Microsoft Change – MC226037
Starting November 19th 2020, Microsoft will begin a staged rollout of personal account support in the Microsoft teams desktop app for Windows and MacOS.
New users will be able to sign in with a personal account after installing the Teams app. Existing users with a work or school account, will see an option to add one personal account via their profile menu. Work and personal experiences will run in separate windows to visually differentiate them.
Not all organisations will want to allow this from a security perspective.
So.. what can be done?
There is a way to restrict sign in on desktop devices. It will involved a registry key to be installed. The Microsoft article here covers not just the Desktop client, but it does state that there will be an update to include Administrative Template Files (ADMX/ADML) to make administration easier. So in the short term, its going to be a registry key.
This wont affect the ability to switch organisations, but will prevent you to initially log in with accounts outside your organisation tenant.
You can manually set keys in Windows Registry:
- Value Name: RestrictTeamsSignInToAccountsFromTenantList
- Value Type: String
- Value Data: Tenant ID, or comma-separated list of Tenant IDs
- Path: use one of the following
Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Cloud\Office\16.0\Teams Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\16.0\Teams Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Teams
Example: SOFTWARE\Policies\Microsoft\Office\16.0\Teams\RestrictTeamsSignInToAccountsFromTenantList = Tenant ID or SOFTWARE\Policies\Microsoft\Office\16.0\Teams\RestrictTeamsSignInToAccountsFromTenantList = Tenant ID 1,Tenant ID 2,Tenant ID 3
For the policy to work you will need Teams version 1.3.00.30866 or higher.
Note, that you can log set up to allow logins to multiple tenants by separating them with a comma.
From what I can gather, it looks like the Tenant ID can be in the format of either TENANT.onmicrosoft.com or the Tenant GUID that can be found in Azure AD properties.
I personally haven’t been able to test this feature, but as soon as I can get the latest update there will be an update to this quick post!