PingSentry   |   Blog   |   System32   |   GitHub   |   Free tools

Accounts: Block Microsoft accounts

6e815a39-7aa8-42e4-88d3-1778dfe85333

Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult. It is best practice to disable "Add and Login for Microsoft account" in enterprise or secure environments.

More info: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts

Remediation

To fix this configure the policy value for:
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_ Accounts: Block Microsoft accounts Set [Users can't add or log on with Microsoft accounts]

https://www.tenforums.com/tutorials/97556-allow-block-microsoft-accounts-windows-10-a.html

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts

STIG: Desktop: https://www.stigviewer.com/stig/windows_8_8.1/2015-06-16/finding/V-36771

Nist 800-53: AC-2(1),
CSCv7: v16.2
CIS v7: v16.2 Configure Centralized Point of Authentication
CSI v8: v5.6
IAIA-1



Tags

desktop bestpractice-desktop cis-csc-desktop stig-medium-desktop nist800-53-server nist800-53-desktop domaincontroller-bestpractices domaincontroller cis-csc-server