Forum Discussion

Brass Contributor

Mar 03, 2024

Unlink a users workplace join account while device is also Entra ID joined

We have a number of users on Entra ID joined devices that were prompted to register their devices when signing into teams with another org account. My question has two parts - how can we programmatic...

MVP

Mar 04, 2024

Worth to take a look at this:

https://github.com/MicrosoftDocs/azure-docs/issues/34065

ftrout
Brass Contributor
Mar 04, 2024
Thanks, but unfortunately this doesn't help me. These devices were AAD joined using Autopilot and then registered to another org tenant. Basically, users signed into Teams with another org creds and were prompted to register the device (a design decision I still scratch my head over). Since these are in another orgs tenant, we do not have the capability to clean up the devices, and dsregcmd /leave just completely breaks everything.
- IntuneNinja
  Copper Contributor
  Feb 24, 2025
  To clean up: As per my research, there is no way to just remove workplace join remotely. Manual removal of the account is what we use.
  To restrict users to do it again: you can create a custom policy to edit remotely the registry as group policy:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin,"autoWorkplaceJoin"=dword:0
  
  https://learn.microsoft.com/en-us/entra/identity/devices/faq#how-can-i-block-users-from-adding-more-work-accounts--microsoft-entra-registered--on-my-corporate-windows-10-11-devices
  - KaliN
    Copper Contributor
    Mar 09, 2025
    The BlockAADWorkplaceJoin is more than enough.
    No need for autoWorplaceJoin, you're making double confirmation for no particualr reason.

Resources