Mar 28 2024 01:00 AM
Most of our clients are on M365 these days, and they consist of the following variations in how they integrate:
For clients using integration methods 1 and 2, we always see multiple device registrations in Entra ID, and for clients using integration method 3, we see a primary user that was used to hybrid join the device, along with additional users showing up as registered in Entra ID.
However, we have just recently discovered that clients that use method 4, i.e. they are 100% Entra ID with no on-prem AD, the only user that shows in Entra ID is the user that joined the device. Any other use that logs in and creates a profile on one of these machines is not recorded as a registered user in Entra ID for that device.
So, for clients that use integration methods 1-3, if we want to remotely block access on a particular device for a specific user, we just need to delete their Entra ID registration for that device. However, for clients using method 4, we have no visibility for the additional user, nor can we remotely block a user in this scenario.
Is this behaviour a current bug in the Entra ID join/register process? Or is this the expected behaviour? If the latter, then this seems to be a flaw in the join/register process.
Mar 28 2024 01:30 AM