Set up Microsoft Intune
Updated: April 24, 2015
The information in this topic leads you through the tasks of setting up a cloud-only instance of Microsoft Intune. If you plan to use your subscription with Microsoft System Center 2012 Configuration Manager, do not continue in this topic. Instead, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.
The first task in setting up Intune is to subscribe. After that, there are several tasks to set up your subscription, some of which you’ll do a single time and some that you’ll return to from time to time. When you initially set up your subscription, we recommend that you set up the tasks in the same order as they are listed in this topic. You can setup a trial subscription, and then at a later time convert it to a full subscription. To convert a trial subscription, see How to buy Intune.
When you subscribe to a cloud-based service from Microsoft, your instance of that service becomes a tenant of Microsoft Azure Active Directory (Azure AD), which provides identity and directory services for your cloud-based service. You should be familiar with the concept of an Azure AD tenant. When documentation refers to Azure AD or an Azure AD tenant, it means your instance of Microsoft Intune.
For more information about your Azure AD tenant, see What is an Azure AD tenant?.
After you complete the following tasks, you are ready to manage mobile devices and computers:
When you sign up for Intune, you subscribe to a trial subscription. You can convert the trial into a paid, full subscription at any time from within the Microsoft Intune account portal.
To sign up, you use an existing work or school account, or create a new account. The account you use has rights to your subscription as a How Intune divides administrative tasks with the global administrator role.
To subscribe to Microsoft Intune
On the Sign up page, you have two options:
Subscribe using the same account you use to subscribe to other Microsoft cloud services: Click Sign in if you already use a work or school account to subscribe to services, like Microsoft Office 365, and want to use the same account to subscribe to both services. When you use the same account for multiple services, those services use the same Azure AD infrastructure and are tenants of Azure AD. Azure AD provides the core directory and identity management capabilities for Microsoft cloud services.
Subscribe to Microsoft Intune only: If you do not yet subscribe to a cloud-based service, complete the form on the Sign up page to subscribe to Intune.
Country or region
Sets the country or region for your organization. This location also determines billing and applicable taxes for the cloud-based service.
This selection determines the fields that appear later in this form where you specify your physical address.
Sets the language that you want to use for business communications from Microsoft.
First name and Last name
Sets the first and last name that is associated with the initial user account that Intune creates to manage your subscription.
Sets your organizational name and is the name that is displayed to users who interact with your subscription.
Sets the mailing address of your organization.
Sets the email address where you receive service information, billing, and details for password resets. Additionally, promotional information that you choose to receive is sent to this address.
New domain name
Sets the domain name to use with onmicrosoft.com. This domain name is free with your trial or paid subscription.
By default, this domain name is associated with your subscription and user accounts that you add to Intune. After you subscribe, you can add and use a domain name that you already own, or continue to use the free onmicrosoft.com domain.
New user ID, and password
Sets an account name and password for the initial tenant administrator account for your subscription. This name can be any name you choose and is associated with the first name and last name that you provided in this same form.
After you complete the form and accept the Microsoft Online Subscription Agreement:
You are automatically signed in to the Microsoft Intune account portal with the tenant administrator account.
An email message that contains your account information is sent to the email address that you provided during the sign-up process. This message confirms that your subscription is active.
To change your trial subscription to a full subscription
In the Microsoft Intune account portal, click Purchase > Buy now.
On the Customize your order page, complete your purchase.
After you complete your purchase, your trial subscription is converted to a full subscription, which does not expire within the original time-limited period.
By default, Microsoft Intune uses the domain name that you select when you subscribe to the service, which looks like <domain>.onmicrosoft.com. When your organization owns a custom domain, you can configure your instance of Intune to use that domain instead of the domain name provided with your subscription.
Before you create new user accounts or synchronize accounts from your Active Directory, we recommend that you decide whether to use only the .onmicrosoft.com domain or to add one or more of your custom domain names. When you do not configure a custom domain name and suffix, each user account you import receives the onmicrosoft.com suffix for their user principal name (UPN). Although you do not need to configure a custom domain before adding users, doing so can help simplify the management of user identities for your subscription by enabling users to sign in with the credentials they use to access other domain resources.
For more information about using your custom domain with a cloud-based service from Microsoft, see Internet domain management.
Because the tasks to configure Intune to use your organizations custom domain name are the same as for other Azure AD tenants, use the information and procedures found in Add your domain.
After you set up your domain name, return to this topic to continue configuring Intune.
Before a user can access Intune or enroll a device, a tenant administrator must complete the following tasks.
Add user accounts
Set the sign-in status
Assign a license to user accounts to use Intune
You use the New users wizard to add individual user accounts.
To manually add individual user accounts
In the Microsoft Intune account portal, click Users > New.
Click User to start the New users wizard.
On the Details page, complete the required fields.
On the Settings page, set the location for the user.
On the Group page, click Next to accept the default and assign a license for Intune to the user account. By default, the check box is selected, which assigns a license for Intune to the user account.
On the Email page, specify up to five email addresses to receive notification of the user name and temporary password for the account. Separate multiple email addresses by semicolons (;). When ready, click Create to add the user account to your subscription.
On the Results page, you can view the new account name and its temporary password. Intune automatically creates the temporary password.
The new user account now appears in the Users node of the account portal. When the user signs-in for the first time, the user must specify a new password for the account.
You can add multiple user accounts to Intune when you use the Bulk add users wizard to upload a comma-separated values (CSV) file that contains your user data.
The CSV file you upload requires that the first row contains in correct sequence each of the user data column labels. These are described in the table later in this section. Then, for each user in the CSV file, you must include the user name (like email@example.com) and a display name (like Bob Kelly).
To add multiple user accounts from a CSV file
In the Microsoft Intune account portal, click Users > New.
Click Bulk add to start the Bulk add users wizard.
On the Select file page, click Browse to specify and load an existing CSV file from your computer. You can also download a sample CSV file or blank template file.
On the Verification page, review the results, and then click View for more details.
On the Settings page, confirm that the sign-in status is Allowed, and set the location. These settings apply to all user accounts added by the CSV file.
On the Group page, click Next to accept the default and assign a license for Intune to all user accounts added by the CSV file. By default, the check box is selected, which assigns a license for Intune to each account.
On the Email page, specify up to five email addresses to receive notification of the user names and temporary passwords that Intune creates for each account. Separate multiple email addresses by semicolons (;). When ready, click Create to add the users to your subscription.
On the Results page, you can view the account names and temporary password for each user account.
Each user account that you added by importing it now appears in the Users node of the account portal. When each new user signs in for the first time, each user must specify a new password for their user account.
To learn about the CSV format, download and use the blank template or sample CSV file from within the Bulk add users wizard:
Download the file:
In the Microsoft Intune account portal, click Users > New > Bulk add. On the first page of the Bulk add users wizard, click an available download link.
Edit the file:
You can edit the file in a text editor, like Notepad.
Look at the format:
The template contains the headings (user data column labels), which is the first row in the sample CSV file. You add each record (user) to a separate line under the heading. The sample file is an example of a correctly formatted CSV file, and you can replace the example data with your user information. It's important not to add, change, or delete any of the column headings, or else Intune might fail to create user accounts from the information in the file.
Separate values with commas:
You must use a comma between each of the fields (user's first name, last name, and so on).
Save the file with a new name:
Save the file with a new name for each CSV file that you create. Be sure to use the .csv file name extension.
Frequently asked questions about using CSV files:
What if I don’t have all the information required for each user?
The User Name and Display Name are required, and you cannot add a new user account without this information. If you don't have some of the other information, like Fax, you can use a space plus a comma to indicate that the field should remain blank.
How small or large can the CSV file be?
The CSV file must have at least two rows. One is for the column headings (the user data column label) and one for the user. You cannot have more than 251 rows. If you need to import more than 250 users, you can create more than one CSV file.
What languages can I use?
When you create a CSV file, you can enter user data column labels in any language or characters, but you must not change the order of the labels, as shown in the sample. You can then make entries into the fields, using any language or characters, and save your file in a Unicode or UTF-8 format.
Can I add users from different countries or regions?
You must use separate CSV files to add users from different locations. You'll step through the bulk add users wizard for each CSV file, giving a single location of all users included in the file that you're working with.
Is there a limit to the number of characters I can use in each field?
The following table shows the user data column labels and maximum character length for each in the sample CSV file.
User data column labels
Maximum character length
User Name (Required)
The maximum total length of the user name is 79 characters (including the at sign (@), in the format firstname.lastname@example.org. The user’s name cannot exceed 30 characters, and the domain name cannot exceed 48 characters.
Display Name (Required)
State or Province
ZIP or Postal Code
Country or Region
You can configure directory synchronization to import user accounts from your on-premises Active Directory to Microsoft Azure AD identity management. When you use multiple services with the same Azure AD, the user accounts that you synchronize are available to each cloud-based service that shares your Azure AD.
There are several methods you can use for Directory integration with Intune.
After you set up directory integration, return to this topic to continue configuring Intune.
A user must have a license to your subscription before they can sign in to use the Intune service. When a user has a license, they are a member of the Microsoft Intune user group. This group includes all users who have a license to use the subscription. Each user license supports enrolling up to five devices.
When you use the account portal to add users to your subscription either manually or by bulk import from a CSV file, Intune assigns an available license to each user account. If you do not have an available license, then no license is assigned. With both methods, you have the option to not assign licenses to the new user accounts at the time you add them to your subscription.
When you import users from your on-premises Active Directory, Intune does not assign a license to each user account. Instead, at a later time, you must edit the user account to assign a license to the user.
When your subscription shares Azure AD with other Azure AD tenants, you have access to users that were added to those services. These users do not have a license to Intune until you assign a license to each of them.
If the option to assign or revoke a license to Intune is dimmed, your subscription might include volume licensing options, such as the options available when using Enterprise Mobility Suite. For information on how to assign or revoke licenses, see the documentation for your licensing options.
To view the number of licenses you own and use
To view the number of licenses you own: In the Microsoft Intune account portal, click Licenses to view the number of valid licenses you own. You can also click Manage to view the number of licenses you own and the expiration dates for those licenses.
To view the number of available licenses that are not yet assigned to users: In the Microsoft Intune account portal, click Users, select any user account, click Edit, and then view the Group tab. The value for group members identifies the number of unassigned licenses that remain from your total pool of licenses.
To buy additional licenses
In the Microsoft Intune account portal, click Purchase. For the type of license you want, click Add, and then specify the number of user licenses you want to buy.
Click Add to cart.
Click Check out to review you order, and then complete the purchase form.
After your purchase is complete, the new licenses are available to be assigned to users.
To assign or revoke a license
In the Microsoft Intune account portal, click Users.
Select the users you plan to manage, and then click Edit:
To edit a single user:
On the Group tab of the user, select the Microsoft Intune check box to assign a license to this user and clear the selection to revoke the license.
Click Save > Yes.
To edit multiple users:
In the Bulk edit users wizard, proceed to the Group page, and then select the license options you want to apply to each user in the set of users you selected. Select the Intune check box to assign a license to each user, and clear the selection to revoke licenses.
Click Submit > Finish.
When you are finished, the count of available licenses is adjusted.
After you add additional users to your subscription, we recommend that you grant a few user accounts administrative credentials. The console you use to assign administrative credentials depends on the type of administrator you want to assign:
Tenant administrator: Use the Microsoft Intune account portal to assign this type of administrator to manage your subscription, including billing, cloud storage, and managing the users who can use Intune.
Service administrator: Use the Microsoft Intune administrator console to assign this type of administrator for day-to-day tasks including management of mobile devices or computers, deploying policy or software, and running reports.
To assign tenant administrator permissions
In the Microsoft Intune account portal, click Users.
Select the user account that you want to promote to a tenant administrator, and then click Edit.
On the Settings tab, under Assign role, click Yes, and then select the appropriate role for this account.
Enter the alternate email address for this user, and then click Save
To assign service administrator permissions
In the Microsoft Intune administrator console, click Admin > Administrator Management > Service Administrators, and then click Add.
In the Add Service Administrator dialog box, for User ID, specify as <name>@<domain.com> the name of a user account that is to be elevated to service administrator. The name you specify must match the sign-in credentials for that account.
Select the appropriate Access permissions for this user, and then click OK.
To view a list of tenant or service administrators
In the Microsoft Intune administrator console, click Admin > Administrator Management.
Under Tasks, click one of the following:
View Service Administrators: The console displays only service administrators that are configured in the administration console. It does not display tenant administrators that have the Global administrator role.
View Tenant Administrators: The console displays only tenant administrators that are assigned the Global administrator role.
In the Microsoft Intune account portal, you can create, edit, and delete security groups. You can use security groups as criteria for the organization groups that service administrators use for day-to-day management of Intune, including deploying software or assigning policies.
Security groups can include the following:
Users and groups you sync from your on-premises Active Directory
Users and groups you add directly to your subscription
To create a security group
In the Microsoft Intune account portal, click Security Groups > New to start the New security group wizard.
On the Details page, provide a name for the group, and then click Save.
On the Members page, you can add both users and groups to a group:
To add users: Set List type to Users, select one or more users to add to this group, and then click Add.
To add groups: Set List Type to Groups, select one or more groups, and then click Add.
After you add the users and groups you want to include, click Save and Close to complete the wizard.
To view or edit a security group
In the Microsoft Intune account portal, click Security Groups.
To view the membership of a group or to edit a group, select the group you want to manage, and then click Edit.
To modify a group that you synchronize from your on-premises Active Directory, you must edit the group in your on-premises Active Directory, and then synchronize the changes.
On the Details tab, you can change the group name.
On the Members tab, you can:
View the members of the group.
Add members: Under Available members, select one or more users, and then click Add.
Remove members: Under Selected members, select one or more users to remove, and then click Remove.
To delete a group, select the group you want to manage, and then click Delete > Yes > Close.
The Microsoft Intune company portal is where users access company data and can do common tasks like enrolling devices, installing apps, and locating information for assistance from your IT department.
When you customize the Company Portal, the configurations apply to both the company portal website and company portal apps.
To customize the company portal
In the Microsoft Intune administrator console, click Admin > Company Portal.
Configure one or more of the following optional items.
Maximum character length
Company contact information and privacy statement
This name is displayed as the title of the company portal.
IT department contact name
This name is displayed on the Contact IT page.
IT department phone number
This contact number is displayed on the Contact IT page.
IT department email address
This contact address is displayed on the Contact IT page.
You must enter a valid email address in the format email@example.com.
This additional information is displayed on the Contact IT page.
Company privacy statement URL
You can specify your own company privacy statement that appears when users click the privacy links from the company portal.
You must enter a valid URL in the format https://www.contoso.com.
Support website URL
If you have a support website that you want your users to use, specify the URL here. The URL must be in the format https://www.contoso.com.
If you do not specify a URL, nothing is displayed for the support website on the Contact IT page in the company portal.
This name is the friendly name that is displayed for the URL to the support website.
If you specify a support website URL and no friendly name, then Go to IT website is displayed on the Contact IT page in the company portal.
Select a theme color to apply to the company portal.
Include company logo
When you enable this option, you can upload your company logo to show in your company portal. You can upload two logos:
One logo that is displayed when the company portal background is white
One logo that is displayed when the company portal background uses your selected theme color
Each logo must be a .png or .jpg file type and meet the following criteria:
Maximum resolution of 400 x 100 pixels
Size of 750 KB or less
Choose a background for Windows 8 Company Portal app
This setting affects the background for the Windows 8 company portal app only.
Click Save to save your changes.
After you save your changes, you can use the links provided at the bottom of the Company Portal page of the administration console to view the company portal website. These links cannot be changed. When a user signs in, these links display your subscriptions in the company portal.