Question
Tuesday, May 12, 2020 4:56 PM
I am maintaining several Windows 10 Pro workstations connected to our domain. Recently, there have been a few cases where a regular user adds their university email account to Outlook, after which:
- The university account is added as a Work or School Account
- The computer gets listed in "Devices & activity" as "workplace joined" under the user's university Azure AD account (for remote management purposes?!?)
- Microsoft Office gets activated with the user's university Microsoft 365 subscription instead of our Office 365 subscription
- Windows uses the user's university Microsoft 365 subscription to upgrade from Windows 10 Pro to Enterprise
I'm especially concerned about messing up Office and Windows activations. Is there a way to harden the workstations so that connecting external Azure AD accounts to Windows would be blocked?
We are using Office 365, so blocking access to Azure or Microsoft 365 is not an option. But only our Office 365 accounts/subscriptions should be allowed to be connected to Windows.
I have enabled "Accounts: Block Microsoft accounts" and "Block all consumer Microsoft account user authentication" but they block only personal Microsoft accounts, not Azure AD accounts.
All replies (4)
Wednesday, May 13, 2020 1:56 AM
Hi,
You can use an allow list or a deny list to allow or block invitations to B2B users from specific organizations.
This article may be helpful:
/en-us/power-platform/admin/restrict-access-online-trusted-ip-rules
To help you better, I suggest you submit a new case on the Azure AD forum as they will be more professional on your issue.
As the Azure AD topic has been moved to Microsoft Q&A, please kindly re-post your issue to the link below:
/en-us/answers/topics/azure-active-directory.html
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.
Thank you for your understanding.
Please remember to mark the replies as answers if they help.
"Windows 10 Installation, Setup, and Deployment" forum will be migrating to a new home on Microsoft Q&A (Preview)!
We invite you to post new questions in the "Windows 10 Installation, Setup, and Deployment" forum’s new home on Microsoft Q&A (Preview)!
For more information, please refer to the sticky post.
Friday, May 15, 2020 5:50 AM
Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to mark it as an answer.
If not, please reply and tell us the current situation in order to provide further help.
Tuesday, May 19, 2020 2:59 PM
Hi,
Thank you, but that wasn't applicable to our issue. This is a question of Windows 10 hardening, not Azure AD hardening. Therefore, Conditional Access is not the answer to this issue.
What I'm looking for is a way to restrict using external Azure AD accounts (not in our control) on our workstations. They are not B2B invitations, just users connecting all kinds of Azure accounts to our workstations as Work or School accounts. Something similar to the "Allow syncing OneDrive accounts for only specific organizations" Group Policy, but just with a wider scope.
Thank you!
Friday, May 29, 2020 2:48 AM
Hi,
As far as I know, there are no options to set the option.
Let's look forward to other replies from forum users.
Best Regards,
Farena