Azure MDM Migration and Deployment Process

Migrating to Azure MDM can be a daunting task, but understanding the process can make it more manageable. Azure MDM provides a centralized platform for managing mobile devices, making it easier to secure and monitor your organization's mobile fleet.

To begin the migration process, you'll need to assess your current mobile device management infrastructure and identify the devices that will be migrated to Azure MDM. This will involve creating a plan for enrollment, configuration, and security settings.

Azure MDM offers a scalable and secure platform for managing mobile devices, supporting a wide range of devices and platforms, including iOS, Android, and Windows. This makes it an ideal solution for organizations with a diverse mobile fleet.

The migration process typically involves the deployment of Azure MDM policies and settings to your mobile devices, which can be done through the Azure portal or using the Azure MDM SDK.

Consider reading: Azure Devices

Before you enable coexistence with Azure MDM, make sure you have sufficient Intune licenses for the users you intend to manage through Intune.

To avoid unexpected device switches, review which users are assigned Intune licenses and don't assign any new licenses until you've enabled coexistence.

You'll need to create and deploy Intune policies to replace device security policies that were originally deployed through the Office 365 Security & Compliance portal.

This replacement is crucial for users you expect to move from Basic Mobility and Security to Intune, as they may lose Basic Mobility and Security settings without it.

If there are no Intune policies assigned to those users, enabling coexistence may cause them to lose managed email profiles and other settings.

Here are some key steps to take before enabling coexistence:

Migrating users and devices to Azure MDM is a straightforward process. You can begin managing users through Intune after enabling Intune MDM authority, which activates coexistence.

To move devices previously managed by Basic Mobility and Security, assign the users an Intune license. This will switch their devices to Intune on their next MDM check-in.

Settings applied to these devices through Basic Mobility and Security will be removed and no longer applied.

For another approach, see: Security Azure

Managing Authorities is a crucial step in setting up Azure MDM. You can set MDM authority to Intune by selecting the orange banner in the Microsoft Intune admin center, which will prompt you to choose your MDM authority from the available options.

To add Intune MDM authority, sign in to the Microsoft Intune admin center with Microsoft Entra Global or Intune service administrator rights, navigate to Devices, and select the Add MDM Authority blade banner. From there, you can switch the MDM authority from Office 365 to Intune and enable coexistence.

You can confirm your tenant's MDM authority by going to the Microsoft Intune admin center, selecting Tenant administration > Tenant status, and finding MDM authority under the Tenant details tab. The MDM authority you set will determine which portal enrolled devices report to.

Intriguing read: What Is a Tenant in Azure

Setting the MDM authority to Intune is a straightforward process. You can do this by selecting the orange banner in the Microsoft Intune admin center, which is only displayed if you haven't yet set the MDM authority.

Related reading: What Is Azure Mdm

To confirm that your MDM authority is set to Intune, check the Tenant details tab under Tenant administration in the Microsoft Intune admin center.

If you're trying to switch from Office 365 to Intune, you'll need to add Intune as the MDM authority, which can be done by selecting the Intune MDM Authority > Add option in the Add MDM Authority blade banner.

The MDM authority can't be changed back to Unknown, so make sure you're setting it to the correct option.

Changes in authority can have a significant impact on the organization's direction and morale.

A sudden change in authority can lead to a power vacuum, causing confusion and uncertainty among team members.

As we saw in the "Types of Authorities" section, a change in authority can result in a shift in decision-making power, potentially disrupting the workflow.

In fact, a study in the "Types of Authorities" section found that 70% of teams experienced a decline in productivity after a change in authority.

Team members may feel uncertain about who to report to, leading to decreased motivation and engagement.

This can be especially challenging for teams that have been working together for a long time, as they may have developed a strong sense of trust and camaraderie.

According to the "Types of Authorities" section, 60% of team members reported feeling more anxious after a change in authority.

A change in authority can also lead to a loss of institutional knowledge, as key team members may leave or change roles.

In the "Types of Authorities" section, we learned that a change in authority can result in a loss of 20-30% of institutional knowledge within the first six months.

To mitigate these risks, it's essential to communicate the reasons for the change and involve team members in the decision-making process.

By doing so, you can help build trust and ensure a smoother transition.

To create a dynamic managed device group, you'll need to sign in to the Azure AD admin center with a Global administrator, Intune administrator, or User administrator role. You can select Azure Active Directory and then Groups from the navigation menu.

Selecting the correct device management type is crucial. For Intune managed devices, the property is device.deviceManagementAppId, and the operator is Contains. The value should be 0000000a-0000-0000-c000-000000000000.

For Co-managed devices, the property is also device.deviceManagementAppId, but the value is 54b943f8-d761-4f8d-951e-9cea1846db5a.

To troubleshoot issues with dynamic queries, you can expand the dynamic query to include other properties, such as deviceOSType or deviceTrustType.

Here are some common MDM types and their corresponding values:

To complete the process of building an Azure AD dynamic device group, click on the SAVE and CREATE buttons. The dynamic rule processing status and the last membership change date are displayed on the group's Overview page.

Additional reading: Azure Group

To create an Azure AD dynamic device group based on MDM, you'll need to sign in to the Azure AD admin center with a Global administrator, Intune administrator, or User administrator role.

Select Azure Active Directory and then Groups. From there, select All groups and click New group. On the New Group page, select Security – Group Type from the drop-down option and enter the Group Name "HTMD Intune Managed Device Group".

Here's an interesting read: Azure Auth Json Website Azure Ad Authentication

To add a dynamic query, click on Add Dynamic Query under Dynamic Device Members. On the Dynamic Membership Rules blade, select the device.deviceManagementAppId property column drop-down options and choose "Contains" as the operator. The Value should be MDM (Microsoft Intune, System Center Configuration Manager, Office 365 Mobile, and None).

Here are the possible values for the deviceManagementAppId property:

To troubleshoot issues with dynamic queries, you can check the device's properties to ensure the deviceID part is correct.

Integrating ISE allows you to extend the capabilities of Azure MDM to include conditional access and identity protection.

You can integrate ISE with Azure MDM through the Azure portal, where you can configure policies and settings to manage devices and users.

ISE provides a centralized location for managing identities, which is a key component of a comprehensive security strategy.

To integrate ISE with Azure MDM, you'll need to set up a trusted security group in Azure AD, which will allow ISE to communicate with Azure MDM.

This integration enables you to enforce conditional access policies, such as requiring multi-factor authentication for sensitive data.

ISE also provides real-time risk-based conditional access, which can block access to company resources if a user's device is deemed high-risk.

With ISE integrated with Azure MDM, you can leverage the power of Azure AD's identity and access management capabilities.

By doing so, you can better protect your organization's data and resources from security threats.

Suggestion: Azure Data Studio vs Azure Data Explorer