Safeguarding and stopping the user personal device from Azure AD register to my Azure tenant?

Question

Currently, I am utilizing Hybrid Azure AD - Exchange Online in conjunction with Azure AD Connect. Additionally, I am licensed for Intune and Azure AD Premium P2.

How can I prevent and restrict the user's personal devices or compromised computers from using the below feature to perform Azure AD register?

Because the above methods are still available to everyone in the world even after I have configured the Hybrid Azure AD join using: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control#targeted-deployment-of-hybrid-azure-ad-join-on-windows-current-devices

Any assistance or recommendations you may have would be deeply appreciated.

Answer 1

Hello,

you can disallow user to regsiter devices directly in your tenant:

Kind regards

Answer 2

Hello,

Thank you for your question and for reaching out with your question today.

To prevent and restrict users' personal devices or compromised computers from using the Azure AD registration feature, you can implement the following measures:

1. Conditional Access Policies: Azure AD allows you to create Conditional Access policies to enforce specific requirements for accessing your organization's resources. You can create a policy that blocks or grants access based on various conditions, such as device compliance, location, or risk level. By configuring a policy to block access from personal or compromised devices, you can prevent users from registering such devices with Azure AD.
2. Intune Device Compliance Policies: As you mentioned being licensed for Intune, you can leverage Intune's device compliance policies to enforce specific security requirements on devices. By configuring these policies, you can define device-level settings, such as requiring a minimum OS version, enabling encryption, or enforcing password policies. Devices that do not meet the compliance criteria can be blocked from accessing Azure AD resources and registering with Azure AD.
3. Azure AD Device Registration Settings: Azure AD provides granular control over device registration settings. You can configure the device registration settings to only allow specific types of devices to register with Azure AD. For example, you can restrict device registration to only devices that are hybrid Azure AD joined or compliant with Intune policies. By setting up these restrictions, you can prevent personal or compromised devices from registering with Azure AD.
4. Azure AD Privileged Identity Management (PIM): Azure AD PIM allows you to manage and control access to privileged roles in your organization. By utilizing PIM, you can require just-in-time activation for privileged roles, reducing the risk of compromised accounts gaining unauthorized access. This additional layer of security helps protect against potential misuse of administrative privileges on devices attempting to register with Azure AD.

By combining these measures, you can establish a strong security posture and prevent personal devices or compromised computers from registering with Azure AD. It's important to regularly review and update your policies and settings to align with the evolving security landscape and best practices recommended by Microsoft.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

If the reply was helpful, please don’t forget to upvote or accept as answer.