Can I use domain group policies with AzureAD?

ChikaraTaro 80 Reputation points
2024-09-06T12:38:44.96+00:00

I am currently preparing the AzureADJoin environment.

I was told on this site that in order to log in to a PC kitted with AutoPilot with a different EntraID, the following needs to be set.


In local group policy, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. Look for Allow local login and make sure that the correct user group, such as a specific Azure AD group, exists.


However, in this case, since the setting is done with local group policy, the PC administrator is inevitably involved in PC kitting, which greatly reduces the benefits of AutoPilot.

What I want to achieve is to allow the user to kit the PC with AutoPilot themselves, without the PC administrator having to set up the PC each time (without intervention), and to be able to log in to that PC with another EntraID.

If you have any advice, I would appreciate it.


Accepted answer
Crystal-MSFT 49,346 Reputation points Microsoft Vendor
2024-09-09T01:29:17.19+00:00

@ChikaraTaro, thanks for posting in Q&A. For Autopilot enrollment, there are two join types when we join to Azure AD (Microsoft Entra): one is Microsoft Entra join and the other is Microsoft Entra hybrid join.

For Microsoft Entra join, it lets all Microsoft Entra users log in to any Microsoft Entra joined device by default.

    https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join

But if you want only specific users to log in to the device, you can configure the Intune policy setting "Allow Local Log On" to add the users you want to be able to log in to this PC. Here is a link with more details.

    https://petervanderwoude.nl/post/restricting-the-local-log-on-to-specific-users/#:~:text=Click%20Add%20settings%20and%20perform%20the%20following%20in,all%20on%20separate%20lines%20%E2%80%93%20and%20click%20Next

    Note: Non-Microsoft link, just for the reference.

As a note, if you have the same setting configured in both local group policy and Intune policy, the local group policy will win over the Intune policy and take effect. Therefore, please configure the policy in only one place to avoid any issue. In addition, domain group policy cannot apply to Microsoft Entra joined devices.

For Microsoft Entra hybrid joined devices, a domain user account is used to log in, and domain group policy can apply to these devices.

    https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join

    Hope the above information can help.



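Added example (not code from the thread, Microsoft or the linked post): after deploying an "Allow Local Log On" (SeInteractiveLogonRight) value through Intune, a practitioner wants to confirm what the device actually enforces and to produce the SID form of the Entra group that should appear in that list. The script below assumes it runs elevated on the Entra-joined device, that secedit.exe is present, and that the group object ID it uses is a placeholder; the S-1-12-1 mapping from an Entra object ID is the documented scheme Windows uses for Entra principals, and the lockout check is my own addition.

```powershell
# Added example, not from the original Q&A thread. Assumptions: run elevated on
# an Entra-joined Windows device; secedit.exe present; placeholder object ID.

function Convert-EntraObjectIdToSid {
    # Entra principals appear locally as S-1-12-1-<a>-<b>-<c>-<d>, where a..d are
    # the four little-endian UInt32 values of the object ID GUID's byte array.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0, 4, 8, 12 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function Get-AllowLogonLocallyPrincipals {
    # Export only the user-rights area of the effective local security policy
    # and parse the SeInteractiveLogonRight line from [Privilege Rights].
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }           # right not set: nobody is granted it explicitly
        $values = (($line -split '=', 2)[1]).Trim() -split ','
        foreach ($v in $values) {
            $v = $v.Trim()
            if ($v.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve to a name where the device can.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                        catch { '<unresolved on this device>' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $v }   # name-form entry (e.g. AzureAD\user@tenant)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-AllowLogonLocallyPolicy {
    # Returns $true when the expected Entra group is granted the right AND the
    # built-in Administrators group (S-1-5-32-544) is still present. Dropping
    # Administrators from this right is the classic way to lock yourself out.
    param([Parameter(Mandatory)][guid]$ExpectedGroupObjectId)
    $expectedSid = Convert-EntraObjectIdToSid -ObjectId $ExpectedGroupObjectId
    $granted = @(Get-AllowLogonLocallyPrincipals)
    $hasGroup  = $granted.Sid -contains $expectedSid
    $hasAdmins = $granted.Sid -contains 'S-1-5-32-544'
    [pscustomobject]@{
        ExpectedGroupSid     = $expectedSid
        GroupGranted         = $hasGroup
        AdministratorsKept   = $hasAdmins
        EffectivePrincipals  = $granted
        Ok                   = ($hasGroup -and $hasAdmins)
    }
}

# Usage (placeholder object ID; replace with the Entra group's real Object ID):
$result = Test-AllowLogonLocallyPolicy -ExpectedGroupObjectId '00000000-0000-0000-0000-000000000000'
$result | Format-List
if (-not $result.Ok) { Write-Warning 'Allow log on locally is not in the expected state on this device.' }
```

Run it on the Autopilot-provisioned device after the policy has synced; because the effective value is read from the local security database, a local group policy that overrides the Intune setting (the conflict the answer warns about) shows up here as a list that does not match what was configured in Intune.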
