Prevent ‘Use this account everywhere on your device’ screen when installing Office 365 ProPlus

When you install Office 365 ProPlus, you may be presented with a screen which says ‘Use this account everywhere on your device’. This is how to prevent that screen appearing, and prevent the Azure AD device registration that may result from pressing yes.

So this is how it goes: a user installs Office without issues. They fire up an Office app, are presented with this screen, and duly sign in:

[Screenshot: Office sign-in prompt]

All goes well, until they get presented with this, at which point in a state of confusion they likely either just press yes, or possibly another option as we will see below:

[Screenshot: ‘Use this account everywhere on your device’ prompt]

Hide this screen by preventing Azure AD registration

This screen can be hidden by editing the registry as per https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-things-you-should-know:

You can prevent your domain joined device from being Azure AD registered by adding this registry key – HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001.

This registry key takes effect immediately and does not require a reboot. You won’t see the screen again. Note that you can still use Hybrid join via AD Connect. If you want to know more about what this screen actually does, read on…
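The following PowerShell is an added example (not from the original post) that applies the policy value quoted above, reads it back, and then checks the local join state with dsregcmd /status so you can spot users who already pressed Yes. It assumes an elevated prompt on a domain-joined Windows 10 PC and that dsregcmd prints its fields in the usual ‘Name : Value’ layout.

```powershell
# Apply BlockAADWorkplaceJoin (the value the post describes) and verify it.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$valueName = 'BlockAADWorkplaceJoin'

# The policy key does not exist on a default install, so create it first.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# DWORD 1 = block Azure AD registration. Hybrid Azure AD join via AD Connect is unaffected.
Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord

# Read it back so the script fails loudly if the write was blocked (permissions, policy).
$applied = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($applied -ne 1) {
    throw "Expected $valueName = 1 under $keyPath, found '$applied'"
}
Write-Host "$valueName = $applied; the prompt can no longer register this device in Azure AD."

# dsregcmd /status reports the join state. 'WorkplaceJoined : YES' in the user section
# means this user already pressed Yes and the device is Azure AD registered; the new
# policy value blocks future registrations but does not remove an existing one
# (remove it from Settings > Access work or school, or delete the device in the portal).
$fields = @{}
foreach ($line in (dsregcmd /status)) {
    # Key is everything before the first colon; the value may itself contain colons (URLs).
    if ($line -match '^\s*(\S[^:]*?)\s*:\s*(\S.*)$') {
        $fields[$matches[1]] = $matches[2]
    }
}
foreach ($name in 'DomainJoined', 'AzureAdJoined', 'WorkplaceJoined') {
    $value = if ($fields.ContainsKey($name)) { $fields[$name] } else { 'not reported' }
    Write-Host ("{0,-16}: {1}" -f $name, $value)
}
if ($fields['WorkplaceJoined'] -eq 'YES') {
    Write-Warning 'This user already registered the device in Azure AD; review and deregister if that was unintended.'
}
```

For fleet-wide deployment the same DWORD can be pushed as a Group Policy registry preference instead of running the script per machine.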

The screen above is confusing for users who often don’t know which option to use. There are in fact 4 options for a user to take on this screen:

  • Click Yes
  • Untick ‘Allow my organisation to manage my device’ and then click Yes
  • Click the cross
  • Click ‘This app only’

Either of the first two options will allow Windows to remember your credentials, and make it easier to sign in to other apps in the future.

Now most users will just press Yes without unchecking the tick box. If they do this, the device will try to register itself in Azure Active Directory, which may or may not succeed. If it succeeds, the device ends up registered in Azure AD and you can see it in the Azure Portal. See https://docs.microsoft.com/en-us/azure/active-directory/devices/overview if you want to know more about what device registration does.

When a device is registered in Azure AD, it allows an Administrator to block access to that tenant by clicking Delete. This will prevent the device from gaining access to any data in that tenant, so can be used if a device is lost for example. It does not allow any other management, for example the administrator cannot wipe or reset your device, or see any information on it. Further management can be done using Intune as an MDM, but this requires further configuration of the PC (enrolment).

This screenshot shows a Windows machine which is registered in Azure AD.

[Screenshot: Windows device registered in Azure AD]

…and can be seen in the Access work or school page in Settings (and this is also how to deregister a device):

[Screenshot: Settings > Access work or school]


15 Comments

  1. Chirag

    Hello,
    Great Article! I clicked Yes with the checkbox for allowing device to be controlled selected.
    However, the sign in failed.
    I’m curious to know if my device got registered since I selected the checkbox.
    What bothered me that whether organization would have access to my PC and files.
    However, I don’t see any details in the Access work or school page in Settings
    Does it mean my device was never registered?
    Thanks.

    • Hal

      Hi, then no, registration failed for whatever reason. Even if it was, your company would not be able to see files or settings.

      • Chirag

        Thanks for clarifying. Also, since the company wouldn’t be able to see files, it also means not even MS Office files like Word docs, Excel sheets etc. that are saved locally, even though the company actually provided O365.

  2. Chirag

    Hi,

    Is device enrolment independent of other devices?

    We know we can install office 365 on 5 devices.

    If I enroll 1 device with AD, then are other devices managed by the company too? Or only the specified device’s settings are managed by the organization?

    What happens if I format a device which was registered earlier? Does it go into the state of an unlinked PC?

    I’m interested in learning Azure.
    Where should I begin from?

    Thanks.

    • Hal Sclater

      Hi Chirag
      The Office activations are not linked to number of enrolled devices.
      If you format a device, it will remain in Azure AD but will be stale and can then be removed. If you remove an active registered device in Azure AD, it will be blocked from sign in and would require re-registering.

  3. Ben

    Sadly this hasn’t stopped it for us. Configuring 90 users on an RDS Farm and each of them is being asked for it. You’d think it shouldn’t be doing it on a Server OS. We even have Seamless Sign On configured and Outlook still asks for a password. Everything else works with SSO!

    • Hal Sclater

      Outlook should not be asking for a password, something is wrong with your SSO set up. Also did you use shared computer activation on the RDS server?

  4. John

    Hi Hal,
    What if we select the third option “Click the cross” with the checkbox selected as it is? Would it still allow the org. to manage the device?

  5. John

    Hi Hal, haven’t heard back from you on the above. I was going through the process and clicked on the cross (X) with all the options intact (checkbox checked etc.).
    Would it still allow the organisation to manage the device?
    or anything else?

    • Hal Sclater

      Hi John. OK, not sure, but you can check if the device is registered in Settings – Access work or school.

  6. Madhav

    Going through the sign in process, the screen came up and I clicked on cross without changing the checkbox state. I want to know what would be the behaviour now as the text mentions that the organisation will be able to manage the device.

    • Hal Sclater

      As above: When a device is registered in Azure AD, it allows an Administrator to block access to that tenant by clicking Delete. This will prevent the device from gaining access to any data in that tenant, so can be used if a device is lost for example. It does not allow any other management, for example the administrator cannot wipe or reset your device, or see any information on it.
