Step-by-Step Guide: How to Configure Azure AD and Intune for Device Enrollment and Management
Setting up Microsoft Intune requires configurations across Azure AD (now Microsoft Entra ID) and Intune Admin Center. Both environments work together to enable secure device registration, automatic enrollment, and management through policies and compliance controls. Below is a detailed walkthrough showing exactly how to configure each part.
🔹 Part 1: Configure Required Settings in Azure AD (Microsoft Entra ID)
Azure AD acts as the identity backbone for Intune. You’ll configure Device Settings and Mobility (MDM and MAM) to connect it to Intune.
Step 1: Configure Device Settings
Purpose:
Control which users can register or join devices to Azure AD, and specify administrative privileges for joined devices.
Navigation Path:
- Sign in to the Microsoft Entra admin center: https://entra.microsoft.com
- Go to Devices > Device settings.
Configure the following:
| Setting | Recommended Configuration | Description |
|---|---|---|
| Users may join devices to Azure AD | Selected or All | Choose “Selected” for better control—typically assign to an Intune enrollment group. |
| Additional local administrators on Azure AD joined devices | Add IT admins or Helpdesk groups | Grants them admin rights on AAD-joined devices. |
| Users may register their devices with Azure AD | All | Required for BYOD and MAM enrollment. |
| Require Multi-Factor Authentication to join devices | Yes | Strengthens security during enrollment. |
Save your changes once all options are configured.
Step 2: Configure Mobility (MDM and MAM)
Purpose:
This connects Azure AD with Microsoft Intune and defines which users’ devices automatically enroll for MDM or MAM.
Navigation Path:
- In the Entra admin center, go to Mobility (MDM and MAM) under Devices.
- Click Microsoft Intune from the list.
Under the Microsoft Intune configuration page:
| Setting | Recommended Configuration | Description |
|---|---|---|
| MDM user scope | Some or All | Defines which users will have devices automatically enrolled in Intune when joined or registered. |
| MAM user scope | None or Some | If using app protection policies without device enrollment, configure for targeted users. |
| MDM terms of use URL | Optional | Add your organization’s terms for user acknowledgment during enrollment. |
| MDM discovery URL | Default (auto-populated) | Used for device enrollment. |
Save your configuration.
💡 Tip: When connecting for the first time, ensure your Intune tenant is active and has the correct licensing (Microsoft 365 E3/E5, Intune Suite, or EMS E3/E5).
🔹 Part 2: Configure Settings in Intune Admin Center
Once Azure AD is linked, move to Intune to define how devices enroll and are managed.
Step 3: Configure Device Enrollment Settings
Purpose:
Define how devices are added to Intune and who can enroll them.
Navigation Path:
- Sign in to the Intune Admin Center: https://intune.microsoft.com
- Go to Devices > Enroll devices > Automatic Enrollment.
Configuration Steps:
| Setting | Recommended Value | Description |
|---|---|---|
| MDM user scope | Some or All | Choose the same group as your Azure AD MDM user scope. |
| MAM user scope | None (unless using MAM-only) | If you manage apps without full enrollment, assign here. |
Click Save when done.
Step 4: Configure Enrollment Restrictions
Purpose:
Limit which device types or OS versions can enroll in Intune.
Navigation Path:
- Devices > Enroll devices > Enrollment device platform restrictions.
Configuration:
- Review the Default restrictions or create a custom restriction policy.
- Configure platform access:
  - Allow or block Windows, iOS/iPadOS, macOS, Android.
  - Define OS version minimums and maximums.
- Set priority for custom policies.
Save your policy and assign it to appropriate user groups.
Step 5: Configure Enrollment Status Page (ESP)
Purpose:
Display a progress page during device setup (Autopilot or MDM) to show policy installation and app provisioning.
Navigation Path:
- Devices > Enroll devices > Enrollment Status Page.
Configuration:
- Turn Show app and profile installation progress to Yes.
- Choose whether to block users from proceeding until all required apps and policies are installed.
- Assign the profile to all users or selected groups.
Step 6: Verify the MDM Authority
Purpose:
Ensure Intune is set as your Mobile Device Management (MDM) authority.
Navigation Path:
- Tenant administration > Tenant status.
Confirm:
- MDM authority = Microsoft Intune.
- If not set, configure it using the Set MDM Authority wizard (only needed for first-time setups).
🔹 Part 3: Test and Validate Configuration
Testing ensures your environment is ready for production use.
Validation Steps
- Sign in with a test user included in the MDM user scope.
- Join a Windows device to Azure AD via Settings → Accounts → Access work or school → Connect.
- Confirm:
  - The device appears in Azure AD → Devices.
  - The device is enrolled under Intune → Devices → All devices.
  - Compliance and configuration policies apply successfully.
Optional Checks
- Run dsregcmd /status on the device to confirm AzureADJoined = YES and MDMUrl points to Intune.
- In the Intune portal, open the device record → Managed by should show MDM.
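As an added example that is not part of the original guide, the PowerShell below wraps the dsregcmd /status check from the optional step above so it can be run on a pilot device or dropped into a validation script. It parses the "Key : Value" lines the tool prints and reports whether the device is Azure AD joined and whether the MDM URL points at Intune. It assumes Intune's enrollment endpoints live under manage.microsoft.com (the default MDM discovery URL the Mobility blade auto-populates); the sample output embedded in the block is constructed for illustration and is not a real device's output.

```powershell
# Added example, not part of the original guide.
# Parses dsregcmd /status into a hashtable of Key -> Value.
function Get-DsregStatus {
    param(
        # Raw lines from "dsregcmd /status". Defaults to running the tool on this device.
        [string[]]$RawOutput = (& dsregcmd /status)
    )
    $status = @{}   # PowerShell hashtables are case-insensitive, so 'AzureADJoined' and 'AzureAdJoined' both resolve
    foreach ($line in $RawOutput) {
        # Field lines look like "   AzureAdJoined : YES"; banners (+---+, | Device State |) have no colon and are skipped.
        # The first colon splits key from value, so URL values containing ':' stay intact.
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

# Evaluates the two values the validation step asks for and returns a small report object.
function Test-IntuneEnrollment {
    param([hashtable]$Status)

    $joined = ($Status['AzureAdJoined'] -eq 'YES')
    $mdmUrl = $Status['MdmUrl']
    # Assumption: Intune enrollment endpoints are hosted under manage.microsoft.com.
    $intuneMdm = (-not [string]::IsNullOrEmpty($mdmUrl)) -and ($mdmUrl -like 'https://*.manage.microsoft.com/*')

    if (-not $joined)    { Write-Warning "Device is not Azure AD joined (AzureAdJoined = '$($Status['AzureAdJoined'])')." }
    if (-not $intuneMdm) { Write-Warning "MdmUrl is empty or does not point to Intune (MdmUrl = '$mdmUrl'). Check the MDM user scope." }

    [pscustomobject]@{
        AzureAdJoined = $joined
        MdmUrl        = $mdmUrl
        IntuneMdm     = $intuneMdm
        Ready         = ($joined -and $intuneMdm)
    }
}

# Constructed sample output (not captured from a real device) to exercise the parser offline.
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

# Offline run against the constructed sample: Ready should be True.
Test-IntuneEnrollment -Status (Get-DsregStatus -RawOutput $sampleOutput)

# On an actual pilot device, omit -RawOutput to run dsregcmd /status live:
# Test-IntuneEnrollment -Status (Get-DsregStatus)
```

Run it in an elevated or standard PowerShell session on the test device after the Azure AD join completes. A Ready value of False with an empty MdmUrl usually means the test user falls outside the MDM user scope configured in Step 2 and Step 3, which is the first thing to re-check before looking at enrollment restrictions.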
🧭 Summary Table
| Platform | Configuration Area | Example Path | Purpose |
|---|---|---|---|
| Azure AD | Device settings | Devices → Device settings | Control who can register or join devices |
| Azure AD | Mobility (MDM and MAM) | Devices → Mobility → Microsoft Intune | Connect Intune as MDM authority |
| Intune | Device enrollment | Devices → Enroll devices → Automatic enrollment | Configure MDM user scope and enrollment flow |
| Intune | Enrollment restrictions | Devices → Enroll devices → Enrollment restrictions | Restrict or allow OS types and versions |
| Intune | Enrollment status page | Devices → Enroll devices → Enrollment Status Page | Monitor provisioning during setup |
✅ Final Notes and Best Practices
- Always test with a pilot group before enabling for all users.
- Ensure your Intune licenses (or Microsoft 365 E3/E5) are assigned to admins and enrolled users.
- Sync groups regularly if you use hybrid Azure AD join.
- Periodically review your device cleanup rules and retirement policies in Intune.
- Document your configuration and group assignments for future audits.