Setting up Azure AD Hybrid Device Join to auto-enroll a small group of MS Surface devices in Intune

Just looking for a little input. We have a handful of MS Surfaces that we want to enroll in an MDM, mainly so that if they get lost they can be wiped, etc.

I am looking at enrolling the devices in Intune, which is part of our O365 Enterprise Mobility + Security E3 licensing.

I have been researching it and have the following questions:

#1 I see that I have to enable Hybrid Azure AD join in Azure AD Connect. It looks like a fairly straightforward procedure. Are there any "gotchas" that I should be aware of when enabling this?

#2 I have set up a group that has Yianne, myself and an account I created for this purpose, and have set in Azure Active Directory -> Mobility (MDM and MAM) that these three accounts are the only ones that can enroll machines.

#3 I have created an OU for machines that we want to manage and created a GPO with the setting "Enable Automatic MDM enrollment using default Azure AD Credentials" enabled.

So in a nutshell, I am assuming that once #1 is set up, when any of the three accounts log into a machine in the OU with the group policy configured, it will enroll in Intune.

My concern is:

What impacts can/does #1 have? Is it transparent, or am I going to come in and no one will be able to log on (LOL)?

Am I close, based on what I have been researching, on #2 and #3?


    Tuesday, November 5, 2019 6:23 PM
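The three pieces the post describes (the Hybrid Azure AD join configuration written by Azure AD Connect, the device's join state, and the auto-enrollment group policy) can all be verified from one of the target Surfaces before anyone relies on them. The PowerShell below is an added example written for this page; it is not code from the original post or from Microsoft. It assumes an elevated prompt on a domain-joined Windows 10 client with line of sight to a domain controller. The SCP object name, the policy registry path and the two event IDs are the documented ones; the function names and output labels are made up for the example.

```powershell
# Added example (not from the original post): read-only checks on a domain-joined
# Windows 10 client for the three pieces the post describes. Run from an elevated
# prompt. Function names and labels are invented for this example; the SCP GUID,
# registry path and event IDs are the documented values.

# 1) Hybrid Azure AD join prerequisite: Azure AD Connect writes a Service
#    Connection Point (SCP) under the Configuration partition. Its "keywords"
#    attribute carries the tenant name and tenant ID that clients will use.
function Test-HybridJoinScp {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4088-9100-7e33b0a7a5e3,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp      = [ADSI]$scpPath
        $keywords = @($scp.keywords)
        if (-not $keywords) { return [pscustomobject]@{ Present = $false; TenantName = $null; TenantId = $null } }
        [pscustomobject]@{
            Present    = $true
            TenantName = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
            TenantId   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
        }
    } catch {
        # Object does not exist: hybrid join has not been configured in Azure AD Connect
        [pscustomobject]@{ Present = $false; TenantName = $null; TenantId = $null }
    }
}

# 2) Device and user state as reported by dsregcmd. Parse "Key : Value" lines;
#    section headers and separator rows contain no colon and are skipped.
function Get-DsregStatus {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'   # both YES = hybrid Azure AD joined
        AzureAdPrt    = $state['AzureAdPrt']    -eq 'YES'   # logged-on user has a Primary Refresh Token
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']                    # tenant MDM discovery URL, if the tenant publishes one
    }
}

# 3) The GPO "Enable automatic MDM enrollment using default Azure AD credentials"
#    sets AutoEnrollMDM=1 (and, on 1803+, UseAADCredentialType: 1 = user, 2 = device)
#    and the enrollment client creates a scheduled task under EnterpriseMgmt.
function Test-AutoEnrollPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
             Select-Object -ExpandProperty TaskName
    [pscustomobject]@{
        PolicyApplied   = ($null -ne $p) -and ($p.AutoEnrollMDM -eq 1)
        CredentialType  = $p.UseAADCredentialType
        EnrollmentTasks = @($tasks)
    }
}

# 4) Outcome of the auto-enrollment attempts. In this channel, event 75 is
#    "Auto MDM Enroll: Succeeded" and event 76 is "Auto MDM Enroll: Failed".
function Get-MdmAutoEnrollEvents {
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } | Select-Object TimeCreated, Id, Message
}

$scp    = Test-HybridJoinScp
$dsreg  = Get-DsregStatus
$policy = Test-AutoEnrollPolicy

"SCP present in AD      : $($scp.Present) ($($scp.TenantName))"
"Hybrid joined (device) : $($dsreg.DomainJoined -and $dsreg.AzureAdJoined)"
"Azure AD PRT (user)    : $($dsreg.AzureAdPrt)"
"Auto-enroll GPO applied: $($policy.PolicyApplied) (credential type $($policy.CredentialType))"
"Enrollment tasks       : $($policy.EnrollmentTasks -join ', ')"
Get-MdmAutoEnrollEvents | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Read the output in order: if the SCP is absent, the hybrid join step in Azure AD Connect has not been completed and nothing downstream will work. If the SCP is present but AzureAdJoined is NO, the device has not yet registered (it needs a reboot and a sign-in after the SCP exists, and can be retried with `dsregcmd /join`). If the device is hybrid joined but the logged-on user's AzureAdPrt is NO, auto-enrollment with user credentials has no token to present. The MDM user scope from the post's step #2 is a tenant-side setting and is not visible locally; a 76 event for a user outside that group is the expected result, not a client problem.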