New Tenancy Setup

Introduction

These are the best practices that I follow when setting up a new tenant from scratch.

Admin Account Setup

We should be creating the following accounts:

Entra ID Group Setup

The following groups should also be created as a standard:

  • SG-LIC-{Licence Name} for each of the licences that are being deployed.

    • Use the full licence name, without spaces. E.g., SG-LIC-Microsoft 365 Business Premium

  • SG-DynDev-Windows 10 Devices

    • Dynamic Device Group with query (device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.1")

  • SG-DynDev-Windows 11 Devices

    • Dynamic Device Group with query (device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.2")

  • SG-DynDev-AutoPilot Devices

    • Dynamic Device Group with query (device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))
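The three dynamic device groups above, created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original notes. It assumes the Microsoft.Graph.Groups module is installed and the signed-in admin has consented to Group.ReadWrite.All; dynamic membership also requires an Entra ID P1 licence in the tenant (included in Microsoft 365 Business Premium).

```powershell
# Added example, not from the original notes. Creates the dynamic device groups
# listed above using Microsoft Graph PowerShell (Microsoft.Graph.Groups module).
# Assumes the signed-in admin has Group.ReadWrite.All consent.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Display name -> membership rule, exactly as written in the notes.
# Windows 10 builds are 10.0.1xxxx (e.g. 10.0.19045) and Windows 11 builds are
# 10.0.2xxxx (e.g. 10.0.22631), which is why the OS version prefix is used.
$dynamicDeviceGroups = [ordered]@{
    "SG-DynDev-Windows 10 Devices" = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.1")'
    "SG-DynDev-Windows 11 Devices" = '(device.deviceOSType -eq "Windows") and (device.deviceOSVersion -startsWith "10.0.2")'
    "SG-DynDev-AutoPilot Devices"  = '(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))'
}

foreach ($name in $dynamicDeviceGroups.Keys) {
    # Idempotency check: re-running the script must not create duplicate groups.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Skipping '$name' (already exists, id $($existing.Id))"
        continue
    }

    $params = @{
        DisplayName                   = $name
        MailEnabled                   = $false
        # mailNickname may not contain spaces, so strip everything non-alphanumeric.
        MailNickname                  = ($name -replace '[^A-Za-z0-9]', '')
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")
        MembershipRule                = $dynamicDeviceGroups[$name]
        MembershipRuleProcessingState = "On"   # "Paused" would create the group without evaluating members
    }
    $group = New-MgGroup @params
    Write-Host "Created '$name' with id $($group.Id)"
}
```

Membership is evaluated asynchronously, so newly enrolled devices can take several minutes to appear in the group; check the Membership processing status on the group's overview page before relying on it for assignments.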

Licence Setup

Microsoft 365 Business Premium

When the licence is assigned to the group, disable the following Services, as they are rarely used and this will help reduce noise:

  • Microsoft Kaizala Pro

  • Microsoft Invoicing (this has been retired)

  • Outlook Customer Manager (this has been retired)

Enable PIN Reset Service

Navigate to the following URLs using an account with App Admin or Global Admin:

Microsoft Pin Reset Service Production

Microsoft PIN Reset Client Production

In Endpoint Manager:

Select Devices > Configuration profiles > Create profile.

Enter the following properties:

  • Platform: Select Windows 10 and later.

  • Profile type: Select Settings catalog.

Select Create.

In Basics, enter the following properties:

  • Name: Enter a descriptive name for the profile.

  • Description: Enter a description for the profile. This setting is optional but recommended.

Select Next.

In Configuration settings, select Add settings.

In the settings picker, select Windows Hello For Business > Enable Pin Recovery.

Configure Enable Pin Recovery to true.

Select Next.

In Scope tags, assign any applicable tags (optional).

Select Next.

In Assignments, select the security groups that will receive the policy.

Select Next.

In Review + create, review your settings and select Create.

Enable MDM

Log into the Azure Portal

Go to Azure Active Directory

On the left-hand side, select Mobility (MDM and MAM)

Click on Microsoft Intune

Ensure that MDM user scope is set to All

Ensure that MAM user scope is set to None (unless you need MAM policies as well)

Configure Intune

AutoPilot Profile

TBA

Compliance Policies

Create a Compliance Policy for each Operating System that is in scope.

Configuration Profiles

Windows Health Monitoring

Update Policies

Update Rings
