Restrict which users can logon into a Windows 10 device with Microsoft Intune

Today a short article in which I show how we can restrict which users can logon into a Azure AD joined Windows 10 device with Microsoft Intune.

Intune or Azure Active Directory don`t provide an out-of-the-box solution for this, but with a custom Intune profile we can do the job.

My first thought was to remove Authenticated Users from the build-in Users group with the Configuration Service Provider (CSP) policy ConfigureGroupMembership and add the Azure AD users which are allowed to sign-in to the device to the Users group.
I was successful in removing Authenticated Users and adding the AAD users, but other users where still able to sign-in to the device.

At that moment I realized, I already used such a solution for a Windows 10 kiosk device, which is described here. Here I restricted the logon rights to only local accounts by using CSP policy AllowLocalLogon (User Right to Sign In Locally).

After some testing I was able to add multiple Azure AD account to the AllowLocalLogon setting, which prohibits other users from logging on into the Windows device.

Configure the Custom Configuration profile

To achieve the required restrictions, we use the CSP policy AllowLocalLogon. To deploy the policy setting to a Intune managed device, we need to use a Custom Configuration profile.

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

Information needed to create the OMA-URI and additional information can be found on Microsoft Docs here.
In the value field we need to enter the accounts which we allow to sign-in to the device. Put the accounts between <![CDATA[ and ]]> to have the right format.
When you add multiple accounts, the accounts are separated with &#xF000;

Enter below information to the policy;
Name: UserRights – AllowLocalLogOn
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLocalLogOn
Data Type: String

Click OK (twice) and click Create.

Assign the profile to a security group and your ready for testing.

End-user experience

As soon as the policy is applied to the device, we can see in the MDMDiagnostics log the settings are successfully applied.

And when a user tries to sign in to the Windows 10 device, which is not granted the User Right to Sign In Locally (AllowLocalLogOn), he is prohibited and receives this error message.
The sign-in method you`re trying to use isn`t allowed. For more info, contact your network administrator.

That`s it for this post, thank you for reading!

If you`d like to read how we can create a local user account with Intune, read this post.

NB: In the Endpoint Manager admin center, the policy shows an Error state even if the policy is applied successful.


  1. I like your method – I was wondering if this could be reversed. If I wanted to restrict a group from logging into certain computers?
    I have a group of shared temp accounts, I want them to only be able to sign into certain computers. So maybe a domain wide config that “excludes” this particular group of users?? Is that possible?

  2. Hi Peter,
    I followed your guidelines but I am unable to access with any user .
    our local admin is being renamed to something else and I replace the line Administrator to admin-temp but I cannot login with it .
    What I am missing ?

    • Hi Guy,

      I wouldn`t remove the administrators group from the setting. As your admin-temp is member of that, he should be able to logon to the device.
      If that works fine, add an user (or group) next to the administrators group and try to logon. If it doesn`t work, you`re at least able to sign-in with an administrator account and able to review the event logs.

  3. I want to do a 1 to 1 configuration, that is, assign only one user to a laptop, I have 10 users and 10 laptops. I have to create a personalized profile for each user?

  4. Hi, thanks for your response.

    that how can I do it ??? I think it can be with OMA-URI AllowLocalLogOn but I am not very clear how to do it. You can help?

Leave a Reply

Your email address will not be published.