Windows Office Hours: May 16, 2024
Event Ended
Thursday, May 16, 2024, 08:00 AM PDT
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Char_Cheesman
Updated May 16, 2024
Machi1145
May 16, 2024
Copper Contributor
When we pre-provision a device for Autopilot, our users still need permissions to register a device to Azure, even though the autopiloted device is registered to Entra and Intune already during the pre-provision process. Is this necessary / a security practice, or can this be avoided for a smoother user experience?
Jason_Sandys
Microsoft
May 16, 2024
Hi James. Can you be a little more specific here? What exactly do you mean that the "users still need permissions" to register a device to Azure?
- Machi1145
  May 16, 2024
  Copper Contributor
  Users need to be a member of the "Users may join devices to Microsoft Entra" permission in Entra under Device settings.
- Jason_Sandys
  Microsoft
  May 16, 2024
  OK, that's expected and by design. Some organizations wish to limit the ability to do this, so this is the control for this. If you wish to allow all users to join their devices to Entra, then simply select All. Registering a device to Autopilot is a separate activity with a separate purpose, as this is device specific. As noted, some orgs wish to limit which users, regardless of AP registration, have the ability to join that device to Entra (which is actually a user-centric activity).
- Machi1145
  May 16, 2024
  Copper Contributor
  We recently moved from Hybrid to Entra joined devices. This didn't happen during the hybrid join process, so it's a shame that the Entra Join process isn't as smooth. We are fine with users joining their work computers, but we don't need them joining their personal devices to our tenant. Since we partner with our MSP to join PCs we purchase and otherwise pre-provision computers for end users, we were really hoping this wasn't necessary since we are already joining the device before the end user ever touches it.