
How to prevent users from logging into personal ChatGPT/Claude accounts on corporate devices using Microsoft Security Stack?

DAVAADEMBEREL PU 5 Reputation points
2026-03-02T07:13:48.0366667+00:00

Hi everyone,

I am looking for a robust way to enforce Corporate-only access to Generative AI platforms (specifically ChatGPT and Claude) across our organization.

The Goal: Users should be able to log in using their Corporate Entra ID (SSO), but they must be blocked from using personal accounts (Google, Apple, or personal email) while on corporate-managed devices or the corporate network.

The Challenge: Standard MDCA (Defender for Cloud Apps) Session Policies only trigger if the user initiates login via Entra ID. If they go directly to chatgpt.com and use "Continue with Google," they bypass our Conditional Access policies entirely.

I am looking for the best Microsoft-native approach to solve this. Which of the following is recommended, or is there another way?

Microsoft Global Secure Access (SSE): Can it perform "Tenant Restrictions" or HTTP Header Injection for non-Microsoft apps like OpenAI/Claude?

Microsoft Purview / Endpoint DLP: Is it possible to block the login page itself or restrict authentication to specific domains?

Microsoft Edge Management: Can we use "Site Permissions" or "Managed Preferences" to restrict the OAuth providers allowed on these sites?

Defender for Endpoint (MDE): Can "Custom Indicators" or "Web Content Filtering" be granular enough to distinguish between login types?

I want to avoid a "cat and mouse" game with URLs. What is the official Microsoft "Best Practice" for preventing "Personal AI Account" usage while allowing Corporate usage?

Thank you in advance for your guidance!

Microsoft Security | Microsoft Defender | Other

1 answer

  1. JimmySalian-2011 45,231 Reputation points
    2026-03-03T09:59:43.7566667+00:00

    Hi,

    As this is a wide topic for discussion, I would suggest you start with Defender for Cloud as this can allow you to block custom domain names and IPs based on the requirement. This is the article you can review and see if it helps - https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain

    Microsoft Purview will allow you to implement DLP and Label policy to control leakage of the data.

    So you can have multiple solutions provide coverage.

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

