<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments on: Assign Deny Local Log On user right to an (Azure) AD group by using Microsoft Intune	</title>
	<atom:link href="https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/feed/" rel="self" type="application/rss+xml" />
	<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/</link>
	<description>Intune, Windows, Office 365, Microsoft 365, Azure, Automation</description>
	<lastBuildDate>Tue, 24 Jun 2025 12:05:17 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>
		By: Chris Johnson		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-253938</link>

		<dc:creator><![CDATA[Chris Johnson]]></dc:creator>
		<pubDate>Tue, 24 Jun 2025 12:05:17 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-253938</guid>

					<description><![CDATA[This works with windows 11 24H2 June 2025 but be aware there is a delay when adding users to the groups of a few hours.]]></description>
			<content:encoded><![CDATA[<p>This works with windows 11 24H2 June 2025 but be aware there is a delay when adding users to the groups of a few hours.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Joshua Bines		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-209661</link>

		<dc:creator><![CDATA[Joshua Bines]]></dc:creator>
		<pubDate>Tue, 28 Nov 2023 17:36:42 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-209661</guid>

					<description><![CDATA[I like this solution but... likely this does meet dymanic group licensing requirements :( 

&quot;This feature requires a Microsoft Entra ID P1 license or Intune for Education for *each* unique user that is a member of one or more dynamic groups.&quot;
https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership]]></description>
			<content:encoded><![CDATA[<p>I like this solution but&#8230; likely this does meet dymanic group licensing requirements 🙁 </p>
<p>&#8220;This feature requires a Microsoft Entra ID P1 license or Intune for Education for *each* unique user that is a member of one or more dynamic groups.&#8221;<br />
<a href="https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership" rel="nofollow ugc">https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership</a></p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: majerly		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-198629</link>

		<dc:creator><![CDATA[majerly]]></dc:creator>
		<pubDate>Sun, 16 Apr 2023 19:51:33 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-198629</guid>

					<description><![CDATA[Hi Peter,
I have tried in my laboratory the configuration that you indicate and it has worked for me and including the guest SID ok.
If the login is done with a password, the message is the one you indicate in your article and it is more or less understandable for a user.

If you do it by PIN, here it can confuse more, it says incorrect username or pin.

Hopefully they will soon release another method where you can capture it at the Azuread level, or a process that is not so cumbersome, since you have to do it that way because if you add the SID in the user right, it is not able to read the membership of that group, in It is type of configurations and I understand that this affects more similar configurations.
It is only capable of reading builtin groups or so I thought I understood,

Thanks for the article]]></description>
			<content:encoded><![CDATA[<p>Hi Peter,<br />
I have tried in my laboratory the configuration that you indicate and it has worked for me and including the guest SID ok.<br />
If the login is done with a password, the message is the one you indicate in your article and it is more or less understandable for a user.</p>
<p>If you do it by PIN, here it can confuse more, it says incorrect username or pin.</p>
<p>Hopefully they will soon release another method where you can capture it at the Azuread level, or a process that is not so cumbersome, since you have to do it that way because if you add the SID in the user right, it is not able to read the membership of that group, in It is type of configurations and I understand that this affects more similar configurations.<br />
It is only capable of reading builtin groups or so I thought I understood,</p>
<p>Thanks for the article</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Marcel Moerings		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-194713</link>

		<dc:creator><![CDATA[Marcel Moerings]]></dc:creator>
		<pubDate>Mon, 30 Jan 2023 20:31:36 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-194713</guid>

					<description><![CDATA[It all seems a bit tricky. I think the Allow Local Logon Right trumps the Deny local login right. What we are trying to accomplish is the ability for some admins to use their admin account for elevated rights, but not allow them to login wth their admin account on the system (which would give them admin access all the time).

To achieve this we add an Azure AD group to the local Administrators group. This makes sure they can elevate themselves with their admin account. We also followed your guide to add their admin accounts to another Azure AD group which we added to the Guests group. Guests are then denied the local logon right.

However... when testing this with a account that was also a member of the local administrators group, they could still logon. If the account was not a member of the local administrators group, but was a member of the guests group, the logon was denied.

I&#039;m wondering what would be a suitable solution for this issue. If they need elevation, they need to be part of the local Administrators group.]]></description>
			<content:encoded><![CDATA[<p>It all seems a bit tricky. I think the Allow Local Logon Right trumps the Deny local login right. What we are trying to accomplish is the ability for some admins to use their admin account for elevated rights, but not allow them to login wth their admin account on the system (which would give them admin access all the time).</p>
<p>To achieve this we add an Azure AD group to the local Administrators group. This makes sure they can elevate themselves with their admin account. We also followed your guide to add their admin accounts to another Azure AD group which we added to the Guests group. Guests are then denied the local logon right.</p>
<p>However&#8230; when testing this with a account that was also a member of the local administrators group, they could still logon. If the account was not a member of the local administrators group, but was a member of the guests group, the logon was denied.</p>
<p>I&#8217;m wondering what would be a suitable solution for this issue. If they need elevation, they need to be part of the local Administrators group.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: chris moore		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-183544</link>

		<dc:creator><![CDATA[chris moore]]></dc:creator>
		<pubDate>Sat, 04 Jun 2022 10:56:44 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-183544</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-183510&quot;&gt;Manuuu&lt;/a&gt;.

Yeah we saw this on our international devices. &quot;Guests&quot; is localized according to OS lang. We had luck using the &quot;LocalUsersandGroups CSP&quot; - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups - and writing the XML ourselves, specifying the local group&#039;s well-known SID in the &quot;accessgroup desc&quot; instead of the localized name.]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-183510">Manuuu</a>.</p>
<p>Yeah we saw this on our international devices. &#8220;Guests&#8221; is localized according to OS lang. We had luck using the &#8220;LocalUsersandGroups CSP&#8221; &#8211; <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups" rel="nofollow ugc">https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups</a> &#8211; and writing the XML ourselves, specifying the local group&#8217;s well-known SID in the &#8220;accessgroup desc&#8221; instead of the localized name.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Manuuu		</title>
		<link>https://inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/#comment-183510</link>

		<dc:creator><![CDATA[Manuuu]]></dc:creator>
		<pubDate>Fri, 03 Jun 2022 13:16:16 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=9723#comment-183510</guid>

					<description><![CDATA[The language problem still seems to exist, any news aboit this? I have tried onpres sid, azure sid, azuread\sid, accounts , etc, etc still no success.
Error 65000

Anyone has else has this same issue?]]></description>
			<content:encoded><![CDATA[<p>The language problem still seems to exist, any news aboit this? I have tried onpres sid, azure sid, azuread\sid, accounts , etc, etc still no success.<br />
Error 65000</p>
<p>Anyone has else has this same issue?</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
