How to restrict the login to dedicated users with intune – Part 1

In Active Directory it was possible to allow a user to log on only to certain computers. This is no longer so easy with Azure AD and Intune. In this blog post we look at how you can achieve this with the help of a custom profile.

Creating the Custom Profile for the login restriction

  • Open the MEM Portal
  • Navigate to Devices -> Configuration Profile
  • Click + Create profile
  • Select Windows 10 and later as Platform
  • Select Template -> Custom as Profile type
  • Click Create
  • Enter a Name and click Next
  • Click Add
  • Enter the following information:
  • Name: LocalLoginRestriction
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
  • Data Type: String
  • Value: (see below)

As the Value you have to specify the account you want to allow. It is also possible to specify multiple accounts, but they must be separated with the following tag:

& #xF000;    (without a space between & and #)

But you can't use the tag as-is. It must first be converted with an XML decoder into the character it stands for. There are tools for this on the internet, or you can copy the ASCII key from here:

Here are a few examples that you can specify as value:

Allow login only for local accounts:

<![CDATA[*S-1-5-113]]>

All users who have already logged on locally:

<![CDATA[*S-1-2-0]]>

Add the Administrators group and an Azure AD user:

AdministratorsAzureAD\user@tenant.com
  • Click Save
  • Click Next
  • Assign the Policy to a group
  • Click Next
  • Click Next
  • Click Create
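Added example, not code from the post: a small Python helper that assembles the AllowLocalLogOn value from the entry forms shown above (a `*SID`, a local group name, or `AzureAD\user@tenant.com`), joins them with the decoded U+F000 separator, renders it readably for review, and flags a value that drops every administrator. The entry regexes and the lockout guard are my own checks, not part of Intune.

```python
import re

# Intune separates the entries of a UserRights value with U+F000, the
# character that the &#xF000; reference decodes to (stored literally here).
SEP = "\uF000"

# Entry forms shown in the post: "*<SID>", a local group name such as
# "Administrators", or an Azure AD user written as "AzureAD\user@tenant.com".
_SID_RE = re.compile(r"^\*S-1-\d+(?:-\d+)+$")
_AAD_RE = re.compile(r"^AzureAD\\[^\\\s@]+@[^\\\s@]+$")
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 _.-]*$")

def validate_entry(entry: str) -> bool:
    """True if the entry is in one of the forms the post shows."""
    if entry.startswith("S-1-"):
        return False  # a SID must carry the leading '*', as in *S-1-5-113
    return bool(_SID_RE.match(entry) or _AAD_RE.match(entry) or _NAME_RE.match(entry))

def build_value(entries: list[str]) -> str:
    """Join principals with U+F000; reject empty or malformed lists."""
    if not entries:
        raise ValueError("an empty value would lock everyone out")
    bad = [e for e in entries if not validate_entry(e)]
    if bad:
        raise ValueError(f"entries in an unsupported form: {bad}")
    return SEP.join(entries)

def parse_value(value: str) -> list[str]:
    """Split a stored value back into its entries."""
    return value.split(SEP)

def as_cdata(value: str) -> str:
    """Wrap the value the way the post shows it, e.g. <![CDATA[*S-1-5-113]]>."""
    return f"<![CDATA[{value}]]>"

def readable(value: str) -> str:
    """Render the invisible separator as &#xF000; for documentation or review."""
    return value.replace(SEP, "&#xF000;")

def admins_kept(entries: list[str]) -> bool:
    """Lockout guard: accepts the 'Administrators' name from the post or the
    well-known BUILTIN\\Administrators SID *S-1-5-32-544 (not in the post)."""
    return any(e in ("Administrators", "*S-1-5-32-544") for e in entries)

if __name__ == "__main__":
    value = build_value(["Administrators", "AzureAD\\user@tenant.com"])
    print(readable(value), admins_kept(parse_value(value)))
```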

So now let's test this out. I am trying to log in with a user that is not allowed.

This is what the screen looks like when a user who is not in the list tries to log in.

Conclusion

Restricting the login may be required for special use cases. Unfortunately, this is currently only possible with local and Azure AD users or local groups. Central management via an Azure AD group is not possible as of today. A blog post with a possible workaround will follow soon.

Stay healthy, Cheers
Jannik

8 thoughts on “How to restrict the login to dedicated users with intune – Part 1”

  1. Hi.
    We tried this, using AdministratorsAzureAD\person@domain.com. This denied everyone from logging on, including any admins and the user listed. This persists even after deleting the configuration policy. Do you know a fix for this?
    Thanks