Windows Intune User Provisioning: Having a closer look

At the moment there’re several scenario’s to manage and provisioning users to Windows Intune in order to enable Enterprise Mobility Management (EMM) or simply said – managing your mobile devices. As the process of provisioning users to Windows Intune in combination with Configuration Manager 2012 R2 is not always clear I’ll provide you some insights and tips where and how to troubleshoot.


As mentioned I’ll will focus in this post on a hybrid scenario using Configuration Manager 2012 R2, Windows Intune and on-premise Active Directory where Azure Active Directory Sync (aka DirSync) is used to syncronize on-premise users to Windows Intune (Azure Active Directory).

Process Overview Windows Intune User provisioning

  1. John Doe is created in (on-premise) Active Directory
  2. John Doe is synchronized by Azure Active Directory Sync to (off-premise) Azure Active Directory
  3. John Doe is discovered by Configuration Manager 2012 R2
  4. John Doe is add to Windows Intune collection in Configuration Manager 2012 R2
  5. John Doe is synchronized by Windows Intune Connector
  6. John Doe is enabled Windows Intune user

User provisioning step-by-step

  1. John Doe is created in (on-premise) Active Directory, this is just an regular action which is can be an manual or automated task.
  2. After the creation of John Doe, Azure Active Directory Sync will synchronizes John Doe user ID to Azure Active Directory and therefore being known in Windows Intune.


The users in Windows Intune marked by a sync-icon are synchronized from your on-premise Active Directory to off-premise Azure Active Directory.


3.   Assuming you’ve enabled delta discovery on your discovery methods John Doe will be known soon in Configuration Manager.

4.   After adding John Doe to the Windows Intune enabled collection he’ll become an Windows Intune enabled user.



Important is the order of users being successfully provisioned and enabled for Windows Intune.

The message below occurs when John Doe logs on to Windows Intune services but hasn’t been granted access to use Windows Intune. In this case step 4 has been missed, John Doe wasn’t added to the Windows Intune collection in Configuration Manager.


The status of whether an user is Windows Intune enabled can be queried by the CloudUserID using the following query (thanks Pieter Wiglevens for mentioning) :

select Full_User_Name0,Unique_User_Name0,User_Principal_Name0, CloudUserID from User_disc

Currently John Doe has no CloudUserID associated.


5. As John Doe was added to Windows Intune collection now, in the next cycle of the Windows Intune Connector he will be added and enabled to Windows Intune. All relevant log files of the Windows Intune Connector can be found here.


6.  Now John Doe has been added to the Windows Intune we will check again his CloudUserID. This time John Doe has an CloudUserID which was synced back from Windows Intune services by the Windows intune Connector.


The CloudUserID reflects the ObjectID of John Doe user account in Azure Active Directory.


As mentioned before Windows Intune acts as gateway between managed devices and your on-premise infrastructure. If you were wondering or expecting the checkbox below should be check…that is the case in an hybrid scenario as we’re currently describing.


From the field I noticed some customers setting this checkbox afterwards by a scripts but shouldn’t be done! This checkbox won’t be set at all in a hybrid scenario. Looking at John Doe’s user information from Azure Active Directory the IsLicensed status is set to false. Although we already known John Doe is a Windows Intune enabled user…how come?


The license info this far is applicable if you’re Office 365 enabled user or in a scenario using Microsoft Intune in a standalone configuration. When enabling Office 365 for John Doe and check again his license status, it has changed to True.


The Licenses information has been updated as well and shows the Office 365 license information for the tenant subscription where John Doe is member of.


To get more details of the licenses your company has purchased use the Get-MsolSubscription. In the initial setup we only purchased Windows Intune (INTUNE_A).


Secondly we added Office 365 E3 license. So retrieving the license information again we’ll see an overview including both Windows Intune and Office 365 (ENTERPRISEPACK).


Wondering about the utilitization of your licenses (applies only to Office 365 as mentioned before) use Get-MSolAccountSku


Please let me know this was helpful and don’t hesistate drop me a line if you have further question or comments!

Regards, Ronny



One thought on “Windows Intune User Provisioning: Having a closer look

  1. Pingback: Manage Microsoft Intune users via PowerShell | More than just ConfigMgr

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s