Can we restrict AAD user logins to be from specific devices for better privileged account security?


Hi

I am researching the idea of only allowing admin accounts to log in from specifically allowed machines - so it is the actual devices I want to specify, and not named Locations / IPs using conditional access policies, but I haven't seen a way to do this within Conditional Access policies.


Does anyone know a way this can be achieved?


To expand on my thinking a bit, I have a general idea of having all admin access be possible only from Windows builds that have been secured, removing things like office apps / email, appcode & secure boot enabled, and probably using a VM image or even Windows Virtual Machines (which might be the way forward if what I'm asking is not possible, as they could be created in a single Virtual network and use the IPs from that for conditional access, but I'd like something faster that can be implemented). All admins have separate daily user and admin accounts (with MFA etc) already, but my thinking is that if we can separate it out further so the admin accounts can only be used from highly secure devices, it will reduce the risk further. The above question is part of that thinking and maybe a first step along this path.


Thanks

2 Replies

@PhilRiceUoS You're quite on track! Take a look at this article: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations. This will get you started with your PAW adventure :smile:


This article aims at a hybrid setup, but if you have AAD joined PAWs only, @Peter Klapwijk has the answer for you: Restrict which users can logon into a Windows 10 device with Microsoft Intune | Peter Klapwijk - In The cloud 24-7 (https://www.inthecloud247.com/restrict-which-users-can-logon-into-a-windows-10-device-with-microsoft-intune/)


@JanBakkerOrphaned useful links, thanks - I've actually looked at PAWs before, although I haven't read through that documentation page fully (will try to go through it in detail later).

It doesn't quite seem, unless I've missed it so far, to achieve what I'm aiming for, and that is to control on an actual device basis. So for example a policy that says if 'hardware ID -eq <id here> allow log on' to literally restrict which actual devices can authenticate, thereby if an account is compromised in any way it is useless unless they also have an allowed device. In combination with MFA this seems pretty secure to me.
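The rule sketched above ("if hardware ID -eq <id> then allow log on") is what a Conditional Access device filter expresses, something neither reply in this thread covers. The following is an added example written for this page, not code from the thread, from Microsoft, or from the linked articles. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess permission, and that the PAWs are Azure AD registered or joined so their sign-ins carry a device identity. The device IDs, role template ID, break-glass account ID and policy name are placeholders you must replace.

```powershell
# Added example (not from the thread): a Conditional Access policy that blocks
# privileged-role sign-ins from any device that is not on an explicit allow-list
# of Azure AD device IDs. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Azure AD device object IDs (the "Device ID" shown on the device blade) of the
# PAWs. Placeholder GUIDs: replace with your own allowed devices.
$allowedDeviceIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Build the filter rule:  device.deviceId -in ["guid1", "guid2"]
$quoted = $allowedDeviceIds | ForEach-Object { '"{0}"' -f $_ }
$rule   = 'device.deviceId -in [{0}]' -f ($quoted -join ', ')

$params = @{
    displayName = "Block admin roles from non-PAW devices (placeholder name)"
    # Start in report-only and review the sign-in log before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Directory role template IDs the policy applies to (placeholder).
            includeRoles = @("<ROLE-TEMPLATE-ID-PLACEHOLDER>")
            # Always exclude a break-glass account so a wrong filter cannot
            # lock every administrator out of the tenant (placeholder ID).
            excludeUsers = @("<BREAK-GLASS-USER-OBJECT-ID-PLACEHOLDER>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                # "exclude": the policy applies to every device EXCEPT those
                # matching the rule. A sign-in with no device identity at all
                # does not match, so it is blocked as well - which is the
                # behaviour wanted here (a stolen password alone is useless).
                mode = "exclude"
                rule = $rule
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Listing device IDs is the literal form of the rule from the post; for a fleet of PAWs it is more maintainable to tag the devices (for example with a device extension attribute) and filter on that attribute instead, so that the policy does not change when a PAW is rebuilt. In either form, leave the policy in report-only mode until the sign-in log shows only the expected admin sessions would be blocked, and keep the break-glass exclusion in place.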