Preventing Azure AD Registration

Tomnibus 21 Reputation points
2022-02-04T14:45:34.153+00:00

I have all these Azure AD Registered devices in my tenant and I don't want them there. These are not Locally joined AD machines. It happens when someone on a personal device logs into, say, OneDrive or something and they are prompted with the question, "Allow My Organization To Manage My Device" and the default is yes so most people hit yes.

I utilize Autopilot and Intune and I have some machines that are locally AD Joined but we're weeding those out and going fully cloud.

I know under Devices -> Device Settings there is "Users may join devices to Azure AD" and I have that set to "All" because we allow an auto-piloted computer to be logged in by the user to get set up. However, is this something separate? Because the help indicator says "This setting does not apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure and Azure AD joined devices using Windows Autopilot self-deployment mode as these methods work in a userless context."

The "Users may register their devices with Azure AD" setting is greyed out and set to "All". But I assume if I change the first one to "None", then I can set the other one to "None" and I won't have all these personal devices in my tenant?

Also, can I delete these personal devices from my tenant and it won't break their own systems?

Microsoft Entra ID

Accepted answer
  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2022-02-07T09:04:15.55+00:00

    @Tomnibus Thanks for reaching out. Yes, you can safely remove the Azure AD registered device state for personal devices from Azure AD.
    Once removed, users might be prompted to register them again, so educating users on selecting what to do will also help; otherwise they might end up in the Azure AD portal again. Unfortunately this prompt cannot be controlled at this point in time for personal devices.

    For corporate devices:
    If you have a device which is domain joined and also registered as Azure AD registered, it can lead to a dual-state scenario; you can read further to understand how to prevent it: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

    Enable the following registry setting to block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10/11 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001

    For personal devices:

    For now, you can only educate the users on selecting the options they have and the end result. This blog covers the four options users have when they see that prompt:
    https://msendpointmgr.com/2021/03/11/are-you-tired-of-allow-my-organization-to-manage-my-device/

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

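As an added example that is not part of the answer above, the following PowerShell script applies the BlockAADWorkplaceJoin policy the answer quotes on a corporate Windows 10/11 device and reports the device's join state so that machines already in the dual state (domain joined and workplace joined at the same time) can be identified for clean-up. It assumes an elevated session and that dsregcmd /status prints the AzureAdJoined, DomainJoined and WorkplaceJoined fields in its usual "Name : YES/NO" form; the registry path and value name are the ones from the answer, the function names are my own.

```powershell
# Added example, not code from the answer. Run elevated on the device.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName  = 'BlockAADWorkplaceJoin'

function Get-WorkplaceJoinBlockState {
    # $true only when the policy value exists and is set to 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-WorkplaceJoinBlock {
    # Create the policy key if needed, then write the DWORD value 1.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-DeviceJoinState {
    # Parse dsregcmd /status for the three join indicators (field names assumed).
    $status = dsregcmd /status
    $state  = @{}
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $state[$field] = 'UNKNOWN'
        $line = $status | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
        if ($line -and $line -match ':\s*(\S+)') { $state[$field] = $Matches[1] }
    }
    return $state
}

# Record the state before changing anything: the policy only prevents
# future registrations, it does not undo an existing dual-state registration.
$before = Get-DeviceJoinState

if (-not (Get-WorkplaceJoinBlockState)) {
    Set-WorkplaceJoinBlock
}

[pscustomobject]@{
    BlockAADWorkplaceJoin = Get-WorkplaceJoinBlockState
    DomainJoined          = $before['DomainJoined']
    AzureAdJoined         = $before['AzureAdJoined']
    WorkplaceJoined       = $before['WorkplaceJoined']
    DualState             = ($before['DomainJoined'] -eq 'YES' -and $before['WorkplaceJoined'] -eq 'YES')
}
```

A device reported with DualState = True still needs its existing Azure AD registered state removed as described in the linked hybrid join planning article; the policy alone only stops it from recurring.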
