![\"\"](\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2021\/05\/image-9.png\")
<\/a><\/figure><\/div>\n\n\n\nWhatever is your reaction to this decision there is a practical issue for some companies with strict security requirements. From their point of view access to Teams personal accounts, on the same mobile or desktop used for corporate connection, could impact the security policies.<\/p>\n\n\n\n
The next logical step is to disable the access to Teams personal accounts on the devices used for work. A similar issue (and solution) can be used to limit access to unapproved Office 365 tenants. Surprisingly, the above control is not something that you can do using a Teams policy.<\/p>\n\n\n\n
Teams Free account<\/p>\n\n\n\n
Creating a free account in Teams requires just a few steps (see images below) and you can use an existing email address<\/p>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\nThe new account will be shown as “personal<\/p>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\nDesktop App Experience: <\/p>\n\n\n\n
Now, inside the desktop app, you are able to add your personal account<\/p>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\nAfter that, it is easy to switch between the two accounts<\/p>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\nThe personal account will open as an additional window<\/p>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\nBlocking Undesired Teams Logins in Windows 10<\/p>\n\n\n\n
A post from Microsoft explains (also) how to \u201cRestrict sign in to Teams\u201d https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/sign-in-teams#how-to-restrict-sign-in-on-desktop-devices<\/a> To use the GPOs, you should install the \u201cAdministrative Template files (ADMX\/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016<\/strong>\u201d As an alternative, it is possible to apply the required changes to the Windows Registry (I will explain this one after the GPO based approach)<\/p>\n\n\n\n Blocking Logins Using GPOs<\/p>\n\n\n\n To add the required Administrative Templates, download the correct version (X86 or x64) and decompress the files in a folder<\/p>\n\n\n\n <\/p>\n\n\n\n In my test the Central Store was \\\\test2019.corp\\sysvol\\Test2019.corp\\Policies\\PolicyDefinitions<\/p>\n\n\n\n Using Group Policy Management I have created a policy called “No_Personal_Logins<\/strong>“<\/p>\n\n\n\n <\/p>\n\n\n\n The imported ADMX files are shown in the GPO <\/p>\n\n\n\n Under User Configuration – Administrative Template Policy Definitions – Microsoft Teams<\/strong> we have a parameter called “Restrict Teams Signin to Accounts in Specific tenants<\/strong>” <\/p>\n\n\n\n The parameter is set to Enable<\/strong>, the list of the authorized tenant uses the Tenant IDs (if you want to know it from the domain FQDN I suggest using https:\/\/www.whatismytenantid.com\/<\/a> ). Each Tenant ID must be separated using comma<\/p>\n\n\n\n Windows 10 User Experience<\/p>\n\n\n\n If you try to switch to an unauthorized account, now, you have the message below<\/p>\n\n\n\n
A paragraph is dedicated to mobile devices and another one to Windows 10 access. For this post I will focus on how to restrict sign-in on desktop devices \/ Windows 10.
The policies can be set using<\/p>\n\n\n\n
https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=49030<\/a>
Note: Supported Operating System for the DC is Windows Server 2016 and Windows Server 2019<\/span><\/p>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n
You are able to copy the required files into a Central Store ( see the Microsoft document https:\/\/docs.microsoft.com\/en-us\/troubleshoot\/windows-client\/group-policy\/create-and-manage-central-store<\/a>) and finally use them inside a GPO.<\/p>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n<\/a><\/figure><\/div>\n\n\n\n