Control: 5.1.4.1 Ensure the ability to join devices to Entra is restricted
Description
This setting enables you to select the users who can register their devices as Microsoft Entra joined devices.
The recommended state is Selected or None.
Note: This setting is applicable only to Microsoft Entra join on Windows 10 or newer. This setting doesn't apply to Microsoft Entra hybrid joined devices, Microsoft Entra joined VMs in Azure, or Microsoft Entra joined devices that use Windows Autopilot self-deployment mode because these methods work in a userless context.
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Entra ID > Devices, then select Device settings.
- Set Users may join devices to Microsoft Entra to Selected (and add members) or None.
Default Value
All.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v600_5_1_4_1 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when azure_ad_join -> 'allowedToJoin' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
      or azure_ad_join -> 'allowedToJoin' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' then 'ok'
    else 'alarm'
  end as status,
  case
    when azure_ad_join -> 'allowedToJoin' ->> '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
      then tenant_id || ' has device join restricted to selected users or groups.'
    when azure_ad_join -> 'allowedToJoin' ->> '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership'
      then tenant_id || ' has device join restricted.'
    else tenant_id || ' has device join allowed for all users.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_device_registration_policy;
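The query above keys entirely on the @odata.type of azureADJoin.allowedToJoin. The following is an added example, not part of the Powerpipe mod or the Steampipe plugin: it applies the same classification in Python to a JSON document shaped like the Microsoft Graph response from GET /policies/deviceRegistrationPolicy (the field layout and the #microsoft.graph.allDeviceRegistrationMembership type are assumed from the Graph schema; the sample documents are constructed, not captured from a tenant). It also shows two things the SQL does not: the user and group object IDs that an enumerated membership permits, and a distinct alarm for a missing or unrecognised membership type instead of folding it into "allowed for all users".

```python
"""Evaluate CIS 5.1.4.1 (restrict Entra join) against a deviceRegistrationPolicy document.

Added example, not the mod's own code. The document shape mirrors the Graph
deviceRegistrationPolicy resource (assumption; only the fields read here are modelled).
"""
import json

# @odata.type values of the deviceRegistrationMembership subtypes returned for
# azureADJoin.allowedToJoin. The control's SQL matches the first two.
ENUMERATED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"
NONE = "#microsoft.graph.noDeviceRegistrationMembership"
ALL = "#microsoft.graph.allDeviceRegistrationMembership"


def evaluate_join_policy(policy: dict, tenant_id: str) -> dict:
    """Classify a policy document the way the control's SQL does.

    Returns 'status' ('ok' or 'alarm'), a 'reason' string, and for an
    enumerated membership the 'users' and 'groups' object IDs allowed to join.
    """
    allowed = (policy.get("azureADJoin") or {}).get("allowedToJoin") or {}
    kind = allowed.get("@odata.type")
    empty = {"users": [], "groups": []}

    if kind == ENUMERATED:
        users = list(allowed.get("users") or [])
        groups = list(allowed.get("groups") or [])
        reason = f"{tenant_id} has device join restricted to selected users or groups."
        if not users and not groups:
            # "Selected" with nobody added behaves like None: no user can join.
            reason = f"{tenant_id} has device join restricted (selected, but no members added)."
        return {"status": "ok", "reason": reason, "users": users, "groups": groups}
    if kind == NONE:
        return {"status": "ok", "reason": f"{tenant_id} has device join restricted.", **empty}
    if kind == ALL:
        return {"status": "alarm", "reason": f"{tenant_id} has device join allowed for all users.", **empty}
    # Missing or unknown membership type: fail closed, but say so explicitly
    # rather than reporting "allowed for all users" as the SQL's catch-all does.
    return {"status": "alarm", "reason": f"{tenant_id} has an unrecognised allowedToJoin type: {kind!r}.", **empty}


def evaluate_json(raw: str, tenant_id: str) -> dict:
    """Same check over the raw JSON body returned by the Graph endpoint."""
    return evaluate_join_policy(json.loads(raw), tenant_id)


# Constructed sample documents (not from a real tenant); IDs are placeholders.
SAMPLES = {
    "all-default": {
        "id": "deviceRegistrationPolicy",
        "azureADJoin": {"isAdminConfigurable": True, "allowedToJoin": {"@odata.type": ALL}},
    },
    "selected": {
        "id": "deviceRegistrationPolicy",
        "azureADJoin": {
            "isAdminConfigurable": True,
            "allowedToJoin": {
                "@odata.type": ENUMERATED,
                "users": ["00000000-0000-0000-0000-000000000001"],
                "groups": ["00000000-0000-0000-0000-0000000000aa"],
            },
        },
    },
    "none": {
        "id": "deviceRegistrationPolicy",
        "azureADJoin": {"isAdminConfigurable": True, "allowedToJoin": {"@odata.type": NONE}},
    },
}


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        result = evaluate_join_policy(doc, "contoso.onmicrosoft.com")
        print(f"{name:12} {result['status']:5} {result['reason']}")
        if result["users"] or result["groups"]:
            print(f"{'':12} users={result['users']} groups={result['groups']}")
```

Against a live tenant the same function can be fed the body of an authenticated GET to https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy (reading it requires the Policy.Read.All permission, which is an assumption you should confirm against the Graph documentation for your API version); the evaluation logic does not change.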