Steps to configuring device
management in Microsoft 365 Intune (also known as Microsoft Endpoint
Manager). below steps covers end-to-end steps and explanations, ideal for
admins setting up device management for the first time
✅ 1. Prerequisites
Before starting, ensure the following:
✅ Licenses Required:
- Microsoft
Intune or Microsoft 365 E3/E5, or EMS E3/E5
- Entra
ID (formerly Azure AD)
✅ Admin Access:
- Microsoft
365 Admin Center
- Microsoft
Intune Admin Center: https://intune.microsoft.com
Before Configuring Device management we need to configure MDM Authority:
🔐 1. It Enables Intune to Manage
Devices
When you configure the MDM authority,
you are telling or informing to Microsoft 365:
"Intune is the system that will
manage and enforce mobile device policies for this tenant."
Without setting the MDM authority, even
if you assign licenses or create policies, devices cannot enroll or be
managed.
⚙️
2. Prevents Conflicts Between Tools
You can only have one MDM authority
per tenant. Microsoft supports:
- Microsoft
Intune (cloud only)
- Configuration
Manager (on-prem SCCM)
- Co-management
(SCCM + Intune)
If this is not set explicitly, Intune
doesn’t know who is in charge, and you can't proceed with device
enrollment.
Configuring the MDM (Mobile Device
Management) Authority in Microsoft Intune is a critical initial step because it
defines how devices will be managed and establishes the management framework
for your organization
steps to configure the mobile Device Management
-->Go to: Microsoft Intune Admin Center
-->Navigate to: Tenant Administration > Intune Enrollment
--> Choose: Set MDM Authority > Microsoft Intune
When setting up device management in Microsoft Intune, one of the most critical decisions you'll make is configuring the Mobile Device Management (MDM) authority. This setting dictates how your devices are managed: either entirely through Intune (Intune Standalone) or through a hybrid approach integrating with Configuration Manager (Co-management). Your choice directly impacts device enrollment, compliance, and overall control within your organization.
Understanding the MDM Authority
The MDM authority determines the primary
management tool for your devices. You have two main options:
- Intune
Standalone: This is a cloud-native solution
where all device management tasks—enrollment, configuration, compliance,
and reporting—are handled directly within the Intune portal. It's ideal
for organizations looking for a streamlined, cloud-based approach.
- Co-management with Configuration Manager: This hybrid option allows you to manage devices using both Intune and Configuration Manager. It's often used by organizations with an existing Configuration Manager infrastructure that want to gradually transition workloads to Intune.
Important Considerations Before You
Begin
Choosing your MDM authority is a tenant-wide,
critical decision that affects all devices managed by your Intune tenant.
Once set, you cannot change it without unenrolling and re-enrolling all
devices. This can be a significant undertaking, so careful planning is
essential.
If you're already using Configuration
Manager with Intune integration (hybrid MDM), avoid changing the MDM authority
to Intune Standalone. Doing so will break the existing
integration and require extensive reconfiguration.
Prerequisites
Before configuring your MDM authority,
ensure you have:
- Global
Administrator or Intune Administrator role:
These permissions are required to modify the MDM authority setting.
- Active
Intune Subscription: A valid Intune subscription is
necessary.
- Clear
Device Management Strategy: Determine whether a solely
Intune-based approach or a hybrid co-management approach aligns best with
your organization's needs.
- Configuration
Manager Setup (if choosing Co-management):
Ensure Configuration Manager is correctly configured for hybrid MDM.
Steps to Configure the MDM Authority
Follow these steps to set up your MDM
authority in Microsoft Intune:
- Sign
in to the Microsoft Endpoint Manager admin center:
Go to https://endpoint.microsoft.com
and sign in with an account that has the necessary administrative
permissions.
- Navigate
to Tenant administration: In the left-hand navigation pane,
click on Tenant administration.
- Select
MDM authority: Under Tenant administration, click
on MDM authority.
- Choose
your MDM authority: On the MDM Authority page, you'll
see the current setting or options to configure it for the first time:
- Intune
MDM Authority: Select this to manage devices
solely through Intune.
- Configuration
Manager MDM Authority: Choose this for a co-management
approach with Configuration Manager.
- Confirm
your selection: A confirmation message will
appear. Read it carefully, understanding the implications of your choice.
- Click
"Change to [Selected Authority]":
Confirm your selection to update the MDM authority.
- Verification:
The MDM Authority page will then display your newly selected MDM
authority.
Choosing the Right MDM Authority
Selecting the appropriate MDM authority
is crucial for your device management strategy. Consider these factors:
- Current
Infrastructure: If you have a significant existing
investment in Configuration Manager, co-management might be the most
practical option. For new setups or a desire for simpler management,
Intune Standalone could be more suitable.
- Device
Types: Intune Standalone is excellent for
modern devices like smartphones and tablets. Co-management offers benefits
if you manage a mix of modern and traditional devices.
- Management
Requirements: If you require extremely granular
control over device settings and applications, Configuration Manager's
capabilities might be necessary. For a more simplified, cloud-based
experience, Intune Standalone might be a better fit.
- Migration
Strategy: Co-management provides a gradual
path if you plan to migrate from Configuration Manager to Intune over
time.
- Future
Goals: Consider your long-term vision for
device management. Co-management can help bridge the gap if your ultimate
goal is to move all devices to Intune.
Troubleshooting Tips
- Error
message when changing MDM authority: Verify
you have Global Administrator or Intune Administrator permissions and an
active Intune subscription.
- Devices
not enrolling after changing MDM authority:
Devices must be unenrolled and re-enrolled after an MDM authority
change.
- Co-management not working after changing MDM authority: If you mistakenly changed from Configuration Manager to Intune Standalone, you'll need to reconfigure co-management settings in Configuration Manager. This is a complex process.
-------------------------------------------------------------------------------------------------------
Configure Device Enrollment:
Device enrollment is the process of registering a device with Microsoft Intune, allowing it to be managed and secured by your organization. Once enrolled, devices can receive policies, apps, and configurations, ensuring compliance with your security standards.
Microsoft Intune Automatic Enrollment Configuration:
Configure Device Enrollment:
Device enrollment is the process of registering a device with Microsoft Intune, allowing it to be managed and secured by your organization. Once enrolled, devices can receive policies, apps, and configurations, ensuring compliance with your security standards.
Microsoft Intune Automatic Enrollment Configuration:
Let's break down each section:
1. MDM user scope
- What it is: This crucial setting determines which users in your Microsoft Entra ID (formerly Azure Active Directory) tenant will automatically have their Windows devices enrolled into Intune for Mobile Device Management (MDM).
- Options:
- None: No users' devices will automatically enroll for MDM. You would typically select this if you want to prevent automatic enrollment or are using a different enrollment method for all devices.
- Some: This allows you to select specific Microsoft Entra ID security groups. Only users who are members of these selected groups will trigger automatic MDM enrollment when their devices meet the conditions (e.g., Entra ID Join or Hybrid Entra ID Join). This is ideal for phased rollouts, testing, or managing specific sets of users.
- All: All users in your Microsoft Entra ID tenant will have their devices automatically enrolled for MDM if the enrollment conditions are met. This is commonly used for broad, corporate-wide deployments.
- Significance: This is the primary control for enabling or disabling automatic MDM enrollment for your users.
2. MDM terms of use URL, MDM discovery URL, MDM compliance URL
- What they are: These are URLs that Windows devices use to communicate with the Intune service during the automatic enrollment process.
- MDM terms of use URL (https://portal.manage.microsoft.com/TermsofUse.aspx): If you want to present users with terms and conditions they must accept before their device is enrolled, this URL points to that agreement. By default, it uses Microsoft's standard terms.
- MDM discovery URL (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc): This is the most critical URL. When a device attempts to automatically enroll, it contacts this URL to "discover" the Intune enrollment service. This URL directs the device to the correct Intune endpoint for your tenant.
- MDM compliance URL (https://portal.manage.microsoft.com/?portalAction=Compliance): This URL is used to direct users to a compliance portal if their device is found to be non-compliant with Intune policies. It provides a link where users can see why their device is not compliant and what steps they need to take.
- Significance: These URLs are pre-populated by Microsoft and are specific to the Intune service. It is strongly advised NOT to change these default URLs unless you have a highly customized or third-party MDM integration scenario, as altering them will break automatic enrollment with Intune. The "Restore default MDM URLs" link below them serves as a safeguard.
3. Windows Information Protection (WIP) user scope
- What it is: This section pertains to Windows Information Protection (WIP), a feature (now being deprecated by Microsoft in favor of Microsoft Purview solutions) designed to prevent corporate data leakage on Windows devices. It works by classifying corporate data and restricting its movement to unmanaged apps or personal locations.
- Options: Similar to MDM user scope, you can choose:
- None: WIP policies are not applied to any users automatically.
- Some: WIP policies are automatically applied only to users in specified Microsoft Entra ID security groups.
- All: WIP policies are automatically applied to all users in the tenant.
- Note on WIP Deprecation: While these settings are still visible in the portal, Microsoft has announced the deprecation of WIP. For new implementations, it's recommended to explore Microsoft Purview Information Protection (MPIP) and other data loss prevention (DLP) solutions.
4. WIP terms of use URL, WIP discovery URL, WIP compliance URL
- What they are: These URLs are similar in function to their MDM counterparts but are specifically for Windows Information Protection. They point to endpoints for WIP terms, discovery, and compliance status.
- Significance: Like the MDM URLs, these are typically pre-populated and should generally not be changed. The "Restore default WIP URLs" link is also available.
