JoeV
Copper Contributor
Mar 21, 2025

Manage Windows computers on Intune without email accounts

We have a new customer with a strange requirement. Our developers will be on site in their offices. We have to provide them with computers and whatever software is required to do their work. We also have to manage these computers: patching, MS Defender, etc. But they are not allowed to access our internal company resources. No access to our email, SharePoint, log on to our VPN, etc. They will have Internet access. We already manage our computers through Entra/Intune but we can't use that for this situation.

Is it possible to set up a separate instance where we just need Intune to manage these laptops? No email accounts for the users. Just manage the devices only?

4 Replies

  • VasifAliyev02
    Copper Contributor

    It is possible to manage Windows devices in Intune without assigning email accounts or giving access to internal company resources. You can do this by setting up a separate Azure AD tenant specifically for this use case and assigning Intune licenses to that tenant. Devices can be enrolled using Windows Autopilot, manual enrollment, or other supported methods without needing individual user email accounts. You can configure device-based policies for updates, Microsoft Defender, software deployment, and compliance settings. Users can log in using local accounts or generic Azure AD accounts if needed, but they won't have access to your VPN, email, or other corporate services. This setup allows you to manage the devices entirely through Intune while keeping them isolated from your main organization.

  • rahuljindal
    Bronze Contributor

    I would create a separate conditional access policy for these users and block access to the resources they don’t need. 

    • JoeV
      Copper Contributor

      Would I be able to assign a conditional access policy to specific computers? Some of the users will get a second laptop to access email. So I can't block access based on users.

    • JoeV
      Copper Contributor

      Would it be possible to assign a conditional access policy to a specific computer instead of a user? Some of these users might get a second laptop they will use to access email but are not allowed to bring into the customer's office. So we don't want to block based on user.
