Use Group Policy to Stop Users from Linking Microsoft Accounts to Local or Domain Logins in Windows 8

So, how can I use Group Policy to prevent users from linking their Microsoft accounts to local or domain logins?

Microsoft added new capabilities to Windows 8 that allow users to synchronize configuration and application settings between computers, so that when they log on to a different device, their settings follow them. In order to enable this new feature, users must associate their local computer or domain account with a Microsoft online identity, such as a Windows Live Mail account.

While this kind of synchronization may be useful for consumers, it introduces risk for organizations: users could sync settings and app data between corporate-owned or corporate-managed PCs and personal devices, which could lead to data leakage or a security breach. An account linked to a Microsoft identity is also required to download and purchase apps from the Windows Store, although access to the Store can be disabled independently of restricting the ability to link domain accounts to Microsoft identities.

Disable Microsoft Accounts

To disable the ability to link domain and local computer accounts to Microsoft Accounts, open the Group Policy Management Console (GPMC) on Windows 8 or Server 2012 using a domain account that has permission to create new Group Policy Objects (GPOs).

  • In the left pane of GPMC, expand your AD forest and domain.
  • Right-click the Group Policy Objects folder and select New from the menu.
  • In the New GPO dialog, name the GPO Restrict MS Account Linking and click OK.
  • Click the Group Policy Objects folder in the left pane.
  • Right-click the new GPO in the right pane of GPMC and select Edit from the menu.
  • In the Group Policy Management Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  • In the right pane of the Group Policy Management Editor window, double-click Accounts: Block Microsoft accounts.
  • In the Properties dialog window, check Define this policy setting.
  • In the drop-down menu, select Users can’t add or log in with Microsoft accounts and click OK.

Block Microsoft accounts in Group Policy


  • Close the Group Policy Management Editor window.
  • In the left pane of GPMC, right-click your AD domain or an Organizational Unit, and select Link an Existing GPO here from the menu.
  • In the Select GPO dialog, choose the Restrict MS Account Linking GPO and click OK.

Once Group Policy has updated on the affected machine, which you can force using the gpupdate command if you don’t want to wait, users will not be able to link a Microsoft account to their domain or a local computer account, and PC Sync settings will be unavailable.
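The same GPO can be created, configured and linked from PowerShell with the GroupPolicy module that ships with RSAT on Windows 8 and Server 2012. The script below is an added example and is not part of the original article: it assumes you run it as an account allowed to create and link GPOs, that the OU distinguished name is replaced with your own (the value here is a placeholder), and that the Security Options entry "Accounts: Block Microsoft accounts" is backed by the NoConnectedUser value under the policies hive (1 blocks adding Microsoft accounts, 3 blocks adding and logging on with them, matching the choice made above). The Test-MicrosoftAccountsBlocked function is a hypothetical helper for checking a client after gpupdate.

```powershell
# Added example (not from the original article): build, configure and link the
# "Restrict MS Account Linking" GPO, then verify on a client that it applied.
# Assumptions: domain-joined Windows 8 / Server 2012 with RSAT, run by an account
# that can create and link GPOs; $TargetOU is a placeholder to replace.

Import-Module GroupPolicy

$GpoName  = 'Restrict MS Account Linking'
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: your OU or domain DN

# "Accounts: Block Microsoft accounts" writes this registry value on the client.
#   1 = Users can't add Microsoft accounts
#   3 = Users can't add or log on with Microsoft accounts (the setting chosen above)
$PolicyKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValue = 'NoConnectedUser'
$BlockAll    = 3

# 1. Create the GPO if it does not already exist (Get-GPO throws when the name is unknown)
try {
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
} catch {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks linking domain/local accounts to Microsoft accounts'
}

# 2. Store the policy value in the GPO
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $PolicyValue `
                    -Type DWord -Value $BlockAll | Out-Null

# 3. Link the GPO to the target OU (or the domain) unless it is already linked there
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
                 Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. On a client in scope, after "gpupdate /force": confirm the value landed.
#    Hypothetical helper; returns $true when the block is in effect.
function Test-MicrosoftAccountsBlocked {
    $clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $current = (Get-ItemProperty -Path $clientKey -Name $PolicyValue `
                -ErrorAction SilentlyContinue).$PolicyValue
    return ($current -eq $BlockAll)
}

Test-MicrosoftAccountsBlocked
```

One caveat: a value written with Set-GPRegistryValue is listed in GPMC under Administrative Templates as an "Extra Registry Setting" rather than under Security Options, because the GUI path above stores the setting in the GPO's security template instead. The effect on clients is the same registry value, so either method enforces the block; pick one and use it consistently so reports such as gpresult stay readable.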

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.