Office 2016: Disallow sign-in to Office, but continue using Office 365 email in Outlook

Solution 1

Add the following registry key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL=0

This disables Modern Authentication on your home computer, which is what is causing your home Office/Outlook to log in all together in one shot.

Solution 2

You wish to use the work account only on Outlook, but for Microsoft this means a login on all Office products.

I assume that the account details are stored in the registry, so your problem is running Outlook with these registry entries, but the rest of Office without.

A simple solution to this problem is to use Sandboxie, which creates a virtual environment for selected programs, where all file and registry updates are diverted to some disk storage which is called the sandbox. This means that these updates do not exist for programs that are not started via Sandboxie and outside the sandbox.

This way you could start Outlook via Sandboxie and log on to your work account once and for all. The other Office applications you will start directly, not through Sandboxie, so they do not use your work account, and you may even log on to your personal Outlook account.

Thus Outlook will have two launch modes, sandboxed or not, each using a different account.

You can create a desktop shortcut that will launch Outlook directly inside the sandbox, to simplify its use. See the Sandboxie FAQ of Windows Shell Integration.

The free version of Sandboxie is limited to only one sandbox. However, for $34.95 you can have an unlimited lifetime license. (Edit: Sandboxie is now freeware.)

To make Outlook work in the sandbox, I have set the following settings of Sandboxie:

Email Reader

Internet Access

Solution 3

Update: Please see Boby's answer. This approach works, but Boby's solution is far simpler and more practical.

After much searching (and fruitlessly asking this same question at answers.microsoft.com), I've finally come up with a workable, if complicated, solution: Running Davmail locally as an exchange proxy, then configuring Outlook 2016 to retrieve mail via imap and my calendar via calDav. I'm posting the procedure here for anyone else that might be having a similar problem.

NOTE: Davmail's stated purpose is to enable Mozilla Thunderbird (and other clients) to communicate with exchange servers. Thunderbird is fully featured, and may be a perfectly suitable email client for you. Consider trying it. If, like me, you still want to use Outlook, continue on.

  1. Download and install Davmail. Accept all of the default configuration settings. Since Office 365 is apparently the most commonly used exchange system, DavMail pre-populates the correct exchange url. Your davmail configuration screen should look like this:

DavMail config screen

(Obscured url: https://outlook.office365.com/EWS/Exchange.asmx)

  2. Open Outlook. Remove your existing Office 365 exchange account if necessary, and restart Outlook. Additionally, using any Office suite application, log out of Office 365 (File > Account > Sign Out). Close all Office applications, and then start Outlook again.

  3. Click File, then add account. Select Manual Setup, or additional server types. Fill in the settings as shown below (note that the inbound and outbound servers are both 'localhost'), then click More Settings.

Outlook Settings

  4. Click the 'Outgoing Server' tab, then check the "My outgoing server (SMTP) requires authentication". Leave "Use the same settings as my incoming server" selected.

Outlook Settings

  5. Click the 'Advanced' tab. For Incoming Server, enter port 1143. For outgoing server, enter port 1025. Ensure that the encryption setting remains on 'none' for both servers. Don't worry, these unencrypted connections are only used locally.

Outlook Settings

  6. Click Ok, and then Next. Your email should begin to sync with the server via IMAP. This may take a while if you have a lot of email.

  7. Now we need to set up your calendar. This presents a minor problem, as Outlook does not natively support the CalDav protocol used by DavMail. Fortunately, a well-maintained plugin for Outlook exists to solve this problem. Download the Outlook CalDav Synchronizer Plugin. Install the plugin, then restart Outlook.

  8. A new ribbon entry should appear, entitled "CalDav Synchronizer". Click this tab, then 'Synchronization Profiles'. Click the green plus sign to create a new profile. Enter a name for the profile, then select an Outlook Folder - you may simply create a new folder named 'Calendar', as shown below. If you have multiple accounts set up in Outlook, make sure your folder is under the correct one.

CalSync Calendar Folder Selection

Afterwards, fill in the DAV url, substituting your own email address:

http://localhost:1080/users/<your-email-address>/calendar/

Then fill in your username (your email address), your password, and, again, your email address. You may also wish to decrease the calendar synchronization interval from its default of 30 minutes. When you're finished, your screen should look like this:

Outlook Settings

Click OK. You should now be able to see your calendar by clicking on the folder you created in step 8. It may take several minutes for calendar entries to appear the first time. It may also be necessary to restart outlook one last time for the calendar to appear in its traditional location, viewed by the 'calendar' button.

Having completed these steps, your copy of Outlook should be in the following state:

  1. Capable of sending/receiving email using your Office 365 address (via IMAP)
  2. Capable of sending/accepting meeting invitations and interacting with the calendar in a normal way (via CalDav)
  3. Outlook & Office should -not- be signed in to any account whatsoever.

Further, it is now possible to enable the "Don't allow Office sign-ins" group policy without impacting this email account and calendar.

If anyone has further suggestions or ways to improve/simplify this procedure, I welcome the input.
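
The procedure above leaves IMAP, SMTP and CalDAV unencrypted on the grounds that they are only used locally. As an added example (not part of the original answer and not DavMail's own code), this Python check audits the contents of a `davmail.properties` file for that condition and for the ports entered in Outlook; the sample file contents are constructed, and treating an unset `davmail.allowRemote` or `davmail.bindAddress` as safe is an assumption of the example.

```python
# Added example: audit DavMail settings for the loopback-only setup described above.
EXPECTED_PORTS = {  # ports the procedure enters in Outlook and CalDav Synchronizer
    "davmail.imapPort": "1143",
    "davmail.smtpPort": "1025",
    "davmail.caldavPort": "1080",
}
LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}  # "" = unset (assumed acceptable)

def parse_properties(text):
    """Parse key=value lines; skip blanks and '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Java-written .properties files escape ':' as '\:'
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def audit(text):
    """Return a list of findings; an empty list means the file matches the setup."""
    props = parse_properties(text)
    findings = []
    # Assumption: a missing allowRemote key means remote access is off.
    if props.get("davmail.allowRemote", "false").lower() != "false":
        findings.append("allowRemote enabled: unencrypted listeners accept non-local clients")
    if props.get("davmail.bindAddress", "") not in LOOPBACK:
        findings.append("bindAddress is not a loopback address")
    if not props.get("davmail.url", "").startswith("https://"):
        findings.append("davmail.url is not HTTPS: traffic to Exchange is unprotected")
    for key, port in EXPECTED_PORTS.items():
        if props.get(key) != port:
            findings.append(f"{key}={props.get(key)} differs from the port used here ({port})")
    return findings

# Constructed sample inputs (not taken from a real installation).
SAMPLE_OK = r"""
davmail.url=https\://outlook.office365.com/EWS/Exchange.asmx
davmail.imapPort=1143
davmail.smtpPort=1025
davmail.caldavPort=1080
davmail.allowRemote=false
davmail.bindAddress=
"""
SAMPLE_EXPOSED = (SAMPLE_OK.replace("allowRemote=false", "allowRemote=true")
                           .replace("imapPort=1143", "imapPort=143"))

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("exposed", SAMPLE_EXPOSED)):
        print(name, audit(sample) or "no findings")
```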

Author: Fopedush

Updated on September 18, 2022

Comments

  • Fopedush
    Fopedush over 1 year

    My organization uses Office 365 and Office-365-associated email accounts. At work, we have the option to use Office 2016, 365, or the browser-based version of Office. All of this works swimmingly.

    At home, I've got a personal copy of Office 2016. I've got to have access at home to my work email and calendar, so I've added the exchange account to Outlook. Much to my dismay, after doing so, I discovered that I was signed in to all of the office applications with this account. For example, here's a screenshot of OneNote:

    OneNote signed in to Office 365

    I find it to be very intrusive that I've been signed into the entire Office suite using my work account. If I click the sign-out link in the above screenshot, Office reverts to the desirable signed-out state - that is, until I re-launch Outlook, whereupon I am prompted to sign in for my email once again, and the entire Office suite is once again connected to the Office 365 account.

    In an effort to prevent this behavior, I configured local group policy to disallow sign-in to Office (User Configuration > Administrative Templates > Microsoft Office 2016 > Miscellaneous > Block Signing Into Office : Enabled / None Allowed). This has the desired effect of preventing the rest of the Office applications from signing in, but also completely prevents me from accessing my exchange account. Upon launching Outlook or attempting to perform any mail-related activities, I get this dialog:

    This feature has been disabled by your administrator

    In the meantime I've been forced to allow the entire Office suite to remain signed in to my organization's Office 365 account.

    Given that I must have access to my work Email from home, and I won't accept being signed into Office 365 at home, how can I configure Outlook and/or Office to meet both of these conditions? Any input or suggestions are appreciated.

    Point of clarification: I do not have a personal Office 365 or Microsoft account that I would rather be signed in to - my goal is for my personal copy of Office to remain not signed in to any account.

  • Fopedush
    Fopedush over 6 years
    This is a clever approach that had not occurred to me. I'll try it out.
  • Fopedush
    Fopedush over 6 years
    Unfortunately, while running in sandboxie, Outlook is unable to connect to exchange. It's possible that with some tinkering this could be made to work, but it isn't an ideal solution. I applaud the originality of this approach but unfortunately it's far from perfect.
  • harrymc
    harrymc over 6 years
    You need to allow Internet in the sandbox, as by default the sandbox is very restrictive (which is why it's called sandbox). Open Sandbox Control, right-click the sandbox and choose Sandbox Settings > Restrictions > Internet Access, then Allow all programs, finish by OK.
  • Fopedush
    Fopedush over 6 years
    Internet was already permitted. It seems that if I run outlook un-sandboxed and log in, then launch it sandboxed, it remains logged in and works. However, if I then use a different Office app e.g. Word to log out of office, and re-launch Outlook in the sandbox, it requires me to log in once again (and said login attempt always fails). Unfortunately, it seems that whatever mechanism is used to handle Office logins is able to bypass the sandbox. Perhaps one of the office services is responsible?
  • harrymc
    harrymc over 6 years
    You should do the office login in Outlook inside the sandbox, starting from a situation where you are not logged-into that account. Therefore the updates when you login inside the sandbox stay in the sandbox. If instead you do the login outside of the sandbox then there are no modifications to store inside the sandbox and you use whatever was in the non-sandboxed registry, which means that if you change the login outside the sandbox then it will also be used inside the sandbox, since there are no sandboxed updates to override.
  • Fopedush
    Fopedush over 6 years
    Unfortunately, Outlook is unable to start sandboxed if not already logged in. It just sits and spins on the splash dialog forever.
  • harrymc
    harrymc over 6 years
    Ah, it seems that an email reader is a special case : see Sandboxie description of how to configure it properly : Error SBIE2212.
  • Fopedush
    Fopedush over 6 years
    I actually had to follow those directions earlier just to get to this point.
  • harrymc
    harrymc over 6 years
    I just now followed the same instructions, by allowing anything that has in it "outlook" or "windows", and Outlook started fine in sandboxed mode. But as I don't use it and I don't want it to access my mail, I didn't go any further.
  • Fopedush
    Fopedush over 6 years
    Awarding the bounty to harrymc for his effort. I still consider this question open, however.
  • harrymc
    harrymc over 6 years
    Thanks for the bounty, but why can't you get it to work? Let me know what error you're getting, and include screenshots of the Sandboxie settings mentioned in the link so I can compare with mine.
  • Fopedush
    Fopedush over 6 years
    Added screenshots to question. As I mentioned, if I leave Office in a signed-out state and attempt to start outlook sandboxed, the loading dialog appears and spins forever. Outlook never successfully launches. The white box appearing behind the splash screen I recognize as the Office 365 sign-in dialog, but no content loads inside the box.
  • harrymc
    harrymc over 6 years
    This doesn't happen to me: I have added the screenshots of my settings. Note that I'm using stand-alone Outlook and not the Office 365 version.
  • harrymc
    harrymc over 6 years
    Another difference is that I'm using the paid version of Sandboxie, and this article from 2016 may indicate that Office 365 is limited to that version, although there's no mention of this in the current documentation. You may contact their Support or Sales to ask if this is still the case.
  • Fopedush
    Fopedush over 6 years
    Copied your settings, still no love. I'm using Office 2016, not Office 365, however the e-mail account in question is an Office 365 account. I think the line between those two versions has become more blurred recently.
  • harrymc
    harrymc over 6 years
    Ask Sandboxie Support - it might require the paid version, but I have no experience with your particular setup.
  • Fopedush
    Fopedush over 6 years
    This worked perfectly. I can't believe there was such a simple solution. Thank you very much.
  • Fopedush
    Fopedush over 5 years
    If your organization requires multi-factor authentication, this approach will not work. Refer instead to the Davmail/Caldav solution below in that case.
  • Christi
    Christi over 4 years
    This is amazing! All the online guff that totally fails to integrate with nextcloud just disappears!
  • stvn
    stvn almost 4 years
    I cannot thank you enough for this. I feel like Microsoft deliberately makes it hard to disable this default intrusive login behavior. It was driving me nuts. Thank you!