Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool. This supports Mac OS, iOS, Android, and Windows 10. This cloud solution is used as a modern management tool.
This MDM solution can be integrated with SCCM, Azure AD, and Active Directory. This place gives you a great opportunity Learn Microsoft Intune and become an expert with Intune.
This solution can be used to deploy UWP applications, Security policies, Configuration policies, WiFi profiles, PKI certificates, and so on.
This solution is future-proof When you take a look at the Desktop (43.29%) Vs. Mobile (52.29%) Vs. Tablet (4.42%) Market Share Worldwide for the last year, you could see that mobile devices are leaders. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning this solution is very important for SCCM admins.
Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. This solution is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.
Additionally, this solution has a feature called compliance policy, which can be integrated with the Azure AD “Conditional Access” policy to restrict access to company resources.
Are You Having an Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr?
Are you having issues with Windows Information Protection (WIP, previously known as “Enterprise Data Protection – EDP” policies configured through the SCCM ConfigMgr CB 1606 production version?
If so, I was one of you. I’m talking about the issue I faced while deploying the WIP policy via the Windows 10 MDM channel. I will try to explain the problem which I had with WIP CI (for the specific scenario which I tested):-
When you open WIP CI, try to check whether everything is okay or not and exit out of CI with/without making any changes. Some values in CI XML will automatically change, breaking the entire CI.
Windows Information Protection WIP– Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr
I’ve embedded a video below explaining this bug/issue. If you are new to WIP/EDP and want to know how to create, deploy, and test WIP with Windows 10, look at my previous post and video here.
The good news is that Microsoft’s new rollup update (KB3186654)most probably fixed this issue. I have done extensive testing with Windows Information Protection (WIP) policies/CIs after installing the new rollup on the SCCM CB 1606 server, and the results are very promising.
Name
Type
New Windows 10 WIP
General
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Table 1
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Fig.1
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP
I tried creating new WIP CIs, editing the existing WIP CIs, etc. All the scenarios I tested worked well for me. I tested this with Windows 10 1607 build numbers 14393.00 and 14393.82 (via MDM channel). Are You Having an Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr Endpoint Protection?
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Video 1
Sample of the correct WIP CI with correct ConstantValue
Let’s discuss the Sample of the correct WIP CI with the correct ConstantValue. The below section helps you show the sample of the correct WIP CI with the correct ConstantValue.
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Intune Company Portal App Login Issues with Windows 11 or Windows 10 Devices? Have you tried to Repair or Reset Company Portal App to fix the issue? The Intune company portal application is not allowed to log in when it is installed on Windows 10 or Windows 11.
The issue explained in the post below could be due to either Azure AD authentication issues or proxy issues. It won’t let you log in with your username and password.
The Company Portal app will get redirected to the login page repeatedly. Have you tried to log in to the Intune company portal from a Windows device, and can you reproduce this issue?
Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues. This post also explains the Tenant Restriction Policy and company portal issues.
Whenever you have an issue with the Intune Company Portal app, it’s better to Reset, Repair, or Reinstall it before trying to do further troubleshooting. Otherwise, this could be another issue if you see the same problems with a more significant number of Windows 11 devices.
Intune Company Portal App Repair options are easy to use, unlike other Win32 or MSI applications. Since the Intune Company portal is a Microsoft Store Application, it has all the Reset, Repair, and Reinstall options.
To fix Intune Company Portal App Repair Reset Options, you need to follow the steps explained below.
Navigate to the Apps & Features option by right-clicking on the Start button from Windows 11.
Use the search function to find the Company Portal application.
Click on the three (3) vertical dots menu.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.1
To repair the Company Portal Application on a Windows 11 device, select Advanced options, as shown in the screenshot below.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.2
The first step I always recommend is to TERMINATE the company portal app by clicking on the TERMINATE button from Apps -> Apps & Features -> Company Portal Advanced Options.
Intune Company Portal App Repair
Let’s check the next option, the Intune Company Portal app repair option. If this app isn’t working correctly, you can try to repair it. The Company Portal app’s data will not be affected.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.3
Company Portal App Repair Reset and Uninstall
Let’s check the following options to see if the Terminate and Repair options for the Company portal don’t work well. Company Portal App Repair, Reset, and Uninstall are the other options available on Windows 11 devices.
Company Portal REPAIR helps to fix the issue if the app is still not working as expected. The RESET will remove all the app-related data from the Windows 11 PC and give the Company Portal a fresh start.
The UNINSTALL button is the last resource for fixing theCompany Portal Application on Windows 11PC. After uninstalling the app, you can reinstall it from the Microsoft Store.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.4
Well, this is a weird issue, so stay with me! Let’s learn how to Fix the Company Portal App Login Error that Occurred. This issue is only for the Intune Company portal application. There was no issue accessing the company portal Website. This issue is only applicable to Windows 10/11 devices.
Problem Statement – Fix Company Portal App Login Error
Windows 10 devices started getting error messages when users tried to launch the Company portal app. The error details are given below.
Login error occurred – An error occurred while attempting to log in to Company Portal Login Error.
You get two options:
Share Details
Close
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.5
Send Company Portal App for Windows 10 Logs
You can try to click on Share details to get the Company portal app log for Windows 10 or 11 devices. The message shows “Sending the Logs to Microsoft.“
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.6
Now you can share the details with Microsoft using the Onenote file. Requesting help with the company portal app for Windows 10 or Windows 11.
NOTE! – You can send the company portal app logs for Windows 10 using the following method as well:
Open the Company Portal app.
Select Help & support > Get help.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.7
Details of Company Portal App Log
Describe the problem you’re experiencing. The Company Portal has collected your logs (Diagnostics ID: 2WWEWN) and sent them to Microsoft to help troubleshoot. Your description will help us understand what happened and how to fix the problem. After you’ve described the situation, send this email to your company support for more help.
Troubleshooting – Fix Company Portal App Login Error
Now, let’s enter the real troubleshooting scenario of the Company Portal app for Windows 10 devices.
First, I couldn’t find much information from the Microsoft logs mentioned in the above section.
I started looking at event logs to get more details.
Navigate to Microsoft-Windows-AAD/Operational (Azure AD authentication-related errors).
The following event ID 1098 shows an error that started when I tried to launch the company portal app.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.8
Event Log Details
The following are the company portal login issues with Windows 11/10 devices. As you can see in the paragraphs below, these logs are taken from event logs.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 233, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113
Log: 0xcaa1007b Acquire token failed.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
0xcaa9004b Exception during nonce request
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 16/07/2020 10:11:06
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa9004b Exception during nonce request.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
Fix Company Portal App Login Error Occurred
A proxy server tenant restriction was implemented using the following: Use tenant restrictions to manage access to SaaS cloud applications. For more details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions.
The company portal app for Windows 10 or Windows 11 requires authentication to Azure AD through https://login.microsoftonline.com. These URLs are available in the above event logs. Tenant restrictions require TLS inspection only on traffic to Azure AD, not to the Office 365 cloud services.
It seems the TLS inspection for the following URL caused the issue. At least one of the following URLs is required:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.9
Intune Company Portal Login Issues
After 3 login attempts, the company portal application will show you the following error: “Login error occurred – an error occurred while attempting to login“. You may also get the following details in the error log.
Have you ever seen this? The following scenarios show this issue in different Intune/AAD tenants. The table below helps you show more details.
The Issue in Different Intune/AAD Tenants
Windows 10 AAD Joined
Windows 10 MDM enrolled (Work account)
Windows 10 OOBE
FIX Intune Company Portal App Login Issues with Windows 10/11 – Table 1
I don’t have any solution for this issue yet. If you can reproduce this issue then please do comment on this post. When I remove add Work or School account from Settings – Accounts – Access work or school, then I’m able to login to the Intune company portal.
However, it will (obviously) say, “You need to add your device before you can install apps.” If you select “Don’t add this device,” the Intune company portal will proceed to the next page, which will show you the “my devices” list, etc., with a note, “It looks like you need to add this device so that you can install apps.”
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.10
Log File Details – Intune Company Portal:-
Intune Company Portal Login Issues with Windows 10 Anniversary Update.
Microsoft.Management.Services.SelfServicePortal.CommonViewModels.ServiceLoginPageViewModel.<AuthenticateWithExceptionHandlingAsync>d__36.MoveNext()
2016-09-03T06:03:13.4876367Z WARN Event None 400 f67a7f1d-54e3-41e0-a838-e39ec3385ba3 3-0-0 Displaying error dialog
Title: Login error occurred
Message:An error occurred while attempting to login.
Exception: Microsoft.Management.Services.SelfServicePortal.Common.Portable.Authentication.IntuneAuthenticationException: Failed to authenticate with AAD
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AuthenticationResultHelper.ThrowIfAuthenticationStatusIsNotSuccess(AuthenticationStatus authenticationStatus)
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService.<AuthenticateAsync>d__0.MoveNext()
Resolution – Proxy Issue
The client app (in this case, Company Portal) should support tenant restrictions. I overlooked this point while writing this post. Microsoft docs already document that client software must request tokens directly from Azure AD so that the proxy infrastructure can intercept traffic.
NOTE! – The company portal (website) works well with tenant restrictions.
The proxy servers removed the OMT feature for TLS inspection for AAD authentication communication, which fixed the Company Portal.
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
How do I create and Upload an Apple Push Notification Service APN Certificate Using SCCM CB? We need an APN cert to manage iOS and Mac OS devices via Intune and Hybrid SCCM CB.
In this video tutorial, we can see how to get the certs from Apple and How to upload them to SCCM CB for a hybrid solution. How to Create an Apple Push Notification Service (APN) Certificate to Manage iOS and Mac OS X devices via Intune.
You must have an Apple ID/user name and password to upload and download the SCCM CB hybrid certificates. I’m adding more detailed Videos to my YouTube Channel;subscribe here.
The following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C: UsersanoopDocumentsApple CertApple_Cert_4_How_2_Manage.CSR.
Table of Contents
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Fig.1
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB
The screenshot below helps you show the Apple push certificates portal and the certificate for third-party servers. The table below enables you to show more details.
Sep 24, 2016
Vendor
Expiration Date
Status
Mobile Device Management
Microsoft Corporation
Sep 24, 2016
Active
Mobile Device Management
Microsoft Corporation
Sep 24 2016
Active
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Table 1
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Fig.2
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB
Go to the following website !! Apple Website:- https://identity.apple.com/pushcert/.
You can manage iOS and Mac OS devices via Microsoft Intune and SCCM CB hybrid environments at the end of this process!
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
How do you create and deploy compliance policies using SCCM CB Hybrid and Intune Environments? We will discuss developing and deploying compliance policies using SCCM CB Hybrid and Intune Environments. Ok, at 3 topics in this post.
1. How to Create Compliance policies using Intune and SCCM CB Hybrid environment.
2. How to deploy Compliance policies and
3. Differences between the compliance policy settings !!
I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.
The device must comply with our policies to have permission to access corporate resources like emails, SharePoint Online, etc. SCCM CB and Intune Compliance policies can be deployed only to users, not device collections or groups.
As you can see in the following picture, we can specify the type of compliance policy that you want to create in SCCM CB. There are two options: 1. Compliance rules for devices managed with SCCM clients; 2. Compliance rules for devices managed without SCCM clients (MDM clients, etc.).
How Do You Create An SCCM CB Hybrid Compliance Policy?
Moreover, it allows you to select different device platforms, such as Windows 8.1, Windows 10 mobile, iOS, Android, and KNOX. This is a handy option in SCCM CB Hybrid compliance settings! The video tutorial above explains the steps to create an SCCM CB compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.1
How Do You Create a Compliance Policy using Intune?
As you must have noticed, all platforms have one general compliance policy. There is no option to create compliance policies for various device platforms, such as iOS, Android, and Windows.
Yes, we don’t have the option to select a specific OS platform in Intune compliance policies. The three common segregations available are as follows. The video tutorial above explains all the steps to create an Intune compliance policy.
Three Common Segregations
System Security
Device Health
Device Properties
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Table 1
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.2
How Do You Deploy Compliance Policies Using SCCM CB Hybrid?
Yes, compliance policies can deploy only to User Collections, not device collections, in SCCM. There are no DEVICE Collections in the drop-down menu!! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.
Another point is SCCM CB’s granularity regarding Compliance rules/policy evaluation schedules. You can change the Compliance policy evaluation schedule!!! By default, the SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The video tutorial above explains the steps to deploy the SCCM compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.3
How to Deploy Compliance Policy using Intune?
Yes, compliance policies can be deployed only to user groups in Intune, not device groups. Moreover, compared with SCCM CB, the scheduling of compliance policies is not granular. Instead, Intune provides global settings for all the compliance policies we create for that tenant.
Check out the Intune compliance policy settings. What is that? It’s the compliance status validity period. Nice!! It’s a global setting—we can’t specify 31 days for one compliance setting and 20 days for another!! The video tutorial above explains all the steps to deploy the Intune compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.4
Difference Between Intune vs SCCM CB Hybrid Compliance Policies
Following are the differences that I have noticed in Intune vs SCCM CB Hybrid Compliance Policies:- Intune does not allow users to select a specific supported platform. However, with SCCM CB, we can create platform-specific compliance policies.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.5
There is no Granularity in Deploy Scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.6
Outcome/Result of Compliance Policies – Windows 10 Device
The following is an example of a Windows 10 machine that AAD and MDM joined, but it’s not compliant. Device encryption is not enabled on Windows 10 machines.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.7
The following is an example of a Windows 10 device compliant with an organization’s policies. Once Windows 10 is compliant, the user can access corporate mail and other resources.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.8
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User? In this post, I would like to share the video tutorial to explain. Microsoft Intune introduced MAM Reporting options with the Intune 2305 release.
Let’s learn how to create Intune App Protection Policies for iOS iPadOS. In this article – Create Intune App Protection Policies For IOS IPadOS. App Protection Policies can be applied to both enrolled and non-enrolled devices. APP can be used for third-party MDM solutions.
MAM policies created in the MEM portal are different from the MAM policies that we make from the Intune portal for MDM-enrolled devices. Outlook Groups is the newest application included in the Azure portal for Intune MAM-enabled applications.
Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience.
Also, I can see the PREVIEW option to add custom applications for MAM policies without MDM enrollment. This is an excellent feature. Settings –>Preview – Line-of-business apps –> Preview – Add a custom app.
Intune MAM Policies and App Reporting
Settings
Preview – Line of business apps
Preview – Add a custom app
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Table 1
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Fig.1
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Learn how to Set up Dynamic Device Groups in Intune. Do you want to add mobile devices automatically to Microsoft Intune Device Groups? Intune Dynamic groups have been a customer request for a long time.
This feature is similar to dynamic collections in SCCM/ConfigMgr. There are two ways to do it: one using the Azure AD Premium feature called AAD Dynamic Groups, and another is pretty new in Intune, something called Device Group Mapping.
One of our recent posts explains how tocreate nested Azure AD dynamic groups, a highly anticipated feature from the Azure AD team. This functionality shows the memberOf attribute, which was introduced to facilitate the nesting of Azure AD groups.
This capability allows for more flexible and efficient management of group memberships within Azure Active Directory, enabling organizations to simplify access controls and administration across their Azure resources.
Learn How to Setup Dynamic Device Groups in Intune – Fig.1
Navigate via – Directory –> Groups –> Open the group (MDM Group) –> Configure. Enable Dynamic Group (Only available for AAD Premium subscriptions) Membership –> Add Users where <Department> is equal to “IT”.
Learn How to Setup Dynamic Device Groups in Intune
Login to AAD.Portal.Azure.com.
Navigate to the Azure Active Directory -> Groups node -> Click on the New Group button.
Group Type -> Security
Group Name -> HTMD AAD Group based on Dept
Group Description -> To add all devices or users from a dept
Membership Type -> Dynamic User
Learn How to Setup Dynamic Device Groups in Intune – Table 1
In this scenario, all the users from the IT department will be added to the AAD Dynamic Security Group, which is called MDM Group.
Don’t panic if the group is not reflecting with users immediately; give it some time. It will get updated.
Once the AAD Dynamic Group is created and updated, log in to the Intune portal (endpoint.microsoft.com) and Create a New User Group to fetch all the devices of IT department users.
Learn How to Setup Dynamic Device Groups in Intune – Fig.2
Whenever a new user joins the IT department, that user is automatically added to the Intune MDM group. Provisioning and de-provisioning groups is made easy with this.
There are two options to build the Azure AD dynamic group query. You can use the rule builder or rule syntax text box to create or edit an AAD device group dynamic membership rule.
Rule Builder -> Graphical interface – Easy to create the dynamic query.
Rule Syntax -> Advanced technical users for complex queries.
Follow the steps below to use Azure AD dynamic group Rule Builder to create dynamic query rules for Hybrid Azure AD joined devices.
Under Configure Rules -> Choose Property drop-down list.
Select deviceTrustType as the property from the drop-down list.
How do you Add Devices automatically to Intune Device Groups using Device Group Mapping?
Click on the Admin tab in the Intune console. Navigate via Device Group Mapping—enable Device Group Mapping—Create a Device Group and ADD a CATEGORY to manage device group mapping rules. Once you click on Create Device Group, it will guide you through creating one device group.
When every user enrolls (during the Enrollment Process) to Intune using the Microsoft Intune Company Portal application, the User will get an extra screen to select “Choose the best category for this device.” I have created only one category, “ADMIN,” for users. You are free to make an Intune device category for each department!!
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
