Today a short article in which I show how we can restrict which users can log on to an Azure AD joined Windows 10 device with Microsoft Intune.
Neither Intune nor Azure Active Directory provides an out-of-the-box solution for this, but with a custom Intune profile we can do the job.
My first thought was to remove Authenticated Users from the built-in Users group with the Configuration Service Provider (CSP) policy RestrictedGroups/ConfigureGroupMembership and to add the Azure AD users who are allowed to sign in to the device to the Users group.
I was successful in removing Authenticated Users and adding the AAD users, but other users were still able to sign in to the device.
At that moment I realized I had already used such a solution for a Windows 10 kiosk device, which is described here. There I restricted the logon rights to local accounts only by using the CSP policy AllowLocalLogOn (User Right to Sign In Locally).
After some testing I was able to add multiple Azure AD accounts to the AllowLocalLogOn setting, which prohibits all other users from logging on to the Windows device.
Configure the Custom Configuration profile
To achieve the required restriction, we use the CSP policy UserRights/AllowLocalLogOn. To deploy the policy setting to an Intune managed device, we need to use a Custom Configuration profile.
- Sign in to the Endpoint Manager admin center
- Browse to Devices – Windows
- On the Configuration profiles tab click + Create profile
- Choose Windows 10 and later as Platform
- Choose Custom as Profile type
- Click Create
- Give the configuration profile a Name
- Enter a Description (optional)
- Click the Settings tab
- Click Add
Information needed to create the OMA-URI and additional details can be found on Microsoft Docs here.
In the value field, we need to enter the accounts which are allowed to sign in to the device. The documentation says the value has to be wrapped in a CDATA tag (<![CDATA[…]]>), but entering it that way gives an error in the Intune portal (even though the policy is still applied successfully). You can simply enter the accounts in the value field without the CDATA tag.
When you add multiple accounts, the accounts should be separated with the entity &#xF000; when using the CDATA tag. When we don't use the CDATA tag, we need to convert &#xF000; to the actual character (U+F000), for example with this tool. The outcome (rendered as a square box) can then be used as the separator.
Keep in mind that AllowLocalLogOn replaces the complete list of accounts holding the right to sign in locally. Make sure the local Administrators group (or another account you can use for recovery) is part of the list, otherwise you lock yourself out of the device.
Enter the information below into the policy:
Name: UserRights – AllowLocalLogOn
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Data Type: String
Click OK (twice) and click Create.
Assign the profile to a security group and you're ready for testing.
As soon as the policy is applied to the device, we can see in the MDM diagnostics log that the settings are applied successfully.
When a user who has not been granted the User Right to Sign In Locally (AllowLocalLogOn) tries to sign in to the Windows 10 device, the sign-in is blocked and this error message is shown:
The sign-in method you're trying to use isn't allowed. For more info, contact your network administrator.
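The same profile can be created from PowerShell instead of clicking through the portal, which also avoids the hassle of pasting the U+F000 separator by hand. The script below is an added example and not code from the original post: it builds the AllowLocalLogOn value, creates the custom profile through Microsoft Graph, and contains a check to run on the device afterwards. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account has the DeviceManagementConfiguration.ReadWrite.All permission; the account names (alice@contoso.com, bob@contoso.com) and the AzureAD\user@domain account format are placeholders you have to replace with the format that works in your tenant.

```powershell
# Added example, not part of the original post.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

# Accounts that keep the right to sign in locally. Keep the local Administrators
# group in the list: the policy REPLACES the default membership of the user right
# (Administrators, Users, Backup Operators, Guest), so leaving it out locks local
# admins out of the device. The AzureAD\... entries are placeholders.
$AllowedAccounts = @(
    'Administrators',
    'AzureAD\alice@contoso.com',   # placeholder Azure AD user
    'AzureAD\bob@contoso.com'      # placeholder Azure AD user
)

function New-UserRightsValue {
    param([Parameter(Mandatory)][string[]]$Accounts)
    # The UserRights CSP delimits multiple accounts with the private-use
    # character U+F000 (the "square box" when pasted into the portal).
    return ($Accounts -join [char]0xF000)
}

function New-AllowLocalLogOnProfileBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$Accounts
    )
    # Request body for a Windows 10 custom (OMA-URI) configuration profile.
    return @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Restrict interactive sign-in to the listed accounts'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingString'
                displayName   = 'UserRights - AllowLocalLogOn'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn'
                value         = (New-UserRightsValue -Accounts $Accounts)
            }
        )
    }
}

# --- Admin workstation: create the profile in Intune -------------------------
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$body    = New-AllowLocalLogOnProfileBody -DisplayName 'Restrict local logon' -Accounts $AllowedAccounts
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile $($created.displayName) with id $($created.id); assign it to a group in the portal."

# --- Target device: verify what was actually applied -------------------------
function Test-AllowLocalLogOnApplied {
    # 1) The value the Policy CSP received (assumption: stored under PolicyManager\current).
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\UserRights'
    $csp = (Get-ItemProperty -Path $key -Name AllowLocalLogOn -ErrorAction SilentlyContinue).AllowLocalLogOn
    # 2) The effective user right, exported from the local security policy.
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf | Out-Null
    $right = (Select-String -Path $inf -Pattern '^SeInteractiveLogonRight').Line
    Remove-Item $inf -ErrorAction SilentlyContinue
    return [pscustomobject]@{
        CspAccounts           = if ($csp) { $csp -split [char]0xF000 } else { @() }
        SeInteractiveLogonRight = $right
    }
}
# Run on the device (as admin) after an Intune sync:
# Test-AllowLocalLogOnApplied
```

The `SeInteractiveLogonRight` line from `secedit` is the authoritative check: it lists SIDs and names that hold the right after the policy was applied, so it tells you immediately whether Administrators survived and whether the Azure AD accounts were resolved. If that line no longer contains the Administrators group, fix the profile before you assign it to more devices.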
That's it for this post, thank you for reading!
If you'd like to read how we can create a local user account with Intune, read this post.
Thanks to Mark Thomas for the workaround mentioned on Twitter.