Hello Prasad
Sounds like you want to prevent your users from ever hitting the https://myaccount.microsoft.com/device-list page (and seeing their BitLocker keys). Out of the box that URL is part of the Microsoft Account/Microsoft Entra “My Account” self-service portal, so the user themselves is allowed to see the devices and recovery keys that have been escrowed to your directory. There isn’t a simple “block this URL” toggle in Azure AD, but here are the main levers you can pull:
- Disable device registration entirely
  • In the Azure portal, go to Azure Active Directory > Devices > Device settings
  • Under “Users may register their devices with Azure AD,” set to “No.”
  • That prevents new devices (and their keys) from being registered, but won’t stop users from viewing devices already registered.
- Require MDM enrollment (Intune) before device registration
  • Azure AD > Devices > Device settings > “Users may register their devices” → “Require Multi-Factor Auth” or “Only allow corporate-owned (Hybrid Azure AD joined) devices.”
  • This forces users to enroll in Intune (or join on-premises AD + ADFS) before the registered device and its keys show up.
  • If no device ever makes it into Azure AD, there’s nothing to display.
- Lock down self-service BitLocker key retrieval via RBAC
  • By default any user can see their own keys. There’s no built-in Azure AD permission that says “hide BitLocker for everyone except admins.”
  • You could build a custom solution where key escrow/recovery happens outside of Azure AD (for example, in an on-prem PKI), so Azure AD never stores user-retrievable keys.
- Block access to the My Account portal via Conditional Access (workaround)
  • In Azure AD > Security > Conditional Access, create a policy that blocks the cloud app “Microsoft Entra Admin” or “User Actions” for your user population when they attempt to access the My Account portal from any location.
  • Caveat: this will block all self-service account pages, not just the device list.
- Remove existing keys and rotate to a different escrow location
  • If you can’t prevent users from registering devices, at least stop storing recovery keys in Azure AD.
  • Use a third-party key manager or on-prem HSM/PKI to store BitLocker keys.
- (Brute force) Use network-level filtering or a web proxy to explicitly block access to that specific URL—this isn’t managed in Azure AD but can be done in your corporate firewall/proxy.
If none of the above hit the mark, can you clarify:
• Are these personal Microsoft Accounts or Entra (Azure AD) accounts?
• Are the devices corporate-owned (Intune/MDM enrolled) or BYOD?
• Do you need to completely shut off all My Account features, or just hide BitLocker keys?
• Are you okay blocking the entire My Account site, or do you need more surgical control?
References:
• Manage device identities in Microsoft Entra ID – https://learn.microsoft.com/entra/identity/devices/manage-device-identities
• Azure AD Devices settings – https://learn.microsoft.com/azure/active-directory/devices/overview#device-settings
• Conditional Access overview – https://learn.microsoft.com/azure/active-directory/conditional-access/overview
• Device registration FAQ – https://learn.microsoft.com/entra/identity/devices/faq
Let us know if you have any questions.
Thanks
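A scripted form of the Conditional Access workaround from the answer above, added here as an example and not part of the original reply. It assumes the Microsoft Graph PowerShell SDK with Policy.ReadWrite.ConditionalAccess consent, that you replace the two placeholder IDs with the application ID of the cloud app you picked in the portal and the object ID of an existing emergency-access group, and it creates the policy in report-only mode so the sign-in logs show who would be affected before anything is enforced.

```powershell
# Added example (not from the original answer): create the "block My Account" Conditional Access
# policy with Microsoft Graph PowerShell instead of clicking through Azure AD > Security > Conditional Access.
# Assumptions: Microsoft.Graph module installed; both placeholder IDs below replaced with tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: application (client) ID of the cloud app you chose for the My Account portal.
$targetAppId = "<application-id-of-the-cloud-app-you-chose>"
# PLACEHOLDER: object ID of your break-glass / emergency-access group, excluded so admins are never locked out.
$breakGlassGroupId = "<emergency-access-group-object-id>"

$policy = @{
    displayName = "Block My Account self-service portal (report-only pilot)"
    # Report-only: nothing is blocked yet, but sign-in logs record who *would* have been blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($targetAppId) }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check the report-only results in the sign-in logs for a few days; only then change state to "enabled".
# The caveat from the answer still applies: this blocks every page of the portal, not just the device list.
```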