Microsoft Intune Co-existence with MDM for Office 365

In mid-November 2015, we released a service update to Microsoft Intune. It was a massive update for us, and included a huge amount of new features. You can view the announcement post here.

One of the features announced has gone a little under the radar, and that's co-existence with MDM for Office 365.

You can now activate and use both MDM for Office 365 and Intune concurrently on your tenant and set the management authority to either Intune or MDM for Office 365 for each user, to dictate which service will manage their mobile devices. A user's management authority is defined by the license assigned to that user. If the user is assigned an EMS or Intune license, Intune will manage the user's devices and apps. If the user is assigned an Office 365 license (without an EMS or Intune license), then MDM for Office 365 will manage the user's devices. Stay tuned for a detailed blog post on this topic in the coming weeks.

This is great news for customers who currently use the built-in MDM for Office 365. For those unfamiliar, MDM for Office 365 is a limited set of MDM features and controls that comes as part of your Office 365 subscription. It’s a really great feature for a lot of customers who are new to Office 365, and want to ensure their data and devices are secure without a whole lot of effort.

While MDM for Office 365 is great, it’s certainly no Intune!

We find that many customers are interested in Intune; however, many want to start quickly and initially choose MDM for Office 365. Traditionally, this MDM Authority decision, once made, could not be easily changed. Further, once it was set or changed, every user across the organization had to use the single MDM Authority – be it Microsoft Intune or MDM for Office 365.

With the Intune Co-existence with MDM for Office 365 feature, we can now assign a set of users to use MDM for Office 365, and another set of users to be Intune enabled.

How do we enable Co-existence?

There’s actually not much we need to do. Users who are assigned EMS or Intune licenses are automatically managed by Intune, and users who are assigned an Office 365 license (and no Intune license) will use the MDM for Office 365 authority.
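To see how this rule plays out across a tenant before users start enrolling, here is an added example (not from the original post) that audits each user's assigned licenses and reports which MDM authority will govern them. It assumes the MSOnline PowerShell module, and that the Intune service plan is named INTUNE_A (the plan name carried by both the standalone Intune SKU and the EMS SKUs); a licensed user whose licenses carry no enabled Intune plan is reported as MDM for Office 365, following the rule above.

```powershell
# Added example: classify every tenant user by the MDM authority that will manage
# their devices, per the rule in the post:
#   EMS or Intune license             -> Intune
#   Office 365 license, no Intune     -> MDM for Office 365
# Assumes the MSOnline module; INTUNE_A is assumed to be the Intune service plan name.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant admin credentials

$intunePlan = 'INTUNE_A'

$report = foreach ($user in Get-MsolUser -All) {
    $skus = @($user.Licenses | ForEach-Object { $_.AccountSkuId })

    # A user "has Intune" if any assigned license contains the Intune service plan
    # and that plan has not been disabled on the license (assumption: a disabled
    # plan should not count, since the service is not provisioned for the user).
    $hasIntune = [bool]($user.Licenses |
        ForEach-Object { $_.ServiceStatus } |
        Where-Object {
            $_.ServicePlan.ServiceName -eq $intunePlan -and
            $_.ProvisioningStatus -ne 'Disabled'
        })

    $authority = if (-not $user.IsLicensed) { 'None (unlicensed)' }
                 elseif ($hasIntune)        { 'Intune' }
                 else                        { 'MDM for Office 365' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Licenses          = ($skus -join ';')
        MdmAuthority      = $authority
    }
}

# Per-user view, grouped so the two populations are easy to compare
$report | Sort-Object MdmAuthority, UserPrincipalName | Format-Table -AutoSize

# Summary: how many users land under each authority
$report | Group-Object MdmAuthority | Select-Object Name, Count
```

Users reported under "None (unlicensed)" will not be managed by either service, which is worth checking before relying on MDM to gate mailbox access.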

To enable MDM for Office 365, browse to the https://portal.office.com portal, select the MOBILE MANAGEMENT tab and select ENABLE MDM. Office 365 will then do the MDM Authority provisioning. Once complete, the MOBILE MANAGEMENT tab will allow you to manage MDM policies and devices. For a complete setup guide, visit https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd

From the Intune side, when you attempt to set the MDM Authority (to either ConfigMgr or Intune Standalone) there is some new text. Previously, you couldn't "Add" Intune as the MDM Authority, you had to "Set" Intune as the MDM Authority, meaning it was one or the other. Now, we see that the MDM Authority is set to Office 365, however we have the option to Add Intune as a subsequent MDM Authority.

Here I’ve got two users, both have an Office 365 E3 license. The Matt.IntuneMDM account also has an Intune A Direct license assigned.


From the Matt.MDMOffice365 account, I should be blocked from my Office 365 email unless I've enrolled in the MDM for Office 365 service. I've downloaded the Outlook app and entered my credentials. Office 365 can see that my device is not enrolled, so it's prompting for MDM for Office 365 enrollment. Once enrolled, I'll receive all of the security policies set – such as password, encryption and similar requirements.


From the MOBILE MANAGEMENT tab in the Office 365 Portal, I can see my device has been enrolled.


Now, I’ll perform the same process using my Matt.IntuneMDM account, which has an Intune Direct A license applied. Because this license is applied, the devices this user attempts to use will be managed by the Intune MDM authority, not the MDM for Office 365 authority.

And as I’ve not set anything up in Intune (no Conditional Access for Office 365), my email access will be granted without enrolling.


And that’s about it. I’ve got two separate Office 365 users – one with an Intune license and one without, both being secured by MDM.

Matt Shadbolt | Program Manager | Enterprise Client & Mobility (Intune)

Comments

  • Anonymous
    March 10, 2016
    Hello, and what about current tenants and not newly created? We have enabled Intune MDM and on Office 365 MDM we see that we cannot activate Office 365 MDM. Also we have tenants with a different situation, when Office 365 MDM is enabled and we do not see the option to activate Intune. Also, what about SCCM? With it, is it still only SCCM, and not Intune or Office 365 MDM with SCCM?
    • Anonymous
      March 10, 2016
      Hey Kazzan. If you use SCCM, you don't have any co-existence options. Odd that you're seeing inconsistent results, I've not heard that feedback before. Best to raise a free support case and have our support team take a look at each scenario. It's likely something simple like lack of Intune licenses, or MDM authority incorrectly set. Matt
      • Anonymous
        April 07, 2016
        Ok, just talked with the customer about buying more licences. But another question arose from another customer. Is it possible to add Office 365 MDM as a subsequent MDM Authority if Intune is activated already and set as MDM authority? We do not see such an option here.
  • Anonymous
    July 26, 2016
    I have read that you only need to upload the APNs certificate to either intune or mdm if you are in coexistence mode because the cert is shared. Is this still the case or am I reading old documentation? Thank you!
    • Anonymous
      July 31, 2016
      If you're doing o365 and Intune Standalone co-existence, you need to upload the APN cert to the Intune console.
  • Anonymous
    January 24, 2017
    I have a query. We have a bunch of corporate devices that we will want to manage through Intune. However is it possible if these same users have personal devices for them to sign-in and only enroll using Office 365 MDM even if they have an Intune license (for their corporate device) ?
    • Anonymous
      February 21, 2017
      Hi Chris. As soon as the Intune license is assigned to the user (be it via Intune Direct, or an EMS license), the user will be required to enroll in Intune. The Office 365 MDM features will only be available for those users without an Intune license. Matt
  • Anonymous
    January 24, 2017
    Hi, we're already using Intune, how do we re-activate the 365 MDM feature?
    • Anonymous
      February 21, 2017
      Hi Chris. Please contact support and they may be able to help you. Matt
  • Anonymous
    March 08, 2017
    Hi, we've tried to enroll Windows 10 clients via Workplace Join to Intune. Our customer has O365 and Intune Device Authority and, as you said, the mobile device searches for the Intune licence and gets enrolled either in Intune or O365. But the Windows 10 clients always get enrolled in O365. Anybody else had these problems? Thank you
    • Anonymous
      March 13, 2017
      Are you sure the Intune license is assigned to the user who's enrolling the device? Feel free to log a Premier/Pro support case.
      • Anonymous
        March 16, 2017
        Yes, the license is assigned to the user; in fact he already has an iPhone enrolled in Intune. Do we need Azure AD Premium for an enrollment of a W10 client as a mobile device? Is there an option to enroll these W10 clients manually in Intune and not with the autoenrollment via Azure AD? Thanks for this advice, we will also start a support case. Greetings, Max
        • Anonymous
          March 16, 2017
          Should be fine then! RE AADP, no, for MDM enrollment you don't need an AADP license. However, if you want to do Conditional Access you'll need an AADP license assigned. If you just 'Connect to work or school' you'll just get MDM enrolled.
  • Anonymous
    March 15, 2017
    Hello. I'd like to know what happens if someone already has enrolled devices in O365 MDM and adds Intune as an MDM Authority when everyone has EMS licenses - will they all lose their policies? Will the policy stop working? What I mean is, if there's no policy created in Intune there's probably going to be a conflict over what's applied to the device/what'll be applied in Intune, right? Thanks in advance, Miguel
    • Anonymous
      March 15, 2017
      That's a great question Miguel. I've not tested that scenario, however when the user is licensed we pull it into Intune. So the policies would then apply to the user in Intune, not in o365. However, as the device is still enrolled using the Office MDM authority, the user will need to unenroll their devices and re-enroll for any effect to take place. It should be quite easy for you to test though - ie, just license a user and see what happens. Would appreciate if you could report back the results! Matt