Mobile Device Management for Office 365 with Azure Active Directory


Editor’s note: The following post was written by Office 365 MVP Nuno Silva as part of our Technical Tuesday series.

Mobile Device Management for Office 365 (MDM for Office 365) integrated with Azure Active Directory is an enterprise-level identity and access management cloud solution. MDM for Office 365, built on top of the core offering of Office 365, provides a robust set of capabilities to empower enterprises with more demanding needs on identity and access management of their mobile devices.

MDM for Office 365 offers a new layer of capabilities that raises the security of the organization's devices. In the era of bring your own device (BYOD), each organization may consider using these new technologies to help keep its business data secure.

The new MDM capabilities are:

• Help secure and manage corporate resources with conditional access—Apply security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents are synchronized only on phones and tablets that are managed by your company.
• Apply mobile device settings—Set and manage security policies such as device-level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is lost or stolen.
• Perform a selective wipe of Office 365 data—Remove Office 365 corporate data from a device when an employee leaves your organization, while leaving their personal data, photos, and apps intact.
• Preserve Office 365 productivity experience—Unlike third-party MDM solutions that have replaced productivity apps with restrictive all-in-one apps for corporate email, calendars and documents, MDM for Office 365 is built directly into the productivity apps your employees know and love. You can set access policies to help secure company data while keeping employees productive.
• Manage policies with ease—Administer mobile device policies directly from within the Office 365 administration portal, through an easy to use interface with wizard-based set up. View reports on which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance.

These capabilities will be included with all Office 365 commercial subscriptions, including Business, Enterprise, EDU and Government plans.

Advanced mobile device and application management with Microsoft Intune
The capabilities built in to MDM for Office 365 are powered by Microsoft Intune, Microsoft’s comprehensive device management and app management solution for phones, tablets and PCs. Organizations that need management and protection beyond what’s included in Office 365 can subscribe to Intune and get additional device and app management capabilities, including:
• Mobile application management—Enable your workforce to securely access corporate information using Office mobile apps while protecting your company’s data by restricting actions such as copy/cut/paste/save in your managed app ecosystem. Intune also extends these capabilities to existing line-of-business apps with the Intune app wrapper and enables secure viewing of content using the Managed Browser, PDF Viewer, AV Player and Image Viewer apps.
• Manage devices from the cloud, or integrate with existing on-premises System Center Configuration Manager—Intune can manage devices from the cloud, without any infrastructure requirements, or Intune can be connected to System Center 2012 Configuration Manager to manage all of your devices including PCs, Macs, Unix/Linux Servers and mobile devices from a single management console.
• Comprehensive mobile device management—Deploy certificates, Wi-Fi, VPN and email profiles automatically once a device is enrolled, enabling users to access corporate resources with the appropriate security configurations. You also have the ability to bulk enroll corporate devices to set policies and deploy applications on a large scale and can provide your users with a self-service Company Portal where they can enroll their own devices and install corporate apps.

The built-in Mobile Device Management for Office 365 can help you secure and manage your users’ mobile devices such as iPhones, iPads, Android devices, and Windows phones. You can view an inventory of all enrolled devices that connect to your organization, create and manage device security policies, remotely wipe a device, and view detailed device reports. To get started, follow the steps in this article to activate and set up Mobile Device Management for Office 365.

Here is a summary of the configuration steps:

• Go to Mobile devices and press “Get Started”

• After a few moments the dashboard will look like this

• Then configure your DNS: press Manage Settings and complete the setup section of each step that you require
Note: If you do not have iOS devices, you do not need to configure that section

• After the DNS entries are configured, go to the Compliance Center to configure the policy for the devices

• Press the + sign to create a device policy, and give it a name and description

• Select the desired options for the security policy

• After the policy is configured, the dashboard will show its details

Note: Wait a few moments for the status to be “On”.

After the configuration, you will need to follow the enrollment steps on the devices to authorize access.

The enrollment process on Windows Phone looks like these screenshots:

In Windows 10, the screenshots are:

Note: Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

After all these steps are completed, your organization is ready to take advantage of the security features of MDM for Office 365.

You have now configured MDM for Office 365 and have the options on the Mobile Devices dashboard to manage your devices.


You can also see a user's devices in your Azure AD.
Note: This is the only option if you want to delete a device that does not appear on the Mobile Devices dashboard of the Office 365 portal.
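The same device view and clean-up can be scripted with the MSOnline PowerShell module, as an added example that is not part of the original post. It assumes the MSOnline module is installed, that you connect with a tenant administrator account, and that the UPN and the 90-day threshold are placeholders to adjust for your tenant; devices are only listed until you uncomment the removal line after reviewing the output.

```powershell
# Added example (not from the original post): list a user's devices registered in
# Azure AD and flag the ones with no recent sign-in, as seen in the portal's
# "Devices" view. Assumes the MSOnline module and a tenant admin account.
Import-Module MSOnline
Connect-MsolService            # prompts for tenant administrator credentials

$userUpn   = 'user@contoso.com'   # placeholder UPN, replace with the real user
$staleDays = 90                   # placeholder threshold for "stale"

# All devices whose registered owner is this user
$devices = Get-MsolDevice -RegisteredOwnerUpn $userUpn

# Inventory, newest sign-in first (the same columns the Azure AD portal shows)
$devices |
    Sort-Object ApproximateLastLogonTimestamp -Descending |
    Select-Object DisplayName, DeviceOsType, DeviceTrustType,
                  ApproximateLastLogonTimestamp, Enabled, DeviceId |
    Format-Table -AutoSize

# Stale devices: no sign-in for $staleDays days. Devices that never reported a
# logon time are skipped so they are not removed by mistake.
$cutoff = (Get-Date).AddDays(-$staleDays)
$stale  = $devices | Where-Object {
    $_.ApproximateLastLogonTimestamp -and $_.ApproximateLastLogonTimestamp -lt $cutoff
}

foreach ($d in $stale) {
    Write-Host "Stale: $($d.DisplayName) ($($d.DeviceId)) last seen $($d.ApproximateLastLogonTimestamp)"
    # Removing the device object revokes its registration; a device still in use
    # would have to be registered again. Uncomment only after reviewing the list:
    # Remove-MsolDevice -DeviceId $d.DeviceId -Force
}
```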


Summary – Mobile Device Management for Office 365 (MDM for Office 365) helps reduce organizational risk and enable regulatory compliance by providing an extra layer of security on a user’s devices in addition to the user’s account credentials. For that purpose, it adds control over which devices can connect to the service, with policies that take security to the next level. The solution can be complemented with Intune to raise the level of security and compliance further.

MDM for Office 365 is becoming the new way for organizations to secure access and how businesses ensure trust in a multi-device, mobile, cloud world.

Final Note:

Microsoft is currently in the process of updating the service so that Windows 10 devices can connect to Azure AD. Once these updates are available, you will be able to manage your Windows 10 devices with MDM for Office 365.

Introduction to Windows 10 and Azure Active Directory

With the Windows 10 features for configuring and deploying corporate-owned Windows devices, your users can join those devices to your Azure AD. With Azure AD Join the user registers devices in the directory so that they are visible to, and can be managed by, the organization. With Azure AD Join, Windows authenticates directly to Azure AD; no Domain Controller is needed.

The scenarios that organizations may use are:
• Users will be able to join their work Windows 10 devices directly to Azure Active Directory and sign into Windows using their Azure Active Directory account and password – while still having single sign-on access to Office 365 and to on-premises services that leverage Active Directory authentication. The devices can be automatically enrolled into a mobile device management (MDM) service at the same time.
• Users will be able to add their work account to their personal (BYOD) Windows 10 devices, establishing a link between Windows and their work account managed in Azure Active Directory, which will provide single sign-on access to the organization’s services. The devices may also be automatically enrolled in mobile device management (MDM).
• Traditional PC devices, joined to an existing Active Directory domain, will have single sign-on access to cloud-based services like Office 365, the Windows Store, or any other Azure Active Directory-aware application. Windows 10 understands that the Active Directory account is associated with a synchronized Azure Active Directory account. (Device management continues to be provided using Active Directory Group Policy and System Center Configuration Manager.)

These scenarios provide organizations with a great deal of flexibility – choose the scenario that makes the most sense for each device.

If your organization needs more features than MDM for Office 365 provides, you can use Microsoft Intune (see comparison here). Microsoft Intune is part of the Microsoft Enterprise Mobility Suite, and has additional management capabilities for devices and applications. With Microsoft Intune your organization is more secure.

Support Links:

• Overview of MDM for Office 365
• MDM Office 365
• Explore the built-in Mobile Device Management (MDM) feature for Office 365
• FAQs for MDM for Office 365

About the author


Nuno is a manager at GFI and a specialist in Office 365, with a focus on Exchange, Virtualization, Azure and System Center. With more than 17 years’ experience in Datacenter Architectures and a master's degree in Information Technologies, Nuno has 30+ certifications (MCSE, MCITP, MCSA and MCTS among others). Experienced in enterprise environments, he has worked in a range of industries. He has also assisted Microsoft in the development of workshops, special events and case studies, and has served as a speaker at several Microsoft events. Follow him on Twitter @nunoariassilva.

Published: 8/8/2015 12:04
