Forum Discussion

Kiefer-joe_Copp
Copper Contributor
Sep 25, 2024

Blocking personal email access in Outlook (Windows)

Hey all,

Hoping someone is able to assist with this one.

We're trying to block users from adding their own personal, or any other email accounts to Outlook. I've gone through the web and it doesn't seem like I can find a definitive answer anywhere, and have also gone through Microsoft support who pointed me towards a Device Config Policy, but unfortunately this only allows you to set one allowed domain, which for a company with around 20 unfortunately doesn't accommodate our needs.

 

Any help or advice on this matter is much appreciated.

Thanks,

Kiefer-joe

2 Replies

  • micheleariis
    Steel Contributor

    To block personal email access in Outlook for Windows and prevent users from adding personal or unauthorized accounts, there are a few methods that can be implemented using Microsoft Intune, Group Policy, or registry modifications. Below are some effective approaches that could meet your requirements:

    1. Use Intune App Protection Policies
    You can use Microsoft Intune's App Protection Policies to control data and block access to personal accounts in Outlook. Specifically, these policies are useful for managing mobile devices, but they can also apply to desktop clients to control which accounts are allowed.

    - Navigate to Microsoft Intune > Apps > App protection policies.
    - Create a new policy for Windows 10 (or higher).
    - Define the restrictions that only allow corporate accounts based on a specific domain and block any other domains.

    However, you mentioned that the single domain limitation does not meet your needs. For more complex setups, consider a combination of the next methods.

    2. Use Outlook Account Settings with Group Policy
    You can create a Group Policy Object (GPO) that restricts users from adding new email accounts or only allows certain domains.

    Here’s how to set it up:

    1. Download the Office ADMX Templates:
    Download and import the latest Office Administrative Templates from [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=49030).

    2. Configure the Policy:
    - Open Group Policy Management.
    - Create or edit an existing GPO applied to the users' PCs.
    - Navigate to User Configuration > Administrative Templates > Microsoft Outlook 2016 or Office 2016 (depending on your version) > Account Settings.
    - Enable the setting "Block users from adding new accounts".

    This will prevent users from adding personal email accounts or any other unauthorized email accounts in Outlook.

    3. Registry Key Modification to Block New Accounts
    If you don’t want to use Group Policy, you can directly modify the registry to prevent users from adding new accounts.

    1. Open Registry Editor (regedit).
    2. Navigate to:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook\options
    3. Create a DWORD value named DisableAccounts.
    4. Set the value to 1.

    This will block users from adding any new accounts in Outlook.

    4. Configure a Device Configuration Profile in Intune
    You can also configure device restrictions via Intune. This method allows some control over the allowed domains but might still be limited based on your complex setup.

    1. In the Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles > Create profile.
    2. Select Windows 10 and later > Settings Catalog.
    3. Add settings related to Outlook or Office, such as blocking users from making changes to the email accounts in the app.

    5. Use Conditional Access Policies in Azure AD
    You can apply Conditional Access Policies in Azure AD to ensure that only corporate accounts can access Outlook. Conditional Access can block the use of unmanaged devices or non-corporate accounts across Office 365 apps.

    Steps:
    1. Go to Azure AD > Security > Conditional Access.
    2. Create a new policy targeting Office 365 apps (Outlook in particular).
    3. Add rules to allow only accounts from your corporate domains, blocking external or personal accounts.


    The combination of Group Policy (GPO) and Intune's App Protection Policies is likely the most effective way to manage email accounts across devices and block personal accounts in Outlook. While GPO provides granular control at the desktop level, Intune offers flexibility across different device types.

    For a more complex setup, such as supporting multiple domains while blocking others, Conditional Access Policies and Intune’s App Protection would be the most scalable and secure solution.
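    As an added example (not posted by micheleariis and not Microsoft's own tooling), the following PowerShell script applies and then audits the DisableAccounts value from method 3 above. It assumes the Office 16.0 per-user policy path quoted in the reply; the function names are made up for this example.

```powershell
# Added example: enforce and verify the Outlook "DisableAccounts" policy value
# from method 3 of the reply. Assumes Office 16.0 (Office 2016/2019/Microsoft 365).
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\office\16.0\outlook\options'
$ValueName  = 'DisableAccounts'

# Creates the policy key if it does not exist and writes the DWORD value (1 = block).
function Set-OutlookDisableAccounts {
    param([ValidateSet(0, 1)][int]$Value = 1)
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

# Returns $true only when the value exists and is exactly 1; usable as a
# compliance/detection check (e.g. in an Intune remediation "detect" script).
function Test-OutlookDisableAccounts {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

Set-OutlookDisableAccounts -Value 1
if (Test-OutlookDisableAccounts) {
    Write-Output "DisableAccounts=1 is set under $PolicyPath; Outlook will block adding new accounts."
} else {
    Write-Output "DisableAccounts is NOT enforced under $PolicyPath."
}
```

    Note that the Policies subtree of HKCU is normally ACL-protected so that a standard user cannot write to it themselves, which is what makes the value hard for users to undo; the same protection means this script must run with sufficient rights in the target user's context, and GPO or Intune remains the supported way to deploy it at scale.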


    • its_derrick
      Copper Contributor

      Do you have more steps on how to do this? I'm not seeing it in Intune how you have it outlined here.

      micheleariis wrote:

      1. Use Intune App Protection Policies
      You can use Microsoft Intune's App Protection Policies to control data and block access to personal accounts in Outlook. Specifically, these policies are useful for managing mobile devices, but they can also apply to desktop clients to control which accounts are allowed.

      - Navigate to Microsoft Intune > Apps > App protection policies.
      - Create a new policy for Windows 10 (or higher).
      - Define the restrictions that only allow corporate accounts based on a specific domain and block any other domains.
