Roles and responsibilities

When your organization is enrolled in Microsoft Managed Desktop (the service), what does Microsoft do for you? And what are your organization's responsibilities?

Microsoft Managed Desktop's roles and responsibilities

Microsoft Managed Desktop (the service) provides these key roles and responsibilities:

Role or responsibility | Description
Mobile Device Management (MDM) policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in device policies.
User support | We provide a mechanism for elevated access to devices and for issues to get escalated through a support request if necessary. For more information, see User support.
Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. The team will support technical remediation, change requests, and incident management for the customer's Microsoft Managed Desktop environment. For more information, see submit a support request.
Change management | Microsoft will notify customers, in advance, when changes need to be made to their Microsoft Managed Desktop environment. For more information, see service changes and communication.
Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) team detects a threat, we'll notify you, isolate the device, and rectify the issue remotely. For more information, see Security.
Update monitoring and management | We actively monitor your Microsoft Managed Desktop devices to ensure that the latest quality and feature updates are installed for Microsoft Windows and Microsoft Office. For more information, see how updates are handled.
User and device grouping | Microsoft Managed Desktop Operations Team will create and manage required device and user groups as part of IT operations. No membership or configuration changes are allowed for these groups. Altering these groups can lead to unexpected configuration of devices and loss of functionality. For any issues or questions around these groups once established, IT administrators can submit a support request.
Microsoft 365 Apps for enterprise configuration and management | For apps provided by Microsoft (Microsoft 365 Apps for enterprise comprising Word, Excel, PowerPoint, Outlook, Publisher, Access, Teams, and OneNote), Microsoft will provide configuration for the deployment, update, and support. However, you must:
  • Obtain and assign licenses for these apps
  • Add users to security groups
  • Manage end of life
  • Deploy any add-ons you need

Microsoft will provide Microsoft Intune deployment tools to deliver the applications to remote clients.

OneDrive | Microsoft is responsible for deployment and continued operation of OneDrive for Business clients. Information stored in key folders on the device is synchronized to OneDrive for Business.

Your roles and responsibilities

The following common roles and responsibilities are required for deployment but aren't provided by Microsoft. The list isn't exhaustive but is applicable to most organizations. There are a few items that both you and Microsoft share responsibility for.

Role or responsibility | Description
Change management | You must have your own change management process and have a contact established with Microsoft Managed Desktop Operations Team. You also must have resources to review and approve these changes. For more information, see service changes and communication.
Identity management | You're responsible for creating user accounts, assigning users to groups, and keeping metadata up to date.
Microsoft 365 Apps for enterprise configuration and management | Microsoft is responsible for ensuring Office applications are deployed to users and those applications are kept up to date.

You're responsible for managing Microsoft 365 services and policies, including Exchange Online administration responsibilities:
  • Email administration
  • Mailbox and rule configuration
  • Exchange on-premises management

You're also responsible for collaboration tools, SharePoint server administration, domain management, and security and information policies that are set in the Microsoft 365 admin center.
User support | Provide all user support and technical assistance from first contact through to resolution for the user, either by you or through a designated support partner. You must either provide user support directly or work with a partner to provide support for these areas:
  • On-site infrastructure: all network and internet connectivity, VPN infrastructure and client configuration, local conference room equipment, printers, proxy server and configuration, and firewalls.
  • Company-wide cloud resources: email, SharePoint, collaboration services, and other cloud infrastructure that relates to the company-wide technology footprint.
  • Line of business and any other company-specific applications.
Line of Business and third-party applications | For apps you provide (such as your line-of-business apps), whether you package them yourself or engage a non-Microsoft vendor to do so, you are responsible for the following:
  • Identifying applications needed for targeted user groups
  • Creating and managing Microsoft Entra groups for app deployment
  • Packaging apps to meet Microsoft Intune deployment standards
  • Uploading apps to Microsoft Intune
  • Testing apps in Microsoft Managed Desktop environment
  • Testing apps with your users
  • Managing and assigning users to applications
  • Identifying and deploying application updates through Microsoft Intune
  • Uninstalling and removing applications when they've been retired
  • Procuring and assigning licenses
  • Providing user support for line-of-business apps
  • Managing app settings remotely
Security monitoring and response | You're responsible for investigating and resolving incidents for devices that aren't Microsoft Managed Desktop devices.

You're responsible for handling Microsoft Managed Desktop - Microsoft Defender for Endpoint (MDE) alerts that are resolved by third-party applications, bots, and the Cyber Security Operations Center (CSOC). This includes resolved, pending, and unresolved alerts. Microsoft Managed Desktop Security Operations Center (SOC) doesn't triage these alerts.
Operations support | You must provide a list of preferred contacts and subject matter experts in your organization. We need these contacts if there's an operational incident which requires Microsoft Managed Desktop Operations Team support or awareness.

You're also responsible for investigating and resolving incidents for devices and services that aren't in Microsoft Managed Desktop. You must ensure that the Microsoft Managed Desktop Operations Team is always informed of any issues that may impact the Microsoft Managed Desktop service.
Network infrastructure, including VPN | You're responsible for setup, configuration, and management (including fixing and debugging) of all networking-related infrastructure and services. This also includes internet connectivity, network controls, proxy configuration, and remote connectivity infrastructure.

If a proxy is configured (in hardware or software), there's a collection of URLs that must be allowed by the proxy. You're responsible for fixing any conflicts or incompatibilities due to multiple proxies. For more information, see Proxy configuration. You can add network proxies specific to your organization using configurable settings.

Printing | You're responsible for installing, maintaining, and administering printers and print queues. Cloud printing is a recommended solution, but it isn't required.
OneDrive | You're responsible for information that isn't synchronized with OneDrive for Business.