
How to Block Personal Microsoft Accounts on Company Devices with Intune

Published 1 May 2025 · Updated March 2025

On a default Windows device, nothing stops a user from signing into their personal OneDrive, adding a personal Outlook account, or syncing files to personal cloud storage. For a corporate device, this creates a data leakage risk: company files can end up in personal OneDrive accounts, and personal accounts can introduce files onto corporate machines.

You can block this through Intune using a Settings Catalog configuration profile. It takes about 10 minutes to set up.

ℹ️ What this actually blocks
This policy blocks personal Microsoft accounts from being added to Windows itself (Settings app, Accounts) and from signing into Microsoft apps like OneDrive, Outlook, and Teams with a personal account. It does not block users from browsing to outlook.com in a browser.

Create the Configuration Profile

📋 Policy Setup
  • Platform: Windows 10 and later
  • Profile type: Settings Catalog

Give the policy a clear name such as CORP-Block-PersonalMicrosoftAccounts.

Add the Settings

⚙️ Configuration

In the Settings Catalog, search for Accounts. You need two specific settings.

Setting 1: Block Microsoft Accounts (Windows)

Search for Accounts Allow Microsoft Account Connection and set it to Disabled. This prevents users from adding any personal Microsoft account on the Windows Accounts settings page.

🔐 Accounts: Windows account connection restrictions
  • Setting: Accounts Allow Microsoft Account Connection
  • Effect: Blocks personal Microsoft accounts from being added to Windows
  • Value: Disabled

Setting 2: Block Personal OneDrive Sync

Search for OneDrive Disable Personal Sync and set it to Enabled. This specifically stops the OneDrive sync client from signing in with a personal Microsoft account, which is the most common way company files end up in personal cloud storage.

☁️ OneDrive: Personal sync restrictions
  • Setting: Disable Personal Sync
  • Effect: Prevents OneDrive from syncing personal Microsoft account files on domain-joined or Intune-managed devices
  • Value: Enabled

Optional: Block consumer Microsoft account sign-in in apps

If you also want to block personal accounts from signing into Microsoft apps at the app level (not just the OS level), search for Allow Microsoft Account Sign In Assistant and set it to Disabled. This stops the Sign-In Assistant service, which personal Microsoft account sign-ins rely on.

⚠️ Test before rolling out widely
Some line-of-business apps use Microsoft accounts for licence activation or sign-in. Test on a pilot group first and check for any apps that break before assigning this policy to all devices.

Assign and Deploy

Assign the policy to your All Corporate Devices group or a specific device group. The policy applies at next check-in, which you can force with a manual sync. Once applied, any attempt to add a personal Microsoft account in Windows Settings will be blocked, and the OneDrive personal sync option will be greyed out.

Verify It Worked

On a test device after policy sync, go to Settings > Accounts > Email and accounts and click Add a Microsoft account. The option should either be missing or return an error stating the account type is not permitted by your organisation.

In OneDrive, right-click the tray icon, go to Settings, and check the Account tab. The option to add a personal account should not appear.
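
The same check can be scripted for a pilot group. The PowerShell below is an added example, not part of the original guide, and should be run as the signed-in user because the OneDrive value is per-user. Assumptions: the registry locations are where Windows normally stores MDM (PolicyManager) and OneDrive policy values, and the helper name Test-PolicyValue is hypothetical.

```powershell
# Added example: local check for the three settings in this guide.
# Assumption: these registry locations (Windows' usual MDM PolicyManager store and
# the OneDrive policy key) are not taken from the guide itself.
$checks = @(
    [pscustomobject]@{
        Setting  = 'Accounts Allow Microsoft Account Connection'
        Path     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts'
        Name     = 'AllowMicrosoftAccountConnection'
        Expected = 0          # Disabled
        Required = $true
    }
    [pscustomobject]@{
        Setting  = 'OneDrive Disable Personal Sync'
        Path     = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'   # per-user value
        Name     = 'DisablePersonalSync'
        Expected = 1          # Enabled
        Required = $true
    }
    [pscustomobject]@{
        Setting  = 'Allow Microsoft Account Sign In Assistant'
        Path     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts'
        Name     = 'AllowMicrosoftAccountSignInAssistant'
        Expected = 0          # Disabled
        Required = $false     # optional setting in the guide
    }
)

# Hypothetical helper: reads one policy value and classifies it.
function Test-PolicyValue {
    param([Parameter(Mandatory)] [pscustomobject] $Check)
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    if ($null -eq $actual) { $status = 'NotConfigured' }
    elseif ($actual -eq $Check.Expected) { $status = 'Enforced' }
    else { $status = 'Mismatch' }
    [pscustomobject]@{
        Setting = $Check.Setting; Expected = $Check.Expected
        Actual  = $actual; Status = $status; Required = $Check.Required
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit when a required setting is missing or wrong, so the result can
# be collected from pilot devices before the policy is assigned more widely.
$failed = @($results | Where-Object { $_.Required -and $_.Status -ne 'Enforced' })
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```

A status of NotConfigured on a required setting usually means the device has not synced since assignment, or the profile is not targeted at that device or user.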

Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
