Microsoft Intune Co-existence with MDM for Office 365
In mid-November 2015, we released a service update to Microsoft Intune. It was a massive update for us, and included a huge amount of new features. You can view the announcement post here.
One of the features announced has gone a little under the radar, and that’s co-existence with MDM for Office 365
You can now activate and use both MDM for Office 365 and Intune concurrently on your tenant and set the management authority to either Intune or MDM for Office 365 for each user to dictate which service will be used to manage their mobile devices. User’s management authority is defined based on the license assigned to the user. If the user is assigned with the EMS or Intune license, Intune will manage user’s devices and apps. If the user is assigned with the Office 365 license (without the EMS or Intune license), then MDM for Office 365 will manage user’s devices. Stay tuned for a detailed blog post on this topic in the coming weeks.
This is great news for customers who currently use the built-in MDM for Office 365. For those unfamiliar, MDM for Office 365 is a limited set of MDM features and controls that comes as part of your Office 365 subscription. It’s a really great feature for a lot of customers who are new to Office 365, and want to ensure their data and devices are secure without a whole lot of effort.
While MDM for Office 365 is great, it’s certainly no Intune!
We find that many customers are interested in Intune, however a lot want to start quickly and initially choose MDM for Office 365. Traditionally, this MDM Authority decision, once made, could not be easily changed. Further, once it was set/changed, every user across the organization had to use the single MDM Authority – be it Microsoft Intune or MDM for Office 365.
With the Intune Co-existence with MDM for Office 365 feature, we can now assign a set of users to use MDM for Office 365, and another set of users to be Intune enabled.
How do we enable Co-existence?
There’s actually not much we need to do. Users who are assigned EMS or Intune licenses are automatically managed by Intune, and users who are assigned an Office 365 license (and no Intune license) will use the MDM for Office 365 authority.
To enable MDM for Office 365, browse to the http://portal.office.com portal, select the MOBILE MANAGEMENT tab and select ENABLE MDM. Office 365 will then do the MDM Authority provisioning. Once complete, the MOBILE MANAGEMENT tab will allow you to manage MDM policies and devices. For a complete setup guide, visit https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd
From the Intune side, when you attempt to set the MDM Authority (to either ConfigMgr or Intune Standalone) there is some new text. Previously, you couldn’t “Add” Intune as the MDM Authority, you had to “Set” Intune as the MDM Authority. Meaning it was one or the other. Now, we see that the MDM Authority is set to Office 365, however we have the option to Add Intune as a subsequent MDM Authority.
Here I’ve got two users, both have an Office 365 E3 license. The Matt.IntuneMDM account also has an Intune A Direct license assigned.
From the Matt.MDMOffice365 account, I should get blocked to my Office 365 email unless I’ve enrolled into the MDM for Office 365 service. I’ve downloaded the Outlook app and entered my credentials. Office 365 can see that my device is not enrolled, so it’s prompting for MDM for Office 365 enrollment. Once enrolled, I’ll receive all of the security policies set – such as password/encryption/etc requirements.
From the MOBILE MANAGEMENT tab in the Office 365 Portal, I can see my device has been enrolled
Now, I’ll perform the same process using my Matt.IntuneMDM account, which has an Intune Direct A license applied. Because this license is applied, the devices this user attempts to use will be managed by the Intune MDM authority, not the MDM for Office 365 authority.
And as I’ve not set anything up in Intune (no Conditional Access for Office 365), my email access will be granted without enrolling.
And that’s about it. I’ve got two separate Office 365 users – one with an Intune license and one without, both being secured by MDM.
Matt Shadbolt | Program Manager | Enterprise Client & Mobility (Intune)