Block Microsoft 365 account from logging on Windows machine?

CeciNestPasLegal 25 Reputation points
2024-07-10T19:45:16.64+00:00

Hello! How can I block a user from logging on to Windows with Azure AD on our machines, but still allow it to use Microsoft 365?

 

Basically we have a service account that should only be accessed from iOS MDM devices by default. A way to exempt some Windows machines would be nice, but the preference is to ban the account from Windows logon altogether.

We use Microsoft 365 with Intune. All machines are managed.

 

Thanks in advance!


Accepted answer
  1. Crystal-MSFT 53,986 Reputation points Microsoft External Staff
    2024-07-11T01:48:03.5866667+00:00

    @CeciNestPasLegal, Thanks for posting in Q&A. For the policy, it only applies to specific editions and OS. Please ensure the affected device is supported.


    Meanwhile, please ensure the value we set is with AzureAD\userUPN. And go to one affected device to check the Event log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin to see if any error exists.

    If there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Karelpelck 710 Reputation points
    2024-07-10T21:07:08.17+00:00

    Blocking him from signing in to Windows will not deny the account from logging on to cloud apps from the Windows platform on unmanaged devices or devices that have been signed in by a different user. You can start by blocking the account from logging into any cloud apps on a Windows device by creating a Conditional Access policy scoped on the user for all apps, as so:

    Now, if you want to go further and keep the account from signing into your managed Windows devices, you can use the Settings Catalog's Deny Local Log On setting. Make sure you specify the account correctly. And you can add multiple accounts there if you like. Screenshot:

    Hope this helps.
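The accepted answer suggests confirming the Deny Local Log On value on an affected device and reading the DeviceManagement-Enterprise-Diagnostic-Provider Admin log; the answer above points at the same Settings Catalog setting. The following PowerShell is an added verification script, not code from the thread or from Microsoft: it exports the effective user-rights assignments with secedit, checks whether the expected AzureAD\UPN (or its resolved SID) is in SeDenyInteractiveLogonRight, and lists recent errors from that Admin log. It assumes an elevated session on an Entra-joined device and uses a placeholder UPN.

```powershell
# Added example (not from the thread). Run elevated on the affected Windows device.
param(
    [string]$ExpectedPrincipal = 'AzureAD\svc-mdm@contoso.example'  # placeholder UPN, replace
)

function Test-DenyLocalLogon {
    param([string]$Principal)

    # 1. Export the effective local security policy (user rights only) to a temp .inf file.
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # 2. Pull the "Deny log on locally" line; entries are comma separated, SIDs prefixed with '*'.
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    $entries = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    }

    # 3. Resolve the principal to a SID where the device can (AzureAD\<UPN> resolves on joined devices).
    $sid = $null
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { }

    $present = [bool]($entries | Where-Object { $_ -eq $Principal -or ($sid -and $_ -eq "*$sid") })

    # 4. Recent errors from the MDM diagnostic log the accepted answer refers to.
    $errors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
        Level     = 2                          # 2 = Error
        StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Principal        = $Principal
        ResolvedSid      = $sid
        DenyLocalLogon   = $present
        CurrentEntries   = $entries
        RecentMdmErrors  = @($errors | Select-Object TimeCreated, Id, Message)
    }
}

Test-DenyLocalLogon -Principal $ExpectedPrincipal | Format-List
```

If DenyLocalLogon is False while Intune reports the profile as applied, compare the CurrentEntries list against the value typed into the Settings Catalog before looking further at the MDM log errors.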


  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-07-10T23:29:16.0366667+00:00

    Hi @CeciNestPasLegal ,

    There's no native way to do this using Entra ID. Conditional Access will block the cloud app logins but not the local logins. You can, however, achieve this through Custom Configuration Profiles (CSPs) in Intune.

    Resources:

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching similar questions.

