Windows Office Hours: May 16, 2024
Event Ended
Thursday, May 16, 2024, 08:00 AM PDT
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Char_Cheesman
Updated May 16, 2024
Jason_Sandys
Microsoft
May 16, 2024
Hi James. Can you be a little more specific here? What exactly do you mean that the "users still need permissions" to register a device to Azure?
Machi1145
May 16, 2024
Copper Contributor
Users need to be a member of the "Users may join devices to Microsoft Entra" permission in Entra under Device settings.
- Jason_Sandys, May 16, 2024
Microsoft
OK, that's expected and by design. Some organizations wish to limit the ability to do this, so this is the control for this. If you wish to allow all users to join their devices to Entra, then simply select All. Registering a device to Autopilot is a separate activity with a separate purpose, as this is device specific. As noted, some orgs wish to limit which users, regardless of AP registration, have the ability to join that device to Entra (which is actually a user-centric activity).
- Machi1145, May 16, 2024
Copper Contributor
We recently moved from Hybrid to Entra joined devices. This didn't happen during the hybrid join process, so it's a shame that the Entra Join process isn't as smooth. We are fine with users joining their work computers, but we don't need them joining their personal devices to our tenant. Since we partner with our MSP to join PCs we purchase and otherwise pre-provision computers for end users, we were really hoping this wasn't necessary since we are already joining the device before the end user ever touches it.
- SeanBulger, May 16, 2024
Microsoft
To add to Jason's comment, you can allow users to register their devices to Entra, but still prevent them from enrolling their device in Intune. Use a device enrollment restriction in Intune to prevent users from enrolling a personal device. A device that has been registered for Autopilot is seen as a corporate-owned device and will be allowed to enroll in Intune. This will allow you to apply conditional access policies based on device compliance, which would block non-managed devices from accessing corporate resources.
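
For admins who want to audit the "Users may join devices to Microsoft Entra" setting discussed in this thread, here is an added example (not code from any participant or from Microsoft) that reads a device registration policy object and reports whether join is set to All, Selected, or None. The JSON is a constructed sample shaped like the Microsoft Graph `deviceRegistrationPolicy` resource; the function name, group ID, endpoint version, and scope in the comments are assumptions to check against your tenant and the current Graph documentation.

```powershell
# Constructed sample shaped like the Graph deviceRegistrationPolicy resource.
# Live retrieval (assumption: Microsoft.Graph.Authentication module, connected with
# a scope such as Policy.Read.DeviceConfiguration):
#   $policy = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#       -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$sampleJson = @'
{
  "azureADJoin": {
    "isAdminConfigurable": true,
    "allowedToJoin": {
      "@odata.type": "#microsoft.graph.enumeratedDeviceRegistrationMembership",
      "users": [],
      "groups": ["00000000-0000-0000-0000-000000000001"]
    }
  },
  "azureADRegistration": {
    "isAdminConfigurable": false,
    "allowedToRegister": { "@odata.type": "#microsoft.graph.allDeviceRegistrationMembership" }
  }
}
'@

# Hypothetical helper: map the membership type to the portal's All / Selected / None.
function Get-MembershipScope {
    param([Parameter(Mandatory)] $Membership)
    switch -Wildcard ($Membership.'@odata.type') {
        '*allDeviceRegistrationMembership' {
            return [pscustomobject]@{ Scope = 'All'; Users = @(); Groups = @() } }
        '*enumeratedDeviceRegistrationMembership' {
            return [pscustomobject]@{ Scope = 'Selected'
                Users = @($Membership.users); Groups = @($Membership.groups) } }
        '*noDeviceRegistrationMembership' {
            return [pscustomobject]@{ Scope = 'None'; Users = @(); Groups = @() } }
        default { throw "Unrecognized membership type: $($Membership.'@odata.type')" }
    }
}

$policy = $sampleJson | ConvertFrom-Json
$join   = Get-MembershipScope $policy.azureADJoin.allowedToJoin
$reg    = Get-MembershipScope $policy.azureADRegistration.allowedToRegister

"Entra join:         $($join.Scope) (users: $($join.Users.Count), groups: $($join.Groups.Count))"
"Entra registration: $($reg.Scope)"

if ($join.Scope -eq 'All') {
    # Per the thread: join is user-centric, so 'All' also covers personal devices.
    Write-Warning 'All users may join devices. Pair this with an Intune enrollment restriction that blocks personal devices and with compliance-based Conditional Access.'
}
```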