testuser7-8288 asked

device registration MFA

The Azure AD document says that when you are joining any device or registering any personal device with Azure AD, and you want the user to undergo multi-factor authentication, you should use a CONDITIONAL ACCESS POLICY.

You should not go to the Device --> Settings blade and turn on MFA.

So the CA policy is the route to turn on MFA; what is the CLOUD RESOURCE to configure the CA policy for device registration?


Thanks.

Tags: mem-intune-general, azure-ad-conditional-access, mem-autopilot

testuser7-8288 answered

Oh my bad... it is an "ACTION" and not a cloud resource in the CA policy.
I got it.

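As an added example (not code from this thread or from Microsoft), the policy body below targets the "Register or join devices" user action, which Microsoft Graph exposes as `includeUserActions` with `urn:user:registerdevice`, and a small audit over a constructed policy export shows why an MFA policy scoped to cloud apps does not cover device registration:

```python
"""Audit Conditional Access for MFA on the 'Register or join devices' user action.
Added example, not code from the thread or from Microsoft; the JSON shape follows the
Microsoft Graph conditionalAccessPolicy resource and the sample policy is constructed."""

REGISTER_DEVICE_ACTION = "urn:user:registerdevice"  # Graph identifier of the user action


def build_registration_mfa_policy(name="Require MFA to register or join devices"):
    """Body for POST /identity/conditionalAccess/policies: the target is the user action,
    not a cloud app, and the grant control is MFA."""
    return {
        "displayName": name, "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeUserActions": [REGISTER_DEVICE_ACTION]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_requires_registration_mfa(policy):
    """True if an enabled policy applies the MFA grant to all users for the register action."""
    if policy.get("state") != "enabled":  # report-only or disabled policies enforce nothing
        return False
    cond = policy.get("conditions") or {}
    actions = (cond.get("applications") or {}).get("includeUserActions") or []
    users = (cond.get("users") or {}).get("includeUsers") or []
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return REGISTER_DEVICE_ACTION in actions and "All" in users and "mfa" in controls


def audit_registration_mfa(policies):
    """Return findings; an empty list means every user hits MFA when registering a device."""
    covering = [p for p in policies if policy_requires_registration_mfa(p)]
    if not covering:
        return ["no enabled CA policy requires MFA for " + REGISTER_DEVICE_ACTION]
    findings = []
    for p in covering:  # exclusions suit break-glass accounts, but each one needs review
        users = p["conditions"]["users"]
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            findings.append(f"{p['displayName']}: {len(excluded)} excluded user(s)/group(s)")
    return findings


# Constructed sample export: an enabled MFA policy on cloud apps does not cover the register action.
SAMPLE_POLICIES = [{
    "displayName": "MFA for all cloud apps", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]
```

Feed `audit_registration_mfa` the `value` array from `GET /identity/conditionalAccess/policies` to check a real tenant; any report-only policy is deliberately treated as not enforcing.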

@testuser7-8288
Thank you for your post and quick update!

I'm glad that you were able to resolve your issue and post the answer here, so others in the community facing the same issue can easily find this.


Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Hi @JamesTran-MSFT

I have one important point to check with you, though.
Is there a way to bulk register devices into Azure AD?
For example, if I have 1000 Windows 10 laptops to join to Azure AD, what is the best way? Do I have to use the individual UPN/password and register each one with the tenant,

OR

is there something like Intune enrollment, wherein we have a "Device Enrollment Manager" type of account to join all the devices?


Thanks.


Actually if I may, I would like to clarify my question.

I am not sure what the main technical difference is between Device Enrollment Manager (DEM) vs. Provisioning package.

Is it correct that in the case of DEM the owner and enrolled-by will be the DEM account?
And in the case of a provisioning package, the owner and enrolled-by will be the person who signed in while creating the package.

If I have 500 Win10 laptops, which one would be better?
Do I have to go through the same number of screens in both methods, or does either method do anything automatically?
I guess in the provisioning package method there should not be any screen where the admin has to enter any value.
But in the case of DEM, I believe there is NO difference whether the end user is doing the work or an admin with the DEM account is doing the work.


Thanks.

JamesTran-MSFT answered

@testuser7-8288
Thank you for the quick response!

When it comes to bulk registering your devices in Azure AD, you should be able to follow our "Bulk enrollment for Windows devices" documentation. Additionally, when it comes to DEM vs. Provisioning package, I'd recommend posting these questions to our Intune or Autopilot forums so their experts can look into these questions as well.


Based off our documentation, it looks like DEM can enroll up to 1,000 mobile devices with a single Azure Active Directory account, while a Provisioning package is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.


Thank you again for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

LuDaiMSFT-0289 answered

@testuser7-8288 DEM is different from a Provisioning package.

DEM is useful for scenarios where devices are enrolled and prepared before handing them out to the users of the devices. However, it has a lot of limitations. We can read the following article as a reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#limitations-of-devices-that-are-enrolled-with-a-dem-account

A Provisioning package does not require any administrator role in your Azure AD tenant; the bulk-enrolled devices' join type will be Azure AD joined and the owner is like package_xxxxxx. In the Intune portal, the Primary user is None for this device.
In Azure AD: [screenshot]

In Intune: [screenshot]

The following article describes the different enrollment methods:
https://www.petervanderwoude.nl/post/windows-10-enrollment-methods/

Could you please explain what "I guess in provisioning package method, there should not be any screen where admin has to put any value." means? And in what kind of scenario do you want to use the enrollment method?


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related e-mail notification for this thread.



testuser7-8288 answered

Thanks @LuDaiMSFT-0289


When I am using the provisioning package, I do not think I have to enter my username and password.
The username and password used during creation to get the bulk token for the provisioning package will be applied and take effect automatically.

But in the case of DEM, every time on every machine I have to enter the DEM account and password.

And also in the case of the provisioning package, there will be NO local admin created on the device during package installation.

That's why I said I guess in the provisioning package method there should not be any screen where the admin has to enter any value.

Am I correct?

Thanks.


@testuser7-8288 From the point of view of whether you have to enter your username and password, I agree with you.