Forum Discussion
How to Prevent or Block Company users from Adding another Microsoft Work account in IOS Intune
- Oct 04, 2024
Thank you for your reply and for providing the steps.
In Step 4. Control sign-ins:
- In the Access controls section, under Grant, choose Block access for users trying to sign in with any other Microsoft work or school account.
I cannot find the option you suggest, "choose Block access for users trying to sign in with any other Microsoft work or school account."
I have attached a screenshot for your reference.
prakashx86, you're right.
The option "Block access for users trying to sign in with any other Microsoft work or school account" isn't a direct selection within Azure AD Conditional Access policies. I apologize for the confusion.
To achieve the desired outcome (blocking users from signing in with multiple work or school accounts), you would typically configure Access Controls in Conditional Access by applying certain grant controls and sign-in restrictions. However, there isn't a specific setting that directly states "block other work or school accounts."
Here’s a modified approach using the available Conditional Access features:
Updated Step 4: Control Sign-ins
In the Access controls section, under Grant, use the following options:
- Choose Block access to prevent access entirely for users who don't meet your conditions.
- Alternatively, choose Require device to be marked as compliant. This ensures that only Intune-enrolled devices that comply with your organization's policies can sign in, which indirectly prevents users from using personal or unmanaged devices with other work or school accounts.
Under Conditions:
- For Device platforms, choose iOS to apply this to mobile devices.
- For Locations, if needed, specify trusted locations to limit access based on network location (though this is optional).
- For Client apps, you can ensure this applies only to mobile apps by specifying Browser and Mobile apps and desktop clients.
Grant Control:
- Set the control to Block access for any condition that isn't met (e.g., if the device isn't compliant or enrolled in Intune).
While there's no direct policy to "block other work or school accounts" specifically, the combination of enforcing compliance and using device management ensures that only authorized and compliant devices can access corporate apps, effectively preventing users from logging in with multiple work or school accounts.
Additionally, to enforce account restrictions more strictly within specific apps (like Outlook or Teams), you can complement this with App Protection Policies in Intune, as described in Step 2. This will ensure that only the corporate account can be used within those apps, preventing users from adding secondary accounts.
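As an added illustration (not code from the thread or from Microsoft), here is the "Updated Step 4" policy expressed as a Microsoft Graph conditionalAccessPolicy body, plus a small audit that checks an existing policy body for the same settings (iOS platform, browser and mobile clients, a compliant-device or block grant). The group id and policy name are placeholders; the policy starts in report-only mode so sign-in logs can be reviewed before it is enforced.

```python
"""Added example: build the Conditional Access policy described in 'Updated
Step 4' as a Graph conditionalAccessPolicy body, and audit a policy body
against the same settings. Group id and display name are assumptions."""
import json

# Placeholder: object id of the Entra ID group holding the iOS users in scope.
TARGET_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # assumption


def build_ios_compliant_device_policy(group_id: str = TARGET_GROUP_ID,
                                      report_only: bool = True) -> dict:
    """iOS sign-ins from browsers and mobile/desktop clients must come from a
    device marked compliant (Intune-enrolled); anything else is refused."""
    return {
        "displayName": "iOS - require compliant device for corporate apps",
        # Report-only first: the sign-in log shows what would be blocked.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["iOS"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def audit_policy(policy: dict) -> list:
    """Return the settings from the thread that a policy body is missing."""
    gaps = []
    cond = policy.get("conditions", {})
    if "iOS" not in cond.get("platforms", {}).get("includePlatforms", []):
        gaps.append("platforms: iOS not included")
    wanted = {"browser", "mobileAppsAndDesktopClients"}
    if not wanted.issubset(set(cond.get("clientAppTypes", []))):
        gaps.append("clientAppTypes: browser and mobile/desktop clients not both included")
    controls = set(policy.get("grantControls", {}).get("builtInControls", []))
    if not controls & {"compliantDevice", "block"}:
        gaps.append("grantControls: neither compliantDevice nor block")
    if policy.get("state") == "disabled":
        gaps.append("state: policy is disabled")
    return gaps


if __name__ == "__main__":
    body = build_ios_compliant_device_policy()
    # Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    print(json.dumps(body, indent=2))
    print("gaps:", audit_policy(body))
```

Note that this policy only gates access to corporate resources on device compliance; as the thread says, it does not by itself stop a user from adding another account to an unmanaged app.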
- prakashx86, Oct 04, 2024, Copper Contributor
micheleariis,
Thank you again for your clarification.
After applying all your steps, will the users be unable to add any other Work/School account in the personal Outlook app or any Gmail app?
Or are these policies only applicable to company-managed apps?
- micheleariis, Oct 04, 2024, MCT
Company-Managed Apps (e.g., Outlook, Teams, OneDrive)
Conditional Access Policies: These policies ensure that users can only access corporate data on managed devices and compliant apps. Users trying to sign in with another work or school account on a corporate device (using these apps) will be blocked from doing so.
App Protection Policies: These policies can be configured to prevent adding multiple work or school accounts within Intune-managed apps (e.g., Outlook, Teams, etc.). So, if you enforce policies that allow only the corporate account, users won’t be able to add another work or school account in these apps.
Personal Apps (e.g., Personal Outlook, Gmail, etc.)
Gmail App or Personal Outlook App (not managed by the company) is not controlled by Intune policies. Users could potentially add other work or school accounts to these apps because they are outside the scope of Intune's management and control.
- Conditional Access Policies may still limit what users can do with those accounts. For example, if they try to access corporate resources (e.g., Exchange Online or SharePoint) from those personal apps, they will be blocked unless the device is compliant and managed by Intune.
- prakashx86, Oct 08, 2024, Copper Contributor
Hello micheleariis
I humbly request that you also please check the thread below about blocking a user from logging in to another iOS device, and provide your valuable input.