Is it possible to use conditional access policy with specific logged on Windows user?

Gregory Suvalian 186 Reputation points
2024-04-30T15:10:22.2233333+00:00

Hello,

Is it possible to use the currently logged-on user as a signal inside Conditional Access policy evaluation?

Scenario is below.

  1. Computer is joined to Entra ID and managed by Intune
  2. Computer has both Entra ID user configured and local user

Is it possible for a Conditional Access policy to figure out whether I logged on with a local user instead of an Entra ID user (even though on a compliant device) and deny access based on that criterion?

I'm aware that I can configure Intune to prevent the ability to use local accounts to log in, but I need to implement this policy on personal devices where these logins shall be allowed.


2 answers

  1. Marilee Turscak-MSFT 34,626 Reputation points Microsoft Employee
    2024-04-30T23:34:47.19+00:00

    Hi @Gregory Suvalian ,

    If I'm understanding your question correctly, it sounds like you are hoping to block access to local accounts via conditional access.

    Conditional Access policies are scoped only to the built-in roles documented here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa

    You can create exclusions based on device compliance, hybrid join state, and device state, but you need to use Intune or group policies to enforce anything for a specific local administrator.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.


  2. Crystal-MSFT 44,156 Reputation points Microsoft Vendor
    2024-05-01T02:22:20.4633333+00:00

    @Gregory Suvalian, thanks for posting in Q&A. Based on my experience, it is possible to use Conditional Access policies to control access to applications based on device compliance. However, there is no method of using the currently logged-on user as a signal inside Conditional Access policy evaluation.

    To prevent the ability to use local accounts to log in, you mentioned you can do it via a configuration policy. But you don't want it to be prevented on personal devices. To avoid this, you can create a filter for corporate devices by setting (device.deviceOwnership -eq "Corporate") and apply the configuration policy only to corporate devices.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters-device-properties

    Hope the above information can help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
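To see which devices the filter rule quoted in the answer above would actually pick up, here is an added Python example (not from the answer, and not Microsoft's code) that evaluates a small subset of the Intune assignment-filter rule syntax against a constructed device inventory. The operator subset (-eq, -ne, -and, -or, parentheses), -and binding tighter than -or, and case-insensitive value comparison are assumptions made for the example.

```python
import re
# Subset of the Intune assignment-filter rule syntax handled here (an assumption
# about what matters for this case): -eq, -ne, -and, -or and parentheses.
_TOKEN = re.compile(r'\(|\)|-and|-or|-eq|-ne|"[^"]*"|[\w.]+', re.I)

def _tokenize(rule):
    tokens = _TOKEN.findall(rule)
    if "".join(tokens).replace(" ", "") != "".join(rule.split()):
        raise ValueError(f"rule contains unsupported text: {rule!r}")
    return tokens
def _parse_bin(tokens, i, op, sub, combine):
    # Left-associative chain of `sub` operands joined by `op`; -and is parsed
    # below -or, so it binds tighter (assumed to match Intune's precedence).
    left, i = sub(tokens, i)
    while i < len(tokens) and tokens[i].lower() == op:
        right, i = sub(tokens, i + 1)
        left = combine(left, right)
    return left, i
def _parse_or(t, i):
    return _parse_bin(t, i, "-or", _parse_and, lambda l, r: lambda d: l(d) or r(d))
def _parse_and(t, i):
    return _parse_bin(t, i, "-and", _parse_atom, lambda l, r: lambda d: l(d) and r(d))
def _parse_atom(tokens, i):
    if tokens[i] == "(":
        inner, i = _parse_or(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("missing closing parenthesis")
        return inner, i + 1
    if i + 2 >= len(tokens) or not tokens[i].startswith("device.") or tokens[i + 1].lower() not in ("-eq", "-ne"):
        raise ValueError(f"bad clause at token {i}")
    name, op, value = tokens[i][7:], tokens[i + 1].lower(), tokens[i + 2].strip('"').lower()
    # Property values compare case-insensitively (assumed to mirror Intune).
    return (lambda d: (str(d.get(name, "")).lower() == value) == (op == "-eq")), i + 3
def compile_rule(rule):
    tokens = _tokenize(rule)
    fn, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError("trailing tokens in rule")
    return fn
def matching_devices(rule, devices):
    pred = compile_rule(rule)
    return [d["deviceName"] for d in devices if pred(d)]

# Constructed sample inventory, not real devices.
SAMPLE_DEVICES = [
    {"deviceName": "CORP-LT-001", "deviceOwnership": "Corporate"},
    {"deviceName": "BYOD-LT-002", "deviceOwnership": "Personal"},
    {"deviceName": "CORP-LT-003", "deviceOwnership": "Corporate"},
]
CORPORATE_RULE = '(device.deviceOwnership -eq "Corporate")'
```

Running `matching_devices(CORPORATE_RULE, SAMPLE_DEVICES)` returns only the corporate devices, which is what keeps the local-account restriction off the personal device in the question.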