How to control who can Workplace Join Windows 10 devices

Hello to all members of this great community.

We are co-managing with SCCM and Intune with primary auth being AD/SCCM. Hybrid Azure AD Join works fine.

Recently we had to enable MAM enrollment in Intune so to provide iOS and Android device management. This also works fine and the devices properly register to Azure AD.

At that point, I realized that even after using Enrollment Restrictions, the end result is that this only controls Intune Enrollment for Windows 10 devices and not Azure AD Registration, which happens either way.

I tried to check if Intune provides a way to control this behavior and only allow users in a specific group to Azure AD Register (Workplace Join) their Windows 10 devices. I haven't found such a setting or policy.

Can anyone point me to a proper direction for this?

1 Reply

Just getting an answer up so it's useful to others. This is done under Intune -> Device Enrollment -> Enrollment Restrictions. There you can create restriction profiles with different restrictions and assign users to those restriction profiles.
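Since the question notes that Azure AD Registration (Workplace Join) can happen regardless of Intune enrollment restrictions, an admin will usually want to see which Windows devices are registered that way and by whom. The script below is an added example written for this thread, not code from either poster; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds the Device.Read.All and Directory.Read.All permissions.

```powershell
# Added example (not from the thread): list Azure AD registered ("Workplace") Windows devices and their owners.
# Assumes the Microsoft.Graph SDK is installed and the account can consent to Device.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes 'Device.Read.All', 'Directory.Read.All'

# trustType values in Azure AD: 'Workplace' = Azure AD registered (Workplace Join),
# 'AzureAd' = Azure AD joined, 'ServerAd' = hybrid Azure AD joined.
$registered = Get-MgDevice -Filter "trustType eq 'Workplace'" -All |
    Where-Object { $_.OperatingSystem -like 'Windows*' }

$report = foreach ($device in $registered) {
    # Registered owners are returned as directory objects; the UPN sits in AdditionalProperties.
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $device.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

    [pscustomobject]@{
        DeviceName = $device.DisplayName
        OS         = "$($device.OperatingSystem) $($device.OperatingSystemVersion)"
        Owner      = ($owners -join ';')
        LastSignIn = $device.ApproximateLastSignInDateTime
        Compliant  = $device.IsCompliant
        Managed    = $device.IsManaged    # $false = registered to Azure AD but not Intune-enrolled
    }
}

# Devices that are registered but unmanaged are the ones enrollment restrictions did not stop.
$report | Sort-Object LastSignIn -Descending | Format-Table -AutoSize

# Optional: keep a copy for review.
$report | Export-Csv -Path .\WorkplaceJoinedWindows.csv -NoTypeInformation
```

Filtering the report on `Managed -eq $false` gives the set of Windows devices that registered with Azure AD without ever enrolling in Intune, which is exactly the population the original question is about.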