Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM

Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM? Android for work is always an exciting topic for me. I’m a fanboy of android devices 🙂 I started testing Intune + SCCM MDM management with Android devices back in 2014, you can refer to that post here. I was eagerly waiting for “Android for Work” support with Intune.

A few months back, Microsoft announced Intune’s supportability for Android for Work (A4W). Since then I was waiting for an A4W supported device 😉 Yes, that means all the android devices are not supported by A4W. Here is the list of A4W supported devices from Google.

Latest Post How to Configure Intune Enrollment Setup for Android Enterprise Device management

Video

A more detailed explanation is in the above video or you can click here

Beginners Guide Intune Android for Work Google Play for Work Setup

In this post, I will try to cover the prerequisites of Android for Work, Intune portal admin configurations, Add Google play apps to Google for Work, Android for Work Device enrollment, Work profile creation, and Removal of Android for the work profile.

First of all, you need to create a baseline of Android devices which you want to support in your environment. Following are some of the points which we need to take care of as part of the Android for Work implementation:-

Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM

Preparation Work – Android for Work Admin configurations:

  • Devices with Android 5.0 Lollipop and later will only have work profile and Android for work support as per Google. This is nothing to do with Microsoft and Intune.
  • Some of the Android for Work settings are available only for Android 6.0 and later.
  • It’s important to understand Android for Work does NOT support all android devices in the market- a list of supported devices -is here.
  • Bind your Intune and Google for Work account from the Silverlight Intune portal. Because Azure Intune blade is not enlightened with this feature yet.
  • Create a Google account or use an existing account to sign up for Android for Work with the EMM provider. More details here
  • Add applications from Google Play to Google for Work store and then sync these apps to Intune. You can click on the Sync button in Intune console to initiate a new sync between Intune and Google store for work.
  • Sync the apps from Intune console – Admin > Mobile Device Management > Android for Work. After Sync the apps will be visible under – Intune console – Apps – Volume Purchased app
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
  • I recommend using the following option after the pilot testing in your production environment. Enable the option “Manage supported devices as Android for Work – (Enabled) All devices that support Android for Work are enrolled as Android for Work devices. Any Android device that does not support Android for Work is enrolled as a conventional Android device”.
  • The only caveat is that we don’t have the option to restrict the devices which are NOT supported by Android for Work from enrolling into Intune. Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?

Notes from the Field – Android for Work security policies:-

  • As an initial release Intune out of the box “Security and Work profile policies are very limited for A4W”. I suppose you have to use the combination of A4W and Android policies together to support Android devices in your organization.
  • OMA URI custom policies are supported with A4W. However, only a few options are supported by custom policies along with Intune. I know only 2 policies that are supported by this feature and those are WiFi and VPN profiles. More details here.
  • To upload LOB apps to Google Store for Work – we need to have access to the developer console $25 – https://play.google.com/apps/publish/signup/

Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?

Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM
Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM

End-User Experience – Android for Work:-

  • Enrollment of Android for work devices is straightforward as the normal Android device enrollment for the first part of it. The second part is more towards, logging into Intune company portal from the Android for Work context and continuing the process of enrollment.
  • Work profile on Android devices will get created via Intune company portal enrollment. This will happen only for Android for Work supported devices. If you have a device that is not supported for Android for Work by Google then the enrollment won’t create a work profile etc… it will be normal enrollment.

How to enroll devices to Android for Work
How to sync Google play for Work app store with Intune
How to create a work profile for Android devices
How to complete configuration task to support Android for Work with Intune

Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM?

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune RBAC Roles Permissions in the Intune Admin Center Portal

Intune RBAC roles and permissions in Intune Admin Center Portal are explained in this post. We will discuss the access rights of the built-in Intune RBAC role called Configuration policy manager.

Ideally, this role should have access to Manage and deploy configuration settings and profiles depending on the scope. Before going into details, let me explain, what is the scope.

Intune RBAC (Role-Based Access Controls) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by providing them with limited access to specific resources. “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, then the SCOPE option is already there in SCCM 2012 and CB console.

Granular control to delegate the permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos). Limit assigned permissions of Intune admins to specific user or device groups. Control/Manage the view permissions of Intune objects using RBAC.

Intune RBAC Strategic options – Video

In this video, we will explain Intune RBAC Strategic Options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.

Intune RBAC Strategic options – Intune RBAC Roles Permissions in the Intune Admin Center Portal

What is Intune RBAC?

RBAC helps Intune Admins to control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The list of Intune RBAC built-in roles is updated in the table.

In this post, I will try to explain the access right of Intune’s default role called Configuration Policy Manager. I have created a user name Kaith in Azure Active Directory. This user is assigned to Configuration policy manager access and the scope is set to the group “All Bangalore Users”.

Intune configuration policy manager can access Assign, Create, Delete, Read, and Update profiles. However, we will go into deep dive to understand more details about the access rights for this role.

Configuration Policy Manager – Permissions:-
Assign Device settings to AAD security groups
Create Device Settings
Delete Device Settings
Read Device Settings
Update Device Settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1

Intune RBAC – Tired Hierarchy

Azure AD is the primary identity repository for Intune! The Intune Full Admin permissions – Azure AD.

  • Global Admin Role (Tier 1)
  • Intune Service Admin Role (Tier 2)
  • Intune RBAC Permissions – Intune Portal
  • Tier 3 Roles – App Admin, Helpdesk Admin, etc…

Updated Built-In Inutune RBAC Roles

Let’s check the built-in Intune RABC roles (endpoint manager roles) available in the MEM admin center portal.

Application ManagerBuilt-in Role
Endpoint Security ManagerBuilt-in Role
Read-Only OperatorBuilt-in Role
School AdministratorBuilt-in Role
Policy and Profile managerBuilt-in Role
Help Desk OperatorBuilt-in Role
Intune Role AdministratorBuilt-in Role
Cloud PC AdministratorBuilt-in Role
Cloud PC ReaderBuilt-in Role
Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 1

Endpoint Manager Roles

Let’s understand what are the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles. I have given examples of custom roles in the previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

Assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles. Allowed to edit the Intune Policy and Profile Manager.

  • Even the profile is ONLY deployed to out-of-scope users/groups. Intune Role-Based Access (RBA) rules don’t respect the scope of the editing profile.

This should be NOT allowed. Editing should be allowed only to those profiles which are assigned ONLY to Intune policy manager’s scope of users or devices (Intune policy manager = Kaith). Intune RBAC roles are still in development.

Access is denied to remove and add assignments to a profile that is already deployed to users who are not in the scope. Addition and removal of Assignments should be allowed if the admin is trying to deploy profiles to users in scope.

  • Access is denied to remove assignments to profiles that are targeted to the users or groups in scope. This should be allowed!

Allowed to delete all the profiles even if those profiles are targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then the deletion of the profile should be allowed.

Allowed to enable/disable certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

  • Login to MEM Admin Center (Intune).
  • Navigate to tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2

Intune RBAC Access rights – Application Manager

Allowed to remove assignments of applications that are already targeted to the users NOT in the scope of an Intune Application Manager. This should NOT be allowed. If it’s deployed/assigned to the users who are in scope, then removal of the assignment should be allowed.

Allowed to add assignments to the application, even if the user’s Intune application manager is targeting is out of scope for him/her. This should NOT be allowed. Assign administrators to Endpoint Manager Roles and Create and configure custom Endpoint Manager Roles.

The addition of assignment to the Application policy should be allowed only when the targeted users are within the scope of an Intune application manager.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3

Intune RBAC – Endpoint Security Manager

Let’s discuss, Intune RBAC – Endpoint Security Manager. You can assign administrators to Endpoint Manager Roles. Create and configure custom Endpoint Manager Roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot make changes to Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5

Intune School Administrator

Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8

Cloud PC Administrator

Name – Cloud PC Administrator. Description – Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9

Intune RBAC – Cloud PC Reader

Name – Cloud PC Reader. Description – Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10

Video Tutorial – Intune RBAC Roles

A more detailed explanation is in the above Youtube video or you can click here.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Video

Overall Access Rights of Intune tiles

Allowed to perform some administrative activities in configuring devices, and Setting device compliance tiles. Allowed to view details about users and groups in managing users’ tile.

  • Access is denied to perform any activities in Manage Apps, Conditional Access, Device Enrollment, Device and Groups, and Access control tiles.
  • Allowed to view objects in the Manage Users tile – Users and Groups.
  • Access is denied to create/delete new/existing groups. It doesn’t matter Intune policy manager is editing the groups which are in SCOPE or not.
  • Access is denied to change device and user settings in the Manage user tile.
  • Access is denied to Intune Silverlight console.

Intune administrator Role permissions

Let’s check Intune administrator Role permissions from the following table.

ActionsDescription
microsoft.directory/bitlockerKeys/key/readRead bitlocker metadata and key on devices
microsoft.directory/contacts/createCreate contacts
microsoft.directory/contacts/deleteDelete contacts
microsoft.directory/contacts/basic/updateUpdate basic properties on contacts
microsoft.directory/devices/createCreate devices (enroll in Azure AD)
microsoft.directory/devices/deleteDelete devices from Azure AD
microsoft.directory/devices/disableDisable devices in Azure AD
microsoft.directory/devices/enableEnable devices in Azure AD
microsoft.directory/devices/basic/updateUpdate basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/updateUpdate the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/updateUpdate the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/updateUpdate the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/updateUpdate registered owners of devices
microsoft.directory/devices/registeredUsers/updateUpdate registered users of devices
microsoft.directory/deviceManagementPolicies/standard/readRead standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/readRead standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/readRead hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/createCreate Security groups, excluding role-assignable groups
microsoft.directory/groups.security/deleteDelete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/updateUpdate basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/updateUpdate the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/updateUpdate the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/updateUpdate members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/updateUpdate owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/updateUpdate the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/updateUpdate basic properties on users
microsoft.directory/users/manager/updateUpdate manager for users
microsoft.directory/users/photo/updateUpdate photo of users
microsoft.azure.supportTickets/allEntities/allTasksCreate and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasksManage all aspects of Windows 365
microsoft.intune/allEntities/allTasksManage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasksCreate and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/readRead basic properties on all resources in the Microsoft 365 admin center
Table 2 – Intune RBAC Intune RBAC Roles Permissions in the Intune Admin Center Portal Table 2
  • Read, Delete, Wipe, Assign, Create, and Update are Inutne permissions can be assigned for each Intune objects.

Admin Groups – Admin group users are the administrators assigned to this role
Scope Groups – Administrators in this role assignment can target policies, applications, and remote tasks to Azure AD Device/User Groups
Scope tags – Who all can view this RBAC Role

41 Intune Objects List

Let’s check the list of 41 Intune Objects from Intune RBAC perspective.

Android FOTA
Android for work
Audit data
Certificate Connector
Chrome Enterprise (preview)
Cloud attached devices
Corporate device identifiers
Customization
Derived Credentials
Device compliance policies
Device configurations
Device enrollment managers
Endpoint Analytics
Endpoint protection reports
Enrollment programs
Filters
Intune data warehouse
Managed Device Cleanup Settings
Managed Google Play
Managed apps
Managed devices
Microsoft Defender ATP
Microsoft Store For Business
Microsoft Tunnel Gateway
Mobile Threat Defense
Mobile apps
Multi Admin Approval
Organization
Organizational Messages
Partner Device Management
Policy Sets
Quiet Time policies
Remote Help app
Remote assistance connectors
Remote tasks
Roles
Security baselines
Security tasks
Telecom expenses
Terms and conditions
Windows Enterprise Certificate

References:-

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts

Now, Microsoft Graph API is the buzzword. How to use Microsoft Graph API to fetch the details from Azure Active Directory (Azure AD/AAD) and Microsoft Intune? And a list of Intune PowerShell Scripts samples. I’m not going to provide any Graph API scripts to fetch details in this post.

APIs have always been an alien term for me. Rest API was everywhere and now it’s Graph API. Have you ever tried Facebook Graph API? So the entire industry is taking the path of Graph API!

A more detailed and latest explanation -> Intune Graph Query Samples Starters Guide

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts 4

NOTE! – Intune PowerShell Script Samples with Microsoft Graph – https://github.com/microsoftgraph/powershell-intune-samples

In this post, I would like to help by providing basic details of the Microsoft Graph API. How to start using Graph API graphically (Not programmatically) and how Graph API would be helpful for IT Pros in their day-to-day life. Microsoft Intune admins can analyze the details of a device or user from Graph API.

We can get only limited details of objects from the Azure AD portal, however, loads of details can be fetched from Graph API via Web browsers. You can perform all the GET and other supported operations from the following URL. Remember to sign in to the tenant.

Latest video on Intune Graph

Launch Microsoft Graph – URL –-> https://graph.microsoft.io/en-us/graph-explorer

https://developer.microsoft.com/en-us/graph/graph-explorer
Intune PowerShell Scripts sample
Intune PowerShell Scripts sample

When you sign in for the first time you need to agree to provide the following permissions to Graph explorer. Click on Agree button to proceed further.

Intune PowerShell Scripts sample
Intune PowerShell Scripts sample

There are two versions of Graph explorer available at the moment. Version 1.0 and Beta. I was having a hard time connecting to Graph API. It was ok when I wanted to retrieve my user information. But when I tried to fetch the details for the entire tenant, it was asked to agree or accept new Admin consent as you can see in the following paragraph.

This query requires additional permissions. If you are an administrator, you can click here to grant them on behalf of your entire organization. Or, you can try the same request against your own tenant by creating a free Office 365 developer account.

When I tried to click on the “HERE” button to accept the consent, it was giving me an odd error as follows:- “AADSTS90002: No service namespace named ‘organizations’ was found in the data store.” Ryan and Panu helped me to get rid of this error mentioned above. To accept this admin consent, you don’t have to create any manual applications or run any PowerShell scripts! It’s out of the box set now in your enterprise applications blade in the Azure console.

Intune PowerShell Scripts sample
Intune PowerShell Scripts sample

Following are some of the samples of graph API GET queries to retrieve details from Intune and Azure Active Directory (AAD). The other 3 types of actions are possible with Graph API and those are POST, PATCH, and DELETE.  

https://graph.microsoft.com/beta/users/[email protected]/ownedDeviceshttps://graph.microsoft.com/beta/deviceAppManagement/mobileAppshttps://graph.microsoft.com/beta/users/https://graph.microsoft.com/beta/applications   Following is some of the extracts of device management mobile app.

WhatsApp is one of the applications “https://graph.microsoft.com/beta/deviceAppManagement/mobileApps“. Similarly, we can retrieve the owned devices of a user and the status of a device through Graph API GET commands. Some of these details are only available ONLY through Graph API. This will great help for Intune admins at the time of troubleshooting issues.

Intune PowerShell Scripts sample
Intune PowerShell Scripts sample

cache-control: private
content-type: application/json;odata.metadata=minimal;odata.streaming=true;
request-id: 604557b1-409b-4749-8w32d-d754844b2181
client-request-id: 6se357b1-409b-4349-864d-d754844b2181
Status Code: 200
{
“@odata.context”: “https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileApps”,
“value”: [
{
“@odata.type”: “#microsoft.graph.iosStoreApp”,
“id”: “ab8a5364-887d-44e7-a6cd-9684d2f279c3”,
“displayName”: “WhatsApp Messenger”,
“description”: “WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone’s Internet connection (4G/3G/2G/EDGE or Wi-Fi, as available) to let you message and call friends and family. Switch from SMS to WhatsApp to send and receive messages, calls, photos, videos, and Voice Messages. \n\nWHY USE WHATSAPP:  \n\n• NO FEES: WhatsApp uses your phone’s
“publisher”: “WhatsApp Inc.”,
“largeIcon”: null,
“createdDateTime”: “2017-01-22T06:40:24.696692Z”,
“lastModifiedDateTime”: “2017-01-22T06:40:24.696692Z”,
“isFeatured”: false,
“privacyInformationUrl”: null,
“informationUrl”: null,
“owner”: “”,
“developer”: “”,
“notes”: “”,
“uploadState”: 1,
“installSummary”: null,
“bundleId”: “net.whatsapp.WhatsApp”,
“appStoreUrl”: “https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4”,
“applicableDeviceType”: {
“iPad”: false,
“iPhoneAndIPod”: true
},
“minimumSupportedOperatingSystem”: {
“v8_0”: true,
“v9_0”: false,
“v10_0”: false
}
}, 

Reference Links Intune PowerShell Scripts sample

  • Intune Graph API Reference – here
  • Azure AD Graph API reference – here
  • Quickstart for the Azure AD Graph API – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities? MEM portal is a one-stop-shop for all the services in the Microsoft cloud. When a user logins to a MEM portal for the first time, he/she can see all these services which are already selected as favorite services by default.

The selection of favorite services in the MEM portal for individual users is not based on the user’s profile or access rights of the user. This is not really good for new users in Intune portal. They will struggle to find out their role-related services.

Video

A more detailed explanation is in the above video or you can click here

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities

For example, you are an Intune admin and you have only access to Intune and Azure AD users and groups. But if you log into the MEM portal you will see all loads of services that make no sense to you at all. You will also find it really messy and I’m sure you will get lost in the portal until you find the search button or Intune services.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

Don’t worry there is a very friendly search option available in the Azure portal. If you are Intune admin then you can just click on more services and type “Intune” in the search menu. You can see 2 Intune services one is for Intune (MDM) and the second one is for Intune App Protection (MAM without enrollment).

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

To keep your Azure portal well organized, you need to spend only 2-3 minutes when you log in to the portal for the first time. What do we need to do to get neatly organized Azure portal? You log in to the Azure portal and click on the more services button, then remove the services which are not relevant to you.

For example, Intune admins don’t have anything to do with “Virtual Machines” hence you can remove Virtual machine service from your favorite menu. So this will help you to get rid of the Virtual machine shortcut from the left side menu of the MEM portal.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

END Result:- Clean and Tidy Azure portal for Intune Admins. Remove all the services from the Azure portal except Azure Active Directory, Users and Groups, Intune, and Intune protection services.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune
How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous post here, you might have seen the basic process to create Azure AD dynamic user and device groups along with the explanations about the syntax of the queries/rules.

I have a feeling that we will also get some performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries and SCCM admins are very familiar with this kind of performance issue.

In this post, we will see how can we create dynamic device groups for Windows devices with the “Device Ownership” attribute in the Azure AD. This attribute is populated only when the devices are enrolled through MDM and if I understand correctly “Device Ownership” attribute is populated by Intune in this case.

So if this attribute is not getting populated then you need to make sure that the device is correctly enrolled to Intune or not. Because some of these types of attributes are available only when the Intune portal is migrated to Azure. If you are still using Intune Silverlight portal, you may need to wait for your Intune migration to complete.

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Following are the Advanced membership rules which you can use to create Azure AD, and dynamic Device groups, to segregate BYOD and CYOD devices!All Windows CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “company”) -and (device.deviceOSType -contains “Windows”)

All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains “Personal”) -and (device.deviceOSType -contains “Windows”)

All BYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Personal”) All CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Company”)

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Auditing of Azure Active Directory Dynamic groups is very important from ops teams’ perspective. These auditing options are available in the new Azure portal and it’s very useful to track the changes of a particular Azure AD dynamic group.   As you can see in the below table ACTOR is the one who performed the activity on that group. For example, when I created this group “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.  

Date  Actor  Activity  Target(s)
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM[email protected]Add owner to groupUser : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM[email protected]Add groupGroup : All Windows CYOD Devices
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

So, it’s recommended to look at the best practices when we create dynamic device or user groups in Azure Active Directory. You may not see the performance issues with AAD dynamic groups at the time of testing or POC but when you migrate all the users into Azure AD then this could surely impact.

Personally, I always try to use -eq rather than using -contains in the AAD dynamic rules but it’s not always possible to use -eq! How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune?


Reference:-

  Using attributes to create advanced rules for group membership in Azure AD – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment

Microsoft Intune to automatically enroll CYO or BYO devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.

There is an option in the old classic Azure portal to set up Automatic Intune MDM enrollment for Windows 10 devices. A similar option is available in the new Azure portal with new names and a new look. More details about Windows 10 Intune Auto Enrollment Process are explained in this post.

Intune Admin Portal is one of the first things you have to learn. From this post, you understand what is where in Intune admin portal. The official name of the Intune admin portal is the Microsoft Intune Admin Center.

Introduction

The Intune Auto Enrollment option will help you to perform two (2) things, as explained below in the video. It’s an old video now, the patch to configure auto-enrollment is changed a bit, and I have explained it in the new Intune portal walkthrough video below.

  • First, whenever a Windows 10 device is joined to Azure AD, then the device will automatically get enrolled into Intune for MDM Management.
  • Second, the allowed users in the MDM user scope group can enroll devices into Intune.
Intune Portal Walkthrough | MEM Admin Center | Training

More Details about Intune Auto-enrollment using Group Policy are explained in the following document here. And the Quick Start Guide for Windows auto-enrollment document here.

NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.

Windows 10 Intune Auto Enrollment Process

Following is the place where you can set the MDM enrollment configuration in the new Azure portal. When your MDM User scope is set to None, then none of the enrolled devices get the proper policies, and those devices won’t work as expected.

  • In the Microsoft Intune admin center, choose Devices -> Device OnboardingEnrollment -> Windows.
  • Click on Automatic Enrollment button.
How to Configure Automatic Intune MDM Enrollment Fig.2
How to Configure Automatic Intune MDM Enrollment Fig.2

Select the MDM user Scope to All or Custom Azure AD group as per your requirement. If it is set to None, users won’t be able to enroll the devices into Intune management.

Free-Intune-Trial-Tenant-Forever-Fig.-22

The simplest option is to specify “all users” in the MDM user scope so that all the users in your organization can enroll their devices into Intune. Windows 10 devices will be automatically enrolled to Intune when the users perform Azure AD Join.

User groups can manage this option. When you want to provide a specific group of users the ability to enroll their devices into MDM/Intune, this is the place to configure that user group. Click on the SOME option in the MDM User scope and select the user group you want to provide access to.

From the same place, you can perform a granular or phase-wise approach to move users to new MDM management. There are 3 URL options in this blade, you can configure these URLs as per your MDM vendor.

Video Windows 10 Intune Auto Enrollment Process

This is an old video recorded using the Azure portal UI. The concept is the same, but the options are different in the new portal UI.

Windows 10 Airwatch Mobileiron Auto Enrollment Process?

In case your devices are managed by Airwatch or Mobileiron, then you can specify those URLs. All the URLs are automatically configured in the new Azure portal for Intune MDM. There are 3 different URLs in this blade.

1. MDM Terms of use URL – The URL of the terms of use endpoint of the MDM service

https://portal.manage.microsoft.com/TermsofUse.aspx

2. MDM Discovery URL – This is the URL of the enrollment endpoint of the MDM service. The enrollment endpoint is used to enroll devices for management with the MDM service. The URL given below is the Intune enrollment endpoint URL.

https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

3. MDM Compliance URL – This is the URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliance device.URL can navigate to this URL hosted by Intune service in order to understand why their device is considered noncompliant. Users can also initiate self-service remediation so their devices become compliant and they can continue to access resources.

https://portal.manage.microsoft.com/?portalAction

Windows 10 Intune Auto Enrollment
Windows 10 Intune Auto Enrollment

So where is the option in new Azure portal to configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for rest of the devices (Android, iOS, and macOS)? Following is the place where you can configure Intune MDM enrollment option –  Microsoft Azure – Mobility (MDM and MAM).

Windows 10 Intune Auto Enrollment Process Screen capture.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment 8

Reference Link :-Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered by the cloud! – here

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager? Have you already seen the new Intune options in the MEM portal? If not, I would recommend watching the following video post to get an overview of the new Intune portal here.

We can have more granular restrictions for MDM enrollments in the new Intune portal. We don’t need any tweaking in on-prem services like ADFS or any federated access management system.

Now, we have the option to block personal iOS devices from Intune enrollment. Enroll Devices node is the place in Intune Azure portal where you can set up this policy. “Enrolment restrictions” is the place where you can find the details about granular enrollment restriction policies.  

Enrollment restriction policies help us restrict/block a set of devices from enrolling into Intune.

How to Restrict Personal iOS Devices

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager
How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

Within enrolment restriction rules, we can have two types of restrictions  Device Type restriction and Device Limit restrictions. Device limit restrictions are already available in Intune Silverlight portal. Device Type Restriction is new in Intune Azure portal, and that gives us the option to restrict or block specific platform devices from enrolling.

If you want to restrict Android devices from enrolling into your Intune MDM enrollment, you can disable/block Android devices enrollment from the new portal. However, I’m not sure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune. I hope there could be some limitations from the Android platform side to restrict the Android devices which are not enabled for Android Work type of management.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager
How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

The device type restriction policy is very helpful in a scenario you want to restrict Windows Mobile/Phone devices from enrolling into Intune. At the same time, you can allow Windows devices (desktops, laptops, surfaces, etc..) from enrolling into Intune.

The most interesting feature which is very helpful for any organization is to restrict personal iOS devices from enrolling into Intune. Yes, corp/company-owned iOS devices can be enrolled using the apple DEP program. In this scenario, you need to create an enrollment type policy with the iOS platform enabled for enrollment via Device Type Restrictions — Platforms. Once the iOS platform is enabled for enrollment, then go to Platform Configurations and then BLOCK personally owned iOS devices.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager
How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

For example, when you try to enroll a device into Intune, the Enrollment restriction policies are checked against that device platform and user. Intune will check the device properties + user restriction limits configured in the enrollment restriction policies and confirm that the device platform and user are allowed to enroll. After this positive verification, Intune will allow the user to enroll the device.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager?

Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Quick Overview Comparison between Intune Azure and Silverlight Portal

Quick Overview Comparison between Intune Azure and Silverlight Portal? I’m excited to share the comparison video and post of Intune Silverlight and the new Intune in MEM portal.

Loads of new features and loads of very good changes.  All the new Azure tenants with a new Microsoft EMS subscription will be able to access a preview version of Intune in the MEM portal.

Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center HTMD Blog (anoopcnair.com)

The performance, look and feel of Intune console is far better than Intune Silverlight console. Intune in MEM portal helps us eliminate loads of duplication works that we need to perform to create groups in Azure AD and Intune groups.

In the new portal, we can direct deploy applications, policies, profiles, etc… to Azure Active Directory Dynamic device groups and user groups. Enrolment restriction rules and RBA for Intune admins are other most exciting features for me within the new portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Video Tutorial to know Intune Silverlight Portal Experience

Video Tutorial to know Intune Silverlight Portal Experience.

Video Tutorial to know Intune Silverlight Portal Experience

Overview Comparison between Intune Azure

Manage Apps node is the place where you can create apps from the Android store, Apple Store, and Windows store. The most exciting feature in Manage apps is that you can directly search the Apple App store (Yes, I think for preview, we have only the option to select the US store) and fetch the application from there.

Hence you don’t need to specify the properties of that app. Deployments in the new MEM portal are called ASSIGNMENTS. You can directly deploy applications to AAD groups. One thing missing in the review version of Intune is an option to upload MSI applications.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Configure Device node is the place in the new Azure console where you can create configuration policies for iOS, Android for Work, Android, and Windows devices. In the Intune Silverlight portal, configuration policies have build-in generic policies for Windows, iOS, Android, etc…similarly new Intune portal in Azure has build-in profiles.

We have different profile types called Device Restriction policies, WiFi profiles, VPN profiles, SCEP deployment profiles, eMail profiles, etc… Device restriction policies are nothing but the build-in configuration policies for specific device platforms.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Set device compliance is the node where you can create new, improved compliance policies for all the supported devices like iOS, Android, and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policies.

Also, depending upon the device platform, the separate compliance policies will get applied to different devices (even if a user is targeted to iOS, Android, and Windows compliance policies). Deployment of compliance policies is done via assignments in Intune portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

The conditional Access node in the new Intune portal got very few options if you compare it with Intune Silverlight conditional access options. All the device-based conditional access rules are moved out of Intune. Now those device-based conditional access rules are part of Azure Active Directory. Device-based conditional access policy has loads of granular options, more conditions, more control options, etc…

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Enroll Devices node is where you can define enrolment restriction rules. Enrolment restriction rules are the rules which help to restrict the devices from enrolling into Intune. The enrolment restriction rule comes before conditional access verification. Within enrolment restriction rules, we can have different types of restrictions like Device Type restrictions and Device Limit restrictions.

Device type restriction is the place where we can select device platforms and platform configurations. Enroll Devices node is the place where you can also define/configure Windows Hello for business, check the MDM management authority, Terms and conditions, Corporate device identities, and apple MDM push certificates.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Access control is the place where we can define custom security permissions for Administrator users. Role-based administrator (RBA) is enabled in the new Intune portal, where you create your own customized Intune admin roles.

Once you create a security role, you can create a new assignment to it and add Members Group and Scope Groups. Following are the permission options available in Intune review portal – Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote tasks, Roles, Telecom Expenses, and Terms and conditions.

Quick Overview Comparison between Intune Azure and Silverlight Portal
Quick Overview Comparison between Intune Azure and Silverlight Portal

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Learn How to Delete Devices from Azure Active Directory | Azure Portal? We need to have deleted and disabled options in Azure AD and Intune as part of effective device management.

A device can be retired and deleted from Intune console (Silverlight), and I’m sure the new MEM portal will surely have these options.

If you are an SCCM admin, you could recollect there is an option in the SCCM console to delete and disable a device. However, I have seen that when you retire and delete a device from Intune console,  that device will get removed from Intune console but will still stay in Azure AD.

How to Delete Devices from Azure Active Directory

So it’s very critical and important to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial to help you with this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment“.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Back to delete and disable device options in the new Azure AD portal. We will cover the disable/enable device option first and then discuss the delete option. Think about a hypothetical scenario, there is an emergency, and you want to disable the device AAD to prevent further damage to your organization.

To disable a device, you need to go to All users and groups blade in the MEM portal here. Select All Users and select the Devices option from that blade. This will give a list of devices, and from that list, you can select one device and click on disable/enable the option as per the requirement.

You can review the video attached to this post to get a real-time experience of this. We don’t have to disable the option in Intune console, so the only way to disable a device is from the Azure AD portal. Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices?

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Delete Devices from Azure Active Directory

Now, we can see the delete device option in the Azure portal. This is a critical option, which is very helpful in keeping your Azure AD environment clean. This will help device management admins to get better results of configuration/compliance policy and application deployments. To disable a device, you need to go to All users and groups blade in the Azure portal here.

Select All Users and select the Devices option from that blade. This will give a list of devices and from that list, you can select one device and click on delete.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups? We discussed creating Azure AD Dynamic Device or User groups in my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune“.

Another question I usually get is “How to remove or Exclude a device from Azure Active Directory Dynamic Device Group”.

I expect this could be one of the scenarios which will be used in the deployment of security/configuration policies via Intune. This is a very valid scenario, and you can’t avoid this kind of scenario in the device management world. No explanation is needed if you are an experienced SCCM Admin.

Exclude a Device from Azure AD Dynamic Device Group

It’s impossible to remove a single device directly from the AAD Dynamic device group. Yes, there is a remove button available, but when you select a device and click on that remove button, it will give a confirmation popup with a YES button. 

If you click on the YES button, it will give an error stating you can’t remove the device from the Azure AD dynamic device group. “Failed to remove member LENexus 5 from group _Android Devices”. However, this can be achieved by adding some conditions to the advance membership rule query in AAD dynamic groups.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

AAD Dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression is separated by a conditional operator, either ‘and” or “or“. You can play around with this conditional operator to remove the devices from the AAD dynamic device or user groups.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

Following is the advanced membership rule query I used in the AAD dynamic device group to remove a device. In this query, you can see the conditional operator between 2 binary expressions is -and.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t know the result and whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume that this will work because I can see a difference in the device icon for the device called “LGENexus 5”. And that is the device that I tried to exclude using the above query.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups 13
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update

Learn two things from this post. How to Create Azure AD Dynamic Groups for Managing Devices using Intune? and How to Pause AAD Dynamic Group Update?

This post will see how to create Dynamic device groups and User Groups in Azure Active Directory. Azure AD groups are similar to collections (in the SCCM world) for Intune device management solutions.

These AAD groups can be used to target different policies for a specific group of devices. Latest postValidate Azure AD Dynamic Group Rules | Intune.

So this is very important in the world of modern management of devices using Microsoft Intune. If you are an SCCM admin, the AAD dynamic group is similar to creating a dynamic collection using WQL query rules. AAD groups don’t have that granularity in creating dynamic query rules if you compare them with WQL query rules.

However, the new Azure portal has many options to create dynamic query rules. The video tutorial will help you get more inside AAD Dynamic groups.

Updated Post -> How To Create Nested Azure AD Dynamic Groups.

Create Azure AD Dynamic Groups

AAD Dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in the AAD dynamic membership rule query must have 3 parts Left parameter, the Binary operator, and the Right constant.

A left parameter in the query rule is one of the attributes of the AAD object (either user or device). If you want to query users in a particular department, then the user is the object, and the department is the attribute (user.department).

A binary operator is nothing other than a conditional operator like “-ne,-eq, -contains -match.” The right constant is a constant value specific to your requirement; for example, if you want to create a group for all IT users, it is “IT.”

(user.department -startsWith "IT")

(user.department -match "IT")

(user.department -eq "IT")

Let’s take an example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic Device group. You must have appropriate permissions to create Azure AD groups. Follow the steps to create the Device group for 22H2.

  • Login to Endpoint Manager Portal (endpoint.microsoft.com)
  • Navigate to the Groups node.
  • Click on “+ New Group. “
  • Select Security – Group Type from the drop-down option.
  • Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
  • Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
  • Select Dynamic Device as the Membership type.
  • Click on Add Dynamic Query under Dynamic Device Members.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 1
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 1

You need to hover over the properties column to get an option to select Azure AD dynamic device groups based on Windows on the Dynamic membership rules page.

You can create or edit rules directly by editing the syntax in the box below. Or you can use the Azure AD portal UI as shown below to create a dynamic group query rule. There are some scenarios where the device properties (e.g. nesting) are not published in the UI property list.

(device.deviceOSVersion -startsWith "10.0.22621")
  • Click on the SAVE button to save the query rule.
  • You also have the option to validate the Azure AD query from Validate Rules tab, as shown in the picture. More details are explained in the below section.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 2
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 2

You can now click on the CREATE button to complete the process of creating a Windows devices Azure AD dynamic group. You can also change the version numbers to get different results.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 3
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 3

How to Pause Azure AD Dynamic Group Update

Microsoft recently added an option to Pause Azure AD Dynamic Group Update. You can perform the PAUSE action from the Azure AD portal itself. You don’t have to do this using Microsoft Graph or any other crazy method.

There is an accidental deployment that happened to the Azure AD dynamic group and you must reduce the impact. What would be your first step? I think the update pause might help to pause the deployment with immediate effect at least for new devices.

You can navigate to the Azure AD dynamic group that you want to pause. From the Overview tab, you can enable the Pause Processing option for Azure AD Dynamic groups.

  • When the setting is set to YES, the processing of this dynamic group will pause.
  • When set to NO, processing will continue.

The Dynamic Rule Processing Status = Updates Paused once you enable the Pause Processing option from Azure AD dynamic group. The Dynamic Rule Processing Status shows whether or not this group is processing changes to the dynamic group rules. This is only applicable when a group is newly created or the rule was recently edited or the Pause Processing setting is changed. 

How to Pause Azure AD Dynamic Group Update Fig. 1
How to Pause Azure AD Dynamic Group Update Fig. 1

Maximum supported words/characters

I did a test to understand what is the maximum supported words/characters in Azure AD dynamic advanced membership rule, and I found that we could save a query with a maximum of 311 words and 3045 characters.

When I increased the numbers to 315 words and 3085 characters, it started giving an error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune
How to Create Azure AD Dynamic Groups for Managing Devices using Intune

Now back to Intune and device management. I will create 3 basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.

Dynamic Query

First, I wanted to group all windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules 1. Simple rule and 2. Advanced Rule. To group windows devices based on the operating system, it’s better to use simple queries via Azure portal GUI.

In case you want to use advance membership, then the following is the query “(device.deviceOSType -contains “Windows”).” When you create an Azure AD dynamic device group, it will take 1 or 2 minutes (depending upon the complexity of the query and the size of the database) to populate the devices into the group.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune
How to Create Azure AD Dynamic Groups for Managing Devices using Intune

It’s time to find iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic Device group can’t be created using a simple membership rule; rather, we should use the Advanced membership rule.

We need to have two constant values like iPhone and iPad. Following is the query which I used to fetch iOS devices (device.deviceOSType -contains “iPhone”) -or (device.deviceOSType -contains “iPad”).

How to Create Azure AD Dynamic Groups for Managing Devices using Intune
How to Create Azure AD Dynamic Groups for Managing Devices using Intune

OK, here we go with a grouping of Android devices. I want to create an AAD dynamic device group using a simple membership rule in this scenario.

Because I don’t have more than one constant value in the AAD group binary expression. Following is the dynamic query for the Android device group “(device.deviceOSType -contains “Android”).”

How to Create Azure AD Dynamic Groups for Managing Devices using Intune
How to Create Azure AD Dynamic Groups for Managing Devices using Intune

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager? A Clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. Rather you should have regular sanity checks for your environment to ensure that you don’t have duplicate copies of policies and applications.

Moreover, you should avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and could result in unexpected results.

Introduction

We SCCM Admins are familiar with the process of deletion and removal of a device in SCCM and Microsoft Intune. However, we are always not sure when you remove a device from SCCM, then that device record will automatically get removed from On-prem Active Directory or not.

The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility, and this should be handled separately by on-prem Active Directory.

So how are these operations handled in the modern device management world in terms of Intune SA (or SCCM Hybrid) and Azure Active Directory? In most cases, I have not seen that when you retire and delete a device from Intune, that device record will automatically get purged from Azure Active Directory (AAD).

To have better results for your Compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with clean Azure AD. You can get a better understanding of this issue from the above video tutorial. How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager?

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

How to Delete Clean Tidy Intune Azure Active Directory?

In the above example, Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check for the devices assigned against my account, you can see there are a total of 3 devices, and all the 3 devices have been shown as managed by Intune.

This is not accurate data that is getting reflected in Azure Active Directory. I’m not saying every time this scenario will happen. I’ve seen some devices automatically get removed from Intune and AAD. How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager?

I suppose we should have a better accuracy/sync between Intune and Azure AD databases.  I don’t see a scheduled task in Azure AD to purge the deleted records from Microsoft Intune. I’m not sure whether this is coming in the near future or not.

To ensure better results for Intune device management policies, when you delete a device from Intune, you should make sure that the device record is removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to have a clean and tidy environment.

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

Resources

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Validate Azure AD Dynamic Group Rules | Intune

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Troubleshoot Windows 11 10 Intune MDM Issues

Learn how to Troubleshoot Windows 11 10 Intune MDM Issues from this blog post. There are several options to troubleshoot and some of them are explained here.

Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is Windows 10 MDM Troubleshooting Guide.

Related Posts

Understand Windows 10 MDM Architecture

For example, if an Intune policy is deployed to a Windows 10 machine, but it’s not getting applied on a Windows machine, then how do we start troubleshooting? First of all, we need to understand Windows 10 management architecture. Following is the high-level architecture diagram for Windows 10 management. Windows 10 MDM issues troubleshooting will be easy if we know this high-level architecture. This post will help us as Windows 10 MDM Troubleshooting Guide.

How to Troubleshoot Windows 11 10 Intune MDM Issues 1
How to Troubleshoot Windows 11 10 Intune MDM Issues 1

There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I will share the 3 easy ways to start MDM troubleshooting. Yes, it’s different from the SCCM/ConfigMgr client’s way of troubleshooting as there are no log files for the MDM client.

MDM client is in build with Windows 10 operating system, and events logs are the best place to start troubleshooting Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and IT Pros to understand and start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.

[Related Posts – How to Start Troubleshooting Intune Issues]

Video Tutorial – Windows 10 MDM Troubleshooting Guide

Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros!

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

Troubleshoot with Windows 10 Event Logs

Event Logs  :- Microsoft->Windows->DeviceManagement-> Enterprise-Diagnostics-Provider/Admin

Event logs in Windows 10 machines are the best to start troubleshooting MDM-related issues. As you can see in the below screen capture, you could be able to see where to go in events logs (Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin) to see the details of the MDM and Device Management related issues. When the machine is Workplace Joined or AAD joined, all the events related to Intune/SCCM policies are recorded in “this” event log section.

AAD event logs are also very useful in this windows 10 MDM issue, and you can check out the following location for AAD-related event logs “Microsoft-Windows-AAD/ Operational”. Event logs are an integral part of the Windows 10 MDM Troubleshooting Guide.

The event logs are the best to start the Windows 10 MDM issues troubleshooting. You will get the detailed status of Intune or SCCM hybrid policies from event logs. Each entry in those event logs will tell you whether the deployed policies are reached and applied on that machine or not. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 settings – connect to the work or school page.

[Related Posts – How to Start Troubleshooting Intune Issues]

How to Troubleshoot Windows 11 10 Intune MDM Issues 1
How to Troubleshoot Windows 11 10 Intune MDM Issues 1

Troubleshoot Windows 10 with WMI Explorer

WMI Explorer way of checking whether the policy settings are applied or not:-

WMI Explorer is the best tool to check the MDM policies to confirm whether those settings are applied on the windows 10 system or not. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.

I have deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting, the best place to begin with is event logs.

We can also check this via WBEMTEST, but we may need to start WBEMTEST from the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.

[Related Posts – How to Start Troubleshooting Intune Issues]

Registry way of checking Windows 10 MDM Policy settings

Troubleshoot Windows 10 with Registry Entries

The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is the registry key. Following is the registry location where you can find MDM policy settings. You want to check for MDM policy settings on Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers

In this below screen capture, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is we need to find out a way to decode each provider GUID (CLSID Key?) related to MDM policies. Following are some of the extracts from my Windows 10 machine:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Disaplay

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
  • System > Power Management > Button Settings
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Select the Start menu Power button action (plugged in)
  • Enabled – Select the Start menu Power button action (on battery).
How to Troubleshoot Windows 11 10 Intune MDM Issues 11
How to Troubleshoot Windows 11 10 Intune MDM Issues 11

Troubleshoot Windows 10 with MDMDiagReport

These GUID IDs can be found in the MDMDiagReport.xml file, and this XML can be decoded into HTML file MDMDiagReport.html using the tool here.  

How to Troubleshoot Windows 11 10 Intune MDM Issues 111
How to Troubleshoot Windows 11 10 Intune MDM Issues 111

[Related Posts – How to Start Troubleshooting Intune Issues]

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune | Endpoint Manager

Loads of people requested a starter kit for Intune as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was very useful for the community (I think that is why people are requesting the Intune Starter Kit). In this post, we will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM).

In most cases, no need/very minimal need for on-prem infrastructure if you are going with Intune standalone and all the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just starting 😉

63 Episodes Of Free Intune Training For Device Management Admins HTMD Blog (anoopcnair.com)

I started working with Intune in the later part of 2012, and Microsoft Intune has evolved during the years, and it has changed a lot. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links in that post are outdated, but it’s worth going through if you want to see how Intune was ?).

We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

What is Microsoft Intune?

Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in Cloud.

Additionally, Intune has features where admins can create a “Conditional Access” policy to get access to company resources. If the devices met those conditions, only Intune would provide access to company or corporate resources (corporate mail, Share point, etc…). 

Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to make it so simple this time. Intune architecture is entirely cloud-based and agile.  To get a more detailed idea about Intune (Yes, this video is old and outdated in some parts as Intune evolved along with entire Microsoft’s Enterprise Mobility and Security (EMS))

Management Options using Intune?

I’m going to explain in a bit different way. Let me know if this is confusing. We can manage devices with an Intune client agent and arguably without an Intune client agent. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents.

So, when you install Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, there is Microsoft Intune client MSI available to download once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.

I have an old post (published in Dec 2012) here to help you understand the basic stuff about Intune MSI agent installation. Once you install Intune MSI agent on Windows machines, those machines are “fully managed” by Intune.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

So what is arguably agent less Intune management? Within Windows 10, we have an “in build – Native” MDM agent as part of the operating system. We can enroll Windows 10 devices to Intune using the “in build – Native” MDM agent. In this scenario, we have to use Intune company portal to install applications like a shopping cart.

So Intune company portal is not acting as Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point in time). I’m sure this will change sooner or later. Windows 10 in-build MDM agent can be used to enroll your Windows 10 devices to any other MDM management software VMWare Airwatch, Mobileiron, etc…

  • Enrolled via Intune company portal
  • Enrolled via Installation of Intune MSI client
  • Enrolled via Windows 10 1607 and above in build Azure AD join and MDM enrolment
  • MAM without MDM enrolment
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

How to get an Intune account and start working/Testing with Intune?

Download the Microsoft EMS step-by-step guide from here. This guide will help you to get a trial version of Office 365, Azure AD, and Intune subscription for free. If you already have an Azure AD (Azure AD premium) subscription, things are very straightforward, as I posted in the blog here.

Suppose you don’t have an Azure AD subscription, then better to start with an Enterprise Mobility Suite (EMS) trial account, Azure Free Trial Account (Azure trial account is already created EMS trial account), and Office 365 free trial subscription. To get these trail accounts, it’s better to create a NEW outlook.com account and get ready with Credit Card details to activate the Azure trial subscription. 

Getting a trial version of Azure AD, Office 365, and Intune is a very straightforward process if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trial all the features of Intune.

Note:- Intune can be signed up separately as well from here. If you feel you are interested in testing only Intune now, this is the way.

How to start using Microsoft Intune Console

Once you have completed the subscription things and you can log in to Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is a must for Intune console to work). Internet Explorer with Silverlight plugin is the best internet browser for Intune console.

However, Intune console will work on any internet browser which can add Silverlight as a plugin. In the future, maybe, Intune console will work without the Silverlight plugin, and I would love to see this very soon.

The following documentation is where you can start reading about all the Intune topics:- Microsoft documentation Intune quick start guide here.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

How to select the MDM authority from Intune console?

For me, MDM authority and management options are very important. Please note once you set MDM (Mobile Device Management) authority to Intune in the following place at Intune console, then you won’t be able to change it.

To change Intune MDM authority, you have to raise a ticket with CSS or service request via Intune/office 365 portal. So be very careful when you click on any links on the following page at Intune console.

What are types of Management Authority do we have for Intune?

  1. Microsoft Intune
  2. Configuration Manager (SCCM)
  3. Office 365 (lightweight Intune)

Quick question:- Do I need to re-enroll devices if MDM authority is changed from o365 MDM to Intune MDM? – It is working without re-enrolment of devices, just a compliance check, and everything looks ok on the device. I think I heard it’s supported as both use Intune for MDM.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

How to start managing Windows/iOS /Android devices with Intune?

Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier we need to have side loading and key SEP certificates to manage/deploy app Windows, windows phone devices.

Now, most of these certificates and sideloading key requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It’s 10 minutes of work to sync your Windows Store for Business and Microsoft Intune. More details in the post “Integrate Windows Store for business” are here.

If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.

However, iOS\MAC OS device management has certificate requirements, and we need to go to the apple portal, upload your cert for the tenant, and get the certificate for your Intune tenant.

The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details here Microsoft document specifically for Intune.

How to Deploy MSI applications to Windows PCs using Intune?

Similar to SCCM, Intune can also deploy different kinds of applications to different types of devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, APPX – APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or application available to devices via 3 methods.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

1. Software Installer – select the type of software you want to install
2. External Link – this can be used for deploying the applications in Google Store via deep linking
3. Managed iOS apps from Apps Store – this can be used to deploy the apps in the apple store via the deep linking method

The following post will help understand the process of deploying applications using Intune “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1” – here. More details about deploying the application via Intune are given in the following links here and here.

How to create policies within Intune console?

Creating policies in Intune are one of the other thing important step as part of Intune configuration and device management through Intune. Following is the list of policies you can create and deploy via Intune.

  • Configuration Policies
  • Compliance Policies
  • Dynamics CRM Online Conditional Access Policy
  • Exchange Online Conditional Access Policy
  • Exchange On-premises Conditional Access Policy
  • SharePoint Online Conditional Access Policy
  • Skype for Business Online Conditional Access Policy
  • MAM Application Policy
  • MAM Browser Policy

What is the difference between Intune Configuration Policy and Intune Compliance Policy:- In some cases, you can see similar kinds of settings in compliance and configuration policies. So what is the exact difference? Compliance policy works with conditional access policies however configuration policies are independent of conditional access. Compliance policies can deploy ONLY to USERS, whereas Configuration policies can be deployed to both Devices and Users.

Compliance policy won’t force the device to change the configuration at device rather it will wait until the device gets into the compliance stage to provide access to company resources like mail/SharePoint (in case of Conditional access policy is set). Configuration policy forces the device or user to change the configuration setting mentioned in the policy (arguably not true in all the scenarios).

The following video will explain to you how to create and Deploy Intune Compliance Policies from the console.

What are MAM (Mobile Application Management) policies?

Mobile Application Management policies are application specific policies that you can set up via Intune. What is the difference between configuration, Compliance policies, and MAM policies? Configuration and Compliance policies are for the entire device. It’s applicable for everything on the device. MAM policies will get applied only to the application with which it’s associated.

The following post will guide you through the process of deploying MAM policies to iOS or Android devices “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune” – here. Microsoft Intune documentation about MAM policy creation here.

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?

This one another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? This is Mobile Application Management policies without enrolling to Intune. These policies are really helpful in BYOD/personal devices to get access to corporate mail and SharePoint, etc., securing the corporate data.

Why Intune option is visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time it’s Intune MAM (Mobile Application Management) without MDM enrolment.

For full management of mobile devices, we need to use the original Intune portal (https://manage.microsoft.com). It was a regular question in forums and other communities that can Intune coexist with other MDM products like Airwatch or Mobile Iron. More details here.

How to Manually Add Users to Intune Console?

How to add users to Intune console, and how to provide permissions to users in Intune console? We don’t have to do this when Intune Silverlight console is migrated to the Azure portal?? Before you try to provide service administrator access (Only limited roles available in Intune Silverlight console Full Access, Read-Only access, or Helpdesk – Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in Intune administrator console. More info here.

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…