Outcome

• Verified on May 11, 2026 that the tenant app-only Graph path is working.
• Direct Intune enrollment could not be executed from combined_keep_set.csv because the file only contains Entra device metadata (Object ID, Device ID, trust type, OS version) and not the hardware tuple required for the Graph corporate-identifier import path.
• Microsoft Graph can manage Intune enrollment configuration and import Windows corporate identifiers, but it cannot force an existing Entra device to enroll from Object ID / Device ID alone.

Verified state

• Keep-set rows: 68
• Intune managed devices in tenant: 1
• Keep-set rows already managed in Intune: 1 (AL0037-NHatfiel)
• Imported Windows corporate identifiers currently in Intune: 0
• Windows rows on supported builds for corporate identifiers: 56
• Windows rows blocked by unsupported build: 12
• Duplicate display names exist in the keep set, so device name alone is not safe as a unique join key.

Artifacts

• Output folder: C:\Users\SAguiar\Documents\Codex\intune_enrollment_graph_20260511_181315
• Readiness CSV: C:\Users\SAguiar\Documents\Codex\intune_enrollment_graph_20260511_181315\keep_set_enrollment_readiness.csv
• Windows import template: C:\Users\SAguiar\Documents\Codex\intune_enrollment_graph_20260511_181315\windows_corporate_identifier_template.csv
• Duplicate-name review: C:\Users\SAguiar\Documents\Codex\intune_enrollment_graph_20260511_181315\duplicate_display_names.csv
• Assessment summary: C:\Users\SAguiar\Documents\Codex\intune_enrollment_graph_20260511_181315\SUMMARY.md
• Keep-set assessment script: C:\Users\SAguiar\Documents\New project\Invoke-IntuneKeepSetAssessment.ps1
• Graph import script: C:\Users\SAguiar\Documents\New project\Invoke-IntuneCorporateIdentifierImport.ps1