Forum Discussion

KVS's avatar
KVS
Copper Contributor
Sep 23, 2020
Solved

Azure AD P1 and Autopilot question

We are looking to try autopilot with Azure AD only as well as hybrid AD join. Want to understand all the licensing requirements for Azure AD, Intune and Autopilot. Is it possible to run a Autopilot i...
Intune
  • markoshea's avatar
    markoshea
    Sep 24, 2020
    Hi VK

    1) The AAD licenses would be assigned to users, not devices. Licenses can be reassigned, but you would need to ensure that users aren't leveraging any other capabilities of AADP P1 prior to the licenses being revoked and then losing those features as well.
    2) The biggest initial benefit you get by adding AADP P1 to Autopilot is that the devices will automatically enroll with Intune after performing the AAD Join, rather than it being an extra manual step. This means that if a device reset is performed, and the AAD P1 license isn't assigned to the user, the device will be AAD Joined, but not Intune managed until that is addressed separately.
    3) https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback has more details, but two of the main scenarios are WHfB with hybrid certs. and CA via ADFS. Others may have some additional use case scenarios
markoshea's avatar
markoshea
MVP
Sep 24, 2020
Hi VK

1) The AAD licenses would be assigned to users, not devices. Licenses can be reassigned, but you would need to ensure that users aren't leveraging any other capabilities of AADP P1 prior to the licenses being revoked and then losing those features as well.
2) The biggest initial benefit you get by adding AADP P1 to Autopilot is that the devices will automatically enroll with Intune after performing the AAD Join, rather than it being an extra manual step. This means that if a device reset is performed, and the AAD P1 license isn't assigned to the user, the device will be AAD Joined, but not Intune managed until that is addressed separately.
3) https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback has more details, but two of the main scenarios are WHfB with hybrid certs. and CA via ADFS. Others may have some additional use case scenarios
KVS's avatar
KVS
Copper Contributor
Sep 24, 2020

markoshea  Hi Mark , Thank you for the detailed responses. We are looking to use Azure AD P1 and Intune only for Auotpilot process. Once the Auotpilot process is complete and the SCCM client is installed on the machine, I was thinking the ongoing licensing requirement may be covered by the  SCCM co-management license. Please suggest if you see any issues with this approach.

  • markoshea's avatar
    markoshea
    MVP
    Sep 24, 2020

    KVS 

     

    If you aren't enabling other AADP P1 scenarios, I think this would work for the enrolment, but longer term hopefully there are other things in P1 that you can leverage which means it will be rolled out for everyone. 

    Normally I would recommend creating groups based on licensing, but in your case I think the slight delays of the dynamic groups being updated when licenses are reassigned might be a problem, so I would just stick to assigning users to the groups. 

Resources