How to block any Windows Logins from an AAD Users except on 1 specific computer?

Bletzer, Eike-Alexander 0

I have a challenge in my company to set up a user who is only allowed to log on to a specific computer. On all other computers the Windows login must be blocked. All other users are still allowed to log in on all computers. I have already tried it with conditional access, but there the Windows login is not blocked, only the web apps. I have also found an Intunes catalog, which I would have to roll out for each individual device and that just does not always work from experience with 100% of the devices. Do you have any other ideas or tutorials?

JamesTran-MSFT 36,361 Reputation points Microsoft Employee

2023-03-23T23:18:14.5966667+00:00
@Bletzer, Eike-Alexander

Thank you for your post and I apologize for the delayed response!

I understand that you're trying to only allow certain users to login to a specific computer, and if the user tries to login to another device (other than their own) that login should be blocked.

After looking into this some more, it looks like there's no native way to do this via Azure AD, but you can do this through Custom Configuration profiles in Intune.

Additional Links:

Restrict which users can logon into a Windows 10 device with Microsoft Intune

Can we restrict AAD user logins to be from specific devices for better privileged account security?

how to stop users from logging into a device except specific accounts

I've added the Intune tag to this thread so their community experts can take a closer look into your issue as well.

I hope this helps!
Bletzer, Eike-Alexander 0 Reputation points

2023-03-24T06:56:33.65+00:00

I did a combination of the first link and CA to block the User to login on any other Device. CA is currently a problem, because all browser submit the wrong informations. For Example Unknown Device ID and OS: Windows 10 (and it is a nativ installed win11). The strange thing is that the Company Portal Software is installed and recognize the device and even intune installed the right things, but all browser submit the wrong informations. I sold it as a security feature and just assign a E3 License to the User for the Desktop Apps and blocked all the WebApps.

1 answer

Andy David - MVP 141.1K Reputation points MVP

2023-03-21T13:11:27.9033333+00:00

Can you filter for devices with a CA policy and block the user to all devices except that one machine?

https://learn.microsoft.com/en-us/windows-365/enterprise/restrict-office-365-cloud-pcs
Please sign in to rate this answer.
Bletzer, Eike-Alexander 0 Reputation points

2023-03-21T13:13:43.4633333+00:00

i already did this. But CA don´t block Windows Logins. Just Cloud Apps. If i select "any User action" i can´t restrict it to Devices anymore.
Sign in to comment