Microsoft Intune TSA separation is the work of standing up endpoint management in the Newco Microsoft tenant, rebuilding the compliance and configuration policies, repackaging the managed applications, re enrolling every device, and exiting the seller tenant before Newco endpoints keep reporting to the seller management plane. The work sits inside the broader carve-out advisory program and depends on the Entra tenant separation because Intune is bound to the identity tenant. Treated casually, it leaves Newco devices managed by the seller and Newco unable to enforce its own security on its own laptops.
Intune separation starts with an inventory of the seller tenant. The buyer needs the enrolled device estate by platform, the compliance policies, the configuration and security profiles, the managed applications and their deployment rules, the conditional access policies that depend on device compliance, the Autopilot enrollment profiles, and the update rings. Intune manages the endpoints the entire workforce uses, so the inventory is a map of how every laptop and phone is secured.
The defining constraint is that Intune is bound to the Microsoft tenant. It is the device management service of Entra, so Newco devices managed in the seller tenant cannot simply be pointed at a new console, they must be enrolled into the Newco tenant. This is why Intune separation follows the Entra tenant separation: there is no Newco Intune without a Newco tenant to host it.
The clean end state is endpoint management running in the Newco Microsoft tenant, managing Newco devices under Newco policies. A shared seller tenant is acceptable only as a bridge during the TSA, because the seller controls the management plane, can wipe Newco devices, and sees Newco endpoint data. The bridge has a hard limit because the device cannot belong to two tenants at once.
A clean inventory drives the sequence: the Newco tenant configuration, the policy and application rebuild, the re enrollment approach, and the cutover. Because re enrollment touches every device and every user, the inventory is also the basis for the logistics of moving a physical fleet.
Intune is licensed through Microsoft 365 and Enterprise Mobility plans, so the commercial sits inside the broader Microsoft agreement Newco signs. That agreement does not transfer in a carve-out, and Newco contracts its own Microsoft licensing sized to its real user and device count, with the plan tier that includes the Intune capabilities it needs. The risk is inheriting an assumption about plan coverage that does not match the Newco agreement.
Because Intune rides on the Microsoft tenant, the commercial conversation is part of the wider Microsoft separation rather than a standalone negotiation. Negotiating leverage comes from the overall Microsoft commitment Newco brings. The buyer scopes the endpoint management requirements from the device inventory so the licensing covers every device that must be enrolled.
Where the seller continues to manage Newco devices through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA defines who administers Newco devices, how endpoint data is returned, and the wipe boundary so the seller cannot wipe a Newco device after the data has moved. The TSA also sets a firm re enrollment deadline because a shared tenant cannot be a steady state.
Implementation, where a partner is engaged, is fixed fee for defined deliverables under disciplined change control. An endpoint management stand up and a fleet re enrollment have a finite scope, contracted against named policies, applications, and a device count rather than open ended consulting time. The engagement model is Fixed Fee plus Portfolio Retainer.
Compliance and configuration policies are rebuilt in the Newco tenant. The compliance rules that define a healthy device, the configuration profiles that set security baselines, and the security policies for disk encryption, firewall, and antivirus are recreated so Newco enforces its own standard. The buyer reviews the seller policies, retains what fits the standalone business, and uses the rebuild to clean rules that accumulated for the seller estate.
Managed applications are repackaged and redeployed. The applications Intune delivered in the seller tenant, whether from the Microsoft store, line of business packages, or managed Microsoft 365 apps, are recreated in the Newco tenant with their assignment rules. An application that deployed automatically in the seller tenant does not follow the device to the Newco tenant, so the deployment is rebuilt.
Conditional access is the policy that ties everything together. Intune compliance feeds the conditional access rules that decide whether a device may reach email and applications, so those rules are rebuilt in the Newco tenant against Newco compliance signals. The discipline aligns with the broader Azure Active Directory separation because conditional access lives in the identity tenant that Intune reports to.
Autopilot and enrollment profiles are recreated so new Newco devices provision into the Newco tenant out of the box. The enrollment configuration that shaped the seller provisioning experience is rebuilt so Newco can deploy a new laptop without manual setup.
Re enrollment is the heart of an Intune separation and the part buyers underestimate. A device managed in the seller tenant must un enroll and enroll into the Newco tenant, because a device cannot be managed by two tenants simultaneously. There is no server side switch that moves a fleet between tenants, so every laptop and phone goes through a re enrollment that often involves the user.
The approach depends on platform and on how much disruption the business can absorb. Windows devices can be re enrolled in place where the configuration allows, or wiped and reprovisioned through Autopilot for a clean state. Mobile devices re enroll through the company portal. The buyer chooses the approach per platform, balancing a clean rebuild against the user disruption of reconfiguring a device.
The logistics are real because the fleet is physical and distributed. The buyer plans the re enrollment in waves, provides clear user instructions, and staffs support for the window when users move their devices. Data on the device, whether in user profiles or local files, is protected through the move so re enrollment does not cost users their work.
Because re enrollment depends on the user acting, communication carries the workstream. Users are told when to re enroll, what to expect, and where to get help, and the buyer tracks completion so no device is left reporting to the seller tenant after the deadline.
Cutover moves the fleet from seller management to Newco management, device by device through re enrollment. Because endpoint management is a security control, the cutover is sequenced so devices do not fall out of management during the move, and the runbook covers the policy activation, the application deployment, the re enrollment waves, the conditional access switch, and the support plan for users.
Validation confirms management works on real devices. A re enrolled device reports compliance, receives its policies, installs its applications, and satisfies conditional access so it reaches email and business applications. The buyer validates a device of each platform end to end before scaling the re enrollment, because a policy gap discovered after the fleet has moved is expensive to fix at scale.
Stabilization runs while the fleet completes re enrollment. Devices stuck mid enrollment, missing applications, and conditional access lockouts are triaged within agreed service-level commitments, and the buyer tracks the share of the fleet enrolled in the Newco tenant. Only when the fleet has moved and reports healthy does the buyer certify endpoint management for TSA exit.
Decommissioning the seller management is explicit. Once Newco devices are enrolled in the Newco tenant and the TSA tail closes, the seller retires the Newco device records so the seller can no longer manage or wipe Newco endpoints, and confirms Newco endpoint data is removed from the seller tenant.
Intune separation cost is driven by the Microsoft licensing and overwhelmingly by the labor of re enrolling a distributed fleet. The discipline is to size licensing to Newco real needs, choose the re enrollment approach per platform to balance clean state against disruption, and plan the fleet logistics early because the device count and geography drive the effort more than the policy rebuild.
The common failure mode is underestimating re enrollment and treating Intune like a console migration. There is no tenant to tenant device move, so every device re enrolls, and a plan that assumes a server side switch collapses on contact with the fleet. Buyers that plan the re enrollment waves and support early avoid devices stranded in the seller tenant past the deadline.
The common security mistake is leaving the wipe boundary undefined. The seller can wipe a device it still manages, so the TSA defines when seller wipe rights end and the buyer confirms devices leave seller management before that risk lingers. A PMO maintains the dependency map across endpoint management, the Microsoft tenant, and conditional access, escalating blocks inside forty eight hours.
A clean Intune separation produces a Newco that manages its own devices in its own tenant, under its own policies, with a seller that can no longer touch Newco endpoints. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
No. Intune is bound to the Microsoft tenant and a device cannot be managed by two tenants at once, so there is no server side move. Every device un enrolls from the seller tenant and enrolls into the Newco tenant, which is why re enrollment is the largest part of the work and touches every user.
Because Intune is the device management service of Entra and lives inside the Microsoft tenant. There is no Newco Intune until there is a Newco tenant to host it, so endpoint management follows the identity tenant separation and the conditional access rebuild that ties device compliance to access.
While the seller still manages a Newco device, the seller can wipe it. The TSA defines when seller wipe rights end so the seller cannot wipe a Newco device after the data has moved, and the buyer confirms devices leave seller management on schedule so the risk does not linger past exit.
The policy and application rebuild is quick, but re enrolling a distributed fleet drives the timeline. Most buyers plan three to five months so re enrollment can run in waves with user support, following the Entra tenant separation that Intune depends on.
Apple Business Manager strategy, the device re-enrollment, and the MDM rebuild.
Read the article →The endpoint strategy, the device estate, and Day-One management for Newco.
Read the article →Tenant strategy, the identity move, and the conditional access rebuild.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Stand up standalone IT before the TSA meter and the seller's dependencies compound against you.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →