Intune question

PRK 16 Reputation points
2020-11-20T21:11:16.57+00:00

I would like to start off by stating that I’m very new to Intune and Azure, and my questions might come off a bit long-winded and confusing.
I have been tasked to implement Intune into our current environment.
Overview of environment:
Local Active Directory Domain.
We purchased standalone Microsoft Intune user subscriptions for users who work remotely.
Remote devices are local AD joined and connect through VPN.
Installed and enabled Intune Connector for Active Directory.

I’ve gone through and imported half of the hardware IDs into Intune to use with Windows Autopilot. I also created a group policy to “enable automatic MDM enrollment”.

My question is: these devices are logged into by local AD users. Can/should I sync these AD users to Azure with AD Connect? Is there an additional fee?
Is there another way to manage these laptops without using Azure AD?


4 answers

  1. Nick Hogarth 3,521 Reputation points Volunteer Moderator
    2020-11-20T22:02:12.45+00:00

    Yes, if you have local AD, you should install Azure AD Connect to sync the users. That way you can also license the users. There isn't an extra cost if you use Azure AD Connect. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect

    Regarding the automatic MDM enrollment, the existing AD joined devices need to be Hybrid Azure AD Joined (this means joined to on-prem AD and registered in Azure AD). You can configure this in Azure AD Connect https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
    The users will also need an Intune license and Azure AD Premium (EMS licenses contain this for example)

    Then you can use the GPO to enroll the devices into Intune.

    Note that when you were referring to Autopilot with the Intune connector for AD, this is for new devices (you can reimage existing devices) to go through the Autopilot OOBE, enroll into Intune and then join the on-prem domain. Some background info about that: https://oofhours.com/2019/07/15/inside-windows-autopilot-user-driven-hybrid-azure-ad-join/

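    The path Nick lays out (existing AD-joined laptop becomes Hybrid Azure AD Joined, then the GPO triggers MDM enrollment) can be verified on a device before anyone opens a ticket. The following read-only PowerShell check is an added example, not code from this thread or from Microsoft; it assumes a Windows 10 device with `dsregcmd` available and the documented policy registry values written by the "Enable automatic MDM enrollment" GPO. Run it elevated on one of the VPN laptops.

```powershell
# Added example: readiness check for Hybrid Azure AD Join + GPO-driven MDM auto-enrollment.
# Assumptions: Windows 10, dsregcmd present, GPO writes the MDM policy registry values.

function Get-JoinState {
    # dsregcmd /status prints "Name : VALUE" lines; keep the join-related ones.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-MdmAutoEnrollPolicy {
    # Values written by the "Enable automatic MDM enrollment using default Azure AD credentials" GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $null }
    return Get-ItemProperty -Path $key
}

function Test-IntuneEnrolled {
    # A completed Intune enrollment appears under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server".
    $enrollments = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' })
    return $enrollments.Count -gt 0
}

$join   = Get-JoinState
$policy = Get-MdmAutoEnrollPolicy

"DomainJoined    : $($join.DomainJoined)"
"AzureAdJoined   : $($join.AzureAdJoined)   (both YES = Hybrid Azure AD Joined)"
"TenantName      : $($join.TenantName)"
if ($null -eq $policy) {
    "MDM auto-enroll : policy key missing (GPO not applied yet?)"
} else {
    # UseAADCredentialType: 1 = device credential, 2 = user credential
    "MDM auto-enroll : AutoEnrollMDM=$($policy.AutoEnrollMDM) UseAADCredentialType=$($policy.UseAADCredentialType)"
}
"Intune enrolled : $(Test-IntuneEnrolled)"

# Once the policy applies on a hybrid-joined device, this scheduled task performs the enrollment.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like '*enrolling in MDM from AAD*' |
    Select-Object TaskName, State
```

    If AzureAdJoined is NO the device has not completed hybrid join yet (Azure AD Connect device writeback/registration has not happened), and the GPO cannot enroll it no matter what the policy values say.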

  2. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2020-11-23T02:57:48.313+00:00

    @PRK, for your questions, here are my answers for reference:
    Q1: These devices are logged into by local AD users. Can/should I sync these AD users to Azure with AD Connect? Is there an additional fee?
    A1: It seems we want to configure Hybrid Azure Active Directory Joined devices. Azure AD Connect is an option. We can first confirm whether our domain is a managed or federated domain, then configure it according to the steps in the official articles. Here is an article for a managed domain for reference.
    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

    For Intune device enrollment, an Intune license is required. I notice we have configured MDM auto-enroll. I agree with Nick: for this situation, Azure AD Premium licenses are also required. We can consider EMS or other licenses that include an Intune license. The following link is for reference:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses

    Q2: Is there another way to manage these laptops without using Azure AD?
    A2: Intune integrates with Azure Active Directory (Azure AD) to control who has access, and what they can access. So for Intune management, we need Azure AD. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

    In addition, to deploy Windows Autopilot user-driven Hybrid Azure AD Join over the internet using a VPN, we can configure "Skip AD connectivity check (preview)". We also need to make sure the VPN supports this. Here are some links for reference:
    https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-over-the-internet-using-a-vpn/
    https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-which-vpn-clients-work/
    Note: Non-Microsoft link, just for the reference.

    Hope it can help.



  3. PRK 16 Reputation points
    2020-11-23T14:16:14.713+00:00

    Thank you both for your responses. I do have some follow up questions.

    Since we only have Intune user subscription licenses, I can still use Azure AD Connect, and this will allow me to use Azure AD to assign the Intune licenses per user. Can I only sync the VPN users who work remotely, or do I have to sync all users in the locally managed domain?

    In order to use MDM auto-enroll we will need Intune licenses and Azure AD Premium. Because we don’t have an Azure AD Premium license, MDM auto-enroll will not work? If we don’t use Windows Autopilot, do we need the Intune Connector for Active Directory in our environment?


  4. Nick Hogarth 3,521 Reputation points Volunteer Moderator
    2020-11-24T05:57:40.5+00:00

    Azure AD Connect - you can choose specific OUs to sync if you like, or you can use custom filtering.

    MDM auto-enroll - You can look at "Simplify Windows enrollment without Azure AD Premium" https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium

    Intune Connector for Active Directory - This is only used if you do Autopilot with Hybrid Azure AD Join. It is responsible for creating the computer accounts in AD, and then sending the offline domain join blob to Intune for the client to download.

    I would recommend using a suite like EMS or M365 licenses that contain Intune + Azure AD Premium. You get a lot of benefits with Azure AD Premium.
