Apr 23 2021 06:56 AM
Hi,
This post is maybe not the right place for the discussion, but feel free to place it in the right discussion board. The issue came to light when using Teams though.
When using Microsoft applications like Teams, after you log in with your credentials the window "Stay signed in to all your apps" will pop up.
I found this is a security risk when logging in from a public Windows 10 system. The risk is that when the user doesn't pay attention and clicks the "Ok" button, the device will be AAD joined. After this you will be able to log on to Teams without a password.
I want to disable this popup, to prevent users from just pressing the ok button. Is this possible? And if yes, is this only possible for the Teams app?
Online people talk about conditional access, but this is a MEM (Intune) feature and not everyone has the license to do that.
Here is an article that explains the "Stay signed in to all your apps" popup in Teams very well;
I found an article that describes a way to prevent the system from AAD joining with a registry setting;
Handy when you want to prevent this in your organisation. But users will log in from their private home systems and maybe from public systems. What then?
If things are unclear, please let me know.
May 19 2021 12:36 AM
@SekoBayo Hi there did you get anywhere with this? This window is a liability.
May 19 2021 07:47 AM
Hi @brian_nfc,
Not at all. Opened a Microsoft support ticket and have been told it's by design.
Have also been referred to the Registry change that I mentioned in my initial post, which only makes sense if you are in your own organisation environment. And did get a link to raise my voice; https://microsoftteams.uservoice.com/forums/555103-public/suggestions/40588795-please-stop-allow-my-...
Didn’t do it yet, but now just did.
May 19 2021 08:00 AM
@SekoBayo Appreciate your response. Yes, the reg key is of no value on users' home computers. You can block enrolment of personal devices in Endpoint Manager but it doesn't stop this message and the user still gets an ugly error message that they don't understand.
I don't get why Microsoft wants personal computers to end up in Endpoint Manager. I still feel like there HAS to be a tenant level setting somewhere for blocking this window.
May 19 2021 10:28 AM
@brian_nfc great to hear that I am not the only one that is thinking this way.
You could check the setting below, but I do not know if it will do the trick. I don't have a tenant where I can just test this.
Also I am not able to check it at all because this option is greyed out on my customer's tenant; cannot figure out why.
You can find this setting under Azure AD > Devices > Device settings.
Sep 28 2021 11:55 AM - edited Oct 08 2021 01:55 PM
The following MS document https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#how-can-i-block-users-from-addin...
highlights the following FAQ:
How can I block users from adding more work accounts (Azure AD registered) on my corporate Windows 10 devices?
And the solution is to create the following registry key
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001
This key will block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.
After creating this key you will not receive this pop up anymore.
Oct 08 2021 10:58 AM
Alaa, thank you so much for pointing me towards this documentation. I've been looking for this so long as this has been a huge pain point for our front line help desk support! Our users keep clicking "OK" when that box pops up no matter how many times we train them not to.
Oct 09 2021 05:23 AM
By the way, for the people who don't know how to delete a joined user account.
Oct 10 2021 01:21 PM
Just having the same issue when connecting to AVD using the Remote Desktop client.
Just wanted to say that it's not adding the client to the endpoint. It's adding the client to Azure AD devices.
Anyhow, horrible.
Oct 11 2021 03:42 AM
I do not have experience with AVD, but I would think that you can solve this by creating an Intune configuration policy to run a PowerShell script that will add the relevant registry key. I have done this with one of my customers.
Of course, to be able to do this, you would need an Intune subscription and the device needs to join Azure instead of registering. If you don't have Intune, then your only option is to add the registry key manually by hand.
Correction on previous posts where I mentioned that computers will join the device to Azure, which is not correct. It will register the device to Azure instead of joining it, like @Jacob1 mentioned in a post above.
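An added PowerShell example, not posted by anyone in this thread, that applies and verifies the BlockAADWorkplaceJoin registry value quoted from the Microsoft FAQ earlier in the thread, in the form one would deploy through an Intune PowerShell script as this post suggests. It assumes it runs elevated on the Windows device; the function names are this example's own.

```powershell
# Added example (not from the thread): set and verify the policy value from the FAQ.
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:1
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName = 'BlockAADWorkplaceJoin'
$Desired   = 1

function Get-WorkplaceJoinPolicy {
    # Returns the current DWORD value, or $null when the key or value does not exist.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-WorkplaceJoinPolicy {
    # Creates the policy key if missing and writes the DWORD; safe to run repeatedly.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-WorkplaceJoinPolicy
if ($current -eq $Desired) {
    Write-Output "Already compliant: $ValueName=$current"
    exit 0   # Intune treats exit code 0 as success
}

Set-WorkplaceJoinPolicy
$after = Get-WorkplaceJoinPolicy
if ($after -ne $Desired) {
    Write-Error "Failed to apply $ValueName (read back '$after')"
    exit 1   # non-zero exit code surfaces the failure in the Intune script report
}
Write-Output "Applied $ValueName=$after (previous value: '$current')"
```

The value only blocks future registrations; accounts that were already added through the popup still have to be removed on the device (and their device objects cleaned up in Azure AD), and `dsregcmd /status` shows whether the device is currently registered.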
Oct 11 2021 05:02 AM
You wrote "4) Lets say another user (B) uses the same PC and browse to (for example) to office.com then are the data of user (A) exposed. That is a big data leak."
You are referring here to a web browser. When using Edge it will try to do SSO. But I think Edge will detect that an account is registered and ask if you want to synchronize your account. Here you will get asked in a normal way and get the option to choose 'Synchronize' or 'No, thanks'.
Oct 11 2021 06:37 AM
You're right. Edge offers to sync.
Even if you choose (NO), Edge will sign in with the cached creds. And that is not OK.
Anyhow, it is a no-go for our AVD project.
Nov 12 2021 09:33 AM
@SekoBayo I did some checking/testing recently on this between the Windows CSP vs. the registry fix. I couldn't make the Windows CSP "disallow workplace join" work using MEM Intune. https://www.anoopcnair.com/disable-stay-signed-in-to-all-your-apps-intune/