Block Users from Installing Programs with Azure AD Joined Devices

I am looking for a way to block users from installing programs without an on-prem AD domain (so no GPOs etc.). We have Office365 and the included Azure AD. The devices have not yet been joined to Azure AD, but that is in the works. We are also considering adding Intune and/or a Premium version of Azure AD for co-management if that will help us.

Basically, we need a way to block users from installing programs or applications on their machines. Ideally, there would be an easy way to make exceptions either for particular users or for particular applications, but this is not a requirement.

Is there a way to implement such a policy using Azure AD, Intune, or other programs which are part of the Office365 suite?


Solution 1:

There’s nothing native in just Azure AD to do this; you would also need to look at something like Intune.

Intune supports various different restrictions on Windows 10 - https://docs.microsoft.com/en-us/intune/configuration/device-restrictions-windows-10#app-store