AllanWith
Apr 13, 2021, Iron Contributor
Approval flow for Azure AD Registration
Hello - is there a way to have an approval flow for getting a device Azure AD registered? We are an educational institution. Say we have a set of requirements for a registered device, in order fo...
AllanWith
Apr 15, 2021, Iron Contributor
Hello Vasil, thank you for replying. I'm talking about registration, not join, as we know that we can limit that.
It could be BYOD devices that are owned by employees themselves, including their own PCs at home, but also devices they may not directly own themselves. We're concerned that if all it takes to AAD register a device is MFA, then they could in theory go borrow someone else's computer, or maybe go to a netcafé or something like that, where they would have local admin, and then Azure AD register the device without understanding what happens, and then start syncing files from OneDrive or whatever else they might want to do. But we also don't want to eliminate the BYOD scenario entirely, thus thinking that if we could have an approval flow for such devices, then maybe that could be a workable middle ground.
Hope that makes sense?
VasilMichev
Apr 15, 2021, MVP
I think Microsoft's reasoning here is that you should be using the controls available within M365 MDM/Intune to address this, thus no granular control on Azure AD side.
AllanWith
Apr 18, 2021, Iron Contributor
Thanks for that response - I'll post here if we figure something out.