So, how can I use Group Policy to prevent users from linking their Microsoft accounts to local or domain logins?
Microsoft added new capabilities to Windows 8 that allow users to synchronize configuration and application settings between computers, so that when they log on to a different device, their settings follow them. In order to enable this new feature, users must associate their local computer or domain account with a Microsoft online identity, such as a Windows Live Mail account.
While this kind of synchronization may be useful for consumers, it could introduce risks for organizations, potentially allowing users to sync settings and app data between corporate-owned or -managed PCs to personal devices, which could lead to data leakage or a security breach. An account linked to a Microsoft identity is also required to download and purchase apps from the Windows Store, although it is possible to disable access to the store independently from restricting the ability to link domain accounts to Microsoft identities.
Disable Microsoft Accounts
To disable the ability to link domain and local computer accounts to Microsoft Accounts, open the Group Policy Management Console (GPMC) on Windows 8 or Server 2012 using a domain account that has permission to create new Group Policy Objects (GPOs).
- In the left pane of GPMC, expand your AD forest and domain.
- Right-click the Group Policy Objects folder and select New from the menu.
- In the New GPO dialog, name the GPO Restrict MS Account Linking and click OK.
- Click the Group Policy Objects folder in the left pane.
- Right-click the new GPO in the right pane of GPMC and select Edit from the menu.
- In the Group Policy Management Editor window, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- In the right pane of the Group Policy Management Editor window, double-click Accounts: Block Microsoft accounts.
- In the Properties dialog window, check Define this policy setting.
- In the drop-down menu, select Users can’t add or log in with Microsoft accounts from the menu and click OK.
- Close the Group Policy Management Editor window.
- In the left pane of GPMC, right-click your AD domain or an Organizational Unit, and select Link an Existing GPO here from the menu.
- In the Select GPO dialog, choose the Restrict MS Account Linking GPO and click OK.
Once Group Policy has updated on the affected machine, which you can force using the gpupdate command if you don’t want to wait, users will not be able to link a Microsoft account to their domain or a local computer account, and PC Sync settings will be unavailable.