In this modern world, we often get invited to our customers’ tenants as guests for better collaboration. For example, with Microsoft Teams we may need to log on to a shared computer and use Teams there. Every time we do, we get a popup asking “Allow my organization to manage my device”. This does not only apply to Teams, but to most Microsoft 365 applications. So, what is the right choice here?
When it comes to this notification, we don’t like it very much to begin with, but there are 4 choices for the end user:
- Click OK. Since it’s a blue button, this is where most users will just click without thinking. This will register the user’s device to Azure AD (Azure AD registered device) and possibly enroll it in MDM or MAM, depending on the current state of the device and the MDM and MAM configuration. This option also remembers the user’s credentials on this device for other apps.
- Uncheck “Allow my organization to manage my device”, then click OK. This will not register the user’s device to the external Azure AD, but it will remember the user’s credentials on the device for other apps.
- Choose “No, sign in to this app only”. This will not register the user’s device to the external Azure AD, and it will only remember the user’s credentials for this app.
- Close the window by clicking on X. This will just close the notification and does nothing.
We can always write detailed instructions for our users and let them know which option they should use. They won’t read them. Also, do we really want to give users the option to register the device with other tenants? We can force the choice.
How can I stop “Allow my organization to manage my device”?
As I mentioned before, if the user leaves “Allow my organization to manage my device“ checked and chooses OK, the device will be Azure AD registered to the external tenant, which is probably not our desired result. We really don’t want our devices registered to another company’s corporate tenant, and we also don’t want to see other companies’ devices in our tenant. Right?
You can find the answer in the Microsoft documentation.
Do it Through the Registry
Here’s the key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001
With this registry value in place, your users will no longer see this notification when they log in to, for example, Microsoft 365 apps or Microsoft Edge with another work or school account, and the device will not be registered to another Azure AD tenant (Azure AD registered). This also means there is no Single Sign-On for those additional accounts, and it might still have other unexpected impacts that we have not found yet.
There is extra information about this registry key and Hybrid Azure AD join planning; details can be found in
Deploy as script from Intune
For Intune managed devices you would typically deploy this as a PowerShell script. This simple script looks like this:
# Setting registry key to block AAD registration to 3rd-party tenants.
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\"
$keyname = "BlockAADWorkplaceJoin"

# Test if the path exists and create it if missing
if (!(Test-Path -Path $RegistryLocation)) {
    Write-Output "Registry location missing. Creating"
    New-Item $RegistryLocation | Out-Null
}

# Force-create the value as DWORD 1 (overwrites an existing value)
New-ItemProperty -Path $RegistryLocation -Name $keyname -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "Registry key set"
I then deployed this as required to all my Windows 10 Corporate devices. This script must run as “system”.
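To confirm the policy actually landed on every device (and stays there), an Intune detection script is the natural companion to the deployment script above. The following is an added example, not from the original post: the function name Test-WorkplaceJoinBlocked and the exit-code convention (0 = compliant, 1 = needs remediation, as Intune remediations expect) are my assumptions; the registry path and value name are the ones from the post.

```powershell
# Added example (not the post's own script): detection script that verifies the
# BlockAADWorkplaceJoin policy is present, a DWORD, and set to 1.
# Exit 0 = compliant, exit 1 = remediation needed (Intune remediation convention).
$RegistryLocation = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin"
$KeyName          = "BlockAADWorkplaceJoin"
$ExpectedValue    = 1

function Test-WorkplaceJoinBlocked {
    # Case 1: the policy key was never created on this device
    if (-not (Test-Path -Path $RegistryLocation)) {
        Write-Output "Not compliant: $RegistryLocation does not exist"
        return $false
    }

    # Case 2: the key exists but the value is missing
    $item = Get-ItemProperty -Path $RegistryLocation -Name $KeyName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "Not compliant: $KeyName is not set"
        return $false
    }

    # Case 3: the value exists but has the wrong type (e.g. a REG_SZ "1" is ignored by the policy)
    $kind = (Get-Item -Path $RegistryLocation).GetValueKind($KeyName)
    if ($kind -ne 'DWord') {
        Write-Output "Not compliant: $KeyName is of type $kind, expected DWord"
        return $false
    }

    # Case 4: the value exists but is not 1 (e.g. someone set it back to 0)
    $current = $item.$KeyName
    if ($current -ne $ExpectedValue) {
        Write-Output "Not compliant: $KeyName is $current, expected $ExpectedValue"
        return $false
    }

    Write-Output "Compliant: $KeyName = $current (DWord)"
    return $true
}

# Translate the result into the exit code Intune reads
if (Test-WorkplaceJoinBlocked) { exit 0 } else { exit 1 }
```

Pair it with the deployment script above as the remediation script; the detection runs in the SYSTEM context like the deployment, so reading HKLM needs no extra rights.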
That’s all you need to do if you want to stop this annoying prompt from bothering your users every single day they collaborate with external parties in Teams or other places.