In this modern world we often get invited to our customers’ tenants as guests for better collaboration, for example in Microsoft Teams. During a workday we are likely to switch Teams to other organizations multiple times, and every time we do, we get a popup asking “Allow my organization to manage my device”. This does not apply only to Teams; most Microsoft 365 applications will show us this popup. So what is the right choice here?
When it comes to this notification, we don’t like it very much to begin with, but there are 4 choices for the end user:
- Click OK. Since it’s a blue button, this is where most users will just click without thinking. This registers the user’s device in Azure AD (Azure AD registered device) and possibly enrolls it in MDM or MAM, depending on the current state of the device and the MDM and MAM configuration. This setting also remembers the user’s credentials on this device for other apps. For more details on MDM and MAM scope, read Oktay Sari’s post Configuring Intune MDM User Scope and MAM User Scope (allthingscloud.blog).
- Uncheck “Allow my organization to manage my device”, then click OK. This will not register the user’s device in the external Azure AD, but it will remember the user’s credentials on the device for other apps.
- Choose “No, sign in to this app only”. This will not register the user’s device in the external Azure AD, and it will only remember the user’s credentials for this app.
- Close the window by clicking the X. This just closes the notification and does nothing.
We can always write a nice instruction for our users, telling them which option they should use. But do we want to give users the option to register the device in other tenants at all? Can we make sure they always make the right choice?
How can I block users from adding additional work accounts (Azure AD registered) on my corporate Windows 10 devices?
As I mentioned before, if the user leaves “Allow my organization to manage my device” checked and chooses OK, the device becomes Azure AD registered in the external tenant, which is probably not what we want. We really don’t want our devices registered in another company’s corporate tenant, and we also don’t want to see another company’s devices in our tenant. Right?
You can find the answer in the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#q-how-can-i-block-users-from-adding-additional-work-accounts-azure-ad-registered-on-my-corporate-windows-10-devices
A: Enable the following registry key to block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001
With this registry key in place, your users no longer see the notification when they log in to Microsoft 365 apps or Microsoft Edge with another work or school account, and the device will not be registered in another Azure AD tenant (Azure AD registered). But this also means there is no Single Sign-On for those additional accounts, and it might still have other unexpected impacts that we have not found yet.
There is extra information about this registry key and Hybrid Azure AD join planning in https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state
An additional caveat is Windows 10 Enterprise subscription activation. If users have more than 1 work account added to their device, license activation for Windows might fail, and after 30 days users are bumped down to Windows 10 Professional. Not something we want.
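Before rolling the key out, or when troubleshooting the Azure AD registered state the hybrid join planning doc talks about, it helps to see what state a device is actually in. The following PowerShell is an added example, not code from the original post: it runs dsregcmd /status and parses the AzureAdJoined, DomainJoined and WorkplaceJoined fields that dsregcmd prints (WorkplaceJoined is the user-state flag that reports an Azure AD registered account). The function names and the embedded sample output are this example’s own constructions.

```powershell
# Added example (not from the original post): summarize the join state that
# "dsregcmd /status" reports, so you can spot devices that are hybrid joined AND
# workplace joined (Azure AD registered) by the signed-in user.
function Get-DsregJoinState {
    param(
        # Accept captured output so the parser can also be run offline against
        # saved text; by default it runs dsregcmd on the local machine.
        [string[]]$StatusOutput = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )

    $fields = @{}
    foreach ($line in $StatusOutput) {
        # dsregcmd lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined   = ($fields['AzureAdJoined']   -eq 'YES')
        DomainJoined    = ($fields['DomainJoined']    -eq 'YES')
        WorkplaceJoined = ($fields['WorkplaceJoined'] -eq 'YES')
        TenantName      = $fields['TenantName']
    }
}

function Test-DualRegistration {
    param([pscustomobject]$State)
    # The hybrid join planning doc calls out devices that are hybrid joined but
    # also carry an Azure AD registered (workplace joined) state for cleanup.
    return ($State.DomainJoined -and $State.AzureAdJoined -and $State.WorkplaceJoined)
}

# Constructed sample of dsregcmd output (abbreviated) for an offline run.
$SampleStatus = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '+----------------------------------------------------------------------+',
    '| Tenant Details                                                       |',
    '+----------------------------------------------------------------------+',
    '                TenantName : Example Tenant (constructed)',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '                    NgcSet : NO',
    '           WorkplaceJoined : YES',
    '             WamDefaultSet : YES'
)

$state = Get-DsregJoinState -StatusOutput $SampleStatus
$state | Format-List
if (Test-DualRegistration -State $state) {
    Write-Output 'Device is hybrid joined and also Azure AD registered by the user.'
}
```

Run Get-DsregJoinState without arguments on a real device (any user can run dsregcmd /status) to get the live values; pass -StatusOutput to analyze output collected from remote machines.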
Deploy as script from Intune
For Intune managed devices we typically deploy this as a PowerShell script. The script is simple and looks like this:
#Setting registry key to block AAD Registration to 3rd party tenants.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\"
$keyname = "BlockAADWorkplaceJoin"
#Test if path exists and create if missing
if (!(Test-Path -Path $RegistryLocation)){
    Write-Output "Registry location missing. Creating"
    New-Item $RegistryLocation | Out-Null
}
#Force create key with value 1
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"
I then deploy this as required to all my Windows 10 corporate devices. The script must run in the system context.
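A setting deployed once can drift (a GPO overwrite, a reimage, a helpdesk “fix”), so it is worth having a check alongside the set. The script below is an added example, not the post’s own script: it verifies that BlockAADWorkplaceJoin is set to 1 and, only when called with -Remediate, writes the key. Run without the switch it acts as a detection script (exit 1 means non-compliant) and with it as a remediation script, which fits the detect/remediate pair Intune expects; the -Remediate switch and the function names are this example’s own choices. Like the original script it has to run as system or in an elevated shell, because the key lives under HKLM.

```powershell
# Added example (not from the original post): detection and remediation for the
# BlockAADWorkplaceJoin policy key. Exit code 0 = compliant, 1 = non-compliant.
[CmdletBinding()]
param(
    # Assumed switch name: only write the key when explicitly asked to.
    [switch]$Remediate
)

$RegistryLocation = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$KeyName          = 'BlockAADWorkplaceJoin'
$ExpectedValue    = 1

function Test-BlockAADWorkplaceJoin {
    # $true only when the key exists, has a value, and that value is 1.
    if (-not (Test-Path -Path $RegistryLocation)) { return $false }
    $item = Get-ItemProperty -Path $RegistryLocation -Name $KeyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$KeyName -eq $ExpectedValue)
}

function Set-BlockAADWorkplaceJoin {
    # -Force on New-Item also creates missing parent keys under Policies.
    if (-not (Test-Path -Path $RegistryLocation)) {
        New-Item -Path $RegistryLocation -Force | Out-Null
    }
    New-ItemProperty -Path $RegistryLocation -Name $KeyName -PropertyType DWord `
        -Value $ExpectedValue -Force | Out-Null
}

if (Test-BlockAADWorkplaceJoin) {
    Write-Output "Compliant: $KeyName = $ExpectedValue"
    exit 0
}

if ($Remediate) {
    Set-BlockAADWorkplaceJoin
    if (Test-BlockAADWorkplaceJoin) {
        Write-Output "Remediated: $KeyName set to $ExpectedValue"
        exit 0
    }
    Write-Output "Remediation failed: $KeyName still not $ExpectedValue"
    exit 1
}

# Detection-only run: a non-zero exit reports the device as non-compliant.
Write-Output "Non-compliant: $KeyName missing or not $ExpectedValue"
exit 1
```

Upload the script twice to Intune, once as the detection script and once with -Remediate appended to the command line for remediation, or simply run it in an elevated PowerShell on a test device and check the exit code with $LASTEXITCODE.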
That is all you need to do if you want to stop this annoying prompt from bothering your users every single day they collaborate with external parties in Teams or other places.
We experienced issues with Intune apps that users download from the Company Portal staying in the “download pending” state, so not installing, when there were work accounts added. So it does have a big impact when users are able to register their device to other tenants.
Is there a way to prevent that window from appearing? If I block personal enrollment in Intune and a user selects that option, it will give them an error. Is there a way to prevent that? Just block personal enrollment and avoid error messages on the client side?
thanks a lot.
Is there a way to get it to select option two? If I use this setting on a system before auto-enrollment, during the enrollment process it never prompts but also does not remember passwords. I need a setting that makes the dialog silent, but acts as option 2.
We are getting the “Allow my organization to manage my device” pop up when logging into Teams on one Azure tenant but not another.
What is the exact trigger that makes this launch? Is it at all associated with auth in ADFS or does it happen with other auth methods?
Hi Jan and Sandy
We have Azure AD Connect sync (on-premises AD) syncing to Azure; this includes the computer devices, and mobile phones are managed through third-party software.
Is there any value in checking “allow my org to manage device” or “sign in to this app only”?
I created the GPO below and I could not access Outlook 2016 and Teams on the computer. I removed the registry key and I was able to access Outlook 2016 and Teams after a while.
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001
Thanks for the great information in this article.
The problem we face is that users usually hit the limit of 5 devices on their account. We would like to get the devices registered to Azure AD to get the benefits of SSO, however not every device a user logs on to. Not sure if it is possible to achieve the first option; if by default the checkbox is unchecked then users will most of the time not check it.
Second option – allow users to remove unused/legacy devices from their account without giving them highly privileged roles like Cloud Device Admin/Intune Admin/GA. Can a user him/herself remove the device from their account if they hit the limit of 5 with user-level privileges?
Hi, thanks for this article. Very useful. However, I have tried option 2, and it seems to be the same as option 1. Any idea why this could be the case? I still notice my accounts being added to the list of accounts.
I just tried it on 2 different PCs. Unchecking the box means that the account name will not appear as one of the sign in options, but you don’t have to enter the password again.
Checking the box means account name appears.
I do not know the implications in the background, but this is what I can see.
Thanks for the article! Does unchecking it and then pressing OK give the organization access to all my passwords and browsing history?
No, but if they have configured it, they might enroll your device for management. And if that management includes enrolling a vulnerability scanner or for instance Defender for Endpoint, they will have insight into your browsing. Your passwords are “secure”, but I personally don’t recommend storing any passwords in the browser itself. I use a password manager for that.
I’m seeing this prompt on newly provisioned Hybrid AAD joined Autopilot machines when the user logs in before the hybrid join is complete, which is most of the time. Is there any harm in registering twice? Once via this dialog, once via the hybrid join process.
It depends; there are details in the Microsoft doc about handling the Azure AD registered state before doing Hybrid AAD join: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state
Thank you so much for pointing me to this info. This helps to explain why some of our 1709 devices were getting in a weird state since the dual-registration was not getting cleaned up.
What about personal devices?
You can’t deploy any policy or script to personal devices that aren’t managed by your organization.
So how do you stop personal/BYOD devices from registering with Azure AD/Intune while installing Microsoft 365 Office Apps?
You can stop the Intune registration by blocking personal enrollment in Intune, but you can’t stop Azure AD Registration. That is by design by Microsoft.
I know this is old, but I just came across it.
My issue when I tried to reduce personal devices that I have no control over by blocking personal enrollment with Intune was that it blocked users from enrolling work devices from OOBE. This is an issue when a device is not in Autopilot and the device is never in the hands of IT.