Organizational Admins Joined Devices to Azure AD

AnthonyLiwen-4936 0 Reputation points
2024-08-13T14:48:16.0366667+00:00

Hi,

I have a bit of a conundrum. When we first joined Office, the administrators went around and joined all the PCs to the Azure AD using their credentials.

However, we didn't realise at the time of doing this that we would not be able to utilize Intune except for the handful of machines used by the administrators.

Now we want to utilize Intune on a handful of our computers (about 300). We would need to disjoin the computer from its AD and then rejoin as the user and then remove the user from the local AD group, since joining to the AD allows the user to be an admin on their machine.

Is there an easy way to do this? To recap this is what I would like to do:

  1. Remove current Azure AD join on all users using Business Premium licenses
  2. Rejoin to current Azure AD using user credentials
  3. Enroll in Intune
  4. Enroll in Autopilot

I am hoping this can be done via script where I would not need to have any user/admin involvement at all, but I'm afraid that that will not be the case here. Would this have to be a manual process or is there an automated way to do this?


1 answer

  1. ZhoumingDuan-MSFT 12,235 Reputation points Microsoft Vendor
    2024-08-14T02:49:49.09+00:00

    @AnthonyLiwen-4936, Thanks for posting in Q&A.

    From your description, I know you want to disjoin the computer from its AAD and rejoin to Intune as a standard user; if there is any misunderstanding, please let me know.

    If you want to disjoin a device from Azure AD, you can run the command "dsregcmd.exe /debug /leave". Since you want to perform this on multiple devices, you can create a script with the above command, push the file to all devices and run it through GPO.

    After disjoining from Azure AD, you can enroll in Intune using Autopilot enrollment or Bulk enrollment method, both of them can set the user as standard user and there is no need to remove from AD.

    Here are links you can refer.

    https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

    https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid

    Hope the above information can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
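One way to script the disjoin step described in the answer, as an added example that is not part of the original thread or of any Microsoft script: it reads the current join state from `dsregcmd /status`, exports the hardware hash in Autopilot CSV format before leaving (so the device can be imported for Autopilot without another visit), and only runs `dsregcmd /leave` on devices that are cloud-joined rather than hybrid-joined. The log directory and file names are assumptions; the script expects to run as SYSTEM, for example from a GPO-deployed scheduled task.

```powershell
# Added example (not from the original post or from Microsoft documentation).
# Runs per device as SYSTEM. Records the join state before and after leaving so
# the rollout can be audited, and leaves Entra ID only when the device is
# cloud-joined (not domain/hybrid-joined). Paths below are assumptions.
$LogDir  = 'C:\ProgramData\EntraMigration'                 # assumed log location
$LogFile = Join-Path $LogDir 'migration.log'
$HashOut = Join-Path $LogDir "$env:COMPUTERNAME-autopilot.csv"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Write-MigrationLog([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

function Get-DsregState {
    # Parse 'dsregcmd /status' lines such as '  AzureAdJoined : YES' into a hashtable.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Export-AutopilotHash {
    # Same WMI source the Get-WindowsAutopilotInfo script reads; the CSV header
    # matches the Autopilot import format (Windows Product ID may be blank).
    $detail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $detail.DeviceHardwareData
    } | Export-Csv -Path $HashOut -NoTypeInformation
}

$before = Get-DsregState
Write-MigrationLog "before: AzureAdJoined=$($before.AzureAdJoined) DomainJoined=$($before.DomainJoined) DeviceId=$($before.DeviceId)"

if ($before.AzureAdJoined -eq 'YES' -and $before.DomainJoined -ne 'YES') {
    Export-AutopilotHash
    Write-MigrationLog "hardware hash exported to $HashOut"
    dsregcmd /debug /leave | Add-Content -Path $LogFile
    $after = Get-DsregState
    Write-MigrationLog "after: AzureAdJoined=$($after.AzureAdJoined)"
} else {
    Write-MigrationLog 'skipped: device is not cloud-only Entra joined'
}
```

The exported CSV files can be collected from each device and uploaded together for Autopilot registration; the before/after log lines give an audit trail of which devices actually left.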

