From time to time I come across default settings in Azure AD that are not desired (in most cases) and that have been missed or ignored during configuration. One of those settings is “Users may join devices to Azure AD”, found under Azure AD – Devices – Device settings. It is set to “All” by default, which means that everybody with an account in Azure AD (a cloud identity or one synced from your local AD to Azure AD) is eligible to join any device, even a private device, to your Azure AD.
One of your very first tasks after setting up a tenant should be to set this setting to “None”, or to “Selected” if you want to delegate the right to a specific group. If your IT strategy changes at some point in the future, you can easily change the setting back to “All” or from “None” to “Selected”.
So, check this setting in your test and production tenants and do the needful.
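The check itself is easy to automate, so here is an added example (my own, not part of the original post or any Microsoft tooling) that reads the device registration policy from Microsoft Graph and reports whether the join setting is still at the default “All”. It assumes the beta `policies/deviceRegistrationPolicy` resource, whose `azureADJoin.allowedToJoin` member carries an `@odata.type` of `allDeviceRegistrationMembership`, `noDeviceRegistrationMembership` or `enumeratedDeviceRegistrationMembership`; that layout is my reading of the Graph documentation, so verify it against the current reference before relying on it. The two sample policy documents are constructed for the demo, and `fetch_policy` expects an access token that is permitted to read the policy.

```python
"""Audit the Azure AD "Users may join devices to Azure AD" setting.

Added example, not code from the original post. The JSON layout assumed
below (azureADJoin.allowedToJoin with an @odata.type discriminator) is
the author's understanding of the Graph beta deviceRegistrationPolicy
resource; check the current Graph reference before using it in anger.
"""
import json
import urllib.request

# Assumed endpoint: the beta device registration policy resource.
GRAPH_URL = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"

# Assumed @odata.type values for the three portal choices All / None / Selected.
ODATA_ALL = "#microsoft.graph.allDeviceRegistrationMembership"
ODATA_NONE = "#microsoft.graph.noDeviceRegistrationMembership"
ODATA_SELECTED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"


def classify_join_setting(policy: dict) -> str:
    """Map the policy JSON to the word the portal shows: All, None or Selected."""
    membership = policy.get("azureADJoin", {}).get("allowedToJoin", {})
    odata_type = membership.get("@odata.type", "")
    if odata_type == ODATA_ALL:
        return "All"
    if odata_type == ODATA_NONE:
        return "None"
    if odata_type == ODATA_SELECTED:
        return "Selected"
    raise ValueError(f"unrecognised allowedToJoin type: {odata_type!r}")


def assess(policy: dict) -> dict:
    """Return a finding: the current setting, whether it is acceptable
    (anything but the default "All"), and the delegated principals if
    the tenant uses "Selected"."""
    setting = classify_join_setting(policy)
    finding = {"setting": setting, "compliant": setting != "All"}
    if setting == "Selected":
        membership = policy["azureADJoin"]["allowedToJoin"]
        finding["groups"] = list(membership.get("groups", []))
        finding["users"] = list(membership.get("users", []))
    return finding


def fetch_policy(access_token: str) -> dict:
    """Read the live policy from Graph with a bearer token (not exercised here)."""
    req = urllib.request.Request(
        GRAPH_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: a tenant still on the default, everybody may join.
SAMPLE_DEFAULT_TENANT = {
    "azureADJoin": {
        "isAdminConfigurable": True,
        "allowedToJoin": {"@odata.type": ODATA_ALL},
    }
}

# Constructed sample: join right delegated to one group (a placeholder id).
SAMPLE_HARDENED_TENANT = {
    "azureADJoin": {
        "isAdminConfigurable": True,
        "allowedToJoin": {
            "@odata.type": ODATA_SELECTED,
            "users": [],
            "groups": ["00000000-0000-0000-0000-000000000001"],
        },
    }
}


if __name__ == "__main__":
    for name, policy in (("default", SAMPLE_DEFAULT_TENANT),
                         ("hardened", SAMPLE_HARDENED_TENANT)):
        print(f"{name}: {assess(policy)}")
```

Run it against each of your tenants (test and production) by replacing the constructed samples with `fetch_policy(token)`; a finding with `"compliant": False` is the default “All” described above, and a “Selected” finding lists the groups and users so you can confirm the delegation is the one you intended.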
