The Microsoft 365 Blog

Mastering Microsoft Intune (Without Losing Your Mind)

Apr 15, 2025

It starts with a question. One you've probably asked in a meeting, half-glazed, half-worried: *"What the hell is Intune, and why do we need it?"*

Let’s drop into a fictional-but-plausible firm, Crunching Numbers. It’s a 50-person accounting outfit - laptops, iPhones, freelancers, deadlines. The usual. Half the team’s using company gear. The other half? Personal phones, mixing Teams notifications with Candy Crush.

Enter Intune. Microsoft’s answer to the modern IT nightmare: BYOD, app sprawl, and data leaking out of every unlocked iPhone.

Why Should You Care?

Intune is what you'd get if Microsoft tried to be your IT department. Cloud-based. Centralised. Quietly judging every device you let near your company data.

For Crunching Numbers, it means:
- Managing devices without asking Phil in accounting to stop using Windows 7.
- Letting people use their phones, without also handing them your client list.
- Pushing apps, updates, and policies in one go. 

The Hidden Cost

No, Intune isn’t free. But Microsoft *loves* a bundle.

Instead of buying Intune Plan 1 (£8 per user/month), just go for Microsoft 365 Business Premium (£16.90) - it includes everything Intune Plan 1 offers, plus email, Teams, and Office.

If you’re already paying for Business Premium, you have Intune. Use it. 

Company Devices vs Personal Chaos

Crunching Numbers has:
- Windows desktops and laptops
- Company iPhones for execs
- Freelancers on their own devices

Here’s how you draw the line:
- Company-owned devices get fully enrolled in Intune. You control the lot.
- Personal devices? Use *App Protection Policies* - they protect Outlook and Teams without touching private photos or Spotify playlists.

Getting Started: The Basics

To manage anything, go here:
1. Open the Microsoft 365 Admin Centre
2. Expand "Admin Centres"
3. Open *Microsoft Intune*


Then, pop over to **Microsoft Entra** (formerly Azure AD). This handles users, device identities, and access control. Think of it as Intune’s grumpy older brother.

Enrolment: Who Gets In

In Intune:
- Go to Devices > Device Onboarding > Enrolment
- Set limits (e.g., 5 devices per user)
- Block personal Windows devices if you want control


Pro tip: Intune can’t actually tell what’s personal vs company-owned. Use Windows Autopilot to pre-register company gear.

Enrolling a Windows Device (The Intune Way)

1. On the Windows device: Settings > Accounts > Access work or school
2. Hit "Set up for work or school"
3. Sign in with your Microsoft 365 account
4. Complete MFA (because of course)
5. Device joins Entra ID, syncs with Intune


Within minutes, it shows up in both admin centres. From there, you can nuke it, lock it, or just check it’s alive.

And If It’s Already in Use?

Go to Settings > Accounts > Access work or school > Add account. Done. (Assuming you’re not blocking personal devices.)

Apple & Android Devices: Same Rules, Different Wrappers

Apple gear:
- Company-owned? Use Apple Business Manager + Automated Device Enrolment
- Personal? Stick with App Protection Policies


Androids:
- Company-owned? Use Android Enterprise
- Personal? Android Work Profile + Intune Company Portal app

Device Groups That Sort Themselves

Enter Dynamic Groups in Entra:
- Devices get grouped by OS, ownership, or anything else.
- Users can be grouped by department, location, etc.


This means:
- Set a policy once
- New devices/users auto-inherit it


Example:
- Group: Windows 11 Devices
- Rule: OS starts with "Windows 11"
- Result: Every new Windows 11 device = instantly managed
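Here’s that Windows 11 group built with the Microsoft Graph PowerShell SDK, as an added example rather than anything from the original post. It assumes the Microsoft.Graph module is installed and your account can create groups; Entra has no "Windows 11" OS name to match on, so the rule keys on deviceOSType plus the deviceOSVersion build number (22000 and later are Windows 11, Windows 10 stays on 10.0.1xxxx).

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account may create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Entra reports Windows 11 as deviceOSType "Windows" with a deviceOSVersion
# build of 10.0.22000 or later, so the post's "OS starts with Windows 11"
# rule becomes a build-number match (10.0.22xxx, 10.0.26xxx, ...).
$rule = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -match "^10\.0\.2[2-9]")'

# Dry run: list the registered devices the rule would pick up, so you can
# sanity-check membership before any policy is assigned to the group.
# TrustType "Workplace" = Entra-registered (usually personal), "AzureAd" = Entra-joined.
Get-MgDevice -All |
    Where-Object { $_.OperatingSystem -eq "Windows" -and $_.OperatingSystemVersion -match "^10\.0\.2[2-9]" } |
    Select-Object DisplayName, OperatingSystemVersion, TrustType

# Create the dynamic security group. Entra evaluates the rule itself, so new
# Windows 11 devices join (and inherit assigned policies) with nobody editing membership.
$group = New-MgGroup -DisplayName "Windows 11 Devices" `
    -Description "Dynamic: all Entra-registered Windows 11 devices" `
    -MailEnabled:$false -MailNickname "win11devices" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Membership is evaluated asynchronously; check the rule took and is processing.
Get-MgGroup -GroupId $group.Id |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Run the dry-run query first and compare the list against what you expect; a device showing TrustType "Workplace" in a supposedly company-only group is the "Intune can’t tell personal from company" problem from earlier showing up in practice.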

Defender + Intune = Paranoid Harmony

Microsoft Defender for Business adds endpoint security:
- Antivirus
- BitLocker encryption
- Firewall
- Attack Surface Reduction


Setup:
1. Enable Defender in M365 Admin
2. In Intune, go to Endpoint Security > Defender for Endpoint
3. Sync + onboard devices automatically


Antivirus Policy Example

- Go to Endpoint Security > Antivirus > Create Policy
- Choose platform: Windows
- Configure settings (e.g., archive scanning, cloud protection)
- Assign to a device group


Want less hassle? Use Security Baselines - Microsoft’s pre-baked best practices.

Compliance and Configuration

Compliance Policies
- Define rules (e.g., must have antivirus, BitLocker, no outdated OS)
- Set actions for non-compliance (e.g., email, lockout, retire device)


Configuration Policies
- Control app access, OneDrive sync, feature restrictions
- Use templates or settings catalogue

App Management & Conditional Access

Install Apps via Intune:
- Push Office, LOB apps, even URLs
- Assign to device/user groups

App Protection:
- Encrypt corporate data inside apps
- Block backups to personal clouds
- Enforce PINs, block copy/paste

Conditional Access (via Entra):
- Enforce rules: Only compliant devices get in
- Example: No app protection = no access to Teams
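The same "compliant device, or an app protection policy, or no Teams" rule expressed as a Conditional Access policy through the Graph PowerShell SDK; this is an added example, not the post’s own. It assumes the Microsoft.Graph module and a role that can manage Conditional Access, creates the policy in report-only mode first, and the break-glass account id and Teams app id are placeholders to fill in from your own tenant.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK
# and a role that can manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: replace with values from your own tenant.
$breakGlassUserId = "<object id of your emergency-access account>"
$teamsAppId       = "<application id of Microsoft Teams from the CA target-resource picker>"

$policy = @{
    displayName = "Teams: require compliant device or app protection"
    # Report-only first: the sign-in log shows who WOULD be blocked, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @($teamsAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: a fully enrolled, compliant company device passes, and so does a
        # personal phone whose Teams/Outlook sit under an App Protection Policy.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object DisplayName, State, Id

# Once the report-only results look right, switch it on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leave it in report-only for a week or so and read the Conditional Access tab on the Entra sign-in logs before enabling; that is where you find out the freelancer on a personal laptop has no app protection and is about to lose Teams.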

Final Word

Intune isn’t just MDM. It’s the bouncer, bartender, and manager for every device touching your business data. Set it up once, and sleep better knowing your CFO isn’t opening spreadsheets next to Instagram.

Next up: Policies that enforce themselves. Stay tuned.