Share via

Block Microsoft 365 account from logging on Windows machine?

CeciNestPasLegal 25 Reputation points
2024-07-10T19:45:16.64+00:00

Hello! How can I block a user from logging on Windows with Azure AD on our machines, but still allow it to use Microsoft 365?

 

Basically we have a service account that should only be accessed from iOS MDM devices by default. A way to exempt some Windows machines would be nice, but the preference is ban the account from Windows logon altogether. 

We use Microsoft 365 with Intune. All machines are managed.

 

Thanks in advance!

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
5,178 questions
Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,532 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,673 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,233 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,229 questions
0 comments
Accepted answer
  1. Crystal-MSFT 49,601 Reputation points Microsoft Vendor
    2024-07-11T01:48:03.5866667+00:00

    @CeciNestPasLegal, Thanks for posting in Q&A. For the policy, it only applies to specific editions and OS. Please ensure the affected device is supported.

    User's image

    Meanwhile, please ensure the value we set is with AzureAD\userUPN . And go to one affected device to check the Event log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin to see if any error exists.

    If there's any update, feel free to let us know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Karelpelck 710 Reputation points
    2024-07-10T21:07:08.17+00:00

    Blocking him from signing in to windows is wil not deny the account of logging on to cloud apps from the windows platform on unmanaged devices or devices that have been signed in by a different user. You can start by blocking the account of logging into any cloud apps on a windows device by creating a conditional access policy scoped on the user for all apps as so:
    User's image

    Now, if you want to go further and keep the account from signing into your managed windows devices you can user the settings catalog use the Deny Local Log On setting. Make sure you specify the account correctly. And you can add multiple accounts there if you like. Screenshot:
    User's image

    Hope this helps.

  2. Marilee Turscak-MSFT 36,891 Reputation points Microsoft Employee
    2024-07-10T23:29:16.0366667+00:00

    Hi @CeciNestPasLegal ,

    There's no native way to do this using Entra ID. Conditional Access will block the cloud app logins but not the local logins. You can, however, achieve this through Custom Configuration Profiles (CSPs) in Intune.

    Resources:

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.