How to Maintain Intune Device Management Capabilities in a Hybrid Environment After Disabling AD Accounts

Question:

How to retain Intune device management capabilities after disabling AD accounts?

I am using a hybrid environment with on-prem DC, ADsync, and Exchange Online. I use Intune to manage company-issued iPhones and iPads. I have encountered a problem where disabling an AD account of a terminated employee also disables the ability to perform device actions in Intune, such as wiping the device. This is inconvenient because I may not be able to collect the device right away, or I may need to access some data on the device before wiping it. I have tried re-enabling the account and restoring the original settings, but it did not work. I had to delete the device from Intune and ABM and re-enroll it for a new user. Is there a way to avoid this issue and keep the device management capabilities in Intune after disabling the AD account?

Answer:

Intune is a cloud-based service that allows organizations to manage and secure their mobile devices, such as iPhones and iPads. Intune integrates with Active Directory (AD) and Azure AD to synchronize user identities and device enrollment status. However, some Intune users have reported a problem where disabling an AD account of a terminated employee also disables the ability to perform device actions in Intune, such as wiping the device. This can pose a security risk and a compliance issue, especially if the device contains sensitive data or is not returned to the organization. In this article, we will explore the possible causes and solutions for this problem.

Why does disabling an AD account affect Intune device management?

The reason why disabling an AD account affects Intune device management is because of the way Intune authenticates and authorizes device actions. Intune uses Azure AD as the identity provider for device actions, such as wipe, lock, reset, etc. When a device is enrolled in Intune, it is assigned an Azure AD device object that is linked to the user’s Azure AD account. The Azure AD account is synchronized with the on-prem AD account via ADsync. Therefore, when an on-prem AD account is disabled, the corresponding Azure AD account is also disabled, and the device object loses its access token. This prevents Intune from performing device actions on the device, as it cannot authenticate or authorize the request.

How to avoid losing Intune device management capabilities after disabling AD accounts?

There are a few possible ways to avoid losing Intune device management capabilities after disabling AD accounts. One way is to use a different identity provider for device actions, such as Microsoft Endpoint Manager (MEM) or Microsoft Graph API. These identity providers do not rely on Azure AD accounts for device actions, and can use alternative methods, such as device IDs or certificates, to authenticate and authorize the requests. However, this may require additional configuration and integration with Intune, and may not be compatible with all device types and platforms.

Another way is to delay the disabling of the AD account until the device is wiped or collected. This can be done by creating a separate OU for terminated employees, and applying a different ADsync policy for that OU. The policy can be configured to not disable the Azure AD account when the on-prem AD account is disabled, or to delay the synchronization for a certain period of time. This can give the Intune administrator enough time to perform the necessary device actions before the Azure AD account is disabled. However, this may also pose a security risk, as the terminated employee may still have access to some cloud services or resources via the Azure AD account.
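As an added example (not part of the original post), the following PowerShell offboarding script applies the ordering this section recommends: it issues the Intune device action through the Microsoft Graph SDK while the account is still enabled, and only then disables the on-prem account and moves it to the terminated-employee OU. It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the operator holds an Intune role permitted to wipe or lock devices, and that the OU distinguished name and CSV path are placeholders to replace.

```powershell
# Added offboarding example, not the original author's code. Assumptions: Microsoft.Graph
# PowerShell SDK + RSAT ActiveDirectory module installed; $TerminatedOU is a placeholder DN.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $TerminatedOU = 'OU=Terminated,DC=example,DC=com',   # placeholder, replace
    [switch] $Wipe   # default is a remote lock; pass -Wipe to issue a full wipe
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.DeviceManagement.Actions

# 1. Resolve the on-prem account; its UPN is what Intune records on the managed device.
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$upn  = $user.UserPrincipalName

# 2. Connect to Graph with only the scopes the device actions need.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All' | Out-Null

# 3. Send the device action BEFORE the account is disabled, so it is not refused later.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$upn'"
if (-not $devices) { Write-Warning "No Intune-managed devices found for $upn" }

foreach ($d in $devices) {
    Write-Host "Device $($d.DeviceName) ($($d.Id)), last sync $($d.LastSyncDateTime)"
    if ($Wipe) {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    } else {
        Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
    # Keep an audit record of what was issued and when, for the offboarding ticket.
    [pscustomobject]@{
        Time   = Get-Date
        User   = $upn
        Device = $d.DeviceName
        Action = $(if ($Wipe) { 'wipe' } else { 'lock' })
    } | Export-Csv -Path '.\offboarding-device-actions.csv' -Append -NoTypeInformation
}

# 4. Only now disable the AD account and move it to the OU that carries the
#    separate ADsync policy described above.
Disable-ADAccount -Identity $user
Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU
```

A device that is offline when the action is sent receives it on its next check-in; the last-sync timestamp printed per device helps judge whether to wait before disabling the account.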

A third way is to use a different device management solution, such as Apple Business Manager (ABM) or Apple Configurator, for iOS devices. These solutions do not depend on Azure AD or Intune for device actions, and can use Apple IDs or serial numbers to identify and manage the devices. However, this may also require additional configuration and integration with Intune, and may not provide the same level of functionality and security as Intune.

Conclusion

Disabling the AD account of a terminated employee can affect Intune device management capabilities, because Intune uses Azure AD as the identity provider for device actions. This can be avoided by using a different identity provider, delaying the disabling of the AD account, or using a different device management solution. Each of these options has its own pros and cons and may not be suitable for every organization or scenario, so it is important to evaluate the organization's needs and requirements and choose the option that meets its security and compliance standards.
