Sep 21 2020
10:15 AM
- last edited on
Feb 19 2021
05:09 AM
by
TechCommunityAP
Sep 21 2020
10:15 AM
- last edited on
Feb 19 2021
05:09 AM
by
TechCommunityAP
Hi
I am researching the idea of only allowing admin accounts to log in from specifically allowed machines - so that is the actual devices I want to specify and not named Locations / IPs using conditional access policies , but havent seen a way to do this within Conditional Access policies.
Does anyone know a way this can be achieved?
To expand on my thinking a bit , I have a general idea of having all admin access to be only possible from windows builds that have been secured, removing things office apps / email, appcode & secure boot enabled and probably using a VM image or even Windows Virtual Machines (which might be the way forward if what im asking is not possible as they could be created in a single Virtual network and use the IPs from that for conditional access but Id like something faster that can be implemented) . All admins have separate daily user and admin accounts (with MFA etc) already but my thinking is if we can separate it out further so the admin accounts can only be used from highly secure devices it will reduce the risk further. The above question is part of that thinking and maybe a first step along this path.
Thanks
Sep 22 2020 12:33 AM
@PhilRiceUoS You're quite on track! Take a look at this article. This will get you started with your PAW adventure
This article aims at a hybrid seyup, but if you have AAD joined PAW's only, @Peter Klapwijk has the answer for you : Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In ...
Sep 23 2020 09:57 AM
@JanBakkerOrphaned useful links thanks - Ive actually looked at PAWs before although havent read through that documentation page fully (will try go through it in detail later).
It doesnt quite seem, unless ive missed it so far, to achieve what Im aiming for and that is to control on a actual device basis . So for example a policy that says if 'hardware ID -eq <id here> allow log on' to literally restrict which actual devices can authenticate thereby if an account is compromised in anyway it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.
Oct 16 2021 02:18 AM
May 30 2023 05:41 AM