Block signing into Office Using Administrative Template Policy | Intune | Organization only

Block signing into Office Using Administrative Template Policy

Let’s learn to deploy the Administrative Template Policy to Block signing into Office in this post. In this example, Block signing into Office is Enabled and users are only allowed to sign in with their Organization ID.

Intune Administrative templates are similar to group policy (GPO) settings in Active Directory (AD). These are ADMX-backed settings that use XML. Intune administrative templates are 100% cloud-based.

These templates offer a simple and straightforward way to find and configure the settings you want. If a setting is not available in the administrative templates, it’s a bit complex to configure. The Chrome and Firefox configuration details might help to understand the complexity.

Create Block Policy

  • Navigate to Devices -> Windows -> Configuration profiles
  • Click on + Create Profile button
  • From the create a profile blade – select Platform as Windows 10 and Later
  • Select Administrative Template from the profile drop-down menu
  • Click on CREATE button to continue
  • Let’s configure the Basic settings
    • Enter the Name of Intune Administrative Template – “Block Signing into Office”
    • Enter the Description for Administrative template – “Block Signing into Office”
    • Click on the Next button.
Administrative Template Policy to Block signing into Office
  • Select User Configuration from Configuration Settings.
  • Enter “Block Signing into Office” in the search box.
  • Click on the search result called “Block Signing into Office.”
Administrative Template Policy to Block signing into Office

This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365. If you enable this policy setting, you can specify one of the following options:

  • If you select “Both IDs allowed“, users can sign in and access Office content by using either ID
  • If you select “Microsoft Account only“, users can sign in only by using their Microsoft Account.
  • If you select “Organization only“, users can sign in only by using the user ID assigned by your organization for accessing Office 365.
  • If you select “None allowed“, users cannot sign in by using either ID.
  • If you disable or do not configure this policy setting, users can sign in by using either ID.

Note: This policy does not apply to licensing. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed-in state of Office.

Org ID Only
Select Assignment - Administrative Template Policy to Block signing into Office
  • Click on the Next button.
  • Click on the Create button on the Review + Create page.

Sync Intune Policies on Windows 10 Device

You can sync Intune policies on a Windows 10 device to quickly test the Administrative Template Policy to Block signing into Office.

  • Right click on the Task Bar icon of Company Portal
  • Click on Sync this Device
Sync Intune Policies on Windows 10 Device

Event Logs – Administrative Template Policy to Block signing into Office

Let’s check the event log entries to confirm whether the policy got deployed or not. A new ADMX ingestion (office16v2) happens after the sync, as you can see in the event logs below.

  • office16v2
  • Policy~L_MicrosoftOfficeSystem~L_miscellaneous437
  • L_SignInOptions
  • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Event ID 873 - MDM PolicyManager: ADMX ingestion starting new Admx ingestion. EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (office16v2), setting type (Policy), unique Id (office16v2).
Event ID 866 - MDM PolicyManager: ADMX Ingestion: EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (office16v2), setting type (Policy), unique Id (office16v2), area (NULL).
Event ID 814 - MDM PolicyManager: Set policy string, Policy: (L_SignInOptions), Area: (office16v2~Policy~L_MicrosoftOfficeSystem~L_miscellaneous437), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (S-1-12-1-1245278575-1092210432-2695042466-3045220724), String: (), Enrollment Type: (0x6), Scope: (0x1).
String Value 👉: <enabled/><data id="L_SignInOptions5" value="2" /> 
Policy~L_MicrosoftOfficeSystem~L_miscellaneous437

Registry Values

  • Let’s check whether the ADMX ingestion happened for Office 365 policies.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\AAB267BF-EBF2-4649-822C-74511A4CC253\office16v2\Policy\office16v2
  • All the ADMX-backed policies for Office 365 are created.
Administrative Template Policy to Block signing into Office
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\AAB267BF-EBF2-4649-822C-74511A4CC253\office16v2~Policy~L_MicrosoftOfficemachine~L_LicensingSettings\L_SCLCacheOverride
  • The actual Office 365 policy configured is stored in the registry entry mentioned below:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\S-1-12-1-1245278575-1092210432-2695042466-3045220724\office16v2~Policy~L_MicrosoftOfficeSystem~L_miscellaneous437
Administrative Template Policy to Block signing into Office
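
The event log and registry checks above can be combined into one script. This is an added example, not part of the original post. It assumes the policy string is stored in a registry value named L_SignInOptions under the Providers key shown above, and it treats the data value 2 (the value in the event log string above) as the "Organization only" setting.

```powershell
# Added example: confirm the "Block signing into Office" policy on an enrolled device.
$LogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Area     = 'office16v2~Policy~L_MicrosoftOfficeSystem~L_miscellaneous437'
$Policy   = 'L_SignInOptions'
$Expected = '2'   # data value this page shows for "Organization only"

# 1. Event log: ADMX ingestion (873, 866) and the policy set operation (814).
$filter = @{ LogName = $LogName; Id = 873, 866, 814 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'office16v2' } |
    Select-Object -First 20 TimeCreated, Id, Message

# 2. Registry: walk every enrollment and scope (user SID or Device) under Providers.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers'
$applied = foreach ($enrollment in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
    $default = Join-Path $enrollment.PSPath 'default'
    foreach ($scope in Get-ChildItem -LiteralPath $default -ErrorAction SilentlyContinue) {
        $key = Join-Path $scope.PSPath $Area
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Assumption: the policy string is stored in a value named after the policy.
        $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).$Policy
        $value = if ($raw -match 'value="(\d+)"') { $Matches[1] } else { $null }
        [pscustomobject]@{
            EnrollmentId = $enrollment.PSChildName
            Scope        = $scope.PSChildName
            Enabled      = [bool]($raw -match '<enabled\s*/>')
            DataValue    = $value
            OrgIdOnly    = ($value -eq $Expected)
        }
    }
}

# 3. Report: missing events or registry data means the policy has not applied yet.
if (-not $events)  { Write-Warning "No office16v2 events (873/866/814) found in $LogName" }
if (-not $applied) { Write-Warning "No $Policy entry found under $root" }
$events  | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
$applied | Format-Table -AutoSize
```

A row with Enabled = True and OrgIdOnly = True matches the configuration deployed in this post; any other DataValue means a different sign-in option was delivered to that scope.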

Results – Intune Reports

Let’s check the reports from the Intune portal now. This helps to get the results of the Administrative Template Policy to Block signing into Office.

Device Status - Select Assignment - Administrative Template Policy to Block signing into Office
