In this post, we’ll guide you through the process of setting up a Microsoft Intune tenant and show you some of the basic steps you can do right from the start. Microsoft Intune is a cloud-based service that helps you manage your devices and apps. Many of our readers have been managing SCCM (Configuration Manager) for many years and are now being pushed toward Microsoft Intune for the future of their device management.

Let’s make a clear statement: as of today, Microsoft Intune does not do everything that SCCM does. Microsoft Intune still has its flaws and drawbacks, but it’s the path Microsoft wants you to take in the upcoming years.

If you currently use SCCM and want to use Microsoft Intune, you have the following options:

  1. Enable tenant attach
    • Tenant attach allows you to upload your SCCM devices to Microsoft Intune. It’s the easiest way to integrate Intune with your on-premises SCCM server.
  2. Set up co-management
    • This option splits workloads between SCCM and Intune
  3. Move from SCCM to Intune
    • Only for organizations who want a 100% cloud solution
  4. Start from scratch with Microsoft 365 and Intune
    • Only applicable if you have Windows 10 or Windows 11 clients to manage.

But first, let’s look at the architecture options for integrating Microsoft Intune in your Azure environment with Microsoft Entra ID. You can see SCCM in the lower-right part of the blue section.

  • Here’s a more targeted graph for the SCCM administrator:

If you’re wondering whether you can use Intune with your current licensing, Microsoft Intune licensing changes a lot, so the best bet is to look at the Microsoft Licensing page and Microsoft Intune Plans and Pricing.

So now that you’re familiar with the concept, you’re ready to manage some devices in Microsoft Intune.

Setup Microsoft Intune Tenant

The first step before going into the Endpoint Manager Portal is to set up the Microsoft Intune tenant. If you don’t have an Intune portal yet, you can sign up for a 30-day trial.

If you already have a Microsoft work or school account, sign in with that account and add Intune to your subscription. If not, you can sign up for a new account to use Intune for your organization.

  • Once subscribed, check your email and verify your account using the provided link.
  • You’ll be directed to the Microsoft 365 admin center. If you have only cloud-based accounts, go ahead and assign licenses to your accounts in the 365 portal.

Configure a custom domain name

When you set up Microsoft Intune, Microsoft gives you an initial domain name that looks like xyz.onmicrosoft.com. You can configure your company’s custom domain in Intune (systemcenterdudes.com).

If you are trying Microsoft Intune using the free trial, you can skip this step.

If you’re already using an Office 365 subscription, your domain may already be in Microsoft Entra ID. Intune uses the same Microsoft Entra ID, and can use your existing domain.

  • Go to Setup / Domains. Choose Add domain, and type your custom domain name. Select Use this domain at the bottom.
  • In the Verify domain dialog box, select the option to create the TXT record in your DNS hosting provider.
  • Select the desired option and click Continue
  • On the Verify page, enter your DNS provider at the top
  • Once the TXT information has been updated on your DNS provider, click Verify
  • There may be a delay; it may take up to 15 minutes for DNS changes to take effect.
  • Once completed your domain will be listed as Healthy. The OnMicrosoft domain cannot be removed.

Endpoint Manager portal

Once your initial Microsoft Intune setup is completed, you can close the Office portal and open the Endpoint Manager Admin Center.

Set the MDM Authority

The mobile device management (MDM) authority setting determines how you manage your devices. By default, the Intune free trial sets your MDM authority to Intune. As an IT admin, you must set an MDM authority before users can enroll devices for management. With the MDM authority set, you can start enrolling devices.

  • Open the Intune Portal and select the orange banner to open the Mobile Device Management Authority setting. The orange banner is only displayed if you haven’t yet set the MDM authority.
  • Under Mobile Device Management Authority, choose your MDM authority from the following options:

In our post, the MDM Authority will be set to Intune MDM Authority.

Create Users And Assign Licences

You can manually add users to Intune via the Microsoft 365 admin center or the Microsoft Intune admin center. You can also assign licenses in either portal.

Before enrolling devices, we need to create users. Users will use these credentials to connect to Intune.

If you’re using an Office 365 subscription, your users and groups are already in Microsoft Entra ID.

For our test, we will create users manually in our Microsoft Intune Admin Center.

  • In the Intune Admin Center
  • Select Users
  • On the All Users page, click New user at the top
  • Enter information for the user, such as Name and User name
  • Go ahead and create your accounts
  • Under Groups, choose a group to add the user to. If you don’t have any group, skip this step and do not add the user to a group. In our example, we are adding it to the All Intune Users group

Intune License Assignment

We now need to assign the user a license that includes Intune before enrollment. If you don’t assign an Intune license to your user, you won’t be able to enroll their devices.

You can assign a license per user, or you can use groups to assign your licenses more effectively. Repeat the step for all your users or groups.

  • Click on the user that you just created
  • Click on Licenses on the left and then Assignment on the top
  • Select the desired license for your user and click Save at the bottom
  • Also, ensure that a Microsoft Intune plan is selected

Customize the Intune Company Portal

The Intune Company Portal is where users enroll devices and install apps. The portal will be on your users’ devices. You’ll want to customize it to increase your users’ trust before they take any action in the portal.

So we’ll customize it to reflect our company branding.

  • In the Microsoft Intune Admin Center
  • Click on Tenant administration / Customization
  • Click Edit at the top
  • In the Edit Customization Policy window, we enter our Organization Name, color and Logo

There are plenty of other options to customize Microsoft Intune; go ahead and customize what you need. When completed, click the Review + Save button at the bottom.

At that point, your Intune tenant is ready to enroll devices. The next steps are optional but recommended.

Create a Compliance Policy

Before enrolling a device using this user, it’s best practice to create a basic compliance policy.

In our example, we will create a basic security setting that will allow monitoring iOS device compliance. We will check for jailbroken devices, check for an OS version and require a password policy.

  • In the Microsoft Endpoint Manager Admin Center
  • Select Devices / Device compliance / Policies / Create Policy
  • For the Platform, select iOS/iPadOS, click Create
  • Enter a Policy Name and a Description, click Next
  • In Settings, select Device Health, under Jailbroken devices, select Block
  • Under Device Properties, in Minimum OS version, enter 11
  • Click Next
  • In the Action for compliance screen, leave the default options, meaning that all non-compliant devices will be marked as “Non-Compliant” immediately
  • Once created, the policy must be assigned to a group
  • Select groups to include
  • Click Next
  • On the review screen, review your choice and click Create
  • You can also repeat the steps to create a policy for Android and Windows devices if needed
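
Once the policy exists, the same baseline can be checked against an export of it. The following is an added example, not code from the original post: it audits a policy in the JSON shape Microsoft Graph uses for an iosCompliancePolicy (with scheduledActionsForRule and assignments expanded) against the settings chosen in the steps above. The sample policies are constructed, and the function names and the group id placeholder are assumptions.

```python
# Baseline from the steps above: block jailbroken devices, minimum OS 11,
# require a passcode, mark non-compliant immediately, assign to a group.
MIN_OS = (11,)

def parse_version(text):
    """Turn '11.4.1' into (11, 4, 1); empty or missing becomes ()."""
    return tuple(int(p) for p in (text or "").split(".") if p.isdigit())

def audit_ios_policy(policy):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if policy.get("@odata.type") != "#microsoft.graph.iosCompliancePolicy":
        findings.append("not an iOS/iPadOS compliance policy")
    if not policy.get("securityBlockJailbrokenDevices"):
        findings.append("jailbroken devices are not blocked")
    if parse_version(policy.get("osMinimumVersion")) < MIN_OS:
        findings.append("minimum OS version is unset or below 11")
    if not policy.get("passcodeRequired"):
        findings.append("passcode is not required")
    # A 'block' action with a 0-hour grace period is the default
    # "mark device non-compliant immediately" behaviour.
    actions = [cfg for rule in policy.get("scheduledActionsForRule", [])
               for cfg in rule.get("scheduledActionConfigurations", [])]
    if not any(a.get("actionType") == "block"
               and a.get("gracePeriodHours") == 0 for a in actions):
        findings.append("no immediate non-compliance action")
    if not policy.get("assignments"):
        findings.append("policy is not assigned to any group")
    return findings

# Constructed sample in the Graph export shape; the group id is a placeholder.
GOOD = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "securityBlockJailbrokenDevices": True,
    "osMinimumVersion": "11",
    "passcodeRequired": True,
    "scheduledActionsForRule": [{"scheduledActionConfigurations": [
        {"actionType": "block", "gracePeriodHours": 0}]}],
    "assignments": [{"target": {"groupId": "<group-object-id>"}}],
}
# The same policy after drift: OS floor lowered, passcode off, unassigned.
DRIFTED = dict(GOOD, osMinimumVersion="10.3", passcodeRequired=False,
               assignments=[])

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, audit_ios_policy(pol) or "meets baseline")
```

Run on a schedule against exported policies, a non-empty findings list flags a policy that has been weakened or left unassigned since it was created.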

Enroll Devices

We are now ready to enroll devices into Microsoft Intune. With the various operating systems such as Windows, Android, and iOS, and specific scenarios with BYOD and corporate devices, there are many ways to enroll devices.

We’ll cover various enrollment methods in separate posts. We already have a post on How to enroll iOS devices. To enroll Windows devices, we suggest the Intune Training video from our colleague Adam Gross on the topic, which covers 5 common scenarios.

Create an Application Deployment

As an example, we will now add an application to the Intune Portal. We selected the Microsoft Authenticator app to show you the process. We will begin with the iOS version. The same process can be used for any other application if needed.

iOS

  • Select App (1), Add (2), iOS Store App (3) and Select (4) at the bottom
  • Click on Search the App Store, on the search box, enter Microsoft, select Microsoft Authenticator and click Select
  • Enter the App information and click Next at the bottom
  • In the Scope screen, click Next
  • The Assignment tab is where you enter the group you want to deploy the app to. Add your group to the desired deployment option.
  • On the Review + Create tab, review all your choices and click on Create at the bottom
  • You’ll see a confirmation at the top right
  • After creation, you’ll be sent to the Microsoft Authenticator app screen. Go to the Properties tab if you need to modify anything like Assignments. You can also see Deployment statistics on this screen

Setup Microsoft Intune – Review and Test App Deployment

The application has now been added to our Intune tenant and is ready to test on an iOS or Android device.

  • On an iOS device, open the Company Portal and if you configured everything correctly, you’ll see the Microsoft Authenticator app

Device Configuration Profile

Using Microsoft Intune, you can enable or disable different settings and features as you would do using Group Policy on your Windows computers. You can create various types of Intune configuration profiles: some to configure devices, others to restrict features, and even some to configure your email or Wi-Fi settings.

For our post, let’s create a Wi-Fi connection profile for our users so they get access to the Wi-Fi network without configuring it themselves. This is just an example; you can create a configuration profile for many other settings.


  • In Platform, select iOS/iPadOS and in Profile, select Wi-Fi, click Create at the bottom
  • Give a Name and Description to your newly created profile, click Next
  • In Configuration Settings, enter your Wi-Fi settings and click Next. For our post, we create a basic WPA2 profile, but WPA2-Enterprise is also supported
  • Assign the profile to the desired user/groups, click Next
  • Review your settings and click Create

You’ve just created your first configuration profile. You can now check the available options and create different configurations for different OS.

Dashboard

There’s still one last thing that you should start looking at. The Microsoft Intune Dashboard displays overall details about the devices and client apps in your Intune tenant. If you have a device enrolled, just take a look at what’s displayed there. It gives a good overview of your progress.

To access the Dashboard, simply select Dashboard on the left pane.

For our example, we can quickly see the action point we should focus on.

Setup Microsoft Intune – What’s next

So to wrap up, we’ve set up a Microsoft Intune tenant, configured it for your company’s needs, enrolled some devices, configured a basic compliance policy, created a configuration profile and deployed your first app.

So what’s next? There’s still so much to cover. We suggest that you start looking at:

Enroll more devices, play with different options and, most importantly, test, test and test! We’ll be doing a more in-depth post in the following week to cover more Microsoft Intune configuration options.
