Trying to be actively signed out is also a mess. You can use the Teams app to join Teams meetings others have set up and invited you to without Teams access yourself. Though of course if you have an MS account Teams can see, it ends up trying to use it and then saying you don't get Teams access via that account, and trying to sign out and join the meeting with an account associated with it often just doesn't work. A colleague actually ended up requesting he get an O365 account with Teams associated with his corp email because of this issue, as he had occasional meetings with external people over Teams. We have a corp O365 setup for our ops/admin team that engineering normally doesn't touch, but because he had a Teams invite sent to his corp email he got dragged into it.
If he had graduated or otherwise no longer had access to his school account, he would never have been able to recover the drive. Of course he has his important files in cloud storage anyway, but it’s very annoying nonetheless.
>>Of course he has his important files in cloud storage anyway
So MS's defective key system is pushing people to keep their files in the MS cloud? When a defect in one product pushes users towards a more profitable/addictive product, that isn't a defect. It sounds like the plan to keep users hooked into the MS ecosystem is progressing nicely. Once upon a time it was Apple getting its hooks into users while at school. Now it is MS.
Does one still need an MS account to play Minecraft?
They tried to simplify it by tying everything to YubiKeys, but just this week some things stopped going to the YubiKey and wanted me to auth on my phone like we used to instead.
ugh
That doesn't sound reassuring if the cloud storage is, itself, Microsoft connected ... or even using auth/login mechanisms that connect to the Microsoft account.
And then you get the people asking naively "why are you getting so mad at them"...
I just want to point out that this entire described scenario, by a company with decades and decades of security products being shoehorned into "just good enough" cloud infrastructure....
Sure the security folks will say hardened infrastructure with fine grained least privilege is doable ... if you're at greenfield ... maybe. But the issue with lots of IT orgs is that they are MESSY, and fine grained least privilege is fragile. Messy + fragile = not good things.
I agree with least privilege as an aspiration, but security is a top-down authoritarian entity in organizations, and fundamentally they don't care if their policies disrupt your daily work process. IMO this is because most security orgs don't provide solutions.
Specifically, by solution I do not mean "picked an enterprise security product, bam, we have a solution"; I mean you have a security architecture and then have the people with bandwidth to help boots-on-the-ground devs get the job done quickly so security isn't a blocker.
If you use Firefox, you can use the container feature to host different login accounts. It makes it easier than switching between private windows and doesn't require you to enable extensions on your private tabs.
It is indeed a giant mess.
If you go to live.com and click on the hamburger icon at the top, then under 'Apps' click on the "To-Do" app, you will be asked to enter the password for your work account, even though you are on live.com, not on office.com, and you are currently logged in with your personal account.
The only way to get past this is to click "use another account" then log in again with your personal account (even though you are already logged in!!).
This bug has been present for months now.
They’re actively enabling phishing because they chose to roll back standards support.
https://www.brightball.com/articles/how-microsoft-became-phi...
The many standards around identity management make the web more complex. Most of us have many identities and we end up with a multidimensional web of tokens and cookies.
I think at some point something will have to give. This seems like a space where some more provider consolidation or collaboration would help.
Security is so important to get right, yet too easy to get wrong.
Doing the same thing with MS accounts has been an utter nightmare by comparison.
For that reason I never use MS online apps on my private devices and whenever I need to sign in online, I always use the private mode or a dedicated Firefox container.
It looks like generations of implementations (and likely generations of product management and development teams) layering on top of each other, "replacing" the "old" systems only to do the half of it, and integrating with acquired products.
Seen from outside, it just doesn't look like there exists a single team that understands the authentication and permission system end-to-end.
In my case, my personal and professional Microsoft addresses are the same (same email, different accounts) which means that in many cases I end up in impossible situations when the login screen doesn’t correctly guess if I want to sign in personal or with my “work” account. I also do client work for organisations where I need to sign into their O365 and honestly the only way to manage all that is to keep a dedicated browser “per account”.
Teams is a different story, I avoid account switching because exactly like you describe, sometimes I need to uninstall it in order to sign out.
It's the only way I can keep my personal, work, and alma mater email separate and not falling into login loops.
Basically, when we log in we need to use the "personal account", but sometimes it will not ask what account to use and automatically chooses the wrong one, and once it gets stuck in this state I didn't find a way to fix it.
Arguably, if you're one of the 85% of SMBs in O365/M365 instead of Google Workspaces, or if your "Login with..." personal account is Microsoft instead of Google or Apple, you should be using Edge.
I agree. It is surprising that we don't see similar issues more often. It is *so* confusing to both users and developers, to the point where it's too easy to make some naive mistakes. And it is one of the most critical parts of the system!
- Use a different browser profile for each account
- For the 2nd and subsequent accounts, use Teams in the browser (teams.office.com) in the respective browser profile.
Teams in the browser is not substantially different than the desktop app.
Apple is not really any better. God help you if you accidentally lock your Apple ID, you will be subject to a month-long wait before it can be fixed. Why that long? No idea. Nobody at Apple has any idea why it couldn't just be 2 days, and they will frankly admit to you that it makes no sense, then spout some meaningless 'because of GDPR regulations' nonsense that has absolutely nothing to do with GDPR regulation.
Even worse, Microsoft is now trying to force online accounts onto Windows machines.
Google already does it with Android. Which means for some reason if you lose access to your email, you are locked out of not only your online accounts but your local devices also.
We really need to separate authentication from services and devices. With strong safeguards around that account and an actual support system.
That's the kind of results Google should be surfacing, but it lost the game, it is so useless now for precision searching.
You can buy a good mini-PC for a couple hundred bucks and it's much more powerful and flexible. You can run Windows or Linux etc. and hook up any keyboard, controller, or remote, and do whatever you like.
Nvidia Shield was great, but they upgraded the user interface and shat ads all over it.
This is not true if it is a Google Workspace (or whatever they are calling it now) account. Learned this the hard way when getting YouTubeTV. To be fair, it was just a couple of hours of frustration and annoyance but still, for whatever reason, the workspace accounts that you pay for are second class citizens.
I have seen this on HackerNews multiple times. I bought a Google Pixel this past week and set it up. I have not logged into a Google Account. Maybe if you give the phone internet access during setup, it doesn't give you the local account option. But I can attest that Google has not (yet?) closed the "offline account" loophole.
How was this missed when designing the security and authentication systems?? This is basic foundational stuff!
Product A adds a sign in. Product B from another team adds another sign in. Product C,D,E do the same. Each team has some special magic sauce that makes their system work better with their product, but worse with all others.
Now the corporate infighting starts, as management squeezes all these sign-in systems together, and everyone loses if any system but their own wins. So some compromise is created, based more on political prowess than technical requirements. The result is an API from hell, taking fragments from everyone, even if they conflict. Everyone pushes and pulls their existing systems until it fits in the compromise, trying to minimize damage. Weird cracks appear everywhere.
We've all seen the organizational charts meme:
https://www.euroresidentes.com/tecnologia/noticias-internet/...
Remember how each organization builds a solution based on its organogram. Look at Microsoft in the meme. Look at the sign-in mess. Understand.
I predict strange, probably exploitable and surely unsolvable problems in the MS sign-in system for at least the next decade, just like their programming practices of the '90s had entirely predictable security consequences for a decade when the internet appeared.
Typical for Microsoft, reportedly: https://bonkersworld.net/organizational-charts
I’ve been in similar scenarios — the switch directory or switch organisation technique usually worked for me - but wasn’t enough for this person.
They never really give you enough information to tell what’s going on… maybe it’s a security risk to have consumers who are anything other than bewildered Kafkaesque characters struggling against a faceless bureaucracy? I suppose we should not question their wisdom and be thankful that we can log in at all.
Atlassian manage to make it even more confusing than Microsoft. So there’s that.
Realms is still in some kind of half subscribed, half not subscribed state and it still asks for my account's PIN for purchases but actually only accepts my kid's PIN. And every game warns me that my setup is questionable (store account doesn't match game account) even though it's exactly what Microsoft tells parents to do. Even Microsoft's own Minecraft app complains every 30 days!
I suggest this area for any web2 bug bounty hunters looking to make a fortune.
And MS login for work is a complete shambles. I have to do a tactical login to Outlook with a different work account to switch login when I try to use Azure as that's the only obvious way to move to a different org account. It's horrible.
Wrong!
It's even worse! You still have to log in with some MS account, but on top it's buggy, slow, laggy, and crashed a few times on me generating the world. What a disaster.
Also, parental controls seem to suck in general on most services. Nintendo Switch seems to get it right for the most part.
This keeps everything from being commingled, at the expense of maintaining all of those credentials.
Also, as a bonus, if you organize this by subdomain you can sort your email by it automatically, since most emails from this stuff don't really need to hit your inbox.
“Warning: You are about to login to Microsoft Atlassian Fogbugz Trello. Have you cleared sufficient space in your calendar, notified your next of kin, put your affairs in order, and taken your sedatives?”
It's once your sessions start expiring or you're trying to use the other services in meaningful ways that the journey begins.
We, as an Atlassian plugin maker, chose GitLab internally, and Notion, both because at least it was properly integrated and didn’t have the awful Atlassian ID and switch between apps…
It was something like two accounts existed in the system with the same email address and one of them had permissions, but we couldn’t sign in to it and the other we could sign in to, but didn’t have permissions and there was no way to grant it permissions.
I spent several hours with MS support over a few days while they tried to sort it out, reset passwords, sign in via different systems, etc. Eventually they recommended we create a new account.
I stopped working with Azure clients, instead.
I didn't bother porting my Mojang account to Microsoft, it was too stressful to use.
I'm skeptical of the suggestion that the school admins were able to do this with no input, but I'm absolutely willing to entertain the idea that:
a) AD login is a complete mess, and
b) the UI is utterly misleading and near-unusable.
IMO, the main issue here is BigTech's obsession with a single login. One single set of credentials gives you access to everything, from entertainment to professional services.
People do share their credentials with family, especially if it involves subscription and payment. BigTech tries so hard to push for not sharing, but they fail to understand (or don’t care) that most people, especially non-Americans, don’t have the budget to subscribe multiple times. Family accounts are nonexistent, lacking management options, and also more expensive.
The UI of this is just as bad as the one that asks you to sign into MS account and upload all files to OneDrive when setting up Windows. It even comes back after some time if you deny it!
AD login is something that used to work well (10-20 years ago) but is now a complete clusterf*k. What was designed for logging into Windows NT workstations isn't what most users nowadays are expecting when logging onto web apps. Plus the UI is full of antipatterns. Yet it's still the easiest for IT folks to manage.
I don’t mean to solely focus on Microsoft, but they are the dominant example in their domain and the biggest example in tech.
As a society it should have never been allowed to even be possible that things like the government, including public schools, become so captured by Microsoft’s disastrous ecosystem. People give Apple some justified flak for lock-in issues, but at least there it feels more like Apple trying to keep the horrors of especially Microsoft and Google at bay … formal dress required for entry.
My personal account was tied to that tenant, and whenever I tried to register an app - it was access denied. They even give you an option in the app registration interface in Azure: whether you want it to be in the company tenant or linked to your personal account. Regardless of what I tried, access denied. After a few weeks of this, I attempted to “Leave” the proof of concept tenant.
Yes, I clicked the scary leave button that tells you your data will be deleted. Access denied.
One of the options Microsoft suggests is to get in contact with the global admins to help out. Considering that tenant was abandoned 8 years ago, it was going to be difficult to get in contact with the global admins. I even contacted my former employer and requested they remove me. Their response? “We abandoned that tenant years ago, no one can access it”.
I created a support case with Microsoft for their Azure AD service requesting they remove my account from the tenant.
After some back and forth, repeating myself a few times, trying to explain what I wanted to do in multiple different ways, and a screen share, I still wasn’t able to leave the organization. The case was escalated, and eventually I got on a call with the support rep and a manager.
We went through the “leave the organization” process together, and miraculously, it allowed me to leave. This was several months ago, by the way, and no data loss with my personal account that I can tell (so far), although I can’t guarantee when you click that scary button, your data will be safe.
I’m not sure what technical witchcraft took place for this to happen, because it was the exact same set of steps I had tried 25 times before. My only point in this story is to say it would probably be worth a shot creating a support case with their Azure team, and being a squeaky wheel, in the behemoth cog that is Microsoft, that gets the grease.
First, customer service will be automated or even nonexistent, and very poor. Secondly, the product will have been 'tweaked' so many times for new markets and product extensions that it will be very fragile when you do something at the edges of its functionality (not what the other hundreds of millions are doing).
It shouldn't really be this way - it tells a lot about software engineering that a product run by a few enthused people alone can often (but by no means must) have better support and service than a product with huge resources.
Also, a software engineering product run by a large organization is going to have tons more functionality under its much bigger umbrella compared to a small team with a much smaller product. Consider AWS vs Digital Ocean. Both great companies, but AWS's umbrella of offerings is vast compared to Digital Ocean.
No, but something unusual went wrong and getting it fixed will be harder at MS than a smaller company. There probably isn't a single person who understands why without a fair amount of research. Without the publicity, MS would be inclined not to spend the effort to fix.
> Also, a software engineering product run by a large organization is going to have tons more functionality
This was exactly my point: the large product with tons more functionality will likely be more brittle, harder to use, and harder to get support for if something breaks. If you aren't using that functionality, you often won't be well served by the company. I had this experience with Evernote. I'm also a very happy AWS customer, but I think that is because their products are a set of (fairly) independent products, rather than one huge system.
Take but one bad example. If you look carefully, the sign in page for OneDrive is slightly different to the sign in page for other Microsoft services. It has functional differences too, namely, OneDrive's login page doesn't offer you FIDO2 passwordless authentication. Meanwhile, over on Google, everything goes through a unified login screen (accounts.google.com).
They’re better at offering a switch account ui in some places but definitely not most.
So instead of:
https://mail.google.com/mail/u/1/#starred
bookmark:
https://mail.google.com/mail/?authuser=foo@bar.com#starred
The URL will be immediately rewritten as the proper /u/# for that user (which, as you say, depends on login order).
Not sure why it's like this, but I could see it being related to not wanting PII in the URL.
Better than the MS Teams mess, but then again, it would be hard to make it worse than that.
I so regret converting my Minecraft account. The old Mojang stuff was so much more reliable.
In what way? Does the microsoft.com login system go down often?
The worst part is that some bot years ago signed up for the Xbox account using the same email I used for the Mojang account, so converting the account first required me to take over the bot account with a password reset. But the bot set the account up in German and it's apparently impossible to switch the language settings for everything. I got most of it switched over (across four completely different configuration pages), but stuff like the emails are still sent in German. I'm pretty sure my account is going to be locked sometime in the future once they figure out that it was originally a bot account, and there is no chance I'm going to be able to get my alpha Minecraft account back when that happens.
I guess it also doesn't make sense for them to maintain a parallel login system when the Microsoft one gets (presumably) millions of dollars of investment every year. Though Microsoft accounts are more complicated to use, with configuration being split across Microsoft, Xbox, and Mojang/Minecraft itself. And it seems they like locking people out for opaque reasons.
What freaking organisation is always my response; I've never been able to figure it out.
Very random example: SharePoint has a MS Word integration - you can open a .docx file from there, it opens in Word and you are actually able to edit the file on the server as if it was on your computer. At least in the older on-prem versions, this actually used the Word installed on your computer, not some web version. If you used a custom authentication provider, a little browser opened within Word and you had to log in there. But Word needed to "trust" the domain. On a personal computer, you could just edit the trust settings in some Word menu, yet the error message still said "your organization..." if you didn't.
Additionally, go to Accounts in Settings and double-check that you're not logged into any "work or school" accounts.
The one thing I can't stand is that if you log into a non-personal Microsoft account in an app, there's a dialog that is very confusing[1]. It asks if you want to use that account everywhere on your device, but there's a box checked by default to let the organization manage your device, a button that says "Yes", and what looks like a hyperlink that says "This app only". I always uncheck the box before clicking "This app only", but I wonder if keeping that box checked would still enable organizational device administration. It screams "dark pattern" to me.
1: https://i.stack.imgur.com/gmp00.png
---
Just to add a tip for others: If you want to use Edge for the Windows optimizations and PlayReady support for streaming services, but don't want to deal with all the annoyances, you can disable many of them via Group Policy[2]. For example, you can disable the "Search Bing in sidebar" option that shows up in context menus[3] that I always seem to accidentally click when I'm trying to search for something I highlighted. I also use Group Policy to set the default search and homescreen settings because then it won't annoy you with the recommendation to set it to Microsoft defaults every time it updates.
Firefox is my main browser, but I use Edge for streaming Netflix and the like because I don't get 4K playback via Widevine. It annoys me because Edge would actually be a great browser if the Bing folks weren't constantly trying to shove things down my throat and filling it with dark patterns.
2: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...
3: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...
Whenever I see such a serious warning, I will almost always take a long period of consideration before proceeding. Remember that you're dealing with a company which acts like they believe you shouldn't own your computer. If a company with that attitude believes they should warn you about something, it's certainly serious.
Also, Microsoft's UIs are filled with misused terminology. They use create, open, add, (delete, close, remove) etc. interchangeably. For example, in the OWA the process for removing a calendar you don't own is called delete.
Don't forget the OG domain, hotmail.com
1drv.ms (OneDrive file sharing)
microsoftonline.com (something to do with Azure)
b2clogin.com (replacement for microsoftonline.com)
Later, I filled out my taxes in Excel and saved them.
It had uploaded them to my school's default OneDrive shared folder. It never asked me if I wanted to use that account as my default, and never told me it had changed accounts. It took me 10 minutes of nonsensical "file is locked" messages before I could delete my private data from my school's drive.
Some apps such as Microsoft Authenticator won't even let me remove the account.
In Chrome you just create a new profile for each identity you have. If you're opening random incognito windows or using different browsers all the time to log in with different identities, you should be creating profiles instead. Everything is separate including bookmarks, sessions, cookies, extensions, etc.
https://addons.mozilla.org/en-GB/firefox/addon/multi-account...
It's just easier for me to manage that way. That being said, my work google account is connected to my personal phone which is probably gonna mess me up at some point.
Yes, even if work doesn't provide a laptop for work purposes and you need to furnish your own. Same goes for phones, etc.
It might be expensive to maintain dedicated hardware to cordon off work from everything else, but it's still cheaper than if you hadn't and the inevitable biological waste impacts the aerodynamic wake generator.
Also, Google tracks you across all websites once you login to the browser (even if you don't use google login on them). If they weren't tracking you, using the browser profiles would be great.
Hoping this raised issue helps clean up some of the mess; I find it fascinating how byzantine Microsoft has become.
I also have a Skype account that became some other account, but was using the same email as my Mojang account that got ported to Live accounts. I kinda hope everything is neatly bound in the backend as I log in through the live.com portal, but it feels like a miracle that it still works at all.
It was the same kind of fun trying to log in to Flickr with an old converted Yahoo account. Or dealing with Amazon after merging multi-country accounts.
Amazon used to allow having multiple accounts with the same email, but different passwords. And don’t ask what happens to personal accounts that get accidentally invited to corporate accounts via email addresses formerly used for the personal account.
I made a point to separate mail addresses by country to avoid getting hosed, but I'd imagine the fun trying to access Prime or kindle purchases from an account that has them in multiple national stores.
This is a great thing for small startups, else we would only have a single huge corporate conglomerate doing everything with cutthroat efficiency.
Add to that various attempts at fixing problems, adding features, partially removing unsuccessful features, supporting old systems, framework/library migrations in various states of completeness, different developer's ideas of how to do things, and that rockstar developer who wrote really obscure code and then left to grow pomelos, and you have an incredible mess without even having to bring in company bureaucracy.
WTF kinda power trip are they on when they let domain admins just pwn accounts like that? How did OP end up in this situation? Was his email just on a distribution list and usurped that way? I don't get it. And I find it kinda freaky.
In general, be careful what you click agree to (I know, I know)
If you have your daughter log in to her school account and remove your email from her account, your account will revert to a normal Microsoft account.
You will however have very limited access to azure with a personal account, and doing things like registering an app is going to be unlikely unless you have your own tenant, or added to some other tenant.
Just accepting every horrible thing in the world must be so sad.
So usually pressing the wrong option while logging in with a new account while existing cookies from another one are present can land you in this mess.
Usually the only way out of the mess is somehow via Microsoft support, which I only saw being successful via MSDN sales contacts.
Some years ago, my Android tablet could only read my work's Office 365 mail if I allowed a Microsoft app to reconfigure the security. Next thing I know, I can only log in on it with my work AD account. But the WiFi is disabled, I can't enable WiFi without logging in, and WiFi is required for the AD logon process. It took a factory reset and complete erasure to pull it out of that one. Lost a good (paid) app in the process. I also learned the corporation can remotely erase the tablet whenever they like, and neither their security nor their hardware team were good at thinking through the consequences of their actions.
Second was a Teams install used by me and some other people to video chat each other. One day, the school invites us to a meeting, after which Teams decided the account now belongs to the school. Meetings with another institute were now impossible, as Teams' tiny brain could not allow the school and the institute to mix. For now, I deal by creating a new Microsoft account for each meeting, and nuking the Teams install afterwards.
My general attitude with Microsoft is now: On non-MS browsers, delete all caches and settings when done, or use a different profile. On non-MS OSes, delete any login account they touched. When using any MS system like Edge or Windows, require different physical or virtual computers for each identity; they will leak into each other.
Nonetheless, I would have expected MS to ensure that the process includes clearer guidance for the account owner, and for deliberate decisions to be made by the school to enable this type of action.
They did a very good job of providing clear advice to BYOD users during the MDM onboarding process in InTune, and it’s confusing that this didn’t occur in this case.
No matter how inexperienced they are, it shouldn’t be possible to put an external Microsoft account into this weird state without the account holder’s permission. And the “leave organisation” button shouldn’t leave the account in some weird unrecoverable state.
This all reeks of sloppy product design on Microsoft’s part. Is my Microsoft account one bad domain administrator away from being taken from me? That’s unacceptable.
The school's IT team should never have had the means to do that.
It's a long time pattern of behavior from Microsoft about their utter lack of any care or thought for how to manage their MS Accounts system.
Giving such permissions to a 3rd party could be just a gross incompetence instead of malice. Yet, it should never happen.
And then Jeff is confused about the state of his account. Keep in mind that he's using a developer tool (the Azure portal) and account federation is not a beginner-level feature of Azure AD. There are sharp edges. He just jumped to a lot of conclusions, and wow, the FUD level on this comments thread is off the charts.
I know this because I set up an OAuth2 based web portal for my friends to access my Minecraft server using Azure AD B2C and by god the hardest part was figuring out how to explain the login experience to users, and disable the secondary 2FA requirements for MSA/Gmail users (because I know my friends are smart enough to use 2FA)
That is, a personal account shouldn't even be possible to convert into an Azure AD one: if you want, it's another account, with another email and another password. This possibility of mistake should never exist.
The trial ended, Microsoft started charging my credit card, and it was literally impossible to stop it without access to the account that was managed by the now defunct company. While it was pretty hard to talk to an actual person, I did twice, and after months of back and forth via email, I was advised to just do a chargeback with my credit card company. Microsoft (probably automatically) disputed the chargeback, and I spent many more weeks disputing the dispute, having to prove to my credit card company there was no way to cancel and that Microsoft actually told me to do a chargeback. I'm sure I'm somehow banned from Microsoft accounts using that credit card, although I've never tried.
I told him good luck coming all the way from India to wrestle my laptop from my hands. Don’t know if this will end with me looking for a new job, but what I know is that I won’t be installing whatever crap they are pushing. I am an adult and know how to admin my own computer.
Try and see it from their perspective.
Is it ecological? No. But the compliance beast must be fed. So fine.
I'm usually pretty positive about Msft but their identity stuff is a mess.
[1] except that I have two OneDrives that appear to form a Venn diagram with a partial intersection that i can never quite figure out....
I’d be curious about a follow up if the author ever figures out how the account takeover happened. I wonder if logging into the account on a school device resulted in automatic enrollment or something.
Our team has a Google sheet with some scripting that uses the data in the sheet to generate data to another system. This needs to be run using the company Google account.
Now someone opens the sheet, runs the script and it just doesn't work.
Why? Google just randomly decides to pick one of these:
- The personal Google account the user has logged in to
- The account used by Chrome
- The company account
We haven't found a pattern to this yet. It works better for some people and worse for some depending on the time of the day, position of the planets and maybe a third unknown factor.
It took a lot of back and forth with the school's admin to figure out what happened. I was able to get my account released, but I wasn’t brave enough to try what Jeff did.
Like Jeff, this did not leave me impressed with MS Azure at all. How could joining (or being added to) a mailing list imply you are now part of an organization? How does one go from LDAP to that hosted AD mess?
It brings plenty of other headaches though.
What has happened here is that you have essentially two accounts: One is your consumer MSA, and the other is an account in the school's Azure AD instance that uses federated sign-in with an external account (your MSA). Except, the real mess comes from the fact that there's one login page for both, and sites such as the Azure portal that support both identities and can't really tell which one you expect to assume. Plus, the Azure portal lets you switch between Directories at any time.
You can:
* Sign out completely (login.microsoftonline.com/logout.srf) and sign back in. The reason the sign-in page asks for your sign-in email first is because then it uses that to decide which directory (MSA or someone's AAD) to sign you into
* Change directories - (in fact I'd recommend creating your own Directory instead of using the one that was automatically created for you from your MSA name)
* Create a consumer MSA based on a Gmail account
* Invite that MSA into an AzureAD directory
* Try to sign in as that user to that directory.
Good luck!
I have 2 Microsoft accounts on the same email address, one is a personal account I created ~10 years ago and one that appeared out of the blue a few years ago. The second one seems to have been created by my employer; when I try to log in it reroutes me to the job 2FA. The weirdest thing was when I tried to schedule an exam with Microsoft and it appeared as free on the work account, for some reason, but not free on my personal account.
I also had OneDrive set up on my personal desktop. After years of working well, one day I got an error and I had a look: it merged my personal OneDrive with the work one, so my Witcher 3 saved games were on my company's storage. I guess this happened because I tried to add my work account in Outlook to read email on that computer too. Since then, I am doing all the work related tasks in a Virtual Machine with a local Windows account and no email, no Teams, no OneDrive, etc.
Worked on a project for a big bank. My work email was given access to their Active Directory or whatever for certain sharepoint folder access.
My work machine is signed into my /personal/ microsoft account for login, and then also signed into my work-personal account (i.e. MS account with my work email, but a self created personal one - we're not an MS company).
At some point I was kicked off my Xbox, had to do a password reset dance to get access again, all because Big Bank's password expiry policy somehow leaked into my personal MS account thanks to being signed into both accounts on the same pc.
And now, my company got an Active Directory for us, purely to make interfacing with other MS-powered clients easier. Imagine the nightmare of my work account, originally created by myself, and the conflicts with my new "work or school" AD account. It's such a mess.
It appears that someone was able to link an MS account to my email with no verification, then rename the account, again with no verification.
Best case is that it's someone who used my email as a recovery email for their MS account and changed it. But with the mess of MS accounts, I'm always nervous they've got some residual control of my real account which is also linked to that email.
Unfortunately I've never been able to get confirmation from MS that things are OK. There are plenty of questions about this particular renaming issue on the web, but no answers.
And also this is why I don’t use Ubuntu anymore.
I know this because I have one of each running in my home with no associated cloud accounts whatsoever.
They do nag you a bit (not aggressively like Microsoft, who is like "are you sure you want a terrible experience using this computer?"), but it is entirely possible to be productive outside of the iOS ecosystem, which does require an account to load apps.
Microsoft Office is a big deal. It's where the worker lives.
This is because Google didn't spend the money to make workplace software better than Office, only clunky web apps; while Microsoft spent the money to make web apps (nearly) as good as the workplace software everyone uses.
Google chose not to displace 80% of features of the incumbent, while the incumbent added the 20% Google had thought was enough.
So 85% of business workplaces and workplace users are O365/M365 workplaces and users.
Btw, if you make SaaS and don't support "Login with Microsoft..." or their (very easy to integrate) SAML SSO, you're leaving 85% of your TAM on the bench.
See https://www.xsplit.com/user/auth as an example of a sign-in that enables every workplace and identity.
At the end of the day it's something I'm more disappointed than upset about. It's scammy, gross, and reflective of a company playing catchup by force.
It’s funny because Azure seems like it’s just a hacky scaled-up version of what MSPs were doing with hosted Exchange 15 years ago.
It's a pain in the tail to resolve, but it can at least be resolved without calling the school.
The thing about the Trello account is that I used a non-school email account for that. I never at any point gave them information about my school account. I opened the account on the day Trello was announced, when they didn't even have paid plans. I'm guessing they were able to link me somehow, and they used that information to give my account away.
Clearly Atlassian is not a company that should ever be trusted with important data. In my case, if I had any information about grades in my account, it would have been a violation of FERPA. You can't casually hand out that information to random strangers.
HOWEVER, the article glosses over the real story: a child obtained complete, unsupervised access to the author's computer, and wouldn't you know it, they broke something.
I suspect there would be far less interest if the headline read "my kid ordered $20k worth of Robux and I can't get a refund".
Given the advent of and ease of use of password managers, I'd rather just have another set of credentials than risk the inconvenience.
It's strange to me to take the discussion like this to public forums before talking to the people involved. It could be his daughter "gave" it to the school as an act of generosity for example.
In short - you are missing a lot.
But the fact that it's even possible to reach a failure state like this is still worth public discussion. You're probably right, odds are his daughter hit "okay" on some screen... but it shouldn't even be possible to irrevocably hand over the keys to a private account.
That shouldn't be possible in the first place.
Too bad that they didn't let you make a copy of what you had - mistakenly - stored on that account though.
PS - Suggest you don't make the mistake of replacing that with a personal Google account.
In this case, is there another company with a similarly old and complex auth system that does exemplary work?
Some kind of Stockholm syndrome.
Here in the Netherlands they somehow have convinced local governments (like cities & provinces) that working with them is still GDPR compliant, even though they should only work with EU-based companies to store data. But other companies like DigitalOcean, AWS and Google Cloud (especially Google is evil) are not GDPR compliant.
As a dev learning web development when IE was still a thing, I still have horrible experiences with them.
100% pure regression with account management.
About 10 years ago I created an Azure account with my normal email and my US address. I did some stuff but never had a reason to use Azure in a situation where I’d pay for resources. Some years later I wanted to check out Azure for a small project. I go to log in and it tells me I need to add billing or something. I enter my credit card info and get to the address section. My zip code won’t validate. That’s odd. It’s saying it wants numbers and letters. Wait why does it think I’m in Canada? I’m in California. CA? Hmm. Anyway should be easy let me fix the Country. Oh it’s greyed out. YOU CAN’T CHANGE THE COUNTRY?!
Surely this must be a bug. File a support request. Nope, can’t change country. Escalate and explain that I can’t add a credit card because I am not a CA resident and don’t have a Canadian payment method. They tell me they can’t change it for tax reasons. But they never took my money because I can’t pay them… I go on to tell them I never even selected Canada; there must be some UI bug from when they first rolled out the new account format. They said there’s a known issue where this can happen. I ask them to fix it. They can’t because taxes. They tell me I have to create a new email if I want to use Azure. I won’t do that because I have virtue.
I try two more times over the course of 6 or so years. Both times I’m escalated to someone who thinks they can fix the problem for me. I think at one point there was a technical work order put in to delete my Azure account so I could try again. But somehow it always gets thwarted.
So what happened? I’ve been able to piece together that Azure transitioned to a new account model between when I first created my account and when I tried again the first time. The old model was independent of your MS account. The new one, not so much. Somehow Azure migrated my legacy account with a US address and morphed it into an account with a Canadian country set. This Canadian account is intimately linked to my normal MS Live account, which has a US address and payment info nonetheless. An early version of the Azure account migration UI locked in your country before verifying your payment/address. For “tax reasons” you can’t change it, but it’s totally fine that my US Live account has a Canadian Azure account and that, if I was able to do things as MS wants, I’d be paying for MS apps and services with a US card and Azure resources with a Canadian one. Because that’s better for taxes?!
So to this day I can’t use Azure because I’m not willing to change my live account login email address, my main email address, to something else just to work around MS’s bullshit. Because yes, now it’s all the same and your azure account is your live account.
That’s a known issue and we have a simple workaround: just kindly make a new email address…
The school did not "take over" his MS account. At some point (likely amidst a mountain of other onboarding tasks for his daughter's enrollment) he would have received an invitation to join the school's Azure AD tenant as a guest/external user. In this case, he chose to join using his Microsoft account, rather than create a new email-based guest account.
"Leaving" the school's org only breaks one side of the federation, and the guest account and its association to the school's Azure tenant still remain.
To resolve this, he'll need to contact the school and have them delete the account. Meanwhile, it probably would have been better to create the app beneath an Azure AD tenant belonging to the non-profit org in the first place.
He explicitly claims he didn’t, by the way.
Speculation.
And even if he received such a mail, were the consequences made obvious to the user?
People learn how to navigate a shit system and then become complacent with it, blaming the less experienced for their "errors", when the system itself is wrong for being shitty.
This is just a convoluted way of me saying: don't blame the user.
Anything that gains such traction gets fixed eventually, but I want them to fix the root cause, not just this instance of it.
1. My son's school MS account took over his private account, only because he linked the two accounts.
2. Suddenly my son's Windows said it was un-authorized.
3. We called Microsoft, they could not fix it.
4. We called the manufacturer of the machine (they shipped Windows as OEM). They could not fix it.
5. Called MS again. They gave us a new activation code. Did not fix it.
6. Called MS again, this time they said to reinstall Windows (This is not a joke).
7. Upon re-installing, Windows would not activate. No error message, no nothing it would just hang in the activation loop.
8. Called MS. They had no clue. Claimed H/W issues.
9. Called manufacturer again. Also claimed H/W issues. I said that I can access the internet from the machine while it was hanging in activation, so network was not the problem.
10. Manufacturer sent someone out (I had bought warranty). He switched the SSD with a new version of Windows... They did exactly what I did. Same problem, would not activate.
11. Some back and forth with MS and the manufacturer involving many reboots and (I kid you not) turning off all wireless routers... MS still would not activate. Manufacturer (and MS) did not believe me. So they sent someone again. Did the same thing, again. Did not work.
12. Manufacturer said I needed to send in the machine. So I did. I included a note about what the problem was and to please not just re-install Windows, because the activation was the problem.
13. Got the machine back... They had just re-installed Windows. Would not activate.
14. Started to get upset. After some pressing manufacturer agreed to send a new machine.
15. First they sent someone out again. Did the same thing again. Forced me, again, to turn all wireless routers off, so that (he claimed) Windows would activate without network. Again... Did not work. Activation just hung.
16. Eight weeks into this we ended up getting a new machine (yes, not kidding) from the manufacturer and now the same version of Windows (from the same memory stick) on the same hardware, same drivers, all the same, would happily register.
I cannot even begin to express how annoying and useless this was. And MS and manufacturer were helpless and useless.
Personally I stopped using Windows over 2 decades ago - only using Linux, but my son wanted a gaming machine, and so I relented. :)
It might not work for some of the multiplayer games that youngins play although it might work.
Microsoft bought Github in 2018. We'll see what happens in 2025...
Is it possible to convert that to a local login?
Take comfort that some things never change!