@Sheik Mohamed Yasar Hello,
You have two ways to do it; my favorite one is using Azure AD Conditional Access:
**Using Intune App Protection Policies**
While App Protection Policies are more traditionally used for mobile devices (iOS/Android), you can leverage similar principles on Windows when using Office apps (such as Outlook) that support these policies. You can enforce data protection settings to ensure only work accounts are used.
Steps:
- Access the Endpoint Manager Admin Center:
  - Go to endpoint.microsoft.com and sign in.
- Create an App Protection Policy:
  - Navigate to Apps > App Protection Policies.
  - Click Create policy and choose the platform (select Windows 10 and later if available).
  - Name and describe your policy so that you and other admins know its purpose.
- Configure Data Protection Settings:
  - Under the Data Protection tab, configure settings such as:
    - Restricting copy and paste between corporate and personal apps.
    - Preventing data transfers to unauthorized apps.
  - This indirectly limits the risk of personal email apps interfacing with corporate data.
- Define Access Requirements:
  - Under the Access Requirements section, enforce policies that may require a work account or restrict the use of unapproved credentials.
  - Although direct domain filtering might not be an explicit option here, combining these settings with Conditional Access (below) can strengthen the barrier.
- Assign the Policy to User Groups:
  - Select the target groups or devices where you want this policy enforced.
  - Click Create to deploy the policy.
**Using Azure AD Conditional Access**
Conditional Access policies are ideal for enforcing which accounts can access specific cloud resources from corporate devices. This can stop users from signing in with personal accounts for accessing apps like Office 365 or corporate portals.
Steps:
- Open Azure Portal:
  - Sign in at portal.azure.com.
- Navigate to Conditional Access Policies:
  - Go to **Azure Active Directory > Security > Conditional Access**.
  - Click **+ New policy**.
- **Configure the Policy:**
  - **Name:** Give your policy a clear name, such as “Block Personal Email Sign-Ins.”
  - **Assignments:**
    - **Users and Groups:** Select all users or specific groups.
    - **Cloud Apps:** Choose the corporate apps where this should apply (for example, Microsoft 365 apps).
  - **Conditions (Optional):**
    - Limit the policy by platform (e.g., only target Windows devices).
    - Optionally, set conditions for client app types if needed.
- **Define Access Controls:**
  - Under **Grant**, select **Block access** or require “compliant” device status. For example:
    - **Grant access only if the device is marked compliant** (this forces users to use devices that have been managed and locked down per your policies).
- **Implement Domain Restrictions (Indirectly):**
  - While Conditional Access itself won’t “blacklist” a login domain directly, you can combine it with Identity Protection or custom security measures to flag suspicious logins from non-corporate domains.
  - Additional Identity Governance policies in Azure AD can help detect and warn against personal email usage if integrated with sign-in logs.
- **Enable and Deploy:**
  - Review the policy and set it to **Report-only** mode initially if you want to monitor the impact.
  - Once satisfied, enable the policy in **On** mode.
😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
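The Conditional Access policy described in the answer above, expressed as an added example in Microsoft Graph PowerShell rather than portal clicks (this is not code from the answer or from Microsoft). It assumes the Microsoft.Graph module is installed, the signed-in admin can create Conditional Access policies, and the group ID is a placeholder you replace with your own pilot group; the break-glass exclusion is an added precaution the answer does not mention.

```powershell
# Added example: create the "Block Personal Email Sign-Ins" policy in report-only mode,
# scoped to Windows, Microsoft 365 apps, and a pilot group, granting access only to
# Intune-compliant devices. Placeholders below are NOT real tenant values.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot users
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency accounts

$policy = @{
    displayName = "Block Personal Email Sign-Ins"
    # Report-only first: sign-in logs show who WOULD be blocked, nobody is locked out yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            # Always exclude break-glass accounts so a misconfigured policy cannot lock admins out.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # "Office365" is the Graph value for the Microsoft 365 app group chosen in the portal.
            includeApplications = @("Office365")
        }
        platforms = @{
            includePlatforms = @("windows")
        }
        clientAppTypes = @("all")
    }
    # Equivalent of "Grant access only if the device is marked compliant".
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs look right, switch the policy to On:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Review the "Report-only" column of the Azure AD sign-in logs before flipping the state to "enabled", since the policy blocks every sign-in from a non-compliant Windows device, including personal accounts added to Outlook.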