SOLVED

Prevent Azure AD & Intune Enrollment

Iron Contributor

Is there a way to prevent a user from connecting a personal/home PC to Azure AD and, more importantly, to prevent them from enrolling in Intune? We have a growing number of personal systems that show as Azure AD devices and a significant number of those are Intune enrolled.

TIA

~DGM~

3 Replies
best response confirmed by DGMalcolm (Iron Contributor)
Solution

Hi @DGMalcolm,

Yes, it is possible.

To block Intune enrollment you have the option to set enrollment restrictions:

https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

For Azure AD you have the option "users may join Azure AD". And you can allow Azure AD join for some users, all users or block (none).

https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#confi...

Kind regards,

rene 
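
To measure the problem described in the question before and after applying these settings, the following added example (not part of the original posts) joins an Azure AD device export with an Intune export and lists the personal devices. The sample records are constructed, and the field names (`deviceId`, `trustType`, `azureADDeviceId`, `managedDeviceOwnerType`) assume exports shaped like the Microsoft Graph `device` and `managedDevice` resources.

```python
import json

# Constructed sample exports (not real tenant data). Only the fields used
# below are included; names are assumed to follow Microsoft Graph exports.
AAD_DEVICES = json.loads("""[
 {"deviceId": "d-001", "displayName": "CORP-LT-01", "trustType": "AzureAd"},
 {"deviceId": "d-002", "displayName": "HOME-PC", "trustType": "AzureAd"},
 {"deviceId": "d-003", "displayName": "DESKTOP-FAMILY", "trustType": "Workplace"},
 {"deviceId": "d-004", "displayName": "CORP-HYB-07", "trustType": "ServerAd"},
 {"deviceId": "d-005", "displayName": "LAPTOP-KIDS", "trustType": "Workplace"}
]""")
INTUNE_DEVICES = json.loads("""[
 {"azureADDeviceId": "d-001", "managedDeviceOwnerType": "company"},
 {"azureADDeviceId": "d-002", "managedDeviceOwnerType": "personal"},
 {"azureADDeviceId": "d-003", "managedDeviceOwnerType": "personal"}
]""")

TRUST_LABELS = {"AzureAd": "Azure AD joined",
                "Workplace": "Azure AD registered",
                "ServerAd": "Hybrid Azure AD joined"}

def audit_personal_devices(aad_devices, intune_devices):
    """Join both exports on device ID and list personal devices.

    A device is reported when Intune marks it personally owned, or when it
    is only Azure AD registered and Intune does not mark it company owned.
    """
    owner_by_id = {m["azureADDeviceId"]: m.get("managedDeviceOwnerType", "unknown")
                   for m in intune_devices}
    findings = []
    for dev in aad_devices:
        owner = owner_by_id.get(dev["deviceId"])  # None = not enrolled in Intune
        trust = dev.get("trustType")
        if owner == "personal" or (trust == "Workplace" and owner != "company"):
            findings.append({
                "device": dev["displayName"],
                "state": TRUST_LABELS.get(trust, "unknown"),
                "intune_enrolled": owner is not None,
                "owner": owner or "n/a",
            })
    return findings

if __name__ == "__main__":
    for finding in audit_personal_devices(AAD_DEVICES, INTUNE_DEVICES):
        print(finding)
```

Running the same audit on fresh exports after the restrictions are in place shows whether new personal devices are still appearing.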

Setting up server-side prevention by configuring the enrollment restrictions is indeed the way to go, as configuring a registry key for each device (or using a GPO) client-side isn't the best method.
https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/#part1

Thank you for this, it's given me a good start.