
Some Fun with Azure AD and Intune

Iron II

Friday was supposed to be an easy day off where I spent some time to help a friend set up the Microsoft Azure features that he was paying for (but not using). His firm takes client data seriously and needed my help. It was content to maximize the Microsoft services that it has, which was fine by me. I could spend my day learning and solving problems. It ended up being something other than "fine", and I was one of the last two leaving the office.

I'm familiar with Azure AD (AAD) and could help protect identities, implement modern authentication, as well as an assortment of best practices that are unique to Microsoft. The documentation and steps were very confusing, but it was possible to decipher how to get started with Intune. The actual job wasn't so straightforward, and the reason was less technical than "redtape" created by a very confusing and complex licensing scheme. It came down to this:

My friend's legacy Office 365 E3 licenses aren't the same as Microsoft 365. It's difficult to understand that there's even a problem until you run into the end of a maze. Stuff doesn't work, and there's no clear explanation. Yet:

  • There are references to Intune in the O365 admin GUI
  • I was able to purchase one-off licenses to set up Intune and license users
  • I was even able to create a CIS benchmark and security group using Intune/AAD. However, it's likely that I'll have to set up a dynamic device group once the AAD licensing changes.
  • Poor performance in the console led me to suspect there were service issues, so I kept trying. You probably wouldn't give up easily either, if you're like me.

Intune still wouldn't populate any of the users or devices that I could clearly see in AAD. It turns out that O365 E3 lacks a P1 or P2 AAD license, so I was unable to perform the necessary MDM config step in AAD to integrate the services. Maybe I should have known, but nothing in the UX (or clearly stated in the docs) made that clear. The only clue was that MDM wasn't present in my left frame of "all services" for AAD, but I still searched for it and found it.

The interface for MDM/MAM stated my edition of AAD wasn't licensed (you have to enable that in AAD for Intune to function). It puzzled me because I'd assumed that the E3 license of Office 365 was just the old naming for M365 and Microsoft still permitted me to go ahead and license Intune (which was showing up in my admin interface). The KBs and feature matrices I pored through in search of a solution only cover M365/AAD. That too led me to believe that's what I was using, until I had the "aha" moment that the tenant was a grandfathered SKU.

I lost hours of my day (and so did one of the more senior people in the firm who was with me). Thankfully, the licenses can be migrated to M365, but that raised some consternation about whether everything that already exists "will still work smoothly". My problem wasn't willingness to change or even the work itself: it was the licensing. Nearly all of the pieces were in front of me, but they wouldn't "connect" because one service was gated off.

*The closest equivalent in the "new" licensing isn't M365 E3, it's M365 Business Premium ... M365 E3 would jack the price up $10 per month per head.