Restrict Windows sign-in with Azure joined device

Martins 20 Reputation points
2023-01-18T08:27:26.3433333+00:00

Hello,

We are using Azure AD with all-cloud integration (we don't have any on-prem servers).

Is it possible to somehow restrict specific Azure users (e.g. the break glass account) from logging into laptops/endpoints, so that they can only log in to web apps, e.g. admin.microsoft.com, Intune?

The idea would be to restrict the break glass account so no one can use it locally, or maybe to restrict global administrators to PAW devices and nothing else.

Microsoft Entra ID

2 answers

  1. Carlos Solís Salazar 18,086 Reputation points MVP
    2023-01-18T10:23:34.01+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    You can activate conditional access to that "break glass account" and apply all required restrictions.

    Hope this helps!


    Accept the answer and upvote if any of the above helped; this thread can then help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2023-01-23T04:52:12.5466667+00:00

    Hello Martins,

    To block certain users from logging on to a Windows machine via Intune, use a custom CSP.

    As per UserRights/AllowLocalLogOn, this user right determines which users can sign in to the computer.

    Example:

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn

    Data Type: String

    Value:

    <![CDATA[AzureAD\******@contoso.com&#xF000;AzureAD\******@contoso.com]]>

    [screenshot of the custom OMA-URI setting]

    (adding screenshot as clipboard is not copying the differential)

    Once applied, the unauthorized user would get the following message:

    [screenshot of the sign-in denied message]

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" and "rate" your experience if the suggestion works as per your business need. This will help us and others in the community as well.
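As an added example (not part of Akshay's answer or of Microsoft's documentation), the PowerShell below does two things a practitioner would want around this approach: it builds the AllowLocalLogOn value in the `<![CDATA[...&#xF000;...]]>` form shown in the answer and submits it as a Windows 10 custom profile through Microsoft Graph, and it reads back the effective SeInteractiveLogonRight on a device so the result can be checked. Everything tenant-specific is a placeholder: the profile name, the `AzureAD\paw-admin@contoso.com` UPN and the choice of the built-in Administrators group are assumptions, and the script assumes the Microsoft.Graph PowerShell SDK is installed and `Connect-MgGraph` has already been run with the `DeviceManagementConfiguration.ReadWrite.All` scope. Because AllowLocalLogOn is an allow-list, every principal not named loses interactive sign-in, so the list must still contain the accounts or groups your admins actually use; the break-glass account is restricted simply by leaving it off.

```powershell
# Added example, not code from the original answer or from Microsoft.
# Assumes: Microsoft.Graph SDK installed and Connect-MgGraph already run with
# DeviceManagementConfiguration.ReadWrite.All. Principals and names are placeholders.

$OmaUri = './Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn'

# The answer shows values joined with the &#xF000; separator inside a CDATA wrapper;
# this function reproduces that format exactly for any list of principals.
function New-UserRightsValue {
    param([Parameter(Mandatory)][string[]]$Principals)
    '<![CDATA[' + ($Principals -join '&#xF000;') + ']]>'
}

# Allow-list: anyone NOT listed is denied interactive sign-in on the device.
# Keep a group your admins belong to so the device stays manageable, and
# deliberately omit the break-glass account.
$AllowedPrincipals = @(
    'Administrators',                    # built-in local group (assumed choice)
    'AzureAD\paw-admin@contoso.com'      # placeholder PAW admin UPN
)

# Graph body for a windows10CustomConfiguration carrying one omaSettingString.
$Body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Restrict local sign-in to PAW admins'        # placeholder
    description   = 'AllowLocalLogOn allow-list; break-glass account intentionally omitted'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'AllowLocalLogOn'
            description   = 'UserRights/AllowLocalLogOn'
            omaUri        = $OmaUri
            value         = New-UserRightsValue -Principals $AllowedPrincipals
        }
    )
}

# Creates the profile; it still has to be assigned to a device group in Intune.
$Profile = New-MgDeviceManagementDeviceConfiguration -BodyParameter $Body
$Profile.Id

# Run this on a managed device to verify what actually applied. secedit exports the
# local security policy; SeInteractiveLogonRight is the right AllowLocalLogOn sets.
function Get-InteractiveLogonRight {
    $Export = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
    $Line = Get-Content $Export | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $Export -ErrorAction SilentlyContinue
    if (-not $Line) { return @() }

    # Format is "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-..."; resolve SIDs
    # where the device can (cloud-only SIDs may stay unresolved and are returned raw).
    ($Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $Sid = $_.Trim().TrimStart('*')
        try {
            ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $Sid }
    }
}

Get-InteractiveLogonRight
```

The verification half is the part worth keeping in a runbook: before the profile is widened beyond a pilot group, confirm on one device that the returned list contains the admin principals you expect and nothing else, since a mistake in this allow-list locks every unlisted account, the break-glass one included, out of interactive sign-in on every device that receives it.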

