Implementing MDM for Microsoft 365


Microsoft 365 includes Enterprise Mobility Plus Security (EMS), which is includes Mobile Device Management and Mobile Application Management that will be accessing your resources. Microsoft 365 EMS Includes Microsoft Intune to help manage devices and applications both corporate devices (COD) and personal devices (BYOD). In this post we will discuss and explored

  • How to plan for MDM and MAM

At the end of this post, you’ll know how to plan, implement and configure MDM related services in Microsoft 365.


Microsoft 365 is a SaaS bundle of Windows 10, Office 365 and Enterprise Mobility + Security that businesses can subscribe. There are three versions of Microsoft 365.

  • Microsoft 365 Education, solution for educational providers.

Microsoft 365 also includes Microsoft Enterprise Mobility and security or EMS which is a suite of products including Azure Active Directory which offers cloud-based identity and access services, Azure Information Protection which offers document labeling, classification, protection and security, Microsoft Advanced Threat Analytics which provides real-time monitoring and protection against malware threats. Microsoft 365 Device Management which uses Intune to offer a mobile device and app management solution. Microsoft 365 Device Management uses Intune to manage devices and apps across multiple platforms including Windows 10, Android and iOS devices allowing devices to access company resources such as data and applications, ensuring that devices are compliant before they can access resources, protect corporate information by managing access restrictions, and controlling how users use and share data and manage applications on devices including app deployment, access and usage.

Microsoft Intune provide several capabilities. It provides the ability to secure and monitor the data access, manage multiple devices per person (IOS, Android, macOS or Windows). Intune into integrates with Windows Defender. Intune also utilizes Azure AD conditional access policies, mobile device management (MDM) and mobile application called (MAM). So let’s look at differences between MDM and MAM. In MDM users enforced to “enroll” devices, use certificates to communicate with Intune. IT pushes apps to devices, restricts OS types and can remotely wipe device. MDM is used to enforce the enrollment of the user’s devices that will allow them to obtain a certificate to communicate with Intune. And then IT can push the Apps to the devices. We can restrict the operating system types. We can even remotely wipe a device. So if a device gets stolen, we can choose to wipe that device and company information. In Mobile Application management (MAM), users ise personal devices to access company resources. When opening an app, additional authentication required. If device is lost, IT can remove company information. MAM is for users with personal devices who are accessing company resources. When they’re opening an application from personal devices, they’re gonna be required to provide additional authentication. IT can remotely remove just the company information from that personal device. So MDM is the primary tool use for managing corporate devices. MAM is the primary tool use for managing personal devices that contain corporate information on them. Now, when it comes to working with these devices and managing these devices through MDM, there are several ideas that you need to take into consideration.

  • Device Ownership: Who owns device. MDM for managing corporate devices, MAM for managing personal devices. We need to understand the different devices and who owns those devices.

Planning for Mobile Device Management

Microsoft Intune and MDM Authority Solutions

Lets have a deep dive, on the planning process for mobile device management, because this is a fairly complex topic, and there are a lots of different things that you need to take into consideration. So we will focus on four key areas,

  1. MDM Authority Solutions or solutions that you can implement and manage devices.

MDM Authority Solutions

There are 4 possible MDM Authority solution that you can implement.

  1. Intune Standalone : Cloud-only management, which you configure by using the Azure portal. Includes the full set of capabilities that Intune offers.

So just make sure we fully understand, Let’s have a look what Microsoft Intune offers.

  • We use Microsoft Intune to secure and monitor all of the data access from mobile devices (Corparate devices (COD) or pesonal devices (BYOD)) and we can manage the different device platforms (Android, IOS, macOS and Windows (mobile, surface and desktop)).

So just make sure we fully understand, Let’s have a look MDM vs MAM

MDM is used primariliy for Corporate Devices

  • Integrate with Azure AD so we can Deploy Conditional Access Policy to enforce users to enroll devices. Use these conditional access policies like configuring WiFi or VPN, delivering applications to device, enforcing regulatory requirements

MAM is used primarily for personal devices (BYOD)

  • Control authentication when accessing corporate resources

MDM Deployment

Lets have a look MDM Deployment Considerations

Device Types: Deployment is a type of device in the role or the user that the device is gonna have when accessing the corporate resources

  • Corporate Devices (COD) or Personal Devices (BYOD)

Organizational Groups

Identify each use case and sub use case can go down even to platforms and apps.

  • Use Case, Sub use case, Organizational Unit (Group)

Mobile Device Usecase with Platform & apps

  • Corporate → Executive → HR, Finance → IOS

Let me give an example of Organizational groups, Use case is corporate. A sub use case is the executive within corporate, Organizanational group is executives in HR, finance. So we’ll create policies based on the organizational group.

Lets break this down into further detail for mobile device use cases along with platforms and Apps. Corporate like above. Executives at the corporate level within departments or organizational group like HR and Finance, and now we’re drilling it down to the executives within HR and Finance that they’re using an IOS. . We can further refined this for the executives in HR and Finance that are using IOS and we want to control email, profiles and apps. We can get very granular with MDM.

MDM Deployment Planning

Select MDM Solution Choose the appropriate MDM authority solution based on the tools that you are going to use to manage the MDM deployment.

Plan for MDM Infrastructure There are a few considerations for Planning for the MGM infrastructures.

External Communications: How are we going to communicate our expectations from our external users?

Bandwidth Requirements: Users are Accesing, downloading and updating apps frequently.

  • Cache Proxy: To cash certain types of content of redundant downloads from multiple devices

Plan Device Policies

  • Policy Conflict Resolution: Once the device is enrolled in MDM, we can create and assign, multiple policies to manage a device. Some of them may overlap, so we have to set up the priority of those policies to ensure we achieve our goals for managing that device.

MDM Deployment Plans There are three primary MDM deployment plans:

Rollout Plan: Groups to target for rollout

  • Pilot Group: Test with super users to ensure the deployment process works as expected

Communication Plan: Explain and Communicate details of Rollout Plan

  • What and How information is communicated

Support Plan: Support of the new functionality and resolution of issiues, incidents and requests

  • Who is involved in support process

Device Enrollment and Enrollment Limits Device enrollment allows to manage devices, apps and how they access company data. In a BYOD scenario, users have their personal information on devices, and they may have also some company data. How are we going to manage that?

Devices must be enrolled in Intune and must have an MDM certificate for communications. In order to begin to use mobile device management (MDM), make sure devices are enrolled in Intune and they have an MDM certificate.

There are some dependencies for device enrollment:

  • Device Ownership (Personal or Corporate)

All devices are allowed to enroll by default but we can restrict enrollment by device type. It’s called enrollment limits, and managed through Endpoint Manager Admin Center. It allows you to specify restrictions for enrollment

  • By Number and type of devices

We can create multiple restrictions and set priority order before applying these restrictions to user groups. There are some default restrictions that are available and by default they apply to all users and userless enrollments like kiosk machines. But that can be overridden using custom restrictions with higher priorities. Therefore we have to look at default restrictions. If we want to tweak those we need to create custom restrictions and make sure they are higher priority than the default restrictions.

Managing Mobile Device Management in Microsoft 365

We are gonna focus on managing the mobile device management (MDM) in Microsoft 365. There are 3 topics for managing MDM in Microsoft 365:

  • MDM Integration with Azure AD

MDM Integration with Azure AD

So let’s talk about MDM integration with Azure AD. We have company devices (COD) and personal devices (BYOD).

Company Devices

  • Join Windows to Company Active Directory

We are talking about integration with Azure AD, we can join windows to a traditional active directory environment. However to allow the enrollment process to take place, we have to configure the hybrid Azure AD domain join. Another option is to join Windows to Azure AD directly if we don’t have the traditional onpremise AD environment.

Personal Devices (BYOD)

  • Add Microsoft Work Account to Windows

Our personal devices. We can add a Microsoft work account to Windows. By doing so, it allows us to access organization apps and resources, and provide an opportunity for the users to enroll their device in MDM. However, the keywords it provides them an opportunity they can decline to auto enroll the device in MDM. So this is where training in communications are necessary, so the user’s know what is expected from them. If they are going to use personal device to access the company resources.

Manage Devices

  • Group Policy

We have a few different options to manage these devices. If we are using the traditional active directory domain, we are going to use group policies for managing devices. We can also use the system center configuration manager for our traditional active directory domain environment. However, we are going to use MDM to manage our Azure AD join devices because that provides all the functionality. Including auto enroll and to manage the limits or restrictions on those devices.

Azure AD Integration with MDM requirements There are some prerequisites for the MDM integration with Azure AD.

Active MDM Subscription

  • Intune by default

We need an active MDM subscription. By default, we are using Intune, but we are not limited to using Intune. We can go to the Azure AD App Gallery to see if there is a third party tool that we can use instead of Intune.

Configure MDM Settings

  • MDM tems of use URLS

Another requirement is to configure MDM settings. This includes URLs for the MDM terms of use, so the users have to view them and understand what is expected from users when using MDM. There are also some configuration settings for MDM Discovery and compliance. Lastly, while we are configuring MDM settings, we can configure the scope of the devices. If we want to use auto device enrollment, it’s going to require Azure AD premium P1 or higher, and there is also Azure AD premium P2. If you have onpremise AD and you want to be able to use domain join, you can’t just do it with onpremise active directory, you need to configure hybrid with Azure AD. After that, you can use group policies for configuring devices for Hybrid Azur AD Domain join. So it is possible to configure domain join for onpremise active directory by implementing hybride Azur AD.

Lets take a look at the configuration options for an azure AD integration. In the lets view manage Azure Active directory, make sure you are a global administrator, which is one of the requirements. Now, on the left hand side, scroll down and you see, an option called Mobility (MDM and MAM).

Image for post
Image for post

If you want to bring in another application, you simply click on add application. It will bring up the available applications you have including On-premises MDM application. You can use Microsoft Azure AD to enable user access to on premises MDM application. It does require an existing on-premises MDM application subscription. You can change the name, logo etc.

Image for post
Image for post

In Microsoft Intune We have two categories on the left hand side. We have MDM user scope, terms of use, discovery and compliance URLs. Below that, we have MAM user scope, terms of use, discovery and compliance URLs.

The user scope in MDM can be set to None, Some for only specific groups and all for everyone to be able to auto enroll. If you have several groups, you can search for them when you enable MDM for some. These URLs are the default settings, by the way. And you can restore default MDM and MAM URLs. If you want to have something specific to your organization, this is where you can customize them.

So this is where and how we configure MDM to integrate with Azure AD.

Setting MDM Authority

The mobile device management (MDM) authority setting determines how you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for management.

Possible configurations are:

Intune Standalone — cloud-only management, which you configure by using the Azure portal. Includes the full set of capabilities that Intune offers. Set the MDM authority in the Intune console

Intune co-management — integration of the Intune cloud solution with Configuration Manager for Windows 10 devices. You configure Intune by using the Configuration Manager console. Configure auto-enrollment of devices to Intune

Mobile Device Management for Office 365 — integration of Office 365 with the Intune cloud solution. You configure Intune from your Microsoft 365 admin center. Includes a subset of the capabilities that are available with Intune Standalone. Set the MDM authority in Microsoft 365 admin center.

Office 365 MDM Coexistence You can activate and use both MDM for Office 365 and Intune concurrently on your tenant and set the management authority to either Intune or MDM for Office 365 for each user to dictate which service will be used to manage their mobile devices. User’s management authority is defined based on the license assigned to the user. Microsoft Intune Co-existence with MDM for Office 365

So now we look at some of the concepts associated with changing your MDM authority option.

Choose MDM Authority Option

If you change to the MD authority, it can take up to 8 hours before people realize or see that that change has been made. The device actually has to check in with the authority to realize change and then has to synchronize with the new service and pick up information from new service. Now there are settings called basic settings that include things like the profile. Your profile includes configuration options like email, WiFi VPN, certificates, configuration profiles. These are immediately going go away. They could remain on the device for up to seven days. Or it could be longer if device has been offline and hasn’t checked in and synchronized with the new service. So there’s an MDM authority change and the device checks in and then their synchronization takes place. You’ll have your settings configured based on the new MDM authority, but if you don’t connect the authority for a period of time, it won’t synchronize until you connect to that new service. If the devices is wiped or doesn’t communicate, your MDM certificate doesn’t get renewed. It wont be removed from Azure AD portal for 180 days after the certificate expires. There are some devices without associated users. These include anybody with the IOS device enrollment program or any type of bulk enrollment scenarios. What you need to do is call support for assistance to move them to the new MDM authority. MDM authority can never be changed to unknown. It’s not possible for you to change to unknown. It has to be associated with one of the four authorities.

Set MDM authority to Intune If you haven’t yet set the MDM authority, follow the steps below.

In the Microsoft Endpoint Manager admin center, select the orange banner to open the Mobile Device Management Authority setting. The orange banner is only displayed if you haven’t yet set the MDM authority.

Under Mobile Device Management Authority, choose your MDM authority from the following options:

  • Intune MDM Authority
Image for post
Image for post
Image for post
Image for post

A message indicates that you have successfully set your MDM authority to Intune. So these are the steps and location for changing your MDM authority.

Configuring Device Enrollment Restrictions

There are several Device enrollment restrictions options to take into consideration.

  • Device Platforms

So these are some of the items that we can configure as we’re working with enrollment restrictions in Microsoft 365.

We have some Device enrollment configuration options that we need to be aware of

  • Restrictions: By Default users get 5 devices they can enroll. We can change that to 3 if we want to.

You can delegate responsiblities for managing all these devices. We can provide the appropriate permissions to individuals to manage our devices. This is called the Device Enrollment Manager (DEM). A global admin or Intune admin manages the members of DEM Group. Intune permissions can be applied to any Azure AD user. There is a maximum of 150 DEM and each DEM can enroll up to 1000 devices.

Limitations of devices that are enrolled with a DEM account DEM user accounts and devices that are enrolled with a DEM user account have the following limitations:

  • A DEM account user must be assigned an Intune license.

Add a device enrollment manager Sign in to the Microsoft Endpoint Manager admin center, choose Devices > Enroll devices > Device enrollment managers.

Image for post
Image for post

Select Add.

Image for post
Image for post

On the Add User blade, enter a user principal name for the DEM user, and select Add. The DEM user is added to the list of DEM users.

Permissions for DEM Global Administrator or Intune Service Administrator Azure AD roles are required to

  • assign DEM permission to an Azure AD user account

If a user doesn’t have the Global Administrator or Intune Service Administrator role assigned to them, but has read permissions enabled for the Device Enrollment Managers role assigned to them, they can see only the DEM users they’ve created.

Remove device enrollment manager permissions Removing a device enrollment manager doesn’t affect enrolled devices.

To remove a device enrollment manager

Sign in to the Microsoft Endpoint Manager admin center, choose Devices > Enroll devices > Device enrollment managers. On the Device enrollment managers blade, select the DEM user, and select Delete.

To configure Device Enrollment Limit Restrictions Log into the Azure portal and select the Intune blade Select “Device Enrollment” and then click “Enrollment Restrictions”

Image for post
Image for post

Here I am changing the device limit from the default of 5 to 3 and then saving my changes

Image for post
Image for post

To configure Device Enrollment Type restriction Sign in to the Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction > Device type restriction.

On the Basics page, give the restriction a Name and optional Description.

Choose Next to go to the Platform settings page.

Under Platform, choose Allow for the platforms that you want this restriction to allow.

Image for post
Image for post

Implementing Mobile Device Management for Microsoft 365

Set the mobile device management authority What is device management Microsoft Intune

Identify mobile device management use-case scenarios

Develop a rollout plan

Develop a communication plan

Develop a support plan

What is device enrollment?

Set enrollment restrictions

Azure Active Directory integration with MDM

Configure auto-enrollment of devices to Intune

Set the mobile device management authority

Create a device type restriction Create a device limit restriction

Add a device enrollment manager

Originally published at

Written by

I am passionate about Technology, Cloud Computing, Machine Learning and Blockchain

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store