Information
This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs.
The recommended state for this setting is: Enabled.
Rationale:
Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.
Impact:
All applications and services on the device will be prevented from new authentications using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs. Authentications performed directly by the user in web browsers or in apps that use OAuth will remain unaffected.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration\Windows Components\Microsoft accounts
Setting Name: Block all consumer Microsoft account user authentication
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Disabled. (Applications and services on the device will be permitted to authenticate using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs.)