This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 34%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES5%3C/text%3E%3C/svg%3E)
Hello everyone!
In the page prompted when signing in the 365 apps like Onedrive with a work account ,
Will Selecting "Yes, all apps" and leaving "Allow my organization to manage this device" unchecked trigger the auto MDM enrollment? (The org has enabled the auto enrollment)
And what about the scenario the auto enrollment hasn't been enabled?
Thanks in advance!
Thank you so much! It clarifies things perfectly!
But still one question, Kindly see the post below,
https://www.reddit.com/r/sysadmin/comments/1j27iqu/help_why_does_intune_keep_enrolling_my_users/
It seems that the OP didn't enable auto-registration, and there was also no checkbox of "Allow my organization to manage this device". However, according to his description, auto-enroll was still triggered. How come it ended up like this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
SUIKA-5822 If this answers your question, please remember to "Accept Answer", so that others in the community facing similar issues can easily find the solution.
SUIKA-5822 We haven’t heard from you on the last response and was just checking back to see if you have any more concerns. If this answers your question, please remember to "Accept Answer", so that others in the community facing similar issues can easily find the solution.
Hello SUIKA-5822
I wanted to share a quick clarification regarding the Microsoft 365 sign-in prompt and its impact on automatic MDM (Mobile Device Management) enrollment.
1.The organization has auto MDM enrollment enabled (via Microsoft Entra configuration).
2.The user or system joins the device to Microsoft Entra ID or registers it and chooses to allow management.
1.Registers the device with Entra ID.
2.Enables SSO across Microsoft apps.
3.Does NOT trigger MDM if the box “Allow my organization to manage this device” is unchecked.
-What happens if “Allow my organization to manage this device” is checked?
1.This triggers MDM auto-enrollment if the organization has it enabled (Intune, or other MDM provider set via Microsoft Entra).
Now based on your concern You select “Yes, all apps” and You leave the checkbox "Allow my organization to manage this device" unchecked and also Your org has auto MDM enabled
This gives the result the device will be registered in Entra ID, but will NOT be enrolled in MDM (like Intune). you get SSO benefits and access to enterprise apps, but your IT admin won’t be able to enforce MDM policies or remote controls.
and if you look in another Scenario if Auto MDM Not Enabled - If your org has not enabled auto-enrollment, then even checking the box won't enroll the device — only Microsoft Entra ID registration happens.
I hope this clarifies things.
Thank you so much! It clarifies things perfectly!
But still one question, Kindly see the post below,
https://www.reddit.com/r/sysadmin/comments/1j27iqu/help_why_does_intune_keep_enrolling_my_users/
It seems that the OP didn't enable auto-registration, and there was also no checkbox of "Allow my organization to manage this device". However, according to his description, auto-enroll was still triggered. How come it ended up like this?
Hello SUIKA-5822
You're correct to point out the discrepancy in the Reddit post you referenced.
If the devices were previously registered with Microsoft Entra ID, they might still be subject to auto-enrollment policies. Even if auto-enrollment wasn't enabled at the time of registration, the devices could still enroll automatically when the policy is later activated. This behavior is especially common if the devices were joined to Entra ID before the auto-enrollment setting was configured. How to enroll already Microsoft Entra joined Devices to Microsoft Intune?
Auto Intune Enrollment
and another reason can be conflicting policies can lead to unexpected enrollment behaviors. For instance, if both MDM user scope and Windows Information Protection (WIP) user scope are enabled and overlap, WIP takes precedence, potentially bypassing MDM auto-enrollment. This misconfiguration can cause devices to enroll in MDM unexpectedly.
and In some cases, default settings in the Microsoft Intune Enrollment section can trigger auto-enrollment. If the "Microsoft Intune Enrollment" setting was configured, it might have caused devices to enroll automatically, even if the MDM user scope was set to "None." Adjusting this setting can stop unintended enrollments
https://neeraj.cloud/post/intune-enroll-only-in-device-management/ one more reason can be users might manually initiate enrollment through the "Enroll only in device management" option in Windows settings. While this method doesn't register the device with Entra ID, it can still enroll the device in Intune, leading to the observed behavior.
I hope this clarifies things.
Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the answers.
Thank you for reply!
In general, whether the auto-enrollment is unexpectedly triggered or not, "No, this app only" is always safe and would not trigger the enrollment, right?
Yes, you're correct in general, selecting “No, this app only” during the Microsoft 365 sign-in prompt is the safest choice to avoid triggering automatic MDM (Intune) enrollment. This option only provides authentication for the current app.