Block personal accounts from syncing in Microsoft Edge with Microsoft Intune

Today another blog post about the new Chromium-based Microsoft Edge browser and managing it with Microsoft Intune (Microsoft Endpoint Manager). This time it is about blocking personal accounts from syncing in Microsoft Edge.

In the new Edge browser we have the option to sign in to the browser and sync data like favorites, passwords and more. Signing in to the browser can be done with a work or school account, or with a personal account (an Outlook.com account, for example).
If you want to block personal account sign-in and sync in Edge, there isn't a setting that simply blocks personal accounts and only allows (Azure) Active Directory accounts. But there is a setting to restrict which accounts can be used as Microsoft Edge primary accounts, which gives us a workaround: only sign-ins that match the allowed pattern are accepted, and an account that cannot sign in cannot sync.

Configure Administrative Templates profile

Like a lot of other settings, the setting to restrict which accounts can be used as Microsoft Edge primary accounts is available in the Administrative Templates profile for Edge.

  • Sign in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Administrative Templates as Profile type
  • Click Create
  • Open the settings tab
  • Select Edge version 77 and later from the drop-down list
  • Search for Restrict which accounts
  • Click the setting Restrict which accounts can be used as Microsoft Edge primary accounts
  • Click Enabled
  • Add the domain(s) from which you allow sign-in to the browser.
    The format is .*@mempowered.eu
    The value is a regular expression, so escaping the dot (.*@mempowered\.eu) keeps the pattern strict; an unescaped dot matches any single character.
    Multiple domains need to be separated by |, each one written in the same .*@ form.

Assign the profile to a security group and we're done.
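The steps above build the policy value by hand in the Intune portal. The PowerShell below is an added example, not part of the original post: it generates the RestrictSigninToPattern value from a list of allowed domains (escaping the dots and joining with the | divider), checks a few constructed sample addresses against it, and, when run on a device that received the profile, compares the generated value with the one Edge actually got. It assumes, as the post does not state explicitly, that Edge evaluates the value as a case-insensitive regular expression that must match the whole sign-in address, and that Intune delivers it to the HKLM:\SOFTWARE\Policies\Microsoft\Edge registry key. The domains, account names and the Test-EdgeSigninAllowed / New-EdgeSigninPattern function names are my own for this example.

```powershell
# Added example (not from the original post): build and sanity-check a
# RestrictSigninToPattern value before pasting it into Intune, then compare it
# with what Edge received on a managed device.
#
# Assumptions (not stated in the post): the value is a regular expression that
# Edge matches case-insensitively against the full sign-in address, and Intune
# writes it to HKLM:\SOFTWARE\Policies\Microsoft\Edge.

function New-EdgeSigninPattern {
    param([Parameter(Mandatory)][string[]]$AllowedDomain)
    # One .*@domain alternative per domain, joined with the | divider the post
    # describes. The dot in the domain is escaped: an unescaped '.' is a regex
    # wildcard and would also admit an address such as user@mempoweredXeu.
    ($AllowedDomain | ForEach-Object { '.*@' + [regex]::Escape($_) }) -join '|'
}

function Test-EdgeSigninAllowed {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$Account
    )
    # Anchor the pattern so it has to cover the whole address (full match).
    # PowerShell's -match is case-insensitive by default, like the assumed browser check.
    $Account -match ('^(?:' + $Pattern + ')$')
}

# Hypothetical allowed domains for this example.
$pattern = New-EdgeSigninPattern -AllowedDomain 'mempowered.eu', 'contoso.com'
"Value to paste into the Intune setting:`n$pattern"
# -> .*@mempowered\.eu|.*@contoso\.com

# Constructed sample accounts.
$samples = @(
    'peter@mempowered.eu',      # work account in an allowed domain  -> allowed
    'ADMIN@CONTOSO.COM',        # case must not matter                -> allowed
    'someone@outlook.com',      # personal account                    -> blocked
    'someone@fabrikam.com',     # work account in a domain not listed -> blocked
    'attacker@mempoweredXeu'    # would slip past an unescaped .*@mempowered.eu
)
foreach ($a in $samples) {
    $allowed = Test-EdgeSigninAllowed -Pattern $pattern -Account $a
    '{0,-26} {1}' -f $a, $(if ($allowed) { 'allowed' } else { 'blocked' })
}

# On a device that received the profile, compare with the value Edge sees.
# edge://policy shows the same value; this reads it from the policy registry key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$applied = (Get-ItemProperty -Path $key -Name RestrictSigninToPattern -ErrorAction SilentlyContinue).RestrictSigninToPattern
if ($null -eq $applied) {
    'RestrictSigninToPattern is not set on this device (profile not applied yet, or device not targeted).'
} elseif ($applied -eq $pattern) {
    'Applied value matches the generated pattern.'
} else {
    "Applied value differs from the generated pattern: $applied"
}
```

Run the first part anywhere to check the pattern before you save the profile; run the whole script on an enrolled device (it only reads the registry, no elevation needed) to confirm the value Intune delivered is the one you intended.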

End-user experience

Start the Microsoft Edge browser.
To check whether the policy is applied, enter edge://policy in the address bar. The policy RestrictSigninToPattern is listed as active and shows the two domains as its value.

If you try to add a personal account (or a work account from a domain that is not in the policy), sign-in is blocked, and therefore sync is blocked for that account:
Your system administrator has not granted @outlook.com sign-in permissions.

In the Profiles section of the settings you can see that I can still add both of my work accounts and that sync is turned on.

That's it for this blog.
If you want to read more Microsoft Edge related posts, they are listed HERE.

2 Comments

  1. Thanks, this was the only place to refer to the divider or how to write multiple email domains in one place. Helped me as I was stuck in more complex regex.
