Microsoft Rolling Out New Process To Address Account Overlap Confusion
Microsoft today initiated a blocking process to address potential "account overlap" issues when end users sign up to access Microsoft services.
These problems can arise when personal and work accounts get mixed up, which can happen for various reasons. Microsoft currently has two account authentication services. Accounts for personal use are set up as "Microsoft accounts" (formerly known as "Live ID" accounts). Work accounts, by contrast, are known as "Azure Active Directory accounts." Microsoft is currently working on unifying these two account authentication services, but it's been a work in progress so far.
In the meantime, Microsoft will start blocking accounts with overlap issues. Starting today, users will get a new dialog box message when they try to sign up for a new Microsoft account using a work or school e-mail address with a domain that's already been set up in Azure AD. The dialog box gives the end user the following message:
"You can't sign up here with a work or school email address. Use a personal email, such as Gmail or Yahoo!, or get a new Outlook email."
This new "sign-up block" approach has been in effect as a limited preview for a while, but it's "now active for all domain names that are configured (DNS-verified) in Azure AD," Microsoft indicated in an announcement. The block process only affects new account creations, though.
Since Microsoft hasn't moved all of its services over to the new approach, the blocking process might not happen for "a small number of Microsoft business services that don't support Azure AD," Microsoft explained.
The account overlap issue can be a problem because some end users may use a company's domain to sign up for various services. Later, they can get confused and try to use a personal account to sign into business services. Microsoft's example is that end users might try to "save a business document to their OneDrive" storage, when using a personal account. It can be especially problematic when end users have used "the same email address" for a Microsoft account and an Azure AD account, although Microsoft is potentially addressing the confusion with the new sign-up blocking behavior.
With regard to creating personal Microsoft accounts, Microsoft offered the following tips for IT pros:
- If you're an IT pro, do not bulk create personal Microsoft accounts for your employees.
- If you're an IT pro, don't ask your employees to create personal Microsoft accounts with their work email address.
Creating bulk personal Microsoft accounts can lead to "hard usability and security problems," Microsoft's announcement warned. Instead, organizations should use the self-service account sign-up model that's "built into Windows 10 using Azure AD."
On the second point, the practice of asking end users to create personal Microsoft accounts can just lead to "confusion about who owns the associated content and resources," Microsoft cautioned.
Microsoft has already been bringing its new "converged identity service" model to developers. They can currently target an "Azure AD v2 authentication endpoint" that Microsoft rolled out in February, which will help address these account overlap issues.
Developers probably should "support both personal and work accounts from Microsoft" with their code, Microsoft advised. The details on how to do that are described in this Microsoft blog post.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.