Restricting who can enroll devices into Microsoft Entra ID is an effective way to reduce your organisation's attack surface. By default, all users can enroll devices, which creates risk: users may enroll insecure devices, and if a user's account is breached, an attacker can enroll a malicious device into your environment.
1. Create a Security Group in Microsoft Entra ID
- Sign in to the Azure Portal
  - Navigate to the Azure Portal.
  - Sign in with an account that has sufficient permissions (e.g., Global Administrator or Privileged Role Administrator).
- Go to Microsoft Entra ID
  - In the left-hand menu, select "Microsoft Entra".
- Access Groups
  - Under the Microsoft Entra menu, select "Groups".
- Create a New Group
  - Click on "+ New group".
- Configure Group Settings
  - Group Type: Choose "Security".
  - Group Name: Enter a name for your security group.
  - Group Description: Optionally, provide a description for the group.
  - Membership Type: Select "Assigned" to add members manually.
- Create the Group
  - Click "Create" to finalize the creation of the security group.
2. Add Members to the Security Group
- Open Group Settings
  - In the "Groups" section of Microsoft Entra ID, find and select the group you just created.
- Add Members
  - Go to the "Members" tab within the group's settings.
  - Click on "+ Add members".
- Select Users
  - Use the search box to find and select the users you want to add.
  - Click "Select" once you've chosen the users.
- Confirm
  - Click "Add" to finalize adding the selected users to the group.
3. Configure Device Enrollment Restrictions
- Navigate to Device Enrollment Settings
  - Go to "Microsoft Entra".
  - Under the Microsoft Entra menu, select "Devices".
- Access Device Settings
  - In the "Devices" section, select "Device settings".
- Restrict Device Enrollment
  - In the "Device settings" blade, find the "Users and groups" section.
  - Click "Edit" under "Users and groups".
- Set Enrollment Restrictions
  - Choose "Selected" to allow only specific groups to enroll devices.
  - Click "Select groups" and then choose the security group you created.
  - Click "Select" to confirm.
- Save Changes
  - Click "Save" to apply the changes.
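The same steps can be scripted and, more usefully, audited with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original guide: it creates the assigned security group, adds members, and then reads the device registration policy back to confirm that joining is no longer open to all users. The group name, user principal names, the `Get-MgPolicyDeviceRegistrationPolicy` cmdlet, the `AzureADJoin.AppliesTo`/`AllowedGroups` property names and the `Policy.Read.DeviceConfiguration` scope are assumptions; check them against the SDK version you have installed.

```powershell
# Added example (not the original guide's code). Requires the Microsoft.Graph module.
# Group name, UPNs, the policy cmdlet and its property names are assumptions/placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Policy.Read.DeviceConfiguration"

$groupName = "Device-Enrollment-Allowed"           # placeholder, pick your own name
$members   = @("alice@example.com", "bob@example.com")   # placeholder UPNs

# Step 1: create an assigned (non-dynamic), mail-disabled security group.
$group = New-MgGroup -DisplayName $groupName `
    -Description "Users permitted to join or register devices in Microsoft Entra ID" `
    -MailEnabled:$false `
    -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled:$true

# Step 2: add each user as a direct member of the group.
foreach ($upn in $members) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Step 3 is a tenant-wide setting; here we only read it back to verify the change
# made in the portal. (Cmdlet and property names are assumptions, see lead-in.)
$policy = Get-MgPolicyDeviceRegistrationPolicy
$join   = $policy.AzureADJoin

Write-Host "Device join applies to : $($join.AppliesTo)"
Write-Host "Allowed group IDs      : $($join.AllowedGroups -join ', ')"

# Defender's check: flag the risky default and confirm our group is actually in the allow list.
if ($join.AppliesTo -eq 'all') {
    Write-Warning "Device join is still open to ALL users; the restriction was not applied."
}
elseif ($join.AppliesTo -eq 'selected' -and $join.AllowedGroups -notcontains $group.Id) {
    Write-Warning "Join is restricted, but group '$groupName' ($($group.Id)) is not in the allowed list."
}
else {
    Write-Host "OK: device join is restricted to the selected group(s)."
}
```

Run the read-back block on its own from a scheduled task to detect the setting drifting back to "All", since a single change in the portal silently reopens enrollment to every user.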