Forum Discussion
RNalivaika
Aug 03, 2021, Iron Contributor
Intune enrollment creates new Azure AD object
Hi, we have Azure AD Hybrid joined devices, we want to enroll them to Intune. Upon testing with a subset of devices, we observe that intune enrolled devices become duplicates with their own/new objec...
RNalivaika
Aug 03, 2021, Iron Contributor
Henrixx do you mean this PRT?
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2021-08-03 18:25:21.000 UTC
AzureAdPrtExpiryTime : 2021-08-17 18:25:30.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/f4b9822c-3c52-41ba-85d0-c9fc9ef75aa9
EnterprisePrt : NO
We use MDM user scope with a group containing the pilot users who use the machines we want to enroll.
Henrixx
Aug 04, 2021, Copper Contributor
Thanks, so you got the PRT - that's good.
Next, let's check some additional questions:
- how do you perform the HAADJ? Manually or using a GPO? -if a GPO is used, are you using MDM (Device Credentials or User Credentials)?
- I guess you are using mail as UPN?
- If you check Intune, do you see these devices as corp enrolled or personal enrolled?
- What OS are you on? especially the PCs you use for the pilot?
RNalivaika
Aug 04, 2021, Iron Contributor
Henrixx thanks for following up. Devices are HAAD joined using Azure AD Connect device sync.
Yes, the UPN used for login to O365 is the same as the primary SMTP.
In Intune, these devices first appear as personal, and I change them to corporate owned. This is probably because pilot users enrolled them using logon to work or school.
We are on Windows 10 20H2 and 21H1. BR- Ruslan
Henrixx
Aug 04, 2021, Copper Contributor
The AAD Connect will only create the object in AAD. It's sitting in a pending status until you tell the computer to do the hybrid join, through GPO or the dsregcmd /join command.
The second info is kinda what I referred to regarding MDM auto enrollment. Using Work or school account will just cause what you are experiencing right now. There is a chance that the objects in AAD will merge themselves over a couple of days, but it doesn't have to, and there is no way you can force that.
christian_capellan
Dec 01, 2021, Copper Contributor
Was this issue ever resolved? I'm having a similar issue where the Azure AD registered device is duplicated when the user enrolls into MDM. What's worse is that the device identifies as the non-compliant registered instance instead of the MDM enrolled object, so conditional access doesn't work.
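An added example, not code from anyone in this thread, that parses `dsregcmd /status` output and flags the hybrid-join plus workplace-registration dual state behind the duplicate objects and the Conditional Access mismatch described above. The field names (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, AzureAdPrt) are the ones dsregcmd prints; the sample output is constructed, and the function names are my own.

```powershell
function ConvertFrom-DsregStatus {
    # Parse "Key : Value" lines from `dsregcmd /status` into a hashtable.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Key stops at the first colon, so URL values keep their "https:" intact.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinStateReport {
    # Flag the hybrid-join + workplace-registration "dual state" behind duplicate objects.
    param([Parameter(Mandatory)][hashtable]$State)
    $hybrid     = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')
    $registered = $State['WorkplaceJoined'] -eq 'YES'
    $mdmSet     = -not [string]::IsNullOrWhiteSpace($State['MdmUrl'])
    if ($hybrid -and $registered) {
        $advice = 'Dual state: remove the work-or-school registration and rely on MDM auto-enrollment'
    } elseif ($hybrid -and -not $mdmSet) {
        $advice = 'Hybrid joined but no MdmUrl: auto-enrollment policy/scope has not applied yet'
    } else {
        $advice = 'No dual state detected'
    }
    [pscustomobject]@{
        HybridJoined    = $hybrid
        WorkplaceJoined = $registered
        HasPrt          = $State['AzureAdPrt'] -eq 'YES'
        MdmConfigured   = $mdmSet
        DualState       = $hybrid -and $registered
        Advice          = $advice
    }
}

# Constructed sample output, trimmed to the fields used above (not captured from a real device).
$sample = @'
        AzureAdJoined : YES
     EnterpriseJoined : NO
         DomainJoined : YES
           AzureAdPrt : YES
        EnterprisePrt : NO
               MdmUrl :
      WorkplaceJoined : YES
'@ -split "`r?`n"

Get-JoinStateReport -State (ConvertFrom-DsregStatus -Lines $sample)
# On a real device: Get-JoinStateReport -State (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

Run it in the signed-in user's context on a pilot machine, since the WorkplaceJoined value comes from the per-user section of the output.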