In this post I will discuss the difference between MDM user scope and MAM user scope. At first it looks quite confusing, and it can create conflicts with the settings we want for personally owned devices (BYOD – Bring Your Own Device) versus corporate-owned devices.

To understand the seamless Intune enrollment process, we first need to understand the difference between MDM user scope and MAM user scope.

In a nutshell: MDM user scope (Mobile Device Management) is used for device enrollment, which is specifically meant for corporate devices that are Azure AD joined or hybrid Azure AD joined, while MAM user scope (Mobile Application Management) is used for BYOD devices and applies Windows Information Protection (WIP) policies. For a BYOD device this doesn’t mean that you can’t enroll the device; it can certainly be done, but we should not be doing it for personal devices, as we don’t want to manage personal devices. If you disable MAM user scope while MDM user scope is enabled, BYOD devices will also get enrolled, making them lightly managed devices. To be precise, we should enable both MDM and MAM user scope if we have a combination of corporate and personal devices.

Let’s understand each setting individually first, and then I will combine the settings to see the impact on devices.

What is MDM user scope

Mobile Device Management (MDM user scope) is used to enroll the device in Intune, through which it can be fully managed. This setting controls which users are allowed to enroll devices into Intune and is responsible for automatic MDM enrollment.

Devices that are Azure AD joined or hybrid Azure AD joined are treated as corporate devices.

We can find this setting in the Microsoft Endpoint Manager admin center: go to Home > Windows > Windows enrollment and click on Automatic Enrollment. The same setting is also available in the Azure portal under Azure Active Directory > Mobility (MDM and MAM).

MDM user scope setting

We can see MDM user scope has 3 options to select:

  • None: Disable the MDM user scope
  • Some: Set the option for specific group / groups
  • All: Enable MDM user scope for all users

Once set to Some or All, it allows the selected set of users (or all users) to automatically enroll their devices in Intune.

With this we are enabling MDM auto-enrollment for Azure AD joined devices, hybrid Azure AD joined devices and Bring Your Own Devices (BYOD).

What is MAM user scope

Mobile Application Management user scope is valid for the BYOD (Bring Your Own Device) scenario only. With MAM user scope you can apply Windows Information Protection (WIP) policies to devices to restrict the applications. This setting is not meant for enrolling the device. As the device is not enrolled, the organization has no control over or visibility into your personal files and can’t deploy any apps, though it can control the corporate / work profile related applications and policies as part of MAM user scope.

MAM is the option for users who don’t want to enroll their personal devices but still want to use organization resources / apps such as Office 365, Teams etc.

Devices with workplace join (Azure AD registered) are treated as personal devices.

When MAM is used for application management without enrollment (also known as MAM-WE), we are only managing the apps in the work profile, without enrolling the device in Intune MDM. This protects the organization’s data within the application and prevents accidental copying of data from the work profile to the personal profile.

MAM is available for the following platforms:

  • Android
  • iOS/iPadOS
  • Windows

However, MAM user scope is only valid for Windows devices. Applications on all of these platforms can still be managed with MAM through App protection policies and App configuration policies.

MAM user scope setting

MAM user scope also has the same 3 settings to apply, i.e. None, Some and All.

Two more points to note:

  • For BYOD devices, the MAM user scope policy will always take precedence over the MDM user scope policy if both are enabled for the user. This means the device will not be enrolled in Intune.
  • For corporate devices, the MDM user scope policy will always take precedence.

Note: Microsoft is deprecating Windows Information Protection (WIP). Microsoft will continue to support WIP on supported versions of Windows, but new versions of Windows won’t include new capabilities for WIP. Check Announcing sunset of Windows Information Protection for more details. Microsoft recommends exploring Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection, to protect sensitive data.

Difference between MDM user scope and MAM user scope

What are the differences when the various combinations of MDM user scope and MAM user scope are applied? Let’s discuss:

| MDM user scope | MAM user scope | Azure AD joined devices (Corporate): Enrollment status | Azure AD registered devices (Personal): Enrollment status |
|---|---|---|---|
| Yes | Yes | Yes | No |
| Yes | None | Yes | Yes |

The table above is for reference.

For Azure AD joined devices, MDM user scope takes precedence because they are corporate devices, so irrespective of the MAM user scope the device will always get enrolled.

But for Azure AD registered devices the behaviour can differ, as shown in the table. Let’s cover 2 scenarios:

Scenario 1: Both MDM user scope and MAM user scope enabled.

enable both MDM user scope and MAM user scope

Log in to Windows 10, navigate to Start > Settings > Accounts > Access work or school and click on Connect.

Access work or school Connect

As I want the device to end up in the Azure AD registered state, provide the email address.


Provide the username and wait for the device to get registered.

We can see the device got Azure AD registered, shown with the Windows sign.

Azure AD registered

Click on the info. The biggest difference you will see for MAM enrollment is “Managed by mddprov account”, shown along with “Areas managed by mddprov account”. This means the device is provisioned using Mobile Application Management. For more details on the mddprov account, check the link.

Managed by mddprov account

Open Event Viewer and navigate to Applications and Services Logs \ Microsoft \ Windows \ User Device Registration \ Admin. In the right pane, we can see the message:

The registration status has been successfully flushed to disk.

Join type: 5 (WORKPLACE)

Join type 5 means Azure AD registered, or workplace join.

Join type: 5 (Workplace)

You can verify the workplace join with MAM policies applied through the command dsregcmd /status:

Work Account 1

When we log in to the Azure portal, the device shows as Azure AD registered.

Azure AD registered device in AAD

When we log in to the MEM admin center, we can’t find the device listed as an enrolled device.

Azure AD registered device not found in Intune

Scenario 2: MDM user scope enabled and MAM user scope disabled.

This time we made the following change:

MDM user scope: All

MAM user scope: None


Note: As no MAM user scope is specified, we expect the MDM user scope to kick in and enroll the device even though it is a personally owned device.

Once again go to Access work or school, click on Connect and perform the Azure AD registration process by providing the email address.

Once registration completes, we again see the Windows sign (not the briefcase sign), which is an indication of Azure AD registration.


However, when we click on Info, we see “Managed by <companyname>” along with “Areas managed by <companyname>”.

Managed by company name

Event Viewer is still showing “Join type: 5 (WORKPLACE)”.

In Azure Portal > Azure Active Directory > Devices, we see some slight changes this time. Join Type is still showing “Azure AD registered”, but MDM authority is now showing “Microsoft Intune” as well, which means the device also got enrolled.

Azure AD registered in Intune

We can verify the enrollment of the device by logging in to the MEM admin center.

We can see the device listed here and managed by Intune.

Azure AD registered device enrolled in Intune

As we performed an Azure AD registration (not an Azure AD join), the device is showing Ownership as “Personal”.

And for personal devices, the organization is not able to see the applications installed on the device; the list is empty. This is the lightly managed device scenario.


See below how a corporate-owned, Azure AD joined (enrolled) device shows all discovered apps:

Discovered apps in Intune
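The two scenarios above are checked by hand in the Settings app, Event Viewer and dsregcmd /status. The following script, which is an added example and not part of the original post, performs the same checks from a PowerShell prompt on the device and reports the join type, whether an MDM enrollment exists, and the latest "Join type" event. It assumes the field names printed by dsregcmd /status (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, WorkplaceMdmUrl), that the MDM URL fields are blank on an unenrolled device, and that MDM enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments with a UPN value; the function name is my own.

```powershell
# Added example, not from the original post: summarise the join type and MDM
# enrollment state of the local Windows device. Assumptions: dsregcmd /status
# prints "Key : Value" lines with the field names used below, the MDM URL
# fields are blank when the device is not enrolled, and enrollment records
# live under HKLM:\SOFTWARE\Microsoft\Enrollments. Run from an elevated prompt.

function Get-DeviceJoinAndEnrollmentState {
    [CmdletBinding()]
    param()

    # Collect every "Key : Value" line from dsregcmd into a hashtable.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Classify the join type the way the post does: Azure AD join or hybrid
    # join = corporate device, workplace join (Azure AD registered) = personal.
    $joinType =
        if ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD joined (corporate)' }
        elseif ($fields['AzureAdJoined'] -eq 'YES') { 'Azure AD joined (corporate)' }
        elseif ($fields['WorkplaceJoined'] -eq 'YES') { 'Azure AD registered / workplace join (personal)' }
        else { 'Not joined' }

    # An MDM URL is only present once the device is enrolled. For a
    # workplace-joined account the value sits in the Work Account section
    # as WorkplaceMdmUrl (assumption: blank when MAM-only, as in scenario 1).
    $mdmUrl = @($fields['MdmUrl'], $fields['WorkplaceMdmUrl']) |
        Where-Object { $_ -and $_ -ne '' } | Select-Object -First 1

    # Cross-check against the enrollment records in the registry.
    $enrollments = @()
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Enrollments') {
        $enrollments = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.PSObject.Properties.Name -contains 'UPN' } |
            Select-Object UPN, EnrollmentType, ProviderID)
    }

    # Newest "Join type" line from the User Device Registration admin log
    # (the post expects "Join type: 5 (WORKPLACE)" in both scenarios).
    $joinEvent = Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Join type' } |
        Select-Object -First 1
    $joinLine = $null
    if ($joinEvent) {
        $joinLine = ($joinEvent.Message -split "`n" |
            Where-Object { $_ -match 'Join type' } | Select-Object -First 1).Trim()
    }

    [pscustomobject]@{
        JoinType      = $joinType
        MdmUrl        = $mdmUrl
        MdmEnrolled   = ([bool]$mdmUrl) -or ($enrollments.Count -gt 0)
        Enrollments   = $enrollments
        LastJoinEvent = $joinLine
    }
}

Get-DeviceJoinAndEnrollmentState | Format-List
```

On the scenario 1 device the output should show the personal join type with MdmEnrolled set to False and no enrollment records; on the scenario 2 device the same join type appears, but MdmEnrolled becomes True and an enrollment record with the user's UPN is listed, matching what the MEM admin center shows.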

When to enable both, i.e. MDM user scope and MAM user scope

I would say this should be the ideal scenario, as in the current situation we have both corporate-owned devices and personally owned devices with Office 365, Teams and apps installed.

When both are enabled, personally owned devices will not get enrolled in Intune. This means the organization cannot touch your personal data and has no visibility into what you do or what you have. It does have full control over the work profile related content, which can be wiped. The organization can control how you use work profile applications and can impose restrictions and policies on them, but this won’t apply to the personal side of your device.

The same applies to your Windows device if it is only Azure AD registered while both MDM user scope and MAM user scope are enabled: it won’t enroll in Intune.

Important Links

Set up enrollment for Windows devices by using Microsoft Intune | Microsoft Docs

Mobile Application Management (MAM) for unenrolled devices in Microsoft Intune | Microsoft Docs

Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM) | Microsoft Docs
