Miscellaneous policy mapping from Basic Mobility and Security to Intune – Microsoft Intune

Microsoft Technical Article

Policy Mapping: Basic Mobility and Security to Microsoft Intune

1. Overview

🚀 For IT administrators transitioning from the legacy Basic Mobility and Security (formerly MDM for Office 365) to the robust Microsoft Intune ecosystem, understanding how policies translate is critical. While Basic Mobility and Security offered a streamlined, unified set of controls within the Microsoft Purview compliance portal, Microsoft Intune provides significantly greater granularity and administrative flexibility. Because of this expanded capability, a single legacy policy often branches into multiple Intune compliance policies, configuration profiles, and Microsoft Entra ID Conditional Access policies to maintain functional parity.

📋 This technical guide provides a comprehensive mapping of device properties, organizational access settings, and security policy metadata, ensuring that administrators can locate and manage their migrated assets within the Microsoft Intune admin center effectively.

2. Key Technical Details

⚙️ Device Properties and Administrative Actions

When viewing device inventory in the Microsoft 365 admin center, specific data fields and remote actions map directly to the hardware and overview sections of a device record in Intune. Use the following paths to locate this information in the Intune admin center:

  • Enrolled User: To identify who enrolled the hardware, navigate to: Devices > All devices > device name > Overview > Enrolled by
  • Hardware Category: To identify the platform type, navigate to: Devices > All devices > device name > Overview > Operating system
  • Current Compliance/Management State: This is not always visible by default. You must use the “Columns” picker to enable it: Devices > All devices > Device state column
  • Detailed OS Versioning: For granular build numbers, navigate to: Devices > All devices > device name > Hardware > Operating system version
  • Remote Wipe (Factory Reset): To trigger a full device erasure, use: Devices > All devices > device name > Overview > Wipe
  • Retire (Remove Company Data): To perform a selective wipe of corporate assets only, use: Devices > All devices > device name > Overview > Retire

🛡️ Organization-Wide Access and Conditional Access Mapping

Legacy settings previously found under “Manage organization-wide device access settings” in the Purview portal are governed by Conditional Access in the modern stack. These are primarily underpinned by the [GraphAggregatorService] Device policy, which targets the iOS and Android platforms, focusing on mobile/desktop client apps and requiring a “compliant device” status for access.

Handling Unsupported MDM Platforms:
The legacy setting that decides whether devices not supported by Basic Mobility and Security can still access Exchange email maps to a single condition in one specific classic Conditional Access policy. It is found at this path:
Endpoint security > Conditional Access > Classic policies > [GraphAggregatorService] Device policy > Conditions > Client apps (Preview) > Mobile apps and desktop clients > Exchange ActiveSync clients > Apply policy only to supported platform

Security Group Exclusions:
Excluding specific groups from these access controls involves modifying five distinct classic Conditional Access policies within the Intune/Entra interface:

  • [GraphAggregatorService] Device policy
  • [Office 365 Exchange Online] Device policy
  • [Outlook Service for Exchange] Device policy
  • [Office 365 SharePoint Online] Device policy
  • [Outlook Service for OneDrive] Device policy

To apply these exclusions, navigate to: Endpoint security > Conditional Access > policy name > Users and groups > Exclude

📅 Security Policy Identity and Metadata

In the legacy environment, a policy was a single entity. In Intune, that same policy name and description are replicated across up to three compliance policies and six configuration profiles (covering restrictions and email settings for Windows, iOS, and Android).

Policy Name Mappings:
The “Name” field is synchronized across the following paths using specific suffixes (_O365_W for Windows, _O365_i for iOS, and _O365_A for Android):

  • Compliance: Devices > By platform > [Platform] > Manage devices > Compliance > policy name_O365_[Suffix] > Properties > Basics Edit > Name
  • Configuration: Devices > By platform > [Platform] > Manage devices > Configuration > policy name_O365_[Suffix] > Properties > Basics Edit > Name
  • Email Profiles: Devices > By platform > [Platform] > Manage devices > Configuration > policy name_O365_[Suffix]_Email > Properties > Basics Edit > Name

Policy Description Mappings:
Similarly, the “Description” field is mapped across the same set of objects to maintain administrative context:

  • Compliance/Configuration Descriptions: Follow the same paths as above, ending in: Properties > Basics Edit > Description
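An added PowerShell example (not from the Microsoft article) that audits this fan-out through the Microsoft Graph PowerShell SDK: it lists every compliance policy and configuration profile carrying the _O365_ suffixes, groups them under the legacy policy name they came from, and flags groups whose Description values have drifted apart. It assumes the suffix convention described above and read access through the DeviceManagementConfiguration.Read.All scope.

```powershell
# Added example (not from the Microsoft article): audit the replicated
# Intune objects that a migrated Basic Mobility and Security policy becomes.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the
# suffix convention above (_O365_W / _O365_i / _O365_A, plus _Email for
# email profiles) is what the migration produced.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'

# Suffix -> platform, as documented for the migrated objects.
$platforms = @{ 'W' = 'Windows'; 'i' = 'iOS'; 'A' = 'Android' }
$pattern   = '^(?<base>.+)_O365_(?<plat>[WiA])(?<email>_Email)?$'

# Compliance policies and configuration profiles (email profiles are
# configuration profiles whose name carries the extra _Email suffix).
$objects = @(
    Get-MgDeviceManagementDeviceCompliancePolicy -All |
        ForEach-Object { [pscustomobject]@{ Kind = 'Compliance'; Obj = $_ } }
    Get-MgDeviceManagementDeviceConfiguration -All |
        ForEach-Object { [pscustomobject]@{ Kind = 'Configuration'; Obj = $_ } }
)

$rows = foreach ($o in $objects) {
    if ($o.Obj.DisplayName -match $pattern) {
        [pscustomobject]@{
            LegacyPolicy = $Matches.base
            Platform     = $platforms[$Matches.plat]
            Kind         = if ($Matches.email) { 'Email profile' } else { $o.Kind }
            Name         = $o.Obj.DisplayName
            Description  = $o.Obj.Description
            Id           = $o.Obj.Id
        }
    }
}

# One legacy policy fans out to up to three compliance policies and six
# configuration profiles; report what was found and flag drift in the
# Description field, which the migration is supposed to keep identical.
foreach ($group in $rows | Group-Object LegacyPolicy) {
    $descs  = $group.Group.Description | Sort-Object -Unique
    $status = if ($descs.Count -gt 1) { 'DESCRIPTION MISMATCH' } else { 'ok' }
    Write-Host ("{0}: {1} objects, {2}" -f $group.Name, $group.Count, $status)
    $group.Group | Sort-Object Platform, Kind |
        Format-Table Platform, Kind, Name, Id -AutoSize
}
```

A legacy policy that shows fewer than nine objects here, or a DESCRIPTION MISMATCH, is worth checking in the admin center paths listed above before Conditional Access is left to rely on it.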

3. Impact

⚠️ Administrative Overhead: The primary impact for IT Admins is the shift from a “single pane” policy view to a distributed model. While this requires managing more individual objects, it allows for platform-specific tuning that was previously impossible. For example, you can now have different password complexity requirements for Android than you do for Windows, even if they originated from the same legacy policy.

🔄 Consistent User Experience: Because the underlying [GraphAggregatorService] and classic Conditional Access policies are automatically updated, end-users should experience a seamless transition without losing access to resources, provided their devices remain compliant with the newly mapped Intune policies.

🛡️ Security Enforcement: By using the “require compliant device” control within the mapped Conditional Access policies, organizations ensure that the transition to Intune does not create a security vacuum, maintaining strict gatekeeping for Exchange Online, SharePoint, and OneDrive.


Official Source: Read the full article on Microsoft.com