Enterprise Mobility and Security (EMS) –How to Secure your Devices in 15 minutes (Part 1)

EMS – the Easy Way

Since I deployed Microsoft’s Enterprise Mobility and Security products (EMS) (and blogged about it).I have been inundated with requests for a how-to guide (well a few people were curious anyway).

So here it is. This post is part of a series that will show and tell how to sign up for, enable and use Office 365 and Enterprise Mobility and Security E3 (I didn’t capture the steps when I did it, it was literally too fast (and I didn’t think about it)). So I will sign up for trials in both services and show those. The only steps not shown live will be the linking to my custom domain, which relies on DNS records and does not slow down progress in any other way.

Buy your Licences

The first step is to buy the products. Depending upon your needs , size and status the process and varies. I am assuming you are a small business like me and can sign up for 5 users at the relevant Microsoft Web sites.

I will do this through trial sign ups.

First, for later use make sure you have a real custom domain. Mine is Excaliburservicesuk.co.uk (without this you will be tied to an ‘onmicrosoft’.com domain which doesn’t look good for your business). You can sign up for a domain almost anywhere (www.godaddy.com is prominent in web searches for this and provides a cheap service other registrars are available such as www.123-reg.co.uk)

The next step is to sign up for a trial of Office365 E3 (The E3 subscription provides me with all the services I need, make sure you pick the right one for you – it can be confusing there are so many to choose from as the tables show. Enterprise Plans, Business Plans )

Sign up Here. This will provide a trial period of Office 365 E3 subscription.


Complete the data entry above and click the arrow to the right of Just one more step.


Again, complete the data entry required (TIP Keep the name of your company shown by the arrow very short this is your login ID until you add a custom domain and it can get quite long and tedious)

Once you have completed the prove you are not a pesky BOT verification by text



you will have a freshly minted Office 365 subscription and underpinning that is an Azure Active Directory where all your users, groups and device information is stored (More of that later).


Notice that although you can immediately download one of your 5 allocated copies of Office 2016 Pro Plus there are some services that are not yet complete. But you do have full access to the Admin portal.

Having created an Office 365 tenant we now need to add the Enterprise Mobility and Security E5 SKU to it. as a free trial. (The trial version available is E5 not E3, but this is good as you get access to all the goodies in the cupboard such as Cloud App Security).

To do that open a browser ‘InPrivate’ or ‘Incognito’ or their equivalent. Login to your office 365 tenant as an administrator (the email address you used to create the trial above)

Then add a new tab to the browser and navigate to www.microsoft.com/enterprisemobility and click try now. if all goes well and the office tenant was created properly and you are logged in correctly, you will see this message


Click the arrow to the right of Yes, add it to my account and the Enterprise Mobility and Security (EMS) Licences will be added to your .onmicrosoft.com tenant Azure Active Directory (AAD). You will see the following screen before the addition is completed.

EMS Sign upEMS Sign up

In the first one click Try Now and in the second Continue. (Note you have 100 EM&S licences and only 5 for Office 365)

After a few minutes open another browser window (NOT EDGE as edge cannot support Silverlight and the Intune Console currently runs on Silverlight) (UPDATE – there is also a Preview of Intune in the Azure Portal)

In that browser navigate to manage.microsoft.com and log in as the Office 365 / EMS global administrator (the email address you used earlier).

You will be greeted with the following Intune EMS screen


This is the Microsoft Intune portal and where you carry out all setup and maintenance of your Mobile Device management (MDM) policies and configuration.

NOTE this How to DOES NOT INCLUDE HOW TO USE INTUNE WITH System Center Configuration Manager (SCCM) – A separate post will deal with that – NOTE that currently you can use EITHER Intune OR SCCM to do the management in a single tenant but NOT BOTH.

So, this will have taken you longer than 15 minutes. I have done this many many times and when I purchased the Licences it probably took me 2 or 3 minutes to get to this point. I then attached my tenant to a custom domain (excaliburservicesuk.co.uk) as that is my corporate identity.

I will show you the steps to do this but this too will take longer than 15 minutes as it needs the DNS entries to propagate and that is if you have control of the DNS zone for your domain.

Adding a Custom Domain

The easiest and best way to achieve this is through the Office 365 Portal, indeed the portal will guide you through all your setup steps. Navigate to


Click on Go to setup and follow the instructions for adding  a TXT record to your domains DNS zone. Once this is complete setup will give you all the other records required for Exchange Online, Lync Online and the enterprise registration records for Intune.

You can even get Office 365 to manage all your DNS records if you want to.

Part 1 of this marathon is now complete.

What have we achieved?

Well you have signed up to Intune and Office 365 trials and allocated a custom domain to your tenant.

In the next Post we will concentrate on deploying the Intune policies necessary to manage your devices and also installing the Company Portal application to allow enrollment of iOS devices.

We will also cover some of the other EMS products.

Comments are closed.