Forum Discussion

Brass Contributor

Mar 03, 2024

Unlink a users workplace join account while device is also Entra ID joined

We have a number of users on Entra ID joined devices that were prompted to register their devices when signing into teams with another org account. My question has two parts - how can we programmatic...

Identity

ftrout

Brass Contributor

Mar 04, 2024

Thanks, but unfortunately this doesn't help me. These devices were AAD joined using Autopilot and then registered to another org tenant. Basically, users signed into Teams with another org creds and were prompted to register the device (a design decision I still scratch my head over). Since these are in another orgs tenant, we do not have the capability to clean up the devices, and dsregcmd /leave just completely breaks everything.

IntuneNinja

Copper Contributor

Feb 24, 2025

To clean up: As per my research, there is no way to just remove workplace join remotely. Manual removal of the account is what we use.

To restrict users to do it again: you can create a custom policy to edit remotely the registry as group policy:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin,"autoWorkplaceJoin"=dword:0

https://learn.microsoft.com/en-us/entra/identity/devices/faq#how-can-i-block-users-from-adding-more-work-accounts--microsoft-entra-registered--on-my-corporate-windows-10-11-devices

KaliN
Copper Contributor
Mar 09, 2025
The BlockAADWorkplaceJoin is more than enough.
No need for autoWorplaceJoin, you're making double confirmation for no particualr reason.
- IntuneNinja
  Copper Contributor
  Mar 24, 2025
  KaliNThanks for the information.
  Do you have anything to automate the removal of the existing workplace joined devices? Without impacting the Hybrid or Azure join.