Microsoft accounts that are associated to domain accounts can help users (or network administrators) to transfer settings of their workplace between computers. For administrators it is also possible to disable the ability to use Microsoft accounts with Group Policy.

block-ms-account

The Group Policy setting used to disable Microsoft account use is named Accounts: Block Microsoft accounts, and the setting is found in Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options. You can choose from three different settings:

  • This policy is disabled: If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
  • Users can’t add or log on with Microsoft accounts: If you select the “Users can’t add or log on with Microsoft accounts” option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
  • Users can’t add Microsoft accounts: If you select the “Users can’t add Microsoft accounts” option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.