Body
Note: Microsoft Intune is a service shared by many departments. An accidental change could impact multiple units.
All Intune Admins should be members of the @UGA Microsoft Team. For additional assistance, contact the UGAMail team.
How to Configure Intune Access for Departments
- Put in a Microsoft Intune Onboarding Request.
- Creating UGA Mail Z-accounts: Please provide the MYID@uga.edu address for individuals who will be the owners of the Intune Security group for your unit's use of Microsoft Intune.
- Please attach a .csv file with myid@uga.edu email addresses of users in your department who need access to administrative access to your unit's Microsoft Intune.
- Please indicate which myid@uga.edu email address(es) should be set as the group owner.
- Enter the information needed for each user which includes User Principal Name, Mail Nickname, Display Name, Password, and Account enabled:The UGA Mail Team will create UGA Mail z-accounts for each user who manages your Intune environment.
- These accounts will have higher-level access to Intune. With this access, the UGA Mail Team will enable Microsoft Authenticator MFA for the created Z-accounts.
- Each newly created Z-account will be assigned an A1 license in UGA Mail.
- Creating a Security Group for the Unit’s Z-Accounts:
- Creation of the Unit’s Custom Administrator Role and Scope Tag.
- A Custom Administrator Role for your Unit and a Scope Tag specific to your unit. We will need to add any groups created for this unit to the Custom Admin Role or the Intune MDM (Mobile Device Management).
- Groups that contain user accounts need to be added to the Intune MDM by the UGA Mail Team.
- Groups containing machines will need to be added to the Custom Admin Role created for the Unit by the UGA Mail Team.
- Scope tags determine which objects admins can see.
- Each Unit who is using Intune can have one or more Scope Tags to silo their devices from other groups or unit’s devices. For example, CTS has a Scope Tag labeled EITS-CTS.
- There is also a Default scope tag that is applied to every group until it is removed from the Scope Group where all the Device, Person, and other groups reside in the Default Tag until they are added to their departmental Scope Tag.
- Only Global Administrators can add, remove, or modify Scope Tags (i.e., add/remove groups to/from a Scope tags
- Security Groups of User Accounts need to be added to the Intune MDM.
- Security Groups containing machines need to be added to the Scope Tag
- Policies need to be added to the Scope Tag.
- Lastly, UGA Mail will Add Departmental Intune Admins to Microsoft Intune with a @UGA Microsoft Team.
Other helpful documentation
EITS Microsoft Intune TeamDynamix Intune Documentation
CAES Microsoft Intune TeamDynamix Documentation
EITS Microsoft Intune TeamDynamix Request Forms