This is part two of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps, such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!
Setting up the basics
First step is to enter the magic world of Microsoft Intune, which you access from endpoint.microsoft.com. This is your go-to place for managing devices and you can also access the Azure Active Directory (Azure AD) from here.
To get you going, you will need a test user and some groups, so this is the first thing we will create.
In this part we will:
- Enable MFA
- Create users
- Create groups
- Enable Apple enrollment
- Enable Google Android enrollment
- Customize Company Portal
Enabling MFA
Security is important, even in a lab. I guess you are used to MFA by now, so let’s enable that for our lab tenant in the simplest way we can. It’s enabled by default for your Global Admin account, but we need this for all accounts.
Depending on which way you got your license, this might or might not be available since it requires premium licenses for Azure AD.
Since there are a lot of better guides than I can ever write on this, this is how you do it in the simplest way: Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs
Creating a user
(If you already have users with assigned licenses, you can skip this part)
The simplest way to create a user is to click on Users in the left side menu and then just click “+ New user” in the top ribbon.
For this lab purpose, we will fill out the bare minimum, which is to set a user name, name and location (licenses need a location). Select to auto-generate the password and make sure to save it somewhere (OneNote is usually where I keep my lab information).
Next step is to assign a license to our new user. The easiest way to do this is to simply click on your newly created user and select “Licenses”.
Click on “+ Assignments” and then select the appropriate license you want to assign. Don’t forget to press save!
We now have a user which is allowed to enroll devices into Microsoft Intune!
Create groups
For this setup, we will create two groups. One user group and one Windows device group. You can of course create more groups, but to simplify we will start with these two!
To create a group, select Groups in the left side menu and then click “+ New group” in the ribbon.
For our user group, we will keep it simple and set a name and use “Dynamic User” as Membership type. Please note that this requires you to have an Azure AD P1/P2 license; if your trial does not come with that, use “Assigned” as Membership type instead for the two groups we will create. This means that you will have to add the devices and users manually.
Next step is to create our rule by clicking “Add dynamic query” at the bottom. We will use a very simple rule which says to add all enabled accounts to the group.
This isn’t a good rule to use in real life, since we will also add all our admin users to this group. But for the sake of keeping things simple, this is good enough I would say.
Hit “Save” and then “Create“.
Next up is our Windows Autopilot group.
Same steps as previously, but this time select “Dynamic Device” as Membership type.
Next step is to create our rule by clicking “Add dynamic query” at the bottom. This time we will create a rule which will fetch all our Windows Autopilot devices.
Instead of manually entering the rules, click edit on the far right and add this string:
(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
You will see that the property, operator and value are populated once you have added it.
Hit “Save” and then “Create“.
We have now created all the users and groups we need to get going, but you can of course build on this and create even more groups and users to your liking.
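The same user, license and group setup can be done from the Microsoft Graph PowerShell SDK instead of clicking through the portal. This is an added example and not part of the original post: the tenant domain, user name, group names, usage location and license SKU part number are placeholders for a lab and must be replaced with your own values. It shows the two things the portal hides behind the wizard: the usage location is mandatory before a license can be assigned, and the dynamic membership rules are just strings (the user rule is my assumption of “all enabled accounts”; the device rule is the Autopilot rule from above, unchanged).

```powershell
# Added example (not from the original post): user, license and dynamic groups via Microsoft Graph PowerShell.
# Assumed values: tenant domain, user name, usage location, SKU part number and group names are lab placeholders.

# Install-Module Microsoft.Graph -Scope CurrentUser   # once, if the SDK is not installed yet
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Organization.Read.All"

$tenantDomain = "contoso.onmicrosoft.com"        # assumption: your lab tenant's domain
$upn          = "intune.user@$tenantDomain"      # assumption: the test user's sign-in name

# Generate the initial password with a cryptographic RNG rather than typing one in.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$passwordProfile = @{
    Password                      = $initialPassword
    ForceChangePasswordNextSignIn = $true      # the lab user picks their own password at first sign-in
}

# UsageLocation is required: Graph refuses to assign a license to a user without one.
$user = New-MgUser -DisplayName "Intune Test User" `
                   -UserPrincipalName $upn `
                   -MailNickname "intune.user" `
                   -AccountEnabled:$true `
                   -UsageLocation "SE" `
                   -PasswordProfile $passwordProfile

# Save the initial password in your lab notes now; it is not retrievable later.
Write-Output "Created $upn with initial password: $initialPassword"

# Pick the license by SKU part number (run Get-MgSubscribedSku to list the SKUs in your tenant).
$skuPartNumber = "EMSPREMIUM"                    # assumption: an EMS E3 trial; adjust to your SKU
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber not found in this tenant" }
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Dynamic user group: all enabled accounts (assumed rule text for what the post describes).
# As the post notes, this also pulls in admin accounts, so scope it tighter outside a lab.
New-MgGroup -DisplayName "Intune Lab - All Users" `
            -MailEnabled:$false -MailNickname "intune-lab-all-users" -SecurityEnabled:$true `
            -GroupTypes @("DynamicMembership") `
            -MembershipRule '(user.accountEnabled -eq true)' `
            -MembershipRuleProcessingState "On"

# Dynamic device group: the Windows Autopilot rule from the post, unchanged.
New-MgGroup -DisplayName "Intune Lab - Autopilot Devices" `
            -MailEnabled:$false -MailNickname "intune-lab-autopilot" -SecurityEnabled:$true `
            -GroupTypes @("DynamicMembership") `
            -MembershipRule '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))' `
            -MembershipRuleProcessingState "On"

Disconnect-MgGraph
```

Dynamic groups need an Azure AD P1/P2 license just as in the portal; without it, drop `-GroupTypes`, `-MembershipRule` and `-MembershipRuleProcessingState` and add members with `New-MgGroupMember` instead.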
Enable enrollment
By default, Windows enrollment is always enabled. For iOS, iPadOS, macOS and Android we will need to add some connectors to enable management.
Apple devices
To set up Apple enrollment, we need an Apple ID to request a certificate from Apple. For your lab (if you are the only one using it) you can use the Apple account you already have.
Select Devices in the left side menu, then select Enroll devices, then Apple enrollment. You will notice that all options except one are grayed out, since we are missing the Apple MDM Push certificate which enables all the services.
Select the “Apple MDM Push certificate” option and you will be asked to grant Microsoft permission to send information to Apple by checking the box. Secondly, download the CSR and save it somewhere on your computer.
Next step is to click the “Create your MDM push certificate” and you will be asked to sign in with your Apple ID to the Apple certificate portal.
As you can see, I have quite a few certificates from different previous labs (and my current one). Your list will most likely be empty.
Select “Create a Certificate” and accept the terms of use and on the next page upload the CSR file you downloaded previously. I’m also adding a comment for myself that this is for the Intune for Noobs environment. Then click “Upload“.
Once the CSR is uploaded, an Apple MDM Push certificate will be issued with an expiration date 1 year into the future. Intune will warn you once you are getting close to the renewal date.
Download the certificate to your computer and save it, then head back to the Microsoft Intune portal, enter the email address of your Apple ID in step 4 and upload the certificate you just downloaded. Then click “Upload” and you have successfully enabled management of Apple devices. You can close the flyout with the X in the upper right corner to end up back on the “Enroll devices” page.
Google Android
To enable the modern management methods of Android called Android Enterprise, you will need to link a Google account to the Managed Google Play.
Select “Android Management” in the list and you will notice the same thing here: all options under Android Enterprise are grayed out except connecting the Managed Google Play.
Click the “Managed Google Play” option and a flyout will appear. Grant Microsoft permission to send information to Google, then click “Launch Google to connect now“. A pop-up will appear asking you to sign in to Google. If you don’t have a Google account you want to use, or want to create one for the purpose of this lab, you can select to create an account to manage your organization with. Otherwise use an existing Google account.
Once you have signed in, click “Get started” on the landing page displayed.
Next step is to add your business name (this could be whatever). I’ve named mine the same as in the Microsoft world.
On the next step, you are asked to fill out some contact information; you can skip this and just check the box at the end. Then finish the wizard.
Once done and you have selected to finish the setup, you will be redirected back to Intune, and you will see that the service is active.
Customize Company Portal
Last thing we will do is to add some customization to Company Portal but also the sign-in experience (which we will use in Windows Autopilot).
First off, select “All services” in the left side menu and then select “M365 Azure Active Directory“. A new tab will open and select “Azure Active Directory” in the left side menu. Then navigate to “Company Branding” in the list. Select “Configure” to get started. You can add a lot of custom backgrounds and logos, but for now we will only enable “Show option to remain signed in” at the bottom and click save to keep it super simple. You can come back here later and add your custom things.
Click save and then close the Azure AD portal and head back to Microsoft Intune.
In Microsoft Intune, select “Tenant administration” in the left side menu, then navigate to “Customization“. This is where you can add customizations to the Company Portal app, which is the end-user side of Microsoft Intune and the portal where users get applications and information.
To edit the settings for the portal, click Edit at the top of the page (next to Settings).
To keep things simple, we will only add the required information to this, but you can come back later and add more.
I’ll add my company name, and leave the rest of the branding part to default.
Further down under Configuration I will add a URL to my “Privacy statement”. In this case it’s just the URL to my blog. You need to add something, and it’s a good idea to choose something that exists so you can try the link when playing around in the Company Portal.
Once you have added those two, click “Review + save” and then “Save“.
Ending notes…
We have now prepared our Microsoft Intune environment to start doing some real stuff. In the next part we will set up some really simple management of Windows, including enrollment through Windows Autopilot.