Windows Intune User Provisioning: Having a closer look


At the moment there are several scenarios for managing and provisioning users to Windows Intune in order to enable Enterprise Mobility Management (EMM), or simply put, managing your mobile devices. As the process of provisioning users to Windows Intune in combination with Configuration Manager 2012 R2 is not always clear, I’ll provide some insights and tips on where and how to troubleshoot.

As mentioned, this post focuses on a hybrid scenario using Configuration Manager 2012 R2, Windows Intune and on-premise Active Directory, where Azure Active Directory Sync (aka DirSync) is used to synchronize on-premise users to Windows Intune (Azure Active Directory).

Process Overview Windows Intune User provisioning

  1. John Doe is created in (on-premise) Active Directory
  2. John Doe is synchronized by Azure Active Directory Sync to (off-premise) Azure Active Directory
  3. John Doe is discovered by Configuration Manager 2012 R2
  4. John Doe is added to the Windows Intune collection in Configuration Manager 2012 R2
  5. John Doe is synchronized by the Windows Intune Connector
  6. John Doe is enabled as a Windows Intune user

User provisioning step-by-step

  1. John Doe is created in (on-premise) Active Directory. This is just a regular action, which can be a manual or automated task.
  2. After the creation of John Doe, Azure Active Directory Sync synchronizes John Doe’s user ID to Azure Active Directory, which makes him known in Windows Intune.

The users in Windows Intune marked by a sync-icon are synchronized from your on-premise Active Directory to off-premise Azure Active Directory.

  3. Assuming you’ve enabled delta discovery on your discovery methods, John Doe will soon be known in Configuration Manager.

  4. After adding John Doe to the Windows Intune enabled collection, he’ll become a Windows Intune enabled user.

The order in which users are provisioned and enabled for Windows Intune is important.

The message below occurs when John Doe logs on to Windows Intune services but hasn’t been granted access to use Windows Intune. In this case step 4 has been missed: John Doe wasn’t added to the Windows Intune collection in Configuration Manager.

clip_image006

Whether a user is Windows Intune enabled can be checked via the CloudUserID, using the following query (thanks to Pieter Wiglevens for mentioning it):

select Full_User_Name0,Unique_User_Name0,User_Principal_Name0, CloudUserID from User_disc

Currently John Doe has no CloudUserID associated.

  5. Now that John Doe has been added to the Windows Intune collection, he will be added to and enabled for Windows Intune in the next cycle of the Windows Intune Connector. All relevant log files of the Windows Intune Connector can be found here.

clip_image008

  6. Now that John Doe has been added to Windows Intune, we check his CloudUserID again. This time John Doe has a CloudUserID, which was synced back from the Windows Intune services by the Windows Intune Connector.

The CloudUserID reflects the ObjectID of John Doe’s user account in Azure Active Directory.
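The checks from steps 2 to 6 can be combined into one per-user diagnosis. The PowerShell below is an added example, not part of the original post: the sample rows are constructed, and `InIntuneCollection` and `Get-IntuneProvisioningStage` are hypothetical names, with the real rows assumed to come from the User_disc query above and from Get-MsolUser.

```powershell
# Constructed sample: rows shaped like the User_disc query output on this page.
# InIntuneCollection is a hypothetical flag: is the user in your Intune collection?
$cmUsers = @(
    [pscustomobject]@{ Upn = 'john.doe@example.com'; CloudUserID = $null; InIntuneCollection = $false }
    [pscustomobject]@{ Upn = 'jane.roe@example.com'; CloudUserID = $null; InIntuneCollection = $true }
    [pscustomobject]@{ Upn = 'sam.poe@example.com';  InIntuneCollection = $true
                       CloudUserID = 'aaaaaaaa-0000-0000-0000-000000000003' }
    [pscustomobject]@{ Upn = 'kim.lee@example.com';  InIntuneCollection = $true
                       CloudUserID = 'ffffffff-0000-0000-0000-000000000009' }
    [pscustomobject]@{ Upn = 'new.hire@example.com'; CloudUserID = $null; InIntuneCollection = $true }
)

# Constructed sample: objects shaped like Get-MsolUser output.
$aadUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'john.doe@example.com'; ObjectId = 'aaaaaaaa-0000-0000-0000-000000000001' }
    [pscustomobject]@{ UserPrincipalName = 'jane.roe@example.com'; ObjectId = 'aaaaaaaa-0000-0000-0000-000000000002' }
    [pscustomobject]@{ UserPrincipalName = 'sam.poe@example.com';  ObjectId = 'aaaaaaaa-0000-0000-0000-000000000003' }
    [pscustomobject]@{ UserPrincipalName = 'kim.lee@example.com';  ObjectId = 'aaaaaaaa-0000-0000-0000-000000000004' }
)

# Index the Azure AD users by UPN (hashtable string keys are case-insensitive).
$aadByUpn = @{}
foreach ($u in $aadUsers) { $aadByUpn[$u.UserPrincipalName] = $u }

function Get-IntuneProvisioningStage {
    param($CmUser, [hashtable]$AadByUpn)
    # Every row in $cmUsers was discovered by Configuration Manager, so step 3 is done.
    $aad = $AadByUpn[$CmUser.Upn]
    if (-not $aad) { return 'Step 2 pending: not in Azure AD yet (check DirSync)' }
    if (-not $CmUser.InIntuneCollection) { return 'Step 4 missed: not in the Windows Intune collection' }
    if ([string]::IsNullOrEmpty($CmUser.CloudUserID)) {
        return 'Step 5 pending: waiting for the Windows Intune Connector cycle'
    }
    # The CloudUserID must equal the Azure AD ObjectID; anything else needs a closer look.
    if ([guid]$CmUser.CloudUserID -ne [guid]$aad.ObjectId) {
        return 'Mismatch: CloudUserID differs from the Azure AD ObjectID'
    }
    return 'Step 6 complete: Windows Intune enabled'
}

$cmUsers | ForEach-Object {
    [pscustomobject]@{
        Upn   = $_.Upn
        Stage = Get-IntuneProvisioningStage -CmUser $_ -AadByUpn $aadByUpn
    }
} | Format-Table -AutoSize -Wrap
```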

As mentioned before, Windows Intune acts as a gateway between managed devices and your on-premise infrastructure. If you were wondering about, or expecting, the checkbox below to be checked… that is the case in a hybrid scenario such as the one we’re currently describing.

clip_image011

From the field I noticed some customers setting this checkbox afterwards by a script, but this shouldn’t be done! This checkbox won’t be set at all in a hybrid scenario. Looking at John Doe’s user information from Azure Active Directory, the IsLicensed status is set to false, although we already know John Doe is a Windows Intune enabled user… how come?

The license info so far is applicable if you’re an Office 365 enabled user or in a scenario using Microsoft Intune in a standalone configuration. When enabling Office 365 for John Doe and checking his license status again, it has changed to True.

The Licenses information has been updated as well and shows the Office 365 license information for the tenant subscription of which John Doe is a member.

To get more details of the licenses your company has purchased, use the Get-MsolSubscription cmdlet. In the initial setup we only purchased Windows Intune (INTUNE_A).

Secondly, we added an Office 365 E3 license. Retrieving the license information again, we’ll see an overview including both Windows Intune and Office 365 (ENTERPRISEPACK).

If you’re wondering about the utilization of your licenses (applies only to Office 365, as mentioned before), use Get-MSolAccountSku.

Please let me know if this was helpful, and don’t hesitate to drop me a line if you have further questions or comments!

Regards, Ronny

Sources

http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/11/how-many-intune-enabled-users-do-i-have.aspx

http://blogs.technet.com/b/treycarlee/archive/2013/11/01/list-of-powershell-licensing-sku-s-for-office-365.aspx
