In Active Directory it was possible to allow a user to log on only to certain computers. This is no longer as easy with Azure AD and Intune. In this blog we would like to look at how you can achieve this with the help of a custom profile.
Creating the Custom Profile for the login restriction
- Open the MEM Portal
- Navigate to Devices -> Configuration Profile
- Click + Create profile
- Select Windows 10 and later as Platform
- Select Template -> Custom as Profile type
- Click Create

- Enter a Name and click Next

- Click Add
- Enter the following information:
- Name: LocalLoginRestriction
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
- Data Type: String
- Value:
As Value you have to specify the account you want to allow. It is also possible to specify multiple accounts, but you must use the following tag to separate them:
& #xF000; (without a space between & and #)
But you can’t use the tag just like that. It must be converted via an XML decoder into the actual character it stands for. There are tools for this on the internet, or you can copy the key from here:
Here are a few examples that you can specify as value:
Allow login only for local accounts:
*S-1-5-113
All users who have already logged on locally:
*S-1-2-0
Add the Administrators group and an Azure AD user (the two entries are separated by the decoded & #xF000; character, which is invisible when rendered):
Administrators& #xF000;AzureAD\user@tenant.com
- Click Save
- Click Next

- Assign the Policy to a group
- Click Next
- Click Next
- Click Create
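The Value field is the error-prone part of this procedure, so here is a small helper, added for this post and not part of the original, that builds the AllowLocalLogOn string with the decoded U+F000 separator and lints a value for the two mistakes that lock every user out: pasting the literal &#xF000; entity, and leaving out the separator so that "Administrators" and "AzureAD\user" fuse into one entry. The principal patterns and the local group names it checks against are assumptions for this example.

```python
import re

# U+F000 is the private-use character that the XML entity &#xF000; decodes to;
# Intune expects this character, not the entity text, between entries.
SEPARATOR = "\uf000"
ENTITY = "&#xF000;"

# Well-known SIDs used on this page (prefixed with * as user-rights policies require).
WELL_KNOWN_SIDS = {"*S-1-5-113": "Local account", "*S-1-2-0": "Local"}

_SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")
_DOMAIN_USER_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")    # e.g. AzureAD\user@tenant.com
_BARE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 _-]*$")  # e.g. Administrators

# Built-in local groups an admin is likely to list (assumed list, used for the heuristic below).
LOCAL_GROUPS = ("Administrators", "Users", "Guests", "Remote Desktop Users")


def classify(entry: str) -> str:
    """Return the kind of principal an entry looks like, or 'invalid'."""
    if _SID_RE.match(entry):
        return "sid"
    if _DOMAIN_USER_RE.match(entry):
        return "domain\\user"
    if _BARE_NAME_RE.match(entry):
        return "name"
    return "invalid"


def build_value(principals):
    """Join principals into the string to paste into the OMA-URI Value field."""
    for p in principals:
        if classify(p) == "invalid":
            raise ValueError(f"not a SID, DOMAIN\\user or group name: {p!r}")
    return SEPARATOR.join(principals)


def lint_value(value: str):
    """Return the problems a value would cause on the device (empty list if none)."""
    problems = []
    if ENTITY in value:
        problems.append("literal &#xF000; found: decode the entity into the U+F000 character")
    for entry in value.split(SEPARATOR):
        if classify(entry) == "invalid":
            problems.append(f"unrecognised entry {entry!r}")
        # Heuristic: 'AdministratorsAzureAD\user' means the separator was dropped.
        for group in LOCAL_GROUPS:
            if entry.startswith(group) and len(entry) > len(group) and "\\" in entry:
                problems.append(f"missing separator after {group!r} in {entry!r}")
    return problems
```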

So now let’s test this out. I am trying to log in with a user that is not allowed.
This is what the screen looks like when a user who is not in the list tries to log in.

Conclusion
Restricting the login may be required for special use cases. Unfortunately, this is currently only possible with local and Azure AD users or local groups. Central management via an Azure AD group is not possible as of today. A blog with a possible workaround will follow soon.
Stay healthy, Cheers
Jannik
Hi, is it possible to add an Azure AD group, rather than a username? Thanks!
Hey, yes, it is now possible via a new Account Protection Policy. If you want, I can create a blog post about this.
AdministratorsAzureAD\sys.admin@xxxxx.com we are using this in the Value part, but the user is not able to log in to the device. The device is stuck and so are we.
Hey Ashish, can you try this solution: https://jannikreinhard.com/2022/05/22/how-to-restrict-the-login-to-dedicated-users-with-intune-part-2/
As far as I know, via Account Protection policy it is only possible to modify known local groups? Can this also be used to restrict / allow login for Azure AD groups? What does this look like, just via SID or also AzureAD\Groupname? If you can give more information on that, it would be great.
[…] via Intune. Intune has a cool new feature that allows you to manage the members of local groups. In my previous blog I did this restriction with a configuration profile and put an AAD user into the local group. Now […]
Hi.
We tried this, using AdministratorsAzureAD\person@domain.com. This denied everyone from logging on, including any admins and the user listed. This persists even after deleting the configuration policy. Do you know a fix for this?
Thanks
Hey Anders, yes, this is an issue with this configuration profile. You can remove it via an Account Protection policy. There you can specify delete group.