Thursday, 17 July 2025

Microsoft Intune: Device Management and MDM authority Configuration

Steps to configure device management in Microsoft Intune (formerly Microsoft Endpoint Manager). The steps below cover the process end to end, with explanations, and are aimed at admins setting up device management for the first time.

✅ 1. Prerequisites

Before starting, ensure the following:

✅ Licenses Required:

  • Microsoft Intune, Microsoft 365 E3/E5, or EMS E3/E5
  • Microsoft Entra ID (formerly Azure AD); automatic MDM enrollment of Windows devices additionally requires Entra ID P1 or P2

✅ Admin Access:

  • An account holding the Global Administrator or Intune Administrator role (the same roles listed under Prerequisites further down)

Before configuring device management, we need to configure the MDM authority:

🔐 1. It Enables Intune to Manage Devices

When you configure the MDM authority, you are telling Microsoft 365:

"Intune is the system that will manage and enforce mobile device policies for this tenant."

Until the MDM authority is set, devices cannot enroll or be managed, even if licenses are assigned and policies have been created.

⚙️ 2. Prevents Conflicts Between Tools

A tenant has exactly one MDM authority. The configurations Microsoft supports are:

  • Microsoft Intune standalone (cloud only)
  • Intune co-management (Configuration Manager clients attached to Intune; the MDM authority is still Intune, and Configuration Manager only keeps the workloads you have not switched over)
  • Basic Mobility and Security for Microsoft 365 (shown as the "Office 365" authority)

The old hybrid MDM mode, in which Configuration Manager itself was the MDM authority, was retired by Microsoft in 2019. If no authority is set explicitly, Intune does not know which service is in charge, and device enrollment cannot proceed.

Configuring the MDM (Mobile Device Management) authority in Microsoft Intune is a critical initial step because it defines how devices will be managed and establishes the management framework for your organization.

Steps to configure the MDM authority:

--> Go to: Microsoft Intune admin center (https://intune.microsoft.com)

--> If the authority has not been set yet, an orange "MDM authority" banner is shown at the top of the page; select it

--> Choose: Microsoft Intune (MDM authority)

--> Verify: Tenant administration > Tenant status lists the MDM authority under Tenant details

When setting up device management in Microsoft Intune, one of the most critical decisions you'll make is configuring the Mobile Device Management (MDM) authority and, with it, how your devices are managed: either entirely through Intune (Intune standalone) or through a hybrid approach in which Configuration Manager clients are attached to Intune (co-management). Your choice directly impacts device enrollment, compliance, and overall control within your organization.


Understanding the MDM Authority

The MDM authority determines the primary management tool for your devices. You have two main options:

  • Intune Standalone: This is a cloud-native solution where all device management tasks (enrollment, configuration, compliance, and reporting) are handled directly within the Intune admin center. It's ideal for organizations looking for a streamlined, cloud-based approach.
  • Co-management with Configuration Manager: This hybrid option allows you to manage devices using both Intune and Configuration Manager. Intune remains the MDM authority; co-management is switched on from the Configuration Manager console (Administration > Cloud Services > Cloud Attach), and workloads such as compliance policies or Windows Update policies are moved to Intune one at a time. It's often used by organizations with an existing Configuration Manager infrastructure that want to transition gradually.
     More detail on Intune Standalone versus co-management follows below.

Important Considerations Before You Begin

Choosing your MDM authority is a tenant-wide decision that affects all devices managed by your Intune tenant. Changing it later means devices have to be unenrolled and re-enrolled, which can be a significant undertaking, so careful planning is essential.

If you are still on the retired hybrid MDM configuration (Configuration Manager acting as the MDM authority), do not simply flip the authority to Intune standalone and hope for the best: the existing integration stops working, and Microsoft's documented migration path must be followed before devices will enroll again. Co-management does not use hybrid MDM and needs no authority change.


Prerequisites

Before configuring your MDM authority, ensure you have:

  • Global Administrator or Intune Administrator role: These permissions are required to modify the MDM authority setting.
  • Active Intune Subscription: A valid Intune subscription is necessary.
  • Clear Device Management Strategy: Determine whether a solely Intune-based approach or a hybrid co-management approach aligns best with your organization's needs.
  • Configuration Manager Setup (if choosing Co-management): Ensure Configuration Manager is current and its cloud attach (co-management) settings are configured; the clients still enroll with Intune as the MDM authority.

Steps to Configure the MDM Authority

Follow these steps to set up your MDM authority in Microsoft Intune:

  1. Sign in to the Microsoft Intune admin center: Go to https://intune.microsoft.com (the older https://endpoint.microsoft.com address redirects there) and sign in with an account that has the necessary administrative permissions.
  2. Navigate to Tenant administration: In the left-hand navigation pane, click on Tenant administration.
  3. Open the MDM authority setting: If the tenant has no authority yet, an orange MDM authority banner is shown; otherwise the current value appears under Tenant status > Tenant details.
  4. Choose your MDM authority: On the MDM Authority page, you'll see the current setting or options to configure it for the first time:
    • Intune MDM Authority: Select this to manage devices through Intune. This is also the correct choice for co-management, which is configured afterwards from the Configuration Manager console rather than by picking a different authority.
    • Configuration Manager MDM Authority: This was the retired hybrid MDM option; do not select it for new deployments.
  5. Confirm your selection: A confirmation message will appear. Read it carefully, understanding the implications of your choice.
  6. Click "Change to [Selected Authority]": Confirm your selection to update the MDM authority.
  7. Verification: The MDM Authority page will then display your newly selected MDM authority.
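The same check and change can be done from PowerShell against Microsoft Graph, which is handy for scripted tenant builds and for a second pair of eyes before a change. This is an added example, not code from the original post or from Microsoft: it assumes the Microsoft.Graph PowerShell SDK is installed, and it relies on the `mobileDeviceManagementAuthority` property of the `organization` resource and the `setMobileDeviceManagementAuthority` action from the Intune onboarding part of the Graph API; the exact permission scopes used are an assumption to verify against your tenant.

```powershell
# Added example (not from the original post): read, and optionally set, the tenant's MDM
# authority through Microsoft Graph instead of the portal.
# Assumes Install-Module Microsoft.Graph has been run. The Graph property/action names and
# the permission scopes below are taken from the Intune onboarding API and are assumptions
# you should confirm in your tenant.

function Get-TenantMdmAuthority {
    # Organization.Read.All is sufficient to read the property.
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome
    $org = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/organization?$select=id,displayName,mobileDeviceManagementAuthority'
    $o = $org.value[0]
    [pscustomobject]@{
        TenantId     = $o.id
        TenantName   = $o.displayName
        MdmAuthority = $o.mobileDeviceManagementAuthority   # unknown | intune | sccm | office365
    }
}

function Set-TenantMdmAuthorityToIntune {
    param([Parameter(Mandatory)][string]$TenantId)
    # Tenant-wide, one-way decision: needs the write scope and a deliberate confirmation.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' -NoWelcome
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/organization/$TenantId/setMobileDeviceManagementAuthority"
}

$state = Get-TenantMdmAuthority
$state | Format-List

switch ($state.MdmAuthority) {
    'intune'    { Write-Host 'MDM authority is Intune: devices can enroll.' }
    'office365' { Write-Warning 'MDM authority is Basic Mobility and Security (Office 365); migrate to Intune before expecting Intune policies.' }
    'sccm'      { Write-Warning 'MDM authority is Configuration Manager (retired hybrid MDM); follow the documented migration to Intune.' }
    default {
        Write-Warning 'MDM authority is not set; enrollment will fail until it is.'
        if ((Read-Host 'Set MDM authority to Intune now? This is a tenant-wide change (y/N)') -eq 'y') {
            Set-TenantMdmAuthorityToIntune -TenantId $state.TenantId
            Get-TenantMdmAuthority | Format-List
        }
    }
}
```

Run the read part from any admin workstation; the set part only fires when the authority is still unset and you answer the prompt, which mirrors the confirmation dialog in the portal.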

Choosing the Right MDM Authority

Selecting the appropriate MDM authority is crucial for your device management strategy. Consider these factors:

  • Current Infrastructure: If you have a significant existing investment in Configuration Manager, co-management might be the most practical option. For new setups or a desire for simpler management, Intune Standalone could be more suitable.
  • Device Types: Intune Standalone is excellent for modern devices like smartphones and tablets. Co-management offers benefits if you manage a mix of modern and traditional devices.
  • Management Requirements: If you require extremely granular control over device settings and applications, Configuration Manager's capabilities might be necessary. For a more simplified, cloud-based experience, Intune Standalone might be a better fit.
  • Migration Strategy: Co-management provides a gradual path if you plan to migrate from Configuration Manager to Intune over time.
  • Future Goals: Consider your long-term vision for device management. Co-management can help bridge the gap if your ultimate goal is to move all devices to Intune.

Troubleshooting Tips

  • Error message when changing MDM authority: Verify you have Global Administrator or Intune Administrator permissions and an active Intune subscription.
  • Devices not enrolling after changing MDM authority: Devices must be unenrolled and re-enrolled after an MDM authority change.
  • Co-management not working: Co-management does not depend on the MDM authority choice (it stays Intune). Check the cloud attach settings in the Configuration Manager console and the co-management enrollment status on the client instead of changing the tenant's MDM authority.

------------------------------------------------------------------------------------------------------- 

Configure Device Enrollment:

Device enrollment is the process of registering a device with Microsoft Intune, allowing it to be managed and secured by your organization. Once enrolled, devices can receive policies, apps, and configurations, ensuring compliance with your security standards.

Microsoft Intune Automatic Enrollment Configuration:

The "Automatic Enrollment" page is found under Home > Devices > Enrollment > Microsoft Intune in the Intune admin center; it is the same blade that the Microsoft Entra admin center shows under Identity > Mobility (MDM and MAM) > Microsoft Intune. This page is where you configure how Windows devices automatically enroll into Intune.

Let's break down each section:

1. MDM user scope

  • What it is: This crucial setting determines which users in your Microsoft Entra ID (formerly Azure Active Directory) tenant will automatically have their Windows devices enrolled into Intune for Mobile Device Management (MDM).
  • Options:
    • None: No users' devices will automatically enroll for MDM. You would typically select this if you want to prevent automatic enrollment or are using a different enrollment method for all devices.
    • Some: This allows you to select specific Microsoft Entra ID security groups. Only users who are members of these selected groups will trigger automatic MDM enrollment when their devices meet the conditions (e.g., Entra ID Join or Hybrid Entra ID Join). This is ideal for phased rollouts, testing, or managing specific sets of users.
    • All: All users in your Microsoft Entra ID tenant will have their devices automatically enrolled for MDM if the enrollment conditions are met. This is commonly used for broad, corporate-wide deployments.
  • Significance: This is the primary control for enabling or disabling automatic MDM enrollment for your users. Note that the scope is evaluated per user, not per device: a device joined by a user outside the scope will be Entra-joined but not enrolled, which is a common reason for "device joined but no policies arrive" tickets. If a user is in both the MDM scope and the WIP/MAM scope below, an Entra-joined (corporate) device enrolls in MDM, while an Entra-registered (personal) device receives only the WIP/MAM policy.

2. MDM terms of use URL, MDM discovery URL, MDM compliance URL

  • What they are: These are URLs that Windows devices use to communicate with the Intune service during the automatic enrollment process.
    • MDM terms of use URL (https://portal.manage.microsoft.com/TermsofUse.aspx): If you want to present users with terms and conditions they must accept before their device is enrolled, this URL points to that agreement. By default, it uses Microsoft's standard terms.
    • MDM discovery URL (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc): This is the most critical URL. When a device attempts to automatically enroll, it contacts this URL to "discover" the Intune enrollment service. This URL directs the device to the correct Intune endpoint for your tenant.
    • MDM compliance URL (https://portal.manage.microsoft.com/?portalAction=Compliance): This URL is used to direct users to a compliance portal if their device is found to be non-compliant with Intune policies. It provides a link where users can see why their device is not compliant and what steps they need to take.
  • Significance: These URLs are pre-populated by Microsoft and are specific to the Intune service. It is strongly advised NOT to change these default URLs unless you have a highly customized or third-party MDM integration scenario, as altering them will break automatic enrollment with Intune. The "Restore default MDM URLs" link below them serves as a safeguard. There is a security angle as well: whoever controls the discovery URL decides which management server every newly joined Windows device trusts and hands its management channel to, so treat any change to these values as a sensitive tenant change, restrict the roles that can edit this page, and review changes to the mobility policy in the Entra audit logs.
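The user scope and the three MDM URLs can be audited without opening the portal, which is useful as a scheduled drift check. The following is an added example, not code from the original post or from Microsoft: it assumes the Microsoft.Graph PowerShell SDK, and it reads the mobility policy from the beta `/policies/mobileDeviceManagementPolicies` Graph resource with the `Policy.Read.MobilityManagement` scope; both the resource shape and the scope are assumptions to confirm in your tenant. The expected URLs are the Microsoft defaults listed above, and the first policy fed to the check is a constructed sample with a tampered discovery URL, so the detection logic can be seen working before the live call.

```powershell
# Added example (not from the original post): audit the Intune automatic-enrollment
# (mobility) policy and flag drift from the Microsoft default URLs or an empty scope.
# Assumes the Microsoft.Graph SDK; the beta mobileDeviceManagementPolicies resource and the
# Policy.Read.MobilityManagement scope are assumptions about your tenant.

$ExpectedMdmUrls = @{
    discoveryUrl  = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    termsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    complianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}

function Test-MdmEnrollmentPolicy {
    param($Policy, [hashtable]$Expected = $ExpectedMdmUrls)
    # Returns a list of findings; an empty list means the policy matches the defaults.
    $findings = @()
    foreach ($name in $Expected.Keys) {
        if ($Policy.$name -ne $Expected[$name]) {
            $findings += "$name is '$($Policy.$name)', expected '$($Expected[$name])'"
        }
    }
    switch ($Policy.appliesTo) {
        'none'     { $findings += 'MDM user scope is None: no Windows device will auto-enroll' }
        'selected' { if (-not $Policy.includedGroups) { $findings += 'MDM user scope is Some but no groups are assigned' } }
    }
    return $findings
}

# Constructed sample (not a real tenant): scope is Some with no groups, and the discovery
# URL has been pointed somewhere other than Intune. Both must be reported.
$sample = @{
    displayName    = 'Microsoft Intune'
    appliesTo      = 'selected'
    includedGroups = @()
    discoveryUrl   = 'https://enrollment.example.invalid/enrollmentserver/discovery.svc'
    termsOfUseUrl  = $ExpectedMdmUrls.termsOfUseUrl
    complianceUrl  = $ExpectedMdmUrls.complianceUrl
}
'--- constructed sample ---'
Test-MdmEnrollmentPolicy -Policy $sample | ForEach-Object { Write-Warning $_ }

# Live check against the tenant.
'--- live tenant ---'
Connect-MgGraph -Scopes 'Policy.Read.MobilityManagement' -NoWelcome
$resp = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies?$expand=includedGroups'
$intune = $resp.value | Where-Object { $_.displayName -eq 'Microsoft Intune' }

"MDM user scope: $($intune.appliesTo)"
if ($intune.includedGroups) {
    'Groups: ' + (($intune.includedGroups | ForEach-Object { $_.displayName }) -join ', ')
}
$issues = @(Test-MdmEnrollmentPolicy -Policy $intune)
if ($issues.Count -eq 0) { 'Automatic enrollment policy matches Microsoft defaults.' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

If the live check reports a URL mismatch you did not make on purpose, use the "Restore default MDM URLs" link on the page and then look in the Entra audit log for who changed it and when.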

3. Windows Information Protection (WIP) user scope

  • What it is: This section pertains to Windows Information Protection (WIP), a feature (now being deprecated by Microsoft in favor of Microsoft Purview solutions) designed to prevent corporate data leakage on Windows devices. It works by classifying corporate data and restricting its movement to unmanaged apps or personal locations.
  • Options: Similar to MDM user scope, you can choose:
    • None: WIP policies are not applied to any users automatically.
    • Some: WIP policies are automatically applied only to users in specified Microsoft Entra ID security groups.
    • All: WIP policies are automatically applied to all users in the tenant.
  • Note on WIP Deprecation: While these settings are still visible in the portal, Microsoft has announced the deprecation of WIP, and the Entra admin center now labels this section "MAM user scope" (with matching "MAM ... URL" fields) rather than WIP. For new implementations, it's recommended to explore Microsoft Purview Information Protection (MPIP) and other data loss prevention (DLP) solutions.

4. WIP terms of use URL, WIP discovery URL, WIP compliance URL

  • What they are: These URLs are similar in function to their MDM counterparts but are specifically for Windows Information Protection. They point to endpoints for WIP terms, discovery, and compliance status.
  • Significance: Like the MDM URLs, these are typically pre-populated and should generally not be changed. The "Restore default WIP URLs" link is also available.
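Once the tenant side is configured, the practical question is whether a given Windows device actually received these URLs and enrolled against them. The script below is an added example, not code from the original post or from Microsoft, meant to be run in an elevated PowerShell on the device. It parses `dsregcmd /status` (which reports the join state and the MdmUrl, MdmTouUrl and MdmComplianceUrl the device was handed), reads the enrollment records under HKLM:\SOFTWARE\Microsoft\Enrollments, and warns when the enrollment does not point at the Intune discovery endpoint from the list above or when a hybrid-joined device lacks the auto-enrollment policy. The registry value names and the dsregcmd field names are as observed on current Windows 10/11 builds; the sample dsregcmd output is constructed so the parser can be exercised off-device.

```powershell
# Added example (not from the original post): device-side verification of Windows
# automatic MDM enrollment. Run elevated on the device being checked.
# dsregcmd field names and the Enrollments registry layout are as seen on current Windows
# builds and should be treated as assumptions; the sample text below is constructed.

$ExpectedDiscoveryUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'

function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    # dsregcmd /status prints "   Key : Value" rows; collect them into a hashtable.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-IntuneEnrollments {
    # Each enrollment is a GUID subkey; Intune's MDM provider is 'MS DM Server'.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{n = 'EnrollmentId'; e = { $_.PSChildName }}, UPN, EnrollmentType, EnrollmentState, DiscoveryServiceFullURL
}

# Constructed sample of dsregcmd /status output, so the parser can be tested anywhere.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
'@ -split "`n"
$parsed = ConvertFrom-DsregcmdStatus -Lines $sample
"Sample: AzureAdJoined=$($parsed.AzureAdJoined) MdmUrl=$($parsed.MdmUrl)"

# Live checks on this device.
$live = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
if ($live.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Entra-joined (or hybrid-joined); automatic MDM enrollment will not trigger.'
}
if (-not $live.MdmUrl) {
    Write-Warning 'No MdmUrl received: the signed-in user is probably outside the MDM user scope.'
} elseif ($live.MdmUrl -ne $ExpectedDiscoveryUrl) {
    Write-Warning "MdmUrl from Entra is '$($live.MdmUrl)', expected '$ExpectedDiscoveryUrl'"
}
if ($live.DomainJoined -eq 'YES' -and $live.AzureAdJoined -eq 'YES') {
    # Hybrid-joined devices also need the 'Enable automatic MDM enrollment' policy.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    if ($pol.AutoEnrollMDM -ne 1) { Write-Warning 'Hybrid-joined device without AutoEnrollMDM=1 policy; enrollment task will not be created.' }
}

$enrollments = @(Get-IntuneEnrollments)
if ($enrollments.Count -eq 0) { Write-Warning 'No Intune (MS DM Server) enrollment found on this device.' }
foreach ($e in $enrollments) {
    $e | Format-List
    if ($e.DiscoveryServiceFullURL -ne $ExpectedDiscoveryUrl) {
        Write-Warning "Enrollment $($e.EnrollmentId) was performed against an unexpected discovery URL."
    }
}
```

A device that shows AzureAdJoined YES but no MdmUrl is the classic symptom of a user who is outside the MDM user scope; one whose enrollment record points at a discovery URL other than the Intune endpoint is worth treating as an incident rather than a misconfiguration until proven otherwise.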