By default, all users can join devices to Microsoft Entra ID. This can be risky because users can add their private computers to Microsoft Entra ID, which is usually undesirable.

However, this becomes a much bigger problem when a user account is compromised and an attacker joins their own computer to Microsoft Entra ID. Such a computer could then potentially become compliant and gain access to internal applications and services, or bypass restrictions that exempt compliant devices. In fact, MFA is very often not required from compliant devices.

How to prevent users from joining their devices to Microsoft Entra ID

The first part of the configuration is located directly in Microsoft Entra ID. Open Devices – Device Settings; the very first setting is the one we are looking for – Users may join devices to Microsoft Entra. If possible, I recommend switching this setting to None, or limiting it to a select group of user accounts, such as IT administrators.

Blocking Microsoft Entra ID device join for regular users blocks all user-driven enrollment methods, including user-driven AutoPilot enrollment.

This setting prevents end users from joining Windows devices to Microsoft Entra ID. It does not affect hybrid join or devices enrolled in AutoPilot self-deploying mode, because in those cases the join is not performed in the user context.
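To check the "Users may join devices to Microsoft Entra" setting without clicking through the portal, the added example below (not from the original post) reads the tenant's device registration policy from Microsoft Graph and reports whether join is still open to everyone. It assumes the Graph deviceRegistrationPolicy response shape (an azureADJoin.allowedToJoin object whose @odata.type is the all/none/enumerated membership type), that the token carries a policy-read permission, and that the embedded sample responses are constructed rather than captured from a real tenant.

```python
import json
import urllib.request

# Assumed Graph endpoint for the tenant-wide device registration policy.
GRAPH_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy"

# Constructed sample (assumed response shape): a tenant still on the
# default setting, where every user may join devices.
SAMPLE_OPEN_TENANT = {
    "azureADJoin": {
        "isAdminConfigurable": True,
        "allowedToJoin": {
            "@odata.type": "#microsoft.graph.allDeviceRegistrationMembership"
        },
    }
}


def fetch_policy(access_token):
    """Read the live policy with a Graph bearer token (assumed permission: Policy.Read.All)."""
    req = urllib.request.Request(
        GRAPH_POLICY_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def assess_join_policy(policy):
    """Classify the join setting as 'open', 'restricted', 'blocked' or 'unknown'.

    Returns (status, detail). 'open' is the default and the risky state the
    post describes; the remediation is to set it to None or a selected group.
    """
    join = policy.get("azureADJoin", {})
    allowed = join.get("allowedToJoin", {})
    membership = allowed.get("@odata.type", "")
    if membership.endswith("allDeviceRegistrationMembership"):
        return "open", "any user may join devices; switch to None or a selected group"
    if membership.endswith("noDeviceRegistrationMembership"):
        return "blocked", "no user may join devices"
    if membership.endswith("enumeratedDeviceRegistrationMembership"):
        count = len(allowed.get("users", [])) + len(allowed.get("groups", []))
        return "restricted", f"join limited to {count} selected user(s)/group(s)"
    return "unknown", f"unrecognised membership type {membership!r}"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; pass a real token to fetch_policy otherwise.
    print(assess_join_policy(SAMPLE_OPEN_TENANT))
```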

Prevent users from enrolling devices to Microsoft Intune

Although it is not directly related to Microsoft Entra ID device join, I also recommend disabling end user device enrollment in Microsoft Intune.

In addition to joining their devices to Microsoft Entra ID, users can also enroll their devices into Microsoft Intune alone, in Mobile Device Management (MDM) mode. This is the typical Bring Your Own Device (BYOD) scenario, which should also be disabled for security reasons. Users should only work from corporate devices provided by their IT.

End user device enrollment into Microsoft Intune MDM can be disabled in the Intune Admin Center under Devices – Enrollment – Device platform restrictions. Open the Windows platform restrictions (and those of the other platforms as well) and switch Personally owned devices to Block.