Restrict users' local account from logging in to work M365

ラナ 40 Reputation points
2024-05-10T08:07:25.6733333+00:00

scenario:

When using a personal PC for work, the work or school account is set up as a domain join.

The user has a personal local account on the PC.

Environment:

Microsoft 365 Business Premium, Microsoft EntraID P1 and Intune

Question:

How can I restrict the personal local account from accessing work M365? Is it possible to do so?

Tags: Microsoft 365, Microsoft Intune, Microsoft Entra ID

Accepted answer
  1. ZhoumingDuan-MSFT 8,840 Reputation points Microsoft Vendor
    2024-05-13T07:00:18.9766667+00:00

    @ラナ, thanks for posting in Q&A.

    From your description, I understand you want to restrict a local user account from accessing work Microsoft 365.

    Based on my research, we can create a Conditional Access policy to achieve your goal.

    1. Create a Conditional Access policy > In Target resources select Cloud apps > Select Office 365.

    2. In Grant/Session, select Grant access for the work account you allow; then only the work account can access Microsoft 365 resources and the personal account cannot.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#office-365

    Or you can use GPO to restrict personal accounts from accessing Microsoft resources.

    https://www.iamsysadmin.eu/featured-posts/restrict-signing-into-365-apps-with-a-personal-microsoft-account/

    Non-official; just for reference.

    Hope it will help.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

  1. Pavel yannara Mirochnitchenko 11,956 Reputation points MVP
    2024-05-10T12:10:43.8166667+00:00

    Use Conditional Access and, in the Grant phase, require the device to be compliant. At the same time, create compliance policies in Intune and assign them only to corporate devices or only to a specific device name pattern.

    Edit: okay, I have read it again and you only want to limit this for the local account, but I assume you want to allow access from the home device itself, right? Maybe if you assign the compliance policy to users only? But I am not sure; it still might flow down to the device.

    1 person found this answer helpful.
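The two answers above describe the same control from different angles: a Conditional Access policy scoped to the Office 365 app group (accepted answer) whose grant control requires a compliant device (second answer). The script below is an added example, not code posted in this thread or by either answerer. It builds that policy with the Microsoft Graph PowerShell SDK, creates it in report-only mode first, and scopes it to a group. The group names ("M365 Work Users", "CA Exclusions") and the policy display name are placeholders; an account holding the Conditional Access Administrator role and the `Microsoft.Graph` module are assumed.

```powershell
# Added example (not from the Q&A thread): create the Conditional Access policy
# described in the accepted answer, using the "require compliant device" grant
# control from the second answer. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and the Conditional Access Administrator role.
# Group and policy names below are placeholders.

#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

function Get-WorkAccountPolicyBody {
    param(
        [Parameter(Mandatory)] [string] $TargetGroupId,   # Entra group of work users
        [string] $BreakGlassGroupId,                      # emergency-access exclusion group
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    $users = @{ includeGroups = @($TargetGroupId) }
    if ($BreakGlassGroupId) { $users.excludeGroups = @($BreakGlassGroupId) }

    # Shape matches the Graph conditionalAccessPolicy resource.
    return @{
        displayName   = 'CA - M365 requires compliant device'   # placeholder name
        state         = $State
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @('Office365') }  # the "Office 365" app group
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')   # Intune compliance decides, not the Windows profile
        }
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$workUsers  = Get-MgGroup -Filter "displayName eq 'M365 Work Users'"   # placeholder group
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA Exclusions'"     # placeholder group

$body   = Get-WorkAccountPolicyBody -TargetGroupId $workUsers.Id -BreakGlassGroupId $breakGlass.Id
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created policy $($policy.Id) in state $($policy.State)"

# After reviewing report-only results in the Entra sign-in logs, switch it on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Two caveats when reading the result against the original question. Conditional Access evaluates the Entra ID identity and the device signals sent with the sign-in, not which local Windows profile the user is in: a personal local account that opens a browser or Office and signs in with the work credentials is evaluated as the work user. What separates it from an allowed sign-in is therefore the device check (`compliantDevice`, or alternatively a hybrid-joined/Entra-joined device), which a personal device without Intune enrollment will fail. Start in `enabledForReportingButNotEnforced` and exclude a break-glass group, since a compliant-device requirement applied tenant-wide with no exclusions can lock administrators out.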