🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided MD-102 Domain 3
Domain 3 — Module 5 of 5 100%
22 of 27 overall

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization
Domain 3: Manage Applications Premium ⏱ ~10 min read

App Configuration: Managed Apps & Managed Devices

App configuration policies push settings to apps automatically — email server addresses, default URLs, feature toggles — so users don't have to configure anything manually.

What are app configuration policies?

☕ Simple explanation

Think of app configuration like pre-setting a rental car’s GPS destination before the driver picks it up.

Instead of the driver manually entering the address, searching for the right route, and choosing settings — everything’s ready when they get in. App configuration policies do the same for apps: pre-fill the email server address, set the default homepage in the browser, enable specific features — all automatically when the app opens for the first time.

App configuration policies in Intune deliver key-value pairs or XML configuration to applications. These settings are consumed by the app to pre-configure its behaviour — email accounts, VPN settings, default URLs, feature flags, and more. Configuration policies can target managed devices (enrolled in MDM) or managed apps (apps with app protection policies, no enrollment required).

Two delivery channels

App Configuration: Managed Devices vs Managed Apps
FeatureManaged DevicesManaged Apps
Device enrollment requiredYes — MDM enrolledNo — works on unenrolled BYOD
Delivery mechanismMDM channel (device-level)MAM channel (app-level)
Supported platformsiOS, Android, Windows (limited)iOS, Android
Configuration formatXML or key-value pairs via MDMKey-value pairs via Intune App SDK
Best forCorporate-owned devices with full managementBYOD devices with app protection policies
Works withAny MDM-managed appApps integrated with Intune App SDK/App Wrapping Tool

When to use which

ScenarioChannel
Corporate iPhone enrolled in Intune — configure Outlook email accountManaged Devices
Personal Android phone (not enrolled) — configure Outlook email accountManaged Apps
Corporate Windows laptop — configure Edge browser homepageManaged Devices (or Intune config profile)
Any device — configure a LOB app with specific backend URLManaged Apps (if app supports it)

Common app configuration scenarios

Outlook email configuration

The most common use case — auto-configure Outlook so users don’t manually enter server settings:

KeyValuePurpose
com.microsoft.outlook.EmailProfile.EmailAccountNameUser display nameShows in account list
com.microsoft.outlook.EmailProfile.EmailAddressUser email (use token: {{mail}})Pre-fills email address
com.microsoft.outlook.EmailProfile.EmailUPNUser UPN (use token: {{userprincipalname}})Authentication identity
com.microsoft.outlook.EmailProfile.ServerAuthenticationModernAuthenticationUse modern auth (not basic)

Token replacement

Intune supports dynamic tokens that are replaced with user-specific values:

TokenReplaced With
{{userprincipalname}}User’s UPN (e.g., sam@tuisolutions.com)
{{mail}}User’s email address
{{partialupn}}UPN prefix (e.g., “sam” from sam@tuisolutions.com)
{{AccountId}}Intune account ID
{{deviceid}}Intune device ID
{{userid}}Intune user ID

Sam uses tokens to create a single configuration policy that auto-configures Outlook for all 500 Tui Solutions users — each user gets their own email address populated automatically.

Edge browser configuration

KeyValuePurpose
com.microsoft.intune.mam.managedbrowser.homepagehttps://intranet.tuisolutions.comSet default homepage
com.microsoft.intune.mam.managedbrowser.bookmarksJSON array of bookmarksPre-load company bookmarks
💡 Exam tip: managed apps vs managed devices confusion

The exam tests whether you know which channel to use:

  • If the device is enrolled → you can use either channel, but Managed Devices is preferred (more reliable delivery, supports XML)
  • If the device is NOT enrolled (BYOD) → you MUST use Managed Apps channel (MDM channel requires enrollment)
  • If both are configured for the same app → Managed Devices takes priority on enrolled devices

Common trap: “An admin configures an app configuration policy using the Managed Devices channel for a BYOD phone.” This won’t work — BYOD isn’t enrolled, so the MDM channel can’t deliver the config.

ℹ️ Deep dive: apps that support configuration

Not every app supports app configuration. The app must be built with one of:

  • Intune App SDK — embedded in the app code (most Microsoft apps: Outlook, Teams, Edge, OneDrive)
  • App Wrapping Tool — wraps an existing app with Intune management layer
  • Android Enterprise managed configurations — standard Android feature, supported by many apps (Zoom, Chrome, etc.)
  • iOS managed app configuration — Apple’s MDM standard for delivering key-value pairs

Check the app’s documentation to see which configuration keys are supported. Microsoft publishes configuration keys for all their apps.

🎬 Video walkthrough

🎬 Video coming soon

App Configuration: Managed Apps & Devices — MD-102 Module 22

App Configuration: Managed Apps & Devices — MD-102 Module 22

~10 min

Flashcards

Question

What's the difference between Managed Devices and Managed Apps app configuration?

Click or press Enter to reveal answer

Answer

Managed Devices: requires MDM enrollment, delivers config via device MDM channel, supports XML. Managed Apps: no enrollment needed, delivers config via app-level MAM channel, uses key-value pairs. Use Managed Devices for corporate devices, Managed Apps for BYOD.

Click to flip back
Question

What are Intune configuration tokens and what do they do?

Click or press Enter to reveal answer

Answer

Tokens like {{userprincipalname}}, {{mail}}, and {{deviceid}} are placeholders in app configuration policies. Intune replaces them with actual user/device values at delivery time. This lets you create one policy that auto-configures for every user.

Click to flip back
Question

Which channel must you use for app configuration on unenrolled BYOD devices?

Click or press Enter to reveal answer

Answer

Managed Apps channel — the Managed Devices (MDM) channel requires device enrollment and won't work on unenrolled BYOD devices.

Click to flip back

Knowledge Check

Knowledge Check

Sam creates an app configuration policy to auto-configure Outlook email for all Tui Solutions employees. He uses the Managed Devices channel. It works on corporate laptops but not on a contractor's personal phone (Entra Registered, not MDM enrolled). Why?
Knowledge Check

Riko wants Outlook on all devices at Pixel & Co to automatically configure with each user's email address — without creating individual policies for each of the 80 users. What should she use?

Next up: Endpoint Security: Antivirus, Firewall & Encryption — the first line of defense for your managed devices.

← Previous

App Protection Policies & Conditional Access

Next →

Endpoint Security: Antivirus, Firewall & Encryption

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.