Last Updated: 2025 06 13
This article looks at how to restrict user device registration in Entra ID. Whilst Conditional Access and Intune can be used to restrict access to compliant devices only, there are times when we want to allow device registration, provided that IT controls which devices get registered.
How does Device Registration occur?
When users sign in to Microsoft applications on a personal device, Microsoft presents an option for the user to register the device.
Selecting “No, this app only” is the only way to sign in to the application without registering the device. However, even if we communicate this to users, some will still choose to register. Therefore, we need a method to restrict user device registration.
The Challenge
Entra ID’s Conditional Access policies currently have no native way of blocking device registration. Whilst a policy can be scoped to the user action ‘Register or join devices’, that scope does not let us apply a block grant.
The Workaround
We can use a combination of Conditional Access, user actions and authentication strengths to create a workaround.
We do this by:
- Creating a new authentication strength that accepts only a Temporary Access Pass.
- Creating a Conditional Access policy scoped to the user action ‘Register or join devices’ that requires the authentication strength created above.
The result is that an administrator must first issue a Temporary Access Pass to a user before that user can register a device. Without the pass, the device cannot be registered.
IT effectively controls which devices are registered, since only IT can create the pass.
Configuration
Create a custom authentication strength with Temporary Access Passes
First, log in to the Entra Admin Center and navigate to ‘Authentication strengths’.
Create a new authentication strength. Give it a name and select ‘Temporary Access Pass (One-time use)’ as the only allowed method.
Review and save.
To expand on why we use Temporary Access Passes: only administrators can create the passes for users, which gives IT control over which devices are registered. If IT does not create a pass, the user is presented with an error message and the device cannot be registered. This effectively restricts device registration whilst letting us be selective about which devices are allowed.
Create the Conditional Access Policy
Now that we have a custom authentication strength, we can create the Conditional Access policy.
Conditional Access policy configuration:
- Target resources
  - Set to ‘User actions’ and select ‘Register or join devices’.
- Grant
  - Select ‘Require authentication strength’ and choose the custom authentication strength.
Note: You can choose to scope this to a group of users if needed.
Note: You can also exclude network ranges if you want to allow device registration only from a trusted location. Users will then need to be on the LAN for registration to occur.
The main elements to configure are as follows.
Under ‘Target resources’, set the drop-down menu to ‘User actions’ and select ‘Register or join devices’.
Within the ‘Grant’ settings, select ‘Require authentication strength’ and choose your custom strength.
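The same two steps can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the listed scopes, and the display names are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Custom authentication strength whose only allowed combination is a one-time Temporary Access Pass.
$strengthName = 'TAP only - device registration'   # constructed name
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq $strengthName
if (-not $strength) {
    $strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
        displayName         = $strengthName
        description         = 'Only a one-time-use Temporary Access Pass satisfies this strength'
        policyType          = 'custom'
        allowedCombinations = @('temporaryAccessPassOneTime')
    }
}

# 2. Conditional Access policy scoped to the user action 'Register or join devices'.
$policyBody = @{
    displayName   = 'Restrict device registration to TAP holders'   # constructed name
    # Start in report-only mode and review the sign-in logs before switching state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # Narrow includeUsers to a group if needed; keep emergency access accounts in excludeUsers.
        users          = @{ includeUsers = @('All'); excludeUsers = @() }
        applications   = @{ includeUserActions = @('urn:user:registerdevice') }
        clientAppTypes = @('all')
        # Optional, per the note above: do not require the pass from trusted network locations.
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Confirm the policy references the TAP-only strength before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, @{ n = 'StrengthId'; e = { $_.GrantControls.AuthenticationStrength.Id } }
```

Remove the `locations` block if you want the pass required from every network, and issue passes with `New-MgUserAuthenticationTemporaryAccessPassMethod` only for the users whose devices IT has approved.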
Conclusion
Hopefully this guide helps explain a workaround for restricting user device registration, and this functionality will become a native feature in the future. In any case, the workaround gives us a few options for restricting and controlling device registrations.
Big thanks to Adil Hussain for working through this issue with me!
If you haven’t already, please check out my other posts on Microsoft Defender, including a handy cheat sheet.