How to Get Started with Intune for Microsoft 365

Robert Kiss

5/19/2026

General

Learn how to get started with Microsoft Intune for Microsoft 365 compliance, security, and automated device management.

If you're responsible for microsoft 365 compliance or security, Microsoft Intune is one of those tools you simply can’t ignore. It sits right at the center of modern device management, helping you lock down Windows, macOS, iOS, and Android while still keeping users productive.

To be honest, Intune can feel intimidating the first time you open the portal. There are a lot of menus, some slightly confusing terminology, and it’s tied closely to Microsoft Entra ID (formerly Azure AD), Defender for Endpoint, and the rest of the Microsoft 365 stack. This guide walks you step-by-step through how to get started with Intune for Microsoft 365: from licensing and enrollment to security policies, compliance rules, and app deployment.

Along the way, we’ll keep a close eye on how this supports a stronger m365 security audit posture and helps you move toward microsoft 365 compliance automation without burning days in manual checks.

Understand What Intune Does in Microsoft 365

Before you start clicking around in the Intune admin center, it helps to be crystal clear on what problem Intune is actually solving for you.

Intune as the central control plane for devices

Think of Intune as the cloud management hub for all your corporate endpoints:

  • Windows 10/11 PCs and laptops
  • macOS devices
  • iOS/iPadOS devices (iPhone, iPad)
  • Android phones and tablets

From an IT and compliance perspective, Intune gives you a single place to:

  • Enroll and inventory devices
  • Apply security baselines and endpoint protection
  • Enforce compliance policies (e.g., OS version, disk encryption, antivirus)
  • Push configuration profiles (OneDrive behavior, Windows settings, etc.)
  • Deploy and update apps (including Microsoft 365 Apps)
  • Protect corporate data on personal devices via app protection policies

For organizations trying to align with a cis benchmark microsoft 365 model or preparing for a formal m365 security assessment, Intune is essentially how you prove that endpoints are configured and secured in a consistent, auditable way.

Corporate vs personal devices: why it matters

In the real world, most companies look a lot like the fictional “crunching numbers” firm from the transcript:

  • 50-ish staff, mostly on Windows desktops and laptops
  • Company-owned iPhones for executives
  • Users checking Outlook and Teams on personal phones
  • Data stored in OneDrive and SharePoint
  • Mix of Microsoft 365 Apps plus a few line-of-business applications

That blend of company-owned and personally-owned devices is where microsoft 365 compliance can go sideways quickly.

The basic rule of thumb:

  • Company-owned devices → enroll fully into Intune, manage the OS, apps, and security end-to-end.
  • Personally-owned devices (BYOD) → avoid full device enrollment; instead use app protection policies to protect only corporate data inside specific apps (Outlook, Teams, OneDrive, etc.).

That separation makes your m365 security audit conversations much easier. You can clearly show which devices are under full control, and where you rely on controlled, app-level protections for BYOD devices.

Step 1: Choose the Right Intune and Microsoft 365 Licensing

Licensing is usually the first trip‑up for people new to Intune. Fortunately, the basic path for small and mid-size businesses is pretty straightforward.

Intune plans vs Microsoft 365 Business Premium

Microsoft offers several Intune plans:

  • Intune Plan 1 – core device management and security
  • Intune Plan 2 – advanced features
  • Intune Suite – bundle of extra security and management add-ons

For most small and mid-sized organizations, the easiest and most cost-effective option is Microsoft 365 Business Premium. It includes:

  • Microsoft Intune Plan 1 (core capabilities)
  • Microsoft 365 Apps (Office)
  • Microsoft Defender for Business
  • Exchange Online, SharePoint Online, OneDrive, Teams, etc.

In practice, this means you don’t have to buy Intune separately. That simplifies both budgeting and microsoft 365 audit preparation because your licensing story is clean and consistent.

If you’re aiming long term at cis certified microsoft 365 posture or trying to align with the cis microsoft 365 foundations benchmark, Business Premium plus Intune Plan 1 is a very solid starting foundation.

When you might need more than Plan 1

Plan 1 is enough to:

  • Enroll and manage devices
  • Push apps and policies
  • Enforce basic compliance requirements

You might consider extra add-ons or higher plans if you need:

  • Advanced endpoint analytics or specialty add-ons like Remote Help
  • Extra reporting or integration with SIEM/SOAR
  • Complex multi-tenant or MSP scenarios

But for a beginner’s setup focused on improving m365 security assessment outcomes and basic microsoft 365 compliance, Plan 1 via Business Premium is more than enough.

Step 2: Connect to Intune and Entra ID

Intune never works alone. It’s tightly coupled with Microsoft Entra ID (Azure AD), which handles identity, authentication, and group membership.

Accessing the Intune admin center

To get started:

1. Sign into the Microsoft 365 admin portal as an admin.
2. Go to Admin centers → Endpoint management (or Intune, depending on your portal).
3. This opens the Microsoft Intune admin center.

You’ll see sections for:

  • Devices
  • Apps
  • Endpoint security
  • Reports
  • Tenant administration

Parallel to this, open the Microsoft Entra admin center (sometimes labeled Identity). You’ll be switching between these two quite a bit.

Create smart groups first: dynamic device and user groups

In my experience, you’ll save yourself a lot of headaches later if you build dynamic groups in Entra before you start creating policies in Intune.

Two very useful patterns:

1. Dynamic device group for Windows 11

  • Go to Entra admin center → Groups → New group
  • Group type: Security
  • Membership: Dynamic device
  • Add a rule on the device OS version, for example `startsWith 10.0.2`: Windows 11 builds are 10.0.22000 and higher, so this prefix matches them but not Windows 10 builds (10.0.1xxxx).
  • Validate the rule against an existing Windows 11 device.

Result: every time a new Windows 11 device joins Entra ID, it automatically lands in this group and can receive policies and apps without manual assignment.

2. Dynamic user group for a department (e.g., Executives)

  • New group → Security → Dynamic user
  • Rule based on department equals `Executive`
  • Validate with a sample user.

Now you can target more permissive policies, extra protection, or special apps just for that department.

This group-based approach becomes crucial later when you’re proving to auditors that:

  • All Windows 11 endpoints receive a consistent baseline (think cis benchmark microsoft 365 aligned settings).
  • Sensitive roles (execs, finance, HR) have stronger protections applied via group-based assignments.
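Before you create either group, it is worth checking that the rule actually selects the objects you expect. The following is an added example (my own Python, not Microsoft's or ConfigCobra's code) that evaluates the subset of Entra dynamic membership rule syntax used in the two patterns above: parenthesised clauses with `-eq`, `-ne` and `-startsWith`, joined with `and`/`or`. The clause form and the `device.deviceOSType`, `device.deviceOSVersion` and `user.department` property names are real Entra rule syntax; the sample devices and users, the `MacMDM` OS-type value and the extra `deviceOSType` guard on the Windows 11 rule are my constructions, so still validate the final rule in the portal against a real Windows 11 device.

```python
"""Validate Entra-style dynamic membership rules against sample objects.

Added example, not Microsoft's code: a small evaluator for the subset of the
Entra dynamic membership rule syntax used in this guide (-eq, -ne, -startsWith,
joined with 'and' / 'or'). Use it to sanity-check a rule against the kinds of
devices and users you actually have before creating the group.
"""
import re

# One clause looks like: (device.deviceOSVersion -startsWith "10.0.2")
_CLAUSE = re.compile(
    r'\(\s*(?P<obj>device|user)\.(?P<prop>\w+)\s+-(?P<op>eq|ne|startsWith)\s+"(?P<val>[^"]*)"\s*\)'
)


def eval_clause(clause: str, obj: dict) -> bool:
    """Evaluate a single parenthesised clause against one device or user record."""
    m = _CLAUSE.fullmatch(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    actual = obj.get(m["prop"])
    if actual is None:
        # Property not populated on the object: the clause cannot match.
        return False
    op, expected = m["op"], m["val"]
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    return actual.startswith(expected)  # -startsWith


def eval_rule(rule: str, obj: dict) -> bool:
    """Clauses joined by 'and' bind tighter than 'or', as in Entra rules."""
    for or_group in re.split(r"\s+or\s+", rule):
        if all(eval_clause(c, obj) for c in re.split(r"\s+and\s+", or_group)):
            return True
    return False


def validate_rule(rule: str, objects: dict) -> dict:
    """Map each sample object's name to whether the rule would include it."""
    return {name: eval_rule(rule, obj) for name, obj in objects.items()}


# Constructed sample devices. Windows 11 builds are 10.0.22000 and later, so the
# "10.0.2" prefix separates them from Windows 10 (10.0.1xxxx); the deviceOSType
# clause is an extra guard so non-Windows devices can never match. The "MacMDM"
# OS type value is an assumption for the sake of the sample.
SAMPLE_DEVICES = {
    "LAPTOP-W11-23H2": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.22631.4169"},
    "LAPTOP-W11-24H2": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.26100.2314"},
    "DESKTOP-W10-22H2": {"deviceOSType": "Windows", "deviceOSVersion": "10.0.19045.4894"},
    "MAC-EXEC-01": {"deviceOSType": "MacMDM", "deviceOSVersion": "14.6.1"},
}
WIN11_RULE = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.2")'

# Constructed sample users for the department-based group.
SAMPLE_USERS = {
    "alice@contoso.example": {"department": "Executive"},
    "bob@contoso.example": {"department": "Finance"},
    "svc-scanner@contoso.example": {},  # no department attribute set at all
}
EXEC_RULE = '(user.department -eq "Executive")'

if __name__ == "__main__":
    for rule, objects in ((WIN11_RULE, SAMPLE_DEVICES), (EXEC_RULE, SAMPLE_USERS)):
        print(rule)
        for name, included in validate_rule(rule, objects).items():
            print(f"  {'IN ' if included else 'out'}  {name}")
```

Two things the run makes visible: a device whose attribute is simply not populated (the service account without a department) is excluded rather than causing an error, and the OS-version prefix only works because Windows 10 and Windows 11 builds differ in their second-to-last digit block, which is why the rule is worth re-checking whenever a new Windows major version ships.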

Step 3: Enroll Corporate Windows Devices into Intune

Once licensing and groups are ready, your next milestone is enrolling devices. Let’s start with company-owned Windows PCs, because that’s still the bread and butter for most organizations.

Understand enrollment restrictions (and don’t break yourself)

In the Intune admin center, go to Devices → Device enrollment and look at:

  • Device limit restrictions – how many devices each user can enroll (default is 5).
  • Device platform restrictions – which platforms can enroll, and whether personal devices are allowed.

For Windows, there’s a key setting:

  • "Personally owned" Windows devices – Allow or Block.

Conceptually, blocking personally-owned Windows devices from enrolling is a good idea if you want tight control and clean m365 compliance checklist results. But there’s a catch:

  • Intune can’t actually tell if a device is personal or corporate at the moment of enrollment.
  • If you set personally owned = Block, then simple user-initiated enrollment from Settings might fail, even for a company PC.

So you have two practical options:

  • Short term / simple: Allow personally-owned Windows devices so you can use the built-in "Add work or school account" flow.
  • Long term / best practice: Use Windows Autopilot (and mark devices as corporate), then safely block personal Windows devices at the policy level.

For a beginner rollout, it’s perfectly fine to start with the simpler path while you plan Autopilot properly.

Enroll a Windows 11 device via work or school account

On a new or existing Windows 10/11 company device:

1. Go to Settings → Accounts → Access work or school.
2. Click Connect.
3. Enter the user’s Microsoft 365 work account and password.
4. Complete MFA, if required.
5. Let the enrollment process finish.

Behind the scenes, this:

  • Joins the device to Entra ID (Azure AD join).
  • Enrolls it into Intune.
  • Adds it to any applicable dynamic device groups (e.g., your "All Windows 11 devices" group).

You can confirm:

  • In Entra: Identity → Devices → All devices – you’ll see the device as Azure AD joined.
  • In Intune: Devices → All devices – the device appears and starts receiving assigned policies.

For an m365 security audit, this is your evidence that corporate endpoints are actually under management—not just floating around unmanaged on your network.

Step 4: Integrate Defender for Endpoint and Secure the Devices

Enrolling a device is only the first half of the job. To move toward a cis benchmark microsoft 365 posture, you need to actually secure it. That’s where Defender for Endpoint (Defender for Business in SMB) and Intune really start to shine together.

Connect Defender for Endpoint with Intune

If you’re using Microsoft 365 Business Premium, you get Defender for Business, which integrates directly into Intune as Defender for Endpoint.

To hook it up:

1. In the Microsoft 365 admin center, go to Security (Defender portal).
2. Run the initial Defender for Business setup wizard:

  • Choose who gets admin access.
  • Configure alert recipients.
  • Select all devices to onboard.
  • Choose to manage settings in Intune.

3. Back in the Intune admin center, go to Endpoint security → Microsoft Defender for Endpoint.
4. Enable the connector (e.g., "Connect Windows devices to Microsoft Defender for Endpoint").

Once the connection shows as Enabled and devices start onboarding, you get:

  • Central antivirus and endpoint protection management
  • Exposure and vulnerability data
  • Integration points that are highly relevant to microsoft 365 audit preparation and m365 security assessment reviews.

Create baseline endpoint security policies

In Intune, under Endpoint security, you’ll see categories like:

  • Antivirus
  • Disk encryption
  • Firewall
  • Attack surface reduction
  • Security baselines

You’ve got two reasonable approaches:

1. Use Microsoft security baselines (fast start)

  • Go to Endpoint security → Security baselines.
  • Choose a baseline like Microsoft Defender for Endpoint baseline.
  • Create a profile and assign it to your Windows 11 device group.

This gives you a broad set of Microsoft-recommended settings, including BitLocker, firewall, Defender AV configurations, and some Edge settings.

2. Create custom policies (more control, audit-friendly)

  • For example, under Antivirus → Create policy → Windows 10 and later → Microsoft Defender Antivirus.
  • Use the built-in defaults where appropriate (Microsoft provides a default value for most settings).
  • Assign these policies to your dynamic device groups.

Custom policies let you match internal security standards or external frameworks more precisely—helpful if you’re aligning to cis microsoft 365 foundations or mapping to ISO 27001, NIST CSF, and similar.

Either way, the key is that endpoint protection settings are now centrally defined, deployed, and auditable.

Step 5: Define Compliance Policies for Devices

Endpoint security policies define how devices should be configured. Compliance policies define the minimum bar a device must meet to be considered trusted. This is something auditors and security teams care about a lot.

Build a Windows compliance policy

In Intune, go to Endpoint security → Device compliance → Policies and create a new policy for Windows 10 and later.

A practical starter policy might include:

  • Device Health: Require BitLocker = Yes (for Windows 10/11)
  • Device properties: Minimum OS version set to supported Windows builds only
  • System security: Firewall = Required, Antivirus = Required, Anti-spyware = Required, Microsoft Defender service = Required

Then configure Actions for noncompliance, such as:

  • Mark device noncompliant immediately
  • (Optional) Email the user and IT when a device becomes noncompliant
  • (Optional) Retire or block devices if they stay noncompliant for too long

Finally, assign the policy to your Windows 11 device group (or whatever device groups you defined).

From a microsoft 365 compliance and m365 security audit perspective, this gives you:

  • A clearly documented set of minimum endpoint standards
  • A live list of which devices meet those standards (and which don’t)
  • A mechanism for follow-up and remediation

It’s a much stronger story than “we think most devices probably have BitLocker on.”

Leverage compliance data in conditional access

Where compliance policies really become powerful is when you combine them with Conditional Access in Microsoft Entra.

Typical pattern:

  • Conditional Access policy: "Require compliant device to access Exchange Online and SharePoint".
  • If a device falls out of compliance (e.g., outdated OS, no disk encryption), it can’t access corporate email or files until it’s fixed.

This is essentially how you implement automated m365 compliance assessment at the access layer. The device’s compliance state automatically controls its access to sensitive resources, based on Intune evaluations rather than manual checks.
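To make the chain concrete, here is an added example (my own Python, not Intune's or Entra's code) that models the starter compliance policy above, the grace periods on the noncompliance actions, and the "require compliant device" Conditional Access decision for Exchange Online and SharePoint Online. The device records, the minimum build of 10.0.19045, the 1-day and 30-day grace periods and the dates are constructed assumptions; the point is to see how one failed setting on an otherwise healthy laptop, or a device Intune has never seen, translates into an access decision.

```python
"""Model how an Intune compliance policy feeds Conditional Access.

Added example, not Intune's or Entra's code: evaluates the starter Windows
compliance policy from this guide over constructed device records, works out
which noncompliance actions have fired, and makes the "require compliant
device" Conditional Access decision for Exchange Online and SharePoint Online.
"""
from datetime import date

# Mirrors the starter policy in the guide; the minimum build and the grace
# periods are assumptions you would tune for your own tenant.
WINDOWS_COMPLIANCE_POLICY = {
    "requireBitLocker": True,
    "minimumOsVersion": "10.0.19045",
    "firewallRequired": True,
    "antivirusRequired": True,
    "antiSpywareRequired": True,
    "defenderServiceRequired": True,
    # Actions for noncompliance: (action, grace period in days)
    "actions": [("markNoncompliant", 0), ("notifyUserAndIT", 1), ("retire", 30)],
}

CA_PROTECTED_APPS = {"Exchange Online", "SharePoint Online"}  # "require compliant device"

# Constructed dates for the worked run.
TODAY = date(2026, 5, 19)
NONCOMPLIANT_SINCE = date(2026, 5, 1)


def _build(text: str) -> tuple:
    """Compare OS versions numerically, not as strings ('10.0.9' < '10.0.19045')."""
    return tuple(int(p) for p in text.split("."))


def evaluate_compliance(policy: dict, device: dict) -> list:
    """Return the list of failed requirements; an empty list means compliant."""
    failures = []
    if policy["requireBitLocker"] and not device["bitLockerEnabled"]:
        failures.append("BitLocker not enabled")
    if _build(device["osVersion"]) < _build(policy["minimumOsVersion"]):
        failures.append(f"OS build {device['osVersion']} below minimum {policy['minimumOsVersion']}")
    checks = (
        ("firewallRequired", "firewallOn", "Firewall off"),
        ("antivirusRequired", "antivirusOn", "Antivirus off"),
        ("antiSpywareRequired", "antiSpywareOn", "Anti-spyware off"),
        ("defenderServiceRequired", "defenderServiceRunning", "Defender service not running"),
    )
    for setting, state, message in checks:
        if policy[setting] and not device[state]:
            failures.append(message)
    return failures


def fired_actions(policy: dict, failures: list, noncompliant_since: date, today: date) -> list:
    """Actions whose grace period has elapsed since the device first failed."""
    if not failures:
        return []
    elapsed = (today - noncompliant_since).days
    return [name for name, grace in policy["actions"] if elapsed >= grace]


def conditional_access(compliant, app: str) -> str:
    """compliant is True/False from Intune; None means the device is not registered at all."""
    if app not in CA_PROTECTED_APPS:
        return "grant"  # this policy is not in scope for the requested app
    if compliant is True:
        return "grant"
    return "block"  # noncompliant, or unmanaged so no compliance state exists


# Constructed sample devices.
SAMPLE_DEVICES = {
    "LAPTOP-01": dict(bitLockerEnabled=True, osVersion="10.0.22631.4169", firewallOn=True,
                      antivirusOn=True, antiSpywareOn=True, defenderServiceRunning=True),
    "LAPTOP-02": dict(bitLockerEnabled=False, osVersion="10.0.22631.4169", firewallOn=True,
                      antivirusOn=True, antiSpywareOn=True, defenderServiceRunning=True),
    "DESKTOP-OLD": dict(bitLockerEnabled=True, osVersion="10.0.18363.1500", firewallOn=False,
                        antivirusOn=True, antiSpywareOn=True, defenderServiceRunning=True),
}


def access_report(policy: dict, devices: dict, today: date, noncompliant_since: date) -> dict:
    """Per-device summary: failures, fired actions and the Exchange Online decision."""
    report = {}
    for name, device in devices.items():
        failures = evaluate_compliance(policy, device)
        report[name] = {
            "compliant": not failures,
            "failures": failures,
            "actions": fired_actions(policy, failures, noncompliant_since, today),
            "exchange": conditional_access(not failures, "Exchange Online"),
        }
    return report


if __name__ == "__main__":
    for name, row in access_report(WINDOWS_COMPLIANCE_POLICY, SAMPLE_DEVICES, TODAY, NONCOMPLIANT_SINCE).items():
        print(name, row)
```

Note the `None` case in `conditional_access`: a device that never enrolled has no compliance state, so "require compliant device" blocks it just as it blocks a failing one. That is the behaviour you want, but it also means a company PC that was never enrolled will lose mail access the moment the policy is enabled, so enroll first and roll the policy out in report-only mode before enforcing it.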

Step 6: Use Configuration Profiles for Centralized Settings

If compliance and security policies are the “rules,” configuration profiles are the “how do we want the device to behave day-to-day?” layer.

Configuration templates vs settings catalog

In Intune, go to Devices → Configuration and create a new profile for Windows 10 and later.

You’ll see two main approaches:

1. Templates – prebuilt collections of settings for common scenarios.

  • Example: the Device restrictions template, which lets you centrally control access to the Settings app, time and language controls, personalization options (wallpaper, themes), and the Start menu layout.

2. Settings catalog – the full, granular list of configurable options.

  • Example: create a profile named OneDrive Configuration, search the catalog for OneDrive, and pick options such as "Configure team site libraries to sync automatically", "Use OneDrive Files On-Demand", and "Block file downloads on low disk space".

Both approaches support a more repeatable and auditable configuration posture—important for any cis benchmark microsoft 365 guide or internal standard you’re trying to follow.

Why configuration profiles matter for compliance

From a pure security angle, configuration profiles might feel like "nice to have" admin conveniences. But for microsoft 365 compliance they actually do a lot of heavy lifting:

  • Ensure all devices behave consistently (no rogue local settings undermining policy)
  • Reduce the chance of accidental data exposure via misconfiguration
  • Provide stable evidence that corporate settings are centrally enforced

When paired with continuous checking tools (more on that a bit later), these profiles become a key part of an automated compliance m365 story: you can both set and continuously verify the intended configuration state.

Step 7: Deploy Applications with Intune

Users need apps to work. Manually installing Office and line-of-business apps on every device is both slow and error-prone. Intune makes this part much easier to standardize and audit.

Deploy Microsoft 365 Apps (Office)

In the Intune admin center:

1. Go to Apps → All apps → Add (or Create).
2. For app type, select Microsoft 365 Apps for Windows 10 and later.
3. Configure the Office suite:

  • Choose which Office apps to install (Word, Excel, PowerPoint, Outlook, etc.).
  • Optionally exclude things you don’t use (Access, Publisher, sometimes OneNote).
  • Set 64-bit, current channel, and choose whether to remove other Office versions.

4. Assign the app suite to:

  • Your Windows 11 devices group, or
  • All devices / all users (depending on your model).

Within a short while, enrolled devices should show Microsoft 365 Apps for enterprise installed.

For auditors and internal reviews, this shows:

  • A consistent deployment model for core productivity apps
  • Reduced risk of outdated Office versions floating around
  • A clear, repeatable approach to application rollout tied to group membership rather than ad-hoc installs.

Other app types and line-of-business software

Beyond Office, Intune can deploy:

  • Win32 apps (packaged .intunewin installers)
  • Store apps
  • Web links (as pseudo-apps)
  • iOS/Android apps via the respective stores

For custom line-of-business apps, Win32 app deployment through Intune is usually the way to go. You package the installer, upload it, define detection rules, and assign to your target groups.

This again plays directly into microsoft 365 compliance automation goals: you can show that approved versions of business apps are consistently and centrally deployed, rather than each user installing whatever they find online.

Step 8: Protect Corporate Data on Personal Devices (App Protection Policies)

So far we’ve focused on fully managed, company-owned devices. But in almost every Microsoft 365 environment, users will access email and files from personal phones and tablets. If you ignore this, your m365 security audit is going to have some uncomfortable findings.

Create app protection policies for iOS and Android

App protection policies are the middle ground between "we don’t manage the device" and "we manage everything on your phone."

In Intune:

1. Go to Apps → App protection policies.
2. Click Create policy and choose a platform (e.g., iOS/iPadOS or Android).
3. Give the policy a name, like iOS App Protection – Corporate Data.
4. Target apps:

  • All Microsoft apps, or
  • Core apps (Outlook, Teams, OneDrive, Office apps).

Configure Data protection settings, for example:

  • Block backup of organizational data to iCloud/iTunes
  • Restrict saving corporate data to only policy-managed apps
  • Require encryption of work data in the app
  • Block printing of organizational data

Then configure Access requirements, for example:

  • Require a PIN to open corporate apps
  • Disallow simple PINs
  • Allow Touch ID/Face ID as a convenience, if you’re comfortable with that

Assign the policy to relevant user groups (e.g., all users or a subset).

This setup means:

  • The phone remains personally owned and unmanaged.
  • Corporate data inside the designated apps is encrypted and controlled.
  • If a user leaves, you can wipe just the corporate app data, not their whole device.

Enforce app protection with Conditional Access

App protection policies alone don’t do much until you require them for access.

In Microsoft Entra (or via the Conditional Access blade surfaced in Intune):

1. Create a new Conditional Access policy.
2. Target All users (or specific groups).
3. Target All cloud apps (or key ones like Exchange Online, SharePoint Online, Teams).
4. Under Conditions → Device platforms, select iOS and/or Android.
5. Under Access controls → Grant:

  • Choose Grant access.
  • Check Require app protection policy.

6. Enable the policy.

Now, users on iOS or Android must use apps that are covered by your app protection policies to access corporate resources. This is a very practical step toward automated m365 compliance assessment on mobile: access is allowed only when the right protections are in place.
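The following is an added example (my own Python, not Entra's code) that encodes the Conditional Access policy built in the six steps above and evaluates a handful of constructed sign-in requests against it. The `enabledForReportingButNotEnforced` state is the real report-only mode of Conditional Access; the request records, the client names and the `appProtectionApplied` flag are my simplification of what the sign-in actually carries, so treat the outcomes as a model of the decision logic rather than a reproduction of the service.

```python
"""Model a Conditional Access policy that requires an app protection policy on mobile.

Added example, not Entra's code: encodes the policy built in the steps above
(all users, Exchange Online / SharePoint Online / Teams, iOS and Android
platforms, grant with "Require app protection policy") and evaluates
constructed sign-in requests against it, including report-only mode.
"""

REQUIRE_MAM_POLICY = {
    "displayName": "Require app protection policy on iOS and Android",
    "state": "enabled",  # or "disabled", or "enabledForReportingButNotEnforced"
    "users": "All users",
    "cloudApps": {"Exchange Online", "SharePoint Online", "Microsoft Teams"},
    "devicePlatforms": {"iOS", "Android"},
    "grantControls": {"requireAppProtectionPolicy"},
}


def in_scope(policy: dict, request: dict) -> bool:
    """Conditions: the sign-in must match both the platform and the target app."""
    return (request["platform"] in policy["devicePlatforms"]
            and request["app"] in policy["cloudApps"])


def evaluate(policy: dict, request: dict) -> str:
    """Return 'grant', 'block', 'report-only: would block' or 'not applicable'."""
    if policy["state"] == "disabled" or not in_scope(policy, request):
        return "not applicable"  # some other policy (or none) governs this sign-in
    controls_met = ("requireAppProtectionPolicy" not in policy["grantControls"]
                    or request["appProtectionApplied"])
    if controls_met:
        return "grant"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only: would block"
    return "block"


# Constructed sign-in requests. appProtectionApplied stands for the client
# being an app that an Intune app protection policy actually manages (Outlook,
# Teams, OneDrive ...); a phone's built-in mail app can never satisfy it.
SAMPLE_REQUESTS = {
    "outlook-ios-managed": {"platform": "iOS", "app": "Exchange Online", "client": "Outlook", "appProtectionApplied": True},
    "native-mail-ios": {"platform": "iOS", "app": "Exchange Online", "client": "iOS Mail", "appProtectionApplied": False},
    "teams-android-managed": {"platform": "Android", "app": "Microsoft Teams", "client": "Teams", "appProtectionApplied": True},
    "browser-android-unmanaged": {"platform": "Android", "app": "SharePoint Online", "client": "Chrome", "appProtectionApplied": False},
    "outlook-windows": {"platform": "Windows", "app": "Exchange Online", "client": "Outlook", "appProtectionApplied": False},
}


def decisions(policy: dict, requests: dict) -> dict:
    """Evaluate every sample request and return {name: outcome}."""
    return {name: evaluate(policy, req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, outcome in decisions(REQUIRE_MAM_POLICY, SAMPLE_REQUESTS).items():
        print(f"{outcome:26} {name}")
```

The Windows request comes back "not applicable" because this policy only targets iOS and Android; the laptop is still covered by the "require compliant device" policy from Step 5, which is why the two policies belong together. Running the policy in report-only mode first gives you the "would block" list, which is the set of users you need to move onto Outlook and Teams before you switch it to enabled.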

Bringing It All Together for Compliance and Audits

By this point, you’ve seen how Intune ties into almost every aspect of a secure Microsoft 365 environment: devices, apps, security, compliance, and access control.

The challenge most teams face isn’t just turning these features on—but proving, continuously, that the environment remains aligned with best practices and benchmarks like the CIS Microsoft 365 Foundations Benchmark.

That’s where combining Intune’s configuration power with dedicated microsoft 365 compliance automation tools can really change the game.

From basic Intune setup to CIS-aligned posture

The steps in this guide get you to a solid baseline:

  • All corporate Windows devices enrolled into Intune and Entra ID.
  • Defender for Endpoint integrated and applied through Intune policies.
  • Compliance policies enforcing disk encryption, supported OS versions, and key security controls.
  • Configuration profiles standardizing Windows and OneDrive behavior.
  • Apps (especially Microsoft 365 Apps) deployed in a controlled way.
  • BYOD scenarios protected via app protection policies + Conditional Access.

To move from "we’re doing the basics" toward "we align with cis benchmark microsoft 365", you’ll usually need to:

  • Map your Intune policies to specific CIS controls.
  • Check regularly for drift (settings changing, devices falling out of compliance).
  • Generate audit-ready reports that show configuration, evidence, and remediation steps.

Doing all of that manually in the portals is possible, but honestly, it gets painful fast—especially as your tenant grows or auditors start asking for formal proof.

Automating Microsoft 365 compliance checks with ConfigCobra

If your next step after getting Intune working is to strengthen your m365 compliance checklist and streamline microsoft 365 audit preparation, it’s worth looking at tools that sit on top of Intune and Entra to continuously check your configuration.

ConfigCobra is one such tool that’s particularly focused on the CIS Microsoft 365 Foundations Benchmark and automated compliance m365 scenarios. It:

  • Automatically assesses your Microsoft 365 tenant against 129 CIS Microsoft 365 Foundations Benchmark controls.
  • Supports both Level 1 (Essential) and Level 2 (Enhanced) profiles, which is valuable if you’re aiming for a more robust, cis certified microsoft 365 posture.
  • Schedules continuous assessments (daily, weekly, monthly) and detects configuration drift in real time.
  • Generates audit-ready PDF reports with evidence and remediation guidance.
  • Maps CIS controls to multiple frameworks like NIS2, HIPAA, PCI DSS, ISO/IEC 27001, NIST CSF, which is extremely helpful when one set of controls has to satisfy several regulations.
  • Supports custom rule sets for specific compliance needs (SOC 2, GDPR, etc.).
  • Provides role-based access control so security, compliance, and IT teams can collaborate without stepping on each other.

When you already use Intune to push and enforce policies, a tool like ConfigCobra can continuously verify and document that your configuration actually matches what CIS and other frameworks expect.

You can explore how that works in more detail here: https://configcobra.com/compliance

Getting started with Intune for Microsoft 365 is less about ticking a single checkbox and more about building a coherent, layered approach:

1. Sort out licensing (Microsoft 365 Business Premium + Intune Plan 1 covers most small to mid-size needs).
2. Connect Intune and Entra ID, and build smart dynamic device/user groups.
3. Enroll corporate devices and make sure they appear cleanly in both Entra and Intune.
4. Secure endpoints with Defender for Endpoint policies and/or security baselines.
5. Define compliance policies so you can clearly say what “trusted” really means.
6. Use configuration profiles to centralize settings and reduce variance.
7. Deploy apps in a controlled, auditable way.
8. Protect BYOD access with app protection policies and Conditional Access.

Taken together, these steps move you a long way toward a stronger m365 security assessment outcome and a more predictable microsoft 365 compliance posture.

If you’re now thinking, “This is great, but how do I actually prove to auditors that all of this stays aligned with CIS and other frameworks over time?”, that’s where layering in automation really pays off. ConfigCobra, for example, continuously checks your tenant against the CIS Microsoft 365 Foundations Benchmark, detects configuration drift, and produces audit-ready reports that map controls across standards.

If your next milestone is tightening up your microsoft 365 compliance automation and making future audits a lot less stressful, it’s worth taking a closer look at ConfigCobra: https://configcobra.com/compliance

Start with a small Intune rollout, refine your policies, and then let automation help you sustain and demonstrate compliance as your environment grows.
