MSEndpointMgr

Are you tired of “Allow my organization to manage my device”?

In this modern world, we often get invited to our customers' tenants as guests for better collaboration, for example in Microsoft Teams. During our workday, we are likely to switch Teams to other organizations multiple times. Every time we do, we get a popup asking the question “Allow my organization to manage my device”. This does not only apply to Teams; most Microsoft 365 applications will give us this popup. So what is the right choice here?

The “Stay signed in to all your apps” prompt.

When it comes to this notification, we don’t like it very much to begin with, but there are 4 choices for the end user:

  1. Click OK. Since it's a blue button, this is where most users will just click without thinking. This will register the user's device to Azure AD (Azure AD registered device) and possibly enroll it in MDM or MAM, depending on the current state of the device and the configuration of MDM and MAM. This option also remembers the user's credentials on this device for other apps. For more details on the MDM and MAM scope, read Oktay Sari's post Configuring Intune MDM User Scope and MAM User Scope (allthingscloud.blog).
  2. Uncheck “Allow my organization to manage my device”, then click OK. This will not register the user's device to the external Azure AD, but it will remember the user's credentials on the device for other apps.
  3. Choose “No, sign in to this app only”. This will not register the user's device to the external Azure AD, and it will only remember the user's credentials for this app.
  4. Close the window by clicking the X. This just closes the notification and does nothing.

We can always write nice instructions for our users, telling them which option they should use. But do we want to give users the option to register the device in other tenants? Can we make sure they always make the right choice?

How can I block users from adding additional work accounts (Azure AD registered) on my corporate Windows 10 devices?

As I mentioned before, if the user checks “Allow my organization to manage my device” and chooses OK, the device will be Azure AD registered to the external tenant, which might not be our desired result. We really don't want our devices to register to another company's corporate tenant. And we also don't want to see another company's devices in our tenant. Right?

You can find the answer in the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#q-how-can-i-block-users-from-adding-additional-work-accounts-azure-ad-registered-on-my-corporate-windows-10-devices

A: Enable the following registry to block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001

When using this registry setting, your users will no longer see this notification when they log in to e.g. Microsoft 365 apps or Microsoft Edge with another work or school account, and the device will not be registered to another Azure AD tenant (Azure AD registered). But this also means there is no Single Sign-On for those additional accounts, and it might still have other unexpected impacts that we have not found yet.

There is extra information about this registry setting and Hybrid Azure AD join planning; details can be found at https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state

An additional caveat is Windows 10 Enterprise subscription activation. If users have more than 1 work account added to their device, license activation for Windows might fail, and after 30 days users are bumped down to Windows 10 Professional. Not something we want.

Deploy as script from Intune

For Intune managed devices we typically deploy this as a PowerShell script. The simple script looks like this:

# Setting registry key to block AAD registration to 3rd party tenants.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\"
$keyname = "BlockAADWorkplaceJoin"

# Test if the path exists and create it (including any missing parent keys) if missing
if (!(Test-Path -Path $RegistryLocation)) {
    Write-Output "Registry location missing. Creating"
    New-Item -Path $RegistryLocation -Force | Out-Null
}

# Force create the DWORD value 1 (overwrites an existing value of any type)
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"

I then deploy this as required to all my Windows 10 corporate devices. This script must run in the system context.
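Setting the value is only half of the job; you also want to know that it is still in place on every device, and whether a device already has a work account from another tenant added (the policy blocks new registrations, it does not undo an existing one). The following detection script is an added example written for this post, not part of the original script or of Microsoft's documentation. It assumes the registry path and value name quoted from the Microsoft FAQ above, uses the built-in dsregcmd /status output and assumes its “WorkplaceJoined” line label; the exit codes follow the Intune Proactive Remediations convention (0 = compliant, 1 = remediation needed), so the script above can be used as the matching remediation script.

```powershell
# Added example (not from the original post): detection script for an Intune
# Proactive Remediation, or for a manual check, of the BlockAADWorkplaceJoin policy.
# Exit 0 = compliant, exit 1 = remediation needed. Run in the SYSTEM context.
# Assumptions: registry path/value as in the Microsoft FAQ; dsregcmd /status
# reports an existing work account with a line labelled "WorkplaceJoined".
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin"
$KeyName          = "BlockAADWorkplaceJoin"
$ExpectedValue    = 1

function Get-BlockAADWorkplaceJoinState {
    # Returns the current DWORD value, or $null when the key or value is missing
    try {
        $item = Get-ItemProperty -Path $RegistryLocation -Name $KeyName -ErrorAction Stop
        return [int]$item.$KeyName
    }
    catch {
        return $null
    }
}

function Get-ExistingWorkplaceJoin {
    # Best-effort: report whether dsregcmd already shows a workplace-joined (Azure AD
    # registered) state, so admins know the block did not arrive in time on this device.
    # Assumption: the label "WorkplaceJoined" exists in the dsregcmd /status output.
    $status = & dsregcmd.exe /status 2>$null
    if (-not $status) { return "unknown (dsregcmd not available)" }
    $line = $status | Where-Object { $_ -match '^\s*WorkplaceJoined\s*:\s*(\S+)' } | Select-Object -First 1
    if ($line -and $line -match ':\s*(\S+)') { return $Matches[1] }
    return "not reported"
}

$current = Get-BlockAADWorkplaceJoinState
$joined  = Get-ExistingWorkplaceJoin

if ($current -eq $ExpectedValue) {
    Write-Output "Compliant: $KeyName = $current; existing WorkplaceJoined state: $joined"
    exit 0
}
else {
    if ($null -eq $current) { $state = "not set" } else { $state = "set to $current" }
    Write-Output "Non-compliant: $KeyName is $state (expected $ExpectedValue); existing WorkplaceJoined state: $joined"
    exit 1
}
```

Because the detection reads only the Policies hive, it reports a device as non-compliant even when the value was set with a different data type or a value other than 1, which is exactly the case the -Force in the deployment script overwrites. The WorkplaceJoined state is informational only; it does not change the exit code, but it tells you which devices still need the extra work account removed by the user.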

That is all you need to do if you want to stop this annoying prompt from bothering your users every single day they collaborate with external parties in Teams or elsewhere.

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She has been an Information Technology Specialist for over 10 years, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she is passionate about learning new skill sets, both to improve her professional career and as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

Jan Ketil Skanke

Jan Ketil has been an Enterprise Mobility MVP since 2016 and works as COO and Principal Cloud Architect at CloudWay in Norway. He has been in the industry for more than 20 years, working for both Microsoft Partners and Microsoft. He loves to speak about anything around Enterprise Mobility and Secure Productivity. He is also the lead for the community conference Experts Live Norway. Jan Ketil has presented at large industry conferences like Microsoft Ignite, Microsoft Ignite The Tour, Microsoft Inspire, Experts Live Europe, Techmentor HQ (3rd best session 2019) and NIC Conference in Oslo.

9 comments

  • Thanks for the article! Does unchecking it and then pressing Okay give access to the organization all my passwords and browsing history?

    • No, but if they have configured it, they might enroll your device for management. And if that management includes enrolling a vulnerability scanner or for instance Defender for Endpoints, they will have insight into your browsing. Your passwords are “secure”, but I personally don't recommend storing any passwords in the browser itself. I use a password manager for that.

  • I'm seeing this prompt on newly provisioned Hybrid AAD joined Autopilot machines when the user logs in before the hybrid join is complete. Which is most of the time. Is there any harm in registering twice? Once via this dialog, once via the hybrid join process.

      • So how do you stop personal/BYOD devices from registering with Azure AD/Intune while installing Microsoft 365 Office Apps?

      • You can stop the Intune registration by blocking personal enrollment in Intune, but you can’t stop Azure AD Registration. That is by design by Microsoft.
