Improvements to Intune admin licensing: Allow Unlicensed Administrators into your Intune environment

 

Previously, the Microsoft Intune suite required administrators to have an Intune license assigned to their account to access the Microsoft Endpoint Manager admin center.

You had to pay a monthly fee for any partner support personnel who needed access to your Microsoft Endpoint Manager console for end-user and escalation support.

In these cases, where the administrator would not be enrolling a device under the same account, this effectively wasted Intune licenses. Customers and support partners were both paying Microsoft for the same licenses.

Enter Unlicensed Administrators!

Thankfully, Microsoft heard our cries and has enabled a solution that lets unlicensed administrators access your Microsoft Endpoint Manager admin center console.

 

Set Up Intune for Unlicensed Administrators

You can enable unlicensed administrators within your Microsoft Endpoint Manager admin center by: 

  1. Signing in to https://endpoint.microsoft.com  

  2. Navigating to Tenant Administration > Roles > Administrator licensing  

  3. Selecting Allow access to unlicensed admins 


 

Note: Once you enable access for unlicensed administrators, you will not be able to disable it.

This works for both member accounts and guest accounts in your tenant. It is supported for administrators signing in with the Global Administrator or Intune Administrator Azure AD roles and for administrators using Intune role-based access control (RBAC) roles.

 

Ensuring Secure Access for Support Partners in Microsoft Intune

While this is useful for minimizing underutilized Intune licenses, you will still want to ensure you have licensing set up for security features such as Conditional Access and Privileged Identity Management (PIM), which require Azure AD Premium P1 and P2 licenses, respectively.

Use Conditional Access to enforce multi-factor authentication (MFA) and other access controls, and make sure these policies also include guest administrators: you are responsible for enforcing their access controls while they are in your tenant.

PIM is available for the Intune Administrator Azure AD role but is not available for administrators who use only an Intune RBAC role.
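A check for the Conditional Access guidance above, as an added example that is not from the original article: it reads policies in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and reports which MFA policies actually apply to guest accounts. The sample policies are constructed, and the check assumes scope is expressed through the user conditions only, so group- or role-targeted scope and authentication strengths are not evaluated.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies); not data from a real tenant.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["GuestsOrExternalUsers"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA for guests (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or compliant device", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}
]""")

def covers_guests(policy):
    """True if the policy's user scope includes guests and does not exclude them."""
    users = (policy.get("conditions") or {}).get("users") or {}
    include = users.get("includeUsers") or []
    exclude = users.get("excludeUsers") or []
    included = ("All" in include or "GuestsOrExternalUsers" in include
                or bool(users.get("includeGuestsOrExternalUsers")))
    excluded = ("GuestsOrExternalUsers" in exclude
                or bool(users.get("excludeGuestsOrExternalUsers")))
    return included and not excluded

def audit_guest_mfa(policies):
    """Return (policies enforcing MFA for guests, [(policy, reason)] gaps)."""
    enforcing, gaps = [], []
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        if "mfa" not in controls:
            continue  # not an MFA policy; out of scope for this check
        if p.get("state") != "enabled":
            gaps.append((p["displayName"], "state is " + str(p.get("state"))))
        elif not covers_guests(p):
            gaps.append((p["displayName"], "guests not in user scope"))
        elif grant.get("operator") != "AND" and len(controls) > 1:
            gaps.append((p["displayName"], "MFA is one of several OR options"))
        else:
            enforcing.append(p["displayName"])
    return enforcing, gaps

if __name__ == "__main__":
    print(audit_guest_mfa(SAMPLE_POLICIES))
```

An empty first list means no enabled policy strictly requires MFA from guest administrators, even though every sample policy mentions MFA.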

 

Monthly Active Users Ratio for Unlicensed Administrators in Microsoft Intune

There are a few ways of getting the Azure AD Premium P1 and P2 licenses such as through an Enterprise Mobility + Security license, Azure or Microsoft 365 subscription, or through a Microsoft Volume Licensing plan.  

For guest licensing there is the Monthly Active Users (MAU) model which replaces the existing 1:5 ratio model. 

With this model your first 50,000 MAUs per month are free for both Azure AD Premium P1 and Premium P2 features. After 50,000 MAUs in a month there is a low charge per additional MAU.  

Microsoft’s pricing calculator for external identities is available via this link

You can read more about enabling this model via this link

 

Conclusion 

These new support options make it easier to bring in professional help when managing devices through Microsoft Intune. Mobile Mentor offers an ongoing Intune Support service where you can chat and submit tickets to a Microsoft Gold Partner and have a certified Microsoft engineer help troubleshoot your issue or answer your questions. 

Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.

For more information contact us or check out our Endpoint Support service.