Intune: If Migrating, Don’t Worry About Those EAS Records

If you have an existing MDM solution and are migrating devices over to Intune, you might notice some EAS records being created. These will be viewable as devices, even if the user did not enroll them into Intune. Sometimes, you’ll see these EAS records being created in Intune for users that have never even installed Company Portal! What is going on here?

The answer can be found in Microsoft’s KB about Intune Conditional Access:

The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access.

In other words, the Intune Exchange Connector actively reads the account information of active users, and if any ActivesyncIDs are detected, Intune automatically creates a record for that ID. This happens even if the device has never touched Intune! So if you are migrating users from one MDM environment to Intune (with the Exchange Connector configured), you will most likely see these “ghost” EAS records.

If you are confused because you don’t have conditional access enabled, you aren’t alone. The thing is, this behavior will happen even if conditional access is turned off! Being “disabled” apparently doesn’t mean “completely disabled” to Microsoft.

As long as your conditional access is not enabled though, you don’t need to stress too much:

  • These “ghost” EAS records will only be created for users that have an Intune license associated with their Azure AD account. So plan out your license distribution carefully.
  • If you don’t have conditional access turned on yet, these EAS records will have no impact to the user. Further note on this, you can even delete these records with no impact, but note that Intune will just re-create them again upon another scan.
  • If the user enrolls the EAS device into Intune, it will merge the MDM and EAS records together (provided that the UPN of the user is the same too).

 

Leave a Reply

Your email address will not be published. Required fields are marked *