Prevent ‘Use this account everywhere on your device’ – M365 Apps

When you install Office 365 ProPlus / M365 Apps, you may be presented with a screen which says ‘Use this account everywhere on your device’.

Below is how to prevent that screen from appearing, and how to prevent the Azure AD device registration that results from pressing Yes.

The installation goes smoothly until users are presented with this prompt, at which point, in a state of confusion, they are likely to just press Yes, or possibly one of the other options, as we will see below:

Hide this screen by preventing Azure AD registration

This screen can be hidden by editing the registry as per https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#review-things-you-should-know:

You can prevent your domain joined device from being Azure AD registered by adding this registry key – HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001

This registry value takes effect immediately and does not require a reboot; the screen will not appear again. Note that hybrid Azure AD join via Azure AD Connect still works with this value set.

Disable AzureAD Security Defaults – MFA

Microsoft recently turned on security defaults for M365 Tenants forcing MFA for users.

You can check by going into Azure AD > Properties > Manage Security defaults

If defaults are set to “Yes”, that is the reason MFA was turned on. Setting it to “No” removes the “new” defaults and turns MFA off. However, it is highly recommended to use MFA for all accounts.

Disable Azure AD registration for devices

Login to M365 portal as a Global Administrator.

Browse to Azure Active Directory > Devices

Go into Device settings.

Select None under the ‘Users may join devices to Azure AD’ option.

Check the status of the machine to see if it is joined to Azure AD

Run PowerShell as Administrator:

dsregcmd /status
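As an added example (not part of the original post), the following PowerShell, run from an elevated session, applies the BlockAADWorkplaceJoin registry value described in the first section and then parses the dsregcmd /status output to confirm the device state. The function names and the choice of status fields to print are this example's own; the registry path, value name, value and the dsregcmd command are those given in the post.

```powershell
# Added example: block Azure AD workplace registration via the policy value
# quoted above, then confirm the result with dsregcmd /status.
# Run in an elevated PowerShell session. Function names are this example's own.

function Set-BlockAADWorkplaceJoin {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # DWORD 1 = block; takes effect immediately, no reboot needed
    New-ItemProperty -Path $path -Name 'BlockAADWorkplaceJoin' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller can verify it was written
    (Get-ItemProperty -Path $path -Name 'BlockAADWorkplaceJoin').BlockAADWorkplaceJoin
}

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under section headers;
    # collect the single-token keys into a hashtable for easy lookup.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

if ((Set-BlockAADWorkplaceJoin) -eq 1) {
    'BlockAADWorkplaceJoin policy applied'
}

# Show the join state: DomainJoined (on-prem AD), AzureAdJoined (Azure AD /
# hybrid join) and WorkplaceJoined (the registration the prompt would create).
$s = Get-DsregStatus
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'WorkplaceJoined') {
    '{0,-16}: {1}' -f $k, $s[$k]
}
```

Once the policy is in place, WorkplaceJoined should stay NO for users who see the prompt, while AzureAdJoined reports the hybrid join state, which this value does not affect.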

If the device is deleted in Azure AD, you need to re-register the device. To re-register, you must take a manual action on the device.

See below for instructions for re-registration based on the device state.

To re-register hybrid Azure AD joined Windows 10 and Windows Server 2016/2019 devices, take the following steps:

Open the command prompt as an administrator.
Enter dsregcmd.exe /debug /leave

Sign out and sign in to trigger the scheduled task that registers the device again with Azure AD.