The title says it for itself. It is a useful capability for shared workstations and other scenarios, where the PC access needs to be limited. The credit goes to this blog post on EMM.how, you can read it for full details and pictures I just want to make a few points that I’ve taken out of that post and add some of mine.
- In their scenario, the machine is Azure-only joined (way to go – hybrid join is a mess!). Turns out AAD doesn’t have a native way of achieving this – you must use MDM to manage the local Users security group on the machine.
- You use a Restriced Groups CSP to do it. Simply put, this allows you to explicitly define the group membership via the XML payload – you push down a list, and the group membership is adjusted accordingly. So you pull out the “Authenticated Users” group (= any AAD user) from the local Users group, and insert an explicit list of names.
<groupmembership> <accessgroup desc = "Users"> <member name = "AzureAD\user1@aad.com" /> <member name = "AzureAD\user2@aad.com" /> <member name = "NT Authority\INTERACTIVE" /> </accessgroup> </groupmembership>
- Note that for AAD users including “AzureAD\” is a must.
- In their post, the author uses InTune. Since this is a standard XML-based CSP, you can use any MDM capable of deploying the custom XML. Here’s VMware Policy Builder doing it. In any case, you have to build XML payload yourself, but as you see it is very straightforward.

That’s pretty much it. Simple? Useful? Let me know!
Leave a Reply