I am pretty sure what you are trying to achieve is not recommended and in some situations may not even be possible. You can enroll a device in Intune using DEM, that is no problem, but you cannot, or in my opinion should not, use these devices for single-user use. This is in breach of Microsoft licensing compliance. The recommended way is that single-user use is assigned user-based licenses (M365, Intune, etc.), and shared-use scenarios need to have device-based licenses for Intune enrolment. Users using these devices for M365 apps will still require user-based M365 licenses.
Can I Use a Single Intune Enrollment Manager License to Enroll 40 Devices and Manage Them with a Shared ID to Save on Licensing Costs?

I would like to understand if it is possible to use the Intune Enrollment Manager license to enroll 40 or more devices by utilizing a single license, thereby avoiding the need to purchase 39 additional licenses. My plan is to manage all these devices through the Company Portal using the Enrollment Manager account credentials.
Additionally, I intend for the end users to access applications such as Outlook and Microsoft Teams via their web browsers by logging in with a shared common ID that has a standard license. Essentially, I would be using one Microsoft 365 E3 license along with one standard license to cover all 40 users, aiming to significantly reduce licensing costs.
Users will be logging in to the PC using individual accounts on Microsoft Entra without any license added to them, and only they will get the option of username, password and additional MFA.
Could you please provide an analysis of this approach, including potential drawbacks, limitations, and any impact this strategy might have on licensing compliance, security, user experience, and overall device management? Also, is this a viable and recommended approach to implement from both a technical and licensing perspective?
David Prakash
2025-08-06T13:14:00.1833333+00:00
Yes Rahul, you are correct, this is not the recommended solution. However, the client I am working with has a very specific requirement for a group of people. They don't use individual email accounts; instead, they operate using a single generic email address for all communications, and their devices need to be managed on Intune. Everyone uses separate AD login credentials without a license attached, and they will benefit from SSO, MFA and Conditional Access.
Because of this, no licenses will be assigned to individual users. Instead, all users will access the generic email account via a browser. Access will be managed and controlled through a Conditional Access (CA) policy that restricts login to only 40 specific devices. Any other devices attempting to access the account will be blocked to prevent any breach activity.
This idea emerged during our brainstorming sessions as a possible solution. I would really value your feedback and suggestions.