Forum Discussion
PhilRiceUoS
Sep 21, 2020 · Brass Contributor
Can we restrict AAD user logins to be from specific devices for better privileged account security?
Hi, I am researching the idea of only allowing admin accounts to log in from specifically allowed machines - so that is the actual devices I want to specify and not named Locations / IPs using condit...
PhilRiceUoS
Sep 23, 2020 · Brass Contributor
JanBakkerOrphaned useful links, thanks - I've actually looked at PAWs before, although I haven't read through that documentation page fully (will try to go through it in detail later).
It doesn't quite seem, unless I've missed it so far, to achieve what I'm aiming for, and that is to control on an actual device basis. So for example a policy that says if 'hardware ID -eq <id here> allow log on' to literally restrict which actual devices can authenticate, thereby if an account is compromised in any way it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.