Hello @APB Campus Vesta
Disabling the workplace join option by setting BlockAADWorkplaceJoin = 1 can indeed help prevent unauthorized access on shared classroom PCs. However, it’s important to note that this setting may also impact users' ability to sign into Office applications using shared classroom credentials, which can lead to Single Sign-On (SSO) issues.
To resolve the SSO issue while maintaining both security and usability, here are a few alternative approaches:
- Use Conditional Access Policies in Microsoft Entra ID:
Conditional Access allows you to enforce security requirements (like requiring compliant devices or specific locations) without completely blocking workplace joins. This way, you can maintain control over who accesses Office applications and under what conditions.
More details: Conditional Access for Office 365 Applications
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-unknown-unsupported
- Implement Shared Device Mode for Windows 10/11:
Shared device mode is designed for scenarios where multiple users use the same device (e.g., classrooms, labs). It allows users to log in with their credentials, ensuring a personalized experience while maintaining security and proper session management.
Reference: Set up a shared or guest PC
By leveraging these alternatives, you can address the SSO challenges on shared classroom PCs without sacrificing security or usability for instructors and students.