How to setup automatic MDM enrollment of Windows 10 with AzureAD – Mobile-First Cloud-First
This is not a new feature – but it is new that I can be done the new Azure Portal (Codename Ibiza) https://portal.azure.com
The reason for settings this up is: when a Windows 10 devices is AzureAD joined then it is also automatic enrolled in Intune as a MDM managed Windows 10 devices.
This blogpost is created in feb. 2017 when Azure Active Directory still is in preview in the new AzureAD portal – so Microsoft can and may change the functionality, location and look of this setting.
Requirement:
- AzureAD premium subscription
- Microsoft Intune subscription
- Intune set as MDM Authority
- Windows 10 Pro, Windows 10 Enterprise, Windows 10 Pro Education, Windows 10 Education or Windows 10 Team
Recommendation:
Create the following dns records:
CNAME : EnterpriseEnrollment.company_domain.com Points to : EnterpriseEnrollment-s.manage.microsoft.com
TTL : 1 Hour
CNAME : EnterpriseRegistration.company_domain.com Points to : EnterpriseRegistration.windows.net
TTL : 1 Hour
How to:
Start https://portal.azure.com
Find Azure Active Directory and click on it
Select Mobility (MDM and MAM)
Then select Microsoft Intune
Select All – or Some if you only want this to apply to specified groups
Go into “Users and Groups”
Click on “Device Settings”
Then you can setup automatic MDM enrollment
- Users may join devices to Azure AD
- In my case I set it to all – but in some cases it can make sense to only allow some groups of users to AzureAD join there devices
- Additional Administrators on Azure AD Joined devices – here you can setup extra users to be local admin on AzureAD joined devices. The user that are enrolling the devices always becomes member of the local administrators security group. Be aware that this settings is the same for all devices in the tenant.
- Require Multi-Factor Auth to join devices – this can be a good ideer so your are know who the users are when enrolling a device into AzureAD
- Maximum number of devices per user. Be aware that Intune only allows 15 devices per user – so when you hit number 16 for a user the devices not be in Intune automatically
- Click save – and you are ready to go.
The user experience:
The is the OOBE from Windows 10.
Use Express settings
Who owns this PC?
Select : My work or school owns it
Click Next
Login with your work or school account
Enter username and password
Click Sign in
The Windows 10 will AzureAD join your device and automatic MDM enroll the device.
It will now be ready to be managed with Intune.
![Windows-Hello-For-Business-Active-Directory[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/Windows-Hello-For-Business-Active-Directory1-1024x576-65x65.png "Windows-Hello-For-Business-Active-Directory[1]")
![B-Intune-Graphic[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/B-Intune-Graphic1-1024x603-65x65.png "B-Intune-Graphic[1]")
![wp-1593849019379[1]](https://maciejrebisz.com/wp-content/uploads/2025/08/wp-15938490193791-65x65.jpg "wp-1593849019379[1]")