remove a device from SCCM, that device record is automatically removed from on-prem Active Directory or not.

Introduction – How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune

The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility, and this should be handled separately by on-prem Active Directory.

So how are these operations handled in the modern device management world in terms of Intune SA (or SCCM Hybrid) and Azure Active Directory? In most cases, I have not seen that when you retire and delete a device from Intune, that device record will automatically get purged from Azure Active Directory (AAD).

  • To have better results for your Compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with clean Azure AD.
  • You can get a better understanding of this issue from the above video tutorial.
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.1

How to Delete Clean Tidy Intune Azure Active Directory?

In the above example, the Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check the devices assigned against my account, you can see there are a total of 3 devices, and all 3 devices are shown as managed by Intune.

This is not accurate data reflected in Azure Active Directory. I’m not saying this scenario happens every time; I’ve seen some devices automatically get removed from Intune and AAD.

I suppose we should have better accuracy/sync between the Intune and Azure AD databases. I don’t see a scheduled task in Azure AD to purge the records deleted from Microsoft Intune. I’m not sure whether this is coming in the near future or not.

To ensure better results for Intune device management policies, when you delete a device from Intune, you should make sure that the device record is removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to have a clean and tidy environment.

Name              Enabled/Disabled  Platform            Trust Type  Is Compliant  Managed by
DESKTOP-LNK7273   Disabled          Windows 10.0.1439   AzureAd     True          Intune
DESKTOP-213GHPA   Enabled           Windows 10.0.1439   AzureAd     True          Intune
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Table 1
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.2
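The mismatch described above (Azure AD lists more Intune-managed devices for a user than Intune itself knows about) can be found across the whole tenant rather than one user at a time. The following is an added example, not code from the HTMD post: a read-only Microsoft Graph PowerShell report of Entra ID device records flagged as managed that have no matching Intune managed-device record. It assumes the Microsoft.Graph SDK (v2, for -NoWelcome) is installed, that Intune's AzureAdDeviceId is the join key to the Entra device's DeviceId, and that the 90-day stale threshold is a local policy choice; it deletes nothing, so the output can be reviewed before any clean-up.

```powershell
# Added example, not from the HTMD post: a read-only report of Entra ID device
# records that are flagged as managed but have no matching Intune managed-device
# record, which is the Intune/Azure AD mismatch the post describes.
# Needs the Microsoft.Graph PowerShell SDK (v2); nothing here deletes anything.
Import-Module Microsoft.Graph.Identity.DirectoryManagement   # Get-MgDevice
Import-Module Microsoft.Graph.DeviceManagement               # Get-MgDeviceManagementManagedDevice

function Get-OrphanedEntraDevice {
    param([int] $StaleDays = 90)   # records with no sign-in for this long are flagged as clean-up candidates

    # Read-only scopes only
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

    # Intune's view: AzureAdDeviceId is the Entra device's DeviceId, which is the join key (assumption)
    $intuneByEntraId = @{}
    Get-MgDeviceManagementManagedDevice -All -Property Id, DeviceName, AzureAdDeviceId | ForEach-Object {
        if ($_.AzureAdDeviceId) { $intuneByEntraId[$_.AzureAdDeviceId] = $_.DeviceName }
    }

    # Entra's view: anything marked IsManaged that Intune does not know about
    Get-MgDevice -All -Property Id, DeviceId, DisplayName, IsManaged, IsCompliant, ManagementType,
                               OperatingSystem, OperatingSystemVersion, ApproximateLastSignInDateTime |
        Where-Object { $_.IsManaged -and $_.DeviceId -and -not $intuneByEntraId.ContainsKey($_.DeviceId) } |
        ForEach-Object {
            $lastSeen = $_.ApproximateLastSignInDateTime
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                OS             = "$($_.OperatingSystem) $($_.OperatingSystemVersion)"
                ManagementType = $_.ManagementType
                IsCompliant    = $_.IsCompliant
                LastSignIn     = $lastSeen
                Stale          = ($null -eq $lastSeen) -or ($lastSeen -lt (Get-Date).AddDays(-$StaleDays))
                EntraObjectId  = $_.Id
            }
        }
}

# Oldest sign-ins first: these are the records most likely to be leftovers from a retired device
Get-OrphanedEntraDevice -StaleDays 90 | Sort-Object LastSignIn | Format-Table -AutoSize
```

A record that is orphaned but not stale deserves a second look before removal: it may be a device mid-re-enrolment, or one managed by co-management that Intune reports under a different object. Keeping the Stale flag separate from the orphan test is what lets the report distinguish the two.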

Resources

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Validate Azure AD Dynamic Group Rules | Intune


How to Troubleshoot Windows 11 10 Intune MDM Issues

This blog post teaches you how to Troubleshoot Windows 11 10 Intune MDM Issues. There are several options to troubleshoot, and some of them are explained here.

Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is Windows 10 MDM Troubleshooting Guide.

There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I will share the 3 easy ways to start MDM troubleshooting. Yes, it’s different from the SCCM/ConfigMgr client’s way of troubleshooting, as there are no log files for the MDM client.

The MDM client is built into the Windows 10 operating system, and event logs are the best place to troubleshoot Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and other IT Pros to understand and start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.

[Related Posts – How to Start Troubleshooting Intune Issues]


Understand Windows 10 MDM Architecture

For example, if an Intune policy is deployed to a Windows 10 machine but is not getting applied, how do we start troubleshooting? First, we need to understand Windows 10 management architecture.

The following is the high-level architecture diagram for Windows 10 management. If we know this high-level architecture, troubleshooting Windows 10 MDM issues will be easy. This post will help us as a Windows 10 MDM Troubleshooting Guide.

How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.1

Video Tutorial – Windows 10 MDM Troubleshooting Guide

Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros! This video teaches you how to fix problems with Windows 10 MDM (Mobile Device Management) using the registry, WMI (Windows Management Instrumentation), and Event Logs.

It breaks down troubleshooting into simple steps, showing you how to identify and solve issues with your device management. You can learn to resolve common problems efficiently by following along with the video.

How to Troubleshoot Windows 11 10 Intune MDM Issues – Video 1

Troubleshoot with Windows 10 Event Logs

Event Logs: Microsoft > Windows > DeviceManagement > Enterprise-Diagnostics-Provider/Admin

Event logs on Windows 10 machines are the best place to start troubleshooting MDM-related issues. As you can see in the screen capture below, you can see where to go in the event logs (Microsoft > Windows > DeviceManagement > Enterprise-Diagnostics-Provider/Admin) to find the details of MDM and Device Management related issues. When the machine is Workplace Joined or AAD joined, all the events related to Intune/SCCM policies are recorded in “this” event log section.

AAD event logs are also very useful for Windows 10 MDM issues, and you can check the following location for AAD-related event logs: “Microsoft-Windows-AAD/Operational”. Event logs are an integral part of the Windows 10 MDM Troubleshooting Guide.

The event logs are the best way to troubleshoot Windows 10 MDM issues. You will get the detailed status of Intune or SCCM hybrid policies from event logs. Each entry in those event logs will tell you whether or not the deployed policies are reached and applied on that machine. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 settings – connect to the work or school page.
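Reading the two logs named above in Event Viewer works for one device, but the same channels can be queried from PowerShell to get a quick triage view. The following is an added example, not code from the HTMD post: it pulls recent events from the Enterprise-Diagnostics-Provider/Admin and AAD/Operational logs with Get-WinEvent, then groups warnings and errors by event ID so the most frequent failure stands out. The function name, the time windows and the use of the first message line as a summary are my choices; run it in an elevated PowerShell on the enrolled device.

```powershell
# Added example, not from the HTMD post: query the two event logs the post names
# for recent MDM and Entra ID (AAD) events and summarise the failing event IDs.
# Run from an elevated PowerShell on the enrolled Windows device.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$aadLog = 'Microsoft-Windows-AAD/Operational'

function Get-MdmTroubleshootingEvent {
    param(
        [int]    $Hours = 24,
        [switch] $ErrorsOnly
    )
    $since  = (Get-Date).AddHours(-$Hours)
    # Levels: 1 Critical, 2 Error, 3 Warning, 4 Information
    $levels = if ($ErrorsOnly) { 1, 2, 3 } else { 1, 2, 3, 4 }
    foreach ($log in @($mdmLog, $aadLog)) {
        try {
            Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Level = $levels } -ErrorAction Stop |
                Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                              @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; surface it as a warning and continue
            Write-Warning "No matching events in '$log' since $since ($($_.Exception.Message))"
        }
    }
}

# Triage view: which warning/error IDs occur most often in the last three days
Get-MdmTroubleshootingEvent -Hours 72 -ErrorsOnly |
    Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail view: everything from the last day, newest first, with the first line of each message
Get-MdmTroubleshootingEvent -Hours 24 |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Id, LevelDisplayName, Summary -AutoSize -Wrap
```

The Admin channel is what the post points at and is enabled by default; the provider also has a Debug channel that is off by default and is worth enabling only for a reproduction, since it is verbose. Filtering in the hashtable (rather than piping everything through Where-Object) keeps the query fast on devices that have been enrolled for months.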

How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.2

Troubleshoot Windows 10 with WMI Explorer

WMI Explorer way of checking whether the policy settings are applied or not:

WMI Explorer is the best tool to check the MDM policies and confirm whether those settings are applied on the Windows 10 system or not. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.

I have deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting, the best place to begin with is event logs.

We can also check this via WBEMTEST, but we may need to start WBEMTEST from the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.
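WMI Explorer and WBEMTEST are interactive; the same MDM Bridge WMI provider can be read from PowerShell, which is easier to repeat across devices. The following is an added example, not code from the HTMD post: it enumerates the MDM_Policy_Result01_* classes in root\cimv2\mdm\dmmap and flattens each instance into setting/value rows, so the Defender policy the post deployed from Intune can be confirmed. The class-naming convention (MDM_Policy_Result01_<Area>02) and the function name are assumptions on my part; as the post notes for WBEMTEST, this namespace answers only from the SYSTEM context.

```powershell
# Added example, not from the HTMD post: read applied MDM policy values through the
# MDM Bridge WMI provider (namespace root\cimv2\mdm\dmmap) instead of WMI Explorer.
# As the post says for WBEMTEST, this namespace only answers from the SYSTEM context,
# so run it under SYSTEM (for example: psexec -s -i powershell.exe), not a normal admin shell.
$mdmNamespace = 'root\cimv2\mdm\dmmap'

function Get-MdmPolicyResult {
    param(
        # Policy CSP area, e.g. Defender, Update, Bitlocker. Assumption: the bridge
        # provider names its result classes MDM_Policy_Result01_<Area>02.
        [string] $Area = '*'
    )
    # Result01 classes show what is in effect on the device; Config01 classes show what was set
    Get-CimClass -Namespace $mdmNamespace -ClassName "MDM_Policy_Result01_${Area}02" | ForEach-Object {
        $className = $_.CimClassName
        Get-CimInstance -Namespace $mdmNamespace -ClassName $className -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($p in $_.CimInstanceProperties) {
                # InstanceID/ParentID are the CSP path keys, not policy values
                if ($p.Name -in @('InstanceID', 'ParentID')) { continue }
                [pscustomobject]@{ Class = $className; Setting = $p.Name; Value = $p.Value }
            }
        }
    }
}

# Confirm the Defender policies the post deployed from Intune landed on this device
Get-MdmPolicyResult -Area 'Defender' | Format-Table -AutoSize

# Every applied policy area, as a count of settings per CSP class
Get-MdmPolicyResult | Group-Object Class | Select-Object Count, Name | Sort-Object Name
```

Unset policies come back with a null Value, which is itself useful: a policy that Intune reports as delivered but that shows null here has not reached the CSP, which points the investigation back at the event log rather than at the policy content.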


Registry way of Checking Windows 10 MDM Policy Settings

Troubleshoot Windows 10 with Registry Entries

The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is the registry. The registry location where you can find MDM policy settings on a Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers.

In the screen capture below, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is that we need to find a way to decode each provider GUID (CLSID key?) related to MDM policies. The following are some extracts from my Windows 10 machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Display

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi

Steps
  • System > Power Management > Button Settings
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Select the Start menu Power button action (plugged in)
  • Enabled – Select the Start menu Power button action (on battery).
How to Troubleshoot Windows 11 10 Intune MDM Issues – Table 1
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.3
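The caveat above, decoding which provider GUID belongs to which MDM source, can be scripted rather than done by hand in Registry Editor. The following is an added example, not code from the HTMD post: it walks HKLM\SOFTWARE\Microsoft\PolicyManager\Providers, lists the policy areas and settings stored under each GUID, and looks the GUID up under HKLM\SOFTWARE\Microsoft\Enrollments to label it. The assumption that a provider GUID equals an enrollment ID (with ProviderID and UPN values on the enrollment key, and "MS DM Server" being Intune) comes from my own tenants, not from the post, as do the value-name suffixes treated as bookkeeping and the function name.

```powershell
# Added example, not from the HTMD post: enumerate the provider GUIDs under
# HKLM\SOFTWARE\Microsoft\PolicyManager\Providers (the decoding the post calls a caveat)
# and list the policy areas and settings stored under each one.
# Assumption: a provider GUID is the enrollment ID, so the matching key under
# HKLM\SOFTWARE\Microsoft\Enrollments (ProviderID, UPN) says which MDM server wrote it.
$providersKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers'
$enrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmPolicyProviderReport {
    foreach ($prov in Get-ChildItem -Path $providersKey -ErrorAction Stop) {
        $guid   = $prov.PSChildName
        $enroll = Get-ItemProperty -Path (Join-Path $enrollmentsKey $guid) -ErrorAction SilentlyContinue

        # Policies live under <GUID>\default\<Device|User>\<Area> as values named after the setting;
        # *_LastWrite, *_ProviderSet and *_WinningProvider are bookkeeping values, not policies (assumption).
        $defaultName = "$($prov.Name)\default"
        $settings = foreach ($areaKey in Get-ChildItem -Path "Registry::$defaultName" -Recurse -ErrorAction SilentlyContinue) {
            $area = $areaKey.Name.Substring($defaultName.Length).TrimStart('\')
            foreach ($valueName in $areaKey.GetValueNames()) {
                if ($valueName -match '_(LastWrite|ProviderSet|WinningProvider)$') { continue }
                [pscustomobject]@{
                    Provider = $guid
                    Area     = $area
                    Setting  = $valueName
                    Value    = $areaKey.GetValue($valueName)
                }
            }
        }

        [pscustomobject]@{
            ProviderGuid = $guid
            ProviderID   = $enroll.ProviderID    # 'MS DM Server' for Intune in my tenants (assumption)
            UPN          = $enroll.UPN
            SettingCount = @($settings).Count
            Settings     = @($settings)
        }
    }
}

$report = Get-MdmPolicyProviderReport
$report | Select-Object ProviderGuid, ProviderID, UPN, SettingCount | Format-Table -AutoSize

# Drill into the Defender settings the post verified via the registry screenshot
$report.Settings | Where-Object { $_.Area -like '*\Defender' } |
    Format-Table Provider, Area, Setting, Value -AutoSize
```

A provider GUID with settings but no matching enrollment key is worth noting: it is usually left over from an earlier enrollment, and its values can still win over the current provider for a given setting. The built-in MdmDiagnosticsTool.exe (for example MdmDiagnosticsTool.exe -out C:\Temp\MdmDiag) writes the MDMDiagReport.html the next section mentions, which shows the same enrollment IDs alongside the CSP policy tree.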

Troubleshoot Windows 10 with MDMDiagReport

These GUIDs can be found in the MDMDiagReport.xml file, and this XML can be decoded into the HTML file MDMDiagReport.html using the tool.

How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.4


Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

Let’s discuss the Intune Starter Kit, a Helping Hand for IT pros who want to learn Intune. Loads of people requested a starter kit for Intune, as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was handy for the community (I think that is why people are requesting the Intune Starter Kit).

This post will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM). In most cases, there is no need/very minimal need for on-prem infrastructure if you go with Intune standalone and all the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just starting 😉

I started working with Intune in the latter part of 2012, and Microsoft Intune has evolved a lot over the years. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links are outdated, but it’s worth going through if you want to see how Intune was).

We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

What is Microsoft Intune? – Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

Intune is Microsoft’s enterprise mobility management (EMM) solution. The EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune combines Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.

Additionally, Intune has features where admins can create a “Conditional Access” policy to control access to company resources. Intune will provide access to company or corporate resources (corporate mail, SharePoint, etc.) only if the devices meet those conditions.

Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to make it so simple this time. Intune architecture is entirely cloud-based and agile.  To get a more detailed idea about Intune (Yes, this video is old and outdated in some parts as Intune evolved along with Microsoft’s Enterprise Mobility and Security (EMS).

Read more – What is Microsoft Intune?

Management Options using Intune?

I’m going to explain this in a slightly different way. Let me know if this is confusing. We can manage devices with an Intune client agent and arguably without one. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents.

So, when you install the Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, the Microsoft Intune client MSI can be downloaded once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.

I have an old post (published in Dec 2012) here to help you understand the basics of Intune MSI agent installation. Once you install the Intune MSI agent on Windows machines, Intune will “fully manage” those machines.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.1

So, what is arguably agent-less Intune management? Within Windows 10, we have an in-built (native) MDM agent as part of the operating system. We can enrol Windows 10 devices in Intune using this in-built (native) MDM agent. In this scenario, we must use the Intune company portal to install applications, like a shopping cart.

So, the Intune company portal does not act as an Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point). I’m sure this will change sooner or later. The Windows 10 in-built MDM agent can enrol your Windows 10 devices in any other MDM management software, such as VMware Airwatch, Mobileiron, etc.

  • Enrolled via the Intune company portal.
  • Enrolled via Installation of Intune MSI client.
  • Enrolled via Windows 10 1607 and above in-built Azure AD join and MDM enrolment.
  • MAM without MDM enrolment.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.2

How Do you Get an Intune Account and Start Working/Testing with Intune?

Download the Microsoft EMS step-by-step guide from here. This guide will help you get a free trial version of Office 365, Azure AD, and Intune subscription. If you already have an Azure AD (Azure AD premium) subscription, things are straightforward, as I posted in the blog here.

Suppose you don’t have an Azure AD subscription. It is better to start with an Enterprise Mobility Suite (EMS) trial account, an Azure Free Trial Account (an Azure trial account is already created as an EMS trial account), and an Office 365 free trial subscription. To get these trial accounts, it is better to create a NEW outlook.com account and have credit card details ready to activate the Azure trial subscription.

Getting a trial version of Azure AD, Office 365, and Intune is very straightforward if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test all its features.

Note: Intune can also be signed up separately from here. If you want to test only Intune now, this is the way to go.

How to Start using Microsoft Intune Console

Once you have completed the subscription steps, you can log in to the Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is necessary for the Intune console to work). Internet Explorer with the Silverlight plugin is the best internet browser for the Intune console.

However, the Intune console will work on any internet browser that can add Silverlight as a plugin. It might even work without the Silverlight plugin, and I would love to see this soon.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.3

How Do you Select the MDM Authority from the Intune Console?

MDM authority and management options are significant to me. Please note that you won’t be able to change it once you set MDM (Mobile Device Management) authority to Intune in the following place at the Intune console.

To change Intune MDM authority, you must raise a ticket with CSS or a service request via the Intune/Office 365 portal. So be very careful when you click on any links on the following page at the Intune console.

What Types of Management Authority Do We have for Intune?
  • Microsoft Intune
  • Configuration Manager (SCCM)
  • Office 365 (lightweight Intune)
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Table 1

Quick question: Do I need to re-enrol devices if the MDM authority is changed from o365 MDM to Intune MDM? It works without re-enrolment of devices; it is just a compliance check, and everything looks okay on the device. I heard it’s supported, as both use Intune for MDM.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.4

How to Start Managing Windows/iOS /Android Devices with Intune?

Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier, we needed side loading and key SEP certificates to manage/deploy apps for Windows and Windows Phone devices.

Most of these certificate and sideloading requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It takes 10 minutes to sync your Windows Store for Business and Microsoft Intune. More details are provided in the post “Integrate Windows Store for Business” here.

If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.

However, iOS\MAC OS device management has certificate requirements, and we need to go to the Apple portal, upload your cert for the tenant, and get the certificate for your Intune tenant.

The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details are in the Microsoft document specifically for Intune here.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Video 1

How Do I Deploy MSI Applications to Windows PCs using Intune?

Like SCCM, Intune can also deploy different applications to other devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, and APPX—APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or applications available to devices via three methods.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.5
  1. Software Installer – select the type of software you want to install
  2. External Link – this can be used for deploying applications in the Google Store via deep linking
  3. Managed iOS apps from the App Store – this can be used to deploy apps in the Apple Store via the deep-linking method

The following post, “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1,” will help you understand the application deployment process using Intune.

Creating policies in Intune is another crucial step in configuring and managing devices through Intune. The following is the list of policies you can create and deploy via Intune.

  • Configuration Policies
  • Compliance Policies
  • Dynamics CRM Online Conditional Access Policy
  • Exchange Online Conditional Access Policy
  • Exchange On-premises Conditional Access Policy
  • SharePoint Online Conditional Access Policy
  • Skype for Business Online Conditional Access Policy
  • MAM Application Policy
  • MAM Browser Policy

What is the difference between an Intune Configuration policy and an Intune Compliance policy? In some cases you can see similar settings in both compliance and configuration policies, so what is the exact difference? Compliance policies work together with conditional access policies, whereas configuration policies are independent of conditional access. Compliance policies can be deployed ONLY to USERS, whereas configuration policies can be deployed to both devices and users.

The following video explains how to create and deploy Intune compliance policies from the console.

A compliance policy won’t force the device to change its configuration; rather, it waits until the device reaches the compliant state before access to company resources like mail/SharePoint is granted (in case a conditional access policy is set). A configuration policy forces the device or user to apply the configuration settings mentioned in the policy (which is arguably not true in all scenarios).

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Video 2

What are MAM (Mobile Application Management) Policies?

Mobile Application Management policies are application-specific policies you can set up via Intune. What is the difference between configuration, compliance, and MAM policies? Configuration and compliance policies are for the entire device; they apply to everything on the device. MAM policies apply only to the applications with which they are associated.

The following post, “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune,” will guide you through deploying MAM policies to iOS or Android devices.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.6

What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?

This is another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? MAM-WE policies are Mobile Application Management policies applied without enrolling the device in Intune. They help secure corporate data on BYOD/personal devices that are used to access corporate mail, SharePoint, etc.

Why is the Intune option visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time, it’s Intune MAM (Mobile Application Management) without MDM enrolment.

For complete mobile device management, we must use the original Intune portal (https://manage.microsoft.com). Forums and other communities regularly asked whether Intune could coexist with MDM products like Airwatch or Mobile Iron.

How Do You Manually Add Users to the Intune Console?

How do you add users to the Intune console and grant them permissions in the Intune console? Will this step still be needed once the Intune Silverlight console is migrated to the Azure portal?

Before you try to grant service administrator access to users in Intune (the Intune Silverlight console offers only limited roles: Full Access, Read-Only access, or Helpdesk – Group Node access), make sure the administrator or service administrator user is already present in the Intune administrator console. More info here.


Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and leader of the HTMD Community local user group. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.