Disable that Office 2016 automatically logs in with Office 365 account


Hi all,

For a client I'm reviewing some client cases to use Office 365. One security issue we're facing is that Office 2016 can be installed on an unmanaged machine. Once the company user logs in with his/her O365 credentials, they have the opportunity to add their O365 account to that unmanaged machine, with the result that they can open Word (for example) without entering their O365 credentials. But connections to SharePoint and OneDrive are also restored by opening Word. So there is a potential risk that on a shared device like a home Windows 10 computer somebody other than the company worker can view files on SharePoint by opening Word 2016.

My question: is there an option to disable the feature of adding your O365 account to a Windows 10 client, with the result that the O365 username and password are always required when opening a local installation of an Office 2016 app?

1 Reply
No. Office doesn't actually use username/password anymore, it uses a token that can remain valid for a loooong time with use and will allow the user to access Office 365 resources without requiring username/password. Technically, this is all stored on the client PC and you can remove the token, however for unmanaged machines this will not be an option.

What you can do instead is limit or even block logins outside of your network. There are different ways to achieve this, the easiest will probably be to use Conditional Access.
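
One way to express the Conditional Access approach suggested in the reply, added here as an example and not part of the original thread. It assumes the Microsoft Graph PowerShell SDK, that the corporate networks are already defined as trusted named locations in the tenant, and placeholder object IDs for the target group and an excluded emergency account.

```powershell
# Added example: block Office 365 sign-ins that originate outside trusted locations.
# Assumptions: Microsoft.Graph.Identity.SignIns module is installed and the
# corporate egress IP ranges are marked as trusted named locations in the tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders: replace with real object IDs from your directory.
$targetGroupId = '<OBJECT-ID-OF-TARGET-GROUP>'
$breakGlassId  = '<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>'

$policy = @{
    displayName = 'Block Office 365 outside trusted locations'
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')                      # browser, desktop and mobile clients
        applications   = @{
            includeApplications = @('Office365')       # the Office 365 app group
        }
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassId)           # avoid locking out the emergency account
        }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')         # everything except trusted named locations
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`.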