Information
This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by the organization for accessing Office 365.
By selecting the Org ID only option, users can sign in only by using the user ID assigned by the organization for accessing Office 365.
The recommended state for this setting is: Enabled: Org ID only
Rationale:
If end users are allowed to connect personal Microsoft Accounts to an organization's Office applications, then confidential data could be exfiltrated to the users' personal cloud storage. Likewise, the users' personal data could more easily end up on work-related systems. Restricting Office 365 sign-in to the organization ID only also forces users to sign into a tenant whose managed policies and restrictions apply to them.
Impact:
Users will be unable to connect to cloud services not maintained by the organization (such as SharePoint services in Office 365) and access the files and services provided by the cloud services.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Org ID only:
User Configuration\Administrative Templates\Microsoft Office 2016\Miscellaneous\Block Signing into Office
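The following audit script is an added example, not part of the benchmark text: it reads the per-user policy value that the Office 2016 ADMX writes for "Block Signing into Office" and reports whether it matches the recommended state. The registry path, value name and the DWORD-to-state mapping are assumptions drawn from the Office 2016 ADMX, not from this page; confirm them against your own registry.pol before relying on the result.

```powershell
# Added audit example (not from the benchmark page). Checks the user-scope policy
# value behind "Block Signing into Office" and compares it with the recommended
# state "Enabled: Org ID only".
# ASSUMPTION: path, value name and encoding below follow the Office 2016 ADMX.
$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\SignIn'
$ValueName   = 'SignInOptions'
$Recommended = 2   # assumed DWORD encoding of "Enabled: Org ID only"

# Assumed mapping of the DWORD to the option names shown in the policy UI.
$StateNames = @{
    0 = 'Enabled: Both IDs allowed'        # the default stated on the page
    1 = 'Enabled: Microsoft Account only'
    2 = 'Enabled: Org ID only'             # recommended state
    3 = 'Enabled: None allowed'
}

function Test-OfficeSignInPolicy {
    [CmdletBinding()]
    param()

    # -ErrorAction SilentlyContinue returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value present: Office falls back to "Both IDs allowed",
        # which is the page's default and is not compliant.
        $current = $null
        $state   = 'Not Configured (behaves as: Both IDs allowed)'
    } else {
        $current = [int]$item.$ValueName
        $state   = if ($StateNames.ContainsKey($current)) { $StateNames[$current] }
                   else { "Unknown value $current" }
    }

    [pscustomobject]@{
        Key       = $PolicyKey
        Value     = $ValueName
        Current   = $current
        State     = $state
        Compliant = ($current -eq $Recommended)
    }
}

$result = Test-OfficeSignInPolicy
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Not compliant: expected '$($StateNames[$Recommended])' (value $Recommended)."
    exit 1
}
```

Run it in the context of the user being audited, since the policy is user-scoped; a non-zero exit code makes it usable from a compliance scanner or scheduled task.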
Default Value:
Enabled: Both IDs allowed
Additional Information:
This setting can be further enhanced by using the CIS Microsoft 365 Benchmark to restrict sign-in to specific domains, such as the organization's own domain.