Forum Discussion

Callum_W
Copper Contributor
May 05, 2023

Only allow certain groups to log into machines - Intune

Hello, first-time poster here.

I was looking to see how (using Intune) we could restrict interactive login on certain devices to members of groups in Azure AD.

The requirement is because we keep getting staff in schools logging into student laptops/devices in an attempt to work, which breaks a whole host of different lockdown settings. In a perfect world staff would just use their staff devices and not log into student devices!

I know it is possible through Intune to restrict it at a user level (Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In The Cloud 24-7 (inthecloud247.com)).

But has anyone had any experience or success with Azure AD groups? If so, how? Maybe I'm looking in the wrong place and instead need to set a Conditional Access policy? Any guidance is appreciated!


Thanks,
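As an added example (not code from the original post or from the linked article): the Intune Settings Catalog exposes the Windows User Rights policies ("Allow Local Log On" / "Deny Local Log On"), and those take a list of SIDs rather than group names. An Azure AD group has no SID in the portal, but one can be derived from its object ID: the S-1-12-1 authority followed by the 16 GUID bytes packed as four little-endian 32-bit numbers. The object ID used below is a constructed sample, and the leading `*` on each entry is the SID-prefix convention of the UserRights CSP.

```powershell
# Added example; not code from the original post or from the linked article.
# Converts an Azure AD (Entra ID) group object ID into the SID form that the
# Windows UserRights policies (Intune Settings Catalog > User Rights >
# "Allow Local Log On" / "Deny Local Log On") accept for cloud groups.
function Convert-AzureAdObjectIdToSid {
    param(
        [Parameter(Mandatory)]
        [string]$ObjectId
    )

    # Cloud identities use the S-1-12-1 authority; the 16 GUID bytes are
    # packed as four little-endian unsigned 32-bit sub-authorities.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $subAuthorities = foreach ($offset in 0, 4, 8, 12) {
        [BitConverter]::ToUInt32($bytes, $offset)
    }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

# Builds the entry list for an "Allow Local Log On" policy. The UserRights
# CSP takes one principal per entry, SIDs prefixed with '*'. The local
# Administrators group (S-1-5-32-544) is kept in the list so that device
# admins are not locked out when the default "Users" entry disappears.
function New-AllowLocalLogOnValue {
    param(
        [Parameter(Mandatory)]
        [string[]]$GroupObjectId
    )

    $entries = @('*S-1-5-32-544')
    $entries += $GroupObjectId | ForEach-Object {
        '*' + (Convert-AzureAdObjectIdToSid -ObjectId $_)
    }
    return $entries
}

# Constructed sample object ID; replace it with the student group's real
# object ID copied from the Azure AD / Entra portal.
$studentGroupId = '73d664e4-0886-4a73-b745-c694da45ddb4'
New-AllowLocalLogOnValue -GroupObjectId $studentGroupId
```

The output is the list you paste into the "Allow Local Log On" setting of a Settings Catalog profile assigned to the student device group; because the policy replaces the default list, anyone not in it (including staff) is refused at the sign-in screen. Pilot on a single device first: a typo in the SID list leaves only local administrators, or nobody, able to sign in.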

  • rubelr
    Copper Contributor
    Hello, found any solution or workaround?
    I am in exact same situation as you now.
    • Callum_W
      Copper Contributor

      rubelr, sadly not. In my case, where the client was a school that worked with vulnerable YPs, we ended up going down the route of labelling it as a safeguarding risk if teachers were to log into the devices that were assigned for student use.

      Obviously that might not be helpful if you're trying to restrict it for different reasons or settings! Maybe Microsoft will dish out the capability some day.

      • SebCerazy
        Iron Contributor
        Surely that is not too much to ask? The authentication happens in AAD, and if the user is a member of a forbidden group it should give an error message and deny login!
