I have a client that wants to deploy Azure AD. The client is not too cloud-savvy and requested a cloud solution for Active Directory to restrict users in a group-policy type of arrangement, configured so that no staff member has admin access on their work PC, with conversion of the workstations to domain-joined.
The client has been on a Microsoft 365 Business Standard subscription. The client has now purchased an Azure AD Premium P1 subscription for the solution.
- Given the current licensing details, what level of device management can be achieved?
- Since the client has been on M365 Business, devices have already been Azure AD registered. To enable device management, what are the options to switch from Azure AD registered to Azure AD joined?
- Can Intune be used for MDM/MAM? If yes, how should this be activated (considering the given licenses)?
- Our pre-sales team prescribed this license because of this feature:
  - Azure AD Join: MDM auto-enrollment & local admin policy customization
I have scanned a lot of Microsoft documents to assist with this implementation, but I can't find a conclusive guide to help with automatic deployment for devices already provisioned and registered on Azure AD, most especially the local admin policy customization (this is the main reason the client sought the solution).
From this document, the user who joins the device (using the only method available for this scenario, "Self-service in OOBE/Settings") has local admin privileges by default. Is there any way to restrict this?
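An added audit script (not from the original post or from Microsoft) that an admin can run on a workstation to confirm its join state (registered vs. joined) and list who currently holds local Administrators membership, which is the condition the question is about; it assumes a Windows 10/11 device with the built-in `Microsoft.PowerShell.LocalAccounts` module and `dsregcmd.exe`, and the `Kind` labels are my own classification.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on the workstation. Assumes Windows 10/11 with dsregcmd.exe and the
# Microsoft.PowerShell.LocalAccounts module (both ship with Windows).

function Get-DsregValue([string[]]$Lines, [string]$Key) {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES"
    $pattern = '^\s*{0}\s*:\s*(\S+)' -f [regex]::Escape($Key)
    $m = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
}

function Get-AadJoinState {
    $status = & dsregcmd.exe /status
    [pscustomobject]@{
        AzureAdJoined   = Get-DsregValue $status 'AzureAdJoined'    # YES = Azure AD joined
        DomainJoined    = Get-DsregValue $status 'DomainJoined'     # YES = on-prem AD joined
        WorkplaceJoined = Get-DsregValue $status 'WorkplaceJoined'  # YES = Azure AD registered
    }
}

function Get-LocalAdminReport {
    # Note: on some older builds Get-LocalGroupMember fails when the group holds an
    # orphaned cloud SID; 'net localgroup administrators' is the fallback in that case.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $sid = $_.SID.Value
        # Classification is my own: S-1-12-1-* SIDs are Azure AD identities on the device,
        # RID 500 is the built-in local Administrator.
        $kind = switch -Wildcard ($sid) {
            'S-1-12-1-*' { 'Azure AD user/group (e.g. the user who joined the device)' }
            '*-500'      { 'Built-in local Administrator' }
            default      { 'Other local/domain principal' }
        }
        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass
            Source = $_.PrincipalSource
            Kind   = $kind
        }
    }
}

Get-AadJoinState | Format-List
Get-LocalAdminReport | Format-Table -AutoSize
```

Any row classified as an Azure AD user is a standard user who is currently a local admin; re-running the report after the tenant-side local administrator settings are changed shows whether the change actually reached the device.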