I have joined a few machines to Azure AD. I would like to be able to prevent some users from accessing an AAD-joined device, but it seems that once a device is joined, every user in the organization is capable of logging in, though they at least are limited to user privileges. Is it possible to prevent this behavior? It would be preferable to be able to allow only users in specific groups to log into specific devices.
Enterprise State Roaming is enabled, if it makes a difference.