How to Auto-Enroll Windows Computers into Intune via Azure AD

From Notes_Wiki



How to Auto-Enroll Windows Devices into Intune via Azure AD Join (Cloud-Only Method)

Description

In a cloud-only setup, devices can automatically enroll into Microsoft Intune when a user signs into a Windows computer and joins it to Azure Active Directory (Azure AD). This method is commonly used without on-prem Active Directory or Hybrid Join.

Purpose

To simplify device onboarding and enforce security policies automatically by ensuring that devices are both Azure AD joined and Intune-enrolled in a single step.

Scenario

You want users to receive Intune policies automatically when:

  • They use a new or reset Windows device.
  • They manually join the device to Azure AD via Settings.
  • The device gets auto-enrolled into Intune because the user is in a targeted group.

Steps

A. Create a Security Group for Auto-Enrollment

  1. Go to Microsoft Entra Admin Center.
  2. Navigate to Groups > + New group.
  3. Choose:
    1. Group type: Security
    2. Group name: Auto-Enroll Users
    3. Membership type: Assigned
  4. Add users who need Intune auto-enrollment.
  5. Click Create.

B. Configure MDM Auto-Enrollment Settings

  1. In Entra Admin Center, go to Mobility (MDM and MAM).
  2. Click on Microsoft Intune.
  3. Under MDM user scope, choose Some.
  4. Assign the Auto-Enroll Users group.
  5. Save your changes.

C. Join the Windows Device to Azure AD (User Action)

  1. On the Windows 10/11 PC, open Settings > Accounts > Access work or school.
  2. Click + Connect.
  3. Enter the user’s Azure AD credentials (the user must be in the Auto-Enroll Users group).
  4. Follow the prompts to complete the Azure AD join.
  5. Once joined, the device will:
    1. Be Azure AD joined
    2. Automatically enroll into Intune

D. Confirm Enrollment

  1. Log in to Microsoft Endpoint Manager Admin Center.
  2. Go to Devices > All devices.
  3. Verify that the new device appears with status: Managed.
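The portal check above tells you what Intune recorded; the script below, an added example that is not part of the wiki article, confirms the same thing from the device itself. It matters because with MDM user scope set to Some, a user who is not in the group can still complete the Azure AD join without the device enrolling, which leaves an unmanaged device that receives none of the baseline policies. The script reads dsregcmd /status for the join state, looks for an Intune enrollment record in the registry (the ProviderID value "MS DM Server" and EnrollmentState 1 are the values Intune enrollments are documented to leave there), and lists recent errors from the MDM diagnostics event log. Run it in an elevated PowerShell session on the PC after step C.

```powershell
# Added example (not from the wiki article): confirm on the Windows PC that both halves of
# the flow completed, Azure AD join AND Intune (MDM) enrollment. Run elevated, after step C.

function Get-DsregValue {
    # Pull one "Name : Value" field out of the dsregcmd /status output.
    param([string[]]$Lines, [string]$Name)
    $hit = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

$dsreg = dsregcmd /status

$azureAdJoined = (Get-DsregValue -Lines $dsreg -Name 'AzureAdJoined') -eq 'YES'
$tenantName    = Get-DsregValue -Lines $dsreg -Name 'TenantName'
$mdmUrl        = Get-DsregValue -Lines $dsreg -Name 'MdmUrl'

# Each MDM enrollment leaves a GUID-named key under HKLM:\SOFTWARE\Microsoft\Enrollments.
# Intune enrollments carry ProviderID "MS DM Server"; EnrollmentState 1 means enrolled.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 }

# Enrollment failures are logged here; surface errors from the last 24 hours.
$recentErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2   # Error
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 10 -ErrorAction SilentlyContinue

[pscustomobject]@{
    AzureAdJoined   = $azureAdJoined
    TenantName      = $tenantName
    MdmUrl          = $mdmUrl
    IntuneEnrolled  = ($enrollments | Measure-Object).Count -gt 0
    EnrolledUPN     = ($enrollments | Select-Object -First 1).UPN
    RecentMdmErrors = ($recentErrors | Measure-Object).Count
}

if ($azureAdJoined -and -not $enrollments) {
    Write-Warning 'Device is Azure AD joined but has no Intune enrollment: check MDM user scope, group membership and the Intune license.'
}
```

A result of AzureAdJoined = True with IntuneEnrolled = False is the case to chase: the join succeeded but the MDM discovery step did not, and the event log entries usually name the reason (no license, user outside the MDM user scope, or a blocked enrollment URL).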

Real-world Example

An IT team instructs employees to join their laptops to Azure AD. As long as the users are part of the `Auto-Enroll Users` group, their devices are automatically managed by Intune and receive baseline security policies immediately.

Notes

  • An Intune license must be assigned to the user.
  • The device must be connected to the internet during the join.
  • No on-prem Active Directory or GPO is required for this method.
  • Works well for remote or cloud-first environments.
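The two preconditions the notes list, group membership (step A) and an Intune license, are the usual reasons a join succeeds without an enrollment. The script below, an added example that is not part of the wiki article, checks both for one user from the tenant side with the Microsoft Graph PowerShell SDK and then lists the managed devices Intune holds for that user, which is the same information as step D. It assumes the Microsoft.Graph modules are installed and that the caller can consent to the scopes named in the script; the UPN is a constructed sample value.

```powershell
# Added example (not from the wiki article): tenant-side check that the prerequisites for
# auto-enrollment hold for one user and that a managed device showed up in Intune.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'DeviceManagementManagedDevices.Read.All'

$upn       = 'alice@contoso.example'   # constructed sample user
$groupName = 'Auto-Enroll Users'       # the group created in step A

$user  = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found; step A has not been completed." }

# Step A: is the user actually a member of the assigned group?
$isMember = $null -ne (Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id })

# Notes: an Intune service plan must be provisioned on the user, or enrollment is refused.
$intunePlans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
    Where-Object { $_.ServicePlanName -like 'INTUNE*' -and $_.ProvisioningStatus -eq 'Success' }

# Step D: the user's devices as Intune sees them.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.UserPrincipalName -eq $upn } |
    Select-Object DeviceName, OperatingSystem, ManagementAgent, EnrolledDateTime, ComplianceState

[pscustomobject]@{
    User              = $user.UserPrincipalName
    InAutoEnrollGroup = $isMember
    HasIntuneLicense  = ($intunePlans | Measure-Object).Count -gt 0
    ManagedDevices    = ($devices | Measure-Object).Count
}
$devices | Format-Table -AutoSize

if (-not $isMember -or -not $intunePlans) {
    Write-Warning 'User can still join Azure AD, but the device will not enroll into Intune until group membership and the license are fixed.'
}
```

Run this before telling a user to join rather than after: if either flag is False the join will still succeed from the user's point of view, and the missing enrollment only becomes visible when the device never appears under Devices > All devices.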
