New Platform SSO with registration during Automated Device Enrollment on macOS
By Iris Yuning Ye, Product Manager – Microsoft Intune & Justin Ploegert, Principal Product Manager – Microsoft Entra A new setting ‘Enable Registration During Setup’ for Platform single sign-on (PSSO) during Automated Device Enrollment (ADE) is now generally available for macOS devices in Microsoft Intune. With this new setting and a compatible version of the Intune Company Portal (5.2604.0 and newer), this feature enables users sign in with their Microsoft Entra account during Setup Assistant, complete device registration before reaching the desktop, and get immediate access to work resources and ready to be productive sooner. Why this matters Previously, Platform SSO registration occurred only after users completed Setup Assistant and reached the desktop. They then had to notice and act on a separate notification to finish Platform SSO registration. When Platform SSO registration isn't completed, it can cause issues with app authentication or lead to noncompliance, delaying users from getting started on the device: Missed notifications - Users dismiss or ignore the post-enrollment PSSO prompt, leaving devices in an incomplete device registration state. Broken app authentication - Apps like Microsoft Outlook could fail to authenticate because SSO isn’t fully configured. Compliance gaps - Devices are flagged as noncompliant in the Intune Company Portal because Platform SSO registration isn’t completed. Helpdesk burden - IT teams field repeated tickets for issues that should have been handled automatically during provisioning. Migration blocker - Incomplete Platform SSO setup slows down migrating macOS devices to Intune. Platform SSO during ADE with EnableRegistrationDuringSetup key eliminates these issues. Device registration, identity bootstrap, and credential setup all happen inline during Setup Assistant before the user ever reaches the desktop. What the feature enables Capability Details Microsoft Entra device registration during ADE The device registers with Microsoft Entra ID before the user reaches the desktop. A hardware-bound Workplace Join certificate is issued and stored securely. Early device identity Device identity is established early in the provisioning process, enabling immediate access to resources protected by Conditional Access. Platform SSO credentials during initial setup When configured with Secure Enclave, credentials are stored in the device's Secure Enclave, providing hardware-bound, phishing-resistant protection aligned with Zero Trust principles. Minimized delays Users arrive at the desktop already signed in. No additional prompts, no waiting for policies, no broken apps. How it works This feature requires three policies that work together. All three must be configured correctly before enrollment starts and assigned to the same static user groups: A Platform SSO settings catalog policy with “Enable Registration During Setup” configured to Enabled. Intune Company Portal (version 5.2604 or newer) deployed as a line-of-business (LOB) app, which provides the Microsoft Enterprise SSO extension. An ADE enrollment profile configured with Setup Assistant with modern authentication and Await final configuration = Yes. When a device enrolls with these three policies in place, here's what happens: The device powers on and begins the ADE enrollment flow. Intune delivers the Platform SSO settings catalog policy with Enable Registration During Setup enabled. Intune Company Portal is installed automatically as a LOB app, providing the Microsoft Enterprise SSO plug-in. During Setup Assistant, the user signs in with their Microsoft Entra credentials. This first sign-in starts the regular enrollment process. A second sign-in authenticates the identity in Intune Company Portal and fetches the SSO extension. The device registers with Microsoft Entra ID, and a Microsoft Entra device registration certificate is issued. The user arrives at the desktop fully authenticated, with SSO active and Conditional Access satisfied. Note: During enrollment, users are prompted to enter their Microsoft Entra credentials at least twice. We're working on improvements to reduce the number of sign-ins in a future update. Prerequisites Requirement Details macOS version macOS 26 and newer Enrollment method ADE via Apple Business Intune Company Portal Version 5.2604.0 or newer, deployed as a LOB app. Download from https://go.microsoft.com/fwlink/?linkid=853070 Intune role for configuration Admin account with at least the Policy and Profile Manager built-in role Group type Assigned (static) user groups only. Dynamic groups and device groups are not supported. Important: Review the full Platform SSO prerequisites in the Platform SSO configuration guide before you begin. High level step-by-step configuration Step 1: Create or update the Platform SSO settings catalog policy In the Microsoft Intune admin center, go to Devices > Manage devices > Configuration. If this is your first time configuring Platform SSO, follow the full Platform SSO configuration guide. Add and configure the following setting: Setting Value Description Authentication > Extensible Single Sign On > Platform SSO > Enable Registration During Setup Enabled Enables the Platform SSO registration process during Setup Assistant. If using the Password authentication method, it’s recommended to add for password sync function: Setting Value Description Authentication > Extensible Single Sign On > Platform SSO > Enable Create First User During Setup Enabled Enables the password synchronization experience during Setup Assistant. Only configure this if using the Password authentication method. Tip: Microsoft recommends using Secure Enclave as the authentication method for the strongest hardware-backed security. Enable Create First User During Setup setting will be available soon in settings catalog. Assign the policy to your static user groups. Filter is also supported with correct static group setting. Step 2: Install Intune Company Portal as a LOB app Download the Company Portal for macOS PKG from https://go.microsoft.com/fwlink/?linkid=853070. In the Intune admin center, go to Apps > All Apps > Create. Add Intune Company Portal as a macOS LOB app. Make it a required app and assign it to the same groups as the Platform SSO policy from Step 1. Important: Company Portal 5.2604.0 and newer is required. If you install an older version, Platform SSO fails. When Intune detects Company Portal as a deployed policy, it sends it with priority during enrollment. And clean up the App bundle ID that are not related to Company Portal, make sure only com.microsoft.CompanyPortalMac as the relevant App bundle ID is kept. Step 3: Set up the enrollment profile In the Intune admin center, go to Devices > Device onboarding > Enrollment > Apple tab. Create or edit an Automated Device Enrollment profile with these Management settings: Setting Value User affinity Enroll with User Affinity Authentication Setup Assistant with modern authentication Await final configuration Yes Locked enrollment Yes Assign the profile to the same devices targeted as Steps 1 and 2. Critical: You must assign all three policies to the same devices targeted. If any policy is assigned to a different group, or if any step is misconfigured, enrollment will fail. In that case, wipe the device and re-enroll with all steps correctly configured. Key things to remember ✅ Three policies, one group: Settings catalog, Company Portal LOB app, and ADE enrollment profile, all assigned to the same static user groups. ✅ Static groups only: This feature does not work with device groups or dynamic groups. ✅ One SSO policy per device: If you already have a Platform SSO policy assigned to enrolled devices, make sure device is wiped appropriately before kicking of enrollment with new PSSO flow. ✅ Latest Intune Company Portal: Version 5.2604.0 or newer is required. ✅ macOS 26 required: This feature is supported on macOS 26 and newer. ✅ Secure Enclave recommended: For the strongest hardware-backed credential protection. For more details, refer to Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices. Looking ahead: Reducing Platform SSO sign-in prompts Signing in multiple times during enrollment isn't the ideal experience, and we're actively working to streamline it with a new enrollment setting that enables users to complete both Intune enrollment and Platform SSO device registration with a single sign-in. This will further simplify the onboarding experience, reduce friction for users, and bring macOS enrollment closer to a truly seamless, zero-touch provisioning flow. Stay tuned to What’s new in Intune for the release. Related resources SSO in ADE profile (new article): Add Platform SSO policy to ADE Profile on macOS devices SSO scenarios: Platform SSO scenarios for macOS devices Platform SSO configuration guide for macOS devices using Microsoft Intune Common Platform SSO scenarios for macOS devices Install Company Portal for macOS as a macOS LOB app Set up automated device enrollment (ADE) Troubleshoot the Microsoft Enterprise SSO Extension plugin on Apple devices macOS Platform single sign-on known issues and troubleshooting As always, we'd love your feedback. If you've piloted Platform SSO during Setup Assistant, share your tips and lessons learned in the comments below or reach out to us on X @IntuneSuppTeam.New iOS/iPadOS, visionOS, tvOS and macOS ADE enrollment policies experience
By: Anya Novicheva – Sr. Product Manager | Microsoft Intune Coming with the 2606 service release (end of June), iOS/iPadOS and macOS automated device enrollment (ADE) profiles will move to a new infrastructure which enables Intune to speed up the delivery of new features. These will be the new enrollment policies experience for Apple devices enrolling through ADE. With this update, you’ll notice the authentication methods are better organized, there’ll be no Company Portal authentication method or automatic deployment of the Company Portal application, Apple-deprecated settings have been removed, and there’ll be more granular admin controls for the policies page. All newly created enrollment policies for iOS/iPadOS/macOS will automatically be part of the new experience. Existing enrollment profiles won’t be affected. You’ll be able to delete, edit, and assign existing enrollment profiles but you’ll no longer be able to create them with the old experience. We recommend creating a new enrollment policy and setting it as the default as soon as this feature releases so new enrollments will use the new policy as soon as possible. All new features releasing after will be part of the new enrollment policies experience moving forward and will not be added to the old enrollment profiles. Coming with the 2604 service release (end of April), you'll be able to create visionOS and tvOS automated device enrollment (ADE) policies with enrollment time grouping. Go to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new visionOS and tvOS enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy. Create a new enrollment policy for iOS/iPadOS and macOS ADE In the Microsoft Intune admin center, navigate to Devices > Enrollment > Apple > Enrollment program tokens > select a token > Enrollment policies > Create. Here, new enrollment policies can be created and assigned to devices that have synced over from Apple Business Manager or Apple School Manager. Additionally, enrollment policies can be deleted or set as the default by navigating to the ellipsis in a policy. Benefits of the new experience: Enrollment time grouping support - Enrollment time grouping in Microsoft Intune The columns control can be used to select which columns should be default, which one should be the primary column, and which ones to show or hide. The search bar can be used to search by any column field contents and isn’t case sensitive. The filters control can be used to filter the policies by platform. We’ll add more filtering for the other columns soon. Sort each column by the ascending or descending order by clicking on the column header. No more automatic Company Portal app deployment from the enrollment policy itself or Company Portal as an authentication method option in the drop-down setting. The Company Portal app can still be used and sent down as a required or available app to the device depending on your organization’s needs. We always recommend using Setup Assistant with modern authentication for ADE policies with user affinity as it is the most secure method. However, if you still want to deploy the Company Portal authentication method your users or devices, you can do userless authentication (Enroll with no user affinity for authentication) and deploy the application as needed along with the required app configuration policy to the targeted devices. Note that this is not recommended. The “Install Company Portal”, “Install Company Portal with VPP, and “Run Company Portal in single app mode until authentication” settings aren’t supported and have been removed from the enrollment policy for iOS/iPadOS ADE. For more details refer to the blog: Move to Setup Assistant with Modern Authentication for Automated Device Enrollment Shared iPad for iPadOS ADE has its own authentication method for devices with no user device affinity. Setup Assistant with modern authentication is the default and recommended authentication method for ADE enrollment policies. Assigning new enrollment policies to devices The device assignment flow for ADE policies is the same. Within the policy, navigate to the Devices tab to select a device(s) and select Assign policy. Ensure that you’re assigning a new enrollment policy to the devices. Existing (old) enrollment profiles (only applies to iOS/iPadOS and macOS) Existing enrollment profiles will remain in Devices > Enrollment > Apple > Enrollment program tokens > select a token > Profiles. New enrollment profiles within Profiles cannot and should not be created. Existing enrollment profiles can be deleted, edited, assigned to devices, and viewed. Their device assignments will not be affected or changed. We recommend you migrate your ADE devices from being assigned to old enrollment profiles over to new enrollment policies and always have the Await final configuration setting set to Yes. Additionally, we recommend you set your default enrollment policy to one of your newly created ones from the Enrollment policies tab. Important: If you delete an old enrollment profile, the device rename is no longer enforced (that is if someone changes the device name). Sending the Company Portal app to ADE devices with user device affinity (optional) - iOS/iPadOS only Previously within enrollment profiles, the Company Portal app was sent down automatically to devices with the creation of Setup Assistant with modern authentication and Company Portal authentication profiles. With new enrollment policies, the Company Portal application will never be sent down automatically from the creation or assignment of the enrollment policy. For enrollment policy with user device affinity, we strongly recommend you set the authentication method to Setup Assistant with modern authentication as the most secure and seamless method. For Setup Assistant with modern authentication, the Company Portal is no longer required because of Just in Time registration and compliance Remediation for iOS/iPadOS with Microsoft Intune. However, if you still want to send replicate the Company Portal authentication method for your users or devices, you can choose to Enroll without user affinity (userless) and then deploy the application as needed, along with the required app configuration policy to the targeted devices. Assigning the correct app configuration policy based on the authentication method is critical if you’re sending the Company Portal app to ADE devices without user device affinity. Otherwise, the Company Portal will cause issues on the device and won’t auto-update correctly. However, we highly recommend Setup Assistant with modern authentication as the ADE authentication method for your Apple devices with user affinity. Based on the Company Portal authentication method you use, send the following XML for the app configuration policy: If you're using the Company Portal on an ADE device enrolled without user affinity (also known as Device Staging): <dict> <key>IntuneUDAUserlessDevice</key> <string>{{SIGNEDDEVICEID}}</string> </dict> If you're using the Company Portal on an ADE device enrolling with user device affinity, such as the Company Portal authentication method: <dict> <key>IntuneCompanyPortalEnrollmentAfterUDA</key> <dict> <key>IntuneDeviceId</key> <string>{{deviceid}}</string> <key>UserId</key> <string>{{userid}}</string> </dict> </dict> Stay tuned to What’s new in Intune for the release! If you have any questions, leave a comment on this post or reach out on X @IntuneSuppTeam and we'll provide updates in the blog on the timing of this release. Post Updates: 06/26/25: Updated post with a new ETA of Q4 CY25 (previously Q2 CY25). Also revised the content to better clarify the new experiences and authentication scenarios. 09/12/25: Updated post with a new ETA of Q1 CY26 (previously Q4 CY25). 02/26/26: Updated post with a new ETA of Q2 CY26 (previously Q1 CY26) and expanded scope to include macOS ADE alongside iOS/iPadOS. 04/30/26: Updated post with new ETAs - 2606 (end of June) for iOS/iPadOS and macOS, and 2604 (end of April) for visionOS and tvOS. Title and content updated to reflect the expanded OS scope.Intune my Macs: Accelerating macOS proof of concepts with Microsoft Intune
By: Neil Johnson and Chris Kunze - Principal Product Managers | Microsoft Intune Intune provides a broad and mature set of capabilities for managing macOS devices across security, compliance, applications, and user onboarding. Many customers, however, aren’t always aware of just how much functionality is available or how to bring it all together. We've developed a starter kit to make it easy to explore and set up macOS configurations in Intune: Intune my Macs. Intune my Macs helps bridge that gap by making it easy to explore some recommended macOS configurations and quickly set up a successful proof of concept using Intune. What is Intune my Macs? Intune my Macs is an open-source project from the Microsoft Intune Customer Experience Engineering team that allows you to deploy a complete macOS proof of concept in minutes. This starter kit brings together over 31 enterprise-grade configurations - identified by Apple’s Mac Evaluation Utility - along with policies, scripts, and applications, all of which can be deployed using a single PowerShell script. The project operates in dry-run mode by default, letting you preview exactly what will be created before committing any changes to your Intune tenant. When you're ready, simply add the --apply flag to the command-line to commit changes. Important: From a support perspective, Microsoft fully supports Intune and its ability to deploy PowerShell scripts. However, Microsoft does not support the scripts themselves, even if they are on our GitHub repository. They’re provided for example only. You are responsible for anything that they may do within your environment. Always test! See it in action Want a quick walkthrough before you dive in? Watch the video below to see a deep-dive on Intune my Macs - from authentication to policy creation, app deployment, and beyond. Why would you use it? 1. Jumpstart your macOS management Instead of building macOS configurations from scratch, Intune my Macs provides a ready-to-use baseline of production quality Intune artifacts. These configurations are designed to help you quickly evaluate Microsoft Intune for macOS management while also serving as reference implementations you can adapt to your environment. Below is an overview of what Intune my Macs deploys into your tenant, organized by category. Category Example configurations Security FileVault configuration, firewall enablement, Gatekeeper policies, Microsoft Edge policies Compliance Minimum macOS version (15.0), SIP enforcement, encryption requirements Identity Platform SSO via Secure Enclave with Microsoft Entra ID Applications Intune Company Portal, Microsoft 365, Remote Help, Intune Log Watch, Microsoft 365 Copilot, Windows App, and Edge Scripts Dock customization, FileVault key escrow (Escrow Buddy), onboarding automation Custom Attributes Hardware compatibility checks, Intune agent version reporting 2. Learn by example Each configuration in the repository serves as a practical reference implementation. The naming conventions follow a consistent pattern (for example, pol-sec-001-filevault, scr-app-100-install-company-portal), and detailed documentation explains what each setting does and why it's configured that way. 3. Reduce time to value Tasks that typically require extensive research, configuration, and testing can now be completed in just about 5 minutes, thanks to this streamlined approach. The script handles: Microsoft Graph SDK authentication Policy creation via Intune settings catalog and custom configuration profiles Script deployment with proper execution settings PKG application uploads Optional group assignments Optional Microsoft Defender for Endpoint integration If you're evaluating Microsoft Defender for Endpoint on macOS, the project includes an optional --mde command-line flag that deploys the full Defender for Endpoint configuration, including system extensions, privacy preferences, network filter settings, and a script that can be used to install the client. How it works This starter kit is driven by XML manifest files that define each configuration artifact. The main PowerShell script reads these manifests, resolves the associated JSON/mobileconfig/script files, and creates the corresponding objects in Intune via the Microsoft Graph API. You can scope this starter kit to specific artifact types using command-line flags like --apps, --config, --compliance, --scripts, or --custom-attributes. A custom naming prefix defined using the –prefix command-line flag) keeps your deployed objects easily identifiable, and the --remove-all command-line flag provides a clean way, based on the custom naming prefix, to delete everything created by an earlier run. For more information on how to use this project, be sure to review the prerequisites and instruction in the readme file. Bonus: Utility tools The project also includes several analysis and documentation tools: Export-MacOSConfigPolicies.ps1 - Back up existing Intune macOS policies to JSON Find-DuplicatePayloadSettings.ps1 - Detect conflicting settings across all your Mac configuration files Generate-ConfigurationDocumentation.py - Create Markdown or Word documentation from the manifests Get-IntuneAgentProcessingOrder.ps1 - Understand script and app processing sequence Get-MacOSGlobalAssignments.ps1 - List Mac policies assigned to All Devices or All Users Summary Intune my Macs isn't meant to be a one-size-fits-all production starter kit, but it’s a great way to get started. Use it to quickly implement a proof of concept, learn from the configuration patterns, and adapt the policies to your organization's specific requirements. Whether you're evaluating Intune for macOS management, setting up a new tenant, or just looking for reference implementations of common security configurations, this project can save you significant time and effort. Resources GitHub Repository Full Configuration Documentation Microsoft Defender for Endpoint Setup If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam! Post Updates 03/30/26: A video walkthrough has been added above. Watch to see Intune my Macs deploy a complete macOS proof of concept in minutes.Support tip: Move to declarative device management for Apple software updates
By: Benjamin Flamm – Product Manager | Microsoft Intune Apple recently announced at the Worldwide Developer Conference (WWDC) in June 2025 that mobile device management (MDM) software updates are deprecated in the upcoming Apple OS 26 versions. Instead, software updates will need to use declarative device management (DDM). In this blog, we want to provide you with everything you need to know to navigate this transition and easily manage software updates in DDM. What is DDM? DDM is an enhancement to Apple’s device management protocol that makes devices more proactive and autonomous, and this is perfectly highlighted by the major improvements that DDM brings to managing software updates. Previously, Intune had to send update commands and repeatedly check for the update status. With DDM, Intune simply tells the device the required OS version and the installation deadline, while the device proactively updates Intune on its progress from download to installation. Move to DDM for software updates The MDM software update features in Intune will initially be marked as ‘deprecated’ in the Intune admin center and support will end shortly after Apple OS 26 releases. Devices will ignore MDM update settings when DDM update settings are being enforced, so the only steps you need to do are to create your DDM update policies using the settings catalog. The following table lists the MDM software update features that’ll be unsupported later this year, along with the matching DDM feature that is currently available or coming soon. Legacy MDM feature New DDM feature iOS/iPadOS update policies Software Update or Software Update Enforce Latest settings, located in the settings catalog under Declarative Device Management (DDM): macOS update policies iOS update installation failures report Apple software update failures (Devices > Monitor) which is expected to release with Intune’s August (2508) service release. macOS update installation failures report Software updates report (macOS per-device) macOS software updates (Devices > All devices, select a macOS device > macOS software updates) which is expected to release with Intune’s August (2508) service release. macOS Settings catalog > Software Update payload and settings Software Update Settings located in the settings catalog under Declarative Device Management (DDM): Settings in the iOS or macOS ‘Device restrictions’ template Settings catalog > Restrictions, software update delay settings How do I manage software updates using Intune? With Apple deprecating MDM software updates, DDM is the recommended method to manage software updates in your organization. For a thorough guide that highlights the differences between MDM and DDM, along with how to configure DDM software updates review: Managed software updates with the settings catalog. Useful resources Apple announcements: Announcement of DDM software updates at WWDC 2023 Introduction of Software Update Settings at WWDC 2024 Announcement of MDM update deprecation at WWDC 2025 Intune Apple settings catalog configuration list | Microsoft Learn Apple Platform Deployment guide for managing updates | Apple Support Stay tuned to this post for updates! If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. Updates: 7/25/2025: Updated the expected release timeline of the new per-device software update report for macOS.
Zoom with Scroll + Modifier Key Not Working in Edge on macOS
Hello, I am using Microsoft Edge on macOS and I would like to zoom in and out of web pages using a modifier key (Command, Option, or Control) together with scroll Currently, Command + Scroll does not zoom the page. I understand that macOS may override this behavior through accessibility settings, but I would like to enable this functionality specifically in Edge without affecting system-wide behavior. Could you please advise: Is it possible to enable zoom using Scroll + Modifier Key in Edge on macOS? If not, are there any recommended workarounds or planned features for this? Thank you for your help DanceLens!
macOS: SSO no longer fully functional on AVD (Win11 25H2)
Hello everyone, Since updating our Test Azure Virtual Desktop Session Hosts from Windows 11 23h2 to 25H2 (26200.7462) , we've been experiencing an SSO issue that exclusively affects macOS clients. Symptoms For macOS users (Windows App), the following issues occur: Example Teams Teams shows the user as "Unknown User" Chat and collaboration features fail to load Error message: "You need to sign in again. This may be a requirement from your IT department or Teams, or the result of a password update. - Sign in" After clicking "Sign in," only a window appears with "Continue with sign-in" (no PW/MFA prompt) After this, all other applications work without further authentication Technical Details macOS Device: AppleM4 Pro macOS Tahoe 26.2 Installed WindowsApp version: 11.3.2 (2848) dsregcmd /status: No errors detected PRT is active and was updated for sign-in Entra Sign-In Logs: Error code: 9002341 EventLog on Session Host (AAD-Operational): Event ID: 1098 Error: 0xCAA2000C The request requires user interaction. Code: interaction_required Description: AADSTS9002341: User is required to permit SSO. Event ID: 1097 Error: 0xCAA90056 Renew token by the primary refresh token failed. Logged at RefreshTokenRequest.cpp, line: 148, method: RefreshTokenRequest::AcquireToken. Observations Affects: Both managed (internal) and unmanaged (external) macOS devices Does NOT affect: Windows clients connecting via Windows App Interesting: If a macOS user starts the session (with the error) and then reconnects on a Windows device, authentication works automatically there Workaround The issue can be resolved for macOS clients by removing the "DE" flag from "Automatic app sign-in" in the following file: C:\Windows\System32\IntegratedServicesRegionPolicySet.json Questions Is this a known issue? Has anyone experienced similar issues with macOS clients after the 25H2 update? Why does this issue only occur with macOS clients? Why does SSO only work after removing the "DE" flag for macOS devices, and why are Windows devices not affected? I would appreciate any insights or confirmation of this issue! Thank you and greetings FT_1Support tip: Troubleshoot device cap reached when enrolling devices into Microsoft Intune
By: Premkumar N – Security Customer Experience Engineer | Microsoft Intune When Microsoft Entra or Intune device limits are reached, users will encounter an error when enrolling their device into Intune. While it can be difficult to understand the reason for the failure from the error message, this blog will explain the differences between Microsoft Entra device registration limit and the Intune device enrollment limit, along with the steps to resolve these issues. For an overview of Microsoft Entra and Intune device limit scenarios refer to: Understand Intune and Microsoft Entra device limit restrictions. Let’s look at the experiences on different platforms, followed by the resolution steps. Android Intune device limit reached When the Intune device limit is reached, an Android device enrollment will fail with the following error: To diagnose the issue, review the Intune Company Portal logs for the affected device. Capturing Company Portal logs: Users can select "Email Support" from the error screen to send the logs via email or Send logs from Company Portal. If the Company Portal logs display the “Device Cap Reached” error as shown in the example logs below, this indicates that the Intune device limit has been reached. 2025-07-16T15:07:39.8410000 VERB o.zzafi 13923 6035 sending event: EnrollmentFailureEvent( networkState=CONNECTED, enrollmentFlowType=Enrollment, enrollmentType=AfwProfileOwner, failureName=DeviceEnrollmentFailure, errorException=com.microsoft.windowsintune.companyportal.exceptions.EnrollmentException: Server error = <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"> <s:Body> <s:Fault> <s:Code> <s:Value>s:Receiver</s:Value> <s:Subcode> <s:Value>s:Authorization</s:Value> </s:Subcode> </s:Code> <s:Reason> <s:Text xml:lang="en-US">Device Cap Reached</s:Text> </s:Reason> <s:Detail> <DeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"> <ErrorType>DeviceCapReached</ErrorType> <Message>Device Cap Reached</Message> <TraceId>xxx</TraceId> </DeviceEnrollmentServiceError> </s:Detail> </s:Fault> </s:Body> </s:Envelope>, errorMessage=, sessionGuid=xxx ) By default, Intune allows a maximum of 15 devices per user; exceeding this limit logs an error in the Company Portal. To address this issue, either remove inactive devices that have not checked in to Intune within a specified timeframe, or increase the device limit (up to 15) in the Intune settings. To remove stale devices: Navigate to the Microsoft Intune admin center > Devices > All Devices. Search using the affected user's UPN to view all enrolled devices. Remove any devices no longer in use. To increase the device limit: Navigate to the Microsoft Intune admin center > Devices > Enrollment > Device Limit Restrictions. Select the policy, go to Properties, then edit Device Limit, and adjust the limit (maximum 15). Note: If the Intune device limit is reached, errors are logged in the Microsoft Intune admin center under Devices > Monitor > Enrollment failures. Microsoft Entra device limit reached For Android, users will see the same error message when Microsoft Entra device limit has been reached. You can confirm the Microsoft Entra device limit has been reached by checking the Company Portal logs for the following error: com.microsoft.identity.broker4j.workplacejoin.exception.DrsErrorResponseException: { "code": "invalid_request", "subcode": "error_directory_quota_exceeded", "message": "User 'xxx' is not eligible to enroll a device of type 'Android'. Reason 'DeviceCapReached'.", "operation": "DeviceJoin", "requestid": "xxx", "time": "xxx" } Similar to the Intune device limit reached, to resolve this issue either increase the device limit in Microsoft Entra for Microsoft Entra registration or remove any stale devices associated with the user in the Microsoft Entra admin center. Stale devices are those that are no longer active and can be removed when they haven’t checked in for a specified period. One cause of stale devices is deleting or retiring an Intune device, which may leave behind a record in Microsoft Entra and contribute to reaching the Microsoft Entra device registration limit. To remove stale devices: Go to the Microsoft Entra admin center. Navigate to Microsoft Entra ID > Users. Search for the user using their UPN. Select Devices. This displays a list of registered devices for the user. Devices that are no longer in use can be removed. To increase the device limit for Microsoft Entra registration: Go to the Microsoft Entra admin center. Navigate to Microsoft Entra ID > Devices. Select Device Settings. Locate Maximum number of Devices Per User. Adjust the device limit as needed. iOS Intune device limit reached For iOS, device enrollment may fail with the following error if the device limit has been reached. To check the issue, select 'Report and Email logs' to collect Company Portal logs. If the logs show the below error, it confirms the Intune device limit has been reached. 2025-07-18 12:38:33.427 | utility | 31673 | AlertManager.swift:37 (push(alert:grouping:)) Pushing alert with: grouping = 0 title = Couldn't add your device. message = You have reached the limit of devices you can register. Please contact your company support to increase this number, or review and remove devices that are already registered with this account. into the AlertManager The resolution is the same as Android, refer to the earlier steps for Intune device limit reached on Android. Microsoft Entra device limit reached On iOS devices, Intune enrollment may successfully complete; however, device registration may still result in an error as shown below in the Company Portal app. To collect Intune Company Portal logs, select More > Send logs > Email Logs. When you see the following error message in the Company Portal logs: iOSunderlyingErrorMessage: { "ErrorType": "AuthorizationError", "Message": "User '00000000-0000-0000-0000-000000000000' is not eligible to enroll a device of type 'Ios'. Reason 'DeviceCapReached'.", "TraceId": "00000000-0000-0000-0000-000000000000", "Time": "2025-07-16 14:07:23Z" } To resolve, use the same steps as Android when Microsoft Entra device limit is reached. macOS Intune device limit reached For macOS, device enrollment will fail with the following error when the Intune device limit has been reached. To identify the issue, collect the Company Portal logs by selecting 'Report' and then email the logs. In the logs, when you see the following error, this confirms the Intune device limit has been reached. 2025-07-25 07:39:23.731 | utility | 14262 | AlertManager.swift:37 (push(alert:grouping:)) Pushing alert with: grouping = 0 title = Couldn't add your device. message = You have reached the limit of devices you can register. Please contact your company support to increase this number, or review and remove devices that are already registered with this account. into the AlertManager To resolve, use the same steps as Android when Intune device limit is reached. Microsoft Entra device limit reached For macOS when enrolling into Intune, if the Microsoft Entra device limit has been reached, you’ll notice the following error: In the Company Portal logs, when you see the following error, this confirms the Microsoft Entra device limit has been reached. Description: { "ErrorType": "AuthorizationError", "Message": "User '00000000-0000-0000-0000-000000000000' is not eligible to enroll a device of type 'Mac'. Reason 'DeviceCapReached'.", "TraceId": "00000000-0000-0000-0000-000000000000", "Time": "2025-05-27 05:24:52Z" } To resolve, use the same steps as Android when Microsoft Entra device limit is reached. Windows Intune device limit reached For Windows devices, enrollment will fail with the following error when Intune device limit has been reached: When you see this error, you can check the logs in the event viewer in this path: Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin Event ID: 71 MDM Enroll: Failed to receive or parse certificate enroll response. Result: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. To resolve, use the same steps as Android when Intune device limit is reached. Microsoft Entra device limit reached For Windows, when the Microsoft Entra device limit has been reached, you’ll notice the following error during Intune enrollment: When you see this error, you can check the logs in the event viewer in this path: Windows Device Source: Microsoft-Windows-User Device Registration/Admin Event ID: 304 The get join response operation callback failed with: exit code: Unknown HResult Error code: 0x801c000e Activity Id: a0a15e15-631a-46ab-b0a4-2f540778df7d The server returned: HTTP status: 400 Server response: { "code": "invalid_request", "subcode": "error_directory_quota_exceeded", "message": "User '8b000000-0000-0000-0000-000000000000' is not eligible to enroll a device of type 'Windows'. Reason 'DeviceCapReached'.", "operation": "DeviceJoin", "requestid": "a0000000-0000-0000-0000-000000000000", "time": "2025-05-30 15:33:09Z" } This is the result of the Microsoft Entra device limit reached for the user for Windows platform. To resolve, use the same steps as Android when Microsoft Entra device limit is reached. Device limit reached – Windows Autopilot hybrid join scenario The Microsoft Entra device limit reached error will also occur when changing the primary user in Intune for Windows Autopilot Microsoft Entra hybrid joined devices). In the Autopilot hybrid join scenario there will be two device records in Azure. The Microsoft Entra hybrid join record, and the standard Microsoft Entra join record. Changing the primary user only updates the hybrid joined record in Microsoft Entra, leaving the original user as the owner of the Microsoft Entra join record. The owner entries on the Microsoft Entra join record will impact the device registration limit. Rather than removing the Microsoft Entra join device, which deletes its join state and is not a recommended approach, remove the registered owner on that record. Note: Deploying new devices as Microsoft Entra hybrid join devices isn’t recommended, for more details refer to Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization. The following image shows the device state after the Microsoft Entra hybrid joined deployment is completed. User1 enrolled a Microsoft Entra hybrid join device with Intune and Windows Autopilot and the registered user for both the records is ‘user1’. After changing the primary user in Intune to user2, only the Microsoft Entra hybrid joined record is updated for user2. The Microsoft Entra device registration usage for user1 remains unchanged for the Microsoft Entra joined record, both before and after modifying the primary user of the Intune device. This counts toward the Microsoft Entra registration limit for user1. Resolution Before proceeding with the resolution steps for this scenario, it’s important to note the difference between a registered owner and a registered user: Registered owner: A registered owner is the user that cloud joined the device or registered their personal device. The registered owner is set at the time of registration. Registered user: For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration. Remove the registered owner This action can be done using PowerShell and Graph Explorer. Step 1. Check the user's device count in Microsoft Entra ID using Graph Explorer or PowerShell. PowerShell: This query lists the registered devices for the user. Install-Module Microsoft.graph Connect-MGgraph Get-MgUserRegisteredDevice -UserId <userID> Get-MgUserRegisteredOwner -UserId <userId> Sample from PowerShell: Graph Explorer queries: Owned devices for the user GET https://graph.microsoft.com/v1.0/users/{user-id}/OwnedDevices Registered device for the user GET https://graph.microsoft.com/v1.0/users/{user-id}/registeredDevices Sample Graph Explorer output: Only the "ID" in the output is needed to remove the device in next step. { "@odata.context": "******", "@microsoft.graph.tips": "******", "id": "00000000-0000-0000-0000-00000000", "deletedDateTime": null, "accountEnabled": true, "approximateLastSignInDateTime": "******", "complianceExpirationDateTime": null, "createdDateTime": "******", "deviceCategory": null, "deviceId": "******", "deviceMetadata": null, "deviceOwnership": "Company", "deviceVersion": 2, "displayName": "******", "domainName": null, "enrollmentProfileName": null, "enrollmentType": "AzureDomainJoined", "externalSourceName": null, "isCompliant": false, "isManaged": true, "isRooted": false, "managementType": "MDM", "manufacturer": "******", "mdmAppId": "******", "model": "******", "onPremisesLastSyncDateTime": null, "onPremisesSyncEnabled": null, "operatingSystem": "******", "operatingSystemVersion": "******", "physicalIds": [ "******", "******", "******", "******" ], "profileType": "RegisteredDevice" } Step 2. After confirming the user association for the device, remove both the registered owner and user for the Microsoft Entra joined device record to clear the user count toward the pre-defined limit. Graph API query: Replace the 'deviceid' in the following query with the 'id' from the Graph Explorer output from the previous step. Delete Registered Owner DELETE https://graph.microsoft.com/v1.0/devices/{deviceid}/registeredowners/{user-id}/$ref Delete Registered User DELETE https://graph.microsoft.com/v1.0/devices/{deviceid}/registeredusers/{user-id}/$ref This can also be done with PowerShell as below. PowerShell commands In the below commands DeviceID = Microsoft Entra Device ID/ObjectID. It’s important to remove both the registered owner and registered user for the device. Remove registered owner: Remove-mgdeviceregisteredownerDirectoryObjectByRef –DeviceId <DeviceID> -DirectoryObjectId <userID> Sample PowerShell output: Remove registered user: Remove-mgdeviceregistereduserDirectoryObjectByRef –DeviceId <DeviceID> -DirectoryObjectId <userID> Sample PowerShell output: PowerShell or Graph Explorer can also be used to delete the device in other scenarios such as Intune device deletion and Microsoft Entra device ID deletion. Summary Device enrollment can fail when either Intune or Microsoft Entra device limits are reached. These errors can be confusing, however, understanding the difference between Microsoft Entra device registration limits and Intune device enrollment limits makes it easier to sort out and resolve the issue. These issues commonly stem from stale device records, or changing the primary user of a Microsoft Entra hybrid joined device. Resolving them involves removing inactive devices or adjusting device limit policies in the appropriate service. As a best practice, avoid changing the primary user of the Microsoft Entra hybrid joined device and deploy the Windows Autopilot device to new users with a fresh start. Additional information on this topic can be found in the Microsoft Learn docs below: Device limit - Understand Intune and Microsoft Entra device limit restrictions List RegisteredDevices for user - List registeredDevices - Microsoft Graph v1.0 ListOwnedDevices for user - List ownedDevices - Microsoft Graph v1.0 Remove the registered owners for the device - Delete registeredOwners - Microsoft Graph v1.0 Remove the registered user for the device - List registeredUsers - Microsoft Graph v1.0 If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam.Apple making device migration to Microsoft Intune easy with upcoming OS 26 release
By: Iris Yuning Ye – Product Manager | Microsoft Intune Apple recently announced a major update at their Worldwide Developers Conference 2025 that solves one of the biggest headaches for admins: migrating macOS and iOS/iPadOS devices from one mobile device management (MDM) solution to another without factory resets, manual re-enrollment, or missing configurations. With the new MDM Migration capability in macOS 26 and iOS/iPadOS 26, built directly into Apple Business Manager, IT admins are able to transition devices from third-party MDMs to Microsoft Intune seamlessly, and without user disruption. Migrating devices to Intune helps IT admins consolidate device management across platforms, enforce consistent security policies, and reduce operational complexity. In this blog, learn how to start using Apple’s MDM migration feature to easily move your macOS and iOS/iPadOS fleet to Intune. Prerequisite: macOS/iOS/iPadOS 26 and enrollment into a device management service is required to use the Apple MDM migration feature. 1. Pre-migration – preparation and set up Before starting the migration process, there are five major steps to follow for preparation. 1.1 Keep a record of your devices Start by creating a detailed inventory of all devices in your organization. This should include each device model, the version of OS it’s running, and whether it’s corporate-owned or user-owned. This step is critical because Apple’s new migration feature has specific OS version requirements. Knowing which devices are eligible helps you scope the migration accurately and avoid surprises later. 1.2 Document configurations in current MDM Before making any changes, document all existing configurations in your current MDM platform. This includes: Configuration profiles: Capture all profiles related to Wi-Fi, VPN, email, and certificates. These are essential for maintaining connectivity and access post-migration. Compliance policies: Note any rules that enforce password complexity, encryption, or device health checks. Security baselines: Record settings such as FileVault encryption, Gatekeeper, and the macOS firewall to ensure security standards are preserved. Custom scripts: List any scripts used for automation, monitoring, or maintenance tasks. Deployed applications: Document all apps currently deployed, including how they’re delivered (Volume Purchase Program, App Store, or custom packages). This documentation will serve as your blueprint for rebuilding these configurations in Intune. 1.3 Configure the Apple MDM push certificate Navigate to the Intune admin center, create and upload an Apple MDM push certificate. This certificate allows Intune to securely communicate with Apple devices. Without it, device management and policy enforcement can’t function. 1.4 Add Microsoft Intune to Apple Business Manager (ABM) or Apple School Manager (ASM) Next, integrate Microsoft Intune with ABM or ASM, by following these steps: Download the public key from Intune. Upload that key to ABM or ASM when creating a new MDM server. Then, download the server token from ABM or ASM and upload it back into Intune. This allows ABM to recognize Intune as a valid MDM server and enables device assignment. 1.5 Set up MDM Configurations in Intune Since migration is treated as a new device enrollment, you'll need to follow standard Intune ADE (Automated Device Enrollment) guidance to setup device enrollment profile. Some key steps include: Once the device is in ABM/ASM, token that must be created to link Intune with ABM. Then, the device needs to sync from ABM to Intune. There is an automatic sync every 12 hours, or admin can manually sync once every 15 min. After successfully synced device from ABM to Intune, you need to create the enrollment profile, and then manually assign it to the devices via device serial number, and then the device can power on and enroll through that assigned enrollment profile Using the configurations documented in step 1.2, begin replicating existing configurations in Intune. This includes but is not limited to: Rebuilding configuration profiles for network access and security. Reapplying compliance and security policies. Re-deploying applications. Rewriting or importing scripts as needed. Identify the other controls to implement that improves Zero Trust. Call to action: Please make sure testing the MDM configurations on a test device before assigning them to the devices you plan on migrating. And before initiating any migration, communicate with your endpoint users first, keeping them informed to avoid any confusion. 2. Migration – Admin step-by-step flow The admin experience starts from ABM or ASM. After logging into ABM or ASM, navigate to the Devices section. Select the device or group of devices targeted for migration to Intune. Selecting the ellipsis on the top right of device overview interface unveils the “Assign Device Management” button. Select the server you want to migrate the device to. In our case, it’s Intune. Confirm device assignment. 3. Migration – Endpoint step-by-step flow After completing the device management assignment, the device user receives a notification informing them that a management change is required. macOS iOS/iPadOS When the user selects the notification, they are guided through a simple approval process. If the user doesn’t initiate enrollment before the admin set enrollment deadline, an enforced migration occurs, which results in a non-dismissible and full-screen prompt that must be completed by the user before using the device. Regular migration Enforced migration (past deadline) Once the user approves the migration, the device communicates with Apple’s servers to get its new device management assignment. It then downloads and installs the new MDM profile. This migration process happens without rebooting the device. 4. Post-migration – Verification Lastly, verify the migration and enrollment successfully completed by navigating to the Intune admin center and confirming the new devices are listed. evice. Please note, it's important to have test device verifying required configurations running smoothly before migrating large number of devices and test your devices after migration to ensure everything is working smoothly. If you run into any issues, further adjustments may be needed. Special thanks to our Intune MVP, Somesh Pathak, whose content we leveraged in this blog! For more details and a video demo, check out Somesh’s blog at: https://intuneirl.com/mac-admins-your-migration-glow-up-just-dropped Summary In short, Apple’s new MDM migration in macOS and iOS/iPadOS 26 makes moving Mac, iPhone or iPad devices to Intune now easier than ever. With careful planning and a few simple steps, you can make the switch smoothly to manage your Apple devices all in one place. For Mac devices that aren’t running OS 26, you can check out our Intune Github for migration scripts and review the blog Managing and migrating Macs with Microsoft Intune. Let us know how your Mac journey is going by leaving a comment below, reaching out to us on X @IntuneSuppTeam, or join our Mac Admins Community on LinkedIn! Post updates: 12/04/25: Updated section "1.5 Set up MDM Configurations in Intune". 12/11/25: Updated MDM Migration URL.
