
Is it possible to use conditional access policy with specific logged on Windows user?

Gregory Suvalian 186 Reputation points
2024-04-30T15:10:22.2233333+00:00

Hello,

Is it possible to use currently logged user as a signal inside Conditional Access policy evaluation?

Scenario is below.

  1. Computer is joined to Entra ID and managed by Intune
  2. Computer has both Entra ID user configured and local user

Is it possible for a conditional access policy to figure out if I logged on with a local user instead of Entra ID (even though on a compliant device) and deny access based on that criterion?

I'm aware that I can configure Intune to prevent the ability to use local accounts to log in, but I need to implement this policy on personal devices where these logins shall be allowed.

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

2 answers

Sort by: Most helpful
  1. Crystal-MSFT 54,306 Reputation points Microsoft External Staff
    2024-05-01T02:22:20.4633333+00:00

    @Gregory Suvalian, Thanks for posting in Q&A. Based on my experience, it is possible to use Conditional Access policies to control access to applications based on device compliance. However, there is no method of using the currently logged on user as a signal inside Conditional Access policy evaluation.

    To prevent the ability to use local accounts to log in, you mentioned you can do it via a configuration policy. But you don't want it to be prevented on personal devices. To avoid this, you can create a filter for corporate devices by setting (device.deviceOwnership -eq "Corporate") and apply the configuration policy only to corporate devices.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

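To check what the suggested ownership filter would scope before assigning the local-account policy with it, here is a small evaluator for the subset of Intune assignment-filter rule syntax the answer uses, run against a constructed two-device inventory. This is an added example, not code from the answer or from Microsoft; the `DEVICES` list, the operator precedence (-and before -or) and case-insensitive string matching are assumptions, and Intune's own filter engine remains the authority.

```python
import re
# Minimal evaluator for the Intune filter-rule subset in the answer: (device.<property> -eq|-ne
# "value") combined with -and, -or and parentheses. Illustration only; Intune is authoritative.
_TOKEN = re.compile(r'\(|\)|"[^"]*"|-[A-Za-z]+|device\.\w+')
_OPS = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b}

DEVICES = [  # constructed sample inventory (not real devices): one corporate, one personal
    {"deviceName": "CORP-LAPTOP-01", "deviceOwnership": "Corporate", "enrollmentProfileName": "Corp-Autopilot"},
    {"deviceName": "HOME-PC", "deviceOwnership": "Personal", "enrollmentProfileName": ""},
]

def tokenize(rule):
    if _TOKEN.sub("", rule).strip():               # anything that is not a token is an error
        raise ValueError(f"unexpected text in rule {rule!r}")
    return _TOKEN.findall(rule)

def parse(tokens):                                 # consumes the token list from the front
    def take():
        return tokens.pop(0) if tokens else None
    def binary(op):                                # "-or" (outer) or "-and" (binds tighter)
        sub = (lambda: binary("-and")) if op == "-or" else unary
        node = sub()
        while tokens and tokens[0] == op:
            take(); node = (op[1:], node, sub())
        return node
    def unary():
        tok = take()
        if tok == "(":
            node = binary("-or")
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        op, val = take(), take()                   # comparison: device.<prop> <op> "<value>"
        if not (tok and tok.startswith("device.") and op in _OPS and val and val[0] == '"'):
            raise ValueError(f"bad comparison near {tok!r}")
        return ("cmp", tok[len("device."):], op, val[1:-1])
    ast = binary("-or")
    if tokens:
        raise ValueError(f"trailing tokens {tokens}")
    return ast

def evaluate(node, device):
    if node[0] == "cmp":                           # string compares case-insensitive (assumption)
        return _OPS[node[2]](str(device.get(node[1], "")).lower(), node[3].lower())
    a, b = evaluate(node[1], device), evaluate(node[2], device)
    return (a and b) if node[0] == "and" else (a or b)

def devices_in_scope(rule, devices=DEVICES):
    ast = parse(tokenize(rule))                    # names an include-mode filter would reach
    return [d["deviceName"] for d in devices if evaluate(ast, d)]
```

With the answer's rule, only the corporate device is in scope, so the personal device keeps its local logons.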


  2. Marilee Turscak-MSFT 37,391 Reputation points Microsoft Employee Moderator
    2024-04-30T23:34:47.19+00:00

    Hi @Gregory Suvalian ,

    If I'm understanding your question correctly, it sounds like you are hoping to block access to local accounts via conditional access.

    Conditional Access policies are scoped only to the built-in roles documented here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa

    You can create exclusions based on device compliance, hybrid join state, and device state, but you need to use Intune or group policies to enforce anything for a specific local administrator.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

