Allow my Organization to Manage my Device

What does “Allow my organization to manage my device” mean? When signing in to Microsoft Teams or any other Microsoft 365 app for that matter, you may see a window where it asks you if you want to allow your organization to manage your device. This can be confusing and even feel uncomfortable, especially if you are working on your own personal device. In this article I will be covering what this message means, what the consequences are and how you can best deal with it.

After all, if you are working on your own computer but are accessing your work-related resources inside your Microsoft 365 environment, that doesn’t necessarily mean that you are prepared to share everything that’s on your computer with your employer or work organization.

Allow my Organization to Manage my Device – Notification

The “Allow my organization to manage my device” notification will typically appear when you are using an app that’s part of the Microsoft 365 (previously Office 365) ecosystem after you sign in with your account credentials to access your (work) data.

I mention work data, because more often than not, this is happening when people are accessing company-owned Microsoft 365 environments from their private computers. If you are accessing your Microsoft 365 environment from a company-owned device made available to you by your employer, the device will already be managed by the organization and you will not get this notification.

The notification will also display “Stay signed in to all your apps”. I’ll come back to what that means in a minute.

That being said, when you are using your own computer to access your work-related documents or emails, you may not feel comfortable with the idea that people from your work organization can “manage” your computer. And what does that even mean – manage your device? Does this mean that they will be able to access all your personal files, emails, photo’s and so on?
Let’s take a closer look.

So Why Would You Need to Allow my Organization to Manage my Device?

Before we dive in, let’s get a better understanding of why Microsoft wants you to “Allow my Organization to Manage my Device”. After all, it feels a bit intrusive, doesn’t it?

The problem is that, with remote workers and home office workers, IT departments are now facing a new type of challenge and that is the increasingly more complex task of keeping company data secure. In older days, when people came to the office and sat down at a company-owned computer (one that would never physically leave the office), it was easier to manage company policies and security measures on work computers, because they would never leave the company network.

From within the company network, IT administrators would be able to manage and monitor anti-virus policies, control whether or not certain sensitive information could be copied off the network and enforce security policies on the organization’s computers.

Now, with the increasing number of “bring your own device” (BYOD), where people are accessing their work email and documents from their personal smartphone or own computer, it’s becoming harder for companies to assess whether the minimum security requirements are met on these devices.

Microsoft has come up with an answer and that is where the “Allow my Organization to Manage my Device” comes in.

Should I Allow my Organization to Manage my Device?

If you are thinking “This is all well and good, but what does that mean for me? Should I indeed allow my organization to manage my device?” You may also be wondering whether you can simply close the notification window without clicking the ok button (by clicking on the “x” in the top right corner).

Well, the simple answer is: you can (close the window). Everything will work just fine, you don’t have to worry about your employer potentially accessing your private stuff on your computer and you can still make use of the Microsoft 365 environment that your employer has provided for you to collaborate with your colleagues.

But wait, then what is this option actually used for, you might ask yourself. The answer is that your computer will be registered within your organization’s Microsoft Azure Active Directory when you leave the option “Allow my Organization to Manage This Device” checked and click ok.

Pro tip: most people do indeed leave the default settings checked and click the blue ok button without fully understanding what it means or without giving it any further thought. Don’t be like most people.

If you leave the settings at their defaults and simply click ok, then your computer will be registered with your organization (employer) Microsoft Azure Active Directory, which means that your password for the app that you are signing in on will be remembered in the Azure Active Directory database, but also passwords for other apps on your computer. For instance, if you use Microsoft Teams with your own personal Microsoft account AND with your employer’s Microsoft 365 account, your personal account password may also be stored in your employer’s Azure database.

These passwords will always be encrypted, but even then, this may feel unnecessarily far-reaching.

This is why I always recommend UN-checked the option to “Allow my Organization to Manage This Device”, when presented with the dialog screen where Microsoft is asking you to “Stay signed in to all your apps”. If you then click the option that says “No, sign in to this app only”, your computer will not be registered with your organization’s Azure AD.

When your computer is registered with your organization’s Azure AD, it also means that Microsoft 365 administrators in your organization can remotely wipe any Microsoft 365 account data from your device (or even wipe your entire device, depending on their environment). This is so that organizations can remotely protect company-specific data from being exposed in case your computer (laptop) gets stolen or forgotten somewhere. The goal here is to ensure safety and security.

Wait, does that mean that my organization can remotely wipe my entire computer? Well, actually in some cases, yes. Depending on the Microsoft subscriptions they have, they may be able to remotely wipe your computer or reset it to factory defaults.

That’s a lot of control. And well-worth considering.

Before I go into how you can prevent your organization from managing your device, allow me to give you an overview of the things they can see on your computer when you register your computer with your organization’s Azure AD.

Things they can see on your computer:

• Device name
• Management name
• Ownership
• Serial number
• Primary user
• Enrolled by
• Compliance
• Operating system and version
• Device model
• Device manufacturer
• Last check-in time
• Storage space
• Discovered apps

Things they can NOT see on your computer:

• Phone records
• Personal data
• Photos
• Text messages
• Browsing history

How Can I Make Sure to Not Allow my Organization to Manage my Device?

If you are still not sure what to do when it comes to using your organization’s Microsoft 365 apps, I have made a summary for you to make things easier for you.

Basically, when the dialog to allow your organization to manage your computer shows up when signing in to an app, you have 4 options.

1. Accept the default settings and click ok. This will register your computer with your organization’s Azure Active Directory AND remember your passwords for other apps as well.
2. Deselect the option that says “Allow my Organization to Manage This Device” and then click the ok button. Now your computer will not be registered with your organization’s Azure AD, but it will remember your passwords for other apps on your device.
3. Click the “No, sign in to this app only”. This will also not register your computer in your organization’s Azure AD and only remember your password for the current app that you're signing in to.
4. Click the “x” in the top right corner of the notification window. This will just close the notification screen and stop there.

What Can I Do if I Already Allowed my Organization to Manage This Device?

If you already have allowed your organization to manage your device and want to undo that, you can do so by signing in to the online Microsoft Office portal at:

https://portal.office.com/account#installs

Then, on the left side, click “Apps and devices”. Now, on the right side of the screen, you will see your devices listed. Click your device and then click “sign out”.

How to Block Users From Adding Microsoft 365 Work Accounts on Windows Computers?

If you’re a Microsoft 365 administrator, you may want to prevent users from registering their Windows 10 or Windows 11 devices in other organization’s Azure AD tenants. Other organizations also may not want to see external companies’ devices being registered in their Azure AD tenant. Luckily, there’s a way to prevent this from happening. Unfortunately, it requires making a change in the Windows registry, so as always, pay careful attention to make the right changes.

How to prevent users from adding a Microsoft 365 work account on a Windows computer?

Add the following registry entry:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, “BlockAADWorkplaceJoin”=dword:00000001

This registry entry will stop the “Allow my Organization to Manage This Device” from appearing so users won’t accidentally register their devices to other Azure AD tenants.

Conclusion

With this article I have tried to shed some light on a very common dialog box that many Windows users will come across sooner or later and that is often misunderstood or causes some confusion to say the least.

By now you hopefully better understand what the message means, what it implies and what your options are. I have also shown you how to undo your actions when you already have allowed your organization to manage your device.