How to Configure Entra ID for Device Enrollment in Intune (GUI + PowerShell)
Study Guide
Configuring Microsoft Entra ID for Device Enrollment and Management
This study guide walks you through the foundational Entra ID configurations required before deploying Microsoft Intune policies. It covers:
- General device settings
- Device cleanup automation
- Enterprise State Roaming (ESR)
- Static and dynamic groups
- MDM and MAM scope configuration
- PowerShell automation using Microsoft Graph and IAM APIs
1. Entra ID General Device Settings
These settings define who can register or join devices, how many devices users can enroll, and whether users can retrieve BitLocker keys.
Portal Path
Microsoft Entra admin center โ Devices โ Overview โ Device Settings
Key Settings Explained
1. Users may join devices to Microsoft Entra
- Set to All or Selected
- Required for Entra ID Join
- Device restrictions can be enforced later in Intune
Recommendation: Set to All
2. Require Multi-Factor Authentication for device join
- Leave set to No
- Use Conditional Access instead for granular control and reporting
3. Maximum number of devices per user
- Default: 50
- Applies to all registered devices (including personal and stale devices)
- Entra does not automatically clean stale devices
Recommendation: Leave at 50 unless you have high device volume per user.
4. BitLocker Recovery Key Access (Preview)
Setting:
Restrict non-admin users from recovering BitLocker keys for owned devices
- Yes โ Higher security, more helpdesk tickets
- No โ Easier recovery, less secure
Decision depends on security posture.
2. Automating Device Registration Policy with Graph
Variables
$devicequota = 50
$entraregister = 1
$entrajoin = 1
$mfa = 0
$bitlocker = "true"
Device Registration Policy
Uses:
PUT https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy
Includes:
- Device quota
- Registration settings
- Join permissions
- MFA requirement
BitLocker Permission Policy
Uses:
PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
3. Cleaning Up Stale Devices
Entra does not auto-remove inactive devices.
Strategy
| Action | Threshold |
|---|---|
| Disable device | 90 days inactive |
| Delete device | 120 days inactive |
Disable Devices
Filter:
ApproximateLastSignInDateTimeAccountEnabled = true
Patch:
{
"accountEnabled": false
}
Delete Devices
Filter:
ApproximateLastLogonTimeStampAccountEnabled = false
Send:
DELETE https://graph.microsoft.com/beta/devices/{deviceId}
4. Enterprise State Roaming (ESR)
ESR syncs user preferences across Windows devices.
What ESR Syncs
Windows Settings
- Keyboard layouts
- Region settings
- Mouse configuration
- Wi-Fi profiles (WPA only)
- Web credentials
- Pen preferences
Microsoft Edge Settings
- Favorites
- Passwords
- Addresses
- Extensions
- Open tabs
- History
Enable ESR
Portal Path:
Entra ID โ Devices โ Device Settings โ Enterprise State Roaming
Set:
Users may sync settings and app data โ All
Automating ESR
Uses IAM API, not Graph.
Endpoint:
https://main.iam.ad.ext.azure.com/api/RoamingSettings?ESRV2=true
Requires:
- Device code authentication
- Access token creation
- REST PUT request
5. Creating Entra ID Static Groups
Static groups require manual membership assignment.
Portal Path
Entra ID โ Groups โ New Group
Settings:
- Group type: Security
- Membership type: Assigned
Group Capabilities
- License assignment
- Role assignment
- Nested groups
- Administrative units
- Owner delegation
Automating Static Group Creation
Endpoint:
POST https://graph.microsoft.com/beta/groups
Required JSON:
{
"description": "GroupDescription",
"displayName": "GroupName",
"mailEnabled": false,
"mailNickname": "groupnickname",
"securityEnabled": true
}
6. Creating Entra ID Dynamic Groups
Dynamic groups automatically populate based on rules.
Membership types:
- Dynamic User
- Dynamic Device
Dynamic User Group โ Office Licensed Users
Rule Example:
(user.assignedPlans -any
(assignedPlan.servicePlanId -eq "ServicePlanID"
-and assignedPlan.capabilityStatus -eq "Enabled"))
Use servicePlanId from Microsoft licensing reference list.
Dynamic Device Group โ Autopilot Devices
Rule:
(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
Used to target imported Autopilot devices.
Automating Dynamic Groups
Add to JSON:
"groupTypes": ["DynamicMembership"],
"membershipRule": "rule here",
"membershipRuleProcessingState": "On"
Submit via Graph:
POST https://graph.microsoft.com/beta/groups
7. Configuring MDM Scope (Critical for Intune Enrollment)
This setting determines who can enroll devices into Intune.
Portal Path
Entra ID โ Mobility (MDM and MAM) โ Microsoft Intune
Recommended Configuration
| Setting | Value |
|---|---|
| MDM user scope | All |
| MAM (WIP) | None |
| URLs | Leave default |
MDM vs MAM
| Feature | Purpose |
|---|---|
| MDM | Corporate device enrollment |
| MAM | BYOD app-level management |
8. Automating MDM Scope
Uses IAM API.
Endpoint:
https://main.iam.ad.ext.azure.com/api/MdmApplications/{policyId}
Key Settings:
"mdmAppliesTo": 2,
"mamAppliesTo": 0
Values:
- 2 = Enabled for all
- 0 = Disabled
Requires:
- Device code authentication
- Access token
- PUT request
Architecture Summary
Before configuring Intune policies, your Entra ID tenant should have:
- Device join enabled
- Proper device quota set
- BitLocker policy decided
- ESR configured
- Static and dynamic groups created
- MDM scope enabled
- Stale device cleanup automation in place
Exam Focus Areas
Expect scenario-based questions around:
- Device registration vs device join
- Conditional Access vs MFA requirement
- Graph PUT vs PATCH usage
- Dynamic group rule syntax
- ServicePlanId filtering
- Autopilot device queries
- IAM API vs Graph API usage
- Stale device cleanup logic
Practical Lab Checklist
โ Enable Entra device join
โ Configure device quota
โ Set BitLocker retrieval preference
โ Enable ESR
โ Create static security group
โ Create dynamic Office user group
โ Create dynamic Autopilot device group
โ Configure MDM user scope
โ Automate settings with Graph
I
