3.11.27.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'

Information

This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs.

The recommended state for this setting is: Enabled

Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled:

Administrative Templates\Windows Components\Microsoft accounts\Block all consumer Microsoft account user authentication

Impact:

All applications and services on the device will be prevented from new authentications using consumer Microsoft accounts via the Windows OnlineID and WebAccountManager APIs. Authentications performed directly by the user in web browsers or in apps that use OAuth will remain unaffected.

See Also

https://workbench.cisecurity.org/benchmarks/16853