Enroll AzureAD joined Windows devices with Intune

Last updated on June 8th, 2022 at 11:22 am

In the event you need to enroll devices with Intune that are already joined to AzureAD, there is an easy way by using MDM-only enrollment. Microsoft describes this method as an option to MDM enroll workgroup, AD, or AADJ devices. Microsoft states this method is not recommended because:

However, if the device is already joined to AzureAD, it will be associated with the Intune managed device, and will function as if it was enrolled when it was AzureAD joined. AzureAD features such as conditional access will still function. One specific use case for this is a business that did not previously have Intune licensing but already used AzureAD as its identity provider. After upgrading to licensing that includes Intune, they want to enroll their existing AzureAD joined devices with Intune.
Prerequisites:

  1. Machine is already AzureAD Joined – Microsoft does not recommend performing an MDM only enrollment on a non-AzureAD joined Windows device
  2. Users performing the MDM enrollment are assigned a proper Intune license
  3. Users are allowed to enroll devices in MDM. From MEM: Devices > Windows > Windows Enrollment > Automatic Enrollment. MDM scope should be set to All or Some. If Some, users enrolling devices need to be a member of the specified group

Steps to enroll the device:

  • Here is an example device joined to AzureAD with no MDM
  • From the device, have the user navigate to settings > accounts > access work or school. Select enroll only in device management.
  • Have the user sign in with their company credentials when prompted. It may take a minute or two to register the device.
  • If you receive the below error, either the user account does not have a proper license for Intune, or the user is not allowed to enroll devices in MDM.
  • When complete, you should see two entries under Access work or school. One showing the AzureAD join and the other showing the MDM enrollment.
  • Shortly after the enrollment, you can check to make sure the Microsoft Intune Management Extension is installed and running. You can also check the timestamp on its installation folder to verify it was installed recently, after the Intune enrollment. The device should appear in the MEM device dashboard within a few minutes.
  • If you select the newly enrolled device in MEM, and navigate to Monitor > hardware, you can see the enrolled date showing just a minute before the IME was installed.
  • Looking the device up in AzureAD now shows Microsoft Intune listed as the MDM.
  • Lastly, to verify that conditional access policies are working, I added a conditional access policy blocking non-compliant devices from accessing web apps in report mode and tested successfully.
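As an added example (not code from the original post), the following PowerShell function automates the post-enrollment checks described above: the AzureAD join state, the presence of an MDM enrollment record, and whether the Intune Management Extension service is installed and running, along with its folder timestamp. The service name `IntuneManagementExtension`, the install path under Program Files (x86), and the `HKLM:\SOFTWARE\Microsoft\Enrollments` layout with `ProviderID` "MS DM Server" are assumptions about how Windows records the enrollment, not values taken from the post.

```powershell
# Added example: verify the results of an MDM-only enrollment from the device itself.
# Assumptions: service name, IME install folder, and Enrollments registry layout (see lead-in).
function Get-MdmEnrollmentStatus {
    $result = [ordered]@{
        AzureAdJoined  = $false
        MdmEnrolled    = $false
        EnrolledUpn    = $null
        ImeInstalled   = $false
        ImeRunning     = $false
        ImeInstalledAt = $null
    }

    # dsregcmd /status prints "AzureAdJoined : YES" for an AzureAD joined device
    $dsreg = dsregcmd /status
    $result.AzureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')

    # Each MDM enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>;
    # the Intune enrollment uses ProviderID "MS DM Server" (assumed layout)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props.ProviderID -eq 'MS DM Server') {
                $result.MdmEnrolled = $true
                $result.EnrolledUpn = $props.UPN   # the user who performed the enrollment
            }
        }

    # The post checks that the Intune Management Extension service exists and is running
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ImeInstalled = $true
        $result.ImeRunning   = ($svc.Status -eq 'Running')
    }

    # ...and that the IME folder timestamp falls shortly after the enrollment
    $imePath = "${env:ProgramFiles(x86)}\Microsoft Intune Management Extension"
    if (Test-Path -Path $imePath) {
        $result.ImeInstalledAt = (Get-Item -Path $imePath).CreationTime
    }

    [pscustomobject]$result
}

# Run from an elevated prompt on the enrolled device
Get-MdmEnrollmentStatus | Format-List
```

A device that completed the steps above should report AzureAdJoined, MdmEnrolled, ImeInstalled and ImeRunning as True, with ImeInstalledAt a few minutes after the enrollment time shown under Monitor > hardware in MEM.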

Some things to remember when using this enrollment method:

  • Per Microsoft’s recommendations, this should only be used in the event you have AzureAD joined devices not enrolled in Intune. Do not use this method for workgroup or AD joined devices because it will not register/join the device with AzureAD.
  • The device may not be a member of any groups when it gets enrolled if AAD was only being used as an identity provider. You may need to add it to groups as needed for profile/policy/app deployments.
  • The device ownership will be set to personal after the enrollment. This is because a user is manually doing the enrollment, so MEM assumes it's a personally owned device. This can and should be changed to corporate if these are company devices.
  • I suggest converting these devices to Autopilot devices once they’re enrolled. Assuming all these devices have something in common, like machine name, you can make a dynamic group and set an Autopilot profile to convert targeted devices to Autopilot devices. It can take a few days before they show up in the Autopilot enrollment dashboard.