Hello, I have a question where the scenario is as following. -Third party tool is used Identity provider (and to provision ad users in 365 cloud ) -Devices are HAADJ joined(using GPO/Ad connect in testing phase). -Devices are enrolled to Intune using SCCM cloud attach, And MDM auto enrollment with device credentials. -Primary user showing in Intune is not assigned but can later be manually assigned in cloud. -To be clear, AD connect is not used to provision users in cloud due to the third party provisioning tool. -UPN mismatch between AD and Entra is causing us to avoid using user credentials for MDM auto enrollment as onprem domain user is not recognized in the cloud. Question: -What method can be used if any to show primary users assigned to the device in Intune (could there be some sort of mapping between cloud and onprem in the current setup? -Any other suggestions to have the devices enrolled to Intune (Obviously without removing third party identity/Provisioning service)?

@Ahmed Sh,Thanks for posting in Q&A. I have done some research about this issue, here are some suggestions you can refer. 1.Hybrid AADJ device will only be assigned a primary user when the user logs into the device for the first time. https://learn.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user#who-is-assigned-as-the-primary-user 2.Based on my searches, you can try the method mentioned in the following link to enroll your device into Intune, but it will remove 3rd party identity/configuration services. https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients 3.If you want to enroll the device into Intune, it is recommended that you use User credential in Group Policy, but this method will not work with the SCCM cloud attach https://petri.com/how-to-automatically-hybrid-azure-ad-join-and-intune-enroll-pcs/ Non-official, just for reference. Hope above information can be helpful. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fanswers%2Fsupport%2Fpreferences&data=05%7C01%7Cv-zhoduan%40microsoft.com%7C60250971f6c4415aa6bf08dbc93981aa%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638325021052982520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Hc2StS%2BjO3kC4BEQcSxl63PrSHCGCMZy7uNcFr9%2BBHw%3D&reserved=0" rel="ugc nofollow">our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

How to get HAADJ devices enrolled with device credentials to show primary user in Intune?

Accepted answer

ZhoumingDuan-MSFT 9,390 Reputation points Microsoft Vendor

2024-05-20T06:35:29.8833333+00:00

@Ahmed Sh,Thanks for posting in Q&A.

I have done some research about this issue, here are some suggestions you can refer.

1.Hybrid AADJ device will only be assigned a primary user when the user logs into the device for the first time.

https://learn.microsoft.com/en-us/mem/intune/remote-actions/find-primary-user#who-is-assigned-as-the-primary-user

2.Based on my searches, you can try the method mentioned in the following link to enroll your device into Intune, but it will remove 3rd party identity/configuration services.

https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients

3.If you want to enroll the device into Intune, it is recommended that you use User credential in Group Policy, but this method will not work with the SCCM cloud attach

https://petri.com/how-to-automatically-hybrid-azure-ad-join-and-intune-enroll-pcs/

Non-official, just for reference.

Hope above information can be helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
ZhoumingDuan-MSFT 9,390 Reputation points Microsoft Vendor

2024-05-22T05:12:03.01+00:00

@Ahmed Sh, Hope things going well.

May I know the above information is helpful? If there is any update, feel free to let us know.

Ahmed Sh 60 Reputation points

2024-05-22T05:52:47.4733333+00:00

Hello @ZhoumingDuan-MSFT , Thanks for your reply, I have indeed implemented cloud attach and it reflects primary users now in Intune when users are logged in.

However getting the 401 configuration missing error described here: https://www.iamsysadmin.eu/mobile-device-managment/intune/fix-configuration-missing-error-401-in-endpoint-manager-admin-center/

-Not sure what the impact is if I enable discovery as mentioned in the article.

ZhoumingDuan-MSFT 9,390 Reputation points Microsoft Vendor

2024-05-22T07:27:32.9866667+00:00

@Ahmed Sh, Thanks for your reply.

Here are some advantages and disadvantages enabling discovery.

https://www.reddit.com/r/SCCM/comments/alnu0q/azure_ad_user_discovery_what_are_the_benefits/

ZhoumingDuan-MSFT 9,390 Reputation points Microsoft Vendor

2024-05-24T06:39:11.71+00:00

@Ahmed Sh, Hope you have a good day.

If the answer is helpful, please click "Accept Answer" and kindly upvote it to help others with the same problem as soon as possible.
Sign in to comment

Share via

How to get HAADJ devices enrolled with device credentials to show primary user in Intune?

2 additional answers