Locking Down Access: How to Block Specific User Groups from signing-in on Microsoft Intune-Managed Devices

Last week, I was asked by a customer if it was possible to block a specific group of users from logging in to Windows 11 devices managed by Microsoft Intune. Why? Let me briefly discuss the use case on this one.

What is the use case here?

The client is an educational institution where all users (employees & students) have an active Microsoft 365 A5 license and are currently implementing Microsoft Intune for Windows 11 on their devices for employees. The devices are only available to employees, and therefore, the question of blocking login for students to use these devices came up, to avoid devices being temporarily “loaned” to students. Blocking login will make these devices “unusable” for students. Students are only allowed to log in on specific desktops at the location.

Now, how did I do this? For this, we need the following:

  • A Microsoft Entra ID dynamic user group and a dynamic device group
  • Two configuration policies in Microsoft Intune
  • An enrolled Windows 11 device

INFORMATION: This also works on Windows 10 devices; however, since Windows 10 is out of support as of October 14, 2025, we will focus on Windows 11 devices from now on.

Solution

Microsoft Entra ID

The first thing we need is a dynamic user group based on a particular property of the Entra ID user account. We use the “EmployeeId” property because the client does not use this attribute, and the more logical “EmployeeType” is not supported as a property for creating a dynamic group in Microsoft Entra ID.

INFORMATION: You can find a list of supported properties here.

User properties – EmployeeID

The first thing to check is that the EmployeeId attribute is populated for all students in Entra ID, because the dynamic user group we create later is built on this attribute: a student without the value will not become a member and will not be blocked.

You can do this manually per user in the user’s properties in Entra ID. If you want to apply this in bulk for all relevant users, you can use a .csv file with UserPrincipalName, EmployeeID, and the script below:

#Step 1: Check if the Microsoft Graph Module is installed, if not install it
$graphModule = Get-Module -ListAvailable Microsoft.Graph
if ($graphModule) {
    Write-Host "The Microsoft Graph PowerShell Module is already installed." -ForegroundColor Green
} else {
    Write-Host "The Microsoft Graph PowerShell Module is NOT installed." -ForegroundColor Red
    Write-Host "Installing now..." -ForegroundColor Yellow
    try {
        Install-Module Microsoft.Graph -Scope CurrentUser -Force
        Write-Host "The Microsoft Graph PowerShell Module installed successfully." -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to install the Microsoft Graph PowerShell Module: $_" -ForegroundColor Red
        # Nothing below can run without the module, so stop here
        throw
    }
}

#Step 2: Connect to Microsoft Graph and update employeeId in bulk from CSV
##Step 2.1: Connect to Microsoft Graph with the required scopes
Connect-MgGraph -Scopes "User.ReadWrite.All"

##Step 2.2: Confirm connection to Microsoft Graph
$context = Get-MgContext
Write-Host "Connected as $($context.Account)" -ForegroundColor Cyan

##Step 2.3: Import CSV (columns: UserPrincipalName, EmployeeID)
$csvPath = "Path To Your .csv File"
$userList = Import-Csv -Path $csvPath

##Step 2.4: Loop through users and update employeeId for all users in the CSV
foreach ($user in $userList) {
    $upn = $user.UserPrincipalName
    $employeeId = $user.EmployeeID

    # Skip incomplete rows instead of accidentally clearing a user's EmployeeID
    if ([string]::IsNullOrWhiteSpace($upn) -or [string]::IsNullOrWhiteSpace($employeeId)) {
        Write-Host "Skipping row with an empty UserPrincipalName or EmployeeID" -ForegroundColor Yellow
        continue
    }

    try {
        # -ErrorAction Stop turns a failed Graph call into a terminating error so the catch block runs
        Update-MgUser -UserId $upn -EmployeeId $employeeId -ErrorAction Stop
        Write-Host "Updated $upn with EmployeeID $employeeId" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to update ${upn}: $_" -ForegroundColor Red
    }
}

#Step 3: Disconnect from Microsoft Graph
Disconnect-MgGraph

INFORMATION: You can download this script and .csv template from my GitHub page here. You only need to fill in the .csv file and change the path to your .csv in the PowerShell script.

Microsoft Entra ID Dynamic Groups

As mentioned earlier, we also need two dynamic groups: a dynamic user group (All Student Users) and a dynamic device group (All Managed Devices).

Dynamic User Group

Now, let’s create a dynamic user group in Entra ID. If you don’t know how to create one, you can check out one of my articles here. Create a dynamic user group and use the following dynamic query based on the EmployeeID property of the Student users:

(user.employeeId -eq "Student")

Dynamic Device Group

For the dynamic device group, we will create a device group that contains all Intune-managed devices. Why not just assign to All Devices? I prefer not to, and I like working with dynamic groups instead.

Now, let’s create a dynamic device group with the following query:

(device.managementType -eq "MDM")
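Before moving on to Intune, it is worth confirming that the attribute and the dynamic rule line up, because a student whose EmployeeID was not set (or was set to a different value) silently stays outside the group and is not blocked. The script below is an added example and not part of the original post or its GitHub repository; it assumes the same CSV used for the bulk update, the value "Student" from the dynamic rule above, and a group display name of "All Student Users" (a placeholder, change it to your own).

```powershell
# Added example (not from the original post): verify the EmployeeID values and preview
# which accounts the dynamic rule (user.employeeId -eq "Student") will pick up.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

$csvPath      = "Path To Your .csv File"   # same CSV used for the bulk update
$studentValue = "Student"                   # must match the dynamic membership rule exactly
$groupName    = "All Student Users"         # placeholder: display name of your dynamic user group

# 1. Per-user check. employeeId is not returned by default, so request it explicitly.
$userList = @(Import-Csv -Path $csvPath)
$mismatches = foreach ($row in $userList) {
    $u = Get-MgUser -UserId $row.UserPrincipalName -Property userPrincipalName, employeeId
    if ($u.EmployeeId -ne $row.EmployeeID) {
        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            Expected          = $row.EmployeeID
            Actual            = $u.EmployeeId
        }
    }
}
if ($mismatches) {
    Write-Warning "Users whose EmployeeID does not match the CSV:"
    $mismatches | Format-Table -AutoSize
} else {
    Write-Host "All $($userList.Count) users carry the expected EmployeeID." -ForegroundColor Green
}

# 2. Tenant-wide preview: every account the rule will match, whether or not it is in the CSV.
$studentAccounts = @(Get-MgUser -Filter "employeeId eq '$studentValue'" -Property userPrincipalName, employeeId -All)
Write-Host "Accounts with employeeId '$studentValue': $($studentAccounts.Count)"
$studentAccounts | Select-Object UserPrincipalName | Format-Table -AutoSize

# 3. Group side: rule text, processing state and the current member count.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property id, displayName, membershipRule, membershipRuleProcessingState
if ($group) {
    $group | Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState | Format-List
    $memberCount = (Get-MgGroupMember -GroupId $group.Id -All | Measure-Object).Count
    Write-Host "Current members: $memberCount (dynamic membership can take a few minutes to settle)"
} else {
    Write-Warning "Group '$groupName' not found; check the display name."
}

Disconnect-MgGraph
```

The member count in step 3 should converge to the count from step 2 once Entra ID has finished processing the rule; a persistent difference points at a typo in either the rule or the attribute values.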

So, now that we have created our groups, we can start configuring our Configuration policies in Microsoft Intune.

Microsoft Intune

For the Microsoft Intune part, we need to create two Configuration Policies, one for adding our Student group to a local group (we will be using the local Guest group) and one that will deny logon locally on the device.

Get Guest Group SID

The SID of the local Guests group can be looked up with PowerShell on any Windows 11 device.

INFORMATION: Why a SID instead of a name? The names of built-in groups are localized, so a policy that references “Guests” by name breaks on devices installed with a different OS language. The SID is identical on every installation, which still makes it the more reliable choice in Windows.

Open PowerShell and enter the command below:

Get-LocalGroup -Name Guests | fl Name, SID

This gives the following result: the SID of the Guests group is S-1-5-32-546. This is a well-known SID, so it is the same on every Windows device.

Now that we have this information, we can create our Configuration Profiles in Microsoft Intune.

Configuration Profiles

In Microsoft Intune, we are now going to create two policies, one where we are going to make our Microsoft Entra ID user group a member of the local Guests group, and one where we are going to make sure that we block members of the local Guests group from signing into the Microsoft Intune-managed device.

Profile 1: Local User Group Membership

Go to Microsoft Intune admin center | Endpoint Security | Account Protection, and create a new policy with the Local user group membership profile.

Configure the policy as shown below, where we will add our Microsoft Entra ID dynamic user group to the local Guests group.

Assign this policy to the Microsoft Entra ID dynamic device group created earlier and choose Create.

Profile 2: Deny Local Logon

The second policy we’re going to create is the one where we block members of the local Guests group from signing-in on our Microsoft Intune-managed devices.

Go to Microsoft Intune admin center | Devices | Configuration and create a new configuration policy, and in Settings Catalog search for Deny Local Logon.

In the settings, specify the SID of the local Guests group that we looked up in the previous steps. Note that the SID must be prefixed with an asterisk (*S-1-5-32-546); without it the setting does not apply.

Assign this policy to the Microsoft Entra ID dynamic device group created earlier and choose Create.

Now that our policies have been created and assigned, we wait for the devices to sync. So, what does this give as an end-user experience?

End-User Experience

If you try to sign in with a staff account, you can sign in without any problems. If you try to sign in with a student account, you get the message “The sign-in method you’re trying to use isn’t allowed. For more info, contact your network administrator.”
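Besides testing with a student account, both policies can be verified on the device itself, which is useful when a sign-in still succeeds and you need to know whether the group membership or the user-rights assignment is the part that has not arrived yet. The script below is an added example, not something from the original post; it uses the Guests SID from the steps above and is meant to be run in an elevated PowerShell session on an enrolled device.

```powershell
# Added example (not from the original post): check on an enrolled Windows 11 device that
# policy 1 (Entra group in local Guests) and policy 2 (deny local logon for Guests) applied.
# Run elevated. Assumes the well-known Guests SID used in the post.
$guestsSid = 'S-1-5-32-546'

# 1. Local group membership. Entra ID principals added by the "Local user group membership"
#    policy show up as members of Guests with a SID that starts with S-1-12-1-.
#    Get-LocalGroupMember is known to fail on some builds when the group contains
#    Entra ID objects, so fall back to "net localgroup" in that case.
try {
    $members = Get-LocalGroupMember -Group 'Guests' -ErrorAction Stop
    $members | Select-Object Name, ObjectClass, SID, PrincipalSource | Format-Table -AutoSize
    $entraMembers = @($members | Where-Object { $_.SID.Value -like 'S-1-12-1-*' })
    if ($entraMembers.Count -eq 0) {
        Write-Warning "No Entra ID group or user is a member of Guests yet; policy 1 has not applied."
    } else {
        Write-Host "Policy 1 applied: $($entraMembers.Count) Entra ID member(s) in Guests." -ForegroundColor Green
    }
}
catch {
    Write-Warning "Get-LocalGroupMember failed ($_); showing raw 'net localgroup' output instead."
    net localgroup Guests
}

# 2. User rights. Export the local security policy and read SeDenyInteractiveLogonRight,
#    which is the right behind "Deny log on locally".
$cfg = Join-Path $env:TEMP 'userrights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if ($line -and $line -match [regex]::Escape("*$guestsSid")) {
    Write-Host "Policy 2 applied, Guests are denied local logon: $line" -ForegroundColor Green
} else {
    Write-Warning "SeDenyInteractiveLogonRight does not contain *$guestsSid; policy 2 has not applied. Current value: '$line'"
}
```

If step 1 passes but step 2 fails, the student account is in Guests but can still sign in; in that case re-check the asterisk in front of the SID in the Deny Local Logon setting and trigger a device sync from the Intune admin center.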

Conclusion

So with this configuration, you can restrict sign-in on Microsoft Intune-managed devices to the users you want: put the users to be blocked in a dynamic group, add that group to the local Guests group, and deny local logon for Guests.