Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 24th at 1 PM ET!

Use Group Policy to Stop Users from Linking Microsoft Accounts to Local or Domain Logins in Windows 8

So, how can I use Group Policy to prevent users from linking their Microsoft accounts to local or domain logins?

Microsoft added new capabilities to Windows 8 that allow users to synchronize configuration and application settings between computers, so that when they log on to a different device, their settings follow them. In order to enable this new feature, users must associate their local computer or domain account with a Microsoft online identity, such as a Windows Live Mail account.

While this kind of synchronization may be useful for consumers, it could introduce risks for organizations, potentially allowing users to sync settings and app data between corporate-owned or -managed PCs to personal devices, which could lead to data leakage or a security breach. An account linked to a Microsoft identity is also required to download and purchase apps from the Windows Store, although it is possible to disable access to the store independently from restricting the ability to link domain accounts to Microsoft identities.

Disable Microsoft Accounts

To disable the ability to link domain and local computer accounts to Microsoft Accounts, open the Group Policy Management Console (GPMC) on Windows 8 or Server 2012 using a domain account that has permission to create new Group Policy Objects (GPOs).

  • In the left pane of GPMC, expand your AD forest and domain.
  • Right-click the Group Policy Objects folder and select New from the menu.
  • In the New GPO dialog, name the GPO Restrict MS Account Linking and click OK.
  • Click the Group Policy Objects folder in the left pane.
  • Right-click the new GPO in the right pane of GPMC and select Edit from the menu.
  • In the Group Policy Management Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  • In the right pane of the Group Policy Management Editor window, double-click Accounts: Block Microsoft accounts.
  • In the Properties dialog window, check Define this policy setting.
  • In the drop-down menu, select Users can’t add or log in with Microsoft accounts from the menu and click OK.

Block Microsoft accounts in Group Policy

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

  • Close the Group Policy Management Editor window.
  • In the left pane of GPMC, right-click your AD domain or an Organizational Unit, and select Link an Existing GPO here from the menu.
  • In the Select GPO dialog, choose the Restrict MS Account Linking GPO and click OK.

Once Group Policy has updated on the affected machine, which you can force using the gpupdate command if you don’t want to wait, users will not be able to link a Microsoft account to their domain or a local computer account, and PC Sync settings will be unavailable.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By