How to restrict user access to a specific device

Joel - Feluba 0 Reputation points
2024-04-21T14:39:15.67+00:00

Is there a way to allow a specific user to log in only on a given device?

Any other login tries should be blocked.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Sandeep G-MSFT 14,646 Reputation points Microsoft Employee
    2024-04-23T11:32:51.5+00:00

    @Joel - Feluba

    Thank you for posting this in Microsoft Q&A.

    As I understand it, you want to limit the user to logging in to only one device and not any other device.

    This is possible if this user is using Azure AD credentials to log in to the device.

    This can be achieved via conditional access policy in Entra ID.

    • You can access the Entra ID portal and click on Protection >> Security Center.
    • Now click on Named locations on the right pane.
    • Click on IP ranges location at the top.
    • Enter the device IP address in a form such as 192.168.1.1/32. Make sure you add the device IP address and add /32 at the end.
    • Now save it and come back to previous screen.
    • Click on Conditional access and click on Create new policy on the top.
    • Enter some name to your new policy.
    • Under assignments, select the user for whom you want to restrict device login.
    • Post that in Cloud Apps, select all apps.
    • Under conditions click on Locations and select all locations and under exclude option select the named location that you had created.
    • Now leave everything else and click on Grant on the bottom.
    • Under Grant you can click on block and save the policy.

    With this policy, the mentioned user cannot log in and access anything other than the device IP address that you have mentioned.

    Note: Try this in your lab first and then implement the same in your production environment.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
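
The portal steps in the answer above correspond to two Microsoft Graph request bodies: a named location, then a Conditional Access policy that blocks everywhere except that location. The following is an added example, not part of the original answer; it builds both bodies and models the match logic locally. The user ID, location ID and 203.0.113.10 address are constructed placeholders, and it assumes Conditional Access matches on the public egress IP, so RFC 1918 addresses are rejected.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def named_location_body(name, device_ip):
    """Body for POST /identity/conditionalAccess/namedLocations (single host, /32)."""
    net = ipaddress.IPv4Network(f"{device_ip}/32")  # ValueError on a malformed address
    if any(net.subnet_of(p) for p in RFC1918):
        # Assumption: sign-ins are matched on the public egress IP, not the LAN address.
        raise ValueError(f"{net} is a private range; use the device's public egress IP")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": False,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": str(net)}],
    }

def block_policy_body(name, user_id, location_id, report_only=True):
    """Body for POST /identity/conditionalAccess/policies.
    report_only=True creates the policy in report-only state for lab testing."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": [user_id]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def policy_applies(policy, location, user_id, sign_in_ip):
    """Local model only: True when the block control would match this sign-in,
    i.e. the user is in scope and the source IP is outside the excluded range."""
    if user_id not in policy["conditions"]["users"]["includeUsers"]:
        return False
    ip = ipaddress.ip_address(sign_in_ip)
    return not any(ip in ipaddress.ip_network(r["cidrAddress"])
                   for r in location["ipRanges"])

# Constructed sample values (placeholders, not real tenant objects).
LOCATION = named_location_body("Allowed device", "203.0.113.10")
POLICY = block_policy_body("Block user off-device", "USER-OBJECT-ID", "LOCATION-ID")
```

Because the exclusion is an IP range, any device behind the same public address falls inside it; check the report-only results in the sign-in logs before switching `state` to `enabled`.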