This policy enables organizations to centrally manage Microsoft Account and user account settings on Windows devices through JumpCloud MDM. By standardizing account configuration, organizations can enhance security, streamline user onboarding, and ensure consistent access controls across all managed Windows endpoints. Implementing this policy helps prevent unauthorized account usage, supports compliance, and improves IT productivity.
Prerequisites
- Devices must be enrolled in Windows MDM (Mobile Device Management).
- Target Windows devices must have reliable network connectivity and the JumpCloud Agent installed and operational.
- Target devices must be running Windows 10 version 1607 [10.0.14393] or later. This policy is supported on the following Windows editions:
  - Windows Pro
  - Windows Enterprise
  - Windows Education
  - Windows SE
  - IoT Enterprise
  - IoT Enterprise LTSC
- For more information on device compatibility, see Agent Compatibility, System Requirements, and Impacts.
Creating the Policy
To create the policy:
- Log in to the JumpCloud Admin Portal.
Important:
If your data is stored outside of the US, check which login URL you should use for your region; see JumpCloud Data Centers to learn more.
- Go to Device Management > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Windows tab.
- Search for and select the Allow Microsoft Account Sign-In Assistant policy from the list, then click Configure.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as creation date of the policy, and information on testing and deployment of the policy.
- In the Settings section, configure the following policy options:
  - Allow Adding Non-Microsoft Accounts Manually - Use this to permit or prevent users from manually adding third-party email providers (like Gmail or Yahoo) via the app's interface.
  - Allow Microsoft Account Connection - Select Allowed to let users link their Microsoft Accounts for services like the App Store and settings sync, or Not Allowed to restrict these integrations.
  - Restrict to Enterprise Device Authentication Only - Select a suitable option from the dropdown menu to mandate that only device-level authentication is used. This enhances security by blocking individual user sign-ins.
  - Allow Microsoft Account Sign-In Assistant - Select a suitable option from the dropdown menu to keep essential background services active. Selecting Disable will turn off the Sign-In Assistant, which can block Windows updates and break software subscriptions.
  - Allowed Domain Names for Email Sync - Select this field to restrict synchronization to approved domains only. Input your list using semicolons to separate entries (e.g., contoso.com; fabrikam.com).
- (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
- Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.
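As a post-deployment check, the following PowerShell is an added example (not JumpCloud's or Microsoft's code) that reads the Accounts policy values an enrolled device received and flags the combinations this page warns about. The registry key and value names are assumptions based on how Windows Policy CSP settings are normally mirrored locally, so confirm them on a test device first.

```powershell
# Added example (not JumpCloud's own code): audit the effective Accounts policy
# values on a Windows endpoint after this policy is applied.
# Assumption: MDM-delivered Policy CSP "Accounts" settings are mirrored under the
# PolicyManager key below under their CSP value names (0 = not allowed/disabled,
# 1 = allowed). Verify the key on your build before relying on this.
$AccountsPolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Accounts'
$AccountsPolicyNames = @(
    'AllowAddingNonMicrosoftAccountsManually',
    'AllowMicrosoftAccountConnection',
    'RestrictToEnterpriseDeviceAuthenticationOnly',
    'AllowMicrosoftAccountSignInAssistant',
    'DomainNamesForEmailSync'
)

function Get-AccountsPolicyState {
    param([string]$Path = $AccountsPolicyPath)
    $state = @{}
    if (-not (Test-Path $Path)) { return $state }     # policy not delivered yet
    $item = Get-ItemProperty -Path $Path
    foreach ($name in $AccountsPolicyNames) {
        $prop = $item.PSObject.Properties[$name]
        if ($prop) { $state[$name] = $prop.Value }      # absent = not configured
    }
    return $state
}

function Test-AccountsPolicy {
    param([hashtable]$State)
    $findings = @()
    if ($State.Count -eq 0) {
        return @('No Accounts policy values found: policy not applied yet, or key differs.')
    }
    if ($State['AllowMicrosoftAccountSignInAssistant'] -eq 0) {
        $findings += 'Sign-In Assistant disabled: Windows Update and subscription software may break.'
    }
    if ($State['AllowMicrosoftAccountConnection'] -eq 1 -and
        $State['RestrictToEnterpriseDeviceAuthenticationOnly'] -ne 1) {
        $findings += 'Consumer Microsoft Account linking allowed without device-only authentication.'
    }
    # Email-sync allow list is semicolon-separated, e.g. "contoso.com; fabrikam.com"
    $domains = @(($State['DomainNamesForEmailSync'] -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $bad = $domains | Where-Object { $_ -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' }
    if ($bad) { $findings += "Malformed email-sync domain entries: $($bad -join ', ')" }
    if ($domains.Count -eq 0 -and $State['AllowMicrosoftAccountConnection'] -eq 1) {
        $findings += 'Email sync is not limited to approved domains (allow list empty).'
    }
    return $findings
}

$findings = Test-AccountsPolicy -State (Get-AccountsPolicyState)
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Accounts policy looks consistent.' }
```

Run it in an elevated PowerShell session on a device that is a member of the targeted group; an empty result means the values arrived and none of the risky combinations described in the Settings list are present.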