Support Tip: How User Device Affinity works in Intune
Published Jun 26 2019 01:01 PM

By Scott Duffey | Intune Sr. PM

 

If you’ve worked with System Center Configuration Manager in the past, you’ll be familiar with the term “User Device Affinity”. In Intune we call this “Primary User” and it’s simply a mapping between an Intune device and a user. A device can have just one Primary User, but a User can have more than one device.


The point of having this relationship is to improve experiences for both end users and IT support. Here are a few examples where this mapping is useful:

  • When a user opens the Company Portal app on their phone, they see a list of all their Intune-managed devices. In case they have an Intune-managed device that is lost or stolen, they can perform a reset for that device. This self-service reduces IT support cases as the end user can take care of the problem themselves. The list of all Intune managed devices is built from the Primary User relationship.
  • Another example is on the IT support side. When an IT admin uses the troubleshooting page in the admin portal, the first step is to supply a username. This name then enumerates all the user’s devices (along with policies, apps and other useful information). Again, this device list is built based on Primary User.

 

As an Intune IT admin, you can view the Primary User of a device by going to the device overview page in the admin portal.

 


 

What happens when the device doesn’t belong to anyone?
While most of the devices being managed by Intune today are single-user devices, there are some customer scenarios where this isn’t the case. For example, you might have kiosks, first-line worker devices or Windows 10 PCs being used by multiple users in a classroom or call center. We call those shared devices. These devices typically have a different set of end-user and self-service requirements in the Company Portal.

 


 

Moving forward, and based on many customer requests, you’ll start to see improvements in the shared device scenario.

  • In an upcoming release of the Company Portal app for Windows (we're planning on a release shortly), shared devices (ones without any primary user assigned) will now be able to be used for each Intune user who signs into Windows and opens the app. Each user will be able to install Available apps that have been assigned to their user account. There is also a label to help identify a shared device vs. a single-user device and, importantly, end users won’t be allowed to perform any device actions (like removing it from management or factory resetting it) via the Company Portal app.
  • In future releases, we’ll be building out some additional changes that customers have been asking for, including the ability to add or change a primary user through the admin portal, or seamlessly inherit Primary User from other sources (such as SCCM).

 

For more detailed information on how to configure and use the Intune Primary User, we’ve posted updates to the documentation page here: https://aka.ms/primary_user_intune.
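The mapping described above, as an added example (not code from the article or from Intune): it rebuilds the per-user device list from a constructed inventory export and flags devices whose Primary User would put self-service actions such as reset in the hands of the wrong account. The column names, the sample rows and the `ENROLLMENT_ACCOUNTS` set are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not a real Intune schema.
SAMPLE_CSV = """device_name,primary_user,recent_sign_ins
LT-0101,ana@contoso.example,ana@contoso.example
LT-0102,tech1@contoso.example,ben@contoso.example
KIOSK-01,,cara@contoso.example;dev@contoso.example
LAB-07,ana@contoso.example,cara@contoso.example;dev@contoso.example;eli@contoso.example
PH-0103,ana@contoso.example,ana@contoso.example
"""
# Hypothetical accounts used by technicians to image or enroll devices.
ENROLLMENT_ACCOUNTS = {"tech1@contoso.example"}

def load(text):
    """Parse the export into dicts with a normalized primary user and sign-in list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": r["device_name"].strip(),
            "primary": r["primary_user"].strip().lower() or None,
            "sign_ins": [u.strip().lower() for u in r["recent_sign_ins"].split(";") if u.strip()],
        })
    return rows

def devices_by_user(rows):
    """User -> devices, built from the Primary User mapping; shared devices belong to no one."""
    out = defaultdict(list)
    for r in rows:
        if r["primary"]:
            out[r["primary"]].append(r["device"])
    return dict(out)

def audit(rows, enrollment_accounts=ENROLLMENT_ACCOUNTS):
    """Return (device, finding) pairs for mappings that give self-service to the wrong person."""
    findings = []
    for r in rows:
        p, users = r["primary"], set(r["sign_ins"])
        if p is None:
            continue  # shared device: end users get no device actions in Company Portal
        if p in enrollment_accounts:
            findings.append((r["device"], "primary user is an enrollment account"))
        elif p not in users:
            findings.append((r["device"], "primary user has not signed in recently"))
        if len(users - {p}) >= 2:
            findings.append((r["device"], "multi-user device with a primary user"))
    return findings
```
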


21 Comments
Iron Contributor
Great! Thanks for the update/letting us know Scott, this is going to be quite helpful :)
Deleted
Not applicable

Thanks for updating us, Scott. This is a great improvement to the Company Portal app and Microsoft Intune!

 

I have one question though. Regarding "shared devices (ones without any primary user assigned) will now be able to be used for each Intune user". Could you please clarify if each Intune user will also be able to install available apps through the Company Portal app, on Shared Devices that do have a Primary User assigned? For instance where these were set up with a Device Enrollment Manager?

 

Bronze Contributor

Way to bury the lede there @Intune_Support_Team !  I'm thrilled to hear that we will finally be able to assign a device to a different user without having to completely start over and re-enroll it.  

 

I was so excited that I tried telling others about it by clicking the Share button at the bottom of this article, but the button seems to be broken.  It takes me to a page at addthis.com with no content, just a header, search bar, and footer.  You might want to have someone check on that.  Meanwhile, I'll tweet the URL the old fashioned way.  :)

Brass Contributor

@Intune_Support_Team.. does this only work if Azure AD join (Autopilot self-deploying mode) based on what I am reading in the support document below.  So no shared devices for Hybrid Joined enrollments.

 

https://docs.microsoft.com/en-us/intune/find-primary-user#who-is-assigned-as-the-primary-user

 

 

@Steve Whitcher  - thanks for pointing this out along with the share! We reached out to the TechCommunity team regarding the share issue, and they responded back that this can sometimes occur when cookies aren’t accepted or are in In-Private browser. If you continue to have issues in the future, please let us know. 

Brass Contributor

@Intune_Support_Team - thanks for the response.   Checking UserVoice I do not see much mention on Shared Devices and support for Hybrid AADJ.   Curious if there is anything on the roadmap for this.  I plan on submitting a request in UserVoice in the meantime.

Hi @Miguel Sanabia, appreciate the feedback to improve the Intune service!

 

In addition, here are a few links that may help to keep up to date with what's new with Intune:

Microsoft 365 roadmap
In Development
What's New
EMS Blogs

Copper Contributor

Hello,

 

Can I change the primary user of a device in case someone left and I don't want to redeploy that device?

Thank you 

Copper Contributor

Would be good to know how you can change this.

 

My admin account is registered as the primary user because I set up people's PCs

can't seem to find a place to just change the value !

Copper Contributor
Any news on when the above changes will be made? Thanks

Hi @SS0123 @AlexSamadYB @AlviC1440,

Engineering has started work on the ability to change the primary user within Intune.

Keep an eye out on our In Development and What's New for any new announcements for this feature!

Copper Contributor

@Intune_Support_Team thanks for the broken links!

 

@Intune_Support_Team why are you leaving Hybrid Azure AD scenarios out of the mix? How do you expect to transition people to the cloud when you roll out things that don't work for existing AD infrastructure?

 

@Intune_Support_Team Why does it take years to get changes implemented that should have been incorporated when it was deployed? Why do you make your customers unenroll a device in order to change the primary user? Whose idea was this and why did you think this was a good idea? Changing the primary user by an admin should have been the way to go from the very beginning. Do you know how many things have to be in place for enrolling another user? When you unenroll, it also disjoins from Hybrid Azure AD! This makes it especially difficult if they are remote and have to be on a VPN and require MFA.... You leave your Hybrid customers in the dust all the time @Intune_Support_Team ....

 

Par for the course by Microsoft though...

Copper Contributor

Just wanted to ask for an update on the primary user change ability from the Azure Portal. It has been almost 6 months since this was referenced in the initial thread post, and creates significant extra work for IT.

Copper Contributor

Hi @Intune_Support_Team 

We are having a similar scenario as explained above - where the primary user (also device enrolled user) would not be using the device, instead another Azure AD user (who is not the primary user of the device) will be using the device in KIOSK mode.  We are unable to control the device through Intune (e.g. a simple scenario like restart via Intune is not working). Looking forward to getting some workaround / fix in this regard at the earliest.

 

Brass Contributor

"In future releases, we’ll be building out some additional changes that customers have been asking for including the ability to add or change a primary user through the admin portal, or seamlessly inherit Primary User from other sources (such as SCCM)."

 

This is basically essential. We are an AD / SCCM environment moving towards HybridAD and Intune. Crucially, most of our devices are shared use (classrooms). At present, Microsoft's advice seems very 2005. It's regressive to go from zero-touch deployment in SCCM to heavy touch to ensure the device enrolls without being linked to the first user to use the device.

 

Auto-enrollment via SCCM or AD is completely pointless if you can't specify that the device is to be a shared device.

Hi @SS0123 @AlexSamadYB @AlviC1440 @DonaldSteele @Ravisrinivasamurthy @Mark Burland - We're excited to announce that today we started rolling out a feature giving you the ability to change a device’s primary user. More information can be found in our What's new document of Week of March 9, 2020 here and from Scott Duffey's post here: Change the Intune Primary User – Public Preview Now Available. Thank you all for your patience!

 

@PeterHoldridge, we've made some improvements to Microsoft Endpoint Manager in the past few months, and would be happy to take additional feedback to the team to address your concerns. Could you private message us with current blockers for us to follow-up on?

Copper Contributor

It is nice that you gave the ability for admins to sit all day and click one at a time to remove the primary users off of our shared devices leaving little time for our actual work!

 

We need to be able to flag devices so that they remain a shared device and a primary user CANNOT be assigned.  If not that then we need to be able to bulk select and remove the primary user from Endpoint manager.

 

Our computer technicians, who manage our devices onsite and remotely and do most of the imaging, are being set as the primary user, messing up the shared devices for others when they use them.

 

It is not feasible to manually check and remove our technician accounts from the Primary User field each day.

Copper Contributor

Please make installing apps via Corporate portal possible for all users even if primary user is set!!!

Copper Contributor

Hi,

 

Any time frame for this:

 

"seamlessly inherit Primary User from other sources (such as SCCM)."

 

Thanks

Copper Contributor

Create dynamic device groups according to primary users security/distribution/(what ever type) group.

Please...

Version history
Last update: Dec 19 2023 01:30 PM