Setup Assistant with modern authentication for ADE - Intune Public Preview

Published Apr 20 2021 08:00 AM 15.9K Views

Updated 8/27/21: We're excited to take the preview tag off and share that Setup Assistant with modern authentication for ADE (iOS/iPadOS 13+ and macOS 10.15+) is now generally available! See Automatically enroll iOS/iPadOS devices by using Apple's Automated Device Enrollment on how to use this authentication method on iOS/iPadOS devices, and Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager for macOS devices.


We’re excited to announce support for a new authentication method for Apple's Automated Device Enrollment (ADE) which is Setup Assistant with modern authentication. This new authentication method is available for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later, in public preview in Microsoft Endpoint Manager.


For automated device enrollment scenarios where the authentication method is Setup Assistant with modern authentication, you can create a filter rule based on the enrollment profile name (enrollmentProfileName). See: Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices to learn more.



When creating an ADE enrollment profile, you can choose a new authentication method: Setup Assistant with modern authentication. This authentication method for ADE allows your organization to require authentication with Azure Active Directory (Azure AD) in an out-of-box experience (OOBE) during enrollment with Setup Assistant, prior to users accessing the home screen. You have the option to also require multi-factor authentication (MFA) depending on the settings in your Conditional Access policy.


Users are required to authenticate with their Azure AD credentials twice: once during enrollment with Setup Assistant, and then again when they sign in to the Company Portal. After initial authentication with Azure AD during Setup Assistant, the home screen appears, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when a user arrives at the home screen after the setup screens. However, the device will not show in a user's device list in the Azure AD portal until the user signs in to Company Portal. The additional sign in to the Company Portal app fully completes a device’s Azure AD registration and gives the user access to corporate resources protected by Conditional Access. This method provides all the security of authenticating with the Company Portal but doesn’t make users wait until the Company Portal installs on the device before they can start using it.


The correct Company Portal version will automatically be delivered as a required app to the device for iOS/iPadOS. We recommend choosing a Volume Purchase Program (VPP) token for the enrollment profile. Otherwise, it will be delivered when the user sets up their Apple ID during the Setup Assistant screens. To learn how to get the Company Portal on macOS devices, see Add the Company Portal for macOS app.


Company Portal Redirection

A new improvement we’ve made to our onboarding experience helps guide users to complete that second Azure AD authentication by automatically redirecting to the iOS/iPadOS Company Portal when the user attempts to access corporate data.

If users open any managed iOS/iPadOS applications that are protected by Conditional Access and they haven't completed the additional Azure AD sign in to the iOS/iPadOS Company Portal, they will be redirected to the Company Portal from those other apps as part of this new change. This way, users are guided to complete that last step before they can access resources protected by Conditional Access.

Here is what it will look like if a user tries to open an app protected by Conditional Access before authenticating in the Company Portal:


Screenshot: Conditional Access block screen.


Screenshot: System prompt that opens the iOS/iPadOS Intune Company Portal.


Configuration in Microsoft Endpoint Manager admin center

The Intune documentation explains how to configure Setup Assistant with modern authentication for iOS/iPadOS device enrollment and macOS device enrollment. In the Microsoft Endpoint Manager admin center, you can require a user to complete multi-factor authentication. For instructions, see Require multi-factor authentication for Intune device enrollments. The following screenshot provides an example of the prompt locations:


Screenshot: MFA prompt locations for Microsoft Intune and Microsoft Intune Enrollment.


Enrolling devices with user device affinity but without Azure AD registration

For both iOS/iPadOS and macOS, user device affinity (also known as primary user) in Intune is established when a user lands on the home screen after the Setup Assistant screens. However, the device is not fully registered with Azure AD until the additional sign in to Company Portal, as mentioned above. This is also when device compliance is assessed, and the device shows as compliant in the Microsoft Endpoint Manager admin center. However, if you would like to keep devices fully enrolled with Intune but without Azure AD registration, this is also supported.

After the user completes the initial Azure AD sign in during Setup Assistant, if there are no resources protected by Conditional Access and if Azure AD registration is not required, then this authentication method can be used to fully enroll the device. If you choose this ADE flow, which does not require users to sign in to the Company Portal post enrollment, you will see the following device behavior:

  • The device will not show up in a user’s device list in the Azure AD portal (since there is no device identity association within Azure AD).

  • The device will not show up as compliant in the Microsoft Endpoint Manager admin center.


Keep in mind

  • When enrolling an iOS/iPadOS device with Setup Assistant with Modern Authentication, app configuration policies are automatically applied to the iOS/iPadOS device. Don’t send a separate app configuration policy to the Company Portal for those iOS/iPadOS devices or it will result in an error.

  • If you choose Setup assistant with Modern Authentication as the authentication method for a device that is not running the correct software version, users will fall back to the legacy Setup Assistant ADE flow.

  • For iOS/iPadOS, we recommend selecting to install the Company Portal app from a VPP token in the enrollment profile. When VPP is used, the application can be downloaded and installed without user interaction. When VPP isn't used, an Apple ID is required to install the application. If the user doesn't sign in to an Apple ID during Setup Assistant, they will be prompted to sign in when Intune attempts to install the Company Portal.


Let us know if you have any questions by commenting on this post or reaching out to @IntuneSuppTeam on Twitter.


Post updates:
8/20/21 - added post on using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices.

8/26/21 - we're excited to take the preview tag off and share that Setup Assistant with modern authentication for ADE (iOS/iPadOS 13+ and macOS 10.15+) is now generally available! 

Occasional Visitor

I am trying this out on an iPad, the modern auth is working in the setup assistant and the device gets a management profile applied in this process.


However, from the launcher using 'comp portal' shows the device as not enrolled and tries to download a new management profile from the workflow, the profile downloads and fails to install and the device doesn't end up compliant as a result.


Not sure if it is intentional to have the device try to get a new management profile after it already has one applied from the setup assistant.

Occasional Contributor

Hi all,
I also experienced the same issue, and this experience is similar to when you set up an enrollment profile without user affinity and then try to enroll a device linked to this profile.

I'll describe here the user experience to help everyone understand well.


// User experience

Language > Country/Region > Network > Device activation + Getting settings > Remote Management > Getting settings from "Company Name" > Passcode > ...

Note: Getting settings from "Company Name" means that the device gets ADE settings from Intune, so the first Management profile is downloaded and applied here.


After the Company Portal is installed and the user starts the device enrollment, another Management profile is also downloaded, and this one cannot be installed due to a conflict.


I hope all those scenarios will find solutions.

cc: @Intune Support Team 




Occasional Visitor

I have made some progress.


Under DEP Profile, tenant admin > customization, I changed this setting 'Device enrollment' to 'Available, no prompts' from 'Available, with Prompts'. Additionally, I removed my own account as an enrollment manager.


With these two steps, the additional profile download is no longer occurring. In "Comp Portal" under 'Devices' it says "Register this device" for my iPad, but it is otherwise compliant with policies, the iPad is shown in the endpoint manager, and I am able to use functions from there on the device.


Let us know if any of this is expected.



Hi @kpax-io and @Aldo ELIAS, thank you for your feedback! It's helpful for us while this feature is in public preview and we work through issues that are found. We will take this issue back to the team to investigate. At the point of signing into the Company Portal, the device is already enrolled and there should not be an additional management profile coming down. While we don't have a specific fix right now, please make sure you are not sending down any app config policies targeted at the iOS/iPadOS Company Portal app if enrolling your device with setup assistant with modern authentication for iOS/iPadOS. For iOS/iPadOS, the correct app config is already being applied automatically behind the scenes in the enrollment profile, so no app config is needed for the iOS/iPadOS Company Portal. Sending down an additional app config in this case may result in an error. We’ll keep this post updated as we learn more. Thanks!

New Contributor

@Intune Support Team Thank you for sharing the feature update. Definitely this is exciting and adds a lot of benefits.


Would like to share the observation that, once the device lands on the home screen and Company Portal is installed, the device checks in automatically, a device record is created on the MEM console, and the device is marked compliant without having to manually log in to Company Portal.

Note: the article described that CP login is required once the device lands on the home screen to access CA-protected apps.


When (date) will Setup Assistant with Modern Auth be generally available?
What is the risk in testing this feature on production devices? Anything specific we need to be careful of?

Occasional Contributor

Hi @gokulansubramani,

Only the context of your company can help you with this kind of decision.

I recommend testing using spare devices, and if you feel confident enough to try with production devices, you accept the risk of enhancements or changes after the product team changes something. You also have to consider your rollback capabilities and your business impact for each scenario.


@Intune Support Team  can also advise




Hi @gokulansubramani, thanks for the comment! Though we don't have any ETAs to currently share, stay tuned to this post for any future updates as well as our In development and What's new docs for new announcements regarding this feature.


Adding on to @Aldo ELIAS's comment, you may want to start with a pilot or test group before rolling this feature to your environment. After a successful pilot, you're ready to start a full production rollout. For more info on user/device targeting, see: add groups to organize users and devices to learn more. Hope this helps!

New Contributor

I started using the "Setup Assistant with modern authentication (preview)" and it seems to work well and the process works as expected.


I did run into an issue when trying to enroll a device using a DEM account following the same process, enrollment profile.


Once the Company Portal setup starts, I get a "There isn't a device setup for this account yet" error and it does not allow me to proceed, thus device does not register.


Anyone else having the same issue?

Occasional Contributor



When will MS support MFA during ADE?
Right now if we have MFA requirements during Intune enrollment with Setup assistant with Modern auth, users are stuck and can't move on IF they don't have a second device to configure MFA on?

Is there any plan on creating a cloud app "Company portal" where you can choose to set the MFA requirement during Company portal sign in instead of during setup assistant?


That will help us move forward with our ADE solution that requires MFA.

Hi @Joel Gonzalez, thanks for the feedback!

There are a few limitations of devices that are enrolled with a DEM account, and we would like to share that DEM accounts cannot be used when enrolling devices via Apple's Automated Device Enrollment (ADE). See: Enroll devices using a device enrollment manager account to learn more about current limitations.

If you continue to experience the same "There isn't a device setup for this account yet" error, let’s get you over to our support folks for further investigation. Please open a support request from within the Help + support blade, or any of the methods here. Once created, feel free to message us with your support case number so that we can have an eye on the case. Thanks!

Hi @Roiit, today you can require MFA during enrollment with Setup Assistant and during CP login, or just during enrollment with Setup Assistant, but not only during Company Portal login. We appreciate your feedback and have captured this and shared it with the appropriate folks.

If you’ve configured a Conditional Access policy to require multi-factor authentication (MFA), then the user will need a second device to complete MFA as the primary device cannot be used for anything else while it is being provisioned (e.g. reviewing a phone call or text).

Re: Cloud Apps – See section “Configuration in Microsoft Endpoint Manager admin center” in our post above for more information on using different cloud apps in your conditional access policies. No current plans to make the Company Portal a cloud app for MFA upon CP login only, but keep an eye out on our In development and What’s new docs for new features coming to Intune. Thanks!

New Contributor

@Intune Support Team I reported the issue because it only happens when using Setup with Modern Authentication, not via the normal method of Company Portal as authentication. I do have a ticket open - 25759813 - and we have not been able to determine what the issue is.

Occasional Contributor

Hi @Joel Gonzalez,


What do you think about setting up an MFA exception for the Intune enrollment service?
Maybe it can help you avoid this kind of issue?


cc @Intune Support Team 




New Contributor

@Aldo ELIAS my only issue seems to happen when using Setup with Modern Authentication and then trying to register the device with a DEM account. I get the error mentioned above, but if I use Company Portal (legacy) as the authentication method instead the same device will enroll fine with a DEM account. 

Occasional Contributor

@Joel Gonzalez is your DEM account with MFA enabled / enforced?

Did you try to check the device logs?


I don't have any idea, so I can try to reproduce your situation, but it's not possible before 1 week on my side.

New Contributor

@Aldo ELIAS no, DEM account does not have MFA enabled.


I reverted to the (Legacy) Setup and everything worked fine, but I would like to use the Setup with Modern Authentication eventually.


No one seems to know what the error means, which baffles me. I provided the diagnostic logs on my MS ticket to the tech working on it, but did not get it resolved.

Senior Member

@Intune Support Team According to MC284343 this is now GA. I tested this myself and experienced the same as the first 2 posters: an additional device management profile now tries to download. We don't really have a simple Intune environment and have heavily locked down DEP devices that have no Apple ID on them. I tested the following:
Changed the enrollment profile to:
Authentication Method: Setup Assistant w/ Modern Auth

Install company portal with VPP: Token specified.


Device was wiped from the Intune console. Upon going through the setup assistant everything went OK, and eventually some apps started to deploy to the device. Company Portal didn't install until 30 minutes later along with the rest of our deployed apps, based off an Azure function app which moves devices to device-based Azure groups to separate out device types. At this time I tried to open Outlook, which I believe stated the device needed to be registered, added to Authenticator, then proceeded to open CP. At this time it downloaded another device management profile, which can't be installed. I only have the CP deployed to a device-based group, but there is no app config policy for it. Same issue as the above posters.




I was having the same issue as Jason, Aldo and others with the Company Portal downloading a second management profile after ADE enrollment. I was able to resolve this issue by creating a new iOS enrollment profile and switching my default and devices over to the new profile. I reset a device that was having the problem, it enrolled, and when I signed into the Company Portal it only checked the device settings as shown in this article:

It seems like my old enrollment profile was not installing the Company Portal app via the enrollment profile, so it did not have the correct configuration profile.


Hope this helps others!

Senior Member


I'll take a look at that article. Is your enrollment profile set to deploy CP via VPP?

  • Install Company Portal with VPP: Select Use Token: {YourToken} 

When I modified my profile I left it to deploy with VPP, but the CP never installed via the enrollment profile. Instead it installed via pushing the app to the device group from Intune, which is also device licensed. We had to do this because the CP stopped updating at one time and we were told by MS that this needed to be done.
So I just need to know if the supported config is setting the CP to deploy with VPP in the enrollment profile, and does it actually install?


Also it seems like the answer is always to create a new profile.  Modifying an existing profile never seems to work which is an issue.  So we have thousands of devices in multiple profiles.  Moving them around, setting a new default, is not the way to do business.


Hi Jason,


I had my first profile set to deploy CP via VPP, but it was not working. I realized this after removing my required app deployment of CP via Apps. When I created the new enrollment profile with CP deployed via VPP, it started auto installing. I then added the app deployment back on, because like you said, this is needed to get app updates for CP. I reset and tried again and everything is still working. So it seems like something with the CP deployment via VPP in my original enrollment profile was corrupt.

Senior Member

@BMello Thanks. I created a new test enrollment profile and moved the test device to it. It seemed to work correctly this time: the CP did install, and I didn't get any duplicate management profiles trying to install.

I'm not sure if this enrollment method benefits us over 'Authenticate with the Company Portal' or not.


Jason, I believe Microsoft is planning to deprecate the Authenticate with Company Portal method in December of this year:

Move to Setup Assistant with Modern Authentication for Automated Device Enrollment

Last spring, we announced public preview of Setup Assistant with Modern Authentication for iOS/iPadOS 13+ and macOS 10.15+ for Automated Device Enrollment (ADE), and in August, we made this enrollment flow generally available. This authentication method for ADE allows your organization to require authentication with Azure Active Directory (Azure AD) in an out-of-box experience (OOBE) during enrollment with Setup Assistant, prior to users accessing the home screen. You have the option to also require multi-factor authentication (MFA) depending on the settings in your Conditional Access policy. On or shortly after December 10, 2021, we will be ending support for the older enrollment method that allows you to force run Company Portal in Single App Mode until authentication.

How this will affect your organization:

You likely have already moved to use Setup Assistant with modern authentication, however, if you have not, you’ll want to move to this new authentication prior to the December date. This does not affect existing enrolled devices. Within the Microsoft Endpoint Manager admin center, you’ll want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.” The setting Run Company Portal in Single App Mode until authentication (Devices > iOS/iPadOS > Enrollment Program Tokens > select/create Profile > Management Settings) will no longer be available after this change.


User experience: This new enrollment flow does change the enrollment screen order to put authentication prior to accessing the home screen. If you have user guides that share screen shots, you’ll want to update those so the guides match the new experience.

What you need to do to prepare:

Review the updated documentation and several best practices blogs prior to moving. If you do not adopt the new enrollment profile prior to December 10, new devices will be unable to enroll until you do one of the following:

  1. (Recommended) Select Setup assistant with modern authentication.
  2. Use ADE user affinity enrollment with the Company Portal without configuring the Run Company Portal in Single App Mode until authentication setting.

Note: While you can still use ADE user affinity enrollment with the Company Portal for the authentication method, we do not recommend this since the user will need to manually run the Company Portal and complete the enrollment and Azure AD registration steps.

Senior Member

@BMello Yes I received that today, but if you look closer at #2 it states the following:
2. Use ADE user affinity enrollment with the Company Portal without configuring the Run Company Portal in Single App Mode until authentication setting.

Currently we ARE using run company portal in single app mode until authentication.  Removing that option would get us past the 12/10/21 cut off.

This is one of the reasons I started to look at this.  So I don't know if I just want to remove the requirement to run in single app mode, or switch over entirely to SAwMA.  Thoughts?

Regular Visitor

Why the need to remove the enrollment option "Run Company Portal in Single App Mode until authentication"? Why not leave it in as an option?


We use it today and have done so for years, and it works. And it works for DEM-accounts.


The modern authentication option is really screwing things up for us because the modern authentication does not support DEM accounts, as stated by several people in this thread. You get a "There isn't a device setup for this account yet" error.

Many devices are not personal, hence we use DEM-accounts, but we still want to take advantage of the functionality that ADE brings. 


The only other option is to use authentication with CP, but then no settings are pushed to the device until you do that, nothing forces you to do it, and you have to complete that step within 24 hours or the enrollment can fail.

The best thing with Run Company Portal in Single App Mode until authentication is that the user is forced to complete the enrollment before they can use the device. The new modern authentication method also takes care of that on personal devices, since the device is fully enrolled during setup assistant and settings are pushed to the user/device directly after the setup assistant. But completion of the enrollment process in CP does not work for DEM accounts, and we enroll thousands of devices with those accounts...



Senior Member

Martin - I agree that using Authentication using Company Portal along with "company portal in single app mode until authentication" is the best option for our use case. We hand out lots of devices to our field workers and want the process to be as seamless as possible. We also have scripts that will move devices around to different device restrictions. Forcing the ownership on the user to complete additional steps isn't something we want to do. I have a feeling this is going to generate more help desk calls.

Occasional Visitor

Like others have said, the ADE w/ Modern Auth needs Single-App Mode support of some kind. We dropship iPads to users and have them go through the enrollment process in single-app mode, it works fine. Giving the iPads to users that use ADE w/ Modern Auth requires additional steps of having them wait for CP to download and then run enrollment manually. Until they do so, the iPad is essentially open for use and not registered in MEM/Intune.


Going to hold off implementing this until it's addressed in some fashion.

Senior Member

@Intune Support Team Why is "Run Company Portal in Single App Mode until authentication" being dropped?  People are using this in their organizations.

Occasional Visitor

@Jason Salgado  I think the second paragraph here has the answer to your question:


"However, what we discovered working with Apple on this incident is that Apple removed the functionality in 14.6 that we used for the Company Portal authentication method - Running the Company Portal in Single App Mode until authentication for ADE enrollment path. This break in flow for Single App Mode is described in the incident post and has led to an expedited move."


Seems like an Apple thing..

Senior Member

@Chris_P2045 Thanks.  I didn't read that article entirely and assumed it was going to be a permanent fix.  From the sound of it, Apple decided to put the feature back until the end of the year and then they will remove it again.

Frequent Visitor

Hey team (or anyone really),


What I am missing in this new enrollment process is a way to filter for devices when they are in the "in-between" state (user affinity established but not fully AAD registered). I am trying to figure out a way to use this new process to do a 'staged' rollout.


What I am trying to achieve is the following:

- Go through Set up Assistant with Modern Authentication until you reach the Home Screen [user affinity established]

- Push only Device targeted policies and only device targeted apps (i.e. Company Portal/Authenticator) [do not push user targeted policies/apps]

- Go through Company Portal user registration [AAD Registration completed]

- Only after this is finished, start pushing user targeted policies/apps


Is there a way to retrieve device status for the devices when the user affinity is established, but full AAD Registration is not yet completed?

New Contributor

@GlennKocak one thing I will say is to watch out and complete the setup process (including registration) within 24 hours of the Company Portal downloading, otherwise you will have to wipe the device and start the process from scratch. I learned it the hard way and then read it under the Microsoft Docs. You may already know this, but it is worth mentioning if not.

Occasional Visitor

Greetings, we have been troubleshooting a case where we are not seeing authentication through our IDP; the server error message is 401 - unauthorized: Access is denied due to invalid credentials. This is on our internal network. The authentication works as designed when not on our internal network; however, the end user will get prompted for MFA from our IDP.


We also see another error: "BYCloudConfigRetreiveProfilerFromWebErrorDomain error -1"


Is there an authentication flow diagram or more technical documentation that can be provided?


Version history: last updated Sep 02 2021 08:34 AM