Hi @SURAJ KALAMBE
Thank you for posting your question in Microsoft Q&A.
Based on my research, Microsoft has blocked the creation of new personal Microsoft accounts using work or school email addresses when the domain is registered and configured in Azure Active Directory (References: Cleaning up the #AzureAD and Microsoft account overlap | Microsoft Community Hub).
If this issue still persists, it may be caused by one of the following reasons:
- Legacy Accounts: Personal accounts created before your domain was verified in Microsoft 365 are not automatically blocked or deleted. These "grandfathered" accounts can continue to exist and be used, leading to security risks (e.g., offboarded employees retaining access to personal services tied to your domain). If employees created such accounts in the past, they might still be using them.
- Account Confusion: Sometimes, users might sign in with a personal account that shares the same email but was converted or conflicted during domain verification. This can cause sign-in prompts asking "Which account do you want to use?" (personal vs. work).
- Aliases on Non-Blocked Domains: Employees might use a personal email (e.g., @gmail.com) to create an account and attempt workarounds, but as noted, direct alias addition is blocked.
- Subscription-Specific Notes: Microsoft 365 Business Basic includes domain verification via Entra ID (formerly Azure AD), so the block should be active. However, if your domain was added recently, older accounts won't be affected retroactively.
You could follow these steps to troubleshoot it:
Confirm Domain Verification:
- Log in to the Microsoft 365 admin center (admin.microsoft.com) as a global admin.
- Go to Settings > Domains.
- Check that contoso.com is listed as "Healthy" and verified (via TXT or MX DNS records). If not, follow the prompts to verify it—this activates the block.
Check for Existing Personal Accounts:
- Use the Entra ID portal (entra.microsoft.com) to review if any personal accounts are associated with your domain.
- Go to Identity > Users > All users and filter for external or guest users. Look for any that use @contoso.com but aren't managed by your tenant.
Block or Reclaim Legacy Accounts:
Microsoft doesn't provide a self-service tool to automatically delete or capture existing personal accounts, but you can request assistance:
- Contact Microsoft Support through the Microsoft 365 admin center (under Support > New service request) and describe the issue, referencing "domain capture" or "reclaim unmanaged personal accounts for verified domain." They may help migrate or block them.
- For offboarded employees, revoke their work account access immediately via the admin center (Users > Active users > Block sign-in), but this won't affect personal accounts.
- Educate employees via company policy to avoid using work emails for personal services.
Additional Security Measures:
- Conditional Access Policies: In Entra ID, create policies to block sign-ins from personal accounts or unmanaged devices to your tenant's resources (e.g., Exchange Online). Go to Identity > Protection > Conditional access > New policy, target "Office 365" or "Exchange Online," and require compliant devices or block personal sign-ins.
- Outlook Restrictions: Use PowerShell to prevent adding personal accounts to the Outlook app. Connect to Exchange Online and run:

```powershell
Set-OrganizationConfig -PersonalAccountsEnabled $false -PersonalAccountsCalendarEnabled $false
```

This blocks non-work accounts in Outlook clients.
- Data Loss Prevention (DLP): In the Microsoft Purview compliance portal, set up DLP policies to monitor and block sensitive data sharing via personal accounts.
- User Education: Remind employees that using work emails for personal purposes violates security policies and can lead to data breaches.
If your domain isn't fully verified or you're still seeing new personal account creations, it's recommended to double-check your Azure AD setup or contact Microsoft Support for assistance. This approach can help resolve most data security concerns related to the misuse of corporate email addresses for personal accounts.
Please understand that our initial reply may not always immediately resolve the issue. However, with your help and more detailed information, we can work together to find a solution.
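As an added example (not part of the original answer and not Microsoft's own tooling), the guest review described under "Check for Existing Personal Accounts" can be run offline over an exported user list. It also decodes the `#EXT#` guest UPN form, which a plain search for `@contoso.com` would miss. The function name `Find-DomainGuest`, the record shape, and the sample records are assumptions made for illustration.

```powershell
# Added example. The sample records are constructed; the property names are an
# assumed export shape (UserType, Mail, UserPrincipalName, Identities).
function Find-DomainGuest {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string]   $Domain
    )
    $suffix = '@' + $Domain.ToLowerInvariant()
    foreach ($u in $Users) {
        if ($u.UserType -ne 'Guest') { continue }

        # Collect every address the guest is known by: Mail, plus the address
        # encoded in a guest UPN (alice_contoso.com#EXT#@tenant.onmicrosoft.com).
        $addresses = @()
        if ($u.Mail) { $addresses += $u.Mail.ToLowerInvariant() }
        if ($u.UserPrincipalName -match '^(?<enc>.+)#EXT#@') {
            $enc = $Matches['enc']
            # The last underscore stands in for '@'; local parts may contain others.
            $i = $enc.LastIndexOf('_')
            if ($i -gt 0) {
                $addresses += ($enc.Substring(0, $i) + '@' + $enc.Substring($i + 1)).ToLowerInvariant()
            }
        }
        $hit = $addresses | Where-Object { $_.EndsWith($suffix) } | Select-Object -First 1
        if (-not $hit) { continue }

        [pscustomobject]@{
            Address = $hit
            Upn     = $u.UserPrincipalName
            Issuers = ($u.Identities.Issuer | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample: one managed member, one guest on the verified domain
# (no Mail attribute, so only the UPN reveals it), one unrelated guest.
$sample = @(
    [pscustomobject]@{ UserType = 'Member'; Mail = 'bob@contoso.com'; UserPrincipalName = 'bob@contoso.com'; Identities = @() }
    [pscustomobject]@{ UserType = 'Guest'; Mail = $null; UserPrincipalName = 'alice_smith_contoso.com#EXT#@contosotenant.onmicrosoft.com'; Identities = @([pscustomobject]@{ Issuer = 'MicrosoftAccount' }) }
    [pscustomobject]@{ UserType = 'Guest'; Mail = 'carol@fabrikam.com'; UserPrincipalName = 'carol_fabrikam.com#EXT#@contosotenant.onmicrosoft.com'; Identities = @([pscustomobject]@{ Issuer = 'ExternalAzureAD' }) }
)
Find-DomainGuest -Users $sample -Domain 'contoso.com' | Format-Table -AutoSize
```

Rows it returns are candidates for the support request described under "Block or Reclaim Legacy Accounts"; the function only reads the list and changes nothing.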