Version: 2.1.1-preview

MT.1070 - Restrict device join to selected users/groups or none.

Overview

Description

Verifies that device join to Entra ID is restricted to selected users/groups or disabled entirely.

Why This Matters

Device join should be restricted because:

  • Unauthorized Access: Unrestricted device join allows any user to connect personal or unmanaged devices to corporate resources.
  • Data Leakage: Uncontrolled devices may not have proper security controls, increasing risk of data exposure.
  • Compliance: Many regulatory frameworks require controlled device access to organizational resources.
  • Shadow IT: Unmanaged devices bypass security policies and monitoring capabilities.
  • Attack Surface: Each joined device represents a potential entry point for attackers.

Restricting device join to selected users/groups ensures only authorized devices with proper security controls can access organizational resources.

Remediation action

This setting can be changed under Device settings in the Microsoft Entra admin center or the Azure portal, or via the Microsoft Graph API / Microsoft Graph PowerShell module.

Admin Portal:

  1. Go to Entra Admin Center
  2. Navigate to Devices → Device settings
  3. Set Users may join devices to Microsoft Entra to Selected or None
    • If Selected, configure the specific users/groups that can join devices
    • If None, disable device join entirely
  4. Click Save

Use the following PowerShell commands to restrict device join. Build $params with exactly one of the two options below (the second assignment would otherwise overwrite the first), then apply it:

  # Connect to Microsoft Graph with appropriate permissions
  Connect-MgGraph -Scopes "Policy.ReadWrite.DeviceConfiguration"

  # Option 1: Disable device join completely (equivalent to "None" in the portal)
  $params = @{
      azureADJoin = @{
          allowedToJoin = @{
              "@odata.type" = "#microsoft.graph.noDeviceRegistrationMembership"
          }
      }
  }

  # Option 2: Restrict to selected users/groups (equivalent to "Selected" in the portal)
  # Replace the placeholder ids with the object ids of the groups allowed to join devices
  $params = @{
      azureADJoin = @{
          allowedToJoin = @{
              "@odata.type" = "#microsoft.graph.enumeratedDeviceRegistrationMembership"
              groups = @("group-id-1", "group-id-2")
          }
      }
  }

  # Apply the policy
  Update-MgPolicyDeviceRegistrationPolicy -BodyParameter $params
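To verify the remediation (or to see what the check in Test-MtEntraDeviceJoinRestricted has to decide), the following added example evaluates the allowedToJoin member of a device registration policy and reports pass/fail. It is not Maester's own code. The function name Test-DeviceJoinRestriction, the two sample policies, and the placeholder group id are constructed for this illustration; the commented-out live call assumes the beta /policies/deviceRegistrationPolicy endpoint and the Policy.Read.DeviceConfiguration scope.

```powershell
# Added example (not Maester's code): evaluate whether a device registration
# policy restricts Entra join, using the same allowedToJoin shape as the
# remediation body above.

function Test-DeviceJoinRestriction {
    param(
        # Policy as a hashtable or PSObject with an azureADJoin.allowedToJoin member,
        # e.g. the parsed JSON of GET /policies/deviceRegistrationPolicy.
        [Parameter(Mandatory)] $Policy
    )

    $allowed = $Policy.azureADJoin.allowedToJoin
    $type    = $allowed.'@odata.type'

    switch ($type) {
        '#microsoft.graph.noDeviceRegistrationMembership' {
            # Portal value "None": nobody may join devices
            return [pscustomobject]@{ Passed = $true; Reason = 'Device join is disabled (None).' }
        }
        '#microsoft.graph.enumeratedDeviceRegistrationMembership' {
            # Portal value "Selected": count the scoped principals for the report.
            # Measure-Object yields 0 for a missing ($null) collection.
            $userCount  = ($allowed.users  | Measure-Object).Count
            $groupCount = ($allowed.groups | Measure-Object).Count
            return [pscustomobject]@{
                Passed = $true
                Reason = "Device join is limited to $userCount user(s) and $groupCount group(s) (Selected)."
            }
        }
        '#microsoft.graph.allDeviceRegistrationMembership' {
            # Portal value "All": the condition MT.1070 flags
            return [pscustomobject]@{ Passed = $false; Reason = 'All users may join devices to Entra ID.' }
        }
        default {
            # Unknown or absent type: fail closed so a malformed policy is not reported as compliant
            return [pscustomobject]@{ Passed = $false; Reason = "Unrecognised allowedToJoin type '$type'." }
        }
    }
}

# Constructed sample policies (not live tenant data)
$allUsersPolicy = @{
    azureADJoin = @{
        allowedToJoin = @{ '@odata.type' = '#microsoft.graph.allDeviceRegistrationMembership' }
    }
}
$selectedPolicy = @{
    azureADJoin = @{
        allowedToJoin = @{
            '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
            users  = @()
            groups = @('00000000-0000-0000-0000-000000000001')   # placeholder group id
        }
    }
}

Test-DeviceJoinRestriction -Policy $allUsersPolicy
Test-DeviceJoinRestriction -Policy $selectedPolicy

# Against a live tenant (assumed endpoint version and scope; read-only permission suffices):
# Connect-MgGraph -Scopes 'Policy.Read.DeviceConfiguration'
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
# Test-DeviceJoinRestriction -Policy $live
```

The default branch fails closed: a policy whose allowedToJoin type is missing or unrecognised is reported as non-compliant rather than silently passing, which is the safer behaviour for a control whose purpose is to prove that join is restricted.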

Test Metadata

  Field            | Value
  -----------------|------------------------------------
  Test ID          | MT.1070
  Severity         | Medium
  Suite            | Maester
  Category         | Entra
  PowerShell test  | Test-MtEntraDeviceJoinRestricted
  Tags             | Device, Entra, MT.1070

Source

  • Pester test: tests/Maester/Entra/Test-MtEntraDeviceRegistrationPolicy.Tests.ps1
  • PowerShell source: powershell/public/maester/entra/Test-MtEntraDeviceJoinRestricted.ps1