BPRT (Bulk Token) can be generated from any Azure AD user, can we restrict it?

Ritesh Sharma 266 Reputation points
2023-03-03T16:50:02.2666667+00:00

Hi, I am testing bulk enrollment using a provisioning account. I noticed I can create the BPRT token using my normal account, which isn't assigned any role, global or administrator. It has the E3 and Enterprise Mobility + Security E3 licenses assigned. However, the Microsoft site mentions that it can be created using certain roles only.

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.

Accepted answer
  1. Lu Dai-MSFT 28,356 Reputation points
    2023-03-06T02:29:26.4+00:00

    @Ritesh Sharma Thanks for posting in our Q&A.

    For this issue, I have done the test in my lab. As you said, we can use a normal Azure AD account to create a bulk enrollment token and enroll the device successfully.

    Honestly, I'm not sure if there is any issue in future use. Given this situation, it is suggested to create an online support ticket to double confirm. Here is the support link:

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
