Prevent registering personal devices into Azure


I have spent some time with device policies and conditional access requirements, but am yet unable to prevent a user from registering a non-company owned device into Azure.   

 

Since moving to Intune, the ability to stop users from registering devices is no longer available as per screenshot.  Our organization is a hybrid Azure/AD environment.  

 

Would greatly appreciate any feedback from someone who has been able to achieve this.

5 Replies

@marcus2704 

 

Hi, how are the MDM/user Intune scopes defined?

 

[Screenshot: Rudy_Ooms_1-1621518272666.png]

If a user is in both the MAM user scope and MDM user scope and the user adds a work or school account, the device will be Azure AD registered and not automatically enrolled in Intune

Both the MAM and MDM scopes are set to None.

What we are trying to achieve, is that a user is prevented from registering their personal device into Azure AD, but we are happy for them to use web applications such as Outlook/Teams via office.com on any device.

Hi

Ahh okay, I misunderstood the question, I guess...


The restriction only can be managed in Azure AD. You can't restrict Azure AD join or registration when Intune MDM is configured.

 

[Screenshot: Rudy_Ooms_0-1621520878328.png]

How to manage devices using the Azure portal | Microsoft Docs

 

You need to make sure, when using Intune, that all the devices are managed and you block personal devices from enrollment. And of course conditional access to require compliant devices to access your data. But preventing the possibility to register devices is still not possible, as far as I know.

 

I hope there will be some additional CA policies to block this.

 

Thank you, that's very helpful.

Personal devices are set to blocked, which does stop them enrolling but not registering, which, as I have just learned, doesn't seem possible.

I will therefore look into building a policy that will allow for web access from any device, but prevent the usage of 'full clients' on non-hybrid-joined devices which we do not manage.

Yeah, it's a bit annoying when you open up AAD devices (without the filter) and you see so many random device names. The good thing is they do not show up in Intune.

Surely conditional access will manage the app restriction for you.
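The policy sketched in the two replies above (browser access from any device, "full clients" only from compliant or hybrid-joined devices) can be expressed as a single conditional access policy. The following is an added example written for this thread, not code from any of the participants or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`) is installed, that the signed-in admin has `Policy.ReadWrite.ConditionalAccess`, and that the group object IDs are placeholders you replace with your own. The policy is created in report-only mode so its effect can be checked in sign-in logs before enforcement.

```powershell
# Added example: conditional access policy that allows browser sign-ins from any
# device but requires a compliant or hybrid Azure AD joined device for
# mobile/desktop ("full client") apps. Not part of the original thread.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Placeholder object IDs: replace with your pilot group and break-glass group.
$targetGroupId     = "00000000-0000-0000-0000-000000000001"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"

$policy = @{
    displayName = "Require managed device for desktop and mobile clients"
    # Report-only first: sign-in logs show "Report-only: Failure" for sessions
    # that would have been blocked, without affecting users.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            # Always exclude emergency-access accounts from device-based policies.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Only rich clients are in scope; "browser" is deliberately omitted, so
        # office.com / Outlook on the web / Teams web keep working from any device.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "OR"
        # compliantDevice  = Intune-managed and compliant
        # domainJoinedDevice = Hybrid Azure AD joined
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."

# Review what is in place: list policies that require a device-based control so
# you can see which ones gate rich clients vs. browser sessions.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -match "compliantDevice|domainJoinedDevice" } |
    Select-Object DisplayName, State,
        @{ n = "ClientApps"; e = { $_.Conditions.ClientAppTypes -join "," } },
        @{ n = "Controls";   e = { $_.GrantControls.BuiltInControls -join "," } }
```

This does not stop a personal device from being Azure AD registered (as the thread concludes, that switch is unavailable once Intune MDM is configured); it removes the payoff of doing so, because a registered-but-unmanaged device still cannot satisfy the grant control for desktop or mobile apps. Keep the policy in report-only mode until the sign-in log "Report-only" results match what you expect, then switch `state` to `enabled`.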