Evaluate device management models
Device management models determine how organizations control and secure their devices. Microsoft Intune supports three primary models: cloud-only, hybrid, and co-managed. Each model offers different levels of integration with on-premises infrastructure and cloud services.
You choose a model based on your organization's existing setup, migration goals, and device requirements. Understanding these models helps you plan an effective endpoint management strategy.
Cloud-only management
Cloud-only management relies entirely on cloud services for device management. Devices join Microsoft Entra ID directly, without connecting to on-premises Active Directory.
In this model, you use Intune for mobile device management (MDM) and mobile application management (MAM). Conditional Access policies enforce security requirements, and all configuration happens through cloud-based policies.
This approach suits organizations that:
- Operate primarily in the cloud
- Have remote or mobile workforces
- Want to minimize on-premises infrastructure
- Support bring-your-own-device (BYOD) scenarios
With cloud-only management, you get single sign-on to cloud apps, stronger security through multifactor authentication, and simplified provisioning for modern devices.
Hybrid management
Hybrid management combines on-premises Active Directory with Microsoft Entra ID. Devices join the on-premises domain and register with Microsoft Entra ID through hybrid join.
You can use Group Policy for some configurations while leveraging Intune for modern management features. Conditional Access integrates with on-premises identities to control access to cloud resources.
Hybrid management is ideal for organizations that:
- Have existing Active Directory investments
- Need to support legacy applications requiring domain authentication
- Want gradual migration to cloud management
- Require Group Policy for certain device configurations
This model allows you to maintain on-premises control while gaining cloud benefits like improved security and end-user experience.
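To confirm which join state a Windows device actually has (Microsoft Entra joined for cloud-only, hybrid joined for hybrid management), you can classify the output of `dsregcmd /status`. The following is an added example, not part of the original module. The function name `Get-JoinState` is hypothetical, the sample text is constructed, and the script reads only the join state, so it does not tell you whether a device is co-managed.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` text.
# Get-JoinState is a hypothetical helper name, not a built-in cmdlet.
function Get-JoinState {
    param(
        [Parameter(Mandatory)]
        [string[]] $StatusLines
    )

    # dsregcmd prints "Name : VALUE" pairs; keep only the join flags.
    $flags = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(\S+)') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # A flag missing from the output is treated as NO.
    $entra     = [bool]$flags['AzureAdJoined']
    $domain    = [bool]$flags['DomainJoined']
    $workplace = [bool]$flags['WorkplaceJoined']

    if     ($entra -and $domain) { 'Hybrid joined (on-premises AD + Microsoft Entra ID)' }
    elseif ($entra)              { 'Microsoft Entra joined (cloud-only)' }
    elseif ($domain)             { 'Domain joined only (not registered with Microsoft Entra ID)' }
    elseif ($workplace)          { 'Microsoft Entra registered (typical for BYOD)' }
    else                         { 'Not joined or registered' }
}

# Constructed, abbreviated sample output; not captured from a real device.
$sample = @'
| Device State |
    AzureAdJoined : YES
 EnterpriseJoined : NO
     DomainJoined : YES
| User State |
  WorkplaceJoined : NO
'@ -split '\r?\n'

Get-JoinState -StatusLines $sample

# On a live Windows device, pass the real command output instead:
# Get-JoinState -StatusLines (dsregcmd /status)
```

A result of "Domain joined only" on a device you expected to be hybrid joined means the device has not registered with Microsoft Entra ID, so Conditional Access policies that require a hybrid joined device will not treat it as one.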
Co-managed model
Co-management allows devices to be managed by both Microsoft Configuration Manager and Intune. This model provides unified management across on-premises and cloud environments.
Configuration Manager handles traditional management tasks, while Intune manages modern features like security policies and app deployment. You can gradually shift workloads from Configuration Manager to Intune.
Co-management benefits organizations that:
- Use Configuration Manager extensively
- Need to maintain on-premises management for some devices
- Want to use Intune's cloud capabilities alongside existing infrastructure
- Plan to transition to cloud-only management over time
You control the balance between on-premises and cloud management, enabling a smooth migration path.
Choosing the right model
Select a device management model based on your organization's needs, existing infrastructure, and migration goals. Cloud-only offers simplicity and modern features but requires cloud readiness. Hybrid provides balance for organizations with on-premises dependencies. Co-managed enables gradual transition for those heavily invested in Configuration Manager.
Consider factors like device types, user locations, security requirements, and application dependencies when making your decision. You can start with one model and evolve as your organization changes.