2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

Information

This policy setting prevents users from adding new Microsoft accounts on this computer.

The recommended state for this setting is: Users can't add or log on with Microsoft accounts

Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.

Solution

To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts :

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

Impact:

Users will not be able to log onto the computer with their Microsoft account.

See Also

https://workbench.cisecurity.org/benchmarks/10052

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv7|16.2

Plugin: Windows

Control ID: 345c49047d39229cb8d2f8117841824d52e6351186aab78f09a64538320706fc