Office 2016: Disallow sign-in to Office, but continue using Office 365 email in Outlook
My organization uses Office 365 and Office-365-associated email accounts. At work, we have the option to use Office 2016, 365, or the browser-based version of Office. All of this works swimmingly.
At home, I've got a personal copy of Office 2016. I've got to have access at home to my work email and calendar, so I've added the exchange account to Outlook. Much to my dismay, after doing so, I discovered that I was signed in to all of the office applications with this account. For example, here's a screenshot of OneNote:
I find it to be very intrusive that I've been signed into the entire Office suite using my work account. If I click the sign-out link in the above screenshot, Office reverts to the desirable signed-out state - that is, until I re-launch Outlook, whereupon I am prompted to sign in for my email once again, and the entire Office suite is once again connected to the Office 365 account.
In an effort to prevent this behavior, I configured local group policy to disallow sign-in to Office (User Configuration > Administrative Templates > Microsoft Office 2016 > Miscellaneous > Block Signing Into Office : Enabled / None Allowed). This has the desired effect of preventing the rest of the Office applications from signing in, but also completely prevents me from accessing my exchange account. Upon launching Outlook or attempting to perform any mail-related activities, I get this dialog:
In the meantime I've been forced to allow the entire Office suite to remain signed in to my organization's Office 365 account.
Given that I must have access to my work Email from home, and I won't accept being signed into Office 365 at home, how can I configure Outlook and/or Office to meet both of these conditions? Any input or suggestions are appreciated.
Point of clarification: I do not have a personal Office 365 or Microsoft account that I would rather be signed in to - my goal is for my personal copy of Office to remain not signed in to any account.
Solution 1:
Add the following registry key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL=0
This disables Modern Authentication on your home computer, which is what is causing your home Office/Outlook to log in all together in one shot.
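One way to apply and later undo the value from Solution 1, as an added example that is not part of the original answer. The function name `Set-OfficeAdal` and its `-Revert` switch are hypothetical; the key path and value name are the ones given above, written as a DWORD.

```powershell
# Added example: set or remove the per-user EnableADAL value named in Solution 1.
# Set-OfficeAdal and -Revert are hypothetical names introduced for this example.
function Set-OfficeAdal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(0, 1)][int]$Value = 0,   # 0 = modern authentication off
        [switch]$Revert                       # delete the value, back to Office's default
    )
    $path = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
    $name = 'EnableADAL'

    # Record the current state first so the change can be undone or audited.
    $previous = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($Revert) {
        if ($null -ne $previous -and $PSCmdlet.ShouldProcess("$path\$name", 'Remove value')) {
            Remove-ItemProperty -Path $path -Name $name
        }
    }
    else {
        # The Identity key may not exist on a profile that never signed in.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Value")) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }

    # Return before/after values rather than printing them, so callers can log them.
    [pscustomobject]@{
        Path     = $path
        Name     = $name
        Previous = $previous
        Current  = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
}

# Preview with -WhatIf, then run for real and restart the Office applications.
Set-OfficeAdal -Value 0 -WhatIf
Set-OfficeAdal -Value 0
```

With EnableADAL at 0, Office 2016 falls back to legacy (basic) authentication, so the sign-in only succeeds where the tenant still accepts it; `Set-OfficeAdal -Revert` removes the value again.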
Solution 2:
Update: Please see Boby's answer. This approach works, but Boby's solution is far simpler and more practical.
After much searching (and fruitlessly asking this same question at answers.microsoft.com), I've finally come up with a workable, if complicated, solution: running Davmail locally as an Exchange proxy, then configuring Outlook 2016 to retrieve mail via IMAP and my calendar via CalDav. I'm posting the procedure here for anyone else who might be having a similar problem.
NOTE: Davmail's stated purpose is to enable Mozilla Thunderbird (and other clients) to communicate with exchange servers. Thunderbird is fully featured, and may be a perfectly suitable email client for you. Consider trying it. If, like me, you still want to use Outlook, continue on.
1. Download and install Davmail. Accept all of the default configuration settings. Since Office 365 is apparently the most commonly used Exchange system, DavMail pre-populates the correct Exchange URL. Your Davmail configuration screen should look like this:
   (Obscured URL: https://outlook.office365.com/EWS/Exchange.asmx)
2. Open Outlook. Remove your existing Office 365 Exchange account if necessary, and restart Outlook. Additionally, using any Office suite application, log out of Office 365 (File > Account > Sign Out). Close all Office applications, and then start Outlook again.
3. Click File, then Add Account. Select "Manual setup or additional server types". Fill in the settings as shown below (note that the inbound and outbound servers are both 'localhost'), then click More Settings.
4. Click the 'Outgoing Server' tab, then check "My outgoing server (SMTP) requires authentication". Leave "Use the same settings as my incoming server" selected.
5. Click the 'Advanced' tab. For Incoming Server, enter port 1143. For Outgoing Server, enter port 1025. Ensure that the encryption setting remains on 'None' for both servers. Don't worry, these unencrypted connections are only used locally.
6. Click OK, and then Next. Your email should begin to sync with the server via IMAP. This may take a while if you have a lot of email.
7. Now we need to set up your calendar. This presents a minor problem, as Outlook does not natively support the CalDav protocol used by DavMail. Fortunately, a well-maintained plugin for Outlook exists to solve this problem. Download the Outlook CalDav Synchronizer Plugin. Install the plugin, then restart Outlook.
8. A new ribbon entry should appear, entitled "CalDav Synchronizer". Click this tab, then 'Synchronization Profiles'. Click the green plus sign to create a new profile. Enter a name for the profile, then select an Outlook folder - you may simply create a new folder named 'Calendar', as shown below. If you have multiple accounts set up in Outlook, make sure your folder is under the correct one.
9. Afterwards, fill in the DAV URL, substituting your own email address:
   http://localhost:1080/users/<your-email-address>/calendar/
   Then fill in your username (your email address), your password, and, again, your email address. You may also wish to decrease the calendar synchronization interval from its default of 30 minutes. When you're finished, your screen should look like this:
10. Click OK. You should now be able to see your calendar by clicking on the folder you created in step 8. It may take several minutes for calendar entries to appear the first time. It may also be necessary to restart Outlook one last time for the calendar to appear in its traditional location, viewed by the 'Calendar' button.
Having completed these steps, your copy of Outlook should be in the following state:
- Capable of sending/receiving email using your Office 365 address (via IMAP)
- Capable of sending/accepting meeting invitations and interacting with the calendar in a normal way (via CalDav)
- Outlook & Office should -not- be signed in to any account whatsoever.
Further, it is now possible to enable the "Don't allow Office sign-ins" group policy without impacting this email account and calendar.
If anyone has further suggestions or ways to improve/simplify this procedure, I welcome the input.
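Solution 2 relies on the unencrypted IMAP, SMTP and CalDav connections staying on the local machine. The check below is an added example, not part of the original answer: it reports which address each DavMail port is bound to and which process owns it. The function name `Test-DavMailListener` is hypothetical; the port numbers are the ones used in the steps above.

```powershell
# Added example: confirm the plaintext DavMail listeners from Solution 2 are
# reachable only from this machine. Test-DavMailListener is a hypothetical name.
function Test-DavMailListener {
    param(
        # Ports from the answer: 1143 = IMAP, 1025 = SMTP, 1080 = CalDav (HTTP)
        [uint16[]]$Port = @(1143, 1025, 1080)
    )
    $loopback = '127.0.0.1', '::1'

    foreach ($p in $Port) {
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
        if (-not $listeners) {
            # Nothing bound: DavMail is not running or uses a different port.
            [pscustomobject]@{ Port = $p; LocalAddress = $null; Process = $null; Status = 'NotListening' }
            continue
        }
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            # A bind to 0.0.0.0 or :: accepts TCP connections from the network at
            # the socket level. Whether they are then served depends on DavMail's
            # "allow remote connections" setting and on the host firewall.
            $status = if ($l.LocalAddress -in $loopback) { 'LoopbackOnly' } else { 'BoundBeyondLoopback' }
            [pscustomobject]@{
                Port         = $p
                LocalAddress = $l.LocalAddress
                Process      = $proc.ProcessName
                Status       = $status
            }
        }
    }
}

# Any row not marked LoopbackOnly means credentials and mail on that port could
# cross the network in cleartext if a remote client is allowed to connect.
Test-DavMailListener | Format-Table -AutoSize
```

A `Process` value other than the Java or DavMail executable on one of these ports means Outlook would be handing the mailbox password to a different local program.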
Solution 3:
You wish to use the work account only on Outlook, but for Microsoft this means a login on all Office products.
I assume that the account details are stored in the registry, so your problem is running Outlook with these registry entries, but the rest of Office without.
A simple solution to this problem is to use Sandboxie, which creates a virtual environment for selected programs, where all file and registry updates are diverted to some disk storage which is called the sandbox. This means that these updates do not exist for programs that are not started via Sandboxie and outside the sandbox.
This way you could start Outlook via Sandboxie and log on to your work account once and for all. The other Office applications you will start directly, not through Sandboxie, so they do not use your work account, and you may even log on to your personal Outlook account.
Thus Outlook will have two launch modes, sandboxed or not, each using a different account.
You can create a desktop shortcut that will launch Outlook directly inside the sandbox, to simplify its use. See the Sandboxie FAQ of Windows Shell Integration.
The free version of Sandboxie is limited to only one sandbox. However, for $34.95 you can have an unlimited lifetime license. (Edit: Sandboxie is now freeware.)
To make Outlook work in the sandbox, I have set the following Email settings of Sandboxie: