Windows Autopilot enrollment

This topic applies to Endpoint Manager version 2021.1 SU1 and newer. Customers running older versions should go here: Azure AD enrollment.

By linking Azure Active Directory and your CSA, you can automatically enroll corporate-owned Windows 10/11 devices during device setup and pre-configure them with policies and settings for a custom out-of-box experience. You can also enroll devices owned by users defined in your Azure AD at any time.

NOTE: A CSA can only connect to a single Azure AD account. If you have multiple Azure AD accounts you would like to use with Autopilot, you will need to set up an additional CSA for each account.

To configure Autopilot enrollment

1. In a browser, log in to the Azure AD Portal (portal.azure.com) with your Global Administrator account.

2. Use the expandable menu on the left side of the screen to navigate to Azure Active Directory.

3. Select App registrations in the left menu.

4. Click New registration. The default Single tenant with no Redirect URI is sufficient.

5. Click the app you created for Autopilot.

6. Click Certificates & secrets in the left menu.

7. Copy your Application (client) ID and Directory (tenant) ID somewhere safe, since you will enter them in Endpoint Manager.

8. From the menu beside your app name, click the Certificates & secrets menu link and create a Client secret. Make a note of this too so you can enter it later.

9. Select API permissions in the left menu.

10. Select Mobility (MDM and MAM) in the left menu.

11. Click Add a permission and then click the Microsoft Graph box.

12. On the Request API permissions page, click the Application permissions box.

13. For each of the permissions below, type the name of the permission in the search bar and select the ".ReadWrite.All" version of that permission. Click Add permission at the bottom of the page. Once all of the permissions have been added, click the Grant admin consent for <domain> button (to the right of the Add a permission button) to consent to this grant of permissions.

Group: Read, Write

Directory: Read, Write

DeviceManagementApps: Read, Write

DeviceManagementConfiguration: Read, Write

DeviceManagementServiceConfig: Read, Write

DeviceManagementManagedDevices: Read, Write

Applications: Read, Write
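Once the app registration exists and admin consent has been granted, it is worth confirming that the registration really holds exactly the permissions listed above and nothing more, since these are tenant-wide application permissions that any holder of the client secret can exercise. The following script is an added example and is not part of the original page or of Endpoint Manager: it requests an app-only token with the OAuth 2.0 client-credentials flow (tenant ID, client ID and client secret are assumed to be supplied through the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, names chosen for this example) and compares the token's `roles` claim with the required set. The Graph permission names are the ".ReadWrite.All" forms of the entries above; the page's "Applications" entry corresponds to Graph's `Application.ReadWrite.All`.

```python
"""Added example (not from the original page): check that an Azure AD app
registration used for Autopilot enrollment holds the Microsoft Graph
application permissions listed on this page, by obtaining an app-only token
and inspecting its `roles` claim."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Graph application roles matching the "Read, Write" entries on this page
# (the page's "Applications" entry is Graph's Application.ReadWrite.All).
REQUIRED_ROLES = frozenset({
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "Application.ReadWrite.All",
})


def request_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials request to the v2.0 token endpoint (needs network).
    The three values are the ones recorded during the app registration steps."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without checking the
    signature. That is fine for inspecting a token we just received from the
    issuer ourselves; it is not a way to validate tokens presented to us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(payload: dict, required=REQUIRED_ROLES) -> dict:
    """Compare the token's `roles` claim with the required permissions.
    `missing` usually means admin consent was not granted (or not yet
    propagated); `extra` flags permissions beyond what this integration needs
    and should be removed from the registration."""
    granted = set(payload.get("roles", []))
    return {
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        "ok": required <= granted,
    }


def make_sample_token(roles) -> str:
    """Constructed, unsigned token-shaped string for offline testing of the
    two functions above (a real Azure AD app-only token carries the same
    `roles` claim, plus a signature and many other claims)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg({'roles': list(roles)})}.sig"


if __name__ == "__main__":
    # Secrets are read from the environment so they never land in a script;
    # without them, fall back to a constructed sample token.
    if all(k in os.environ for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")):
        token = request_graph_token(os.environ["AZURE_TENANT_ID"],
                                    os.environ["AZURE_CLIENT_ID"],
                                    os.environ["AZURE_CLIENT_SECRET"])
    else:
        token = make_sample_token(["Group.ReadWrite.All", "User.Read.All"])
    print(json.dumps(check_roles(decode_jwt_payload(token)), indent=2))
```

A non-empty `missing` list right after clicking Grant admin consent can simply mean consent has not propagated yet; re-run after a few minutes before changing anything. A non-empty `extra` list is the finding to act on: remove the unneeded permissions from the registration, then rotate the client secret if it has been stored anywhere it should not have been.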

For information about deploying the agent after MDM enrollment, see Installing the agent for hybrid management.

User Experience

Out-of-box experience. During the initial device setup, the user enters their corporate credentials on the Sign in with Microsoft work or school account screen. They are shown the enrollment agreement configured in Endpoint Manager. If they accept the agreement, the device enrolls and walks them through the rest of the Windows setup.

Bring your own device. The user navigates to Windows Settings > Accounts > Access work or school. They click Connect and enter their corporate credentials. They are shown the enrollment agreement configured in Endpoint Manager. If they accept the agreement, the device enrolls.