Can an unlicensed user login to an Azure AD joined device?

Chris Taylor 21 Reputation points
2022-04-05T15:48:49.507+00:00

Hi,

I'm trying to work out if an unlicensed user can login to an Azure AD joined device.
We want to join all our devices to Azure AD, but have a few users who do not need a mailbox, but do need access to a PC.
Do these users need a license, and if so what license is needed?
I've done a few tests and it seems I do need a license, unless there is a setting in AzureAD I can configure to allow the user to login.

Many thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2022-04-05T15:54:42.057+00:00

    You need a license to join a device, yes:
    https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#why-do-i-see-the--oops--an-error-occurred---dialog-when-i-try-to-azure-ad-join-my-pc

    and from this, one to logon to it as well:
    https://www.reddit.com/r/Intune/comments/fgudam/which_license_is_needed_to_login_into_a/

    Correct. To get policies, configurations, apps, company portal, etc the user logging in must be licensed.

    Scenario:

    User A is licensed enrollment user

    User B is a normie with no license

    Provision a computer (Autopilot, manual AAD join, OOBE, whatever) and User A logs in. Policies are applied, apps installed, and whatever else is configured in Intune. Then, User B logs in. It will copy what it can based off of what was set by Intune in the default profile to create new user profiles BUT will not be enforced.

    Example: if you have a custom start menu with icons locked, it will be locked for a licensed user. An unlicensed user logs in and the icons are in the configured arrangement but user is able to edit them.

    Another example; User A logs in and gets locked down screen/display timeouts

    User B logs in and can modify those settings freely.

    I understand why, but this is a gaping hole; if I set security policies via Intune and we forget to license one user, that user can bypass all policies and restrictions set by Intune just because they have no license. Even on devices used by 2+ people. The unlicensed user basically gets the same experience as if they were a standard user on a personal computer.

    Think of an Intune license as the classic user CALs for Windows Server and GPOs. You will need one for every single user that logs in, to whom you'd want to apply and enforce configurations, apps, and policies.
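As an added example (not code from this thread or from Microsoft), the audit a tenant admin would want after reading the answer above: a Microsoft Graph PowerShell script that lists accounts which signed in to Azure AD joined Windows devices in the last 30 days but hold no license, so the "forgot to license one user" gap can be found rather than assumed. It assumes the Microsoft.Graph SDK is installed, that sign-in logs are readable through Get-MgAuditLogSignIn, and that the app name 'Windows Sign In' and trust type 'Azure AD joined' match the strings your tenant's sign-in logs report.

```powershell
# Added example: report accounts that signed in to Azure AD joined devices without any license.
# Assumes the Microsoft.Graph PowerShell SDK and rights to read sign-in logs and directory data.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Look back 30 days; Graph expects the filter timestamp in ISO 8601 UTC.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on time only; app name and device trust type are matched client-side
# (assumed string values as they appear in the Entra sign-in logs).
$deviceSignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object {
        $_.AppDisplayName -eq 'Windows Sign In' -and
        $_.DeviceDetail.TrustType -eq 'Azure AD joined'
    }

# One row per user, listing every device the account was used on.
$findings = foreach ($group in ($deviceSignIns | Group-Object -Property UserId)) {
    $userId = $group.Name
    if ([string]::IsNullOrEmpty($userId)) { continue }

    # licenseDetails reflects effective assignments (direct and group-based);
    # a deleted user returns nothing and therefore also shows up in the report.
    $licenses = @(Get-MgUserLicenseDetail -UserId $userId -ErrorAction SilentlyContinue)
    if ($licenses.Count -gt 0) { continue }   # licensed: Intune policy is enforced, nothing to flag

    $devices = $group.Group | ForEach-Object { $_.DeviceDetail.DisplayName } | Sort-Object -Unique
    $latest  = ($group.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
    [pscustomobject]@{
        UserPrincipalName = $group.Group[0].UserPrincipalName
        SignInCount       = $group.Count
        Devices           = ($devices -join ', ')
        LastSignIn        = $latest
    }
}

$findings | Sort-Object SignInCount -Descending | Format-Table -AutoSize
```

Run it on a schedule and treat any row as a device whose Intune restrictions are not being enforced for that account.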


1 additional answer

  1. Kevin Jackson 1 Reputation point
    2022-11-29T08:38:48.543+00:00

    Hi,
    Apologies for resurrecting this thread, but I'm in the same position.
    Moved all computers from on prem AD into AAD/Intune.
    I have 7 computers in a ticketing office whereby a single AAD user account will log into all of them. This user doesn't use anything other than RDP to sign into a remote portal, so spending over £16pcm for using nothing seems a bit outrageous.
    I have another 12 computers in an academy classroom whereby another single AAD account will be used to login to them all as our scholars then login to the MS office portal using their separate college account to access their stuff.
    So the above 2 accounts won't have any licences assigned to them at all.
    When I tested this I seemed to struggle to get a non-licenced AAD account actually logged into an Intune joined device.
    I wonder if granting these 2 users an Intune licence (infinitely cheaper than a Business Premium licence) would work.
    Also, would it be OK for the same AAD account to be logged into several computers at the same time on the same network (don't see why not), but MS are all about the money money money I guess.

    The alternative is I just create standard user local accounts on each computer (ball ache).

    As regards security, surely the local admin can set a local policy to avoid users doing what they want?

    Would welcome any further input you guys have.

