Today, I would like to explain how to enable Allowed Domains for Apps in MS Edge Browser using the Microsoft 365 Admin Center Policy. The AllowedDomainsForApps policy blocks users from signing into Google services with unprovided accounts.
Turning on this policy in Microsoft Edge activates the restricted sign-in feature in Google Workspace. This means users cannot change this setting. Users can only access Google tools with accounts from specific domains. Add `consumer_accounts` to the list of allowed domains to allow Gmail or Google Mail accounts.
This policy adds the X-GoogApps-Allowed-Domains header to every HTTP and HTTPS request to google.com domains. This header lists the allowed domain names, separated by commas. Example: X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com
This policy is based on the Chrome policy with the same name. Through this blog post, I will explain how to enable Allowed Domains for Apps (AllowedDomainsForApps) in Microsoft Edge using the Microsoft 365 Admin Center Policy.
Table of Contents
What are Allowed Domains for Apps?
AllowedDomainsForApps policy settings block users from logging in or adding a secondary account on managed devices using Google authentication if the account is from an unapproved domain.
Windows Registry Settings of AllowedDomainsForApps Policy
The registry is a database that stores settings for Windows and some applications. The Registry Editor allows you to change settings inaccessible through the regular user interface, including system policies and details about installed applications.
| Value Name | Value Type | Mandatory Path | Recommended Path: |
|---|---|---|---|
| AllowedDomainsForApps | REG_SZ | SOFTWARE\Policies\Microsoft\Edge | N/A |
Steps to Enable Allowed Domains for Apps in Microsoft Edge
The AllowedDomainsForApps policy rule helps keep users on a corporate network from using personal Gmail accounts or logging into a managed Google account from another domain. When you block access to consumer accounts, users might see the following message: “This account is not allowed to sign in within this network.”
If you do not specify a domain name, users can access Google Workspace with any account. The AllowedDomainsForApps policy in Microsoft Edge can be enabled from the Microsoft 365 admin center. You can start allowing this policy from the Settings blade in the Microsoft 365 admin center.
- On the Settings, select Microsoft Edge.
- Click on the Configuration Policies
- Click on + Create Policy
- Enable Disable Google Cast in Google Chrome with Intune Settings Catalog Policy
- Best Guide to Enable Disable Edge Browser Auto Sign-in and Sync with Intune
- User Accounts Settings In Windows 11
Basics
In the Basics section, you can enter your policy’s Name and Description. The Name is required, and the description is optional, but including it will help you recognize the policy later. Here, we can also see the Policy Type (Intune) and the Platform (Windows 10 and 11).
- Click on the Next button
Settings
The Settings section is crucial for creating policies within Microsoft 365. Here, you can select various settings (policies). To add settings, click the +Add Settings option, as shown in the screenshot below.
Once you click on Add settings, a Configure a setting window will appear. In this window, you will find various categories of settings. I chose Additional settings and then selected the AllowedDomainsForApps setting. After making this selection, you will see the Value and More Details tabs.
Value
On the Value tab, you can enable or disable the selected policy. I selected the Enabled option since my policy aims to enable a feature. If you want to disable this policy, you can choose disabled option.
More Details
On the More Details tab, you can explore the specifics of the selected policy settings, which helps you better understand the policy. After you click the Select button, you will receive a notification confirming the policy’s successful update. The screenshot below provides a clear view of the details displayed on the More Details tab.
After selecting the policy, you can close the configuration settings page. Your settings, including the policy chosen name and value, will appear on the Settings page. Click Next to continue creating the policy.
- Here, you must click on the checkbox near the Policy name and click on the Next button.
Extensions
The details for the default extensions are on the Extensions page. To continue, scroll down to the, where you will discover the option for the +Add extension. If you want to add the extension, click the + Add extension. You can skip the Extensions, as it is not essential for creating policies within the Microsoft 365 Admin Center.
- Click Next
Assignments
The Assignments tab is important for creating policies. It lets you choose groups for the settings you want to assign. To use it, click the +Select group option, select a Microsoft Entra Group, and then click the Select button.
After clicking on Select, you will receive a notification on this page that the Group has been updated. However, the data will not be saved until reviewed and saved in the Finish step.
Finish
The Finish tab allows you to review your policy details. If you need to make changes, click the back button. Once satisfied, click Review and Create to finalize your policy.
After clicking the Review and Create, the portal will show a success message and confirm the policy has been created. The newly created policy will be displayed in the configuration policies section.
Device and User Check-in Status of Enable AllowedDomainsForApps
After creating the policy, sync your device to activate the AllowedDomainsForApps feature. This process improves policy deployment speed. To do this, open the Company Portal and click the Sync button in the settings.
Once syncing is complete, you can check AllowedDomainsForApps’s Device and User Check-in Status on the Intune Portal. Since the selected policy type is Intune, the status can be found there. In this section, the result shows one (1) succeeded, indicating that the policy has been successfully deployed.
Client Side Verification
Client-side verification can be performed using the Event Viewer on the Policy Enable device. To check for successful events, look for Event IDs 813 or 814. To do this, navigate to
- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
- Here, the successful Event ID is 814.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc.