cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can we restrict AAD user logins to be from specific devices for better privileged account security?

PhilRiceUoS
Brass Contributor

‎Sep 21 2020 10:15 AM - last edited on ‎Feb 19 2021 05:09 AM by

‎Sep 21 2020 10:15 AM - last edited on ‎Feb 19 2021 05:09 AM by

Can we restrict AAD user logins to be from specific devices for better privileged account security?

Hi

I am researching the idea of only allowing admin accounts to log in from specifically allowed machines - so that is the actual devices I want to specify and not named Locations / IPs using conditional access policies , but havent seen a way to do this within Conditional Access policies.

 

Does anyone know a way this can be achieved?

 

To expand on my thinking a bit , I have a general idea of having all admin access to be only possible from  windows builds that have been secured, removing things office apps / email, appcode & secure boot enabled and probably using a VM image or even Windows Virtual Machines (which might be the way forward  if what im asking is not possible as they could be created in a single Virtual network and use the IPs from that for conditional access but Id like something faster that can be implemented) . All admins have separate daily user and admin accounts (with MFA etc) already but my thinking is if we can separate it out further so the admin accounts can only be used from highly secure devices it will reduce the risk further. The above question is part of that thinking and maybe a first step along this path.

 

Thanks

Labels:
21K Views
0 Likes
4 Replies
Reply
4 Replies
JanBakkerOrphaned

‎Sep 22 2020 12:33 AM

‎Sep 22 2020 12:33 AM

Re: Can we restrict AAD user logins to be from specific devices for better privileged account securi

@PhilRiceUoS You're quite on track! Take a look at this article. This will get you started with your PAW adventure :smile: 

 

This article aims at a hybrid seyup, but if you have AAD joined PAW's only, @Peter Klapwijk has the answer for you : Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In ...

 

 

1 Like
Reply
PhilRiceUoS

‎Sep 23 2020 09:57 AM

‎Sep 23 2020 09:57 AM

Re: Can we restrict AAD user logins to be from specific devices for better privileged account securi

@JanBakkerOrphaned  useful links thanks - Ive actually looked at PAWs before although havent read through that documentation page fully (will try go through it in detail later).

It doesnt quite seem, unless ive missed it so far, to achieve what Im aiming for and that is to control on a actual device basis . So for example a policy that says if 'hardware ID -eq <id here> allow log on'  to literally restrict which actual devices can authenticate thereby if an account is compromised in anyway it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.

 

0 Likes
Reply
Pottma01

‎Oct 16 2021 02:18 AM

‎Oct 16 2021 02:18 AM

Re: Can we restrict AAD user logins to be from specific devices for better privileged account securi

@PhilRiceUoS, im looking for exactly the same as you. You ever managed to get it working?
0 Likes
Reply