How can I block employees from signing in to personal Email accounts on company devices?


Max Coder

Jul 29, 2025, 5:55:06 AM
to ntsysadmin
Hello,

Is it possible to block employees from signing in to personal email accounts on company devices?

AFAIK, there is an OWA policy.

For example, we use Microsoft 365; we just want users to only be able to sign in with our domains.

Michael B. Smith

Jul 29, 2025, 7:24:49 AM
to ntsys...@googlegroups.com

If you are using Intune, absolutely. You configure an app configuration policy to only allow Outlook and only allow “work or school” accounts.

Other MDMs (or none) or different apps – you need to ask the vendor. Or at least provide more information here for people who know those apps to respond.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/aa8b8970-9866-4b74-af11-f80e1707af55n%40googlegroups.com.

Shawn K. Hall

Jul 29, 2025, 6:11:40 PM
to ntsys...@googlegroups.com
It is *not* a silver bullet, but the "Accounts: Block Microsoft accounts" policy is probably what you're looking for.

Accounts: Block Microsoft accounts
This setting prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
<https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts>

-S


Kurt Buff

Jul 30, 2025, 11:54:04 AM
to ntsys...@googlegroups.com
Are you only talking about Outlook, or do you wish to block access via web browser to, e.g., gmail, protonmail, yahoo mail, etc.?

Kurt


maxcoder1

Jul 30, 2025, 12:03:09 PM
to ntsys...@googlegroups.com
> Are you only talking about Outlook, or do you wish to block access via web browser to, e.g., gmail, protonmail, yahoo mail, etc.?

Actually, I'm talking about both of them.  Outlook and web browser.

Kurt Buff

Jul 30, 2025, 1:16:44 PM
to ntsys...@googlegroups.com
I am not familiar with Intune, so I will bow to others, but trying to block web-based email in our environment would probably require adjustments to the firewall, or to our XDR, to block access to those providers.

Kurt


Michael B. Smith

Jul 31, 2025, 10:11:59 AM
to ntsys...@googlegroups.com

So my initial response presumed Intune, but the OP didn’t comment.

I agree with your assessment regarding web-based email. In a MSFT-only environment, it would require changes in Microsoft Defender (the relevant EDR) or to the local firewall.

Without more info about the environment, I don’t think there is much more to say. 😊

maxcoder1

Jul 31, 2025, 10:38:14 AM
to ntsys...@googlegroups.com
Hi Michael,

Yes, Intune is available. By the way, I saw OWA Policy. Does it work the same way? I'm asking about Outlook apps.

John Scott

Aug 1, 2025, 1:08:29 PM
to ntsysadmin
From my documentation:

365 (Exchange Online): policy based
Connect-ExchangeOnline
Get-OwaMailboxPolicy | Select-Object Name, Identity
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -PersonalAccountsEnabled $false -PersonalAccountCalendarsEnabled $false

Verify:
Get-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" | Select-Object Name, PersonalAccountsEnabled, PersonalAccountCalendarsEnabled

Result:
Users will see an error message if they try to add a personal account.

Classic Desktop: Group Policy or Registry
[HKEY_CURRENT_USER\Software\Policies\Microsoft\office\16.0\outlook]
"disableexchangeconsumeraccounts"=dword:00000001
"disablepst"=dword:00000001

"disableexchangeconsumeraccounts" blocks adding Outlook.com accounts.
"disablepst" blocks creation of new .pst files.

Limit number of Exchange accounts:
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\exchange]
"disablemultipleexchange"=dword:00000001
"maxnumexchange"=dword:00000001

This restricts Outlook to a single Exchange account profile.

I'd just use a firewall or proxy to block web-based email.

John
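The settings from John's message above and the "Accounts: Block Microsoft accounts" policy Shawn pointed to earlier are all registry-backed on the client, so they can be applied and audited together. The script below is an added example, not code from the thread or from either poster: the function names are mine, the Outlook and Exchange value names are the ones John quoted, and `NoConnectedUser` (1 = users can't add Microsoft accounts, 3 = users can't add or log on with them) is the value behind the security policy setting Shawn linked. The Exchange Online part assumes the ExchangeOnlineManagement module is installed; the HKLM part needs an elevated prompt.

```powershell
# Added example (not from the thread). Desired state: registry path -> @{ ValueName = ExpectedData }.
$DesiredRegistry = @{
    # Outlook: block Outlook.com (consumer) accounts and creation of new PST files (per-user policy key)
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook' = @{
        DisableExchangeConsumerAccounts = 1
        DisablePST                      = 1
    }
    # Outlook: one Exchange account per profile
    'HKCU:\Software\Policies\Microsoft\Exchange' = @{
        DisableMultipleExchange = 1
        MaxNumExchange          = 1
    }
    # "Accounts: Block Microsoft accounts" -> "Users can't add or log on with Microsoft accounts"
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        NoConnectedUser = 3
    }
}

function Test-PersonalAccountBlock {
    # Returns one row per expected value; Compliant is $false when the value is missing or differs.
    param([hashtable]$Desired = $DesiredRegistry)
    foreach ($path in $Desired.Keys) {
        foreach ($name in $Desired[$path].Keys) {
            $expected = $Desired[$path][$name]
            $actual = $null
            if (Test-Path $path) {
                $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Path      = $path
                Name      = $name
                Expected  = $expected
                Actual    = $actual
                Compliant = ($actual -eq $expected)
            }
        }
    }
}

function Set-PersonalAccountBlock {
    # Creates any missing policy keys and writes every value as a DWORD.
    param([hashtable]$Desired = $DesiredRegistry)
    foreach ($path in $Desired.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $Desired[$path].Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $Desired[$path][$name] -Force | Out-Null
        }
    }
}

function Set-OwaPersonalAccountBlock {
    # Exchange Online side: disable personal accounts on every OWA mailbox policy,
    # not only the default one, then return the same verification view John posted.
    Connect-ExchangeOnline -ShowBanner:$false
    Get-OwaMailboxPolicy | ForEach-Object {
        Set-OwaMailboxPolicy -Identity $_.Identity `
            -PersonalAccountsEnabled $false -PersonalAccountCalendarsEnabled $false
    }
    Get-OwaMailboxPolicy | Select-Object Name, PersonalAccountsEnabled, PersonalAccountCalendarsEnabled
}

# Usage (elevated for the HKLM value):
# Set-PersonalAccountBlock
# Test-PersonalAccountBlock | Format-Table -AutoSize
# Set-OwaPersonalAccountBlock
```

Two points worth keeping in mind when using this. The HKCU values are per user and anything under HKCU can be reverted by the user, so in a domain they belong in Group Policy or an Intune settings catalog profile rather than a one-off script; the audit function is the part that stays useful, because it shows drift from whatever deployed them. And the Exchange Online function walks all OWA mailbox policies because a tenant that has ever created a second policy will otherwise leave a gap that the default-policy command alone never closes.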

Nathan Woodcock

Aug 1, 2025, 1:08:36 PM
to ntsys...@googlegroups.com
At one client we use a clunky HOSTS file based block managed by an RMM script.

Philip Elder

Aug 5, 2025, 2:59:47 PM
to ntsys...@googlegroups.com

If the environment allowed for it we’d set up a DNS Forward Lookup Zone for Hotmail.Com, Gmail.Com, ProtonMail.Com and so on with an internal IP for the DNS A record.

If hitting via web we could use ARR/URLReWrite to hit a local IIS site to let them know they shouldn’t be doing that.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Teams: Phili...@MPECSInc.Cloud

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

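Philip's "forward lookup zone per webmail domain" idea, carried through on a Windows DNS server with the DnsServer module. This is an added example, not Philip's own script: the domain list, the notice server address and the function names are constructed. The zone is AD-integrated so every DC answers the same way, the apex and a wildcard both point at the internal IIS notice page, and a client-side check confirms the sinkhole from the resolver's point of view.

```powershell
# Added example (not from the thread). Run on a DC / DNS server with the DnsServer module.
# A zone hides everything beneath it, so for Gmail the zone is mail.google.com rather than
# google.com (a google.com zone would black-hole every Google service, not just mail).
$BlockedMailDomains = 'hotmail.com', 'outlook.live.com', 'mail.google.com',
                      'protonmail.com', 'proton.me', 'mail.yahoo.com'
$NoticeServerIP = '10.0.0.50'          # constructed: internal IIS host serving the notice page
$ResolverToCheck = 'dc01.corp.example' # constructed: a DNS server clients actually use

function New-WebmailSinkholeZone {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$IPv4Address,
        [string]$ReplicationScope = 'Domain'   # AD-integrated, replicated to all DCs in the domain
    )
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope $ReplicationScope
    }
    # '@' answers the bare domain, '*' answers www.<domain>, login.<domain> and anything else.
    $existing = Get-DnsServerResourceRecord -ZoneName $Domain -RRType A -ErrorAction SilentlyContinue
    foreach ($host in '@', '*') {
        if (-not ($existing | Where-Object HostName -eq $host)) {
            Add-DnsServerResourceRecordA -ZoneName $Domain -Name $host -IPv4Address $IPv4Address `
                -TimeToLive ([TimeSpan]::FromMinutes(5))   # short TTL so removal takes effect quickly
        }
    }
}

function Test-WebmailSinkhole {
    # Client-side verification: every blocked name must resolve to the notice server.
    param([string[]]$Domains, [string]$ExpectedIP, [string]$DnsServer)
    foreach ($d in $Domains) {
        $answer = Resolve-DnsName -Name $d -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            Domain    = $d
            Resolved  = ($answer -join ',')
            Sinkholed = ($answer -contains $ExpectedIP)
        }
    }
}

foreach ($d in $BlockedMailDomains) { New-WebmailSinkholeZone -Domain $d -IPv4Address $NoticeServerIP }
Test-WebmailSinkhole -Domains $BlockedMailDomains -ExpectedIP $NoticeServerIP -DnsServer $ResolverToCheck |
    Format-Table -AutoSize
```

The check function is the part to keep in a scheduled job: a sinkhole that silently stops resolving (zone deleted, record overwritten, client pointed at another resolver) is invisible otherwise. As Kurt and Philip note in the rest of the thread, a DNS-level block only holds for clients that actually use the internal resolvers; a browser doing its own DNS over HTTPS, or a user typing an IP, never consults these zones, so the DNS sinkhole is a complement to the browser policy and egress controls, not a replacement for them.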

Philip Elder

Aug 5, 2025, 3:08:31 PM
to ntsys...@googlegroups.com

I just remembered that browser vendors are using DNS over HTTPS to circumvent local DNS for their queries.

That means that they can do whatever they please.

So, what is yet untested here is a Windows Firewall Rule for TCP/UDP 53 (DNS) that allows outbound to the local DNS server(s) only at the client end. By untested, I’m not sure if the network stack, that includes the firewall parsing, would be enough to catch that clandestine browser DNS call?

Another option would be HTTPS snooping at the edge/router/firewall that forced the HTTPS tunnel open to catch that DNS call.

I shall refrain from expressing my opinion on DNS over HTTPS but that should be enough to let all y’all know what I really think of it.


Shawn K. Hall

Aug 5, 2025, 3:57:28 PM
to ntsys...@googlegroups.com
DoH can use any port, but usually uses HTTPS on 443. DoT can use any port, too. They can both also use any domain. However, you can disable it in browser policy in any modern browser.

Edge: DnsOverHttpsMode (https://github.com/MicrosoftDocs/Edge-Enterprise/blob/public/edgeenterprise/microsoft-edge-browser-policies/DnsOverHttpsMode.md)

Chrome/Chromium: DnsOverHttpsMode (https://chromeenterprise.google/policies/#DnsOverHttpsMode)

Firefox: DNSOverHTTPS\Enabled (https://mozilla.github.io/policy-templates/#dnsoverhttps)

-S

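Shawn's answer settles Philip's open question: a port-53 firewall rule on the client cannot see DoH, because DoH is ordinary HTTPS on 443, so the two controls have to be combined. The script below is an added example, not code from either poster: it writes the three machine-level browser policies Shawn named (Edge and Chrome `DnsOverHttpsMode = off`, Firefox `DNSOverHTTPS\Enabled = 0`) and then builds the client-side Windows Firewall rules Philip described. The resolver addresses and function names are constructed. One detail that trips people up is handled explicitly: Windows Firewall gives block rules precedence over allow rules and has no "except these addresses" syntax, so the block rule has to be written against the complement of the resolver addresses.

```powershell
# Added example (not from the thread). Run elevated: HKLM policy keys and firewall rules.
$InternalResolvers = '10.0.0.10', '10.0.0.11'   # constructed: the internal DNS servers clients may use

# Machine-level browser policies that turn DNS over HTTPS off.
$DohPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';               Name = 'DnsOverHttpsMode'; Type = 'String'; Data = 'off' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';                Name = 'DnsOverHttpsMode'; Type = 'String'; Data = 'off' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'; Name = 'Enabled';          Type = 'DWord';  Data = 0     }
)

function Set-BrowserDohPolicy {
    foreach ($p in $DohPolicies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType $p.Type -Value $p.Data -Force | Out-Null
    }
}

function Test-BrowserDohPolicy {
    # One row per browser; Compliant is $false when the key is missing or holds another value.
    foreach ($p in $DohPolicies) {
        $actual = $null
        if (Test-Path $p.Path) { $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name) }
        [pscustomobject]@{ Vendor = $p.Path.Split('\')[3]; Policy = $p.Name; Actual = $actual; Compliant = ("$actual" -eq "$($p.Data)") }
    }
}

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [System.BitConverter]::ToUInt32([byte[]]($b[3], $b[2], $b[1], $b[0]), 0)   # big-endian -> host order
}
function ConvertFrom-UInt32 ([uint32]$N) {
    $b = [System.BitConverter]::GetBytes($N); [array]::Reverse($b)
    ([System.Net.IPAddress]::new($b)).ToString()
}

function Get-ComplementRanges {
    # IPv4 ranges covering every address except the excluded ones, for use as the
    # block rule's -RemoteAddress (block beats allow, so the allow rule alone is not enough).
    param([string[]]$Exclude)
    $sorted = $Exclude | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique
    $ranges = @()
    [uint32]$next = 0
    foreach ($ip in $sorted) {
        if ($ip -gt $next) {
            $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 $next), (ConvertFrom-UInt32 ([uint32]($ip - 1))))
        }
        if ($ip -eq [uint32]::MaxValue) { return $ranges }
        $next = [uint32]($ip + 1)
    }
    $ranges += ('{0}-{1}' -f (ConvertFrom-UInt32 $next), '255.255.255.255')
    $ranges
}

function Set-DnsEgressRules {
    # Classic DNS (TCP/UDP 53) may leave the host only toward the internal resolvers.
    param([string[]]$Resolvers = $InternalResolvers)
    $elsewhere = Get-ComplementRanges -Exclude $Resolvers
    foreach ($proto in 'UDP', 'TCP') {
        Get-NetFirewallRule -DisplayName "DNS egress ($proto)*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName "DNS egress ($proto) allow internal resolvers" -Direction Outbound `
            -Protocol $proto -RemotePort 53 -RemoteAddress $Resolvers -Action Allow | Out-Null
        New-NetFirewallRule -DisplayName "DNS egress ($proto) block external resolvers" -Direction Outbound `
            -Protocol $proto -RemotePort 53 -RemoteAddress $elsewhere -Action Block | Out-Null
    }
}

# Usage:
# Set-BrowserDohPolicy; Set-DnsEgressRules
# Test-BrowserDohPolicy | Format-Table -AutoSize
# Get-ComplementRanges -Exclude $InternalResolvers
```

The firewall half only constrains IPv4 as written; on a dual-stack network add the IPv6 resolvers and a matching complement, or disable IPv6 DNS at the adapter, otherwise port 53 over IPv6 is an open path. The browser half only binds browsers that honour those policy keys, which is why Kurt's reply below about blocking DoH at an L7 firewall is the complementary control: policy stops the managed browsers, the edge device catches everything else.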

Kurt Buff

Aug 5, 2025, 7:01:04 PM
to ntsys...@googlegroups.com
A good L7 firewall should be able to block DoH - I'm thinking Palo Alto or Check Point, as I've used both. There are probably others.

Kurt
