- December 13, 2024 at 10:35 am
Weekend Wiki (Keymaster)

To prevent unauthorized third-party devices from enrolling in Microsoft Entra ID (Azure AD) without admin approval, you can implement the following strategies:

1. Restrict Device Enrollment in Entra ID Settings
- Go to the Microsoft Entra admin center and navigate to Devices > Device Settings.
- Under Users may join devices to Azure AD, select None or limit enrollment to specific groups. This way, only selected users or groups can enroll devices.
2. Use Enrollment Restrictions in Intune
- Go to the Intune admin center > Devices > Enrollment restrictions.
- Create Device Type Restrictions and Device Limit Restrictions to block enrollment of certain device types or restrict the number of devices a user can enroll.
- You can also specify Platform Restrictions to block unauthorized device types, such as unknown or unsupported platforms.
3. Require Multi-Factor Authentication (MFA) for Device Enrollment
- Enforce MFA for device registration. This adds an extra layer of security by requiring MFA for any device enrollment.
- Go to Security > Conditional Access in the Microsoft Entra admin center.
- Create a new policy targeting User Actions > Register or join devices and require MFA for this action.
4. Use Conditional Access to Require Compliant or Hybrid Devices
- Go to Security > Conditional Access and create a policy that targets specific applications (e.g., Microsoft 365 or sensitive applications).
- In Conditions, select Device State and require devices to be Compliant or Hybrid Azure AD joined.
- This setting only allows devices that meet compliance requirements or are part of your on-premises AD (for hybrid environments) to access resources.
5. Enable Admin Consent for Device Enrollment
- Implement Enrollment Manager roles in Intune for admins who are responsible for device enrollment.
- By assigning this role, you can restrict other users from enrolling devices without permission.
6. Monitor and Remove Unwanted Devices
- Regularly monitor enrolled devices under Devices > All Devices in the Microsoft Entra admin center.
- You can manually disable or delete devices that aren’t compliant or authorized, ensuring only approved devices remain active.
These steps allow you to control device enrollment in Microsoft Entra ID and prevent third-party devices from accessing company resources without admin approval.
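As an added example for step 6 (not part of the original post), the review below runs over a constructed set of device records shaped like the Microsoft Graph `device` resource (GET /devices) and flags the ones an admin should disable or delete: registered-only (BYOD) devices, non-compliant or unmanaged devices, and devices with no recent sign-in. The device names, timestamps and the 90-day staleness threshold are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the Graph device resource
# (GET https://graph.microsoft.com/v1.0/devices); all values are made up.
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-FIN-01", "trustType": "ServerAd", "isCompliant": True,
     "isManaged": True, "accountEnabled": True,
     "approximateLastSignInDateTime": "2024-12-10T08:12:00Z"},
    {"displayName": "iPhone-personal", "trustType": "Workplace", "isCompliant": False,
     "isManaged": False, "accountEnabled": True,
     "approximateLastSignInDateTime": "2024-12-12T19:40:00Z"},
    {"displayName": "OLD-KIOSK", "trustType": "AzureAd", "isCompliant": True,
     "isManaged": True, "accountEnabled": True,
     "approximateLastSignInDateTime": "2024-06-01T07:00:00Z"},
    {"displayName": "DISABLED-PC", "trustType": "AzureAd", "isCompliant": False,
     "isManaged": True, "accountEnabled": False,
     "approximateLastSignInDateTime": "2024-12-01T07:00:00Z"},
]

# Fixed "now" so the example is reproducible (assumed date for the review).
REVIEW_TIME = datetime(2024, 12, 13, tzinfo=timezone.utc)

def review_devices(devices, now, stale_after_days=90):
    """Return {displayName: [reasons]} for devices an admin should look at.

    trustType: "AzureAd" = Entra joined, "ServerAd" = hybrid joined,
    "Workplace" = Entra registered (typically personal/BYOD devices).
    """
    findings = {}
    for d in devices:
        if not d.get("accountEnabled", True):
            continue  # already disabled; nothing further to act on
        reasons = []
        if d.get("trustType") == "Workplace":
            reasons.append("registered-only (BYOD), not joined or hybrid joined")
        if not d.get("isCompliant"):
            reasons.append("not compliant")
        if not d.get("isManaged"):
            reasons.append("not managed by Intune")
        last = d.get("approximateLastSignInDateTime")
        if last:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > timedelta(days=stale_after_days):
                reasons.append(f"no sign-in for >{stale_after_days} days")
        if reasons:
            findings[d["displayName"]] = reasons
    return findings

if __name__ == "__main__":
    for name, why in review_devices(SAMPLE_DEVICES, REVIEW_TIME).items():
        print(f"{name}: {'; '.join(why)}")
```

In a real tenant the same function can be fed the `value` array returned by the Graph `/devices` endpoint instead of the constructed sample.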