By default, Microsoft Entra ID lets every user join devices to the tenant as Microsoft Entra joined devices. The setting that controls this, "Users may join devices to Microsoft Entra", permits any signed-in user to complete the join process. A threat actor who compromises a regular user account can use this workflow to enroll a rogue workstation that they fully control. The device appears in Entra ID with the victim listed as its owner, receives the baseline Mobile Device Management (MDM) policies assigned to that user, and gives the attacker a persistent, trusted foothold inside the environment.
Device join can be made to trigger additional checks such as Multifactor Authentication (MFA), but none is required by default at enrollment, so an attacker holding nothing more than a stolen password can enroll a device from anywhere. If Microsoft Intune or Conditional Access policies are misconfigured, the rogue device may be marked compliant automatically, satisfying grant controls such as "Require device to be marked as compliant" so that no further authentication challenge is issued. Once the device is compliant, the attacker can silently reach cloud resources protected by Entra ID authentication without ever facing an MFA prompt.
Microsoft's incident response team has documented real-world breaches where a phished account was used to join a rogue device, bypass misconfigured compliance checks, and exfiltrate sensitive data from Microsoft 365 mailboxes. These cases highlight how overly permissive device-join settings can drastically widen the blast radius of a single account compromise.
This permissive setting also lets employees freely enroll personal Windows devices ("Bring Your Own Device" or BYOD), inflating the organization's device inventory and making it harder to spot malicious or unauthorized devices among the unmanaged sprawl.
By default, each user may have up to 50 devices, so a single compromised account could anchor dozens of attacker-controlled endpoints without tripping any quota-based alert. These user-driven joins happen outside controlled provisioning flows such as Windows Autopilot self-deploying mode, skipping the TPM hardware attestation and other onboarding safeguards that Conditional Access relies on to establish device trust.
The "Users may join devices to Microsoft Entra" setting, found in the Microsoft Entra admin center under "Devices > Device settings > Microsoft Entra join and registration settings," defaults to "All", which allows every user to add devices to Entra ID.
Mitigation starts with limiting who can perform Microsoft Entra joins. Set "Users may join devices to Microsoft Entra" to "None", or to "Selected" with a tightly controlled group that contains only onboarding/helpdesk personnel or device administration staff.
Complement this control with a Conditional Access policy that targets the "Register or join devices" user action and requires multifactor authentication for every device join event. When that policy is in place, set the "Require Multifactor Authentication to register or join devices with Microsoft Entra" toggle in the "Device settings" panel to "No", so that the Conditional Access policy is the single authoritative control rather than two overlapping ones.
Finally, monitor continuously: audit device join events, alert on unusual registration patterns (for example, one account joining several devices within a short window), and apply strict operational controls to the Cloud Device Administrator Entra role, which can read and modify device settings.
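The following Microsoft Graph PowerShell script is an added example, not code from the original page or from Tenable; it walks through the three mitigation steps above (assess the current "Users may join devices" value, restrict the join to a selected group while turning the legacy MFA toggle off, create the MFA Conditional Access policy for the "Register or join devices" user action, and query the audit log for accounts joining many devices). It assumes the Microsoft.Graph module is installed and that the signed-in account holds the listed scopes; the two group object IDs, the per-user device quota of 5, the 7-day look-back window, the alert threshold of 3 devices, and the audit activity names matched are placeholders or assumptions to adjust for your tenant.

```powershell
# Added example (not from the original page): assess, remediate and monitor the
# "Users may join devices to Microsoft Entra" exposure with Microsoft Graph PowerShell.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

$DeviceAdminGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: onboarding/helpdesk group
$BreakGlassGroupId  = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency-access accounts

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.DeviceConfiguration',
                                   'Policy.Read.All',
                                   'Policy.ReadWrite.ConditionalAccess',
                                   'AuditLog.Read.All',
                                   'Directory.Read.All'

# --- 1. Assess: read the tenant-wide device registration policy ---------------
$uri    = 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri        # returns a hashtable

# '#microsoft.graph.allDeviceRegistrationMembership' means "All" (the exposed default);
# enumeratedDeviceRegistrationMembership means "Selected"; noDeviceRegistrationMembership means "None".
"Users may join devices : $($policy.azureADJoin.allowedToJoin.'@odata.type')"
"Max devices per user   : $($policy.userDeviceQuota)"          # default 50
"Legacy MFA toggle      : $($policy.multiFactorAuthConfiguration)"

# --- 2. Remediate: restrict join to a selected group and keep the legacy MFA toggle
#        off so the Conditional Access policy below is the authoritative control. ---
# PUT replaces the whole object, so edit the fetched copy instead of sending a partial body.
$policy.Remove('@odata.context')
$policy.azureADJoin.allowedToJoin = @{
    '@odata.type' = '#microsoft.graph.enumeratedDeviceRegistrationMembership'
    users         = @()
    groups        = @($DeviceAdminGroupId)
}
# To set the option to "None" instead, use:
#   $policy.azureADJoin.allowedToJoin = @{ '@odata.type' = '#microsoft.graph.noDeviceRegistrationMembership' }
$policy.multiFactorAuthConfiguration = 'notRequired'          # "Require MFA to register or join" = No
$policy.userDeviceQuota              = 5                      # example value; default is 50

Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $policy -ContentType 'application/json' | Out-Null

# --- 3. Conditional Access: require MFA on the "Register or join devices" user action ---
$caPolicy = @{
    displayName   = 'CA - Require MFA to register or join devices'
    state         = 'enabledForReportingButNotEnforced'        # validate in report-only mode, then set 'enabled'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeUserActions = @('urn:user:registerdevice') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

# --- 4. Monitor: accounts that joined or registered many devices in the last 7 days ---
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
$events = Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'Device' and activityDateTime ge $since"

# Activity names are an assumption based on typical Entra audit entries; adjust to what your tenant logs.
$events |
    Where-Object { $_.ActivityDisplayName -in @('Register device', 'Add device') } |
    Group-Object { $_.InitiatedBy.User.UserPrincipalName } |
    Where-Object { $_.Count -ge 3 } |                          # threshold is an assumption; tune to your baseline
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count
```

Run section 1 on its own first: if the join membership type is `allDeviceRegistrationMembership`, the tenant is in the exposed default state described above. Section 3 deliberately creates the Conditional Access policy in report-only mode so the sign-in logs can confirm which users and devices it would have affected before it is switched to `enabled`; the break-glass exclusion prevents the policy from locking out emergency-access accounts.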
Name: Users Allowed to Join Devices
Codename: USERS-ALLOWED-TO-JOIN-DEVICES
Severity: Low
Type: Microsoft Entra ID Indicator of Exposure