The error text is slightly misleading: it reads as a connectivity problem, so you may be left troubleshooting why the device cannot reach a specific URL.
What the error is actually telling you is that the user account you tried to join Azure AD with is not licensed for MDM. You might be thinking, well, that's right, this user does not have MDM, and this device is out of scope of our MDM deployment.
However, the default MDM enrollment setting for Intune puts all users in scope for MDM, so irrespective of whether a user holds a license, the Azure AD join process attempts MDM enrollment. If the user is not licensed, enrollment fails and the join fails with it. At the time of writing, the join does not simply skip MDM enrollment for unlicensed users.
Fortunately, resolving this is straightforward: create a dynamic group that contains only Intune-licensed users, and narrow the MDM enrollment scope to that group.
If you have never used dynamic groups, you should definitely investigate them.
So, first, let's create a dynamic group. From the Azure Active Directory portal, go to Groups, and select New Group.
On the New Group screen, set Group type to Security, choose a Group name, add a Group description if you want, and set the Membership type to Dynamic User.
Once you select Dynamic User, you will see a new option appear. Click Add a dynamic query.
On the Add Dynamic Query screen, you can specify the criteria that should be met for someone to be a member of this group. The goal of this group is only to add members who have an MDM license.
So, using some detective work (i.e., Google), we can find some information on what type of query would yield those results.
This article is a great resource for SKU names and their GUIDs. It tells us that the GUID for Microsoft Intune (MDM) is 8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2.
A word of caution here, though. The rule below matches on assignedPlan.servicePlanId, so the GUID you need is the service plan ID, not the product (SKU) ID of the license. Depending on how Intune reaches your users, whether as a standalone license or as part of a bundle, the GUID you see in your tenant may differ from the one above, so confirm it against your own users before relying on it. We can check this below.
This document is also a good place to start with dynamic query rules.
So now that we have an idea of what we want to put in our rule, we can try to craft one that says, "any user that has an Intune license."
Click Edit to enter the Rule Syntax editor.
We want to add the syntax below. Click OK to save.
user.assignedPlans -any (assignedPlan.servicePlanId -eq "8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2" -and assignedPlan.capabilityStatus -eq "Enabled")
Click Validate Rules.
This is a useful preview feature that allows us to test our dynamic query. We can select users who should or should not be included in the results and then adjust the query as required.
I deliberately chose a user who I knew should be in the group (represented by the green check), and one that shouldn't (represented by the red cross). This shows that my query is working as expected.
I can now save the group.
Now, we need to adjust the scope for our MDM autoenrollment. In the Azure AD menu, find Mobility (MDM and MAM).
Click through the breadcrumbs until you reach the Configure page.
Change the MDM user scope from All to Some.
The Groups link will now become active.
Search for and select the dynamic user group we made in the previous steps.
Save your changes.
You now need to wait for the settings to propagate; dynamic group membership is also evaluated asynchronously, so the group itself takes a little while to populate. I would allow at least an hour for this.
Then, when you try to join your device to Azure AD, it will only attempt MDM enrollment if the user is a member of the dynamic group (i.e., has an enabled Intune service plan), and the join will succeed for everyone else. Bear in mind that devices joined by out-of-scope users are Azure AD joined but not Intune managed, so they will not satisfy Conditional Access policies that require a compliant device.
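The same procedure, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It assumes the Microsoft.Graph modules are installed and that the signed-in admin can consent to the listed scopes; the group name and the two user principal names are placeholders. Step 1 covers the licensing caveat above by listing the Intune service plan IDs actually present in your tenant, step 2 reproduces the portal's Validate Rules check, and step 3 creates the dynamic group with the same rule used in the portal. The MDM scope itself is still changed in the Mobility (MDM and MAM) blade as described; the Graph resource behind that blade is a beta endpoint, so it is not scripted here.

```powershell
# Added example: script the dynamic-group side of the fix with Microsoft Graph PowerShell.
# Assumptions (not from the original article): Microsoft.Graph modules installed, admin
# consent available for the scopes below, placeholder UPNs and group name replaced.

Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Organization.Read.All"

# 1. Confirm which Intune service plan(s) your tenant's subscriptions carry. The dynamic
#    rule matches assignedPlan.servicePlanId, so the GUID must be a service plan ID, not
#    the product SKU ID. Bundles (EMS, Microsoft 365) show their contained plans here too.
Get-MgSubscribedSku -All | ForEach-Object {
    $sku = $_
    $sku.ServicePlans |
        Where-Object { $_.ServicePlanName -like "INTUNE*" } |
        Select-Object @{ n = 'SkuPartNumber'; e = { $sku.SkuPartNumber } },
                      ServicePlanName, ServicePlanId
}

# GUID from the article; replace it with the ServicePlanId printed in step 1 if it differs.
$intunePlanId = "8e9ff0ff-aa7a-4b20-83c1-2f636b600ac2"

# 2. Check one user who should match and one who should not, as Validate Rules does.
#    Placeholder UPNs.
foreach ($upn in "licensed.user@contoso.com", "unlicensed.user@contoso.com") {
    $plans = (Get-MgUser -UserId $upn -Property AssignedPlans).AssignedPlans
    $enabled = $plans | Where-Object {
        $_.ServicePlanId -eq $intunePlanId -and $_.CapabilityStatus -eq "Enabled"
    }
    "{0}: Intune plan enabled = {1}" -f $upn, [bool]$enabled
}

# 3. Create the dynamic security group with the same membership rule as in the portal.
#    capabilityStatus -eq "Enabled" keeps users whose license was suspended or removed
#    out of the MDM scope, so their next join attempt does not try to enroll.
$rule = 'user.assignedPlans -any (assignedPlan.servicePlanId -eq "' + $intunePlanId +
        '" -and assignedPlan.capabilityStatus -eq "Enabled")'

$group = New-MgGroup -DisplayName "MDM-Licensed-Users" `
    -Description "Users with an enabled Intune service plan; used as the MDM enrollment scope" `
    -MailEnabled:$false -MailNickname "mdm-licensed-users" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 4. Membership is evaluated asynchronously; poll for a while rather than assuming it is
#    populated immediately (a rule that matches nobody will simply time out here).
$members = @()
for ($i = 0; $i -lt 15 -and $members.Count -eq 0; $i++) {
    Start-Sleep -Seconds 60
    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
}
"Group {0} ({1}) has {2} member(s)" -f $group.DisplayName, $group.Id, $members.Count
```

Once the group shows members, select it under Mobility (MDM and MAM) > Configure > MDM user scope > Some, exactly as in the portal steps above. If step 2 reports the licensed user as not enabled, the GUID is wrong for your tenant: take the ServicePlanId from step 1 instead of the one quoted in the article.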