Tips for Setting Up Permissions in Intune

The Cloud Device Administrator role has the ability to make modifications to device settings at a global level in Azure AD, associated with the following permission: 

Below are tips for making modifications to various settings. 

Intune Admin Center - Enabling Windows Hello for Business Globally 

To ensure proper configuration, this setting should remain set to Not Configured. This is so that it can be customized through IT unit-created policies.

Enabling Hello for Windows settings globally
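
One way to confirm that the tenant-wide setting is still Not Configured, as an added example that is not part of the original article: a read-only PowerShell check against Microsoft Graph. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can consent to DeviceManagementServiceConfig.Read.All, and that the default policy's id ends in _DefaultWindowsHelloForBusiness.

```powershell
# Added example: audit the tenant-wide (default) Windows Hello for Business
# enrollment configuration. Read-only; makes no changes to the tenant.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

# Collect every enrollment configuration, following paging links.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$configs = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $configs += $page.value
    $uri = $page.'@odata.nextLink'
}

# Keep only Windows Hello for Business objects.
$whfbType = '#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration'
$whfb = @($configs | Where-Object { $_.'@odata.type' -eq $whfbType })

# Assumption: the tenant-wide default is the object whose id carries this suffix.
$default = $whfb | Where-Object { $_.id -like '*_DefaultWindowsHelloForBusiness' }

if (-not $default) {
    Write-Warning 'Default Windows Hello for Business configuration not found.'
    return
}

# state is one of: notConfigured, enabled, disabled.
if ($default.state -eq 'notConfigured') {
    Write-Output 'OK: tenant-wide Windows Hello for Business is Not Configured.'
} else {
    Write-Warning "Drift: tenant-wide Windows Hello for Business state is '$($default.state)'."
}

# List any other Windows Hello for Business enrollment configurations for review.
$whfb | Where-Object { $_.id -ne $default.id } | ForEach-Object {
    Write-Output ("Additional config: {0} (state={1}, priority={2})" -f $_.displayName, $_.state, $_.priority)
}
```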

Intune Enrollment Restriction Settings

Intune's enrollment restriction settings control which devices can enroll into Intune.

Additional Tenant-Wide Configurations in Company Branding

There is an additional tenant-wide configuration in the company branding section that provides the ability to customize the sign-in experience and other appearance settings. See Microsoft’s Configure your company branding article for more information. 

Uncheck Allow My Organization to Manage My Device for Personally-owned Devices 

Checking the box and clicking OK will register the customer’s device to Azure AD (Azure AD registered device) and possibly enroll it to MDM (Mobile Device Management), depending on the current state of the device and the MDM configuration. This setting also remembers this user’s credentials on this device for other apps.

Uncheck Allow my organization to manage my device, then click OK. This will not register the customer’s device to Azure AD, but it will remember the customer’s credentials on the device for other apps.

Choose No, sign in to this app only. This will not register the customer’s device to Azure AD, and it will only remember the customer’s credentials for this app.

Close the window by clicking on X. This will just close the notification and does nothing else.

Article ID: 157384
Wed 8/9/23 3:34 PM
Tue 12/19/23 9:45 AM