Case Study: Implementing Microsoft 365 and Intune for Secure Hybrid Device Management

By /

Case Study: Fabrikam Ltd. — Implementing Microsoft 365 and Intune for Modern Device Management

Company Overview

Fabrikam Ltd. is a global logistics and supply chain company headquartered in Chicago with two regional offices in Austin and Toronto.
The company employs over 3,800 people and operates across multiple platforms and devices, with both Windows and mobile ecosystems used daily by staff.

LocationEmployeesLaptopsDesktopsMobile Devices
Chicago2,0002,2004002,500
Austin1,2001,3001501,800
Toronto60065050900

Fabrikam has recently purchased a Microsoft 365 E5 subscription to centralize identity, productivity, and endpoint security. The IT department plans to use Microsoft Intune and Microsoft Defender for Endpoint to manage, secure, and monitor all user devices globally.

Existing Environment

The organization maintains an on-premises Active Directory domain named fabrikam.local, synchronized to Azure AD (Microsoft Entra ID) using Azure AD Connect.
All servers run Windows Server 2019, and workstations are running Windows 11 Enterprise joined to the local AD domain.

Server Infrastructure:

Server NameRole/Configuration
SRV-DC01Domain Controller
SRV-NPS01Network Policy Server (NPS)
SRV-FS01File and Print Server
SRV-ADC01Azure AD Connect Server
SRV-SEC01Security Server hosting ATP sensor

Device and Platform Overview:

  • Chicago users primarily use Windows 11 laptops and Android mobile devices.
  • Austin users are mixed with Windows laptops and iOS devices.
  • Toronto users operate thin clients and a mix of iPhones and Android phones.
  • All desktops and laptops are domain-joined, but mobile devices are unmanaged and rely on basic Exchange ActiveSync policies.

Cloud Configuration and Azure AD Roles

Azure AD (Microsoft Entra ID) hosts synchronized users with the following administrative assignments:

UserAzure AD Role
AliceGlobal Administrator
BobIntune Administrator
CarolApplication Administrator
DaveCloud App Security Administrator
ErinSecurity Operator

Fabrikam also maintains a cloud security group named “FieldOpsTeam”, which is used for device and app access control in Microsoft 365.

Planned Changes

The IT team plans a phased modernization project to enhance identity, compliance, and device management. Key initiatives include:

  1. Deploy Microsoft 365 enterprise applications across all user accounts.
  2. Manage Windows, iOS, and Android devices using Microsoft Intune with full compliance enforcement.
  3. Implement Microsoft Defender for Endpoint and Defender for Identity to detect and respond to threats in real time.
  4. Automate Windows feature update deployments using Intune:
    • Apply updates every June for all global offices.
    • Apply pilot updates in Austin every December before the global rollout.

Technical and Compliance Requirements

Technical Objectives

  • Automatic Device Enrollment:
    All Windows 11 devices joined to Azure AD must automatically enroll in Microsoft Intune.
  • Dedicated Technicians for Mobile Enrollment:
    Only designated support technicians in Chicago should be able to enroll Android devices.
  • Regional Device Management:
    Alice (Global Admin) should handle Toronto devices, while Bob (Intune Admin) manages Austin and Chicago.
  • Identity Security Monitoring:
    Defender for Identity sensors must be deployed on domain controllers (DCs) and should not use port mirroring.
  • Principle of Least Privilege:
    Assign roles minimally — technicians manage enrollments, admins handle policy creation.
  • App Deployment:
    Establish a Microsoft Store for Business to control enterprise app distribution through Intune.

Compliance and Security Requirements

  • Users in the FieldOpsTeam group should only access Microsoft Exchange Online through Intune-managed, compliant devices.
  • Implement Windows Information Protection (WIP) to safeguard corporate data on user devices.
  • Apply Conditional Access policies to ensure data access from secure, compliant devices only.
  • Configure Defender for Endpoint with strict compliance evaluation and non-compliance remediation policies.

Configuration Steps

1. Configure Azure AD Device Settings

In the Microsoft Entra admin center:

  1. Navigate to Devices > Device Settings.
  2. Enable Users may join devices to Azure AD → “Selected” (restrict to IT and FieldOpsTeam).
  3. Enable Users may register their devices → “All”.
  4. Enforce Multi-Factor Authentication (MFA) for Azure AD Join.
  5. Add Alice and Bob as local device administrators for troubleshooting.

2. Link Intune as the MDM Authority

  1. Go to Entra ID > Mobility (MDM and MAM) > Microsoft Intune.
  2. Set the MDM user scope to “All”.
  3. Set the MAM user scope to “None” (unless managing BYOD apps).
  4. Save configuration to establish the MDM link between Entra ID and Intune.

3. Configure Automatic Enrollment in Intune

In the Intune Admin Center:

  1. Navigate to Devices > Enroll devices > Automatic Enrollment.
  2. Ensure the MDM user scope matches Azure AD.
  3. Set enrollment to occur automatically upon Azure AD Join or Hybrid Join.

4. Enforce Device Compliance Policies

  1. Go to Intune > Devices > Compliance Policies.
  2. Create a Windows 11 compliance policy:
    • Require BitLocker encryption.
    • Require secure boot.
    • Enforce password complexity.
    • Require Defender Antivirus and up-to-date definitions.
  3. Assign the policy to all users in the FieldOpsTeam group.

5. Apply Configuration Profiles (Windows Information Protection)

  1. Navigate to Intune > Devices > Configuration profiles.
  2. Create a Windows 10 and later profile.
  3. Select Windows Information Protection (WIP) template.
  4. Configure:
    • Protection mode: Allow overrides.
    • Corporate boundary: fabrikam.local, fabrikam.com.
    • Enforced apps: Microsoft Edge, Office 365, OneDrive.
  5. Assign to FieldOpsTeam.

6. Deploy Defender for Identity Sensors

  • Install the sensor directly on SRV-DC01 (Domain Controller).
  • Register it with the Defender for Identity portal.
  • Configure alerts and telemetry collection within Microsoft 365 Security Center.
  • No port mirroring needed — it integrates directly with the domain controller’s network stack.

Verification and Testing

  1. Join a test Windows 11 laptop to Azure AD — confirm automatic Intune enrollment.
  2. Verify compliance policies apply correctly and mark the device as compliant.
  3. Access Exchange Online — confirm access is granted only through managed devices.
  4. Review logs in the Defender for Identity portal for any authentication alerts.
  5. Use Intune reporting to confirm configuration and compliance states.

Summary

Through this setup, Fabrikam Ltd. achieves a secure, modern management structure:

  • Azure AD handles identity and access.
  • Intune manages devices, policies, and app deployment.
  • Defender for Identity and Endpoint safeguard against internal and external threats.
  • Conditional Access and WIP enforce data protection and compliance across the organization.

This hybrid approach ensures consistent security policies, streamlined updates, and unified device visibility — a key step in Fabrikam’s journey to full Zero Trust implementation.

LinkedInCopyPinterestRedditTelegram

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by
Scroll to Top