Restrict device join to selected users/groups or none.

Why This Matters

Allowing all users to join devices to your tenant creates an unmanaged attack surface. Any compromised account could enroll a rogue device, bypassing conditional access policies and gaining unauthorized access to corporate resources. Restricting device join to specific users or groups limits this risk to only trusted identities.

What Aether365 Checks

Aether365 verifies that the Microsoft Entra ID setting "Users may join devices to Azure AD" is configured to either "None" or a defined set of users or groups. This check appears in your Aether365 dashboard under the entra-id service checks.
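The same pass/fail decision can be reproduced offline against an exported policy document. The following is an added example, not Aether365's own code: it assumes the setting is exposed as the `azureADJoin.allowedToJoin` property of Microsoft Graph's `deviceRegistrationPolicy` resource, and the function name and sample documents are constructed for illustration.

```python
# Added example: offline evaluation of the device-join scope.
# Field names are assumed to follow Microsoft Graph's deviceRegistrationPolicy
# resource (azureADJoin.allowedToJoin with an @odata.type discriminator).
GRAPH_NS = "#microsoft.graph."

# Constructed sample policy bodies (not taken from a real tenant).
SAMPLE_ALL = {"azureADJoin": {"allowedToJoin": {
    "@odata.type": GRAPH_NS + "allDeviceRegistrationMembership"}}}
SAMPLE_SELECTED = {"azureADJoin": {"allowedToJoin": {
    "@odata.type": GRAPH_NS + "enumeratedDeviceRegistrationMembership",
    "users": [],
    "groups": ["00000000-0000-0000-0000-000000000001"]}}}  # placeholder id
SAMPLE_NONE = {"azureADJoin": {"allowedToJoin": {
    "@odata.type": GRAPH_NS + "noDeviceRegistrationMembership"}}}


def evaluate_device_join(policy):
    """Return (passed, reason) for the 'who may join devices' scope."""
    allowed = (policy.get("azureADJoin") or {}).get("allowedToJoin") or {}
    # Reduce '#microsoft.graph.<type>' to '<type>'; empty string if absent.
    kind = allowed.get("@odata.type", "").rsplit(".", 1)[-1]

    if kind == "noDeviceRegistrationMembership":
        return True, "None: no user may join devices"
    if kind == "enumeratedDeviceRegistrationMembership":
        users = allowed.get("users") or []
        groups = allowed.get("groups") or []
        return True, f"Selected: {len(users)} user(s), {len(groups)} group(s)"
    if kind == "allDeviceRegistrationMembership":
        return False, "All: every user may join devices"
    # Missing or unrecognised scope: fail closed so a schema change is noticed.
    return False, f"Unknown scope {kind!r}: treat as non-compliant"


if __name__ == "__main__":
    samples = [("all", SAMPLE_ALL), ("selected", SAMPLE_SELECTED),
               ("none", SAMPLE_NONE), ("empty document", {})]
    for name, doc in samples:
        passed, reason = evaluate_device_join(doc)
        print(f"{name:15} {'PASS' if passed else 'FAIL'}  {reason}")
```

The reason string for a "Selected" result reports how many users and groups are in scope, which is worth reviewing periodically because a passing check says nothing about how broad the selected groups are.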
