AtomizerZero (Copper Contributor), Mar 11, 2024
We have just started moving away from an on-prem server to an AAD-joined setup (not using Hybrid). One of the features I miss already is the ability to lock an account out from signing in to their laptop. Blocking sign-in to their AAD/email account and revoking access to their signed-in sessions doesn't prevent the user from signing in to Windows. On top of that, changing the user's password for their AAD/email account doesn't stop them using their old password to sign in UNTIL the new password is used. It also doesn't prompt for a password change on signing in to Windows after setting their account to "change on next sign in". Am I missing something? Can we disable the caching of credentials? Thank you!
- OGTekie (Occasional Reader), Mar 20, 2024
You may be able to use the web sign-in credential provider. This will block users from using their password to log in to Windows and will allow MFA using either WHfB, FIDO2, or the MS MFA app to log in using the new passwordless experience. https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-experience/ Otherwise, if they're Autopiloted you can block access and that will prevent them from logging in. Hope that helps! ☺️
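One way to confirm, on a test laptop, that the Web Sign-in policy from the reply above has actually been applied and that the device is cloud-only rather than hybrid, as an added PowerShell example that is not from the thread or from Microsoft. It assumes that Intune-delivered Policy CSP settings land under the PolicyManager registry hive and that the setting is Authentication/EnableWebSignIn (OMA-URI ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn); both are assumptions to verify against the linked docs.

```powershell
# Added example (not from the thread): audit a test device for the
# Web Sign-in credential provider policy before relying on it to stop
# password sign-in. Run in an elevated PowerShell session on the device.
#
# Assumptions (not confirmed by the thread):
#  - MDM policy values are mirrored under
#    HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>
#  - the Web Sign-in setting is the Policy CSP Authentication/EnableWebSignIn
#    value (1 = enabled), delivered from Intune via the OMA-URI
#    ./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn

function Test-WebSignInReady {
    [CmdletBinding()]
    param()

    # 1. Join state: dsregcmd prints "AzureAdJoined : YES" and "DomainJoined : YES".
    #    Both YES would mean hybrid join, which is not the scenario in the thread.
    $dsreg        = dsregcmd /status
    $aadJoined    = [bool]($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String '^\s*DomainJoined\s*:\s*YES')

    # 2. Policy state: read the value the Intune profile should have written.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication'
    $webSignIn = $null
    if (Test-Path $policyKey) {
        $webSignIn = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).EnableWebSignIn
    }

    # 3. Report. Ready = cloud-only join AND policy present with value 1.
    [pscustomobject]@{
        AzureAdJoined   = $aadJoined
        HybridJoined    = ($aadJoined -and $domainJoined)
        EnableWebSignIn = $webSignIn
        Ready           = ($aadJoined -and -not $domainJoined -and ($webSignIn -eq 1))
    }
}

Test-WebSignInReady | Format-List
```

If Ready is false because EnableWebSignIn is empty, the profile has not reached the device yet; sync it from Settings > Accounts > Access work or school and re-run before testing the sign-in screen.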
- AtomizerZero (Copper Contributor), Mar 20, 2024
Thanks. I will have a play around with web sign-in on a test laptop. Might be what I need.