Thx, I know that post; regrettably it is not helpful.
It shows how to block the interface, not the ability to actually block adding accounts, which may be done e.g. from any Office app and possibly in other ways.
By the way, it shows second, mostly repeated information, copy-pasted from the MS doc without explanation: about blocking MSA... But why would I like to do that? I've read dozens of blog posts and everyone is copy-pasting cons from the docs without explanation of what the pros and scenarios of blocking MSA are /: If that is the way of blocking adding accounts, the disadvantages are quite painful and unacceptable.
I was hoping for some trick to be able to define allowed domains through device restriction or similar. You can configure AllowLogonLocally restrictions via device restrictions, which is close to what I'm looking for; the issue there is that you need to provide an actual user name and not a *@domain.name