Purpose

This knowledge base article outlines the standard process for reissuing an Intune-managed iPad from an existing user to a new user. This ensures the device is securely wiped, correctly assigned, and fully operational for the incoming staff member.


Scope

This procedure applies to:

  • iPads managed via Microsoft Intune

  • Devices enrolled in Apple Business Manager (ABM)

  • Users authenticating with Microsoft Entra ID (Azure AD)


Prerequisites

Before starting, ensure the following:

  • Device is online or will be available during setup

  • New user account is created in Microsoft 365

  • User is added to the MDM II AD → ABM Sync security group

  • Microsoft Authenticator is installed on the user’s mobile phone

  • User has access to a stable Wi‑Fi connection

⏱️ Important: The ABM account provisioning sync runs approximately every 40 minutes. After adding a user to the MDM II AD → ABM Sync group, allow up to 40 minutes before the Microsoft account can be used as a Managed Apple ID.


Procedure

Scenario A: User Has Not Started Yet (Pre‑Staging)

If the new user has not yet commenced employment:

  1. Wipe the iPad via Intune

  2. Leave the device at the initial setup screen

  3. Do not sign into Apple ID or Company Portal

  4. Once the user starts, continue with the steps below

This ensures the device is ready for immediate setup on the user’s first day.


Scenario B: User Has Started (Active Setup)

Follow the steps below to fully reissue the device.


1. Wipe the iPad via Intune

  1. Log in to Microsoft Intune Admin Center

  2. Navigate to Devices → iOS/iPadOS → All devices

  3. Select the target iPad

  4. Choose Wipe and confirm

⚠️ This will remove all existing data and user associations from the device.


2. Add User to ABM Sync Group

  1. In Microsoft Entra ID (Azure AD), add the user to the MDM II AD → ABM Sync security group

  2. This group automatically provisions the user into the Apple Business Manager app in Azure

  3. Azure will then sync the account to Apple Business Manager (ABM)

⏱️ Allow up to 40 minutes for provisioning to complete before the Microsoft account can be used as a Managed Apple ID.


3. Set Up Passwordless Sign‑In (First User Step)

This is the first step performed with the user.

  1. Install Microsoft Authenticator on the user’s mobile phone

  2. Register the user for passwordless sign‑in

  3. Confirm successful authentication approval from the mobile device

This authentication method will be used for both Apple ID and Company Portal sign‑in.





4. Apple Business Manager Configuration

  1. In Azure / Entra ID, ensure the user’s Microsoft email is:

    • Added and synced to Apple Business Manager

    • Set to be used as the Apple ID

This allows the user to sign in with their Microsoft account instead of a personal Apple ID.


5. Initial iPad Setup (User‑Assisted)

  1. Power on the iPad and connect to Wi‑Fi

  2. Skip all manual Apple setup steps when prompted

  3. Allow remote management to apply automatically

  4. Wait for the Intune enrollment screen to complete


6. Apple ID & Company Portal Sign‑In

  1. On the iPad, sign in to Apple ID using the user’s Microsoft account (Managed Apple ID)

  2. Approve sign‑in using Microsoft Authenticator (passwordless)

  3. Open the Company Portal app

  4. Sign in using the Microsoft account

  5. When prompted, complete the “Being set up” / device configuration workflow

  6. Confirm device compliance status

⚠️ Completing this setup prompt is mandatory for device compliance and app deployment.


7. App Deployment & Verification

  • Restart the iPad once enrollment completes

  • Allow required apps to auto-install

  • Confirm:

    • All apps download successfully

    • User can sign in to each required app


8. Final Configuration

  • Rename the iPad to match naming standards

  • Confirm Apple ID shows the user’s Microsoft email

  • Test email access and core business apps


Completion Checklist

✔ Device wiped via Intune
✔ New user enrolled successfully
✔ Apple ID linked via ABM
✔ Company Portal signed in
✔ Apps deployed and verified
✔ User confirmed successful access
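
The checklist above can also be checked against the device record. The following is an added example, not part of the original procedure or any Microsoft tooling. It audits a device record that has already been exported. It assumes the record uses the Microsoft Graph managedDevice field names (userPrincipalName, enrolledDateTime, complianceState); the function name, sample accounts, serial number and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

ABM_SYNC_WINDOW = timedelta(minutes=40)  # sync interval stated in this article

def _ts(value):
    """Parse a Graph-style ISO 8601 UTC timestamp such as 2024-05-02T09:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_reissue(device, group_upns, new_upn, old_upn, wipe_at, group_added_at, now):
    """Return a list of findings; an empty list means the checks pass."""
    findings = []
    new, old = new_upn.lower(), old_upn.lower()
    owner = (device.get("userPrincipalName") or "").lower()

    # Prerequisite: sync group membership, then the provisioning wait.
    if new not in {u.lower() for u in group_upns}:
        findings.append("new user is not in the ABM sync group")
    elif _ts(now) - _ts(group_added_at) < ABM_SYNC_WINDOW:
        findings.append("fewer than 40 minutes since the user joined the sync group")

    # A record enrolled before the wipe is still the previous user's enrollment.
    if _ts(device["enrolledDateTime"]) <= _ts(wipe_at):
        findings.append("device has not re-enrolled since the wipe")
    if owner == old:
        findings.append("device is still assigned to the previous user")
    elif owner != new:
        findings.append("device is not assigned to the new user")
    if device.get("complianceState") != "compliant":
        findings.append("device is not compliant: " + str(device.get("complianceState")))
    return findings

# Constructed sample records (not real data), shaped like Graph managedDevice objects.
STALE = {"serialNumber": "EXAMPLE0001", "userPrincipalName": "old.user@example.com",
         "enrolledDateTime": "2024-01-10T08:00:00Z", "complianceState": "compliant"}
REISSUED = {"serialNumber": "EXAMPLE0001", "userPrincipalName": "New.User@example.com",
            "enrolledDateTime": "2024-05-02T10:30:00Z", "complianceState": "compliant"}

if __name__ == "__main__":
    args = dict(group_upns=["new.user@example.com"], new_upn="new.user@example.com",
                old_upn="old.user@example.com", wipe_at="2024-05-02T09:00:00Z",
                group_added_at="2024-05-02T09:05:00Z", now="2024-05-02T11:00:00Z")
    for name, rec in (("stale", STALE), ("reissued", REISSUED)):
        print(name, audit_reissue(rec, **args) or "OK")
```

A record that still shows the previous user or an enrollment date earlier than the wipe means the reissue has not taken effect, even if the iPad appears set up.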