SOLVED

Best practice for the managed Google Play Account in Intune/MEM

%3CLINGO-SUB%20id%3D%22lingo-sub-1673055%22%20slang%3D%22en-US%22%3EBest%20practice%20for%20the%20managed%20Google%20Play%20Account%20in%20Intune%2FMEM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1673055%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20looking%20for%20some%20advice%20on%20the%20best%20practice%20for%20setting%20the%20first%20step%20of%20Android%20enrollment%20in%20Microsoft%20Intune%2FMEM.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20best%20practice%20for%20security%20and%20management%2C%20when%20we%20choose%20the%20managed%20Google%20Play%20account%20for%20Intune%2FMEM%20%3F%3CBR%20%2F%3EUsing%20an%20AzureAD%20account%20(with%20or%20without%20exchange%20online%20licence)%2C%20a%20Google%20account%2C%20or%20other%20external%20account%20%3F%3CBR%20%2F%3EDoes%20this%20account%20need%20to%20have%20access%20to%20a%20mailbox%20and%20MFA%20can%20be%20used%20with%20this%20account%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1673055%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Egoogle%20play%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMEM%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1676998%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20practice%20for%20the%20managed%20Google%20Play%20Account%20in%20Intune%2FMEM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1676998%22%20slang%3D%22en-US%22%3EI%20mostly%20create%20a%20general%20Google%20account%20that%20is%20shared%20across%20the%20organization%20and%20can%20be%20linked%20with%20Intune.%3CBR%20%2F%3EThe%20managed%20Google%20Account%20is%20not%20that%20important%2C%20if%20you%20would%20ever%20loose%20access.%20You%20can%20link%20it%20again%20and%20re-add%20your%20apps.%3CBR%20%2F%3EIn%20comparison%2C%20if%20you%20loose%20access%20to%20your%20Apple%20account%2C%20you%20need%20to%20re%20enroll%20your%20device%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1677578%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20practice%20for%20the%20managed%20Google%20Play%20Account%20in%20Intune%2FMEM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1677578%22%20slang%3D%22en-US%22%3E%3CP%3EI%20agree%20with%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%2C%26nbsp%3Bthe%20Google%20account%20is%20usually%20a%20generic%20account%20created%20only%20for%20this%20purpose.%20This%20account%20is%20usually%20something%20that%20is%20only%20used%20for%20this%20link%20with%20most%20of%20my%20customers.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EUsually%20owned%20and%20stored%20by%20the%20team%20operating%20Intune%20since%20they%20are%20the%20ones%20who%20need%20this%20account.%26nbsp%3B%3C%2FP%3E%3CP%3EMost%20of%20my%20customers%20are%20using%20a%20%5Brandom-name-chosen-by-customer%5D%40gmail.com%20or%20such%20for%20this.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1717433%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20practice%20for%20the%20managed%20Google%20Play%20Account%20in%20Intune%2FMEM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1717433%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20don't%20really%20need%20the%20check%20emails%2C%20except%20if%20you%20would%20require%20approval%20for%20app%20updates%20maybe.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20haven't%20personally%20tried%20enabling%20MFA%20on%20the%20account.%20It's%20something%20to%20try%20out%20I%20guess.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1821136%22%20slang%3D%22en-US%22%3ERe%3A%20Best%20practice%20for%20the%20managed%20Google%20Play%20Account%20in%20Intune%2FMEM%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1821136%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3BWhen%20we%20want%20to%20use%20Android%20Zero-Touch%2C%20do%20we%20need%20to%20use%20the%20same%20account%20(Intune%20Google%20Play%20Account)%20or%20this%20can%20be%202%20different%20account%20%3F%3C%2FP%3E%3CP%3EApparently%20Google%20is%20asking%20to%20use%20a%20professionnal%20account%20to%20access%20to%20Zero-Touch%20portal.%3C%2FP%3E%3CP%3EIf%20we%20use%20a%20professional%20account%2C%20this%20account%20need%20also%20to%20have%20an%20Exchange%20Online%20licence%20always%20activated%20with%20an%20enabled%20mailbox%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi All,

 

I'm looking for some advice on the best practice for setting the first step of Android enrollment in Microsoft Intune/MEM.

 

What is the best practice for security and management, when we choose the managed Google Play account for Intune/MEM ?
Using an AzureAD account (with or without exchange online licence), a Google account, or other external account ?
Does this account need to have access to a mailbox and MFA can be used with this account ?

 

Thanks !

9 Replies
I mostly create a general Google account that is shared across the organization and can be linked with Intune.
The managed Google Account is not that important, if you would ever loose access. You can link it again and re-add your apps.
In comparison, if you loose access to your Apple account, you need to re enroll your device

I agree with @Thijs Lecomte, the Google account is usually a generic account created only for this purpose. This account is usually something that is only used for this link with most of my customers. 

Usually owned and stored by the team operating Intune since they are the ones who need this account. 

Most of my customers are using a [random-name-chosen-by-customer]@gmail.com or such for this. 

@Thijs LecomteThanks for your answer !

This gmail account doesn't receive any email we need to check for MEM/InTune or Google Play ?

Can we change the password and add MFA for this account without breaking InTune integration ?

 

I have read that if we loose access to the Google Play account in InTune, to change this account with a new one, we need first retire all enrolled Android device and then enroll all devices. This will have a big impact for user, or there is a easier way to do this?

 

Thanks,

Hi

You don't really need the check emails, except if you would require approval for app updates maybe.

I haven't personally tried enabling MFA on the account. It's something to try out I guess.

@Thijs Lecomte When we want to use Android Zero-Touch, do we need to use the same account (Intune Google Play Account) or this can be 2 different account ?

Apparently Google is asking to use a professionnal account to access to Zero-Touch portal.

If we use a professional account, this account need also to have an Exchange Online licence always activated with an enabled mailbox ?

 

Thanks !

Yeah, you can use a different account. They are essentially two different things

@Thijs Lecomte 

Thanks, but what will be the best practice for you, with Android Zero-Touch and Intune Google Play Account :

- Two Professional Accounts.

- Two Gmail Accounts (Apparently not recommended by Google : is asking to use a professionnal account to access to Zero-Touch portal).

- Two Accounts (1 Gmail & 1 Pro) : 1 gmail Account for Intune Google Play Account & 1 Professional Accounts for Android Zero-Touch

- One unique Professional Account. So only one ExO licence and one account to secure. Any disadvantage ?

 

If we use a professional account, this account need also to have an Exchange Online licence always activated with an enabled mailbox or we don't need a mailbox ?

 

Do you know if we use also iOS and Samsung Knox : Best practice will be to use one different account for each or the same for all ? (Google Play, iOS AppStore, Android Zero-Touch, Knox) 

 

Thanks,

 

Best Response confirmed by SRPfr (Occasional Contributor)
Solution

@SRPfr 

There isn't a real, outlined best practices here.

 

You don't need a Exchange license per say, you could use this solution - https://msendpointmgr.com/2020/08/08/2-for-1-mail-enable-unlicensed-admin-accounts/

 

I would use one Professional account if possible, will be the easiest way

@Thijs LecomteThanks,

An a very usefull article !