How to restrict the other domains and user accounts to use and enroll the device and use apps and add in a domain enrolled device via Intune, Entra ID etc. and what are the ways to do it?

Question

How to restrict the other domains and user accounts to use and enroll the device and use apps and add in a domain enrolled device via Intune, Entra ID etc. and what are the ways to do it?

Mytoast Admin 285

For example: I don't want users to user other domains user accounts to use with any of the M365 apps and services on the my domain enrolled machines.

Rahul Jindal [MVP] 10,811 Reputation points MVP

2024-09-13T21:10:05.21+00:00

You are looking at a combination of managed devices and app protection policies through Intune and Conditional access policy checking for device compliance.
Mytoast Admin 285 Reputation points

2024-09-14T06:50:01.16+00:00

Rahul Jindal [MVP]

No I am not looking for compliance for managed devices.

I am looking for the policy and configuration settings which I can setup to prevent users to use other domain accounts than our company domain in browser based apps and also on the device as well so how I can do it via Intune and Entra?

Accepted answer

1 additional answer

Your answer

Rahul Jindal [MVP] 10,811 Reputation points MVP

2024-09-13T21:10:05.21+00:00

You are looking at a combination of managed devices and app protection policies through Intune and Conditional access policy checking for device compliance.
Mytoast Admin 285 Reputation points

2024-09-14T06:50:01.16+00:00

Rahul Jindal [MVP]

No I am not looking for compliance for managed devices.

I am looking for the policy and configuration settings which I can setup to prevent users to use other domain accounts than our company domain in browser based apps and also on the device as well so how I can do it via Intune and Entra?

Answer 1

Hello @Mytoast Admin,

Thank you for posting your query on Microsoft Q&A.

Based on your description, I understand that you are trying to restrict access to users from other domains on your company’s corporate devices. For example, if a device is part of Tenant A, users should only be able to log in to browser-based applications using credentials from your tenant. If someone attempts to log in with credentials from another tenant (e.g., Tenant B), access should be restricted. Please correct me if I’ve misunderstood.

To address this requirement, I’d like to share an alternative approach you can consider. Below, you will find a flowchart illustrating Tenant Restrictions V2.

Diagram illustrating tenant restrictions v2.

As shown in the flowchart, if a user on a Contoso-managed device tries to access resources using credentials from an unknown tenant, the login will be restricted. For more details, please refer to the following documentation:

tenant restrictions v1

tenant restrictions v2

Universal tenant restrictions

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Mytoast Admin 285 Reputation points

2024-09-26T15:13:15.65+00:00

Hi Raja Pothuraju

This is what I was looking for. This seems going to help us.

Let me take a look and I will do the needful.

Thanks.

Answer 2

ZhoumingDuan-MSFT 17,165 Microsoft External Staff

@Mytoast Admin, Thanks for posting in Q&A.

From your description, I know you want to restrict the other domains and user accounts to use and enroll the device and use apps and add in a domain enrolled device via Intune.

Based on my research, for Windows, we can configure Automatic Enrollment under Enrollment restrictions to Some and select the user account that you want to enroll in Intune and create a conditional access policy that require device must be marked as compliant so that they can access apps

User's image

For Android device and iOS device, we can create an app protection policy to restrict some user's access.

https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-android#conditional-launch

https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#conditional-launch

Hope above information can help you, if there is any update, feel free to let me know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Mytoast Admin 285 Reputation points

2024-09-17T05:02:59.03+00:00

ZhoumingDuan-MSFT

I have done this before but I wanted to push these policies on Windows devices as well.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-09-17T06:33:36.4833333+00:00

@Mytoast Admin, Thanks for your reply.

The above information is available for Windows device, when you set Automatic Enrollment for some groups containing specific users and create a conditional access policy, then only the user in the groups can enroll their device in Intune can access the apps.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-09-19T06:25:10.8+00:00

@Mytoast Admin, Hope things going well.

May I know the above information is helpful? If there is any update, feel free to let me know.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-09-26T09:09:21.5233333+00:00

@Mytoast Admin, Hope you have a good day.

If the answer is helpful, please click "Accept Answer" and kindly upvote it to help others with the same problem as soon as possible.

Share via

How to restrict the other domains and user accounts to use and enroll the device and use apps and add in a domain enrolled device via Intune, Entra ID etc. and what are the ways to do it?

1 additional answer

Your answer