Licensing, Setup & First Device

Intune for SMBs: Zero to Hero  ·  Part 1 of 6

Microsoft Intune  ·  Endpoint Management  ·  SMB  ·  2026

Series overview (6 articles)
  • Part 1 (this article): Licensing, Setup & First Device
  • Part 2 (next): Compliance & Conditional Access
  • Part 3: Settings Catalog & Configuration Profiles
  • Part 4: App Deployment & Company Portal
  • Part 5: Security Baselines & Defender
  • Part 6: Reporting & Day-2 Operations

Most Intune guides jump straight into compliance policies and configuration profiles — and skip the part that determines whether any of it actually works. Before you can push a single policy to a device, you need the right licence, a correctly configured tenant, and at least one enrolled device to test against. This first article in the series covers exactly that: the decisions and steps you take before touching any device.

Key points
  • M365 Business Premium is the right starting point for most SMBs: it includes Intune Plan 1, Defender for Business, and Entra ID P1 in a single licence.
  • Business plans are capped at 300 users; organisations above this threshold need Microsoft 365 E3 or higher.
  • Entra Join is the recommended path for SMBs in 2026: full cloud, no on-prem AD dependency, simpler to manage.
  • Automatic MDM enrolment means devices join Intune the moment a user signs in with their work account; no manual steps are needed per device.

Choosing your licence — what SMBs actually need

The right licence for an SMB deploying Intune for the first time is almost always Microsoft 365 Business Premium. It includes everything you need to get through this entire series: Intune Plan 1 for device management, Microsoft Defender for Business for endpoint protection, Entra ID P1 for Conditional Access and dynamic groups, and Defender for Office 365 Plan 1 for email security. You are not paying for separate add-ons — it is all in one SKU.

The one constraint that matters: Business plans cap at 300 users. If your organisation is approaching or over that number, the decision changes. Below that limit, Business Premium is the correct answer for most SMBs and is significantly cheaper than an equivalent E3 configuration with the necessary security add-ons.

Business Premium vs Microsoft 365 E3 — which and when

Feature                          M365 Business Premium     M365 E3
Microsoft Intune Plan 1          ✓ Included                ✓ Included
Microsoft Entra ID P1            ✓ Included                ✓ Included
Microsoft Defender for Business  ✓ Included                ✗ Add-on required
Defender for Office 365 Plan 1   ✓ Included                ✗ Add-on required
Windows Enterprise licence       ✗ Not included            ✓ Included
User limit                       300 users maximum         No limit
Price (approx.)                  ~$22/user/month           ~$36/user/month
Best for                         SMBs up to 300 users      Organisations over 300, or those needing Windows Enterprise features

What about Intune Plan 2 and the Intune Suite? Plan 2 adds advanced features like Remote Help, Endpoint Privilege Management (as a standalone), and Tunnel. The Intune Suite bundles Plan 2 with additional capabilities. Neither is required to complete this series — everything covered across all six articles works within Intune Plan 1. You can evaluate Plan 2 features after you have the foundations in place. Pricing changes regularly — always verify current pricing at microsoft.com.

Tenant setup — do these in order

New Intune tenants require a small set of one-time configurations before any device can be enrolled. Skipping or reordering these steps creates problems later that are hard to trace. Work through them in the sequence below.

1. Assign Intune licences to users
A user must have an Intune licence before their device can enrol. In the Microsoft 365 admin centre → Users → Active users, verify each user has a licence that includes Intune. If you purchased M365 Business Premium, Intune is included — confirm it is enabled in the licence assignment. Unlicensed users will fail enrolment silently.

2. Set the MDM Authority to Intune
Navigate to Intune admin centre (intune.microsoft.com) → Devices → Enroll devices. If the MDM authority has not been set, you will see an orange banner — click it and select Intune MDM Authority. This is a one-time, tenant-wide setting. If you previously used Configuration Manager (co-management) this will already be configured. For a fresh Intune tenant this is the first thing to confirm.

3. Enable automatic MDM enrolment
Go to Intune admin centre → Devices → Enrollment → Windows → Automatic Enrollment. Set MDM User Scope to All. This ensures that any Windows device joining Entra ID automatically enrols into Intune without any additional steps. Leave MAM User Scope at None for now — it is for BYOD mobile scenarios covered in a separate article. Requires Entra ID P1 (included in Business Premium).

4. Configure Company Portal branding
Go to Intune admin centre → Tenant administration → Customization. Set your organisation name, support contact name, support email address, and support phone number. Upload your company logo (recommended: PNG, 400×100 px, under 750 KB). This information appears in the Company Portal app and in all enrolment communications users receive. It takes five minutes and makes a significant difference to first-day user experience.

5. Set enrolment restrictions
Go to Intune admin centre → Devices → Enrollment → Enrollment device platform restrictions. Review the default policy. For most SMBs: allow Windows (Personal and Corporate), set a minimum OS version (Windows 10 22H2 or Windows 11 21H2 at a minimum), and set a device limit per user of 5. Restrict platforms you are not managing yet to avoid unexpected enrolments.

Note: the Intune admin centre has moved. The current URL is intune.microsoft.com. Older bookmarks pointing to endpoint.microsoft.com or devicemanagement.microsoft.com redirect automatically, but update your bookmarks and documentation now to avoid confusion.
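Step 1 is the one that fails silently, so it is worth checking in bulk rather than user by user. The following is an added example (not the article's own code) that uses the Microsoft.Graph PowerShell module to list licensed member accounts whose assignment does not include an enabled Intune Plan 1 service plan; it assumes that module is installed and that INTUNE_A is the service plan name for Intune Plan 1.

```powershell
# Added example: audit which licensed users lack an enabled Intune Plan 1 service plan.
# Assumes the Microsoft.Graph module and that 'INTUNE_A' is the Intune Plan 1 plan name.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' -NoWelcome

# Resolve the Intune service plan ID from the SKUs this tenant actually subscribes to,
# rather than hard-coding a GUID
$intunePlanIds = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'INTUNE_A' } |
    Select-Object -ExpandProperty ServicePlanId -Unique

if (-not $intunePlanIds) {
    throw 'No subscribed SKU in this tenant contains Intune Plan 1 (INTUNE_A).'
}

# Only member accounts that hold at least one licence matter here; guests and
# unlicensed accounts are expected to be unable to enrol
$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property Id, DisplayName, UserPrincipalName, AssignedLicenses, AssignedPlans

$report = foreach ($u in $users) {
    if ($u.AssignedLicenses.Count -eq 0) { continue }
    # A plan can be assigned but disabled in the licence assignment; require 'Enabled'
    $hasIntune = $u.AssignedPlans | Where-Object {
        $_.ServicePlanId -in $intunePlanIds -and $_.CapabilityStatus -eq 'Enabled'
    }
    [pscustomobject]@{
        User        = $u.UserPrincipalName
        IntunePlan1 = [bool]$hasIntune
    }
}

$missing = $report | Where-Object { -not $_.IntunePlan1 }
"$($report.Count) licensed users checked; $($missing.Count) without an enabled Intune Plan 1 plan."
$missing | Sort-Object User | Format-Table -AutoSize
```

Any user listed in the final table will fail automatic enrolment until the Intune service plan is enabled on their licence.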

Groups strategy — start simple, stay consistent

Everything in Intune is assigned to groups. Compliance policies, configuration profiles, apps, update rings — all of it targets Entra ID groups. If your group structure is chaotic, your Intune deployment will be too. For an SMB starting from scratch, the right approach is to create a small number of purpose-built groups and resist the temptation to add more before you need them.

Create these four groups before your first policy deployment:

  • SG-Intune-Pilot (Security, assigned). Membership: add your IT team and 2–3 volunteer testers manually. Used for testing all new policies before broad rollout.
  • SG-Intune-AllUsers (Security, assigned). Membership: all licensed users (or use the built-in "All Users" group carefully). Used for policies and apps that apply to everyone.
  • SG-Windows-Devices (Security, dynamic device). Rule: (device.deviceOSType -eq "Windows"). Used for device-targeted Windows policies.
  • SG-Corporate-Devices (Security, dynamic device). Rule: (device.deviceOwnership -eq "Company"). Used for policies that should only apply to organisation-owned devices.

Always test with SG-Intune-Pilot first. Every policy in this series gets assigned to the pilot group first, validated, then extended to the broader groups. This discipline prevents configuration mistakes from reaching the entire fleet. It takes one extra step and saves hours of troubleshooting.
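The four groups above can be created consistently (and re-run safely) from PowerShell rather than clicked together in the portal. This is an added example, not the article's own code: the group names and dynamic rules are the ones listed above; the Microsoft.Graph module, the Graph scopes, the mail nicknames, the description text and the placeholder pilot UPNs are assumptions.

```powershell
# Added example: create the four starter groups with the Microsoft.Graph module.
# Names and rules match the article; scopes, nicknames and pilot UPNs are assumed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome

$groups = @(
    @{ Name = 'SG-Intune-Pilot';      Rule = $null }
    @{ Name = 'SG-Intune-AllUsers';   Rule = $null }
    @{ Name = 'SG-Windows-Devices';   Rule = '(device.deviceOSType -eq "Windows")' }
    @{ Name = 'SG-Corporate-Devices'; Rule = '(device.deviceOwnership -eq "Company")' }
)

foreach ($g in $groups) {
    # Idempotent: re-running the script must not create duplicate groups
    if (Get-MgGroup -Filter "displayName eq '$($g.Name)'") { "Exists: $($g.Name)"; continue }

    $params = @{
        DisplayName     = $g.Name
        Description     = 'Intune starter group (see Part 1 checklist)'
        MailEnabled     = $false
        MailNickname    = $g.Name -replace '[^A-Za-z0-9]', ''   # alias-safe, unique per group
        SecurityEnabled = $true
    }
    if ($g.Rule) {
        # Dynamic device group: Entra evaluates the rule, nobody adds members by hand
        $params.GroupTypes                    = @('DynamicMembership')
        $params.MembershipRule                = $g.Rule
        $params.MembershipRuleProcessingState = 'On'
    }
    $new = New-MgGroup @params
    "Created: $($new.DisplayName) ($($new.Id))"
}

# Populate the assigned pilot group; replace the placeholder UPNs with your IT team/testers
$pilot   = Get-MgGroup -Filter "displayName eq 'SG-Intune-Pilot'"
$members = (Get-MgGroupMember -GroupId $pilot.Id -All).Id
foreach ($upn in @('it.admin@contoso.example', 'tester1@contoso.example')) {
    $user = Get-MgUser -UserId $upn
    if ($user.Id -in $members) { continue }   # already a member, skip
    New-MgGroupMember -GroupId $pilot.Id -DirectoryObjectId $user.Id
    "Added $upn to SG-Intune-Pilot"
}
```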

Entra Join or Hybrid Join — the SMB decision

This is the most consequential architectural decision in this series. Get it right at the start and everything that follows is simpler. Get it wrong and you are rebuilding later.

Microsoft Entra Join — recommended for SMBs

With Entra Join, Windows devices join Microsoft Entra ID directly — there is no on-premises Active Directory involved. The user signs in with their M365 work account at first setup, the device registers in Entra ID, and automatic MDM enrolment drops it straight into Intune. No domain controller, no AD sync dependency, no NDES, no on-prem infrastructure required for device management.

For an SMB that runs primarily on Microsoft 365 cloud services — Teams, SharePoint, Exchange Online — Entra Join is the correct choice in 2026. Microsoft's own guidance is explicit that Entra Join is the strategic direction and that Hybrid Join is a transitional state, not a destination.

Hybrid Entra Join — only if you have on-prem dependencies

Hybrid Join keeps devices joined to on-premises Active Directory while also registering them in Entra ID. This enables both cloud SSO and traditional Kerberos/NTLM authentication for legacy applications running on-prem. If your organisation still relies on file servers with Kerberos, on-prem applications, or GPO-dependent software that cannot be replaced, Hybrid Join may be necessary as a transitional step.

Hybrid Join requires the Entra ID Connect sync tool, the Intune Connector for Active Directory (for Autopilot scenarios), and a working AD infrastructure. It adds complexity that most SMBs do not need.

If you are starting a new Intune deployment and your apps work on Microsoft 365 or can be accessed via browser or VPN — choose Entra Join. The rest of this series is written for Entra Join. If you are in a Hybrid Join scenario, the core concepts still apply but some enrolment steps differ.

Enrolling your first Windows device

With licences assigned, automatic enrolment enabled, and groups created, enrolling a Windows device into Intune takes less than five minutes. There are two paths depending on whether the device is new or already in use.

Path A — New device (Out-of-Box Experience)

During the Windows setup experience, on the "Set up for work or school" screen, sign in with the user's M365 work account. Windows joins Entra ID, triggers automatic MDM enrolment, and the device appears in Intune within a few minutes. This is the recommended approach for any new device being deployed to a user.

Path B — Existing device already running Windows

On an existing device: Settings → Accounts → Access work or school → Connect. Enter the user's work email address, sign in with M365 credentials, and select Join this device to Microsoft Entra ID. Automatic MDM enrolment triggers in the background once the join completes. The device will restart.

Warning: Entra Joining an existing device that was domain-joined requires a local admin account. If the device is currently joined to on-prem AD, you need to remove it from the domain first, then Entra Join. This resets the local profile — always back up user data before doing this on a device with existing user data.

Verify the device is enrolled via PowerShell

On the device itself, open PowerShell and run the following to confirm the join type and MDM enrolment state:

Verify Entra Join and MDM enrolment state on the device (PowerShell):

```powershell
# Run on the Windows device after joining

# Check Entra ID join status
dsregcmd /status

# Key fields to look for in the output:
# AzureAdJoined    : YES    → device is Entra Joined
# MdmUrl           : https://enrollment.manage.microsoft.com  → MDM enrolled
# WorkplaceJoined  : NO     → should be NO for a full Entra Join

# If MdmUrl is blank, automatic enrolment has not triggered yet.
# Wait 5–10 minutes after the Entra Join and check again,
# or trigger a manual sync: Settings → Accounts → Access work or school
# → click the account → Info → Sync
```
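Reading dsregcmd output by eye is fine for one device; for a pilot batch it helps to turn the three fields above into a pass/fail result. The following is an added example, not from the article: it parses dsregcmd /status into a lookup table and reports the reasons a device is not yet ready, including the blank MdmUrl case described above. The field names are the ones dsregcmd prints; the Ready/Reasons logic is this example's own.

```powershell
# Added example: turn dsregcmd /status into a readiness check for the fields the
# article calls out (AzureAdJoined, MdmUrl, WorkplaceJoined). Run on the device.
function Test-IntuneEnrollmentState {
    $raw = dsregcmd /status

    # dsregcmd prints "Name : Value" lines; collapse them into a case-insensitive table.
    # The value may itself contain ':' (URLs), so the name is matched only up to the first one.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $reasons = @()
    if ($fields['AzureAdJoined'] -ne 'YES') {
        $reasons += 'Device is not Entra Joined (AzureAdJoined is not YES).'
    }
    if ($fields['WorkplaceJoined'] -eq 'YES') {
        # A work account was added (Entra Registered) instead of a full join
        $reasons += 'WorkplaceJoined is YES: device is Entra Registered, not Entra Joined.'
    }
    if ([string]::IsNullOrWhiteSpace($fields['MdmUrl'])) {
        # Blank until automatic enrolment has run; the article says to wait 5-10 minutes
        $reasons += 'MdmUrl is blank: automatic MDM enrolment has not triggered yet. ' +
                    'Wait 5-10 minutes or sync from Settings > Accounts > Access work or school.'
    }

    [pscustomobject]@{
        AzureAdJoined   = $fields['AzureAdJoined']
        WorkplaceJoined = $fields['WorkplaceJoined']
        MdmUrl          = $fields['MdmUrl']
        TenantName      = $fields['TenantName']
        Ready           = ($reasons.Count -eq 0)
        Reasons         = $reasons
    }
}

Test-IntuneEnrollmentState | Format-List
```

A device that reports Ready = True here should appear under Devices → All devices in the admin centre within the 5–15 minute window described in the next section.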

Verify it worked in the Intune admin centre

Once a device has enrolled, open the Intune admin centre → Devices → All devices. Your device should appear within 5–15 minutes of enrolment. Check the following fields:

  • Managed by: expected value Intune. If different, check the MDM authority and automatic enrolment settings.
  • Ownership: expected value Corporate (for org-owned devices). Can be changed manually, or use enrolment restrictions to set the default.
  • Compliance: expected value Not evaluated. This is expected; you have not created compliance policies yet (Part 2).
  • Last check-in: within the last 30 minutes. If stale, trigger a manual sync from the device.

Note: "Not evaluated" compliance is correct at this stage. A device has no compliance status until a compliance policy is assigned to it. You will build and assign compliance policies in Part 2. Until then, Conditional Access (if configured) will treat the device as compliant by default — which is another reason to work through the series in order.

Part 1 checklist

  • Confirm licence: M365 Business Premium (or E3 for 300+ users). Verify Intune Plan 1 is enabled in the licence assignment for all users. M365 admin centre → Users → Active users → select a user → Licences.
  • Set MDM Authority to Intune. Intune admin centre → Devices → Enroll devices. Look for the orange banner. Select Intune MDM Authority if not already set.
  • Enable automatic MDM enrolment (MDM User Scope: All). Intune admin centre → Devices → Enrollment → Windows → Automatic Enrollment. Set MDM User Scope to All.
  • Configure Company Portal branding and support contacts. Tenant administration → Customization. Add organisation name, logo, support email, and phone number.
  • Review enrolment restrictions. Devices → Enrollment → Enrollment device platform restrictions. Allow Windows, set minimum OS version, set device limit per user.
  • Create the four starter groups in Entra ID: SG-Intune-Pilot (assigned), SG-Intune-AllUsers (assigned), SG-Windows-Devices (dynamic device), SG-Corporate-Devices (dynamic device).
  • Enrol a test device and verify in the Intune admin centre. Run dsregcmd /status on the device. Confirm AzureAdJoined: YES and MdmUrl is populated. The device appears in Intune → Devices → All devices.

Next in the series (Part 2 of 6): Compliance Policies & Conditional Access: The Foundation You Can't Skip
Build Windows compliance policies for SMBs, connect them to Conditional Access, and understand what happens when a device fails — before it reaches your users.
