Block signing into Office Using Administrative Template Policy | Intune | Organization only

Let’s learn to deploy the Administrative Template Policy to Block signing into Office in this post. Block signing into Office is Enabled only allowed to sign in with Organization ID.

Intune Administrative templates are similar to group policy (GPO) settings in Active Directory (AD). These are ADMX-backed settings that use XML. Intune administrative templates are 100% cloud-based.

These templates offer a simple and straightforward way to configure the settings and find the settings you want. If the settings are not available in the administrative templates, it’s a bit complex configure. You can find chrome and Firefox configuration details, this might help to understand the complexity.

Create Block Policy

• Navigate to Devices -> Windows -> Configuration profiles
• Click on + Create Profile button
• From the create a profile blade – select Platform as Windows 10 and Later
• Select Administrative Template from the profile drop-down menu
• Click on CREATE button to continue

• Let’s configure the Basic settings
  • Enter the Name of Intune Administrative Template – “Block Signing into Office”
  • Enter the Description for Administrative template – “Block Signing into Office”
  • Click on the Next button.

• Select User Configuration from Configuration Settings.
• Enter “Block Signing into office” to search box.
• Click on the search result called “Block Signing into Office.”

This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365. If you enable this policy setting, you can specify one of the following options:

• If you select “Both IDs allowed“, users can sign in and access Office content by using either ID
• If you select “Microsoft Account only“, users can sign in only by using their Microsoft Account.
• If you select “Organization only“, users can sign in only by using the user ID assigned by your organization for accessing Office 365.
• If you select “None allowed“, users cannot sign in by using either ID.
• If you disable or do not configure this policy setting, users can sign in by using either ID.

Note: This policy does not apply to license. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed-in state of Office.

• Click on the Next button.
• Click on Create button from Review + Create a page

Sync Intune Policies on Windows 10 Device

You can sync Intune policies on Windows 10 device to have a quick test of the Administrative Template Policy to Block signing into Office.

• Right click on the Task Bar icon of Company Portal
• Click on Sync this Device

Event Logs – Administrative Template Policy to Block signing into Office

Let’s check the event log entries to confirm whether the policy got deployed or not. New ADMX injection (office16v2) happens after the sync as you can see in the below event logs.

• office16v2
• Policy~L_MicrosoftOfficeSystem~L_miscellaneous437
• L_SignInOptions

• Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Event ID 873 - MDM PolicyManager: ADMX ingestion starting new Admx ingestion. EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (office16v2), setting type (Policy), unique Id (office16v2).

Event ID 866 - MDM PolicyManager: ADMX Ingestion: EnrollmentId (AAB267BF-EBF2-4649-822C-74511A4CC253), app name (office16v2), setting type (Policy), unique Id (office16v2), area (NULL).

Event ID 814 - MDM PolicyManager: Set policy string, Policy: (L_SignInOptions), Area: (office16v2~Policy~L_MicrosoftOfficeSystem~L_miscellaneous437), EnrollmentID requesting merge: (AAB267BF-EBF2-4649-822C-74511A4CC253), Current User: (S-1-12-1-1245278575-1092210432-2695042466-3045220724), String: (), Enrollment Type: (0x6), Scope: (0x1).

String Value 👉: <enabled/><data id="L_SignInOptions5" value="2" /> 

Registry Values

• Let’s check the ADMX injection happened for Office 365 policies.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\AAB267BF-EBF2-4649-822C-74511A4CC253\office16v2\Policy\office16v2

• All the ADMX backed policies for Office 365 is created.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\AAB267BF-EBF2-4649-822C-74511A4CC253\office16v2~Policy~L_MicrosoftOfficemachine~L_LicensingSettings\L_SCLCacheOverride

• The actual Office 365 policy configured below mentioned registry entry:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\AAB267BF-EBF2-4649-822C-74511A4CC253\default\S-1-12-1-1245278575-1092210432-2695042466-3045220724\office16v2~Policy~L_MicrosoftOfficeSystem~L_miscellaneous437

Results – Intune Reports

Let’s check the reports from Intune portal now. This shall help to get the results of Administrative Template Policy to Block signing into Office.

Resources

• OneDrive Outlook Security Policies Troubleshooting with Event Logs Registry | Intune
• Use Update Channel and Target Version settings to update Office 365 with Microsoft Intune Administrative Templates
• Use Windows 10 templates to configure group policy settings in Microsoft Intune