Entra ID / Intune / Security

The Critical Need for Integrating Devices with Intune 

Avatar photo
Post author:Written By

Why is Entra ID Integration Important? 

I have worked with Microsoft Intune for over five years and have seen the importance of Entra ID Joined devices grow. Organizations have shifted focus from traditional On-Premise Active Directory joined devices to an Entra ID joined model. The top three reasons are: 

  1. Integrating devices into Entra ID enables organizations to adopt a Zero-Trust security strategy and use Conditional Access with devices to explicitly allow or deny access to the Microsoft 365 tenant and Enterprise Applications. 
  1. Integration with Intune enables organizations to manage devices from any location, meaning their devices can stay up to date with Windows updates or enforce security policies, ensuring that devices are secure and centrally managed 
  1. Integrating Entra ID with Intune enables organizations to benefit from Zero Touch deployment using Windows Autopilot. This stops organizations from spending extensive time imaging devices manually and instead sending devices to users straight from distribution centers, allowing AutoPilot to configure secure desktops in 30 minutes on average*. 

*Average based on personal experience, as I have delivered thousands of desktops over five years. 

Entra ID Join vs Hybrid Entra ID Join 

It should be noted that for the context of this article, I am referencing Entra ID Join and not Hybrid Entra ID Join. I advocate ditching Hybrid Entra ID Join and recommend that organizations try Entra ID Join in a Proof of Concept. Some of the myths around Entra ID Join are: 

  • “My file shares won’t work without an Active Directory joined devices”. This is false; if the user accessing the file share is using a synchronized account (an account synchronized from Active Directory to Entra ID via Entra ID Connect), file shares will work as expected. 
  • “Users won’t be able to access printers or print”. This is false; if users use a synchronized account, there shouldn’t be issues. IT administrator will be able to install printer drivers and map printers via Intune, but for the best experience, use Universal Print
  • “My legacy applications won’t work”. This could be true where a legacy application uses an Active Directory workstation to authenticate, but my experience has found this is very limited. This relates to my previous point of using a Proof of Concept to test applications. 

Entra ID Join is recommended as best practice by Microsoft and should be used for all new devices. Hybrid Entra ID Join typically has issues with enrolment with new devices and is a less flexible solution; one of the major downfalls is the need for line of sight to a Domain Controller for provisioning a new device. In my opinion, the only time it is acceptable to use Hybrid Entra ID Join is when the devices already exist in Active Directory, and there are no plans to refresh devices.  There are considerations to be made: 

  • Group Policy vs Intune-delivered policies: if there is a policy clash between Group Policy and Intune-delivered policies, Group Policy will take precedence, which could lead to issues when managing the devices across both environments. 
  • Is ConfigMgr currently being used? If so, you must ensure ConfigMgr is configured for Cloud Attach to ensure devices can be co-managed with Intune. 
  • You may encounter issues with Domain Joined devices, which require more IT intervention than an Entra ID Joined device. 

In the past, it has been challenging to transfer from a device that is joined to a domain to one that is joined to Entra ID. Typically, the process would involve resetting the devices, which would result in the loss of local data, applications, and settings. This can take several hours to complete. Fortunatly, Quest Software has recently announced that their On Demand Migration tool now supports workstation migrations from on-premise Active Directory to Entra ID Joined, while preserving data, applications, profiles, and settings. 

The Risks of Not Integrating Devices with Intune 

Unmanaged or poorly managed devices seriously threaten an organization’s data and network security and compliance. Without proper device management, devices can be lost, stolen, compromised, or infected by malware, which exposes sensitive information and creates entry points for attackers. Also, unmanaged devices may not have the latest updates, patches, antivirus software, or encryption settings, rendering them more vulnerable to exploits and breaches. 

These security risks are amplified without Intune, which provides a unified platform for managing and securing devices across all major operating systems. Intune enables IT admins to remotely configure, monitor, enforce policies on devices, and wipe or lock them in case of loss or theft (figure 1). 

Integrating Devices with Intune 
Figure 1: The options available to admins for a Windows device 

Intune integrates with other Microsoft services, such as Entra ID (formerly Azure Active Directory) and Defender for Endpoint, providing a comprehensive and consistent device management experience. 

By not integrating devices with Intune, organizations miss out on these benefits and expose themselves to greater security and compliance risks.  

Intune Integration Enhances Organizational Security. 

The modern digital workspace evolves constantly and faces new threats from cyberattacks, malware, phishing, ransomware, and data breaches. To protect the organization’s data and devices, a robust and comprehensive security strategy is essential to adapt to changing scenarios and mitigate risks.  

One of the critical components of a security strategy is device management, which ensures all devices employees use comply with the organization’s policies and standards. Device management enables enforcing security settings, such as encryption, password complexity, firewall rules, antivirus software, and updates. In addition, device management allows the remote wipe or lock of lost or stolen devices, preventing unauthorized access to sensitive data. 

Another aspect of device security managed by Intune is encryption, which protects data on enrolled devices from unauthorized access or theft. Encryption scrambles the data on the device so that it can only be read by authorized users who have the decryption key. Intune integrates with BitLocker, a feature of Windows that encrypts the entire drive of the device. BitLocker can be configured and managed through Intune policies, for example requiring a PIN or password to unlock the encrypted drive or backing up the recovery key to Entra ID. 

Intune supports Windows Hello for Business, a feature of Windows that enables secure and convenient sign-in to devices using biometric factors, such as face, fingerprint, iris recognition, or a PIN. Windows Hello for Business replaces the traditional password-based authentication, which can be easily compromised or forgotten. Windows Hello for Business can be integrated with Intune to enforce policies, like requiring a minimum PIN length, complexity, or expiration or disabling biometric factors if needed. Windows Hello for Business can be integrated with Entra ID to enable single sign-on to other Microsoft services and applications. 

Another way that Intune enhances device security is by integrating with Microsoft Defender for Endpoint, a cloud-based service that provides advanced threat protection and response for devices. Defender for Endpoint monitors the device’s behavior and activities, detects and blocks malicious attacks, and offers automated investigation and remediation capabilities. Intune has policies and integration that automatically enroll devices into Defender for Endpoint when Intune manages them, ensuring all devices have consistent and up-to-date protection against cyber threats and vulnerabilities. 

The Importance of DLP in the Modern Digital Workspace. 

Data Loss Prevention (DLP) is a set of policies and tools that protect sensitive data from unauthorized disclosure, transfer, or misuse. DLP can help organizations comply with regulations, such as GDPR, HIPAA, or PCI DSS, and prevent data breaches that can damage their reputation and incur legal liabilities. 

One challenge of data loss prevention (DLP) is monitoring and controlling data flow across various devices and endpoints, including laptops, desktops, tablets, smartphones, and USB drives. Employees can use these endpoints to access, store, or transfer data, but they can also pose data leakage, theft, or loss risks. For example, an employee might copy confidential data to a USB drive and lose it, upload it to an unauthorized cloud service like Dropbox, or send it via email to an external recipient. 

To address these challenges, Microsoft offers Endpoint DLP with Purview, a solution that leverages the integration of Defender for Endpoint and Purview to provide comprehensive visibility and control over data on enrolled devices. Endpoint DLP with Purview enables organizations to: 

  • Discover and classify sensitive device data using Purview’s sensitive information types and sensitivity labels. Purview can apply sensitivity labels to data based on predefined or custom rules. These rules can include keywords, regular expressions, or metadata. Sensitivity labels help indicate the level of confidentiality and protection that is needed for the data. The labels can range from public to internal, confidential, or highly confidential. 
  • Endpoint DLP policies can specify the actions and conditions allowed or blocked for the data, such as copying, printing, sharing, or transferring. These Endpoint DLP policies can vary depending on the context, like the device state, location, network, or user role. For example, an Endpoint DLP policy can block copying highly confidential data to a USB drive or stop it from being printed from an unauthorized printer. 

Although Intune isn’t a requirement for Endpoint DLP, one of the dependencies to use these features is the device to be enrolled into Purview. This can be achieved by ensuring the device is enrolled into Defender for Endpoint, which we mentioned earlier in this article. 

What Should Organizations Do Now? 

Intune and Entra are powerful solutions that help organizations secure and manage their devices and data. By integrating devices with Intune, organizations can benefit from Entra’s unified identity and access management platform. This provides seamless and secure access to data and applications across devices and clouds. Intune and Entra enable a zero-trust approach to device management, where every device is verified, every app is sanctioned, and every data is encrypted. This reduces the risk of data breaches, complies with regulations, and empowers users to work from anywhere. Organizations should not delay evaluating and improving their device management strategies with Intune and Entra.  

TEC Talk: Protecting Privileged User and Workload Identities in Entra ID

TEC Talk Protecting Privileged User and Workload Identities in Azure AD

Join Thomas Naunheim’s Free Webinar on March 7th @ 11 AM EST.

Register Today!
Tags: ,

About the Author

Jon Jarvis

Jon Jarvis is a Microsoft MVP working as a Principal Architect at Cisilion. Jon has been working within Office 365 for over a decade having first learnt how to do an Exchange Online migration using articles from Practical 365! Jon enjoys working on the whole of the Microsoft 365 product range and has a passion for learning new skills, which has led to him passing 23 Microsoft exams. Outside of work, Jon is a Brazilian Jiu Jitsu Black Belt who has trained for over 13 years!

Leave a Reply