Key points
- Understand the Core Benefit: Registering Azure AD (now Microsoft Entra ID) devices into Microsoft Intune enables centralized management of security policies, compliance, application deployment, and device health.
- Meet Prerequisites: Ensure an active Azure AD tenant, a valid Intune license (M365, EMS, Intune Suite), a Windows Pro/Enterprise/Education edition, MDM user scope set to “Some” or “All,” internet connectivity, and admin rights.
- Choose the Right Enrollment Method:
  - Manual Enrollment (Settings/GUI): best for small deployments, testing, or single devices.
  - Company Portal App: required for BYOD and Windows 11 Home devices; offers limited but secure control.
  - dsregcmd Tool (Command Prompt): fixes enrollment errors or forces device join in hybrid scenarios.
  - DeviceEnroller.exe (PowerShell): enables scripted or remote Intune enrollment for already Azure-joined devices.
  - Group Policy (GPO Auto-enrollment): scales Intune enrollment across hybrid Azure-joined, enterprise domain devices.
- Understand Device Registration States:
  - Azure AD Registered/Entra Registered: BYOD or personal devices with limited MDM control.
  - Azure AD Joined/Entra Joined: corporate-owned, cloud-managed devices with full Intune MDM control.
  - Hybrid Azure AD Joined: domain-joined devices synced via Azure AD Connect, combining GPO + Intune.
- Prevent Common Pitfalls: Avoid dual join conflicts, misconfigured MDM scopes, or GPO misalignment. Use dsregcmd /status, Event Viewer, and the Device Registration Troubleshooter to verify enrollment.
- Leverage Modern Deployment Tools: Use Windows Autopilot for out-of-box enrollment, the Enrollment Status Page (ESP) for compliance at first login, and conditional access + zero trust policies to secure endpoints.
For organizations and managed service providers (MSPs), registering Azure AD (now Microsoft Entra ID) devices into Microsoft Intune enables modern endpoint management. This allows IT teams to centrally control:
- security policies,
- application deployment,
- compliance monitoring, and
- device health.
Intune enrollment for Windows devices also supports various deployment models, from corporate-owned Azure AD joined and hybrid joined devices to personal BYOD scenarios.
If you want to know how to register Azure devices into Intune, this article will discuss multiple methods, including GUI-based steps, command-line utilities, scripting approaches, and enterprise-wide automation through Group Policy.
Before you begin Intune enrollment for Windows devices
First, it’s important to mention end of support for Windows 10—effective October 14, 2025—and consider its implications for Intune enrollment. If you plan on registering Windows 10 devices into Intune, keep in mind that they may face limitations or degraded support after the mentioned date.
According to Microsoft’s official Intune documentation, “Windows 10 becomes an ‘allowed’ version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality won’t be guaranteed and can vary.”
As such, we encourage migrating these devices to Windows 11 to prevent further issues and missing features during Intune enrollment.
Methods to enroll Azure AD devices in Intune
There are several methods that offer different levels of automation and user interaction, depending on the deployment scenario, organization size, and device management policies.
💡 Note: This guide focuses on Azure AD joined and hybrid Azure AD joined devices and outlines various methods for enrolling them into Intune. For more information about these devices, proceed to the section Understanding Azure device registration states.
📌 Prerequisites:
- Active Azure AD tenant with Intune licenses (including Microsoft 365 Business Premium, EMS E3/E5, M365 E3/E5, Microsoft Intune Suite, and standalone Intune plans)
- Device running Windows 10 or 11 Pro, Enterprise, or Education edition
- Intune MDM enrollment must be enabled under Mobility (MDM and MAM) in the Azure portal
- AAD user account with necessary permissions
- Internet connectivity to Microsoft endpoints
- Local admin access (for manual enrollment and scripting)
💡 Tip: Check the section Things to look out for before proceeding.
📌 Recommended deployment strategies:
| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| --- | --- | --- |
| Method 1: Manual registration and enrollment via Settings (GUI) | ✓ | |
| Method 2: Enrollment using the Company Portal app | ✓ | |
| Method 3: Command Prompt enrollment via the dsregcmd tool | ✓ | |
| Method 4: PowerShell enrollment via DeviceEnroller.exe | ✓ | |
| Method 5: Auto-enrollment via Group Policy | | ✓ |
Method 1: Manual registration and enrollment via Settings (GUI)
Users or IT administrators can use the device’s built-in Settings interface if they want to register and enroll Azure/Entra joined devices into Intune manually.
📌 Use Cases: Small deployments, testing, and one-off device provisioning
📌 Prerequisites:
- The device must not be domain-joined (neither on-prem Active Directory nor Azure AD)
- User permission to join devices to Azure AD
1. Open the Settings app. Press Windows + I.
2. On the left pane, click Accounts.
3. Find Access work or school on the right pane and click the Connect button beside it.
4. In the pop-up window, select Join this device to Microsoft Entra ID (it may appear as Join this device to Azure Active Directory on devices with older operating systems).
5. Enter credentials for a Microsoft Entra ID user with an Intune license.
6. Complete the guided prompts to finish enrollment (including signing in with a password and accepting the Terms of Use).
7. After joining, return to the Access work or school section, click the connected account, and select Info to view the MDM enrollment status.
Method 2: Enrollment using the Company Portal app
This method is designed for BYOD and personal Windows devices that shouldn’t be fully Azure AD joined and should only have limited management access and control. It allows users to enroll their own devices using the Microsoft Company Portal. This is also the only method supporting Windows 11 Home edition enrollment.
📌 Use Cases: Supporting personal devices without requiring admin rights and enforcing MDM policies while maintaining user ownership
📌 Prerequisites:
- Azure AD registered device (not joined)
- MDM user scope set to “Some” or “All” in Azure AD
- Microsoft Intune license assigned to the user
1. Download and install the Company Portal app from the Microsoft Store.
2. Launch the app and sign in with corporate Azure AD credentials.
3. Follow the on-screen steps to allow device registration and MDM enrollment.
Method 3: Command Prompt enrollment via the dsregcmd tool
This method uses the built-in dsregcmd tool to force device registration or troubleshoot existing join or enrollment problems.
📌 Use Cases: Repairing failed or partial joins and manually triggering Azure AD join without reimaging
📌 Prerequisites:
- Device must be domain joined with the Service Connection Point (SCP) configured (for hybrid join)
- Azure AD Connect must be syncing devices from on-prem AD
- Internal network connectivity
- Local or domain administrator privileges (for join)
1. Open Command Prompt as Administrator. Press Windows + R, type “cmd,” and press Ctrl + Shift + Enter.
2. To trigger registration, copy and paste this command before pressing Enter (for devices joined to local AD with the SCP configured):
```cmd
dsregcmd.exe /join
```
3. To check the status of registration, copy and paste this command before pressing Enter:
```cmd
dsregcmd.exe /status
```
4. Confirm the device state, for example:
   - AzureAdJoined: YES
   - MDM Enrollment: YES
Method 4: PowerShell enrollment via DeviceEnroller.exe
This scriptable and remotely executable method triggers MDM enrollment using PowerShell for devices that have already been Azure AD joined. This allows devices to be enrolled in Intune as well as third-party MDM platforms like VMware Workspace ONE, MobileIron, and IBM MaaS360, integrated through Microsoft’s MDM bridge.
📌 Use Cases: Standardizing MDM enrollment using remote scripting tools
📌 Prerequisites:
- The device must already be Azure AD joined
- May require Azure AD or Microsoft Graph PowerShell modules for verification
- Administrator privileges
1. Open PowerShell as Administrator. Press Windows + R, type “powershell,” and press Ctrl + Shift + Enter.
2. To initiate MDM enrollment, copy and paste this command before pressing Enter:
```powershell
Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM"
```
3. To verify the MDM service URLs, copy and paste this command before pressing Enter:
```powershell
Get-WmiObject -Namespace "root\cimv2\mdm\dmmap" -Class MDM_DevDetail_Ext01
```
4. To query the Azure AD device record, copy and paste this command before pressing Enter (replace "hostname" with the device name):
```powershell
Get-AzureADDevice -SearchString "hostname"
```
5. Close PowerShell.
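The commands in Methods 3 and 4 leave the administrator to read `dsregcmd /status` by eye. The following PowerShell is an added example, not code from the original article or from NinjaOne: it parses `dsregcmd /status` into an object, classifies the device into the registration states this article describes (registered, joined, hybrid joined), flags the Microsoft-documented "dual state" (a device that is Azure AD registered while also Azure AD joined), reports whether an MDM URL is present, and only then runs the same `DeviceEnroller.exe /c /AutoEnrollMDM` call as Method 4 when the device is joined but not yet enrolled. The field names `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `MdmUrl` and `TenantName` are those printed by `dsregcmd /status`; the function names are this example's own. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article or NinjaOne).
# Parses dsregcmd /status, classifies the device's registration state, and
# triggers Method 4's DeviceEnroller.exe call only when it is actually needed.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines inside boxed sections; section
    # borders start with '+' or '|' and are skipped by the regex below.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-DeviceRegistrationState {
    param([hashtable]$Status = (Get-DsregStatus))

    $azureJoined     = $Status['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $Status['DomainJoined']    -eq 'YES'
    $workplaceJoined = $Status['WorkplaceJoined'] -eq 'YES'   # "Azure AD registered" (work account added)
    $mdmUrl          = $Status['MdmUrl']                       # populated once MDM enrollment has completed

    $state = if ($azureJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($azureJoined)                { 'Azure AD joined' }
             elseif ($workplaceJoined)            { 'Azure AD registered' }
             elseif ($domainJoined)               { 'On-prem domain joined only' }
             else                                 { 'Not registered' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azureJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        # Dual state: registered (WorkplaceJoined) on top of a join. Remove the
        # work account under Settings > Accounts > Access work or school to clear it.
        DualStateRisk   = ($azureJoined -and $workplaceJoined)
        MdmEnrolled     = -not [string]::IsNullOrWhiteSpace($mdmUrl)
        MdmUrl          = $mdmUrl
        TenantName      = $Status['TenantName']
    }
}

function Invoke-MdmAutoEnrollment {
    # Runs Method 4's enrollment trigger, gated on the device's current state.
    param([switch]$WhatIf)

    $info = Get-DeviceRegistrationState
    if (-not $info.AzureAdJoined) {
        throw "Device state is '$($info.State)'; DeviceEnroller.exe requires an Azure AD joined device."
    }
    if ($info.MdmEnrolled) {
        Write-Host "Already MDM enrolled against $($info.MdmUrl); nothing to do."
        return $info
    }
    if ($WhatIf) {
        Write-Host "Would run DeviceEnroller.exe /c /AutoEnrollMDM on a '$($info.State)' device."
        return $info
    }
    Start-Process "$env:SystemRoot\System32\DeviceEnroller.exe" -ArgumentList '/c', '/AutoEnrollMDM' -Wait
    # Re-read state so the caller sees whether MdmUrl appeared.
    return Get-DeviceRegistrationState
}

# Report first; enrol only after reviewing the output.
Get-DeviceRegistrationState | Format-List
Invoke-MdmAutoEnrollment -WhatIf
```

Because the enrollment trigger is gated on `AzureAdJoined` and the absence of `MdmUrl`, the same script can be pushed to a whole fleet through a remote scripting tool without re-enrolling devices that are already managed or failing noisily on devices that were never joined; the `DualStateRisk` flag is the condition to remediate before attempting enrollment at all.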
Method 5: Auto-enrollment via Group Policy
This method automates MDM enrollment for hybrid Azure AD joined devices using Group Policy for domain-joined systems synced with Azure AD. Aside from Intune enrollment, this is viable for other third-party MDM platforms integrated with Azure AD.
📌 Use Cases: Planning large enterprise deployments and enforcing policy compliance within organizations with existing AD infrastructure and domain-joined Windows devices
📌 Prerequisites:
- Devices joined to on-prem AD and synced via Azure AD Connect
- Service Connection Point (SCP) must be configured in AD
- GPO access
1. Open the Group Policy Editor. Press Windows + R, type “gpedit.msc,” and press Enter.
2. On the left pane, follow this path:
   Computer Configuration > Administrative Templates > Windows Components > MDM
3. Find and double-click the Enable automatic MDM enrollment using default Azure AD credentials policy.
4. In the pop-up window, set the policy to Enabled and choose your desired device credential type under Options.
5. Click Apply and OK.
6. Run this command in an elevated Command Prompt or PowerShell to force a policy update:
```cmd
gpupdate /force
```
7. After a restart and user sign-in, Intune enrollment should occur.
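Once the policy is in place, the question on any given device is whether it actually applied and whether the enrollment it schedules completed. The PowerShell below is an added example, not code from the original article or from NinjaOne. It reads the registry values the MDM policy writes (`AutoEnrollMDM` and `UseAADCredentialType` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`, with 1 = user credential and 2 = device credential; these values and their meaning are an assumption taken from the MDM ADMX, so confirm them against your own policy template), checks for the scheduled task the enrollment client creates when the policy applies, and lists completed enrollments from `HKLM\SOFTWARE\Microsoft\Enrollments`, where Intune registers as provider `MS DM Server`. The function name is this example's own.

```powershell
# Added example (not from the original article or NinjaOne).
# Verifies on one device that GPO auto-enrollment applied and whether it worked.
# Registry value semantics are an assumption from the MDM ADMX; confirm locally.

function Test-MdmAutoEnrollmentPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # UseAADCredentialType: 1 = User Credential, 2 = Device Credential (assumed mapping).
    $credType = switch ($policy.UseAADCredentialType) {
        1       { 'User' }
        2       { 'Device' }
        default { 'Not set' }
    }

    # The enrollment client registers this task when the policy is processed;
    # its last result tells you whether the scheduled enrollment attempt ran cleanly.
    $taskName = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
    $task     = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
                                  -TaskName $taskName -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # Completed MDM enrollments live under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # as keys carrying a ProviderID; Intune's provider is "MS DM Server".
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID } |
        Select-Object -ExpandProperty ProviderID

    [pscustomobject]@{
        PolicyApplied     = [bool]($policy -and $policy.AutoEnrollMDM -eq 1)
        CredentialType    = $credType
        TaskPresent       = [bool]$task
        TaskLastRun       = if ($taskInfo) { $taskInfo.LastRunTime } else { $null }
        TaskLastResult    = if ($taskInfo) { '0x{0:X}' -f $taskInfo.LastTaskResult } else { $null }
        EnrolledProviders = @($providers)
        IntuneEnrolled    = (@($providers) -contains 'MS DM Server')
    }
}

Test-MdmAutoEnrollmentPolicy | Format-List
```

Read the output in order: `PolicyApplied = False` means the GPO never reached the device (scoping, filtering, or no `gpupdate`); `TaskPresent = False` with the policy applied means the enrollment client has not processed it yet; a non-zero `TaskLastResult` with `IntuneEnrolled = False` points at the enrollment itself, which is where the Event Viewer log later in this article takes over. `CredentialType` should read `Device` for the hybrid-join scenario this method targets.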
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| --- | --- | --- |
| Premature Azure AD join without auto-enrollment enabled | | |
| Dual state conflict (device is joined to both on-prem AD and Azure AD) | | |
| MDM enrollment failure due to GPO misconfiguration | | |
Understanding Azure device registration states
Before admins can manage devices through Intune, they must first register the device in Azure AD (now Microsoft Entra ID) and then enroll it into Intune for mobile device management (MDM) control. Registration can occur in one of three states, each suited to specific ownership models and management strategies:
| Registration state | Description | Use Case/Ownership Model | Management Capability |
| --- | --- | --- | --- |
| Azure AD registered | Device is connected to a work account without being fully joined to Azure AD | BYOD and personal devices | Limited MDM control |
| Azure AD joined | Device is fully joined to Azure AD with organizational credentials (typically for cloud-native environments) | Corporate-owned devices (cloud-managed) | Full MDM control via Intune |
| Hybrid Azure AD joined | Device is joined to on-prem AD and also registered in Azure AD via Azure AD Connect synchronization | Domain-joined environments transitioning to cloud management | Full MDM via Intune, plus support for GPO and SCP |
Additional considerations for successful enrollment
- Ensure automatic enrollment is enabled in Azure AD > Mobility (MDM and MAM) settings (and set the user scope to “Some” or “All”).
- When troubleshooting hybrid joined devices, ensure the SCP is configured in AD and that Azure AD Connect is syncing devices.
- Windows Autopilot can pre-register devices for seamless OOBE-based Intune enrollment.
- The Enrollment Status Page (ESP) provides real-time visibility into the device setup and policy deployment during Intune enrollment. Use this to delay access until the device is fully provisioned, ensuring compliance at first login.
- In multi-user environments, ensure enrollment is scoped correctly (user vs. device credential) for security and consistency.
Intune device registration troubleshooting
Device is Azure AD registered but not Intune enrolled
Verify that the user has a valid Intune license, such as EMS or M365 E3. You can also check Azure AD > Mobility (MDM and MAM) > Microsoft Intune > MDM user scope. Ensure the user scope is set to “All” or the device being enrolled is included in the selected group if set to “Some.” If enrollment keeps failing, remove the device from Azure AD, restart it, and attempt enrollment again.
dsregcmd shows a join error
On a domain controller, review the SCP configuration in Active Directory Sites and Services. Confirm the presence of the SCP and an accurate Azure AD tenant GUID and name. You should also verify that Azure AD Connect sync is working.
Auto-enrollment fails silently
Group Policy might not be applied or incorrectly scoped. Validate your GPO setting and ensure Device Credential is selected.
Other errors
Use Event Viewer to gather detailed error messages during enrollment and troubleshooting. Navigate to:
Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
You can filter log types by:
- Enrollment failures
- Discovery issues
- Policy application delays
- MDM errors from ESP stage (Autopilot)
You can also use Event ID filters such as:
- 201 — Enrollment initiation
- 301 — Enrollment failure
- 404 — Policy application issues
- 7000s — ESP progress logs
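Clicking through Event Viewer works for one device; for a fleet, or for a device you are reaching through a remote shell, the same log is easier to read as a summary. The PowerShell below is an added example, not code from the original article or from NinjaOne: it queries the `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin` channel referenced above with `Get-WinEvent`, optionally restricted to the event IDs you care about (for example the ones listed in this section), and groups the results by ID with a count, severity, last-seen time and the first line of the most recent message. The function name is this example's own.

```powershell
# Added example (not from the original article or NinjaOne).
# Summarizes recent MDM enrollment/diagnostic events so failures stand out.

function Get-MdmEnrollmentEventSummary {
    param(
        [int]   $Hours   = 24,     # how far back to look
        [int[]] $EventId          # optional: restrict to specific event IDs
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($EventId) { $filter['Id'] = $EventId }

    # Get-WinEvent throws when no events match; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Level    = $latest.LevelDisplayName
            LastSeen = $latest.TimeCreated
            # First line of the message is usually the enrollment step plus an HRESULT.
            Message  = ($latest.Message -split "`r?`n")[0]
        }
    } | Sort-Object Level, EventId
}

# Errors and warnings from the last two days, which is where a failed
# enrollment or an ESP time-out will show up:
Get-MdmEnrollmentEventSummary -Hours 48 |
    Where-Object { $_.Level -in 'Error', 'Warning' } |
    Format-Table -AutoSize

# Or only the IDs this article calls out:
Get-MdmEnrollmentEventSummary -Hours 48 -EventId 201, 301, 404 | Format-Table -AutoSize
```

The HRESULT in the first message line is the value to search Microsoft's enrollment troubleshooting documentation for; the count per ID distinguishes a one-off transient failure from a device that is retrying the same step every policy refresh.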
Alternatively, you can use Microsoft’s Device Registration Troubleshooter Tool to determine the registration issue and how to resolve it.
NinjaOne services that can optimize Azure AD and Intune enrollment
Microsoft provides native tooling and infrastructure for device registration and Intune MDM enrollment. That said, for IT teams and MSPs requiring more powerful automation, visibility, and remediation capabilities, NinjaOne can support those needs through the following:
| NinjaOne Feature | Description | How It Optimizes Azure AD/Intune Enrollment |
| --- | --- | --- |
| Scripting agent actions | Remotely execute PowerShell, CMD, or Bash scripts across managed endpoints | Automates device enrollment triggers and cleanup at scale |
| Device inventory monitoring | Gain real-time visibility into device metadata like join type, OS, build, and enrollment status | Helps identify enrollment gaps (e.g., not joined, not enrolled) for remediation |
| Custom field tagging | Assign custom status tags (e.g., “Azure AD Joined”, “Enrollment Failed”) to endpoints | Enables targeted views, policy mapping, and rule-based automation based on enrollment state |
| Real-time alerting | Set alerts for deviations in configuration or enrollment failures | Notifies technicians when devices are not enrolled or drift from the expected MDM configuration |
| Bulk deployment support | Use deployment modules to mass-provision endpoints with scripts, Autopilot profiles, or GPO-aligned configurations | Ideal for onboarding MSP clients or rolling out Intune registration policies across enterprise fleets |
Key takeaways when adding Azure AD devices to Intune
Registering and enrolling Azure AD devices into Microsoft Intune helps organizations achieve secure and policy-driven endpoint management. No matter the registration state, administrators can use various enrollment methods depending on their needs, goals, and environment. Just make sure all prerequisites are met, essential factors are considered, and issues are proactively monitored.