Forum Discussion

Abdelhakim_Y95
Jul 12, 2019

Azure AD Join via Office 365 installation!?

Hi All,

The company I manage Intune for states that when users install Office 365 on their private device and sign in to it, they join Azure AD. I've checked my devices in Intune and this is really the case...

I've found out that Automatic Enrollment was set to All users.

How can I prevent users from Azure AD joining via an Office 365 installation or a private device?

  • Hi Abdelhakim_Y95,

    Actually, the device does not Azure AD join; it gets Azure AD registered. This is a slight difference, as you still log on with the user you used before. With Azure AD join you would log on with the Azure AD user afterwards. Regarding your concern about private devices, this would be the same. I assume you won't like to have private devices managed by Intune. As soon as they get registered (aka Workplace Join) they receive Intune policies, for example. With auto enrollment, an Azure AD registration will end up in a device MDM managed by Intune. If we talk about Windows 10, you could easily prevent Azure AD join via:

    Device enrollment > Enrollment restrictions > Device type restriction > New policy > Properties > Configure platforms > Windows (MDM), set "Personally Owned" to Block

    This will only allow Windows Autopilot devices to enroll into MDM and block personal devices.

    See: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

    Blocking personal Windows devices

    If you block personally owned Windows devices from enrollment, Intune checks to make sure that each new Windows enrollment request has been authorized as a corporate enrollment. Unauthorized enrollments will be blocked.

    The following methods qualify as being authorized as a Windows corporate enrollment:

    The following enrollments are marked as corporate by Intune. But since they don't offer the Intune administrator per-device control, they'll be blocked:

    The following personal enrollment methods will also be blocked:

    * These won't be blocked if registered with Autopilot.

    Best,

    Oliver
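As an added example (written for this page, not code from the thread, from Oliver, or from Microsoft's documentation), the following PowerShell script audits the tenant's Intune enrollment restriction configurations through Microsoft Graph and reports whether personally owned Windows devices are blocked from MDM enrollment, which is the setting the click path above changes by hand. It assumes the Microsoft.Graph.Authentication module is installed and that you can consent to the DeviceManagementServiceConfig.ReadWrite.All scope; the object types and property names it reads (the tenant default `deviceEnrollmentPlatformRestrictionsConfiguration` with `windowsRestriction.personalDeviceEnrollmentBlocked`, and the group-targeted `deviceEnrollmentPlatformRestrictionConfiguration` with `platformType` and `platformRestriction`) are taken from the beta Graph schema as I know it and should be treated as assumptions, as is the `-Enforce` switch name chosen here.

```powershell
# Added example, not from the original thread: audit (and optionally fix) the
# Intune restriction that blocks personally owned Windows devices from MDM enrollment.
# Assumptions: Microsoft.Graph.Authentication is installed; the caller can consent to
# DeviceManagementServiceConfig.ReadWrite.All; beta Graph schema names as listed below.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enforce   # assumed name: also PATCH the tenant default to block personal Windows
)

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null

# The per-platform (group-targeted) restriction objects are only exposed on beta.
$uri     = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# Normalise both object shapes into one report row per Windows restriction.
$report = foreach ($c in $configs) {
    switch ($c.'@odata.type') {
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
            # Tenant-wide default ("All users"); lowest priority, applies when nothing else matches
            [pscustomobject]@{
                Id                     = $c.id
                Name                   = $c.displayName
                Scope                  = 'Default'
                Priority               = $c.priority
                PersonalWindowsBlocked = [bool]$c.windowsRestriction.personalDeviceEnrollmentBlocked
            }
        }
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' {
            # Group-assigned restriction for a single platform; overrides the default for its members
            if ($c.platformType -eq 'windows') {
                [pscustomobject]@{
                    Id                     = $c.id
                    Name                   = $c.displayName
                    Scope                  = 'Targeted'
                    Priority               = $c.priority
                    PersonalWindowsBlocked = [bool]$c.platformRestriction.personalDeviceEnrollmentBlocked
                }
            }
        }
    }
}

$report | Sort-Object Priority | Format-Table -AutoSize

# The default is what catches the "Office install on a private laptop" case from the thread.
$default = $report | Where-Object Scope -eq 'Default'
if (-not $default.PersonalWindowsBlocked) {
    Write-Warning "Default restriction '$($default.Name)' still allows personally owned Windows devices to enroll."

    if ($Enforce -and $PSCmdlet.ShouldProcess($default.Name, 'Block personal Windows enrollment')) {
        $body = @{
            '@odata.type'      = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
            windowsRestriction = @{
                platformBlocked                 = $false   # keep corporate Windows enrollment working
                personalDeviceEnrollmentBlocked = $true    # the "Personally Owned: Block" toggle
            }
        } | ConvertTo-Json -Depth 5

        Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($default.Id)" -Body $body -ContentType 'application/json' | Out-Null
        Write-Host "Updated '$($default.Name)': personal Windows enrollment is now blocked."
    }
}

# Targeted restrictions that still allow personal devices win over the default for their groups.
$report | Where-Object { $_.Scope -eq 'Targeted' -and -not $_.PersonalWindowsBlocked } |
    ForEach-Object { Write-Warning "Targeted restriction '$($_.Name)' (priority $($_.Priority)) allows personal Windows devices for its assigned groups." }
```

Run it without `-Enforce` to report only; `-Enforce -WhatIf` shows the PATCH it would make. Two things worth keeping in mind that the thread does not spell out: an enrollment restriction stops the MDM enrollment, not the Azure AD registration itself (on the device, `dsregcmd /status` will still show `WorkplaceJoined : YES` with `AzureAdJoined : NO`), and which users are auto-enrolled at all is governed separately by the MDM user scope under Mobility (MDM and MAM) in the Azure AD portal, so check both when the goal is keeping private devices out.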
