Forum Discussion
How to Prevent or Block Company users from Adding another Microsoft Work account in IOS Intune
Company-Managed Apps (e.g., Outlook, Teams, OneDrive)
Conditional Access Policies: These policies ensure that users can only access corporate data on managed devices and compliant apps. Users trying to sign in with another work or school account on a corporate device (using these apps) will be blocked from doing so.
App Protection Policies: These policies can be configured to prevent adding multiple work or school accounts within Intune-managed apps (e.g., Outlook, Teams, etc.). So, if you enforce policies that allow only the corporate account, users won’t be able to add another work or school account in these apps.
Personal Apps (e.g., Personal Outlook, Gmail, etc.)
Gmail App or Personal Outlook App (not managed by the company) is not controlled by Intune policies. Users could potentially add other work or school accounts to these apps because they are outside the scope of Intune's management and control.
- Conditional Access Policies may still limit what users can do with those accounts. For example, if they try to access corporate resources (e.g., Exchange Online or SharePoint) from those personal apps, they will be blocked unless the device is compliant and managed by Intune.
To prevent or block company users from adding another Microsoft work or school account on iOS devices managed via Intune, you can apply specific device configuration policies and conditional access policies within Microsoft Intune and Azure Active Directory.
Step 1: Configure Conditional Access Policies in Azure AD
You can create a Conditional Access policy that blocks sign-in attempts from other work or school accounts on devices that are managed by Intune.
1. Go to Azure Active Directory:
- Open the Azure portal and navigate to Azure Active Directory.
2. Create a Conditional Access Policy:
- In the Azure AD portal, select Security from the left-hand menu, and then select Conditional Access.
- Click New policy.
3. Target the policy to iOS devices:
- In the Assignments section, under Users and Groups, select All Users or a specific group of users you want to restrict.
- Under Cloud Apps or Actions, select All cloud apps or limit it to specific apps (e.g., Exchange Online, SharePoint).
- In the Conditions section, under Device platforms, select iOS to apply this policy only to iOS devices.
4. Control sign-ins:
- In the Access controls section, under Grant, choose Block access for users trying to sign in with any other Microsoft work or school account.
5. Require device compliance:
- If you want to ensure that only enrolled and compliant devices can access the company account, select Require device to be marked as compliant.
6. Enable the policy:
- Review the settings, and when you're ready, set the policy to On and click Create.
Step 2: Restrict Accounts in Intune via App Protection Policies
Use App Protection Policies to restrict access to specific apps (such as Outlook, Teams, or OneDrive) to only the enrolled company account. This prevents users from adding other work or school accounts to those apps.
1. Go to Microsoft Endpoint Manager Admin Center:
- Navigate to Microsoft Endpoint Manager Admin Center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
2. Create an App Protection Policy:
- Go to Apps > App protection policies.
- Click Create policy, and choose iOS/iPadOS as the platform.
3. Configure Policy Settings:
- Under Targeted apps, select the apps you want to protect, such as Microsoft Outlook, Teams, OneDrive, etc.
- Under Targeted users, select the user group(s) where you want this policy applied.
- In the Data protection section, under Restrict which accounts can be used in this app, select Allow only work or school accounts.
4. Block Multi-account Sign-in:
- Under Conditional Launch, configure the Restrict Accounts setting to Block multi-account sign-in. This will prevent users from adding another work or school account to the targeted apps.
5. Deploy the Policy:
- Save the configuration and deploy the policy to the targeted user groups.
Step 3: Restrict Device Enrollment to a Single Account
You can also restrict device enrollment to only one corporate account through Enrollment Restrictions.
1. Go to Microsoft Endpoint Manager Admin Center:
- Go to Devices > Enrollment restrictions.
2. Create a New Enrollment Restriction:
- Click on Create restriction and select Device limit restriction.
3. Set the Device Limit:
- Set the limit to 1 device per user, if applicable, or configure the restriction to allow only one managed account per device.
4. Assign the Policy:
- Assign this enrollment restriction to the appropriate user groups.
Step 4: Use Device Compliance Policies
You can configure Device Compliance Policies to restrict access to devices based on compliance requirements. If a device is found to have multiple work or school accounts, it can be flagged as non-compliant, restricting its access to corporate resources.
1. Go to Endpoint Manager Admin Center:
- Go to Devices > Compliance policies > Policies.
2. Create a New Compliance Policy:
- Click on Create Policy, and select iOS/iPadOS as the platform.
3. Configure the Compliance Settings:
- Under the Compliance settings, configure restrictions such as requiring the device to be enrolled and compliant with the policies.
4. Deploy the Compliance Policy:
- Deploy this compliance policy to the appropriate groups.
Final Notes:
- Conditional Access will prevent users from signing in with other work or school accounts when accessing company resources, while App Protection Policies can block users from adding secondary accounts within specific apps.
- Ensure you test the policies on a subset of users before a full rollout to avoid unintended disruptions.
By implementing these steps, you can effectively restrict your users from adding other work or school accounts on iOS devices managed by Intune.
Thank you for your reply. and providing steps.
In Step 4. Control sign-ins:
- In the Access controls section, under Grant, choose Block access for users trying to sign in with any other Microsoft work or school account.
I can not find the option you suggest saying that "choose Block access for users trying to sign in with any other Microsoft work or school account."
I have attached screenshot for your reference
prakashx86 ou're right.
The option "Block access for users trying to sign in with any other Microsoft work or school account" isn't a direct selection within Azure AD Conditional Access policies. I apologize for the confusion.
To achieve the desired outcome (blocking users from signing in with multiple work or school accounts), you would typically configure Access Controls in Conditional Access by applying certain grant controls and sign-in restrictions. However, there isn't a specific setting that directly states "block other work or school accounts."
Here’s a modified approach using the available Conditional Access features:
Updated Step 4: Control Sign-ins
In the Access controls section, under Grant, use the following options:
- Choose Block access to prevent access entirely for users who don't meet your conditions.
- Alternatively, choose Require device to be marked as compliant. This ensures that only Intune-enrolled devices that comply with your organization's policies can sign in, which indirectly prevents users from using personal or unmanaged devices with other work or school accounts.
Under Conditions:
- For Device platforms, choose iOS to apply this to mobile devices.
- For Locations, if needed, specify trusted locations to limit access based on network location (though this is optional).
- For Client apps, you can ensure this applies only to mobile apps by specifying Browser and Mobile apps and desktop clients.
Grant Control:
- Set the control to Block access for any condition that isn't met (e.g., if the device isn't compliant or enrolled in Intune).
While there's no direct policy to "block other work or school accounts" specifically, the combination of enforcing compliance and using device management ensures that only authorized and compliant devices can access corporate apps, effectively preventing users from logging in with multiple work or school accounts.
Additionally, to enforce account restrictions more strictly within specific apps (like Outlook or Teams), you can complement this with App Protection Policies in Intune, as described in Step 2. This will ensure that only the corporate account can be used within those apps, preventing users from adding secondary accounts.
- micheleariis
Thank you again for your clarification.
After applying all your steps , Will the Users be not able to Add any other Work/School Account in the Personal Outlook App or any Gmail App ?
OR these policy only applicable in Company managed Apps ?Company-Managed Apps (e.g., Outlook, Teams, OneDrive)
Conditional Access Policies: These policies ensure that users can only access corporate data on managed devices and compliant apps. Users trying to sign in with another work or school account on a corporate device (using these apps) will be blocked from doing so.
App Protection Policies: These policies can be configured to prevent adding multiple work or school accounts within Intune-managed apps (e.g., Outlook, Teams, etc.). So, if you enforce policies that allow only the corporate account, users won’t be able to add another work or school account in these apps.
Personal Apps (e.g., Personal Outlook, Gmail, etc.)
Gmail App or Personal Outlook App (not managed by the company) is not controlled by Intune policies. Users could potentially add other work or school accounts to these apps because they are outside the scope of Intune's management and control.
- Conditional Access Policies may still limit what users can do with those accounts. For example, if they try to access corporate resources (e.g., Exchange Online or SharePoint) from those personal apps, they will be blocked unless the device is compliant and managed by Intune.
