Deny device logon for a user/group
It would be good to have the ability to apply a device configuration policy that would deny logon for a user or a group of users. Any staff/student of an organisation can log in to any device that is Azure AD joined. It would be good to prevent certain users in the school from logging onto particular workstations. The particular use case would be, say, preventing students from logging onto desktops/laptops that are for teachers/staff only, or preventing one group of students from logging into highly specialised workstations that are for another group of students only.
The way I imagine it would work could be through Azure AD -> Device Settings and/or Intune -> Device Configuration, and simply adding a group of users who are denied logging in to a group of devices. Even if the user authentication transaction occurs first, then the user is simply met with a "logon denied" message and is immediately logged out.
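An added example, not part of the original post: a PowerShell check a device admin could run on a workstation to confirm that a given group SID is actually present in the device's "Deny log on locally" user right, which is the local effect a deny-logon policy pushed to the device would have to produce. The group SID in the script is a constructed placeholder.

```powershell
# Added example (not from the thread). Confirms a group is listed in the
# device's "Deny log on locally" user right (SeDenyInteractiveLogonRight).
# Run elevated. The SID below is a constructed placeholder; replace it with
# the SID of the group you deny (Azure AD groups show up as S-1-12-1-... SIDs).
param(
    [string]$DeniedGroupSid = 'S-1-12-1-0-0-0-0'   # placeholder, not a real group
)

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
# secedit writes the current local security policy to an .inf file;
# /areas USER_RIGHTS limits the export to the [Privilege Rights] section.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The right is a comma-separated list; SIDs are written with a leading '*',
# well-known names (e.g. Guests) appear as plain names.
$line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
$entries = @()
if ($line) {
    $entries = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $inf -ErrorAction SilentlyContinue

if ($entries -contains $DeniedGroupSid) {
    "OK: $DeniedGroupSid is denied interactive logon on $env:COMPUTERNAME"
} else {
    "MISSING: $DeniedGroupSid not in SeDenyInteractiveLogonRight (current: $($entries -join ', '))"
    exit 1
}
```

The exit code makes the script usable as a compliance check across a fleet of devices.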
Chandler Cunningham commented
If they just make the "Windows Sign-In" application that Azure references on a local logon available to conditional access, this would be extremely easy.
This is definitely needed.