memdocs
DEM and AAD Device Registration limits
"Applying an Azure AD device restriction to a DEM account will prevent you from reaching the 1,000 device limit that the DEM account can enroll."
There is currently no method of excluding a specific user from this tenant-wide restriction as far as I can find, so even though this is a true statement, the default configuration of AAD from MS is set to restrict to 20 devices per user.
This effectively restricts us from using a DEM account without opening up for users to register a multitude of devices; kind of seems like a bad design/integration?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 7786d9c0-55b0-9bff-fc0a-f4ee70ee0615
- Version Independent ID: cf0c17a0-fdc7-e0af-db82-913e36d2ec7c
- Content: Enroll devices using a device enrollment manager account - Microsoft Intune
- Content Source: memdocs/intune/enrollment/device-enrollment-manager-enroll.md
- Service: microsoft-intune
- Sub-service: enrollment
- Technology: ****
- GitHub Login: @ErikjeMS
- Microsoft Alias: erikje
Investigating with PM... 7671614
Repinged PM...
Any update on this?
Repinging PM...
@mgroover The PM responded with this suggestion. Does this work for you?
"Couldn't they remove the AAD tenant wide restriction and instead use the Device Limits under the Intune Enrollment restrictions: Set enrollment restrictions in Microsoft Intune. Then you can exclude the DEM accounts from that."
@ErikjeMS and the PM, as well as looping in @mgroover: can we please re-open this issue? The PM's response on this one was invalid. It's already stated in the article that the DEM is not impacted by Intune's Device Limit Enrollment Restrictions.
The only valid answer to the issue that @mgroover raised is that you'd have to increase the Azure AD tenant-wide setting to 1,000 or higher in order to NOT impact the 1,000-device limit imposed in Intune for DEMs. So the quoted text in the issue-opening comment:
"Applying an Azure AD device restriction to a DEM account will prevent you from reaching the 1,000 device limit that the DEM account can enroll."
Should instead be something like:
"Setting the Azure AD device restriction to less than 1,000 will prevent you from reaching the 1,000 device limit that the DEM account can enroll."
Pinging PM...
Thanks @ErikjeMS. I have a quick addition to the question. Per this other Docs article - https://docs.microsoft.com/en-us/mem/intune/enrollment/device-limit-intune-azure#settings-applied-based-on-user-affinity - it is shown that Hybrid Azure AD Joined devices are immune to the Azure AD Max Devices per User setting.
Considering that, I feel like it's a safe assumption that when a DEM enrolls an already-Hybrid-Azure-AD-Joined device, this doesn't end up counting towards their 1000 limit, or towards any limits, because HAADJ devices are immune to both limits from Intune and Azure AD. Is this correct?
Any updates on this, anyone? I'm planning on using a DEM account for Autopilot HAADJ deployment. I would like to know if I need to change device enrollment restriction settings on the AAD or MEM side. Or does HAADJ deployment make the DEM account "immune" like Jeremy said above? Thanks
@lenewsad Can you take over investigating this one?
Opened a work item for PM.
any update on this? Having the same issue - makes no sense for the DEM account to be limited by the AAD device limit.
On my side I've been using a DEM account since then to deploy HAADJ PCs, and I think that the AAD device limit is not applied in the Hybrid environment.
any update on this? Having the same issue - makes no sense for the DEM account to be limited by the AAD device limit.
Hi @cicoradj, I'm sorry, no update yet. Just followed up again.
Hi @cicoradj @JB40550 @JeremyTBradshaw @mgroover Thanks again for reaching out to the Microsoft Intune Docs team and for your dedication to our documentation. Unfortunately, we've been unable to resolve your issue in a timely manner and we sincerely apologize for the delay. The timeline for resolution varies based on resourcing, so we've created an internal work item to get this article reviewed and updated. We are closing this issue for now, but feel free to comment here as necessary. #please-close
OK, so this goes on for a full two years, is still a discrepancy, and it gets closed????
I agree this is disheartening. I am going to submit a PR to update the statement quoted in the OP so that it says Azure AD's max # of devices setting will take precedence over the 1000 limit imposed by Intune, and will include a link to this other page - https://learn.microsoft.com/en-us/mem/intune/enrollment/device-limit-intune-azure#settings-applied-based-on-user-affinity. I'll definitely be deleting the wording "Applying an Azure AD device restriction to a DEM account" which we know is not even possible.
Thankfully, we can conclude from that other page that Hybrid Azure AD Joins do NOT consider the AAD device restriction number. I am not sure how common it is to use a DEM for HAADJs, but the DEM would be the same as any user in that case (exempt from the AAD device # limit). I'll incorporate this info into the updated statement as well.
Setting a reminder now to do that PR, will do ASAP but not today.
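A quick way to check whether the tenant-wide Azure AD quota will cap a DEM account before the 1,000-device Intune limit does, as an added example that is not code from this thread or from the Intune docs. It assumes the Microsoft Graph PowerShell SDK cmdlets named below, the permissions listed in the comments, that the quota counts devices the user owns, and that Hybrid Azure AD joined devices (trustType `ServerAd`) are exempt as the linked page states.

```powershell
# Added example, not part of the issue thread or the memdocs article.
# Assumes the Microsoft.Graph SDK is installed and the caller can consent to
# Policy.Read.All, Directory.Read.All and User.Read.All. Cmdlet names are
# Microsoft Graph SDK cmdlets as I understand them; verify against your module version.
function Get-DemDeviceLimitReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DemUserPrincipalName   # placeholder, e.g. dem-account@contoso.com
    )

    Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'User.Read.All' | Out-Null

    # Tenant-wide "Maximum number of devices per user" (Azure AD > Devices > Device settings).
    # The thread states the default is 20.
    $policy   = Get-MgPolicyDeviceRegistrationPolicy
    $aadQuota = [int]$policy.UserDeviceQuota

    # Intune's own DEM ceiling, as stated in the article and this thread.
    $demIntuneLimit = 1000

    $demUser = Get-MgUser -UserId $DemUserPrincipalName -Property Id, UserPrincipalName
    $owned   = Get-MgUserOwnedDevice -UserId $demUser.Id -All

    # Assumption: the AAD quota counts devices the DEM is registered owner of.
    # Hybrid Azure AD joined devices (trustType ServerAd) are exempt per the linked doc.
    $trustTypes = foreach ($d in $owned) { $d.AdditionalProperties['trustType'] }
    $hybridCount  = @($trustTypes | Where-Object { $_ -eq 'ServerAd' }).Count
    $countedCount = @($trustTypes | Where-Object { $_ -ne 'ServerAd' }).Count

    # Whichever limit is lower wins for non-hybrid enrollments by this DEM.
    $effectiveCap = [Math]::Min($aadQuota, $demIntuneLimit)

    [pscustomobject]@{
        DemAccount                    = $demUser.UserPrincipalName
        AadMaxDevicesPerUser          = $aadQuota
        DemIntuneLimit                = $demIntuneLimit
        EffectiveNonHybridCap         = $effectiveCap
        DevicesCountedAgainstAadQuota = $countedCount
        HybridJoinedExempt            = $hybridCount
        RemainingNonHybridHeadroom    = $effectiveCap - $countedCount
        AadQuotaBelowDemLimit         = ($aadQuota -lt $demIntuneLimit)
    }
}

Get-DemDeviceLimitReport -DemUserPrincipalName 'dem-account@contoso.com'
```

If `AadQuotaBelowDemLimit` is true, the Azure AD setting, not Intune's 1,000, is the number that will stop non-hybrid enrollments for that DEM.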
Hi @TassieTrooper @JeremyTBradshaw, thanks for following up and I'm really sorry we couldn't resolve this before closing. Because of your comments, I just reopened this task and escalated the internal task we have open, so I hope to hear back from someone on the product team ASAP.
Thanks very much. All positive here, love the product, so happy to hear that CI is being followed through 🥇