Hello, first-time poster here.

I was looking to see how (using Intune) we could restrict interactive login on certain devices to members of groups in Azure AD.

The requirement is because we keep getting Staff in schools logging into Student laptops/devices in an attempt to work, which breaks a whole host of different lockdown settings. In a perfect world Staff would just use their Staff devices & not log into students!

I know it is possible through Intune to restrict it at a user level (Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In ... ) 

But has anyone had any experience or success with Azure AD groups? If so, how? Maybe I'm looking in the wrong place and instead need to set a Conditional Access policy? Any guidance is appreciated!
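The user-level restriction mentioned above ends up as the "Allow log on locally" user right (SeInteractiveLogonRight) on the device. As an added example, not part of this thread or of the linked article, here is a PowerShell check an admin can run on a managed Windows device to see which principals currently hold that right, so you can confirm whether a restriction actually applied. It assumes you run it elevated on Windows 10/11; secedit.exe is built in, and the temp file path is an arbitrary choice.

```powershell
# Added example (not from the thread): audit which principals hold the
# "Allow log on locally" right (SeInteractiveLogonRight) on this device.
# Assumptions: run in an elevated session on Windows 10/11; secedit.exe is built in.

$exportPath = Join-Path $env:TEMP 'secpol-user-rights.inf'   # arbitrary temp file

# Export only the user-rights area of the effective local security policy.
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# The export is an INI-style file; the line we want lives under [Privilege Rights].
$line = Get-Content -Path $exportPath | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight is not set explicitly; built-in defaults apply.'
    return
}

# Value looks like: *S-1-5-32-544,*S-1-5-32-545,...  (a leading * marks a SID)
$entries = (($line -split '=', 2)[1]).Trim() -split ','

foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sidString = $entry.Substring(1)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
        try {
            # Resolve to a friendly name where the device can (local/cached accounts).
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID - e.g. cloud identity not cached locally)'
        }
        [pscustomobject]@{ Sid = $sidString; Name = $name }
    } else {
        [pscustomobject]@{ Sid = ''; Name = $entry }
    }
}
```

If the output still lists broad built-in groups such as Users (S-1-5-32-545) on a device that is supposed to be restricted, the policy has not taken effect; Azure AD accounts that have never signed in on the device will show as unresolved SIDs, which is expected.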



Hello, found any solution or workaround?
I am in the exact same situation as you now.

@rubelr Sadly not. In my case, where the client was a school that worked with vulnerable YPs, we ended up going down the route of labelling it as a safeguarding risk if teachers were to log into the devices that were assigned for student use.

Obviously that might not be helpful if you're trying to restrict it for different reasons or settings! Maybe Microsoft will dish out the capability some day.

Surely that is not too much to ask? The authentication happens in AAD, and if the user is a member of a forbidden group it should give an error message and deny login!