In the Active directory it was possible to allow a user to log in only to certain computers. This is no longer so easy with Microsoft Entra ID and Intune. In this blog we would like to look at how you can realize this with the help of a custom profile.
Creating the Custom Profile for the login restriction
- Open the Intune admin center
- Navigate to Devices -> Configuration Profile
- Click + Create profile
- Select Windows 10 and later as Platform
- Select Template -> Custom as Profile type
- Click Create
- Enter a Name and click Next
- Click Add
- Enter the following information:
- Name: LocalLoginRestriction
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
- Data Type: String
- Value:
As Value you have to specify the account you want to use. It is also possible to specify multiple accounts, but you must use the following tag to separate them:
& #xF000; (Without Space between & and #)
But you can’t use the tag just like that. This must be converted via an XML decoder. There are tools for this on the internet or you can copy the ascii key from her:
Here are a few examples that you can specify as value:
Allow login only for local accounts:
<![CDATA[*S-1-5-113]]>
All users who have already logged on locally:
<![CDATA[*S-1-2-0]]>
Add the Administrators group and a Microsoft Entra ID user
AdministratorsAzureAD\user@tenant.com
- Click Save
- Click Next
- Assign the Policy to a group
- Click Next
- Click Next
- Click Create
So now let’s test this out. I am trying to log in with a user that is not allowed.
This is how the screen looks like when a user tries to log in who is not in the list.
Conclusion
Restricting the login may be required for special use cases. Unfortunately, this is currently only possible with local and Microsoft Entra ID users or local groups. Central management via a Microsoft Entra ID group is not currently possible. A separate blog post covers a possible workaround
Stay healthy, Cheers
Jannik
Hi, is it possible to add an Azure AD group, rather than a username? Thanks!
Hey yes it is now possible via a new Account Protection Policy. If you want I can create a blog post about this.
AdministratorsAzureAD\sys.admin@xxxxx.com we are using this in the Value part , but the user is not able to log in into device. The device is stuck and so are we.
Hey Ashish, can you try this solution: https://jannikreinhard.com/2022/05/22/how-to-restrict-the-login-to-dedicated-users-with-intune-part-2/
As far as i know via Account Protection policy it is only possible to modify known local groups ? can this also be used to restrict / allow login for azure AD Groups ? how does this look like just via SID or also AzureAD\Groupname ? if you can give more information on that would be great
Hi.
We tried this, using AdministratorsAzureAD\person@domain.com. This denied everyone from logging on, includnig any admins and the user listed. This persists even after deleting the configuration policy. Do you know a fix for this?
Thanks
Hey Anders, yes this is an issue of this configuration profile. You can remove this via a Account protection policy. Here you cen specify delete group.