
Implementation of Azure AD and Intune for 3,000 users

Project Location: Remote

Project Timeline: 02 (two) months

Current Infrastructure
- Currently, approximately 3,000 employees deliver the required services on behalf of <CLIENT> from their personal laptops. These laptops are in a workgroup and are not part of any Active Directory domain.
- The users are telemarketing agents.

Requirement
- <CLIENT> wants to ensure that the 3,000 end users' systems registered with <CLIENT> are compliant in terms of OS, anti-virus, Windows system updates, and deployment of the DLP agent.

Sensitivity: Internal & Restricted


1 Proposed architecture and solution description

2 Technology stack
Product name    OEM        Description
Azure EMS E3    Microsoft  Azure AD Premium P1, Intune (MDM) and Conditional Access.
RDP             Microsoft  Remote desktop control, used only by privileged users.

3 Software BOM
Product         Quantity
Azure EMS E3    3000

4 Scope of Work:

4.1 SOW for Intune Implementation


A Assess phase
1 Assess DNS, network, and infrastructure needs.
2 Check client needs (internet browser, client operating system, and service needs) and share a report on unsupported devices.

3 User identity and provisioning.
4 Enable eligible services that have been purchased and defined to be part of the onboarding.
5 Establish the timeline for remediation activities.
6 Provide a remediation checklist for both Intune and Azure AD Premium.
B Remediate phase
1 Based on the assessment, share and discuss all observations with <CLIENT>'s IT team and fine-tune the rollout plan for pilot and production users.
C Enable phase
1 Activating your Microsoft online service tenant or subscription.
2 Syncing 3,000 users onto Azure AD DS.
3 Enforcing policies and testing that they work as expected.
4 Configuring TCP/IP protocols and firewall ports.
5 Configuring DNS for eligible services.
6 Validating connectivity to Microsoft online services.
7 Configuring managed authentication with the Azure Active Directory Connect tool.
D Enable phase - Microsoft Azure Active Directory Premium
1 Activating your Azure AD Premium tenant.
2 Validating connectivity to Azure AD Premium services.
3 Configuring an authentication method (Password Hash Sync or Pass-Through Authentication) with the Azure AD Connect tool.
4 Configuring Azure Active Directory Pass-through Authentication, if required.
5 Configuring Azure Active Directory Seamless Single Sign-On (SSO), if required.
E Enable phase - Azure AD Premium with Azure AD Connect
1 User provisioning, including licensing.
2 Azure AD Connect directory synchronization.
3 Self-Service Password Reset (SSPR), if required.
4 Azure Multi-Factor Authentication, if required.
5 Customized logon screen, including logo, text, and images.
7 Azure Active Directory Conditional Access.
F Enable phase - Intune
1 Configuring identities to be used by Intune, leveraging cloud identities (Azure Active Directory).
2 Licensing the end users.
3 Adding users to the Intune subscription, defining IT admin roles, and creating user and device groups.
4 Configuring the Mobile Device Management (MDM) authority, based on your management needs, including:
o Configure Intune to check that the anti-virus on supported devices is up to date.
o Configure Intune to check that supported devices have the latest Windows patches installed.
o Configure Intune to check that the DLP agent is installed on supported devices.
o Configure Intune to allow access only to users/devices that are registered in the Company Portal and compliant with <CLIENT>'s policies.
o Configure reports in Intune for hardware and software asset management.
o Configure Intune to deploy software packages to end user systems.
o Discuss with the <CLIENT> team whether they want to explore further Intune services.
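The anti-virus and patch checks above map onto Intune's built-in Windows compliance settings, but "DLP agent installed" does not, so it is normally implemented as an Intune custom compliance policy: a discovery script that runs on the device and a rules file that Intune evaluates against its output. The following is an added example, not part of this proposal or of any Intune documentation; the service name `ClientDlpAgent`, the intranet URLs and the 3-day signature threshold are placeholders to be replaced with the client's real values.

```powershell
# Added example (not part of the proposal): Intune custom compliance discovery script.
# It runs on the device as SYSTEM and must print exactly one compressed JSON object
# whose keys match the SettingName values in the rules file uploaded with it.

# Placeholder: replace with the Windows service name of the DLP agent actually deployed.
$DlpServiceName = 'ClientDlpAgent'

# Presence check. -ErrorAction SilentlyContinue matters: an unhandled error makes the
# device show as "not evaluated" rather than "not compliant", which is the wrong default.
$svc = Get-Service -Name $DlpServiceName -ErrorAction SilentlyContinue
$installed = ($null -ne $svc)
$running   = $installed -and ($svc.Status -eq 'Running')

# Defender signature age, so stale AV can be flagged by the same policy.
# 9999 means "could not be read"; it deliberately fails the LessEquals rule below (fail closed).
$sigAgeDays = 9999
try { $sigAgeDays = [int](Get-MpComputerStatus -ErrorAction Stop).AntivirusSignatureAge } catch { }

$result = [ordered]@{
    DlpAgentRunning    = [bool]$running
    AvSignatureAgeDays = $sigAgeDays
}
return ($result | ConvertTo-Json -Compress)

<# Matching rules file, uploaded in the Intune admin center next to the script.
   Both settings must pass for the device to be marked compliant (placeholder URLs/threshold):
{
  "Rules": [
    { "SettingName": "DlpAgentRunning", "Operator": "IsEquals", "DataType": "Boolean",
      "Operand": true, "MoreInfoUrl": "https://intranet.example/dlp",
      "RemediationStrings": [ { "Language": "en_US", "Title": "DLP agent missing or stopped",
        "Description": "Install the DLP agent from the Company Portal and ensure its service is running." } ] },
    { "SettingName": "AvSignatureAgeDays", "Operator": "LessEquals", "DataType": "Int64",
      "Operand": 3, "MoreInfoUrl": "https://intranet.example/av",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Antivirus signatures out of date",
        "Description": "Run a Windows Security update; signatures older than 3 days are non-compliant." } ] }
  ]
}
#>
```

The resulting compliance state is what the Conditional Access grant control "Require device to be marked as compliant" consumes, which is how the "allow access only if registered and compliant" item above is actually enforced.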

5 Setting up Windows Autopilot.
6 Configuring and setting up Microsoft Intune for Windows Autopilot.
7 Creating and assigning devices to Windows Autopilot profiles (e.g. a Windows Autopilot profile that restricts Local Administrator account creation).
8 Customizing the Out-of-Box Experience (OOBE) to comply with the organization's requirements.
9 Configuring MDM auto-enrollment in Azure AD and Intune.
10 Restoring a system to its normal state after an operating system crash.

4.2 New user enrollment statement of work

Sr. No  Deliverables
1 Manually configure and set up Microsoft Intune.
2 Manually create and assign devices to Windows Autopilot profiles (e.g. a Windows Autopilot profile that restricts Local Administrator account creation).
3 Configure MDM auto-enrollment in Azure AD and Intune.

5 Pre-requisites for user enrollment


- Windows 10 Enterprise on end user systems
- Azure standard subscription
- Ports 80 and 443 enabled
- Updated internet browser

6 Out of scope:
• Any network-related issues.
• Any hardware issues.
• Patching for Linux/Unix systems.
• Any type of application development, customization, or integration.
• Any customization beyond the native capabilities of Microsoft Intune.
• Independent testing of third-party software.
• Application access-related issues.
• Any anti-virus and OS-level issues; we will only ensure that end user devices stay compliant.
• Any activity not covered in the scope of this proposal document will be treated as out of scope.

7 Assumptions
• The activity will be carried out from a remote location.
• If an untrusted or third-party email platform is used, data leak protection cannot be guaranteed.
• Required bandwidth, media, licenses, access, permissions, staging area and information needed to deliver the project will be provided by <CLIENT>.
• <CLIENT> will provide a SPOC for the entirety of the implementation project who will help the project team with any required information related to project activities.
• All systems will be new and will be domain-joined using the Windows Autopilot service or a manual approach.
• Any data migration from end systems after domain enrollment will not be our responsibility.
