Forum Discussion
Enrollment Scope only AzureAD Joined
davidscharf
Hi, to restrict enrollment in Microsoft Intune only to devices joined to Azure AD and prevent enrollment of devices registered to Azure AD, I would do this:
Enrollment Restrictions in Intune: configure restrictions to block personal devices, ensuring that only enterprise devices joined to Azure AD can enroll (assign these restrictions to the appropriate user groups).
Enrollment Scope in Azure AD:
Set the MDM (Mobile Device Management) scope to include only users who need to enroll joined devices in Azure AD.
Set the MAM (Mobile Application Management) scope to “None” to exclude registered devices.
Dynamic Groups: use a proper dynamic group rule: (device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureADJoined")
This configuration will ensure that only devices joined to Azure AD can be enrolled in Intune.
Obviously, as soon as you can, activate Autopilot 🙂
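As an added example (not part of davidscharf's post), the following Microsoft Graph PowerShell script audits the three settings above in a tenant and reports anything that would still let an Azure AD registered (personal) Windows device enroll. It assumes the Microsoft.Graph module is installed and that the signed-in account can read Intune enrollment configuration, groups and MDM/MAM scope policies; the function and finding texts are the example's own.

```powershell
# Added example, not the original poster's code. Assumes Microsoft.Graph.Authentication
# and Microsoft.Graph.Groups are installed and the account has read access to Intune.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All','Group.Read.All','Policy.Read.All' -NoWelcome

function Test-IntuneJoinedOnlyEnrollment {
    $findings = @()

    # 1. Enrollment restrictions: each Windows platform restriction must block personal devices.
    $cfg = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $restrictions = $cfg.value | Where-Object {
        $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    }
    foreach ($r in $restrictions) {
        $win = $r.windowsRestriction
        if ($win -and -not $win.platformBlocked -and -not $win.personalDeviceEnrollmentBlocked) {
            $findings += "Restriction '$($r.displayName)' (priority $($r.priority)) still allows personal Windows devices"
        }
    }

    # 2. MDM user scope should be a selected group (or none), MAM scope should be none.
    $mdm = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies'
    $mam = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/mobileAppManagementPolicies'
    foreach ($p in $mdm.value) {
        if ($p.appliesTo -eq 'all') { $findings += "MDM scope of '$($p.displayName)' is 'all' instead of a selected group" }
    }
    foreach ($p in $mam.value) {
        if ($p.appliesTo -ne 'none') { $findings += "MAM scope of '$($p.displayName)' is '$($p.appliesTo)', not 'none'" }
    }

    # 3. A dynamic device group must filter on deviceTrustType AzureADJoined (straight or curly quotes).
    $groups = Get-MgGroup -All -Property Id,DisplayName,GroupTypes,MembershipRule | Where-Object {
        $_.GroupTypes -contains 'DynamicMembership' -and
        $_.MembershipRule -match 'deviceTrustType\s+-eq\s+["“]AzureADJoined["”]'
    }
    if (-not $groups) { $findings += 'No dynamic group filters on device.deviceTrustType -eq "AzureADJoined"' }

    if ($findings.Count -eq 0) { return 'OK: enrollment is limited to Azure AD joined devices' }
    return $findings
}

Test-IntuneJoinedOnlyEnrollment
```

Run it after applying the settings; an empty finding list means every Windows restriction blocks personal devices, the MAM scope is None, and a matching dynamic group exists.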