Blog
Posted by on 13th September 2024

Technical Blog - How to restrict Entra ID device enrollment to specific users

Restricting who can enroll devices into Microsoft Entra ID is a great way to reduce the attack surface of your organisation. By default all users can enroll devices which creates risk as users may enroll insecure devices or if a users account is breached an attacker can enroll a malicious device to your environment.

1. Create a Security Group in Microsoft Entra ID

  1. Sign in to the Azure Portal

    • Navigate to Azure Portal.
    • Sign in with an account that has sufficient permissions (e.g., Global Administrator or Privileged Role Administrator).
  2. Go to Microsoft Entra ID

    • In the left-hand menu, select "Microsoft Entra".
  3. Access Groups

    • Under the Microsoft Entra menu, select "Groups".
  4. Create a New Group

    • Click on "+ New group".
  5. Configure Group Settings

    • Group Type: Choose "Security".
    • Group Name: Enter a name for your security group.
    • Group Description: Optionally, provide a description for the group.
    • Membership Type: Select "Assigned" for manually adding members.
  6. Create the Group

    • Click "Create" to finalize the creation of the security group.

2. Add Members to the Security Group

  1. Open Group Settings

    • In the "Groups" section of Microsoft Entra ID, find and select the group you just created.
  2. Add Members

    • Go to the "Members" tab within the group's settings.
    • Click on "+ Add members".
  3. Select Users

    • Use the search box to find and select the users you want to add.
    • Click "Select" once you've chosen the users.
  4. Confirm

    • Click "Add" to finalize adding the selected users to the group.

3. Configure Device Enrollment Restrictions

  1. Navigate to Device Enrollment Settings

    • Go to "Microsoft Entra".
    • Under the Microsoft Entra menu, select "Devices".
  2. Access Device Settings

    • In the "Devices" section, select "Device settings".
  3. Restrict Device Enrollment

    • In the "Device settings" blade, find the "Users and groups" section.
    • Click "Edit" under "Users and groups".
  4. Set Enrollment Restrictions

    • Choose "Selected" to allow only specific groups to enroll devices.
    • Click "Select groups" and then choose the security group you created.
    • Click "Select" to confirm.
  5. Save Changes

    • Click "Save" to apply the changes.
Recent Posts

Some of our happy clients...

Drop us a message...