New tenant, devices won't register with Organization (Business Premium).

What is this?
I ran across a similar error at a few clients ....like you had for your opening post. I did my usual stuff, if the device was with a prior user, removing it, (similar to removing a computer from ADUC), and these were tenants that had been used for a while and AzureAD joining had been successful prior with other rigs. So I was Google-Fu'ing like a Kung Fu Master...and stumbled upon some thread in some forum, maybe Reddit, where someone said "Disable the WIP enrollment..."...I did that, gave it an hour to cook..and then tried..and the join was successful.

I believe back then when I discovered that...Microsoft was having a "bug/glitch" for a few weeks related to that, thus why it worked. But...months afterwards....I'd occasionally run into symptoms like that, and flipping that radio button to "none" did the trick.

Also from what I've read, the WIP enrollment is being deprecated, to be replaced by a different twist of that service (I've yet to learn about).
It's different than the MDM User Scope....you for sure still want that enabled.

Of course I ensured all of those enrollment/registration DNS records were properly in place, somewhere around the InTune portal pages there's a spot to have it check the required DNS records and it's always a positive result, I don't skimp on setting up my DNS records and having them proper.

[attached screenshot: 1728046347816.png]
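As an added example (not part of the post above, nor Microsoft's own tooling), here is a PowerShell check for the two CNAME records that MDM auto-discovery and device registration rely on, which is what the portal's DNS check verifies. The domain is a constructed placeholder; the expected targets are Microsoft's published values.

```powershell
# Added example: verify the enrollment/registration CNAMEs for a custom domain.
# 'contoso.example' is a constructed placeholder; replace with the tenant's verified domain.
function Test-EnrollmentDns {
    param([Parameter(Mandatory)][string]$Domain)

    # Published targets for MDM auto-enrollment and Entra device registration discovery.
    $expected = @{
        "enterpriseenrollment.$Domain"   = "enterpriseenrollment.manage.microsoft.com"
        "enterpriseregistration.$Domain" = "enterpriseregistration.windows.net"
    }

    foreach ($name in $expected.Keys) {
        try {
            # Only keep the CNAME answer itself, not any A records returned with it.
            $answer = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                Where-Object { $_.QueryType -eq 'CNAME' } |
                Select-Object -First 1
            $actual = $answer.NameHost
        } catch {
            # NXDOMAIN or resolver failure: report as missing rather than throwing.
            $actual = $null
        }

        [pscustomobject]@{
            Record   = $name
            Expected = $expected[$name]
            Actual   = $actual
            Ok       = [bool]($actual -and ($actual.TrimEnd('.') -ieq $expected[$name]))
        }
    }
}

# Usage: any row with Ok = False is a record to fix before retrying enrollment.
Test-EnrollmentDns -Domain 'contoso.example' | Format-Table -AutoSize
```

Run it from the machine that is failing to enroll, so it uses the same resolver the enrollment client will; a correct record on the public zone that an internal DNS forwarder does not return is a common reason the portal check passes while the client still fails.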
 
WIP is going away in favor of Defender XDR, along with a horde of other small features scattered here and there.

Defender for Endpoint
Defender for Identity
Defender for O365
Defender for Cloud Apps

These four things combine to become Defender XDR. <insert Captain Planet meme here>

Defender XDR makes the Defender admin panel almost a SIEM, the combination is pretty wildly powerful.

Defender for Identity you won't need if you ditch Active Directory.
Defender for Endpoint is contained in Defender for Business (Part of Business Premium)
Defender for O365 is also contained in Defender for Business (Part of Business Premium)

So for the SMB that buys Business Premium, all they need to do is get Defender for Cloud Apps to complete the solution. Defender for Cloud Apps can monitor SaaS applications used by the vendor, and the entire M365 estate looking for Shadow IT efforts, along with a ton of other things. This is $3.50 / user / month on its own.

If you want to know more about all of this, review the study material for the SC-900 exam. I just snagged that one myself last week.

Note, all of these features positively shovel data into Azure Sentinel, which is where my current org makes most of its money. SOC operations for SMB are HARD, but we perform them. But you need a manned SOC a ton less if you fully implement Defender XDR.

Note, anyone tries to talk to me about Sentinel One, or anything else that pretends it's an MDR solution... will get slapped. Because none even come close to comparing. Microsoft has simply run away with the ball, and the referees are still trying to figure out where the new field is located.
 
It seems when I try to register a device to Azure AD that uses a Business Standard account I am unable to. Is there a way to register the device so that the device uses the credentials of the M365 account as a login with Windows Hello PIN and stores the Bitlocker key in the users devices in Entra?

I bumped a license from standard to premium and it was able to register but all other Business Standard accounts seemingly only allow "Sign into this app only" or if I try to leave the box that says "allow my organization to manage this device" I still get a registration error.

Is Azure P2 required to even register the device with Azure?

@YeOldeStonecat @Sky-Knight
 
P2 is not required. P1 is all you need....but you need InTune for more features, which Biz Standard does not have....and Prem does.
Biz Premium...or...higher. I do my best to avoid supporting anyone with below biz premium.
 

So Business Standard is basically just Email and Apps and won't register with Entra?
 
P1 is not required, Entra ID Free is all that's required to register devices to the directory and use the Azure login on the device. M365 Business Standard has this requirement met, as it has the O365 variant of Entra ID with even more functionality.

P1 is required for Conditional Access policy, which lets you do cool things like require an Entra joined device or an Intune Compliant device.

But no, M365 Business Standard will allow you to join devices to the directory (So will Basic), however the tenant may have been configured to resist this from an end user. Have you tried joining it with a Global Admin account? If you do this, you'll need to use the net use command manually on the endpoint to grant local admin rights. M365 Business Standard lacks the tools you need to automate these processes, but you very much can perform many of them manually.

However yes in general Business Basic and Business standard are a set of collaboration tools only, security functionality comes with PREMIUM, as it contains the Entra ID Premium P1 entitlement, as well as Defender for Business, and Intune. Without these features you're doing a ton of busy work because the client wants to be cheap, this is your idiot tax.

Keynote, joining a machine to Entra ID comes with Entra ID Free, and is therefore included in Entra ID O365 which you have from Business Basic / Standard. The error you started this thread with was a failure to join Intune, Intune enrollment is utterly separate from Entra ID enrollment. This isn't Active Directory, you don't get a free policy engine (Group Policy) with Entra ID. Entra ID is purely an identity provider.
 
So Sky elaborated that the Azure...err..Entra...err...Identity..."free" allows join. But...my question is...."What is your goal?" To me (IMO)....just joining the "free" directory doesn't really gain you much more over plain old "registering a device".

To me, being able to leverage conditional access policies, and InTune, is where you start to "use tools to your advantage, as well as to the client's advantage".

Sky also worded it well..."...because the client wants to be cheap, this is your idiot tax". Yes you should be charging more...much more....for clients who "cheap out" and resist the pitch for Biz Premium (or higher). Because you have to spend more time doing what you do! And your time...costs more...than the savings they think they have in cheaping out.
 