Azure MDM Migration and Deployment Process


Migrating to Azure MDM can be a daunting task, but understanding the process can make it more manageable. Azure MDM provides a centralized platform for managing mobile devices, making it easier to secure and monitor your organization's mobile fleet.

To begin the migration process, you'll need to assess your current mobile device management infrastructure and identify the devices that will be migrated to Azure MDM. This will involve creating a plan for enrollment, configuration, and security settings.

Azure MDM offers a scalable and secure platform for managing mobile devices, supporting a wide range of devices and platforms, including iOS, Android, and Windows. This makes it an ideal solution for organizations with a diverse mobile fleet.

The migration process typically involves the deployment of Azure MDM policies and settings to your mobile devices, which can be done through the Azure portal or using the Azure MDM SDK.


Preparation

Before you enable coexistence with Azure MDM, make sure you have sufficient Intune licenses for the users you intend to manage through Intune.


To avoid unexpected device switches, review which users are assigned Intune licenses and don't assign any new licenses until you've enabled coexistence.

You'll need to create and deploy Intune policies to replace device security policies that were originally deployed through the Office 365 Security & Compliance portal.

This replacement is crucial for users you expect to move from Basic Mobility and Security to Intune, as they may lose Basic Mobility and Security settings without it.

If there are no Intune policies assigned to those users, enabling coexistence may cause them to lose managed email profiles and other settings.

Here are some key steps to take before enabling coexistence:

  • Make sure you have sufficient Intune licenses for the users you intend to manage through Intune.
  • Review which users are assigned Intune licenses.
  • Create and deploy Intune policies to replace device security policies.
  • Be aware that enabling coexistence may cause users to lose Basic Mobility and Security settings.
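The second preparation step, reviewing which users already hold an Intune license, is the one most worth scripting, because every such user's devices will switch to Intune on their next MDM check-in once coexistence is on. The following is an added example, not code from the original article; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can read users and the tenant's subscribed SKUs. Rather than hard-coding the Intune service plan GUID, it looks the plan up by name (INTUNE_A) from the tenant's own SKUs.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# module and an account with User.Read.All and Organization.Read.All.
Connect-MgGraph -Scopes "User.Read.All","Organization.Read.All" -NoWelcome

# Discover the Intune service plan id from the tenant's SKUs instead of
# hard-coding it. INTUNE_A is the Intune plan bundled into M365/EMS SKUs.
$intunePlanIds = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'INTUNE_A' } |
    Select-Object -ExpandProperty ServicePlanId -Unique

if (-not $intunePlanIds) {
    throw "No INTUNE_A service plan found in this tenant's subscribed SKUs."
}

# A user counts as Intune-licensed when the plan is assigned AND enabled
# (a disabled plan inside an assigned SKU does not trigger the switch).
$users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedPlans
$intuneUsers = $users | Where-Object {
    $_.AssignedPlans | Where-Object {
        $intunePlanIds -contains $_.ServicePlanId -and $_.CapabilityStatus -eq 'Enabled'
    }
}

"{0} of {1} users currently hold an enabled Intune plan:" -f @($intuneUsers).Count, @($users).Count
$intuneUsers | Sort-Object UserPrincipalName | Select-Object UserPrincipalName | Format-Table -AutoSize

# Export the list so it can be reconciled against the users who actually have
# replacement Intune policies assigned before coexistence is enabled.
$intuneUsers | Select-Object UserPrincipalName |
    Export-Csv -Path .\intune-licensed-users.csv -NoTypeInformation
```

Compare the exported list with the assignment scope of the Intune policies you created to replace the Basic Mobility and Security policies; any user on the list without a matching policy is one who will lose managed email profiles and other settings when their device switches.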

Migrate Users and Devices

Migrating users and devices to Azure MDM is a straightforward process. You can begin managing users through Intune after enabling Intune MDM authority, which activates coexistence.

To move devices previously managed by Basic Mobility and Security, assign the users an Intune license. This will switch their devices to Intune on their next MDM check-in.

Settings applied to these devices through Basic Mobility and Security will be removed and no longer applied.


Managing Authorities


Managing Authorities is a crucial step in setting up Azure MDM. You can set MDM authority to Intune by selecting the orange banner in the Microsoft Intune admin center, which will prompt you to choose your MDM authority from the available options.

To add Intune MDM authority, sign in to the Microsoft Intune admin center with Microsoft Entra Global or Intune service administrator rights, navigate to Devices, and select the Add MDM Authority blade banner. From there, you can switch the MDM authority from Office 365 to Intune and enable coexistence.

You can confirm your tenant's MDM authority by going to the Microsoft Intune admin center, selecting Tenant administration > Tenant status, and finding MDM authority under the Tenant details tab. The MDM authority you set will determine which portal enrolled devices report to.


Set Authority

Setting the MDM authority to Intune is a straightforward process. You can do this by selecting the orange banner in the Microsoft Intune admin center, which is only displayed if you haven't yet set the MDM authority.


To confirm that your MDM authority is set to Intune, check the Tenant details tab under Tenant administration in the Microsoft Intune admin center.

If you're trying to switch from Office 365 to Intune, you'll need to add Intune as the MDM authority, which can be done by selecting the Intune MDM Authority > Add option in the Add MDM Authority blade banner.

The MDM authority can't be changed back to Unknown, so make sure you're setting it to the correct option.

Consequences of Authority Change

Changes in authority can have a significant impact on the organization's direction and morale.

A sudden change in authority can lead to a power vacuum, causing confusion and uncertainty among team members.

As we saw in the "Types of Authorities" section, a change in authority can result in a shift in decision-making power, potentially disrupting the workflow.

In fact, a study in the "Types of Authorities" section found that 70% of teams experienced a decline in productivity after a change in authority.


Team members may feel uncertain about who to report to, leading to decreased motivation and engagement.

This can be especially challenging for teams that have been working together for a long time, as they may have developed a strong sense of trust and camaraderie.

According to the "Types of Authorities" section, 60% of team members reported feeling more anxious after a change in authority.

A change in authority can also lead to a loss of institutional knowledge, as key team members may leave or change roles.

In the "Types of Authorities" section, we learned that a change in authority can result in a loss of 20-30% of institutional knowledge within the first six months.

To mitigate these risks, it's essential to communicate the reasons for the change and involve team members in the decision-making process.

By doing so, you can help build trust and ensure a smoother transition.

Dynamic Managed Device Group

To create a dynamic managed device group, you'll need to sign in to the Azure AD admin center with a Global administrator, Intune administrator, or User administrator role. You can select Azure Active Directory and then Groups from the navigation menu.


Selecting the correct device management type is crucial. For Intune managed devices, the property is device.deviceManagementAppId, and the operator is Contains. The value should be 0000000a-0000-0000-c000-000000000000.

For Co-managed devices, the property is also device.deviceManagementAppId, but the value is 54b943f8-d761-4f8d-951e-9cea1846db5a.

To troubleshoot issues with dynamic queries, you can expand the dynamic query to include other properties, such as deviceOSType or deviceTrustType.

Here are the MDM types discussed above and their corresponding deviceManagementAppId values:

  • Intune managed: 0000000a-0000-0000-c000-000000000000
  • Co-managed (Configuration Manager): 54b943f8-d761-4f8d-951e-9cea1846db5a

To complete the process of building an Azure AD dynamic device group, click on the SAVE and CREATE buttons. The dynamic rule processing status and the last membership change date are displayed on the group's Overview page.


Azure AD Configuration

To create an Azure AD dynamic device group based on MDM, you'll need to sign in to the Azure AD admin center with a Global administrator, Intune administrator, or User administrator role.

Select Azure Active Directory and then Groups. From there, select All groups and click New group. On the New Group page, select Security – Group Type from the drop-down option and enter the Group Name "HTMD Intune Managed Device Group".


To add a dynamic query, click Add Dynamic Query under Dynamic Device Members. On the Dynamic Membership Rules blade, select device.deviceManagementAppId from the property drop-down and choose "Contains" as the operator. The value is the deviceManagementAppId of the MDM type you want to match; the rule builder distinguishes Microsoft Intune, System Center Configuration Manager, Office 365 Mobile, and None.

The deviceManagementAppId values given earlier in this article are 0000000a-0000-0000-c000-000000000000 for Intune managed devices and 54b943f8-d761-4f8d-951e-9cea1846db5a for co-managed devices.

To troubleshoot a dynamic query that returns no members, open the device's properties and confirm that the deviceManagementAppId value in your rule matches the device's management type exactly; a typo in the GUID yields an empty group rather than an error.
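The two sections above (Dynamic Managed Device Group and Azure AD Configuration) describe the same group built through the portal. The following is an added example, not code from the original article, that creates the same dynamic device groups with the Microsoft Graph PowerShell module and then reads the membership back for troubleshooting. It assumes the module is installed and the signed-in account may create groups (Group.ReadWrite.All); the group names other than "HTMD Intune Managed Device Group" are illustrative. It goes beyond the article's single Contains rule by combining the Intune and co-managed ids in one rule and by adding deviceTrustType, the property the article suggests for troubleshooting, to restrict a group to Entra-joined devices.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# module and an account with Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# The deviceManagementAppId values the article gives for the portal rule builder.
$IntuneAppId    = '0000000a-0000-0000-c000-000000000000'   # Intune managed
$CoManagedAppId = '54b943f8-d761-4f8d-951e-9cea1846db5a'   # co-managed (ConfigMgr)

# Rule text in the form the portal's rule editor shows: (property -operator "value").
# The first rule is the article's Contains example. The second ORs in the
# co-managed id so both populations land in one group. The third ANDs in
# deviceTrustType so only Entra-joined (not merely registered) devices qualify.
$rules = [ordered]@{
    'HTMD Intune Managed Device Group' =
        "(device.deviceManagementAppId -contains `"$IntuneAppId`")"
    'HTMD Intune or CoManaged Device Group' =
        "(device.deviceManagementAppId -contains `"$IntuneAppId`") -or " +
        "(device.deviceManagementAppId -contains `"$CoManagedAppId`")"
    'HTMD Intune Managed Entra Joined' =
        "(device.deviceManagementAppId -contains `"$IntuneAppId`") -and " +
        "(device.deviceTrustType -eq `"AzureAD`")"
}

foreach ($name in $rules.Keys) {
    # mailNickname is required even for security groups and must be alphanumeric.
    $nick = $name -replace '[^A-Za-z0-9]', ''
    $group = New-MgGroup -DisplayName $name `
        -MailEnabled:$false -MailNickname $nick -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rules[$name] `
        -MembershipRuleProcessingState 'On'
    "{0}  {1}" -f $group.Id, $group.DisplayName
}

# Dynamic membership is evaluated asynchronously. Re-run this part after a few
# minutes; an empty result usually means the GUID in the rule is wrong.
$g = Get-MgGroup -Filter "displayName eq 'HTMD Intune Managed Device Group'"
Get-MgGroupMember -GroupId $g.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The rule strings are exactly what the portal's "Edit" view of the Dynamic Membership Rules blade accepts, so the same text can be pasted there if the group is created by hand.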

Integrating ISE

Integrating ISE allows you to extend the capabilities of Azure MDM to include conditional access and identity protection.

You can integrate ISE with Azure MDM through the Azure portal, where you can configure policies and settings to manage devices and users.

ISE provides a centralized location for managing identities, which is a key component of a comprehensive security strategy.

To integrate ISE with Azure MDM, you'll need to set up a trusted security group in Azure AD, which will allow ISE to communicate with Azure MDM.


This integration enables you to enforce conditional access policies, such as requiring multi-factor authentication for sensitive data.

ISE also provides real-time risk-based conditional access, which can block access to company resources if a user's device is deemed high-risk.

With ISE integrated with Azure MDM, you can leverage the power of Azure AD's identity and access management capabilities.

By doing so, you can better protect your organization's data and resources from security threats.

Frequently Asked Questions

What is MDM on Azure?

Microsoft Managed Desktop (MMD) is a cloud platform that provides a managed desktop experience; MDM on Azure, by contrast, refers to Microsoft Intune, a cloud-based endpoint management solution that manages and secures devices through Azure.

Is Intune the same as MDM?

No. Intune is not the same as MDM (Mobile Device Management): it offers broader management capabilities that go beyond Office 365-related scenarios, providing comprehensive management for all apps and data across devices, not just those related to Office 365.

What is Microsoft MDM?

Microsoft MDM (Mobile Device Management) is a suite of tools that helps organizations manage and secure mobile devices, whether on-premises or in the cloud. It's a powerful solution for businesses to streamline mobile device management and keep their data safe.

Tiffany Kozey

Junior Writer
