How to prevent users from signing in to iOS devices to which they have not been assigned or enrolled
Hello Experts.
We want to block users from signing in to iOS mobile devices to which they have not been assigned.
I mean, users should only be able to log in with their work/school account on their assigned iOS mobile device and not on another user's phone.
Is this possible using Intune or any other policy?
Thank you.
prakashx86: Hi, one solution might be this:

1 - Create a Compliance Policy in Intune
This policy will ensure that only devices that meet specific criteria (such as being correctly enrolled with the assigned user) are considered compliant and allowed access to company resources.
Steps:
Go to the Intune portal.
Create a new Device Compliance Policy:
Ensure that the device is required to be enrolled in Intune.
Set minimum security requirements, such as PIN lock, encryption, and OS version requirements.
Associate the policy with iOS devices.
Configure the policy to ensure only devices assigned to specific users are considered compliant.

2 - Set Device Enrollment Limits in Intune
You can limit the number of devices each user can enroll in your environment. This ensures that a user can only enroll a specific number of devices assigned to them.
Steps:
Go to Intune > Device Enrollment > Enrollment Restrictions.
Create or modify an existing enrollment restriction.
Set a device enrollment limit (e.g., 1 or 2 devices per user).
Assign this restriction to the relevant users or groups.
This will prevent users from enrolling additional devices beyond the ones assigned to them.

3 - Use User Affinity During Manual Enrollment
When users manually enroll devices (without using ADE), Intune allows you to enable User Affinity, ensuring that the device is tied to a specific work or school account.
Steps:
Go to Intune > Device Enrollment > Apple Enrollment > Enrollment Profiles.
Create a new iOS enrollment profile with User Affinity enabled.
Ensure that the device is associated with the correct user account during manual enrollment.
This will ensure that devices are linked to the assigned user, and unauthorized users cannot enroll on the device.

4 - Set Up Conditional Access Policies in Azure AD
Conditional Access in Azure AD will ensure that only compliant devices can access company resources (such as Office 365 apps).
Steps:
Go to Azure Active Directory > Security > Conditional Access.
Create a new conditional access policy targeting all users or a specific group.
Set the condition that only compliant and enrolled devices can access company resources.
Apply this policy to company resources like Exchange Online, SharePoint, Teams, etc.
In the "Grant" section, require the device to be compliant.
This will ensure that only properly enrolled and compliant devices (those assigned and configured) can access company resources.

5 - Block Access for Non-Compliant Devices
You can configure Intune to block non-compliant devices from accessing any resources.
Steps:
Go to Microsoft Intune > Compliance policies.
Create a new compliance policy to block non-compliant devices.
Define the compliance requirements (such as OS updates, encryption, etc.) and ensure that only devices enrolled by authorized users are considered compliant.
This ensures that only compliant devices (assigned and registered) can access corporate data and apps, preventing unauthorized users from signing in to unassigned devices.

Sarath_kumarr (Copper Contributor):
You can create a Conditional Access policy with the following settings:
Target source: Office 365 Apps
User: Select the user or security group you want to apply this policy to
Condition: In Device Platforms, configure 'Yes' and select iOS. In Client Apps, configure 'Yes' and check both Browser and Mobile Apps
Grant access control: Select 'Grant control' and require the device to be marked as compliant
Select Enable this policy
Please test it with a test user account or group before applying it to everyone. Users must enroll their device in Intune before accessing the work or school account.

prakashx86 (Copper Contributor):
Hello Sarath_kumarr,
Thank you for your reply.
Do you think that, using these steps, users will only be able to log in with their work/school account on their assigned iOS mobile device and not on other users' company iPhone iOS devices?
For example, what will happen if the device is compliant and assigned to UserA, but UserB, who is in the same company, tries to log in to UserA's device?
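As an added example (not code from either reply, and not Microsoft's own sample), here is the Conditional Access policy Sarath_kumarr describes expressed as a Microsoft Graph PowerShell SDK call. The policy targets the Office 365 cloud app group, the iOS platform, browser and mobile-app client types, and requires a compliant device for access. It is created in report-only state first so that sign-ins are evaluated and logged without being blocked, which matches the advice to test with a pilot group before applying it to everyone. The group object ID is a placeholder, and the policy name is an assumption.

```powershell
# Added example: creates the Conditional Access policy described in the thread
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# <pilot-group-object-id> is a placeholder; replace it with the object ID of
# the test user group you want to scope the policy to.

$pilotGroupId = "<pilot-group-object-id>"   # placeholder, not from the thread

$policy = @{
    displayName = "iOS - require compliant device for Office 365"   # assumed name
    # Report-only first: the policy is evaluated and recorded in the sign-in logs
    # but does not block anyone, so its effect can be reviewed before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }        # User: pilot group
        applications   = @{ includeApplications = @("Office365") }    # Target: Office 365 apps
        platforms      = @{ includePlatforms = @("iOS") }             # Device platforms: iOS
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")  # Client apps: browser + mobile apps
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # Grant: require device to be marked compliant
    }
}

# Sign in with an account that can manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs look right for the pilot group,
# switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

The Graph value `mobileAppsAndDesktopClients` corresponds to the "Mobile apps and desktop clients" checkbox in the portal, and `Office365` is the Graph identifier for the "Office 365" cloud app group. As in the portal, this policy decides on the device's compliance state; it encodes exactly the settings listed in the reply and nothing about which user a device was enrolled for, which is the point the follow-up question raises.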