Enable Automatic Intune MDM Enrollment for Entra-Joined Windows Devices

When Windows devices join Microsoft Entra ID, they are not automatically managed by Intune unless the tenant's Mobility (MDM and MAM) policy is configured with an MDM user scope of All or a specific group. Without this, users will see their devices listed as Entra-joined but the Manage action is greyed out, no compliance policies apply, and apps/configurations cannot be deployed.

This recipe configures the Microsoft Intune MDM policy so that every (or a scoped set of) user's Entra-joined device automatically enrolls into Intune at join time — enabling compliance, Conditional Access integration, and app delivery. It also provides working navigation paths for the modern Entra admin center, since the Mobility (MDM and MAM) blade has moved between portals over time.

Run this when:

• Standing up a new tenant and preparing for device rollout.
• Migrating off a third-party MDM or from unmanaged Entra-joined devices.
• Troubleshooting why new Entra-joined PCs are not appearing in the Intune console.

• The Microsoft Intune MDM policy appliesTo value is set to all (or a named group).
• New Entra-joined Windows devices auto-enroll into Intune during the join flow.
• Existing Entra-joined devices enroll at the next user sign-in or workplace-join sync.
• Devices become eligible for compliance policies, Conditional Access, and app assignment.
• The Manage button in the Entra device blade becomes active for enrolled devices.

Warnings

• Licensing is mandatory. Users must hold a license that entitles Intune (Intune Plan 1, M365 E3/E5, M365 Business Premium, EMS E3/E5, etc.). Users without an Intune license will fail enrollment silently.
• Scope = All affects every licensed user. For large or regulated tenants, pilot with a group first before flipping to all.
• Existing third-party MDM conflict. If devices are already enrolled in another MDM (e.g., Workspace ONE, Jamf for Windows, Kandji), they will not silently re-enroll. Unenroll from the prior MDM first.
• Hybrid Entra join nuance. For Hybrid-joined devices, you additionally need the Group Policy Enable automatic MDM enrollment using default Azure AD credentials and Intune configured for the correct credential type.
• MAM vs MDM scope. Do not set MAM scope to all unless you intend to enroll personal/BYOD devices into app-protection; it can cause unexpected user prompts on corporate machines.

Compliance notes

• Automatic enrollment brings personal data into Intune's inventory (device name, model, OS, compliance state). Update your privacy notice and enrollment Terms of Use URL accordingly.
• Changes to mobility policies are recorded in the Entra audit log; retain for your standard audit window.