Forum Discussion

MTSBob
Iron Contributor
Jul 20, 2018

What does disabling an Azure AD device actually do?

In an AAD-only org, with Windows 10 Enterprise computers all Azure AD joined and managed by Intune, exactly what does "disabling" the device via the AAD Portal --> Devices --> Select a device --> Disable do?


It seems to have absolutely no impact on our devices' ability to continue to log in to AAD and access Office 365 apps/services, for example. Perhaps I naively assumed that disabling a device actually meant that it would be disabled in the sense that you couldn't log in to your org via AAD login, or, even if you were, you wouldn't be able to do anything that required AAD, which in my mind includes Office 365. Am I mistaken?


Thanks,

Bob

6 Replies

  • 
    Rui Cabral
    Brass Contributor

    Remarks:

    • You need to be a global administrator or cloud device administrator in Azure AD to enable / disable a device.
    • Disabling a device prevents a device from successfully authenticating with Azure AD, thereby preventing the device from accessing your Azure AD resources that are guarded by device CA or using your WH4B credentials.
    • Disabling the device will revoke both the Primary Refresh Token (PRT) and any Refresh Tokens (RT) on the device.


    https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

    • 
      MReed
      Copper Contributor

      Rui Cabral 

      Question - once the device is re-enabled. 
      I've disabled a device - then needed to re-enable device once it was returned by termed user. 
      However, I am unable to sign in to the device now. There is no "other" user, and what appears to be only the local account of the previous termed user is available. 
      Does a disabled device eventually connect again with AAD? 

      • 
        geegol1
        Copper Contributor
        Yes it does. However, if you are wanting to lock down a device so users cannot login to it, you will need to create a group (for example locked-devices) and then apply a strict policy where it prevents users from logging into the computer. Once the said computer is added to the group, sync it from intune. The user should no longer be able to sign in.
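The two administrative actions discussed above, Rui Cabral's "disable the device" and geegol1's "put it in a locked-devices group that an Intune policy targets", can be scripted from the tenant side. The following is an added example, not code from the thread or from Microsoft, written against the Microsoft Graph PowerShell SDK (the thread predates it; the AzureAD module of the time exposed the same operations under different cmdlet names). The device name, the group name and the Intune profile assigned to that group are assumptions; the script creates the group and the membership but not the profile itself.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph modules
# are installed and the signed-in account is a Global Administrator or Cloud Device
# Administrator (the roles Rui Cabral's reply names as required to enable/disable).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups

param(
    [string]$DeviceName    = 'DESKTOP-EXAMPLE',  # assumed device display name
    [string]$LockdownGroup = 'locked-devices'    # assumed group name, as in geegol1's reply
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome

# 1. Locate the device object. displayName is not unique in Azure AD, so refuse to
#    act on an ambiguous match rather than disabling the wrong machine.
$matches = @(Get-MgDevice -Filter "displayName eq '$DeviceName'")
if ($matches.Count -eq 0) { throw "No Azure AD device named '$DeviceName'" }
if ($matches.Count -gt 1) { throw "More than one device named '$DeviceName'; target it by object id instead" }
$device = $matches[0]

# 2. Disable it. Note the naming trap: in Graph PowerShell, -DeviceId is the directory
#    object id ($device.Id), not the hardware/registration DeviceId property.
Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
$device = Get-MgDevice -DeviceId $device.Id
Write-Output ("{0}: accountEnabled={1}" -f $device.DisplayName, $device.AccountEnabled)

# 3. Add it to the lockdown group. An Intune configuration profile assigned to this
#    group (assumed to exist; not created here) is what actually blocks interactive
#    sign-in once the device next syncs.
$group = Get-MgGroup -Filter "displayName eq '$LockdownGroup'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $LockdownGroup -MailEnabled:$false `
                         -MailNickname 'locked-devices' -SecurityEnabled
}
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)
if ($memberIds -notcontains $device.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
    Write-Output ("{0} added to {1}" -f $device.DisplayName, $group.DisplayName)
}

# 4. Verification on the device itself (run there, not here). After the disable has
#    propagated, the device stays joined but can no longer obtain a PRT, which is
#    the token revocation Rui Cabral's reply describes:
#
#    dsregcmd /status | Select-String 'AzureAdJoined|AzureAdPrt'
#
#    AzureAdJoined : YES together with AzureAdPrt : NO is the expected state.
```

Two points worth checking in practice: tokens already cached on the device keep working until they expire, so the effect is not instantaneous, and `dsregcmd /status` must be run in the context of the affected user, since the PRT is per user, not per machine.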
  • Hi,

    Now I'm forced to learn how Azure works to consult for our clients.

    I'm not very good at Azure skills and also need to know this mystery: to what type of resources must the user/device lose access after disabling the device in Azure? Obviously, it's not a loss of login to the Azure portal or use of O365 apps, nor on-premises login or, e.g., use of shared folders. So what could it be? Any ideas?


    Roman
