Restrict Certain Group Sign-Ins to AAD-Joined Device

I have joined a few machines to Azure AD. I would like to be able to prevent some users from accessing an AAD-joined device, but it seems that once a device is joined, every user in the organization is capable of logging in, though they at least are limited to user privileges. Is it possible to prevent this behavior? It would be preferable to be able to allow only users in specific groups to log into specific devices.


Enterprise State Roaming is enabled, if it makes a difference.

2 Replies

I'm not aware of any method, but interested to see if I might have missed something.

I’m looking to do this in our school environment too... students being able to switch and swap through different student machines is awesome, but having access to staff/admin devices is NOT! Especially as several staff members have kids in the school too... my kids being able to sign into my school laptop with their own user is a real pain for data security and limiting their internet access!