Azure AD User Password Reset Not Reflected On Azure AD Joined device

Daniyal Raza 116 Reputation points
2021-08-12T12:44:45.68+00:00

Hi All,

I am stuck in a scenario; can someone please help me get out of this situation?
I am using a Microsoft 365 trial. I enrolled a Windows laptop in Endpoint Manager using the Bulk Enrollment method, and it was successful.
Now I can log in with any of the users already created in Azure AD, but when I reset the user's password from the Microsoft 365 admin center, the user is still able to log in with the old credentials on that Windows machine, which I don't want in my case. I want to block the user from accessing the laptop with the old Azure AD credentials.

How can I achieve this, or what do I have to do for it? Is it possible?

Looking for urgent Help.

Thanks
Daniyal

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2021-08-12T18:49:19.043+00:00

    This is not directly possible today as that's not how logins to an AAD joined device work (note that this is completely unrelated to Intune).

    Watch https://syfuhs.net/ops108-windows-authentication-internals-in-a-hybrid-world for lots of in-depth details on this.

    Can you expand on the use case here? What's the full scenario?
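
    As an added example (not part of the answer above or of any Microsoft documentation), the following PowerShell helper checks what kind of join the device actually has, since the sign-in behavior being discussed applies to an Azure AD joined device. It wraps the built-in `dsregcmd /status` command and reads the field names that tool prints (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, `AzureAdPrt`, `TenantName`, `DeviceId`); the function names `Get-DsregStatus` and `Get-JoinSummary` are my own. Run it as the user whose sign-in you are investigating, because the SSO section of `dsregcmd /status` reflects the account running the command, not the computer.

    ```powershell
    # Added example: summarise the join state reported by dsregcmd /status.
    # dsregcmd.exe ships with Windows 10/11; field names below are the ones it prints.

    function Get-DsregStatus {
        [CmdletBinding()]
        param()

        $raw = & dsregcmd.exe /status 2>&1
        if (-not $raw) {
            throw "dsregcmd /status returned no output (exit code $LASTEXITCODE)"
        }

        # Collect every "   Key : Value" line into a hashtable; section headers and
        # separator lines (+---- ... ----+) do not match the pattern and are skipped.
        $fields = @{}
        foreach ($line in $raw) {
            if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
                $fields[$Matches[1]] = $Matches[2]
            }
        }
        return $fields
    }

    function Get-JoinSummary {
        [CmdletBinding()]
        param([hashtable]$Fields = (Get-DsregStatus))

        $azureAdJoined   = $Fields['AzureAdJoined']   -eq 'YES'
        $domainJoined    = $Fields['DomainJoined']    -eq 'YES'
        $workplaceJoined = $Fields['WorkplaceJoined'] -eq 'YES'

        # Classify the device the way the Azure AD docs name these states.
        $joinType = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
                    elseif ($azureAdJoined)                  { 'Azure AD joined' }
                    elseif ($workplaceJoined)                { 'Azure AD registered only' }
                    elseif ($domainJoined)                   { 'On-premises domain joined only' }
                    else                                     { 'Not joined' }

        [PSCustomObject]@{
            JoinType   = $joinType
            TenantName = $Fields['TenantName']
            DeviceId   = $Fields['DeviceId']
            # AzureAdPrt is YES when the user running dsregcmd holds a Primary Refresh
            # Token, i.e. has completed an online Azure AD sign-in on this device.
            UserHasPrt = ($Fields['AzureAdPrt'] -eq 'YES')
        }
    }

    # Usage: run in a non-elevated session as the affected user.
    Get-JoinSummary | Format-List
    ```

    If `JoinType` is anything other than `Azure AD joined`, the device is not in the state the question describes, and the sign-in path is different (domain logon for hybrid, local account for registered-only).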


7 additional answers

  1. Steve Gladden 1 Reputation point
    2022-03-17T18:28:39.093+00:00

    "Conditional Access" was not the answer.
    That only leads you to more "apps" and M365.
    It appears to be meant to allow or deny access to "app" type resources:
    things that are completely in the cloud,
    and virtual machines that are in the cloud.

    I'd like to know if ANY local settings can be provisioned or synced, starting with the user's password on the Windows 10 computer, from Azure AD WITHOUT an added license
    or complicated apps that may do this.

    I am getting my own impression that the only way to do this is that some local app needs to be running on the machine.
    That app itself "syncs" from settings that are in Azure AD or another cloud "app",
    all of which require special additional licensing (versus free or included licensing in many business packages) and somewhat complicated setup.

    Not sure if this is correct, but it is one of my possible guesses/conclusions.
    And it would be way overkill as a solution to centrally manage a small company's ten computer user passwords (and whether they are a local admin or not).


  2. Nawaf Mushtaque Ahmed Mungaye 1 Reputation point
    2022-04-14T03:17:00.327+00:00

    @Jason Sandys, if I have understood the problem statement correctly, I have a similar issue with my device too. Recently I changed the password of my Azure AD account using SSPR, but when I tried to log in to my Azure AD device, it always prompts me with "wrong password", and I am able to log in with the old credentials.


  3. Michel G 20 Reputation points
    2023-07-19T19:38:25.2+00:00

    How is this considered normal behavior? We've reset a user's password, and we can log in with the new password online. However, we're unable to log in to the user's PC, as we don't know the previous password. We can't even switch users and log in with another user on this Windows 11 Pro machine.

    What a mess!

    The "cloud" was supposed to simplify and unify management; now it's just a mess of identities everywhere and broken services.

    Please tell me what I'm doing (or expecting) wrong!
