When playing around with  Windows 10 and modern device management – Automatic Azure AD enrollment is a part of this. With Windows 10 1703 you can “Enroll in Azure AD” with a provision packages created with Windows Configuration Designer.

When creating a provision packages to automatic enroll a device in Azure AD a user is created in Azure AD, it is a normal user – you dont know the password for the user.

The user will show up in your all user group, and other dynamic AzureAD groups – if you do not exclude it.

If you have a dynamic Azure AD group that’s get a licens assignment then you also need to exclude the package user. The packages does not need a specific licens assigned to be working.

Package User - 01

Who is the user created:

When you use the Windows Configuration Designer – to create a provision packages.
“Bulk Token Expiry” date is to 30 days
You need to click on the “Get Bulk Token”
WIndows Image Designer


Sign in with you Azure AD account (This does not require administrative rights in your Azure AD)

WIndows Image Designer - 01

Enter the password for the device enrollment manager

WIndows Image Designer 02You have to allow WCD to access your account in Azure AD

WIndows Image Designer 03

Then the “Bulk Token Fetched Successfully” and the packages user is created.

WIndows Image Designer 04

Every time you create a new provision packages with WCD then a new packages user is created!

Remember that :

The default number of devices that can be joined to an Azure AD tenant is limited to 20 – so you need to change this is you need to enroll more then 20 devices with one provision packages.

The user never expire – it is not possible to set a expire date on a cloud only user at the moment – please vote for “Set an AzureAD account to expire on a specified date” : https://feedback.azure.com/forums/34192–general-feedback/suggestions/16390489-set-an-azuread-account-to-expire-on-a-specified-da