Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication. To set up this protection, you can implement Hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.

Before you get started, make sure you complete these steps:

  • Synchronize users to Azure AD with Azure AD Connect.
  • Complete Azure AD Connect Organizational Unit (OU) sync.
  • Make sure all the domain users you sync have licenses to Microsoft 365 Business Premium.

See Synchronize domain users to Microsoft for the steps.

1. Verify MDM Authority in Intune

Go to Endpoint Manager and on the Microsoft Intune page, select Device enrollment, then on the Overview page, make sure MDM authority is Intune.

  • If MDM authority is None, click the MDM authority to set it to Intune.
  • If MDM authority is Microsoft Office 365, go to Devices > Enroll devices and use the Add MDM authority dialog on the right to add Intune MDM authority (the Add MDM Authority dialog is only available if the MDM Authority is set to Microsoft Office 365).

2. Verify Azure AD is enabled for joining computers

  • Go to the admin center at https://admin.microsoft.com and select Azure Active Directory (select Show all if Azure Active Directory is not visible) in the Admin centers list.
  • In the Azure Active Directory admin center, go to Azure Active Directory , choose Devices and then Device settings.
  • Verify Users may join devices to Azure AD is enabled.
    1. To enable all users, set to All.
    2. To enable specific users, set to Selected to enable a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

3. Verify Azure AD is enabled for MDM

  • Go to the admin center at https://admin.microsoft.com and select Endpoint Management (select Show all if Endpoint Manager is not visible).

  • In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Windows Enrollment > Automatic Enrollment.

  • Verify MDM user scope is enabled.

    1. To enroll all computers, set to All to automatically enroll all user computers that are joined to Azure AD and new computers when the users add a work account to Windows.
    2. Set to Some to enroll the computers of a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

4. Create the required resources

Performing the required tasks to configure hybrid Azure AD join has been simplified through the use of the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet found in the SecMgmt PowerShell module. When you invoke this cmdlet it will create and configure the required service connection point and group policy.

You can install this module by invoking the following from an instance of PowerShell:

Install-Module SecMgmt

Important

It is recommended that you install this module on the Windows Server running Azure AD Connect.

To create the required service connection point and group policy, you will invoke the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:

PS C:\> Connect-SecMgmtAccount
PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'

The first command will establish a connection with the Microsoft cloud, and when you are prompted, specify your Microsoft 365 Business Premium global admin credentials.

  1. In the Group Policy Management Console (GPMC), right-click on the location where you want to link the policy and select Link an existing GPO... from the context menu.
  2. Select the policy created in the above step, then click OK.
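Once the cmdlet has run and the GPO is linked, the following PowerShell checks that the resources the steps above depend on are actually in place. This is an added verification example, not part of the article or the SecMgmt module; it assumes the RSAT ActiveDirectory and GroupPolicy modules are present on the domain controller and that the GPO was created with the name 'Device Management' as in the command above.

```powershell
# Added example: verify the hybrid Azure AD join resources from the domain controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The service connection point (SCP) that domain-joined Windows 10 clients read to
#    discover the tenant. The container CN is the fixed, well-known Azure AD device
#    registration GUID; the SCP's keywords hold the tenant name and tenant ID.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
try {
    $scp = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
} catch {
    Write-Warning "SCP not found at $scpDN - run Initialize-SecMgmtHybirdDeviceEnrollment first."
    return
}
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
Write-Host "SCP present. Tenant: $tenantName ($tenantId)"

# 2. The GPO created by the cmdlet (assumption: same display name as in the article) and its links.
$gpoName = 'Device Management'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { Write-Warning "GPO '$gpoName' not found."; return }
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$links = $report.GPO.LinksTo
if (-not $links) {
    Write-Warning "GPO '$gpoName' exists but is not linked to any domain or OU (see step 1 above)."
} else {
    $links | ForEach-Object { Write-Host "Linked to: $($_.SOMPath) (enabled: $($_.Enabled))" }
}

# 3. The registry values written by 'Enable automatic MDM enrollment using default Azure AD
#    credentials': AutoEnrollMDM = 1 and UseAADCredentialType = 1 (user credential).
$polKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$auto = Get-GPRegistryValue -Guid $gpo.Id -Key $polKey -ValueName AutoEnrollMDM -ErrorAction SilentlyContinue
$cred = Get-GPRegistryValue -Guid $gpo.Id -Key $polKey -ValueName UseAADCredentialType -ErrorAction SilentlyContinue
if ($auto.Value -eq 1 -and $cred.Value -eq 1) {
    Write-Host 'Auto-enrollment policy is configured (default Azure AD user credential).'
} else {
    Write-Warning 'Auto-enrollment values are missing; check that the Windows 10 1803+ ADMX templates are installed.'
}
```

On a client in the linked OU, `dsregcmd /status` should then report both DomainJoined and AzureAdJoined as YES after the next policy refresh and sign-in.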

Get the latest Administrative Templates

If you do not see the policy Enable automatic MDM enrollment using default Azure AD credentials, it may be because you don’t have the ADMX installed for Windows 10, version 1803, version 1809, or version 1903. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):

  1. Download: Administrative Templates (.admx) for Windows 10 May 2019 Update (1903).
  2. Install the package on the Primary Domain Controller (PDC).
  3. Navigate, depending on the version, to the folder: C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3.
  4. Rename the Policy Definitions folder in the above path to PolicyDefinitions.
  5. Copy PolicyDefinitions folder to C:\Windows\SYSVOL\domain\Policies.
    • If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.
  6. Restart the Primary Domain Controller for the policy to be available. This procedure will work for any future version as well.
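Steps 3 to 5 can be scripted and checked rather than done by hand. The following is an added example, not part of the article; it uses the 1903 template path and the SYSVOL policies path named above, and assumes the en-US language folder ships with the package.

```powershell
# Added example: copy the 1903 Administrative Templates into SYSVOL and confirm MDM.admx is there.
$base    = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3'
$spaced  = Join-Path $base 'Policy Definitions'   # name as shipped by the installer (step 4 renames it)
$source  = Join-Path $base 'PolicyDefinitions'
$central = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'   # path from step 5

if (-not (Test-Path $source)) {
    if (Test-Path $spaced) { Rename-Item -Path $spaced -NewName 'PolicyDefinitions' }
    else { throw "ADMX package not installed; expected $spaced or $source" }
}

# Copy the .admx files plus the language folders (e.g. en-US, holding the .adml files).
New-Item -ItemType Directory -Path $central -Force | Out-Null
Copy-Item -Path (Join-Path $source '*') -Destination $central -Recurse -Force

# Sanity check: the policy is defined in MDM.admx and its display name lives in en-US\MDM.adml.
$admx = Join-Path $central 'MDM.admx'
$adml = Join-Path $central 'en-US\MDM.adml'
if (-not (Test-Path $admx)) { throw 'MDM.admx was not copied to the central store' }
$present = Select-String -Path $adml -Pattern 'Enable automatic MDM enrollment using default Azure AD credentials' -Quiet
Write-Host ("MDM.admx in place; auto-enrollment policy string found in MDM.adml: {0}" -f [bool]$present)
```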

At this point you should be able to see the policy Enable automatic MDM enrollment using default Azure AD credentials available.