Technical Blog - How to restrict Entra ID device enrollment to specific users - IT Support & Cyber Security

Andrew Ballantyne

October 13, 2024

Technical Blog – How to restrict Entra ID device enrollment to specific users

Sign in to the Azure Portal
- Navigate to Azure Portal.
- Sign in with an account that has sufficient permissions (e.g., Global Administrator or Privileged Role Administrator).
Go to Microsoft Entra ID
- In the left-hand menu, select “Microsoft Entra”.
Access Groups
- Under the Microsoft Entra menu, select “Groups”.
Create a New Group
- Click on “+ New group”.
Configure Group Settings
- Group Type: Choose “Security”.
- Group Name: Enter a name for your security group.
- Group Description: Optionally, provide a description for the group.
- Membership Type: Select “Assigned” for manually adding members.
Create the Group
- Click “Create” to finalize the creation of the security group.

Open Group Settings
- In the “Groups” section of Microsoft Entra ID, find and select the group you just created.
Add Members
- Go to the “Members” tab within the group’s settings.
- Click on “+ Add members”.
Select Users
- Use the search box to find and select the users you want to add.
- Click “Select” once you’ve chosen the users.
Confirm
- Click “Add” to finalize adding the selected users to the group.

Navigate to Device Enrollment Settings
- Go to “Microsoft Entra”.
- Under the Microsoft Entra menu, select “Devices”.
Access Device Settings
- In the “Devices” section, select “Device settings”.
Restrict Device Enrollment
- In the “Device settings” blade, find the “Users and groups” section.
- Click “Edit” under “Users and groups”.
Set Enrollment Restrictions
- Choose “Selected” to allow only specific groups to enroll devices.
- Click “Select groups” and then choose the security group you created.
- Click “Select” to confirm.
Save Changes
- Click “Save” to apply the changes.

Tags :