
Build bridges between domain and Microsoft accounts with Group Policy

BYOD disrupted how the IT department managed resources. Now, administrators face a management challenge presented by a new interloper -- Microsoft accounts.

Most corporations use domain accounts as the primary means of authentication and access control. But Microsoft is trying to entice users to log in to Windows 10 using a Microsoft account to access external Microsoft services, such as OneDrive and Outlook.com.

While Microsoft accounts and domain accounts may seem to be at odds, there is a way to use both simultaneously. It is also possible for administrators to restrict Microsoft accounts so users can only log in with domain accounts.

With Windows 10, Microsoft accounts serve two main purposes. Microsoft accounts allow users to download apps from the Microsoft Store. They also allow data to synchronize across devices and connect the user to external Microsoft services.

So why would an organization allow the use of both domain accounts and Microsoft accounts? It comes down to the degree of freedom administrators wish to give to users. The BYOD trend resulted from users insisting on accessing work-related messages and documents from their personal devices. Where IT once had tight reins on the infrastructure and only domain-joined PCs could get on the network, BYOD loosened these restrictions.

The ability to access personal resources from a domain-joined PC appears to be the next phase of this movement. Although many organizations prohibit Microsoft account use and personal data access from domain-joined PCs, some organizations allow the practice as the lines between personal and business resources blur more.

If an organization allows the simultaneous use of Microsoft accounts and domain accounts, then administrators do not need to do anything outside of the normal account setup procedure. Administrators can domain join the Windows 10 PCs, and users log in to domain accounts in the usual manner.

Use Group Policy to set limits


Active Directory has no native feature that maps a domain account to a Microsoft account, so there is no single sign-on between the two. The easiest thing an administrator can do is let users who want a Microsoft account establish the mapping themselves. The user logs in to the PC with her domain credentials, opens Settings > Accounts > Your email and accounts (labeled Email & accounts in later Windows 10 releases) and selects Add a Microsoft account. The system then prompts for the Microsoft account credentials, which remain separate from the domain password; the two accounts are linked only on that PC.

Administrators can disable Microsoft accounts at the group policy level to prevent users from connecting a Microsoft account on their domain-joined PC. The setting is located at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and is called Accounts: Block Microsoft accounts. Because it is a computer setting, the GPO must be linked to an OU that contains the computer objects. It offers two enforcement levels: Users can't add Microsoft accounts, which stops new connections but does not remove accounts that users have already connected, and Users can't add or log on with Microsoft accounts, which also blocks logon with an existing Microsoft account. As shown in Figure 1, this setting is not defined by default.

Block Microsoft accounts
Figure 1. Administrators can block a Microsoft account at the group policy level.
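The policy above is backed by a single registry value, so its effective state can be audited on each client and, with the GroupPolicy RSAT module, set in a GPO from a script. The following PowerShell is an added example, not code from the original article; it assumes the documented location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser (1 = cannot add, 3 = cannot add or log on, absent or 0 = not defined), a hypothetical GPO name, and that Set-GPRegistryValue writes the value as a registry policy, which the client applies with the same effect as the Security Options entry (GPMC will show it under registry settings rather than Security Options).

```powershell
# Added example, not from the original article. Audits and sets the
# "Accounts: Block Microsoft accounts" policy through the registry value
# that backs it (assumption: standard Windows 8.1/10 location and values).
#   absent or 0 -> not defined, Microsoft accounts allowed
#   1           -> users cannot add Microsoft accounts
#   3           -> users cannot add or log on with Microsoft accounts

function Get-MicrosoftAccountPolicy {
    <# Reads the effective setting on the local machine, or on remote
       machines over WinRM when -ComputerName is given. #>
    [CmdletBinding()]
    param([string[]]$ComputerName)

    $read = {
        $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $item  = Get-ItemProperty -Path $key -Name NoConnectedUser -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoConnectedUser } else { 0 }
        $meaning = switch ($value) {
            1       { 'Users cannot add Microsoft accounts' }
            3       { 'Users cannot add or log on with Microsoft accounts' }
            default { 'Not defined: Microsoft accounts allowed' }
        }
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            NoConnectedUser = $value
            Meaning         = $meaning
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read |
            Select-Object Computer, NoConnectedUser, Meaning
    } else {
        & $read
    }
}

function Set-MicrosoftAccountPolicy {
    <# Writes the value into a domain GPO with the GroupPolicy RSAT module.
       Link the GPO to the OU that holds the computer objects; the setting
       lives under Computer Configuration, so a link to a user OU does nothing. #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet(1, 3)][int]$Mode = 3     # 3 also blocks logon with already-connected accounts
    )

    Import-Module GroupPolicy -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($GpoName, "Set NoConnectedUser=$Mode")) {
        Set-GPRegistryValue -Name $GpoName `
            -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -ValueName NoConnectedUser -Type DWord -Value $Mode | Out-Null
    }
}

# Usage (hypothetical GPO name):
# Set-MicrosoftAccountPolicy -GpoName 'Workstations - Block Microsoft accounts' -Mode 3
# gpupdate /target:computer /force     # on a test client
# Get-MicrosoftAccountPolicy           # expect NoConnectedUser = 3
```

Run the audit function before and after linking the GPO; a client that still reports 0 after gpupdate usually means the GPO is linked to the wrong OU or the computer object is outside its scope. Mode 3 is the stricter choice: it blocks logon with Microsoft accounts that users connected before the policy arrived, whereas mode 1 leaves those connections in place.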

Microsoft accounts have a variety of uses, and administrators can block certain functionality without restricting the entire account. For example, an administrator might wish to prevent users from installing apps from the Microsoft Store. This process is a little bit tricky. The Group Policy setting that blocked the Store in Windows 8, Turn off the Store application, is no longer honored on Windows 10 Pro; Microsoft limits it to the Enterprise and Education editions. Instead, the administrator can deny the Store app through AppLocker, a feature that limits which users or groups can run particular applications. AppLocker itself is officially supported only on the Enterprise and Education editions, and it enforces nothing unless the Application Identity service is running on the client.

Open the Group Policy Editor and locate AppLocker under Computer Configuration > Windows Settings > Security Settings > Application Control Policies. Expand the AppLocker container, right-click the Packaged app Rules container and select Create New Rule. Click Next on the Before You Begin screen, and then choose the Deny option on the Permissions screen; leave the user or group as Everyone unless only some users should be blocked. At the Publisher screen, choose the option to use an installed app package as a reference and click Select. When the selection choices appear, choose the Store entry, as shown in Figure 2, and then click Next. Complete the wizard to finish creating the rule. Two points keep this from backfiring. First, when the wizard creates the first rule in the collection it offers to create the default rules; accept, because an enforced collection that contains only a Deny rule blocks every packaged app, not just the Store (the default Allow rule admits all signed packaged apps, and the explicit Deny still overrides it). Second, rules have no effect until the Packaged app Rules collection is set to Enforce rules in the AppLocker Properties dialog and the Application Identity service is running.

Deny the Microsoft Store
Figure 2. Use AppLocker to deny the Microsoft Store app.
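The wizard steps above can be reproduced from PowerShell, which makes the two pitfalls visible in the policy itself: the XML contains the default Allow rule next to the Deny rule, and the install step turns on the Application Identity service. The script below is an added example and is not from the original article or from Microsoft; it assumes the Store package name Microsoft.WindowsStore, the Everyone SID S-1-1-0, the AppLocker policy XML schema used since Windows 8, and, for the GPO variant, a hypothetical LDAP path to a GPO.

```powershell
# Added example, not from the original article. Builds the AppLocker
# packaged-app policy the wizard produces (a Deny rule for the Store plus
# the default Allow-all-signed rule), tests it offline, and applies it.
# Assumptions: Store package name Microsoft.WindowsStore; Everyone = S-1-1-0;
# AppLocker XML schema as shipped with Windows 8 and later.

function New-StoreDenyPolicy {
    [CmdletBinding()]
    param([string]$OutFile = (Join-Path $env:TEMP 'DenyStore.xml'))

    # Read publisher data from the installed package instead of hard-coding it.
    $pkg = Get-AppxPackage -Name Microsoft.WindowsStore | Select-Object -First 1
    if (-not $pkg) { throw 'Microsoft Store package is not installed for this user.' }
    $pub     = (Get-AppLockerFileInformation -Packages $pkg).Publisher
    $pubName = [System.Security.SecurityElement]::Escape($pub.PublisherName)
    $product = [System.Security.SecurityElement]::Escape($pub.ProductName)

    # Without the Allow rule, an enforced collection containing only a Deny
    # rule blocks every packaged app; this is what the wizard's "create
    # default rules" prompt guards against. Deny still wins over Allow.
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Microsoft Store" Description="Blocks the Store storefront app" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$pubName" ProductName="$product" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    $OutFile
}

function Test-StoreDenyPolicy {
    <# Evaluates the policy file against every installed package without
       applying it. Anything other than Microsoft.WindowsStore in the output
       means the Deny condition matched more than intended. #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$PolicyFile)

    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Packages (Get-AppxPackage) |
        Where-Object { $_.PolicyDecision -ne 'Allowed' }
}

function Install-StoreDenyPolicy {
    <# Merges the rules into the local policy, or into a GPO when -Ldap is
       given, e.g. 'LDAP://dc01.example.com/CN={GUID},CN=Policies,CN=System,DC=example,DC=com'
       (hypothetical path). #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PolicyFile, [string]$Ldap)

    # Nothing is enforced unless the Application Identity service runs.
    # Recent Windows 10 builds protect AppIDSvc from Set-Service, so use sc.exe.
    if (-not $Ldap -and $PSCmdlet.ShouldProcess('AppIDSvc', 'enable and start')) {
        sc.exe config appidsvc start= auto | Out-Null
        Start-Service -Name AppIDSvc
    }
    $target = if ($Ldap) { $Ldap } else { 'local AppLocker policy' }
    if ($PSCmdlet.ShouldProcess($target, 'merge AppLocker rules')) {
        if ($Ldap) { Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $Ldap -Merge }
        else       { Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge }
    }
}

# Usage on a test machine (run elevated):
# $file = New-StoreDenyPolicy
# Test-StoreDenyPolicy -PolicyFile $file    # expect only Microsoft.WindowsStore, decision Denied
# Install-StoreDenyPolicy -PolicyFile $file
```

Test-StoreDenyPolicy is the check to run before the policy reaches a GPO: it answers the "does this block only the Store" question without touching the client. Denying the storefront app stops users from browsing and installing from the Store, but it does not undo anything a connected Microsoft account already does, such as settings sync, so pair it with the Block Microsoft accounts setting when the goal is to keep personal accounts off domain-joined PCs entirely.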
