Intune
Intune Licensing - Device Enrolment
I am looking for some information on Intune and device enrolment licensing. Currently, we have Microsoft Entra ID P1. Our setup is in a hybrid environment. My account (Device Enrolment Manager) has a Microsoft E3 license, which includes Intune. I have configured enrollment profiles, app deployment, the Intune connector for AD, etc. I can enroll devices in Intune using automatic enrolment or Autopilot with a single DEM account; the device is then given to a different user.

For now, I just want to confirm: if I was able to enrol a few devices using my account, and I believe there is a limit of 1000 per DEM, does that mean that if we do not require an Intune device-only license and we don't need additional Intune capabilities, I am OK to keep enrolling devices using a single Device Enrolment Manager account? I just want to make sure we are not breaking any MS license agreements. Or do you require an Intune license as soon as the device is enrolled in Intune, regardless of whether you require additional Intune features? Thanks!
intune device disable

Hello Everyone, help needed. I'm supporting SD teams in our company by providing an automated way to quickly offboard some employees. One of the tasks is to disable Entra device objects. While I can disable the Entra objects using the Intune console, I cannot do that via the Graph API nor via the PowerShell Graph API. Is it possible?
Weird issue accessing netlogon

Got a bit of a weird issue here...

We have just started using AAD machines via Autopilot and Intune and are doing testing on them accessing resources on our current on-prem domain. Got things sorted so they can access file shares and DFS namespace shares perfectly fine and that's all going through, but we are having intermittent issues with netlogon. There seems to be no pattern: trying to hit \\domain\netlogon will work, but trying \\domain.fqdn.gov.uk\netlogon won't. However, without doing anything, trying again a little while later it will be the opposite way around (can access on the full FQDN but not the short name), and, to make it worse, sometimes both work at the same time. Different devices have been tried, and I had two side by side where one could access the short name but not the FQDN and the other could access the FQDN but not the short name.

At the same time, if I try to access any server shares on either the short name or the FQDN then those are fine; it seems to just be an issue with netlogon on the domain. At all times I can browse to \\domain and \\domain.fqdn.gov.uk and the folder list of sysvol and netlogon both appear, but it's just guesswork which is going to work. This happens the same on both our internal network and when connected via Cisco AnyConnect VPN back into our network.

Hopefully someone has come across a similar issue and fixed it! Thanks if you have managed to read this far :)
Intune Reporting

I am new to Intune, having used Group Policy for many years. I understand the basics, but one thing that I can't see is reporting and logging of what Intune is doing on the computer. I can see Event Viewer entries, but there doesn't seem to be logging? Am I missing something, or is there no logging?
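As an added example, not from the thread above: a PowerShell function that pulls the two client-side records of Intune activity on a Windows device, the MDM diagnostics event log (the Event Viewer entries the question mentions) and the Intune Management Extension log files, and summarises recent errors from both. The function name, the 24-hour window and the error pattern are this example's own choices; the event log name and the IME log path are the standard ones on a managed Windows 10/11 device.

```powershell
# Added example, not from the original thread. Run elevated on the managed device.
function Get-IntuneClientActivity {
    [CmdletBinding()]
    param(
        [int] $Hours = 24,
        # Default location of the Intune Management Extension logs on a managed Windows device
        [string] $ImeLogRoot = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 1. MDM client events: each sync session with the Intune service and each CSP setting applied or rejected.
    $mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message)

    # 2. The Intune Management Extension (Win32 apps, PowerShell scripts, remediations) writes plain-text logs;
    #    grep recently written files for error lines. The pattern is this example's choice, not an official one.
    $imeHits = @()
    if (Test-Path -Path $ImeLogRoot) {
        $imeHits = @(Get-ChildItem -Path $ImeLogRoot -Filter '*.log' |
            Where-Object LastWriteTime -ge $since |
            ForEach-Object {
                $name = $_.Name
                Select-String -Path $_.FullName -Pattern 'Error|Exception|failed' |
                    ForEach-Object { [pscustomobject]@{ File = $name; Line = $_.LineNumber; Text = $_.Line.Trim() } }
            })
    }

    [pscustomobject]@{
        Since     = $since
        MdmEvents = $events
        MdmErrors = @($events | Where-Object { $_.LevelDisplayName -in 'Error', 'Critical' })
        ImeErrors = $imeHits
    }
}

$report = Get-IntuneClientActivity -Hours 24
'{0} MDM events ({1} errors) and {2} IME error lines since {3}' -f $report.MdmEvents.Count, $report.MdmErrors.Count, $report.ImeErrors.Count, $report.Since
$report.MdmErrors | Format-Table TimeCreated, Id, Message -Wrap
$report.ImeErrors | Select-Object -First 20 | Format-Table -AutoSize

# 3. Offline bundle for a support case (registry, event logs, enrollment and Autopilot state), typed in cmd.exe
#    (quote the -area value if you run it from PowerShell, where ';' separates statements):
#    MdmDiagnosticsTool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab C:\Temp\MdmDiag.cab
```

The Event Viewer log is where policy results land (each message names the CSP URI and the result code), while anything delivered by the management extension only shows up in the text logs, which is why a search of both is needed to see the whole picture.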
Microsoft Intune Management - Connect securely to Intune with Microsoft Graph and PowerShell!

Dear Microsoft Intune friends,

In this article I will show you how to create a "secure" connection to Microsoft Intune with Microsoft Graph and PowerShell! In this example, we use an app registration in Microsoft Entra ID and a certificate created on the local machine.

Create and export the certificate. I use Visual Studio Code and PowerShell 7.

    $certName = 'IntuneGraphAppCert'
    # Self-signed RSA-2048/SHA-256 signing certificate in the current user's personal store, valid for one year.
    # The private key stays in this store; only the public part is exported below for upload to the app registration.
    $cert = New-SelfSignedCertificate -Subject "CN=$certName" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1)
    # Export-Certificate writes the public certificate (.cer) only, never the private key.
    Export-Certificate -Cert $cert -FilePath "C:\certs\$certName.cer"

Note: The certificate is created in the local certificate store and exported to the folder C:\certs. The certificate is valid for one year.

Create an app registration in Microsoft Azure AD.

1. Go to the Azure portal and create a new app registration in Azure AD.
2. Give the app a name and notice the following.
4. Go to the API permissions and add the following permissions (these serve only as an example).
5. Do not forget to grant admin consent.
6. Go to Certificates & secrets and upload the certificate.

Back in Visual Studio Code and PowerShell!

1. Install the Microsoft.Graph module.

    Install-Module -Name Microsoft.Graph -Verbose -Force -AllowClobber

2. Import the Microsoft.Graph module.

    Import-Module Microsoft.Graph

3. Create some variables.

    $TenantId = '77e01716-a6a2-4f99-b864-xxxxxxxxxxxx'
    $AppId = '5c14b994-2290-4f84-9069-xxxxxxxxxxxx'
    $certName = 'IntuneGraphAppCert'
    # Pick the certificate (with its private key) from the store by subject; if several share this CN, select by thumbprint instead.
    $Cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq "CN=$certName" }

4. Connect to Microsoft Graph.

    # Certificate-based app-only authentication: no signed-in user and no client secret on disk.
    Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $Cert

5. We check the permissions.

    # With app-only auth this lists the application permissions (app roles) granted to the app registration.
    (Get-MgContext).Scopes

HAPPY CONNECTING!!

I am fully aware that this is only as good as the physical machine is secured. However, I would like to share my experiences with you.
Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
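As an added example that is not part of Tom's article: the same certificate-based connection, wrapped in the checks a practitioner would want before trusting it. The certificate is selected by thumbprint rather than subject name (a second certificate with the same CN cannot be picked up), its expiry is checked, the resulting context is verified to be app-only, the app roles the script needs are compared with the roles the token actually carries, and one read-only Intune query proves the token works before the session is dropped. $TenantId, $AppId, the thumbprint and the example role DeviceManagementManagedDevices.Read.All are placeholders; the script assumes Microsoft Graph PowerShell SDK v2 (where -NoWelcome exists).

```powershell
# Added example (not from the original article): certificate-based app-only Graph connection
# with pre- and post-connection checks. All identifiers below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $CertThumbprint,   # pin by thumbprint, not by subject name
    # App roles this script needs; assumed example value, adjust to what the app registration was granted
    [string[]] $RequiredRoles = @('DeviceManagementManagedDevices.Read.All')
)

# 1. Locate the certificate by thumbprint and make sure the private key is actually present here.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$CertThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $CertThumbprint has no private key in this store." }

# 2. Refuse an expired certificate and warn when rotation is due (the article's certificate lives one year).
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0) { throw "Certificate expired on $($cert.NotAfter)." }
if ($daysLeft -lt 30) {
    Write-Warning "Certificate expires in $daysLeft days; rotate it and upload the new public key to the app registration."
}

# 3. App-only connection: no user prompt, no client secret. -NoWelcome suppresses the banner (SDK v2).
Connect-MgGraph -TenantId $TenantId -ClientId $AppId -Certificate $cert -NoWelcome -ErrorAction Stop

# 4. Verify what we actually got: app-only auth, and every required app role present (i.e. admin consent granted).
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    Disconnect-MgGraph | Out-Null
    throw "Expected app-only authentication, got $($ctx.AuthType)."
}
$missing = @($RequiredRoles | Where-Object { $_ -notin $ctx.Scopes })
if ($missing.Count -gt 0) {
    Disconnect-MgGraph | Out-Null
    throw "App registration is missing roles: $($missing -join ', ')"
}
# Roles beyond the required list are a least-privilege finding, not an error.
$extra = @($ctx.Scopes | Where-Object { $_ -notin $RequiredRoles })
if ($extra.Count -gt 0) { Write-Warning "App holds roles this script does not need: $($extra -join ', ')" }

# 5. One read-only call against Intune to prove the token is usable, then always drop the session.
try {
    Get-MgDeviceManagementManagedDevice -Top 5 -Property 'deviceName', 'operatingSystem', 'complianceState', 'lastSyncDateTime' |
        Select-Object DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime |
        Format-Table -AutoSize
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Save it as a .ps1 and call it with the three mandatory parameters. The role comparison is the part worth keeping in any automation: the article's step 5 prints the scopes for a human to read, whereas failing hard when a role is missing, and warning when the app carries more than the script needs, turns that into a check that runs every time.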
Firewall Rules: Transitioning from GPO to Intune

I migrated the firewall rules from a GPO to Intune and successfully applied them to my devices. Now I want to remove the firewall rules from the GPO. My question is: will the firewall rules deployed via Intune be automatically applied to my devices once I remove those from the GPO? For security reasons, I don't want to leave certain ports open when removing the GPO.
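As an added example, not from the thread: the check to run on a test device before and after unlinking the GPO. It reads the effective rule set from ActiveStore (the merged view of local, Group Policy and MDM-delivered rules), filters to the ports you are worried about, and reports where each rule came from, so you can confirm the Intune copies are live before the GPO copies disappear. The function name and the port list are this example's own.

```powershell
# Added example, not from the original thread. Run elevated on a test device before and
# after the firewall GPO is unlinked, and compare the two outputs.
function Get-EffectiveFirewallRule {
    [CmdletBinding()]
    param(
        # Local ports to report on (for example 445, 3389). Empty means every enabled rule.
        [int[]] $LocalPort = @(),
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound'
    )

    # $true when a port filter's LocalPort spec ('Any', '445', '49152-65535', or a list) covers $Port.
    function Test-PortSpec([string[]] $Spec, [int] $Port) {
        foreach ($s in $Spec) {
            if ($s -eq 'Any') { return $true }
            if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
            if ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
            # named specs such as 'RPC' or 'IPHTTPS' are not plain port numbers and are skipped
        }
        return $false
    }

    # ActiveStore is the merged, effective policy: local rules, GPO rules and Intune (Firewall CSP) rules together.
    Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction $Direction | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        if ($LocalPort.Count -gt 0) {
            # A port only matters for TCP/UDP (or protocol 'Any') rules
            if ($pf.Protocol -notin 'TCP', 'UDP', 'Any') { return }
            $covered = $false
            foreach ($p in $LocalPort) { if (Test-PortSpec $ports $p) { $covered = $true; break } }
            if (-not $covered) { return }
        }
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Action    = $rule.Action
            Profile   = $rule.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($ports -join ',')
            Source    = $rule.PolicyStoreSourceType   # GroupPolicy for GPO rules; note what the Intune-pushed rules report
            Store     = $rule.PolicyStoreSource
        }
    }
}

# Anything currently allowing inbound 445 or 3389, and who delivered it.
Get-EffectiveFirewallRule -LocalPort 445, 3389 | Where-Object Action -eq 'Allow' | Format-Table -AutoSize

# Rule count per source: the GroupPolicy bucket should drop to zero once the GPO is gone,
# while the rules you migrated must still appear under their Intune source.
Get-EffectiveFirewallRule | Group-Object Source | Select-Object Name, Count
```

Take the first listing before the GPO is unlinked, then again after a gpupdate and an Intune sync; any port that was covered only by a GroupPolicy-sourced rule in the first run is the one to look at.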
Exclude/Allow Particular non-managed devices from Conditional access policy without enrolling

Hello Experts

How can I exclude or allow some particular personal (non-company-managed) devices from a Conditional Access policy without enrolling or joining them to Intune or Entra? For example, I have created some Conditional Access policies, and now we want to allow some personal devices to be able to log in to Office or Outlook from two or three personal Android devices which are unmanaged or not company-managed. Can we achieve this using these devices' unique ID or ICCID? If possible, please give some hint or clue. Thank you.
Unable to change MDM Authority to Intune?!

Alright folks, I've been beating my head against a wall for two weeks and I can't do it any longer. I'll preface this with, "I'm new to this." That said, I'm great at figuring stuff out, but the documentation on this process is lacking in so many ways.

I've come on with a company that was, as far as I can tell, not managing their devices (in this case, Windows devices). I set about learning everything I could about Entra/Azure (whatever we're calling it these days) and Intune, registering devices, enrolling devices, etc. We currently pay for 25 Intune licenses. I have one. My Test User account has one. My DEM user has one (which I've set up as a DEM in Intune). And one of our actual employees has one.

I'm trying to enroll two devices as a test. Both were set up as an OOBE (one brand new and one wiped and reset). For one I used 'Work/School' login on startup and signed in with my DEM account. For the other I used 'Work/School' and signed in with my Test User account. I knew to make sure our MDM Authority was set to Intune prior to starting the process. I checked and it's currently reading as "Microsoft Office 365" (see image).

I've read about an 'orange bar.' I don't have an orange bar. I read about, "Depending on whether your tenant was pre or post 1911 Service Release, Intune is automatically set as your MDM." and "If Mobile Device Management Authority was set, you cannot change this." If I don't have an orange bar and the MDM Authority reads "Microsoft Office 365", does this mean, at some point, our MDM was set to "Microsoft Office 365"? And, if so, according to the "...if [it] was set, you cannot change this", am I forever stuck with that as our MDM Authority?? This would seem silly.

Second. In Entra/Azure the two devices I've been using to try and understand this convoluted process say they are being managed (MDM) by "Office 365 Mobile." What the actual... is Office 365 Mobile really Microsoft Office 365 which is really Intune???? I'm lost. (see image)

To make matters worse/more confusing, in Intune when I look at the devices, it says the devices' MDM is INTUNE!?!! (see image) *mind blown

I don't really know what I'm missing. I keep reading something about adding Intune as an MDM Authority and being able to choose which Authority I am using to manage devices but, as with everything Microsoft, who knows what's changed since all of this documentation, blog posts, etc. were written. I can't, for the life of me, find anywhere to 'add' Intune or change the MDM Authority. Can someone PLEASE help me understand this. I've been at this for weeks, I have a timeline as we're rolling out a bunch of new devices and I don't want to miss this opportunity to do it the right way. I feel like I'm getting close but, on top of being unsure of whether they are even actually being managed by Intune, none of the basic policies I've created are being pushed to the devices regardless of how many times I've checked to make sure the users are in the right group, etc. I feel like I've tried everything. I'm pulling my hair out.

UPDATE: I put in a support ticket with Microsoft as well and received a very quick response/phone call from Microsoft with some explanation and a solution to the first part of this journey. According to the Microsoft technician, at one point there was a Microsoft 365 E5 license in our tenant which comes with Intune (our current licensing only included Office 365 licenses when I started, but I have convinced them to add a few Intune licenses) and the MDM Authority was set at that time. He very quickly provided me a link (by email) to the "Change MDM Authority" blade which I have been trying to find for a week! It, apparently, is hidden/gone once your MDM Authority is set. I've now, very easily, been able to change the MDM Authority to Intune! Argh. So, now off to unenroll and re-enroll these test devices and see if it solves the follow-up issues.

For anyone having similar issues, here is the link: https://intune.microsoft.com/#view/Microsoft_Intune_Enrollment/ChooseMDMAuthorityBlade