Set up Basic Mobility and Security

The built-in Basic Mobility and Security for Microsoft 365 helps you secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports.

Have questions? We've put together a FAQ to help address common questions. Be aware that you cannot use a delegated administrator account to manage Basic Mobility and Security.

Device management is part of the Security & Compliance Center so you'll need to go there to kick off MDM setup.

To set up Basic Mobility and Security you'll need to:

Activate the Basic Mobility and Security service

Set up Mobile Device Management

Make sure users enroll their devices

Activate the Basic Mobility and Security service

  1. Sign in to Microsoft 365 with your global admin account.

  2. Click this link: Activate Basic Mobility and Security.

It can take some time to activate Basic Mobility and Security. When it finishes, you'll receive an email that explains the next steps to take.

Set up Mobile Device Management

When the service is ready, complete the following steps to finish setup.

Step 1: (Required) Configure domains for MDM

If you don't have a custom domain associated with Microsoft 365 or if you're not managing Windows devices, you can skip this section. Otherwise, you'll need to add DNS records for the domain at your DNS host. If you've added the records already, as part of setting up your domain with Microsoft 365, you're all set. After you add the records, Microsoft 365 users in your organization who sign in on their Windows device with an email address that uses your custom domain are redirected to enroll in Basic Mobility and Security.

Need help setting up the records? Find your domain registrar in the list provided in Create DNS records at any DNS hosting provider for Microsoft 365 and select the registrar name to go to step-by-step help for creating DNS records. Use those instructions to create CNAME records described in Simplify Windows enrollment without Azure AD Premium.

After you add the two records, go back to the Security & Compliance Center and navigate to Data loss prevention > Device management to complete the next step.

Step 2: (Required) Configure an APNs Certificate for iOS devices

To manage iOS devices like iPad and iPhones, you need to create an APNs certificate.

  1. Sign in to Microsoft 365 with your global admin account.

  2. In your browser type:

  3. Select Data loss prevention > Device management, and choose APNs Certificate for iOS devices.

  4. On the Apple Push Notification Certificate Settings page, choose Next.

  5. Select Download your CSR file and save the Certificate signing request to a somewhere on your computer that you'll remember. Select Next.

  6. On the Create an APNs certificate page:

    • Select Apple APNS Portal to open the Apple Push Certificates Portal.

    • Sign in with an Apple ID.

      Important: Use a company Apple ID associated with an email account that will remain with your organization even if the user who manages the account leaves. Save this ID because you'll need to use the same ID when it's time to renew the certificate.

    • Select Create a Certificate and accept the Terms of Use.

    • Browse to the Certificate signing request you downloaded to your computer from Microsoft 365 and select Upload.

    • Download the APN certificate created by the Apple Push Certificate Portal to your computer.

      Tip: If you're having trouble downloading the certificate, refresh your browser.

  7. Go back to Microsoft 365 and select Next to get to the Upload APNS certificate page.

  8. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.

  9. Select Finish.

Step 3: (Recommended) Set up multi-factor authentication

MFA helps secure the sign in to Microsoft 365 for mobile device enrollment by requiring a second form of authentication. Users are required to acknowledge a phone call, text message, or app notification on their mobile device after correctly entering their work account password. They can only enroll their device after this second form of authentication is completed. After users’ devices are enrolled in Basic Mobility and Security, users can access Microsoft 365 resources with just their work account.

To learn how to turn on MFA in the Azure AD portal, see Set up multi-factor authentication.

After you set up MFA, go back to the Security & Compliance Center and navigate to Data loss prevention > Device management > Device policies to complete the next step.

Step 4: (Recommended) Manage device security policies

The next step is to create and deploy device security policies to help protect your Microsoft 365 organization's data. For example, you can help prevent data loss if a user loses their device by creating a policy to lock devices after 5 minutes of inactivity and have devices wiped after 3 sign-in failures.

  1. Sign in to Microsoft 365 with your global admin account.

  2. Click this link: Activate Mobile Device Management. If the service is Activated you will see a link to the Manage Devices instead the activation steps.

  3. Go to Device policies.

    Add a device security policy
  4. Create and deploy device security policies appropriate for your organization following the steps in Create and deploy device security policies.


  • When you create a new policy, you might want to set the policy to allow access and report policy violation where a user's device isn't compliant with the policy. This lets you see how many mobile devices would be impacted by the policy without blocking access to Microsoft 365 .

  • Before you deploy a new policy to everyone in your organization, we recommend you test it on the devices used by a small number of users.

  • Also, before you deploy policies, let your organization know the potential impacts of enrolling a device in Basic Mobility and Security. Depending on how you set up the policies, devices that don't comply with them (non-compliant devices) could be blocked from accessing Microsoft 365. Non-compliant devices might also have apps installed, photos, and other personal information which, on an enrolled device, could be deleted if the device is wiped. More info: Wipe a mobile device in Microsoft 365.

Make sure users enroll their devices

After you've created and deployed a mobile device management policy, each licensed Microsoft 365 user in your organization that the device policy applies to will receive an enrollment message the next time they sign into Microsoft 365 from their mobile device. They must complete the enrollment and activation steps before they can access Microsoft 365 email and documents. See Enroll your mobile device for work or school.

Important: If a user's preferred language isn't supported by the enrollment process, users may receive enrollment notification and steps on their mobile devices in another language. Not all languages supported in Microsoft 365 are currently supported for the enrollment process on mobile devices.

Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.

Related Topics

Capabilities of Basic Mobility and Security
Create and deploy device security policies

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.