Intune How to Enroll Android for Work Supported Devices for Management | Google Play Store for Work

Android for Work enrollment into an Enterprise Mobility Management (EMM) solution such as Intune is slightly different from iOS and Windows device enrollment.

This difference is not caused by your EMM solution; it is the process/framework Google implemented to complete Android for Work enrollment. We need to configure Intune to support Android for Work, and I have a post that explains the prerequisites. More details here.

Video – Intune How to Enroll Android for Work Supported Devices

The Android for Work enrollment experience is explained in the video here.

Details Google Play Store for Work

First, we need to make sure that Android for Work (A4W) is enabled for your Intune tenant and then configure Intune to support A4W. Do you want to allow only Android for Work-supported devices to enroll in Intune? That option is not available out of the box in Intune.

I’m sure Microsoft will come up with a new option in the new Azure portal, as I noted here in the previous blog post about the enrollment restriction rule in Intune. Android for Work is currently supported on devices running Android 5.0 Lollipop and later that support a work profile.

The second step is to ensure that you have configured both the Android for Work configuration policies and the Android configuration policies in Intune. There is a separate set of policies in Intune that applies only to Android for Work.

Intune compliance policies are the same for “Classic” Android management and Android for Work management. If you plan to deploy VPN and Wi-Fi profiles to Android for Work supported devices, Intune supports some custom configuration policies (OMA-URI) for that purpose.


Android for Work?

As a third step, you need to confirm whether your device has support for “Android for Work” or not. Where is the list of Android for Work supported devices? OK, no worries, Google has already published the list here.

If your device is not supported, Intune will automatically enroll the device for “classic” Android management, so you won’t see any work profile being created on your phone.


More Details

Once you have identified that the device you are trying to enroll is supported, the process is to open the Google Play Store and install the Intune Company Portal. Once the Company Portal is installed, you can log in with your corporate credentials, and it will start the first phase of the setup: creating a work profile for Android.

Once the work profile has been created, the Company Portal application will ask you to switch to the work profile and launch the Company Portal from there to continue the setup. So you need to log in to the Company Portal twice as part of Android for Work enrollment.

The work profile will be controlled by an organization you have enrolled in, and the Company Portal app will have access to Work profile-related data.


Half of the enrollment process has been completed in the above step. The Intune Company Portal application initiates the creation of the work profile. Once the work profile has been created, you need to log in to another instance of the Company Portal app, the one that resides in the work profile.

The Company Portal app in the work profile does the second half of the enrollment process. It helps the device complete Workplace Join, Azure AD Join, and Intune enrollment, as you can see in the above video.


Google Play Store for Work

Once you complete the company access setup, you can access company resources and apps depending on the conditional access, compliance, and configuration policies. The Android device must comply with the compliance policies, and it must also meet the conditions the Intune admin set in the conditional access policies.

Once everything is OK, you can browse and install applications from the “Google Play Store for Work“. I will cover the Android application deployment scenarios in an upcoming blog post here (coming soon).


Outlook is one of the applications you can deploy directly as “available” or “required” from the Intune portal. Once the Outlook app has been installed, you can configure your corporate mail directly without any particular configuration. Deploying an email profile via Intune is not required for automatic corporate mail configuration.

You only need to enter the email ID; everything else is configured automatically. You can add applications to the Google Play Store for Work with the existing Gmail account, as I mentioned in the blog post here. Once these apps are synced with Intune, you can deploy them to groups.

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune Application Policy Manager RBA Controls In MEM Portal | Endpoint Manager Role-Based Access

We will discuss the access rights of the built-in Intune RBAC role called Intune Application Manager.

Ideally, this role should have access to administer managed apps and mobile apps and to read device information, depending on the scope of users/devices assigned to the role.

Do you know what the scope is? “The users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB console. I have another post that talks about Configuration Manager RBAC in detail here.

Intune Application Policy Manager

In this post, we will see the permissions associated with the Intune Application Manager built-in role. As per the Microsoft documentation, this role is to “Manage and deploy applications and profiles”.

We will do a deep dive into this topic and explain the exact actions an Intune app admin can perform from the MEM portal. Following are the access permissions given to the Intune App Manager RBAC role.


Managed Apps

  • Assign managed apps to a security group
  • Create managed apps
  • Delete managed apps
  • Read managed apps
  • Update managed apps
  • Wipe managed apps

Managed Devices

  • No access to delete devices
  • Access to read device information
  • No access to update device properties

Mobile Apps

  • Assign mobile apps to a security group
  • Create mobile apps
  • Delete mobile apps
  • Read mobile apps
  • Update mobile apps

Overall Access Rights of Intune tiles

  1. Allowed to administer some actions in the Manage Apps and Configure Devices tiles.
  2. Access is denied to perform any activities in the Conditional Access, Device Enrollment, Access Control, and Set Device Compliance tiles.
  3. Allowed to set up a certificate authority in the Configure Devices tile. However, no access to view profiles.
  4. Allowed to view the device information in the Devices and Groups tile.
  5. Access is denied to create/delete new/existing groups or user profiles. It doesn’t matter whether the Intune policy manager is editing groups in SCOPE or not. In a lot of places, the Save and Add buttons are enabled, but when we try to save, it gives an error.
  6. Access is denied to change device and user settings in the Manage Users tile.
  7. Access is denied to the Intune Silverlight console.
  8. Access is denied to the Intune App Protection section. Intune mobile application management is not allowed for Intune App Managers. All these app protection options are probably already part of the Intune – Manage Apps tab in the Azure portal.

Access rights – Manage Apps (Manage Apps and Mobile apps) – Intune Application Policy Manager RBA Controls

  1. Allowed to create new mobile apps.
  2. Allowed to edit mobile apps that were uploaded by admins. Access is denied to edit the managed apps, which are uploaded automatically.
  3. Access is denied to remove assignments/deployments to a group that is out of scope for the Intune Application Manager.
  4. Access is denied to remove assignments/deployments to a group that is in scope for the Intune Application Manager. This SHOULD be allowed!
  5. Allowed to add an assignment to a mobile/managed app if the user group is in the scope of the Intune Application Manager.
  6. Access is denied to add an assignment to a mobile/managed app if the user group is out of scope of the Intune Application Manager.
  7. The App Protection Policies blade hangs while trying to edit existing (or create new) app protection policies from the Intune App Manager account.
  8. Allowed to perform the app selective wipe option from the Intune App Manager account, but only on “in scope users/devices”.
  9. Access is denied to edit Company Portal branding from the Intune App Manager account.


Beginners Guide Intune Android for Work Google Play for Work Setup Endpoint Manager | MEM

Android for Work is always an exciting topic for me. I’m a fanboy of Android devices 🙂 I started testing Intune + SCCM MDM management with Android devices back in 2014; you can refer to that post here. I was eagerly waiting for “Android for Work” support with Intune.

A few months back, Microsoft announced Intune’s support for Android for Work (A4W). Since then I have been waiting for an A4W-supported device 😉 Yes, that means not all Android devices are supported by A4W. Here is the list of A4W-supported devices from Google.

Latest Post How to Configure Intune Enrollment Setup for Android Enterprise Device management

Video

A more detailed explanation is in the above video, or you can click here.

Beginners Guide Intune Android for Work Google Play for Work Setup

In this post, I will try to cover the prerequisites of Android for Work, the Intune portal admin configurations, adding Google Play apps to Google for Work, Android for Work device enrollment, work profile creation, and removal of the Android for Work profile.

First of all, you need to create a baseline of the Android devices you want to support in your environment. Following are some of the points we need to take care of as part of the Android for Work implementation:-


Preparation Work – Android for Work Admin configurations:

  • Only devices with Android 5.0 Lollipop and later have work profile and Android for Work support, as per Google. This has nothing to do with Microsoft or Intune.
  • Some of the Android for Work settings are available only for Android 6.0 and later.
  • It’s important to understand that Android for Work does NOT support all Android devices in the market; the list of supported devices is here.
  • Bind your Intune and Google for Work accounts from the Silverlight Intune portal, because the Azure Intune blade does not support this feature yet.
  • Create a Google account or use an existing account to sign up for Android for Work with the EMM provider. More details here.
  • Add applications from Google Play to the Google for Work store and then sync these apps to Intune. You can click the Sync button in the Intune console to initiate a new sync between Intune and the Google store for work.
  • Sync the apps from the Intune console – Admin > Mobile Device Management > Android for Work. After the sync, the apps will be visible under Intune console – Apps – Volume Purchased apps.
  • I recommend using the following option after pilot testing in your production environment: enable the option “Manage supported devices as Android for Work – (Enabled) All devices that support Android for Work are enrolled as Android for Work devices. Any Android device that does not support Android for Work is enrolled as a conventional Android device”.
  • The only caveat is that we don’t have an option to restrict devices that are NOT supported by Android for Work from enrolling into Intune.

Notes from the Field – Android for Work security policies:-

  • In this initial release, Intune’s out-of-the-box security and work profile policies are very limited for A4W. I suppose you have to use a combination of A4W and Android policies together to support Android devices in your organization.
  • OMA-URI custom policies are supported with A4W. However, only a few options are supported by custom policies in Intune. I know of only 2 policies supported by this feature, and those are Wi-Fi and VPN profiles. More details here.
  • To upload LOB apps to the Google Store for Work, we need access to the developer console ($25) – https://play.google.com/apps/publish/signup/

End-User Experience – Android for Work:-

  • Enrollment of Android for Work devices is as straightforward as normal Android device enrollment for the first part. The second part is logging into the Intune Company Portal from the Android for Work context and continuing the enrollment process.
  • The work profile on Android devices is created via Intune Company Portal enrollment. This happens only for Android for Work supported devices. If you have a device that Google does not support for Android for Work, the enrollment won’t create a work profile; it will be a normal enrollment.

  • How to enroll devices to Android for Work
  • How to sync the Google Play for Work app store with Intune
  • How to create a work profile for Android devices
  • How to complete the configuration tasks to support Android for Work with Intune

Intune RBAC Roles Permissions in the Intune Admin Center Portal

Intune RBAC roles and permissions in the Intune Admin Center portal are explained in this post. We will discuss the access rights of the built-in Intune RBAC role called Configuration Policy Manager.

Ideally, this role should have access to manage and deploy configuration settings and profiles depending on the scope. Before going into details, let me explain what the scope is.

Intune RBAC (Role-Based Access Control) is the workflow that helps organizations segregate the roles and responsibilities of different support teams by giving them limited access to specific resources. The scope is “the users or devices that a specified person (the member) can manage.” If you are an SCCM admin, the SCOPE option is already there in the SCCM 2012 and CB console.

RBAC gives granular control to delegate permissions to Level 1, 2, and 3 Intune teams from different operating groups (entities/opcos), limits the assigned permissions of Intune admins to specific user or device groups, and controls the view permissions on Intune objects.

Intune RBAC Strategic options – Video

In this video, we will explain Intune RBAC Strategic Options | Role-Based Access Controls | Scope Groups | Intune Objects | Roles.

What is Intune RBAC?

RBAC helps Intune admins control who can perform various Intune tasks within your enterprise. There are nine (9) built-in Intune roles (RBAC roles). The updated list of Intune RBAC built-in roles is in Table 1 below.

In this post, I will try to explain the access rights of Intune’s default role called Configuration Policy Manager. I have created a user named Kaith in Azure Active Directory. This user is assigned the Configuration Policy Manager role, and the scope is set to the group “All Bangalore Users”.

The Intune Configuration Policy Manager can Assign, Create, Delete, Read, and Update profiles. However, we will take a deeper dive to understand the access rights of this role in more detail.

Configuration Policy Manager – Permissions:-

  • Assign device settings to AAD security groups
  • Create device settings
  • Delete device settings
  • Read device settings
  • Update device settings

Read More -> Intune Read-Only Experience Learn To Create Read-Only Operators Roles

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 1

Intune RBAC – Tiered Hierarchy

Azure AD is the primary identity repository for Intune! The Intune full admin permissions come from Azure AD:

  • Global Admin Role (Tier 1)
  • Intune Service Admin Role (Tier 2)
  • Intune RBAC Permissions – Intune Portal
  • Tier 3 Roles – App Admin, Helpdesk Admin, etc…

Updated Built-In Intune RBAC Roles

Let’s check the built-in Intune RBAC roles (Endpoint Manager roles) available in the MEM admin center portal.

Role | Type
Application Manager | Built-in Role
Endpoint Security Manager | Built-in Role
Read-Only Operator | Built-in Role
School Administrator | Built-in Role
Policy and Profile Manager | Built-in Role
Help Desk Operator | Built-in Role
Intune Role Administrator | Built-in Role
Cloud PC Administrator | Built-in Role
Cloud PC Reader | Built-in Role
Table 1 – Intune RBAC Roles Permissions in the Intune Admin Center Portal

Endpoint Manager Roles

Let’s understand what are the different types of roles available within Intune RBAC workflow. There are built-in roles and custom roles. I have given examples of custom roles in the previous posts.

Read More -> Create Custom Intune Helpdesk Operator Role

Intune RBAC Policy and Profile Manager

From the Endpoint Manager Roles blade you can assign administrators to roles and create and configure custom roles. The findings below are for the Policy and Profile Manager role (Intune policy manager = Kaith):

  • Allowed to edit profiles even when the profile is deployed ONLY to out-of-scope users/groups. Intune Role-Based Access (RBA) rules don’t respect the scope when editing a profile. This should NOT be allowed: editing should be allowed only for profiles that are assigned ONLY to the Intune policy manager’s scope of users or devices. Intune RBAC roles are still in development.
  • Access is denied to remove and add assignments to a profile that is already deployed to users who are not in scope. Adding and removing assignments should be allowed if the admin is trying to deploy profiles to users in scope.
  • Access is denied to remove assignments to profiles that are targeted to the users or groups in scope. This should be allowed!
  • Allowed to delete all profiles, even those targeted to out-of-scope users. This should NOT be allowed! If the profile is assigned only to in-scope users, then deletion of the profile should be allowed.
  • Allowed to enable/disable the certificate authority connector for SCEP or PFX profile deployment. Intune RBAC roles are still in development.

To view the roles:

  • Login to MEM Admin Center (Intune).
  • Navigate to Tenant admin -> Roles -> Endpoint Manager Roles.
Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 2

Intune RBAC Access rights – Application Manager

Allowed to remove assignments of applications that are already targeted to users NOT in the scope of the Intune Application Manager. This should NOT be allowed. If the app is deployed/assigned to users who are in scope, then removal of the assignment should be allowed.

Allowed to add assignments to an application even if the users the Intune Application Manager is targeting are out of scope for him/her. This should NOT be allowed.

Adding an assignment to the application policy should be allowed only when the targeted users are within the scope of the Intune Application Manager.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 3

Intune RBAC – Endpoint Security Manager

Let’s discuss Intune RBAC – Endpoint Security Manager. From the Endpoint Manager Roles blade you can assign administrators to this role and create and configure custom roles.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 4

Intune Read-Only Operator

Name – Read-Only Operator. Description – Read-Only Operators view user, device, enrollment, configuration, and application information and cannot make changes to Intune.

More details -> Intune Read-Only Admin Experience After RBAC Solution

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 5

Intune School Administrator

Name – School Administrator. Description – School Administrators can manage apps and settings for their groups. They can take remote actions on devices, including remotely locking them, restarting them, and retiring them from management.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 6

Intune RBAC – Help Desk Operator

Name – Help Desk Operator. Description – Help Desk Operators perform remote tasks on users and devices and can assign applications or policies to users or devices.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 7

Intune Role Administrator

Name – Intune Role Administrator. Description – Intune Role Administrators manage custom Intune roles and add assignments for built-in Intune roles. It is the only Intune role that can assign permissions to Administrators.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 8

Cloud PC Administrator

Name – Cloud PC Administrator. Description – Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.

More Details on Cloud PC (Windows 365) Provisioning -> Windows 365 Cloud PC Deployment Provisioning Process Step By Step Guide

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 9

Intune RBAC – Cloud PC Reader

Name – Cloud PC Reader. Description – Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.

Intune RBAC Roles Permissions in the Intune Admin Center Portal Fig. 10

Video Tutorial – Intune RBAC Roles

A more detailed explanation is in the above YouTube video, or you can click here.

Overall Access Rights of Intune tiles

Allowed to perform some administrative activities in the Configure Devices and Set Device Compliance tiles. Allowed to view details about users and groups in the Manage Users tile.

  • Access is denied to perform any activities in the Manage Apps, Conditional Access, Device Enrollment, Devices and Groups, and Access Control tiles.
  • Allowed to view objects in the Manage Users tile – Users and Groups.
  • Access is denied to create/delete new/existing groups. It doesn’t matter whether the Intune policy manager is editing groups that are in SCOPE or not.
  • Access is denied to change device and user settings in the Manage Users tile.
  • Access is denied to the Intune Silverlight console.

Intune administrator Role permissions

Let’s check Intune administrator Role permissions from the following table.

Action | Description
microsoft.directory/bitlockerKeys/key/read | Read BitLocker metadata and key on devices
microsoft.directory/contacts/create | Create contacts
microsoft.directory/contacts/delete | Delete contacts
microsoft.directory/contacts/basic/update | Update basic properties on contacts
microsoft.directory/devices/create | Create devices (enroll in Azure AD)
microsoft.directory/devices/delete | Delete devices from Azure AD
microsoft.directory/devices/disable | Disable devices in Azure AD
microsoft.directory/devices/enable | Enable devices in Azure AD
microsoft.directory/devices/basic/update | Update basic properties on devices
microsoft.directory/devices/extensionAttributeSet1/update | Update the extensionAttribute1 to extensionAttribute5 properties on devices
microsoft.directory/devices/extensionAttributeSet2/update | Update the extensionAttribute6 to extensionAttribute10 properties on devices
microsoft.directory/devices/extensionAttributeSet3/update | Update the extensionAttribute11 to extensionAttribute15 properties on devices
microsoft.directory/devices/registeredOwners/update | Update registered owners of devices
microsoft.directory/devices/registeredUsers/update | Update registered users of devices
microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies
microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies
microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups
microsoft.directory/groups.security/create | Create Security groups, excluding role-assignable groups
microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups
microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups
microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups
microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups
microsoft.directory/users/basic/update | Update basic properties on users
microsoft.directory/users/manager/update | Update manager for users
microsoft.directory/users/photo/update | Update photo of users
microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets
microsoft.cloudPC/allEntities/allProperties/allTasks | Manage all aspects of Windows 365
microsoft.intune/allEntities/allTasks | Manage all aspects of Microsoft Intune
microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests
microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center
Table 2 – Intune RBAC Roles Permissions in the Intune Admin Center Portal
  • Read, Delete, Wipe, Assign, Create, and Update are the Intune permissions that can be assigned for each Intune object.

  • Admin Groups – the users in the admin groups are the administrators assigned to this role.
  • Scope Groups – administrators in this role assignment can target policies, applications, and remote tasks only to these Azure AD device/user groups.
  • Scope tags – control who can view this RBAC role.
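The role, admin group and scope group triad above is what the scope findings in this post and in the Application Manager post are about. The following PowerShell script is an added example, not from the original post or from Microsoft's samples repository: it lists every Intune role assignment with its admin groups, scope groups and allowed resource actions through Microsoft Graph v1.0, so the scoping of each role can be reviewed from one listing instead of clicking through blades. It assumes the Microsoft.Graph.Authentication module and a signed-in account that can read Intune RBAC objects; the function and variable names are my own.

```powershell
# Added example, not from the original post: list every Intune RBAC role assignment with its
# role, allowed resource actions, admin (member) groups and scope groups, so the pairing the
# post describes (e.g. Kaith -> Configuration Policy Manager, scope "All Bangalore Users")
# can be reviewed from one listing. Assumes the Microsoft.Graph.Authentication module is
# installed and the signed-in account may read Intune RBAC objects.

# DeviceManagementRBAC.Read.All is the least-privilege delegated scope for role definitions and
# assignments; Group.Read.All is only needed to turn group ids into display names.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All' -NoWelcome

$graph = 'https://graph.microsoft.com/v1.0'

# Admin and scope groups are stored as Azure AD group ids; resolve and cache their names.
$groupNames = @{}
function Resolve-GroupName {
    param([Parameter(Mandatory)][string]$Id)
    if (-not $groupNames.ContainsKey($Id)) {
        try {
            $g = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/${Id}?`$select=displayName" -OutputType PSObject
            $groupNames[$Id] = $g.displayName
        } catch {
            $groupNames[$Id] = "<unresolved $Id>"
        }
    }
    return $groupNames[$Id]
}

function Get-IntuneRoleAssignmentReport {
    $report = @()
    # Role definitions and their assignments are small collections (built-in roles plus a few
    # custom ones), so a single page is assumed here; larger reads should follow @odata.nextLink.
    $roles = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions" -OutputType PSObject).value
    foreach ($role in $roles) {
        # rolePermissions -> resourceActions -> allowedResourceActions holds strings such as
        # Microsoft.Intune_DeviceConfigurations_Assign: one Assign/Create/Delete/Read/Update/Wipe
        # action per Intune object, the same permission set the post's tables describe.
        $allowed = @(@($role.rolePermissions | ForEach-Object { $_.resourceActions } |
                       ForEach-Object { $_.allowedResourceActions }) | Sort-Object -Unique)

        $uri = "$graph/deviceManagement/roleDefinitions/$($role.id)/roleAssignments"
        foreach ($ra in (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value) {
            $report += [pscustomobject]@{
                Role        = $role.displayName
                BuiltIn     = $role.isBuiltIn
                Assignment  = $ra.displayName
                AdminGroups = @($ra.members | Where-Object { $_ } | ForEach-Object { Resolve-GroupName $_ }) -join '; '
                # resourceScopes are the scope groups; an empty list means the assignment is not
                # limited to specific groups (assumed: all users/devices) and deserves a closer look.
                ScopeGroups = @($ra.resourceScopes | Where-Object { $_ } | ForEach-Object { Resolve-GroupName $_ }) -join '; '
                ActionCount = $allowed.Count
                Actions     = $allowed -join ', '
            }
        }
    }
    return $report
}

$rows = Get-IntuneRoleAssignmentReport
$rows | Format-Table Role, Assignment, AdminGroups, ScopeGroups, ActionCount -AutoSize

# Flag the combination the post argues is risky: write-capable actions with no group scope.
$rows | Where-Object { -not $_.ScopeGroups -and $_.Actions -match '_(Assign|Create|Delete|Update|Wipe)\b' } |
    Format-List Role, Assignment, AdminGroups, Actions
```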

41 Intune Objects List

Let’s check the list of 41 Intune objects from the Intune RBAC perspective.

Android FOTA
Android for work
Audit data
Certificate Connector
Chrome Enterprise (preview)
Cloud attached devices
Corporate device identifiers
Customization
Derived Credentials
Device compliance policies
Device configurations
Device enrollment managers
Endpoint Analytics
Endpoint protection reports
Enrollment programs
Filters
Intune data warehouse
Managed Device Cleanup Settings
Managed Google Play
Managed apps
Managed devices
Microsoft Defender ATP
Microsoft Store For Business
Microsoft Tunnel Gateway
Mobile Threat Defense
Mobile apps
Multi Admin Approval
Organization
Organizational Messages
Partner Device Management
Policy Sets
Quiet Time policies
Remote Help app
Remote assistance connectors
Remote tasks
Roles
Security baselines
Security tasks
Telecom expenses
Terms and conditions
Windows Enterprise Certificate

Fetch Intune Azure AD Details from Graph API Intune PowerShell Scripts

Now, Microsoft Graph API is the buzzword. How do you use Microsoft Graph API to fetch details from Azure Active Directory (Azure AD/AAD) and Microsoft Intune? And where is a list of Intune PowerShell script samples? I’m not going to provide any Graph API scripts to fetch details in this post.

APIs have always been an alien term for me. REST API was everywhere, and now it’s Graph API. Have you ever tried the Facebook Graph API? The entire industry is taking the path of Graph API!

A more detailed and latest explanation -> Intune Graph Query Samples Starters Guide

NOTE! – Intune PowerShell Script Samples with Microsoft Graph – https://github.com/microsoftgraph/powershell-intune-samples

In this post, I would like to help by providing basic details of the Microsoft Graph API. How to start using Graph API graphically (Not programmatically) and how Graph API would be helpful for IT Pros in their day-to-day life. Microsoft Intune admins can analyze the details of a device or user from Graph API.

We can get only limited details of objects from the Azure AD portal; however, loads of details can be fetched from Graph API via a web browser. You can perform GET and the other supported operations from the following URL. Remember to sign in to the tenant.

Latest video on Intune Graph

Launch Microsoft Graph – URL -> https://graph.microsoft.io/en-us/graph-explorer

Current Graph Explorer URL -> https://developer.microsoft.com/en-us/graph/graph-explorer

Intune PowerShell Scripts sample

When you sign in for the first time, you need to agree to provide the following permissions to Graph Explorer. Click on the Agree button to proceed further.

Intune PowerShell Scripts sample

There are two versions of Graph Explorer available at the moment: Version 1.0 and Beta. I was having a hard time connecting to Graph API. It was ok when I wanted to retrieve my user information. But when I tried to fetch the details for the entire tenant, I was asked to agree to or accept new Admin consent, as you can see in the following paragraph.

This query requires additional permissions. If you are an administrator, you can click here to grant them on behalf of your entire organization. Or, you can try the same request against your own tenant by creating a free Office 365 developer account.

When I tried to click on the “HERE” button to accept the consent, it was giving me an odd error as follows:- “AADSTS90002: No service namespace named ‘organizations’ was found in the data store.” Ryan and Panu helped me to get rid of this error mentioned above. To accept this admin consent, you don’t have to create any manual applications or run any PowerShell scripts! It’s set out of the box now in your Enterprise Applications blade in the Azure console.

Intune PowerShell Scripts sample

Following are some samples of Graph API GET queries to retrieve details from Intune and Azure Active Directory (AAD). Three other types of action are possible with Graph API: POST, PATCH, and DELETE.

https://graph.microsoft.com/beta/users/[email protected]/ownedDevices
https://graph.microsoft.com/beta/deviceAppManagement/mobileApps
https://graph.microsoft.com/beta/users/
https://graph.microsoft.com/beta/applications

Following are some extracts of the device management mobile app query.

WhatsApp is one of the applications returned by “https://graph.microsoft.com/beta/deviceAppManagement/mobileApps”. Similarly, we can retrieve the owned devices of a user and the status of a device through Graph API GET commands. Some of these details are available ONLY through Graph API. This will be a great help for Intune admins when troubleshooting issues.

Intune PowerShell Scripts sample

cache-control: private
content-type: application/json;odata.metadata=minimal;odata.streaming=true;
request-id: 604557b1-409b-4749-8w32d-d754844b2181
client-request-id: 6se357b1-409b-4349-864d-d754844b2181
Status Code: 200
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceAppManagement/mobileApps",
  "value": [
    {
      "@odata.type": "#microsoft.graph.iosStoreApp",
      "id": "ab8a5364-887d-44e7-a6cd-9684d2f279c3",
      "displayName": "WhatsApp Messenger",
      "description": "WhatsApp Messenger is a FREE messaging app available for iPhone and other smartphones. WhatsApp uses your phone's Internet connection (4G/3G/2G/EDGE or Wi-Fi, as available) to let you message and call friends and family. Switch from SMS to WhatsApp to send and receive messages, calls, photos, videos, and Voice Messages. \n\nWHY USE WHATSAPP:  \n\n• NO FEES: WhatsApp uses your phone's
      "publisher": "WhatsApp Inc.",
      "largeIcon": null,
      "createdDateTime": "2017-01-22T06:40:24.696692Z",
      "lastModifiedDateTime": "2017-01-22T06:40:24.696692Z",
      "isFeatured": false,
      "privacyInformationUrl": null,
      "informationUrl": null,
      "owner": "",
      "developer": "",
      "notes": "",
      "uploadState": 1,
      "installSummary": null,
      "bundleId": "net.whatsapp.WhatsApp",
      "appStoreUrl": "https://itunes.apple.com/us/app/whatsapp-messenger/id310633997?mt=8&uo=4",
      "applicableDeviceType": {
        "iPad": false,
        "iPhoneAndIPod": true
      },
      "minimumSupportedOperatingSystem": {
        "v8_0": true,
        "v9_0": false,
        "v10_0": false
      }
    },
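Graph Explorer shows one page of a collection at a time; a script has to follow @odata.nextLink to see everything. The following is an added example (not code from this post or from Microsoft) that pages through a mobileApps collection and summarises it. An in-memory fetcher stands in for the HTTPS GET so it runs offline; the second page, the $skiptoken value, the non-WhatsApp app entries and the token string are constructed, while the field names follow the beta response shape shown above.

```python
"""Page through a Microsoft Graph collection and summarise Intune mobile apps.

Added example, not code from the original post. An in-memory fetcher stands in
for the HTTPS GET so the script runs offline; replace it with a real HTTP call
and a bearer token from your own sign-in to query a tenant.
"""
import json
from typing import Callable, Dict, List

BETA = "https://graph.microsoft.com/beta"
APPS_URL = f"{BETA}/deviceAppManagement/mobileApps"

# Constructed sample data: two response pages trimmed to the fields used here.
# Only the WhatsApp entry mirrors the real response in the post; the other ids,
# names and the $skiptoken value are made up.
PAGE_1 = {
    "@odata.context": f"{BETA}/$metadata#deviceAppManagement/mobileApps",
    "@odata.nextLink": f"{APPS_URL}?$skiptoken=page2",
    "value": [
        {"@odata.type": "#microsoft.graph.iosStoreApp",
         "id": "ab8a5364-887d-44e7-a6cd-9684d2f279c3",
         "displayName": "WhatsApp Messenger", "publisher": "WhatsApp Inc.",
         "minimumSupportedOperatingSystem": {"v8_0": True, "v9_0": False, "v10_0": False}},
        {"@odata.type": "#microsoft.graph.androidStoreApp",
         "id": "00000000-0000-0000-0000-000000000001",
         "displayName": "Example Android App", "publisher": "Example Publisher",
         "minimumSupportedOperatingSystem": {"v4_0": False, "v5_0": True}},
    ],
}
PAGE_2 = {
    "@odata.context": f"{BETA}/$metadata#deviceAppManagement/mobileApps",
    "value": [
        {"@odata.type": "#microsoft.graph.win32LobApp",
         "id": "00000000-0000-0000-0000-000000000002",
         "displayName": "Example Win32 App", "publisher": "Example Publisher",
         "minimumSupportedOperatingSystem": {"v10_1607": True}},
    ],
}
_FAKE_SERVER = {APPS_URL: json.dumps(PAGE_1),
                f"{APPS_URL}?$skiptoken=page2": json.dumps(PAGE_2)}


def build_headers(token: str) -> Dict[str, str]:
    """Headers every Graph request needs: a bearer token and a JSON Accept."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def offline_fetch(url: str, headers: Dict[str, str]) -> str:
    """Stand-in for an HTTPS GET; rejects requests without a bearer token."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("401: missing bearer token")
    return _FAKE_SERVER[url]


def list_all(url: str, fetch: Callable[[str, Dict[str, str]], str], token: str) -> List[dict]:
    """Collect every item in a Graph collection, following @odata.nextLink
    until the server stops returning one (a single GET shows only one page)."""
    items: List[dict] = []
    headers = build_headers(token)
    while url:
        page = json.loads(fetch(url, headers))
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def min_os(app: dict) -> str:
    """Turn the {"v8_0": true, ...} flag map into a readable version string."""
    flags = app.get("minimumSupportedOperatingSystem") or {}
    enabled = [k for k, v in flags.items() if v]
    return enabled[0].lstrip("v").replace("_", ".") if enabled else "unknown"


def summarise(apps: List[dict]) -> List[dict]:
    """One compact record per app: app type, name, publisher, minimum OS."""
    return [{"type": a["@odata.type"].rsplit(".", 1)[-1],
             "name": a["displayName"],
             "publisher": a.get("publisher", ""),
             "minOS": min_os(a)} for a in apps]


def count_by_type(apps: List[dict]) -> Dict[str, int]:
    """How many apps of each @odata.type the tenant has."""
    counts: Dict[str, int] = {}
    for a in apps:
        t = a["@odata.type"].rsplit(".", 1)[-1]
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    all_apps = list_all(APPS_URL, offline_fetch, "constructed-token")
    for row in summarise(all_apps):
        print(row)
    print(count_by_type(all_apps))
```

The same `list_all` loop works for the other collections listed above (ownedDevices, users, applications); only the starting URL and the fields you summarise change.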

Reference Links Intune PowerShell Scripts sample

  • Intune Graph API Reference – here
  • Azure AD Graph API reference – here
  • Quickstart for the Azure AD Graph API – here

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities? The MEM portal is a one-stop-shop for all the services in the Microsoft cloud. When a user logs in to the MEM portal for the first time, he/she can see all these services, which are already selected as favorite services by default.

The selection of favorite services in the MEM portal for individual users is not based on the user’s profile or access rights. This is not really good for new users in the Intune portal. They will struggle to find their role-related services.

Video

A more detailed explanation is in the above video or you can click here

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities

For example, you are an Intune admin and you only have access to Intune and Azure AD users and groups. But if you log into the MEM portal, you will see loads of services that make no sense to you at all. You will also find it really messy, and I’m sure you will get lost in the portal until you find the search button or the Intune services.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

Don’t worry, there is a very friendly search option available in the Azure portal. If you are an Intune admin, you can just click on More services and type “Intune” in the search menu. You can see 2 Intune services: one is for Intune (MDM) and the second one is for Intune App Protection (MAM without enrollment).

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

To keep your Azure portal well organized, you need to spend only 2-3 minutes when you log in to the portal for the first time. What do we need to do to get a neatly organized Azure portal? Log in to the Azure portal, click on the More services button, then remove the services which are not relevant to you.

For example, Intune admins don’t have anything to do with “Virtual Machines”, hence you can remove the Virtual Machines service from your favorite menu. This will get rid of the Virtual Machines shortcut from the left side menu of the MEM portal.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

END Result:- Clean and Tidy Azure portal for Intune Admins. Remove all the services from the Azure portal except Azure Active Directory, Users and Groups, Intune, and Intune protection services.

How to Organize Endpoint Manager Portal Neat Clean for Intune Activities | Microsoft Intune

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous post here, you might have seen the basic process to create Azure AD dynamic user and device groups along with the explanations about the syntax of the queries/rules.

I have a feeling that we will also get some performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries and SCCM admins are very familiar with this kind of performance issue.

In this post, we will see how we can create dynamic device groups for Windows devices with the “Device Ownership” attribute in Azure AD. This attribute is populated only when the devices are enrolled through MDM, and if I understand correctly, the “Device Ownership” attribute is populated by Intune in this case.

So if this attribute is not getting populated, then you need to check whether the device is correctly enrolled in Intune. Some of these attributes are available only when the Intune portal is migrated to Azure. If you are still using the Intune Silverlight portal, you may need to wait for your Intune migration to complete.

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Following are the advanced membership rules which you can use to create Azure AD dynamic device groups that segregate BYOD and CYOD devices!

All Windows CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "company") -and (device.deviceOSType -contains "Windows")

All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")

All BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal")

All CYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Company")

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Auditing of Azure Active Directory dynamic groups is very important from the ops team’s perspective. These auditing options are available in the new Azure portal, and they are very useful to track the changes of a particular Azure AD dynamic group. As you can see in the table below, ACTOR is the one who performed the activity on that group. For example, when I created this group, “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.

Date                 | Actor                         | Activity            | Target(s)
3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PM | Microsoft Approval Management | Add member to group | Device : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM | [email protected]             | Add owner to group  | User : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PM | [email protected]             | Add group           | Group : All Windows CYOD Devices

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

So, it’s recommended to look at the best practices when we create dynamic device or user groups in Azure Active Directory. You may not see performance issues with AAD dynamic groups at the time of testing or POC, but when you migrate all the users into Azure AD, this could surely have an impact.

Personally, I always try to use -eq rather than using -contains in the AAD dynamic rules, but it’s not always possible to use -eq!
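To make the difference between -contains and -eq concrete, here is an added example (not code from this post or from Microsoft) that parses the rule subset used above and applies it to a constructed device inventory. It treats string comparisons as case-insensitive, -contains as a substring match, a missing property as an empty string, and combines -and / -or left to right (parenthesise to be explicit); those are the evaluator's own simplifications, not a statement of Azure AD's exact precedence rules. The two DESKTOP names come from the audit log above; the other device records and the "Windows Phone" OS type string are made up.

```python
"""Evaluate Azure AD dynamic-group membership rules against device records (added example)."""
import re
from typing import Dict, List, Tuple

# Token shapes: ( ) "string" -operator identifier.with.dots
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(-[A-Za-z]+)|([A-Za-z_][\w.]*))')


def tokenize(rule: str) -> List[Tuple[str, str]]:
    """Split a rule into (kind, text) tokens; curly quotes from copy-paste are normalised."""
    rule = rule.replace("\u201c", '"').replace("\u201d", '"').strip()
    tokens, pos = [], 0
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected text at {pos}: {rule[pos:pos + 12]!r}")
        pos = m.end()
        lp, rp, text, op, ident = m.groups()
        if lp or rp:
            tokens.append(("LP", "(") if lp else ("RP", ")"))
        elif text is not None:
            tokens.append(("STR", text))
        else:
            tokens.append(("OP", op.lower()) if op else ("ID", ident))
    return tokens


class _Parser:
    """expr := term ((-and | -or) term)* ; term := '(' expr ')' | ID OP STR.
    -and and -or are combined left to right here; parenthesise to be explicit."""

    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.i = tokens, 0

    def peek(self) -> Tuple[str, str]:
        return self.tokens[self.i] if self.i < len(self.tokens) else ("END", "")

    def take(self, kind: str) -> str:
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok[1]

    def expr(self):
        node = self.term()
        while self.peek() in (("OP", "-and"), ("OP", "-or")):
            node = (self.take("OP"), node, self.term())
        return node

    def term(self):
        if self.peek()[0] == "LP":
            self.take("LP")
            node = self.expr()
            self.take("RP")
            return node
        prop = self.take("ID")
        op = self.take("OP")
        return (op, prop, self.take("STR"))


def parse(rule: str):
    p = _Parser(tokenize(rule))
    node = p.expr()
    if p.peek()[0] != "END":
        raise ValueError(f"trailing tokens: {p.tokens[p.i:]}")
    return node


def evaluate(node, device: Dict[str, str]) -> bool:
    """Strings compare case-insensitively, -contains is a substring test and a
    missing property behaves like "" (this evaluator's simplifications)."""
    op = node[0]
    if op in ("-and", "-or"):
        left, right = evaluate(node[1], device), evaluate(node[2], device)
        return (left and right) if op == "-and" else (left or right)
    prop, wanted = node[1], node[2].lower()
    if not prop.startswith("device."):
        raise ValueError(f"only device.* properties are supported: {prop}")
    actual = (device.get(prop[len("device."):]) or "").lower()
    results = {"-eq": actual == wanted, "-ne": actual != wanted,
               "-contains": wanted in actual, "-notcontains": wanted not in actual,
               "-startswith": actual.startswith(wanted)}
    if op not in results:
        raise ValueError(f"unsupported operator {op}")
    return results[op]


def members(rule: str, devices: List[Dict[str, str]]) -> List[str]:
    """Display names of the devices the rule would place in the group."""
    tree = parse(rule)
    return [d["displayName"] for d in devices if evaluate(tree, d)]


# Constructed inventory: the "Windows Phone" OS type string is made up to show
# what a substring match on "Windows" picks up that an exact -eq match does not.
DEVICES = [
    {"displayName": "DESKTOP-FOSD7L3", "deviceOSType": "Windows", "deviceOwnership": "Company"},
    {"displayName": "DESKTOP-IIRCSUV", "deviceOSType": "Windows", "deviceOwnership": "Company"},
    {"displayName": "LAPTOP-BYOD-01", "deviceOSType": "Windows", "deviceOwnership": "Personal"},
    {"displayName": "PHONE-CORP-01", "deviceOSType": "Windows Phone", "deviceOwnership": "Company"},
    {"displayName": "ANDROID-BYOD-01", "deviceOSType": "Android", "deviceOwnership": "Personal"},
]
CYOD_WINDOWS_CONTAINS = '(device.deviceOwnership -contains "company") -and (device.deviceOSType -contains "Windows")'
CYOD_WINDOWS_EQ = '(device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "Windows")'
BYOD_WINDOWS = '(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains "Windows")'
ALL_BYOD = '(device.deviceOwnership -contains "Personal")'
```

Running `members(CYOD_WINDOWS_CONTAINS, DEVICES)` picks up the constructed "Windows Phone" device as well as the two desktops, while `members(CYOD_WINDOWS_EQ, DEVICES)` returns only the desktops: an exact match is both tighter and cheaper than a substring scan, which is the point made above about preferring -eq where you can.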


Reference:-

  Using attributes to create advanced rules for group membership in Azure AD – here

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment

Microsoft Intune can be configured to automatically enroll CYO or BYO devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.

There is an option in the old classic Azure portal to set up Automatic Intune MDM enrollment for Windows 10 devices. A similar option is available in the new Azure portal with new names and a new look. More details about Windows 10 Intune Auto Enrollment Process are explained in this post.

The Intune Admin Portal is one of the first things you have to learn. From this post, you will understand what is where in the Intune admin portal. The official name of the Intune admin portal is the Microsoft Intune Admin Center.

Introduction

The Intune Auto Enrollment option will help you to perform two (2) things, as explained below in the video. It’s an old video now; the path to configure auto-enrollment has changed a bit, and I have explained it in the new Intune portal walkthrough video below.

  • First, whenever a Windows 10 device is joined to Azure AD, then the device will automatically get enrolled into Intune for MDM Management.
  • Second, the allowed users in the MDM user scope group can enroll devices into Intune.
Intune Portal Walkthrough | MEM Admin Center | Training

More Details about Intune Auto-enrollment using Group Policy are explained in the following document here. And the Quick Start Guide for Windows auto-enrollment document here.

NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.

Windows 10 Intune Auto Enrollment Process

Following is the place where you can set the MDM enrollment configuration in the new Azure portal. When your MDM User scope is set to None, then none of the enrolled devices get the proper policies, and those devices won’t work as expected.

  • In the Microsoft Intune admin center, choose Devices -> Device Onboarding -> Enrollment -> Windows.
  • Click on the Automatic Enrollment button.
How to Configure Automatic Intune MDM Enrollment Fig.2

Select the MDM user scope as All or a custom Azure AD group as per your requirement. If it is set to None, users won’t be able to enroll devices into Intune management.

The simplest option is to specify “all users” in the MDM user scope so that all the users in your organization can enroll their devices into Intune. Windows 10 devices will be automatically enrolled to Intune when the users perform Azure AD Join.

This option can be scoped to user groups. When you want to give a specific group of users the ability to enroll their devices into MDM/Intune, this is the place to configure that user group. Click on the SOME option in the MDM user scope and select the user group you want to provide access to.

From the same place, you can take a granular or phase-wise approach to move users to the new MDM management. There are 3 URL options in this blade; you can configure these URLs as per your MDM vendor.

Video Windows 10 Intune Auto Enrollment Process

This is an old video recorded using the Azure portal UI. The concept is the same, but the options are different in the new portal UI.

Windows 10 Airwatch Mobileiron Auto Enrollment Process?

In case your devices are managed by AirWatch or MobileIron, you can specify those vendors’ URLs here. For Intune MDM, all the URLs are automatically configured in the new Azure portal. There are 3 different URLs in this blade.

1. MDM Terms of use URL – The URL of the terms of use endpoint of the MDM service

https://portal.manage.microsoft.com/TermsofUse.aspx

2. MDM Discovery URL – This is the URL of the enrollment endpoint of the MDM service. The enrollment endpoint is used to enroll devices for management with the MDM service. The URL given below is the Intune enrollment endpoint URL.

https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

3. MDM Compliance URL – This is the URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliant device, the user can navigate to this URL, hosted by the Intune service, to understand why their device is considered noncompliant. Users can also initiate self-service remediation so their devices become compliant and they can continue to access resources.

https://portal.manage.microsoft.com/?portalAction

Windows 10 Intune Auto Enrollment

So where is the option in the new Azure portal to configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for the rest of the devices (Android, iOS, and macOS)? Following is the place where you can configure the Intune MDM enrollment option – Microsoft Azure – Mobility (MDM and MAM).

Windows 10 Intune Auto Enrollment Process Screen capture.

Reference Link:- Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered by the cloud! – here

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager? Have you already seen the new Intune options in the MEM portal? If not, I would recommend watching the following video post to get an overview of the new Intune portal here.

We can have more granular restrictions for MDM enrollments in the new Intune portal. We don’t need any tweaking of on-prem services like ADFS or any federated access management system.

Now, we have the option to block personal iOS devices from Intune enrollment. The Enroll Devices node is the place in the Intune Azure portal where you can set up this policy. “Enrolment restrictions” is where you can find the details of the granular enrollment restriction policies.

Enrollment restriction policies help us restrict/block a set of devices from enrolling into Intune.

How to Restrict Personal iOS Devices

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

Within enrolment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions. Device Limit restrictions are already available in the Intune Silverlight portal. Device Type Restriction is new in the Intune Azure portal, and it gives us the option to restrict or block specific platform devices from enrolling.

If you want to restrict Android devices from enrolling into your Intune MDM enrollment, you can disable/block Android devices enrollment from the new portal. However, I’m not sure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune. I hope there could be some limitations from the Android platform side to restrict the Android devices which are not enabled for Android Work type of management.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

The device type restriction policy is very helpful in a scenario where you want to restrict Windows Mobile/Phone devices from enrolling into Intune. At the same time, you can allow Windows devices (desktops, laptops, Surfaces, etc.) to enroll into Intune.

The most interesting feature, which is very helpful for any organization, is restricting personal iOS devices from enrolling into Intune. Yes, corp/company-owned iOS devices can be enrolled using the Apple DEP program. In this scenario, you need to create an enrollment restriction policy with the iOS platform enabled for enrollment via Device Type Restrictions — Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and then BLOCK personally owned iOS devices.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

For example, when you try to enroll a device into Intune, the enrollment restriction policies are checked against that device platform and user. Intune checks the device properties and the user restriction limits configured in the enrollment restriction policies and confirms that the device platform and user are allowed to enroll. After this positive verification, Intune allows the user to enroll the device.
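The check just described, modelled as an added example (not Intune’s own code): a platform allow/block list, a per-platform “block personally owned” switch, and a per-user device limit are evaluated in that order for an enrollment attempt, and the decision carries a reason an admin could surface in troubleshooting. The policy values, device records and user names are constructed for illustration; a device is treated as corporate when it was pre-registered (corporate identifier or Apple DEP), which is the assumption the `corporate` flag encodes.

```python
"""Model Intune enrollment restriction checks (added example, not Intune's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PlatformRule:
    allowed: bool = True          # platform enabled under Device Type Restrictions > Platforms
    block_personal: bool = False  # "Personally owned" blocked under Platform Configurations


@dataclass
class EnrollmentRestrictions:
    platforms: Dict[str, PlatformRule] = field(default_factory=dict)
    device_limit: int = 5         # Device Limit restriction: devices per user


@dataclass
class Device:
    platform: str                 # "iOS", "Android", "Windows" (constructed labels)
    owner_upn: str
    corporate: bool               # True when pre-registered (corporate identifier / Apple DEP)


def check_enrollment(restr: EnrollmentRestrictions, device: Device,
                     enrolled: List[Device]) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run in the order the post describes:
    platform first, then ownership for that platform, then the user's device limit."""
    rule = restr.platforms.get(device.platform)
    if rule is None or not rule.allowed:
        return False, f"platform {device.platform} is blocked from enrolling"
    if rule.block_personal and not device.corporate:
        return False, f"personally owned {device.platform} devices are blocked"
    user_count = sum(1 for d in enrolled if d.owner_upn.lower() == device.owner_upn.lower())
    if user_count >= restr.device_limit:
        return False, (f"{device.owner_upn} already has {user_count} enrolled devices "
                       f"(limit {restr.device_limit})")
    return True, "allowed"


# Constructed policy: iOS only for corporate (DEP) devices, Android blocked,
# Windows open to everyone, and at most 2 devices per user.
POLICY = EnrollmentRestrictions(
    platforms={"iOS": PlatformRule(allowed=True, block_personal=True),
               "Android": PlatformRule(allowed=False),
               "Windows": PlatformRule(allowed=True)},
    device_limit=2,
)

# Constructed inventory of devices already enrolled in the tenant.
ENROLLED = [Device("Windows", "alice@example.com", True),
            Device("Windows", "alice@example.com", False)]


def evaluate_attempts(attempts: List[Device]) -> List[Tuple[str, bool, str]]:
    """Decide a batch of enrollment attempts against POLICY and ENROLLED."""
    return [(f"{d.platform}/{d.owner_upn}", *check_enrollment(POLICY, d, ENROLLED))
            for d in attempts]


if __name__ == "__main__":
    for label, ok, why in evaluate_attempts([
        Device("iOS", "bob@example.com", False),
        Device("iOS", "bob@example.com", True),
        Device("Android", "bob@example.com", True),
        Device("Windows", "alice@example.com", False),
    ]):
        print(f"{label}: {'ALLOW' if ok else 'BLOCK'} ({why})")
```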

Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Quick Overview Comparison between Intune Azure and Silverlight Portal

Quick Overview Comparison between Intune Azure and Silverlight Portal? I’m excited to share the comparison video and post of Intune Silverlight and the new Intune in MEM portal.

Loads of new features and loads of very good changes. All the new Azure tenants with a new Microsoft EMS subscription will be able to access a preview version of Intune in the MEM portal.

Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center HTMD Blog (anoopcnair.com)

The performance, look and feel of the Intune console are far better than the Intune Silverlight console. Intune in the MEM portal helps us eliminate the duplicated work we used to perform to create groups in both Azure AD and Intune.

In the new portal, we can directly deploy applications, policies, profiles, etc… to Azure Active Directory dynamic device groups and user groups. Enrolment restriction rules and RBA for Intune admins are the other most exciting features for me within the new portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Video Tutorial to know Intune Silverlight Portal Experience

Overview Comparison between Intune Azure and Silverlight Portal

The Manage Apps node is the place where you can create apps from the Android store, Apple App Store, and Windows Store. The most exciting feature in Manage Apps is that you can directly search the Apple App Store (yes, I think for the preview we only have the option to select the US store) and fetch the application from there.

Hence you don’t need to specify the properties of that app. Deployments in the new MEM portal are called ASSIGNMENTS. You can directly deploy applications to AAD groups. One thing missing in the preview version of Intune is an option to upload MSI applications.

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Configure Device node is the place in the new Azure console where you can create configuration policies for iOS, Android for Work, Android, and Windows devices. In the Intune Silverlight portal, configuration policies have built-in generic policies for Windows, iOS, Android, etc…; similarly, the new Intune portal in Azure has built-in profiles.

We have different profile types called Device Restriction policies, Wi-Fi profiles, VPN profiles, SCEP deployment profiles, email profiles, etc… Device restriction policies are nothing but the built-in configuration policies for specific device platforms.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Set device compliance is the node where you can create new, improved compliance policies for all the supported devices like iOS, Android, and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policies.

Also, depending upon the device platform, the separate compliance policies will get applied to different devices (even if a user is targeted to iOS, Android, and Windows compliance policies). Deployment of compliance policies is done via assignments in Intune portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Conditional Access node in the new Intune portal has very few options if you compare it with the Intune Silverlight conditional access options. All the device-based conditional access rules have moved out of Intune. Now those device-based conditional access rules are part of Azure Active Directory. Device-based conditional access policy has loads of granular options: more conditions, more control options, etc…

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Enroll Devices node is where you can define enrolment restriction rules. Enrolment restriction rules are the rules which help to restrict devices from enrolling into Intune. The enrolment restriction rule is evaluated before conditional access verification. Within enrolment restriction rules, we can have different types of restrictions like Device Type restrictions and Device Limit restrictions.

Device type restriction is the place where we can select device platforms and platform configurations. The Enroll Devices node is also the place where you can define/configure Windows Hello for Business, check the MDM management authority, Terms and conditions, Corporate device identifiers, and Apple MDM push certificates.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Access control is the place where we can define custom security permissions for administrator users. Role-based administration (RBA) is enabled in the new Intune portal, where you can create your own customized Intune admin roles.

Once you create a security role, you can create a new assignment for it and add a Members group and Scope groups. Following are the permission options available in the Intune preview portal – Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote tasks, Roles, Telecom Expenses, and Terms and conditions.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Learn How to Delete Devices from Azure Active Directory | Azure Portal? We need to have delete and disable options in Azure AD and Intune as part of effective device management.

A device can be retired and deleted from Intune console (Silverlight), and I’m sure the new MEM portal will surely have these options.

If you are an SCCM admin, you may recall that there is an option in the SCCM console to delete and disable a device. However, I have seen that when you retire and delete a device from the Intune console, that device will get removed from the Intune console but will still stay in Azure AD.

How to Delete Devices from Azure Active Directory

So it’s very critical and important to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial to help you with this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment“.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Back to the delete and disable device options in the new Azure AD portal. We will cover the disable/enable device option first and then discuss the delete option. Think about a hypothetical scenario: there is an emergency, and you want to disable the device in AAD to prevent further damage to your organization.

To disable a device, you need to go to the All users and groups blade in the MEM portal here. Select All Users and select the Devices option from that blade. This will give a list of devices, and from that list, you can select one device and click on the disable/enable option as per the requirement.

You can review the video attached to this post to get a real-time experience of this. There is no disable option in the Intune console, so the only way to disable a device is from the Azure AD portal.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Delete Devices from Azure Active Directory

Now, we can see the delete device option in the Azure portal. This is a critical option, which is very helpful in keeping your Azure AD environment clean. This will help device management admins to get better results from configuration/compliance policy and application deployments. To delete a device, you need to go to the All users and groups blade in the Azure portal here.

Select All Users and then select the Devices option from that blade. This gives a list of devices; from that list, select one device and click on Delete.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

We discussed creating Azure AD dynamic device and user groups in my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune”.

Another question I usually get is, “How do I remove or exclude a device from an Azure Active Directory dynamic device group?”

I expect this to be a common scenario when deploying security/configuration policies via Intune. It is a very valid scenario, and you can’t avoid it in the device management world. No explanation is needed if you are an experienced SCCM admin.

Exclude a Device from Azure AD Dynamic Device Group

It is not possible to remove a single device directly from an AAD dynamic device group. Yes, there is a Remove button, but when you select a device and click it, you get a confirmation popup with a YES button.

If you click on the YES button, it gives an error stating that you can’t remove the device from the Azure AD dynamic device group: “Failed to remove member LENexus 5 from group _Android Devices”. However, the same result can be achieved by adding a condition to the advanced membership rule query of the AAD dynamic group.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

AAD dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression, and each binary expression is separated from the next by a conditional operator, either -and or -or. You can use these conditional operators to exclude devices from AAD dynamic device or user groups.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

Following is the advanced membership rule query I used in the AAD dynamic device group to exclude a device. In this query, the conditional operator between the two binary expressions is -and.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I haven’t verified whether this works effectively when we deploy a configuration policy via Intune to this AAD device group. I assume it does, because I can see a different device icon for the device called “LGENexus 5”, which is the device I tried to exclude using the above query.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update

Learn two things from this post: how to create Azure AD dynamic groups for managing devices using Intune, and how to pause AAD dynamic group updates.

This post shows how to create dynamic device groups and user groups in Azure Active Directory. For Intune device management, Azure AD groups play the role that collections play in the SCCM world.

These AAD groups can be used to target different policies at a specific group of devices. Latest post: Validate Azure AD Dynamic Group Rules | Intune.

So this is very important in the world of modern device management using Microsoft Intune. If you are an SCCM admin, an AAD dynamic group is similar to a dynamic collection built with WQL query rules, although AAD groups don’t offer the same granularity in their dynamic query rules as WQL does.

However, the new Azure portal has many options for creating dynamic query rules. The video tutorial will give you more insight into AAD dynamic groups.

Updated Post -> How To Create Nested Azure AD Dynamic Groups.

Create Azure AD Dynamic Groups

AAD dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in the AAD dynamic membership rule query must have three parts: a left parameter, a binary operator, and a right constant.

The left parameter in the query rule is one of the attributes of the AAD object (either user or device). If you want to query users in a particular department, then the user is the object and the department is the attribute (user.department).

The binary operator is a comparison operator such as -ne, -eq, -contains, or -match. The right constant is a constant value specific to your requirement; for example, if you want to create a group for all IT users, it is “IT”. The following are three example rules using different operators:

(user.department -startsWith "IT")

(user.department -match "IT")

(user.department -eq "IT")

Let’s take an example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic device group; you must have appropriate permissions to create Azure AD groups. Follow the steps to create the device group for 22H2.

  • Login to Endpoint Manager Portal (endpoint.microsoft.com)
  • Navigate to the Groups node.
  • Click on “+ New Group”.
  • Select Security – Group Type from the drop-down option.
  • Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
  • Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
  • Select Dynamic Device as the Membership type.
  • Click on Add Dynamic Query under Dynamic Device Members.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 1

On the Dynamic membership rules page, hover over the Property column to get the option to select the device property on which the Windows-based rule is built.

You can create or edit rules directly by editing the syntax in the box below, or you can use the Azure AD portal UI as shown below to build a dynamic group query rule. There are some scenarios where the device properties (e.g. nesting) are not published in the UI property list; in those cases you have to edit the syntax directly.

(device.deviceOSVersion -startsWith "10.0.22621")
  • Click on the SAVE button to save the query rule.
  • You also have the option to validate the Azure AD query from the Validate Rules tab, as shown in the picture. More details are explained in the section below.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 2

You can now click on the CREATE button to complete the creation of the Azure AD dynamic group for Windows devices. You can also change the version number to get different results.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 3

How to Pause Azure AD Dynamic Group Update

Microsoft recently added an option to pause Azure AD dynamic group updates. You can perform the PAUSE action from the Azure AD portal itself; you don’t have to do this using Microsoft Graph or any other workaround.

Suppose an accidental deployment has been targeted at an Azure AD dynamic group and you must reduce the impact. What would be your first step? I think pausing updates can stop the deployment with immediate effect, at least for new devices.

You can navigate to the Azure AD dynamic group that you want to pause. From the Overview tab, you can enable the Pause Processing option for Azure AD Dynamic groups.

  • When the setting is set to YES, the processing of this dynamic group will pause.
  • When set to NO, processing will continue.

The Dynamic Rule Processing Status shows Updates Paused once you enable the Pause Processing option on the Azure AD dynamic group. This status shows whether or not the group is processing changes to its dynamic membership rules. It is only applicable when a group is newly created, the rule was recently edited, or the Pause Processing setting was changed.

How to Pause Azure AD Dynamic Group Update Fig. 1

Maximum supported words/characters

I did a test to find the maximum number of words/characters supported in an Azure AD dynamic advanced membership rule, and I found that we could save a query with a maximum of 311 words and 3045 characters.

When I increased the numbers to 315 words and 3085 characters, it started giving the error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

Now back to Intune and device management. I will create three basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.

Dynamic Query

First, I wanted to group all Windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules: 1. Simple rule and 2. Advanced rule. To group Windows devices based on the operating system, it’s better to use a simple rule via the Azure portal GUI.

In case you want to use an advanced membership rule, the query is (device.deviceOSType -contains "Windows"). When you create an Azure AD dynamic device group, it takes 1 or 2 minutes (depending on the complexity of the query and the size of the database) to populate the devices into the group.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

It’s time to find iOS devices (iPhone or iPad) in my environment via an AAD dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic device group can’t be created using a simple membership rule; we have to use the advanced membership rule.

We need two constant values, iPhone and iPad. Following is the query I used to fetch iOS devices: (device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad").

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

OK, here we go with grouping Android devices. In this scenario I want to create the AAD dynamic device group using a simple membership rule, because there is only one constant value in the binary expression. Following is the dynamic query for the Android device group: (device.deviceOSType -contains "Android").
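The rule syntax used across these posts, as an added example rather than the author's own code: a small Python evaluator that tokenises a rule into its binary expressions (left parameter, binary operator, right constant), honours the -and / -or conditional operators and parentheses, and applies the exclusion rule from the earlier post together with the Windows 22H2, iOS and Android rules above to a constructed device list, so you can predict a group's membership before saving the rule in the portal. Assumptions of the toy: -and binds tighter than -or, string comparisons are case-insensitive, a missing attribute behaves as an empty string, and the device names are made up.

```python
"""Toy evaluator for Azure AD dynamic membership rules as used on this page: terms of
the form (object.attribute -operator "constant") joined by -and / -or. Added example."""
import re

TOKEN_RE = re.compile(r'(?P<paren>[()])|(?P<op>-[A-Za-z]+)|"(?P<str>[^"]*)"'
                      r'|(?P<attr>[A-Za-z]+\.[A-Za-z0-9_]+)|(?P<bad>\S)')

def tokenize(rule):
    tokens = []
    for m in TOKEN_RE.finditer(rule):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError(f"unexpected {text!r} in rule")
        # parentheses use "(" / ")" as their kind; operator names are case-insensitive
        tokens.append((text if kind == "paren" else kind, text.lower() if kind == "op" else text))
    return tokens

def parse_rule(rule):
    """Nested tuples ("and"/"or", left, right) or ("cmp", attr, op, const). -and is
    assumed to bind tighter than -or; the page's rules parenthesise every term anyway."""
    toks = tokenize(rule)
    def take(kind):
        if not toks or toks[0][0] != kind:
            raise ValueError(f"expected {kind}, got {toks[:1]}")
        return toks.pop(0)[1]
    def atom():                   # atom := '(' or_expr ')' | attr op "constant"
        if toks and toks[0][0] == "(":
            take("(")
            node = or_expr()
            take(")")
            return node
        return ("cmp", take("attr"), take("op"), take("str"))
    def chain(sub, op):           # sub (op sub)*, left-associative
        node = sub()
        while toks and toks[0] == ("op", op):
            toks.pop(0)
            node = (op[1:], node, sub())
        return node
    def or_expr():                # or_expr := and_expr (-or and_expr)*
        return chain(lambda: chain(atom, "-and"), "-or")
    node = or_expr()
    if toks:
        raise ValueError(f"trailing tokens: {toks}")
    return node

# Binary operators named on the page; string comparison assumed case-insensitive.
OPERATORS = {
    "-eq": lambda v, c: v == c, "-ne": lambda v, c: v != c,
    "-contains": lambda v, c: c in v, "-notcontains": lambda v, c: c not in v,
    "-startswith": lambda v, c: v.startswith(c),
    "-match": lambda v, c: re.search(c, v) is not None,
}

def evaluate(node, obj):
    if node[0] == "and":
        return evaluate(node[1], obj) and evaluate(node[2], obj)
    if node[0] == "or":
        return evaluate(node[1], obj) or evaluate(node[2], obj)
    _, attr, op, const = node
    value = obj.get(attr) or ""   # a missing attribute behaves as an empty string
    return OPERATORS[op](value.lower(), const.lower())

def members(rule, devices):       # displayName of every device the rule admits
    node = parse_rule(rule)
    return [d["device.displayName"] for d in devices if evaluate(node, d)]

DEVICES = [  # constructed sample inventory, not real tenant data
    {"device.displayName": "LGENexus 5", "device.deviceOSType": "Android"},
    {"device.displayName": "Pixel-7", "device.deviceOSType": "Android"},
    {"device.displayName": "HTMD-iPhone", "device.deviceOSType": "iPhone"},
    {"device.displayName": "HTMD-iPad", "device.deviceOSType": "iPad"},
    {"device.displayName": "HTMD-LAPTOP-01", "device.deviceOSType": "Windows", "device.deviceOSVersion": "10.0.22621.1413"},
]
# Rules quoted from the page
EXCLUDE_RULE = '(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")'
IOS_RULE = '(device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad")'
WIN_22H2_RULE = '(device.deviceOSVersion -startsWith "10.0.22621")'

if __name__ == "__main__":
    print({r: members(r, DEVICES) for r in (EXCLUDE_RULE, IOS_RULE, WIN_22H2_RULE)})
```

The exclusion rule admits Pixel-7 but not LGENexus 5, which is the membership change the Remove button could not make directly.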

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

A clean Intune environment always gives better deployment results, and one of the important steps in keeping your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. You should also run regular sanity checks to ensure that you don’t have duplicate copies of policies and applications.

Moreover, you should avoid duplicate deployments of policies and applications; duplicate policy deployments can cause conflicts and lead to unexpected results.

Introduction

We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether removing a device from SCCM also removes that device record from on-prem Active Directory.

Removing or deleting a device from Active Directory is not SCCM’s responsibility; it has to be handled separately in on-prem Active Directory.

So how are these operations handled in the modern device management world, with Intune standalone (or SCCM hybrid) and Azure Active Directory? In most cases, I have not seen the device record automatically purged from Azure Active Directory (AAD) when you retire and delete a device from Intune.

To get better results from your compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with a clean Azure AD. You can get a better understanding of this issue from the video tutorial above.

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

How to Delete Clean Tidy Intune Azure Active Directory?

In the example above, the Intune console shows only one device assigned to my user account. However, if you look at my Azure AD user ID and check the devices assigned to my account, there are a total of 3 devices, and all 3 are shown as managed by Intune.

The data reflected in Azure Active Directory is therefore not accurate. I’m not saying this scenario will happen every time; I have seen some devices get removed from Intune and AAD automatically.

I suppose we should have better accuracy/sync between the Intune and Azure AD databases. I don’t see a scheduled task in Azure AD to purge the records deleted from Microsoft Intune, and I’m not sure whether one is coming in the near future.

To ensure better results for Intune device management policies, when you delete a device from Intune, make sure that the device record is also removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to keep the environment clean and tidy.

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

Resources

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Validate Azure AD Dynamic Group Rules | Intune

How to Troubleshoot Windows 11 10 Intune MDM Issues

Learn how to troubleshoot Windows 11/10 Intune MDM issues from this blog post. There are several options for troubleshooting, and some of them are explained here.

Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is a Windows 10 MDM troubleshooting guide.

Understand Windows 10 MDM Architecture

For example, if an Intune policy is deployed to a Windows 10 machine but is not getting applied, how do we start troubleshooting? First of all, we need to understand the Windows 10 management architecture. Following is the high-level architecture diagram for Windows 10 management; troubleshooting Windows 10 MDM issues is much easier once you know it.

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

There are many ways to troubleshoot Windows 10 MDM issues when using Microsoft Intune to deploy policies to those devices. In this post, I will share 3 easy ways to start MDM troubleshooting. Yes, it’s different from troubleshooting the SCCM/ConfigMgr client, as there are no log files for the MDM client.

The MDM client is built into the Windows 10 operating system, and the event logs are the best place to start troubleshooting Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and other IT Pros to understand and use for Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.

[Related Posts – How to Start Troubleshooting Intune Issues]

Video Tutorial – Windows 10 MDM Troubleshooting Guide

Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros!

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

Troubleshoot with Windows 10 Event Logs

Event log: Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin

Event logs on Windows 10 machines are the best place to start troubleshooting MDM-related issues. As you can see in the screen capture below, this path in the event logs (Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin) shows the details of MDM and device management related issues. When the machine is Workplace Joined or Azure AD joined, all the events related to Intune/SCCM policies are recorded in this event log section.

Azure AD event logs are also very useful for Windows 10 MDM issues; you can find them at “Microsoft-Windows-AAD/Operational”. Event logs are an integral part of this Windows 10 MDM troubleshooting guide.

The event logs are the best place to start troubleshooting Windows 10 MDM issues. You get the detailed status of Intune or SCCM hybrid policies from the event logs; each entry tells you whether the deployed policies have reached and been applied on that machine. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from the Windows 10 Settings page for connecting to work or school.

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

Troubleshoot Windows 10 with WMI Explorer

Using WMI Explorer to check whether the policy settings are applied:

WMI Explorer is the best tool to check whether MDM policy settings are applied on a Windows 10 system. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.

I deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI Explorer to find out whether these policies are applied on the machine. Again, when you start troubleshooting, the best place to begin is the event logs.

We can also check this via WBEMTEST, but we may need to start WBEMTEST in the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.

Registry way of checking Windows 10 MDM Policy settings

Troubleshoot Windows 10 with Registry Entries

The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is the registry. The registry location where you can find the MDM policy settings on a Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers.

In the screen capture below, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is that we need to find a way to decode each provider GUID (CLSID key?) related to the MDM policies. Following are some extracts from my Windows 10 machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Display

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
  • System > Power Management > Button Settings
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Enabled – Select the Start menu Power button action (on battery).
How to Troubleshoot Windows 11 10 Intune MDM Issues 11

Troubleshoot Windows 10 with MDMDiagReport

These provider GUIDs can be found in the MDMDiagReport.xml file, and that XML can be decoded into an HTML file, MDMDiagReport.html, using the tool here.

How to Troubleshoot Windows 11 10 Intune MDM Issues 111
