0 Votes
BobWright-3571 asked

Trying to find a way to auto-enroll clients on one domain into a different domain that has a tenant.

Hi all, I just want to see if this is possible.

We acquired a company. Non-trusted domain. Would like to set up an auto-enrollment on their machines to enroll in Intune for our existing domain tenant. There will be no trusts set up between these 2 domains at all per security. The only thing we do share in common is the back-office credentials for Office, OneDrive, SharePoint, etc.

Will I be chasing a ghost here? I have looked around and I still cannot tell if this is a doable situation. I was able to get a test machine enrolled, but I needed admin rights and that isn't going to fly with end users. Without a trust I don't think we can use an enrollment account.


Any advice is welcome. Thank you.

mem-intune-enrollment

1 Answer

1 Vote
Jason-MSFT answered

On-prem domain and forest trust is irrelevant as this is all about the user and device's cloud identity. Technically, here, the device's cloud identity is irrelevant if all you care about is the users logging into M365 Apps online.

Thus, to clarify, what do you really want to do here? Enroll refers to MDM management of the devices; i.e., you enroll a device into Intune for management. While a good thing to do for management purposes, this has nothing to do with identity and the use of M365 app services. Thus, is this part of your goal or not?

If all you want to do is enable SSO for M365 app access, then you can certainly sync the users from the new domain to the single AAD tenant using AAD connect. You can also then either domain join or hybrid Azure AD domain join the systems to the same AAD tenant.


Yes, let me explain in more detail.

Since the pandemic people are working from home. Problem is they never get on the VPN so I can manage them with updated software, patches, etc.

This is more of a way to ensure that they get every update just as long as they are on internet. Management of laptops is the only factor I care about.

I just don't see a way to do this automatically like you can with Hybrid Joined or some AD Connect function.

If there is a way, maybe I just need to be pointed in the right direction. I thought maybe there could be a way to modify a GPO or similar to trick Endpoint. Not sure.

Thanks for your help, Jason.

0 Votes

First, keep in mind that hybrid joining a device is not management. It's simply getting it a cloud identity while being on-prem AD domain joined.

For management, that would be enrolling in Intune.

As noted, you can absolutely connect both domains to a single AAD tenant using AAD Connect. From there, you can enable user syncing and thus hybrid user identities. Same for devices. You can then enroll (manually or using auto-enrollment) the devices into the same Intune tenant associated to the AAD tenant.

0 Votes
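The three states Jason keeps apart above (hybrid Azure AD join, the auto-enrollment policy, and actual Intune enrollment) can be audited on a device with the following PowerShell, an added example that is not code from this thread or from Microsoft. It assumes Windows 10/11 with dsregcmd.exe available and an elevated session; the registry locations are the ones the MDM auto-enrollment GPO and the Intune enrollment client write to.

```powershell
# Added example, not from the thread: audit a Windows device's cloud-join and
# MDM enrollment state so the two can be told apart. Assumes Windows 10/11 with
# dsregcmd.exe present and an elevated PowerShell session.
function Get-CloudJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the fields we need.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|MdmUrl|AzureAdPrt)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        # Hybrid Azure AD join = on-prem domain joined AND registered in the AAD tenant.
        HybridJoined  = ($state['DomainJoined'] -eq 'YES') -and ($state['AzureAdJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']
        HasPrt        = $state['AzureAdPrt'] -eq 'YES'   # PRT is needed for user-credential auto-enroll
    }
}
function Get-MdmAutoEnrollPolicy {
    # Values written by the GPO "Enable automatic MDM enrollment using default
    # Azure AD credentials". UseAADCredentialType: 1 = user credential, 2 = device credential.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent        = ($null -ne $p)
        AutoEnrollMDM        = [int]$p.AutoEnrollMDM
        UseAADCredentialType = [int]$p.UseAADCredentialType
    }
}
function Test-IntuneEnrolled {
    # Enrollment is a separate state from join: Intune writes an enrollment entry
    # with ProviderID "MS DM Server" under HKLM:\SOFTWARE\Microsoft\Enrollments.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $hits = Get-ChildItem -Path $root -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server'
    }
    return ($null -ne $hits)
}
$join   = Get-CloudJoinState
$policy = Get-MdmAutoEnrollPolicy
$join | Format-List
$policy | Format-List
"IntuneEnrolled : $(Test-IntuneEnrolled)"
if ($join.HybridJoined -and $policy.AutoEnrollMDM -eq 1 -and -not (Test-IntuneEnrolled)) {
    "Hybrid joined with auto-enroll policy set but not yet enrolled: check AzureAdPrt and the scheduled enrollment task."
}
```

A device that is domain joined but not Azure AD joined will show HybridJoined as False; that is the state the thread's non-trusted domain machines are in until their identities are synced to the tenant.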

Yes, but the catch is Security will not allow AAD Connect from another domain. So now I am trying to figure out if it's even possible without having that connection. I wish it was easy like cellphones.

0 Votes

"but the catch is Security will not allow AAD-Connect from another Domain"

Why? That's not a security boundary.

Also, how do users in the additional domain access the M365 online apps? Are they using a second set of credentials?

0 Votes

Yes, they have 2 sets of creds: one to log into their domain and laptops, and one they log into their O365 accounts with, which is on the domain we want to eventually move them to. However, in the meantime I was hoping I could manage these endpoints via automatic enrollments.

0 Votes