New tenant, devices won't register with Organization (Business Premium).

thecomputerguy

I will start off by saying I'm a noob when it comes to Intune or Azure AD. I have had this issue across all of my tenants, not just this new one, and I just haven't had the time to figure it out and research why this is happening. When I sign into a Business Premium account on a computer across any one of my tenants I get the standard popup.

If I leave the checkbox checked in I get this error:

The app will log in and function but it will not register the device with the organization at https://intune.microsoft.com/

So my tenant shows this.

What settings do I need to change to allow the device to register? Here are a couple of screenshots from what I've looked at so far.

Devices > Enrollment > Automatic Enrollment

-----------------------------

I mainly want the device to register correctly with the organization so I can manage it in Intune then store BitLocker keys there ... Does anyone have the absolute basics I need to do that?
 
Typically what I will do is unbox a new device ... set it up as a local admin account ... deliver it onsite then attempt to log in to services like Outlook, OneDrive, Teams etc. and upon login I am prompted to "Allow your organization to manage this device"

Device will typically be a Latitude with Windows Pro on it. I feel like I'm doing something fundamentally wrong causing it to not be able to register with Entra/Intune.

Is it because I am trying to use devices with a local admin account to login to the services?

If I leave it checked in then I get the corresponding error and it will not register with the organization.

@YeOldeStonecat @Sky-Knight
 
OK, I grabbed a test machine and reformatted it ... on Windows 11 startup I logged in using a work or school account and it registered with Intune ... so basically I can't start with a local account then add services because I believe the device is then flagged as BYOD.

It looks like setting up a TAP doesn't work either.

I'm going to try and set up a local account ... get the system prepped with updates and stuff, then add another account by logging into the organization and then see what happens.

I'm starting to think this might just be too much work for the companies I manage that have less than 10 users... which are a majority of my clients. I'm used to being able to basically get the computer 90% of the way there before delivery.

Now to use Intune I have to pre-login with the user's Business Premium account and set up a PIN before I can proceed or I get further into complicated territory with Intune policies I don't know much about.

Edit: OK it looks like TAP DOES work with Windows Hello PIN

Edit: OK, setting up a local account then connecting it to the workplace account works, but it creates a new user profile in the system which then requires the user to log in using their O365 credentials, and TAP does not work in this case.

So it looks like I will be going the route of TAP + Hello PIN then prep the system and when onsite the first thing I should do is change the PIN.

What a journey, the tenant is fine... if anyone has any input please let me know.

My next learning experiment will be exploring adding BYODs to Intune ... which quite frankly sounds pretty messy.

I think I need to change my deployment procedure.
 
What happens when an already intune enrolled device needs to be repurposed for another user?

Are you supposed to retire the device? Delete the device? Then add a new workplace account?
 
Note, the above requires Intune licensing, Business Premium.

You will not have nearly as much of this stuff if you're still using Basic / Standard.

Fortunately, it doesn't really matter in that context either. Entra ID Joined devices don't have to be managed by Intune, and Intune is where the security features that caused this live.
 
Following along as I need to master this too.

What is TAP?
Temporary Access Pass

It's an "MFA method" that allows you to issue a generated password that's valid for a defined amount of time. You use this to allow a user to authenticate against their Entra ID identity without their phone / MFA token.

Short term, automatically expiring, automatically documented, single factor access on demand. That's TAP.
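Issuing one of these passes from Microsoft Graph PowerShell, as an added example that is not part of the thread or anyone's posted code. It assumes the Microsoft.Graph module is installed, the Temporary Access Pass method is enabled in the tenant's authentication methods policy, the signed-in admin may manage authentication methods, and the UPN is a placeholder.

```powershell
# Added example (not from the thread): issue a Temporary Access Pass (TAP) for one user.
# Assumes: Microsoft.Graph module installed, TAP enabled in the tenant's authentication
# methods policy, and an admin signed in with rights to manage authentication methods.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$UserUpn = 'newuser@contoso.example'   # placeholder, replace with the real user

# Bound both dimensions the post describes: it expires on its own, and here it is
# also single-use, so a pass left on a prep sheet is worthless after first logon.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserUpn -BodyParameter @{
    lifetimeInMinutes = 60       # auto-expires one hour after start
    isUsableOnce      = $true    # one successful sign-in, then it is dead
}

# The pass value is only returned at creation time; there is no way to read it back later.
"TAP for $UserUpn, starts $($tap.StartDateTime), lifetime $($tap.LifetimeInMinutes) min"
$tap.TemporaryAccessPass

# The "automatically documented" part: every pass issued to the user is listed on the
# account, so you can see what is outstanding and remove it once the device is handed over.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserUpn |
    Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, IsUsable, MethodUsabilityReason

# Clean-up after onboarding (optional): revoke the pass instead of waiting for expiry.
# Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserUpn -TemporaryAccessPassAuthenticationMethodId $tap.Id
```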
 
If the customer uses Entra ID for identity, then my process is:

1.) Unbox
2.) Patch / Firmware Update (This is done with a passwordless local admin account) NO... I do NOT support Home edition!
3.) Deploy the software load. (If no Intune)
4.) Set the password for the local admin account.
5.) Join the device to the appropriate Entra ID. (Using my M365 admin account)
6.) Use the command line to grant local admin rights to the appropriate M365 user. (if no Intune)
7.) Use the Intune admin panel to assign the device to the user. (If Intune)
8.) Ship to user.

Sometimes I'll have to coordinate with the user to login for the first time if there's special stuff, but usually those bits are when THEY unbox because the endpoint has my RMM on it, and the user can pop it on the wifi from the login screen.

If they have Intune AND they have allowed me the investment to configure the thing, that will do as much as possible, all the way to using Autopilot to configure the device for me. All of this reduces on-boarding time, and therefore expenses. Clients have somewhere between 1 and 3 hours of billed time per endpoint depending on complexity.

And it's always the tightwads that cost 3 hours... because they refuse to modernize their software and use crap like Adobe perpetual licensing, Quickbooks, etc.
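A script that covers the checks behind steps 5 and 6 of the process above: it reads the device's join state from `dsregcmd /status` (which also exposes the "registered but not joined" BYOD case the thread ran into) and, only if the machine is actually Entra ID joined, grants local admin to one M365 user. This is an added example, not the poster's own tooling; it assumes an elevated PowerShell session on Windows 10/11 Pro and uses a placeholder UPN.

```powershell
# Added example (not from the thread): verify Entra join state, then do step 6 (local admin
# for the assigned user when no Intune policy does it). Assumes elevated PowerShell on
# Windows Pro. Run it in the intended user's session so the "User State" section is present.
$UserUpn = 'user@contoso.example'   # placeholder, replace with the assigned M365 user

# dsregcmd /status prints "Name : Value" lines; pick out the ones that matter here.
$status = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName)\s*:\s*(.+)$') {
        $status[$Matches[1]] = $Matches[2].Trim()
    }
}

$entraJoined     = $status['AzureAdJoined']   -eq 'YES'
$domainJoined    = $status['DomainJoined']    -eq 'YES'
$workplaceJoined = $status['WorkplaceJoined'] -eq 'YES'

if ($entraJoined) {
    "Entra ID joined to tenant '$($status['TenantName'])': device is organization-owned."
} elseif ($workplaceJoined) {
    # The state described earlier in the thread: a work account was added to a local
    # profile, so the device is only registered (flagged as BYOD), not joined.
    "Entra registered only (workplace joined): shows as BYOD, not a joined corporate device."
} elseif ($domainJoined) {
    "On-prem domain joined only: hybrid join via Entra Connect is needed before Intune sees it."
} else {
    "Not joined or registered to any directory."
}

# Step 6: grant local admin only on a device that is really joined. Windows names Entra ID
# accounts in local groups with the 'AzureAD\' prefix followed by the UPN.
if ($entraJoined) {
    net localgroup Administrators "AzureAD\$UserUpn" /add
    # Show the group so the change (and any stale local admins) is visible in the ticket.
    net localgroup Administrators
} else {
    Write-Warning "Skipping local admin grant: device is not Entra ID joined."
}
```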
 
When I went to assign the device to the user it asks for a management name and I just copied and pasted the computer name. I'm not sure exactly what the point is of assigning the device to the user because the device already shows up in the user's devices in Entra.

This seems like a lot of extra steps for a business with 5 computers total.
 
If you join the device to Entra ID as the user, it onboards all of this for you.

The point is you as an IT professional aren't supposed to onboard anything anymore, you're supposed to stuff a hardware ID into AutoPilot and let Intune configure everything for you, and what doesn't fit into Intune is done manually after the fact, in a very annoying way, to surface to management that tool NEEDS TO DIE.

Which... well... in SMB land doesn't end well. So yeah, we spend time climbing into the back window.
 
Yeah, this all sounds like it's designed more for mass deployment when working across a single tenant ... I am in and out of tenants of small companies all day long ... like 10+ tenants a day, and dedicating Intune + Autopilot policies for companies of such a small size, I'm having a hard time seeing how it makes sense to do anything outside of joining the devices to Entra/Intune for BitLocker keys & remote wipe ... basically just the basics...

A lot of the clients I'm dealing with are working outside of the normal sphere of pure O365 and I'm installing apps like Quickbooks, Lacerte, VPN software, Dropbox, Adobe, and a s*** ton of small custom software like Eaglesoft, Dentrix, Farmers, Thompson Reuters... tons of printer variations etc ..

Not to mention a lot of these clients place high importance on things like getting their background picture back and putting their icons where they were before ... a lot of dumb basic stuff.

I'm thinking simply joining to Entra/Intune is probably enough at the level I am at until I can learn more through testing so when my one man show dies I can say I have experience with Intune/Autopilot policies to get a job.
 
In the situation you're in, I recommend only joining devices to Entra ID and leaving Intune off the shelf. Intune can come later.

The templates and policies you refer to are deployable via script, and there are orgs out there that sell precanned configurations you can shove into service. Microsoft has M365 Lighthouse available for free as well, but can only really support tenants that have a Business Premium on it or greater. This product works via GDAP, which is a renewable mechanism to link groups of people in YOUR M365 tenant, to M365 RBAC roles in your CUSTOMERS' TENANTS and allow you to bounce between them via the Partner portal.

So joined tenants are then subject to Lighthouse's baselines, which allow for deployment of specific features at a click once set up.

The thing is, you're supposed to manage ALL TENANTS as a fleet, not this one at a time fully custom mess you're doing now. If you continue treating tenants like pets, instead of like cattle... you will go insane, and go broke.
 
We find Intune is a big time saver for us.
We're in and out of a few hundred 365 tenants all the time. Every week, piles of new computers coming into our office, for us to unbuckle, vendor updates and perhaps a round of Microsoft updates, name, create local account.

Once intended user gets signed in...sit back and let automated things happen for a few minutes, reboot...one final touch to really customize desktop and app defaults (all pretty quick)...done.

Intune will...
*remove any/all old versions of Office, and push install the latest. Monthly Enterprise Update Channel
*Push install Company Portal App
*Push install other apps we might have selected for this client from the Microsoft Store
*Engage OneDrive, enforcing settings we select
*Sync Teams libraries
*Engage BitLocker and back up the key
*Set a login banner
*Push out wireless profiles so it will auto hop on wireless networks that you pre loaded, client doesn't have to go through joining steps
*Set lock workstation after XX minutes
*Enforce Microsoft updates
*Pre configure Outlook (although with AzureAD joined rigs...really don't have to configure much anyways)

*365 auto syncs Edge favorites and saved creds
 
Say for example I'm at a client's office that requires them to be joined to the local domain to access local resources like a SQL database, think Eaglesoft or small custom SQL pieces of software that require local domain authentication...

Does this process change in this case?
 
Azure AD Connect. Synchronizes users and devices across both authentications....thus authentication and access to resources on both sides.
Used to be quite a buggy program...but has improved. However...some "gotchas" to prepare for ahead of time. One of my first ones, do not sync the defaults from ADUC. Create specific OUs in ADUC...and ONLY...sync those. Else...your directory in Azure will be a huge pile of pasta!
 
I always appreciate your insight into these matters @YeOldeStonecat and @Sky-Knight your knowledge is far beyond mine and I post these publicly so that the knowledge I get from much smarter people than I may be learned at a later time.

My business would not be what it is today without @YeOldeStonecat's pricing sheet and insight into monthly MSP structure.

In regards to this whole Azure AD connect thing... thank you for the knowledge again but ... 🤮
 