Forum Discussion
Popup Window: Stay signed in to all your apps
Hi,
This post is maybe not the right place for the discussion, but feel free to place it in the right discussion board. The issue came to light when using Teams though.
When using Microsoft applications like Teams, after you log in with your credentials the window "Stay signed in to all your apps" will pop up.
I found this is a security risk when logging in from a public Windows 10 system. The risk is that when the user doesn't pay attention and clicks the "Ok" button, the device will be AAD joined. After this you will be able to log on to Teams without a password.
I want to disable this popup, to prevent users from just pressing the ok button. Is this possible? And if yes, is this only possible for the Teams app?
Online people talk about conditional access, but this is a MEM (Intune) feature and not everyone has the license to do that.
Here is an article that explains very well regarding the "Stay signed in to all your apps" popup in Teams;
I found an article that describes a way to prevent the system from AAD joining with a registry setting;
Handy when you want to prevent this in your organisation. But users will log in from their private home systems and maybe from public systems. What then?
If things are unclear, please let me know.
- SekoBayo (Copper Contributor)
Nobody?
- SekoBayo (Copper Contributor)
Hi brian_nfc,
Not at all. Opened a Microsoft support ticket and have been told it's by design.
Have also been referred to the Registry change that I mentioned in my initial post, which only makes sense if you are in your own organisation environment. And did get a link to raise my voice: https://microsoftteams.uservoice.com/forums/555103-public/suggestions/40588795-please-stop-allow-my-organization-to-manage-my-d
Didn’t do it yet, but now just did.
- Jacob1 (Brass Contributor)
You say it Joins the device to Azure AD but it registers.
- Alaa_Adly (Microsoft)
Following MS document https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#how-can-i-block-users-from-adding-more-work-accounts--azure-ad-registered--on-my-corporate-windows-10-devices
Highlights the following FAQ
How can I block users from adding more work accounts (Azure AD registered) on my corporate Windows 10 devices?
And the solution is to create the following registry key
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
This key will block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.
After creating this key you will not receive this pop up anymore.
- Mike Benner (Copper Contributor)
Alaa, thank you so much for pointing me towards this documentation. I've been looking for this so long as this has been a huge pain point for our front line help desk support! Our users keep clicking "OK" when that box pops up no matter how many times we train them not to.
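Added example (not part of the thread or of Microsoft's documentation): a PowerShell script that reports whether the `BlockAADWorkplaceJoin` value quoted above is present on a managed device and, when run with `-Enforce` from an elevated session, creates it. The `-Enforce` switch, the helper function name and the `dsregcmd /status` check are assumptions of this example and are not mentioned in the thread.

```powershell
# Added example: audit (and optionally set) the policy value quoted in the thread.
# Writing to HKLM requires an elevated session. -Enforce is this script's own switch.
param([switch]$Enforce)

$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$Name = 'BlockAADWorkplaceJoin'

function Get-BlockValue {
    # Returns the DWORD value, or $null when the key or value is absent.
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

$before = Get-BlockValue

if ($Enforce -and $before -ne 1) {
    # Create the policy key if it does not exist yet, then write the value.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

$after = Get-BlockValue

# dsregcmd is not mentioned in the thread; it is used here only to show whether
# the user running the script already has a registered work account.
$registered = 'unknown'
$line = dsregcmd /status |
    Select-String -Pattern 'WorkplaceJoined\s*:\s*(\w+)' |
    Select-Object -First 1
if ($line) { $registered = $line.Matches[0].Groups[1].Value }

# One summary object per machine, suitable for piping to Export-Csv.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    ValueBefore         = if ($null -eq $before) { 'not set' } else { $before }
    ValueAfter          = if ($null -eq $after)  { 'not set' } else { $after }
    RegistrationBlocked = ($after -eq 1)
    WorkplaceJoined     = $registered
}
```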
- SekoBayo (Copper Contributor)
This is already known. I already mentioned the registry key in my initial post. See second link where this registry key is mentioned.
The goal of this post was to prevent other systems that are not part of an organization or enterprise. For example, home computers, shared computers, or even worse public computers that you don’t have control of as an organization/enterprise.
I still see this “popup” as a potential security risk, because when people log in to check their account temporarily on a system which is not their own personal system, then know the potential risks.
I will describe a scenario. User logs in on a friend’s computer system with Teams. User ignores the popup and presses ok. User logs off. The owner of that system opens Teams and still sees that his friend has previously logged in. When he would click on this account, he would be able to log in without any password asked. This is an example of many ways it can occur.
Even though the user reads the popup, it is so unclear what is mentioned there that people would still press ok without understanding it. An IT person would understand it, but a normal user often doesn’t.
This popup should not default join your account to the computer. The default should be an extra check box with an option to join and not the other way around.
Hope this helps the understanding of the security risk that exists with this very annoying popup.
- SekoBayo (Copper Contributor)
By the way. For the people who don’t know how to delete a joined user account.
- Click the ‘Start’ button, and then click ‘Settings’.
- Click ‘Accounts’.
- Click ‘Access work or school’.
- Click on the user account and click ‘Disconnect’.
SekoBayo I did some checking/testing recently on this between Windows CSP Vs. Registry Fix. I couldn't make Windows CSP - disallow workplace join work using MEM Intune. https://www.anoopcnair.com/disable-stay-signed-in-to-all-your-apps-intune/
- SekoBayo (Copper Contributor)
Maybe because it's preview 😉
- Dave_Pouw (Copper Contributor)
After 2 years I still have this problem, does anyone have a way to disable this checkbox on public, home computer?
- Jacob1 (Brass Contributor)
Have you tried this yet? I have not tested it. https://www.slipstick.com/office-365/save-choice-stay-signed-apps/
If you don't have Intune or the user account does not have an Intune license, it just gives them an error anyway.
- tenhotdogs (Copper Contributor)
If you accidentally click "OK", like I did... go to Settings -> Accounts -> Access work or school and disconnect the account. You will be logged out of everything. You can then relogin to the original app and click "No, sign in to this app only".
- Jacob1 (Brass Contributor)
Oh, so it does add them to the "access work or school"? That is very annoying!