Do I need a DEM account in a tenant if using the custom app registration and consenting with client admin account?

I created a DEM account for our (MSP) tenant and set up the custom ImmyBot app registration, but I am confused about whether I also have to set up a DEM account for every client tenant or just consent that tenant using an M365 global admin account. Looking for the best way to handle tenants that we have a GDAP relationship with. Our tenant is set as the MSP tenant in ImmyBot, I can see the client tenants in there, and I want to be able to do AAD joins and such for the client tenants. Any help is appreciated.

Jerbar, I believe, answered my question, but I'm not positive. The DEM account is used for the Azure/Entra/Intune deployments as the OAuth2 credentials, so it should be created for any tenant you want to deploy these types of tasks. Is that an accurate statement?

If you need to AzureAD join devices with ImmyBot, then a DEM account should be created. It is one of Microsoft’s prerequisites to bulk enrollment, which is what we use for AzureAD joining. That includes both the OAuth2 and Username/Password flows.
