SOLVED

Azure AD P1 and Autopilot question

Copper Contributor

We are looking to try autopilot with Azure AD only as well as hybrid AD join. Want to understand all the licensing requirements for Azure AD, Intune and Autopilot. Is it possible to run a Autopilot in production with limited number of Azure AD Premium P1 licenses. We do not have Azure AD P1 for enterprise only few licenses .

1) Will it be possible to reclaim these Azure AD P1  licenses and assign to another set of machines after autopilot process is complete.

2) Without Azure AD PP1 what functionality do we loose with respect to Intune and autopilot in production environment.

3) Do we need to enabled Device Write back in Azure AD connect, when is it needed?

4 Replies
best response confirmed by Mark O'Shea (MVP)
Solution
Hi VK

1) The AAD licenses would be assigned to users, not devices. Licenses can be reassigned, but you would need to ensure that users aren't leveraging any other capabilities of AADP P1 prior to the licenses being revoked and then losing those features as well.
2) The biggest initial benefit you get by adding AADP P1 to Autopilot is that the devices will automatically enroll with Intune after performing the AAD Join, rather than it being an extra manual step. This means that if a device reset is performed, and the AAD P1 license isn't assigned to the user, the device will be AAD Joined, but not Intune managed until that is addressed separately.
3) https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback has more details, but two of the main scenarios are WHfB with hybrid certs. and CA via ADFS. Others may have some additional use case scenarios

@Mark O'Shea  Hi Mark , Thank you for the detailed responses. We are looking to use Azure AD P1 and Intune only for Auotpilot process. Once the Auotpilot process is complete and the SCCM client is installed on the machine, I was thinking the ongoing licensing requirement may be covered by the  SCCM co-management license. Please suggest if you see any issues with this approach.

Azure AD Premium P2 license is assigned on per user basis. If only 100 users wants to use the premium features, license needs to be assigned to only those 100 users and not to all 200 users.

For guest users, you need to maintain 5:1 which means, if guest users want to use Premium P2 features, you don't need to assign 5 licenses to 5 guest users. You just need to assign 1 license to any of those 5 guest users. If 10 guest users want to use Premium feature, assign license to only 2 guest users out of those 10 users, in order to stay compliant.

@KVS 

 

If you aren't enabling other AADP P1 scenarios, I think this would work for the enrolment, but longer term hopefully there are other things in P1 that you can leverage which means it will be rolled out for everyone. 

Normally I would recommend creating groups based on licensing, but in your case I think the slight delays of the dynamic groups being updated when licenses are reassigned might be a problem, so I would just stick to assigning users to the groups. 

1 best response

Accepted Solutions
best response confirmed by Mark O'Shea (MVP)
Solution
Hi VK

1) The AAD licenses would be assigned to users, not devices. Licenses can be reassigned, but you would need to ensure that users aren't leveraging any other capabilities of AADP P1 prior to the licenses being revoked and then losing those features as well.
2) The biggest initial benefit you get by adding AADP P1 to Autopilot is that the devices will automatically enroll with Intune after performing the AAD Join, rather than it being an extra manual step. This means that if a device reset is performed, and the AAD P1 license isn't assigned to the user, the device will be AAD Joined, but not Intune managed until that is addressed separately.
3) https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-device-writeback has more details, but two of the main scenarios are WHfB with hybrid certs. and CA via ADFS. Others may have some additional use case scenarios

View solution in original post