blockAADWorkplaceJoin Affects SSO for Shared Classroom PCs

APB Campus Vesta 0 Reputation points
2025-05-16T09:06:42.02+00:00

In a classroom environment with PCs assigned to accounts from ******@myschool.com to ******@myschool.com, instructors from different organizations log in to access their cloud-stored PowerPoint presentations.

The issue arises when instructors leave the option "allow my organization to manage this device" checked, which leads to unauthorized access for subsequent users. Given the high turnover of instructors and the limited time they spend at the institution, it's impractical to train them to uncheck this option each time.

To address this, the option for workplace joining has been disabled using BlockAADWorkplaceJoin = 1. However, since implementing this change, Office is unable to log in with the shared classroom credentials (e.g., ******@myschool.com).

With the limitation of not being able to provide individual Office licenses for all instructors due to high costs and limited use, what alternatives exist to resolve this SSO issue?

Microsoft Security | Microsoft Entra | Other

1 answer

  1. Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
    2025-05-20T02:21:57.6966667+00:00

    Hello @APB Campus Vesta

    Disabling the workplace join option by setting BlockAADWorkplaceJoin = 1 can indeed help prevent unauthorized access on shared classroom PCs. However, it’s important to note that this setting may also impact users' ability to sign into Office applications using shared classroom credentials, which can lead to Single Sign-On (SSO) issues.

    To resolve the SSO issue while maintaining both security and usability, here are a few alternative approaches:

    1. Use Conditional Access Policies in Microsoft Entra ID:
      Conditional Access allows you to enforce security requirements (like requiring compliant devices or specific locations) without completely blocking workplace joins. This way, you can maintain control over who accesses Office applications and under what conditions.
      More details: Conditional Access for Office 365 Applications
      https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-unknown-unsupported

    2. Implement Shared Device Mode for Windows 10/11:
      Shared device mode is designed for scenarios where multiple users use the same device (e.g., classrooms, labs). It allows users to log in with their credentials, ensuring a personalized experience while maintaining security and proper session management.
      Reference: Set up a shared or guest PC

    By leveraging these alternatives, you can address the SSO challenges on shared classroom PCs without sacrificing security or usability for instructors and students.
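As an added example, not code from the original question or from the Microsoft staff answer: a PowerShell script that audits a classroom PC for the two device-side settings discussed in this thread, the BlockAADWorkplaceJoin policy from the question and Shared PC mode from the answer, and applies both when run with -Enforce. The registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, the dsregcmd /status fields and the MDM_SharedPC WMI class are the documented Windows interfaces for these settings; the script name, the -Enforce switch and the particular Shared PC values chosen are assumptions of this example. The script does not by itself restore the Office sign-in that the question reports as broken; it makes the current state visible so that the two settings can be reasoned about together.

```powershell
<#
  Audit-SharedClassroomPc.ps1  (assumed script name, example only)

  Reports, and with -Enforce applies, the two device-side settings discussed above:
    1. The policy the question refers to: DWORD BlockAADWorkplaceJoin = 1 under
       HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, which stops users
       adding a work or school account (Microsoft Entra registration) to the PC.
    2. Shared PC mode from the answer, configured through the SharedPC CSP, which is
       reachable locally via the MDM bridge WMI class MDM_SharedPC.
  Run in an elevated PowerShell session on Windows 10/11 Pro, Education or Enterprise.
#>
[CmdletBinding()]
param(
    [switch]$Enforce
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$policyName = 'BlockAADWorkplaceJoin'

function Get-WorkplaceJoinBlock {
    # 1 when the block policy is set, 0 when it is absent or explicitly disabled.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$policyName
}

function Get-DsregState {
    # Parse 'dsregcmd /status' into a hashtable of field -> value. AzureAdJoined and
    # DomainJoined describe the device; WorkplaceJoined describes the *current user's*
    # Entra registration, so run this as each shared classroom account to find leftovers.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-SharedPcConfig {
    # Current SharedPC CSP values; fails if the MDM bridge namespace is not present.
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_SharedPC' -ErrorAction Stop
}

$block  = Get-WorkplaceJoinBlock
$dsreg  = Get-DsregState
$shared = Get-SharedPcConfig

Write-Host ('BlockAADWorkplaceJoin  : {0}' -f $block)
Write-Host ('AzureAdJoined (device) : {0}' -f $dsreg['AzureAdJoined'])
Write-Host ('DomainJoined (device)  : {0}' -f $dsreg['DomainJoined'])
Write-Host ('WorkplaceJoined (user) : {0}' -f $dsreg['WorkplaceJoined'])
Write-Host ('EnableSharedPCMode     : {0}' -f $shared.EnableSharedPCMode)

if ($dsreg['WorkplaceJoined'] -eq 'YES') {
    # The block policy stops new registrations; one left behind by an earlier instructor
    # stays in this profile until removed under Settings > Accounts > Access work or school.
    Write-Warning 'This user profile still carries a Microsoft Entra registration from an earlier sign-in.'
}

if ($Enforce) {
    # 1. Block further workplace joins (the setting the question already applied).
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Turn on Shared PC mode with education defaults. DeletionPolicy 1 deletes cached
    #    profiles only when disk space runs low, so the shared classroom account keeps its
    #    state between lessons. AccountModel (0 = guest only, 1 = domain/Entra accounts,
    #    2 = both) is left at its current value; set it according to the type of the
    #    shared classroom accounts.
    $shared.EnableSharedPCMode = $true
    $shared.SetEduPolicies     = $true
    $shared.DeletionPolicy     = 1
    Set-CimInstance -CimInstance $shared
    Write-Host 'Settings applied; sign out or restart for Shared PC mode to take effect.'
}
```

Run it once without -Enforce from each shared classroom account to see which profiles still hold a registration from a previous instructor, then with -Enforce from an elevated prompt. Because Shared PC mode changes account and profile handling for every user of the device, test it on one PC and confirm the shared account's Office sign-in before rolling it out.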

