Hello, First time poster here.

I was looking to see how (Using Intune) we could restrict interactive login of certain devices to members of groups in Azure AD. 

The requirement is because we keep getting Staff in schools logging into Student laptops/devices in an attempt to work, which breaks a whole host of different lockdown settings. In a perfect world Staff would just use their Staff devices & not log into students!

I know it is possible through Intune to restrict it at a user level (Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In ... ) 

But has anyone had any experience or success with Azure AD groups? if so, how? Maybe I'm looking in the wrong place and instead need to set a Conditional Access policy? any guidance is appreciated!

Thanks,