none
Azure AD Join - Bulk enrollment best practice

    Question

  • I am wondering what is the best practice when joining corporate owned machines to Azure. We have no on-prem AD/DC, solely Azure AD. I have an upcoming project with a new office opening with 40 machines, and 35 users a combination of all corporate owned laptops and desktops.

    I am coming from a traditional background where when a new devices are brought in, it is imaged, joined to the domain, then given to the user. I want to achieve the same process with Azure - I need them to be managed by Intune, be able to deploy Computer Policies (NOT GPO, just basic InTune compliance policies), not just Mobile policies; and I need the devices to be properly linked to the user who uses it.

    SO... Is it better to:

    a. Open "Users may join devices to AzureAD" to ALL users and limit the number of devices - Image the machine, then have the END USER go through the steps to Join to AzureAD via settings under their own account

    b. Set "Users may join devices to Azure AD" to some Admin group with our Tech's user accounts, set device limit to Unlimited - Image the machine, join the machine to Azure under my own/the tech's own company account, then deploy to end user

    c. Create a limited admin for the sole purpose of enrolling machines to AzureAD, limit "Users may join devices to AzureAD" to a custom group for the enrollment user, set device limit to Unlimited -- Image the machine and use this one and only account to join the device to Azure.

    In any of these methods, how will it effect users BYOD and InTune? Most users will bring their smartphone or tablet/hybrid in, and I want those registered, but not joined. I still want to deploy basic compliance policies, but they are not corporate devices, and no tech will lay hands on those devices for set up so it needs to be simple for the user.

    I saw a few articles about two years old saying how if you do InTune you can't AAD Join, and vice versa, is this true?
    • Edited by NathanAK Tuesday, April 25, 2017 6:42 PM clairty
    Tuesday, April 25, 2017 6:39 PM

All replies