Forum Discussion
Can we restrict AAD user logins to be from specific devices for better privileged account security?
PhilRiceUoS You're quite on track! Take a look at this article. This will get you started with your PAW adventure.
This article aims at a hybrid setup, but if you have AAD joined PAWs only, PKlapwijk has the answer for you: Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In The cloud 24-7 (inthecloud247.com)
JanBakker Orphaned useful links, thanks - I've actually looked at PAWs before, although I haven't read through that documentation page fully (will try to go through it in detail later).
It doesn't quite seem, unless I've missed it so far, to achieve what I'm aiming for, and that is to control on an actual device basis. So for example a policy that says if 'hardware ID -eq <id here>' allow log on, to literally restrict which actual devices can authenticate, thereby if an account is compromised in any way it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.
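The per-device allow-list described in the post above can be expressed as an Azure AD (Entra ID) Conditional Access policy that blocks the privileged group everywhere except on an approved set of devices, using the "filter for devices" condition in exclude mode. The script below is an added example, not code from the thread or from the linked articles. It assumes the Microsoft Graph PowerShell SDK (New-MgIdentityConditionalAccessPolicy from Microsoft.Graph.Identity.SignIns) and an administrator holding the Policy.ReadWrite.ConditionalAccess scope; the group ID, device IDs and break-glass account ID are placeholders. It matches on the Entra ID deviceId of each registered PAW rather than a hardware hash, since that is the attribute the device filter exposes.

```powershell
# Added example (not from the thread). Assumes the Microsoft Graph PowerShell SDK
# and an admin account that can write Conditional Access policies.
# Approach: block the privileged group from all apps unless the sign-in comes from
# a device whose Entra ID deviceId is on the allow-list (device filter, exclude mode).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholders: replace with the object ID of the privileged-users group, the
# deviceId values of the approved PAWs (visible via Get-MgDevice), and the
# object ID of an emergency-access account that must stay outside the policy.
$privilegedGroupId = "<privileged-group-object-id>"
$allowedDeviceIds  = @("<paw-device-id-1>", "<paw-device-id-2>")
$breakGlassUserId  = "<break-glass-account-object-id>"

# Build the rule in the device-filter rule language: device.deviceId -in ["id1","id2"]
$quoted = $allowedDeviceIds | ForEach-Object { '"' + $_ + '"' }
$rule   = 'device.deviceId -in [' + ($quoted -join ',') + ']'

$params = @{
    displayName = "Privileged users: block unless signing in from an approved PAW"
    # Start in report-only mode and review the sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($privilegedGroupId)
            excludeUsers  = @($breakGlassUserId)   # keep an emergency-access path out of scope
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                # "exclude": the policy applies to every device EXCEPT those matching the rule,
                # which includes devices that are not registered in the tenant at all.
                mode = "exclude"
                rule = $rule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Two points worth checking before enforcing: unregistered devices do not match the filter, so in exclude mode they are blocked along with any registered device that is not on the list, which is the intended outcome; and this policy only restricts where the account can sign in, so MFA for the same group should remain a separate Conditional Access policy rather than being folded into this block rule.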