Approval flow for Azure AD Registration


Hello - is there a way to have an approval flow for getting a device Azure AD registered?


We are an educational institution. Say we have a set of requirements for a registered device, in order for it to access our services, but we don't want just anybody to be able to register a device. MFA is not enough, as that doesn't require people to really consider whether or not to register a certain device, so we'd need an approval flow for employees to be able to AAD register a device.


At the same time, we want students to be able to keep working from their privately owned devices, without the same requirements, yet they should be able to AAD register a device too.


We'd use Conditional Access to distinguish between students and employees logging on from AAD registered devices.



4 Replies
Are you talking about AAD Join or AAD registration, as those are different, with the latter being a requirement for O365 MDM/Intune. If AAD Join, you can limit it to specific users via the Azure AD blade > Devices > Device settings > Users may join devices to Azure AD selection.
Hello Vasil, thank you for replying. I'm talking about registration, not join, as we know that we can limit that.

It could be BYOD devices that are owned by employees themselves, including their own PC's at home, but also devices they may not directly own themselves. We're concerned that if all it takes to AAD register a device, is MFA, then they could in theory go borrow someone else's computer or maybe go to a netcafé or something like that, where they would have local admin, and then Azure AD register the device, without understanding what happens and then start syncing files from OneDrive or whatever else they might want to do. But we also don't want to eliminate the BYOD scenario entirely, thus thinking that if we could have an approval flow for such devices, then maybe that could be a workable middle ground.

Hope that makes sense?
best response confirmed by Allan With Sørensen (Contributor)
I think Microsoft's reasoning here is that you should be using the controls available within M365 MDM/Intune to address this, thus no granular control on Azure AD side.
Thank for that response - I'll post here, if we figure something out.