Blog Post

Microsoft Entra Blog

6 MIN READ

Cleaning up the #AzureAD and Microsoft account overlap

Microsoft

Sep 07, 2018

First published on CloudBlogs on Sep, 15 2016
Howdy folks, We receive pretty regular feedback about how the split between our cloud identity systems — work/school accounts in Azure Active Directory and personally owned Microsoft accounts (formerly known as "Live ID" accounts) - can make for some pretty confusing user experiences. In particular, we know many of you have pretty strong feelings about this one particular screen:

Some of the recurring feedback we're hearing:

Developers want to know how to build apps that support both account types.
IT Pro want to know if it's ok to ask employees to create Microsoft accounts using their work email addresses or to bulk provision accounts for them.
Users and employees want to know why they have two accounts with the same email address?

All of these issues are the result of Microsoft having two giant cloud scale identity systems built by different parts of the company. Luckily we've combined those teams and together we are hard at work address these issues. Releasing our new combined Microsoft Authenticator apps for iOS and Android back in August was the first major deliverable from those efforts. This post shares the details of the next set of work we've done to address this confusion. It's written by Ariel Gordon, the PM in my team who's driving the work to converge sign-in/sign-up experiences between our two identity systems. As always, we would love to receive any feedback or suggestions you have! Best regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division ----------- Hi everyone, If you follow this blog you know we're doing a lot of work behind the scenes to build a converged identity service that will bring together Azure AD and Microsoft account. It's a complex area and lots of work remains to be done. Today I'd like to tell you about some of the steps we've taken this week to address the overlap between our consumer and enterprise identity systems.

What do we mean by overlap?

Many users have two or more accounts with Microsoft. A personally-owned Microsoft account (formerly known as Live ID) used to access Skype, Office or OneDrive; and an organizational account (in Azure AD) used to access business services such as Office 365 or Power BI. We know from our telemetry data that just over 4M people have a personal Microsoft account with a work/school email address as a username. Why? Our research shows four main drivers:

Some users prefer to use their work email to sign up for everything, out of convenience. This could be Microsoft apps or services, Amazon, eBay, etc.
A handful of Microsoft business services, like MSDN, don't support Azure AD yet and require the use of personal Microsoft accounts
IT departments are asking employees to create personal Microsoft accounts with their work email addresses, or in some rare cases bulk-create these accounts for the employees.
Some students were given a personal Microsoft account when their school switched from the old live@edu program to Office 365.

And when these users' organization has an Azure AD tenant, they may have two Microsoft identities with the same email address.

Why this is bad

Whatever the cause, having a personal Microsoft account with a work address as a username is fraught with issues for end-users and IT departments alike. For example:

Users might think that their personal Microsoft account is business-compliant and that they're in compliance when they save business document to their OneDrive
Users who leave an organization generally lose access to their work email address. When they do, they may not be able to back into their personal Microsoft account if they forget their password. The flip side is that their IT department could reset their password and get into the personal account of former employees.
IT departments have a false sense of account ownership and security. But users only need to roundtrip a code to their work email address once, and can rename their account at any time in the future.

The situation is particularly confusing for users who have two accounts with the same email address (one in Azure AD & one Microsoft account). For example, they are often confronted with this message:

Based on these learnings we've decided to make an important change to how Microsoft account are created.

Blocking Microsoft account sign-up with work email address

Starting today, we're blocking the ability to create a new personal Microsoft account using a work/school email address, when the email domain is configured in Azure AD. What does this mean? If your organization uses Office 365 or other business services from Microsoft that rely on Azure AD, and if you've added a domain name to your Azure AD tenant, users will no longer be able to create a new personal Microsoft account using an email address in your domain. This sign-up block has been running in limited Preview for a hand full of organizations and is now active for all domains names that are configured (DNS-verified) in Azure AD. No action is necessary to enable the block.

What does experience look like?

If you try to sign up for a Microsoft consumer app with a work or school email address, you'll see the message below.

However, if you try to sign up for a Microsoft app that supports personal and work/school accounts , you should see the message below:

To reiterate, this logic will only trigger for an email address in a domain that's registered in an Azure AD tenant. If you don't get one of the error messages above, it means that the app you're signing up for or the domain name of your email are part of an exception list.

Short term exceptions

Unfortunately, there's still a small number of Microsoft business services that don't support Azure AD. The good news is that we're making good progress. For example, Windows Dev Center finished their integration last winter and now supports both personal Microsoft accounts and Azure AD accounts. We're working with other teams such as MSDN and Brand Central to help them add support for Azure AD. Based on feedback we received during the preview, we will not block the ability to use a work email address to sign up for these business services. This is a short-term compromise that's consistent with our main goal of preventing accidental use of work/school email address to sign up for personal Microsoft account.

What about existing accounts?

The sign-up block described here only prevents the creation of new accounts. It has no impact on users who already have a Microsoft account with a work email address. If you are already in this situation, we've made making it easier to rename a personal Microsoft account. This support article provides simple step-by-step guidance. Renaming your personal Microsoft account means changing the username, and does not impact your work email or how you sign in to business services such as Office 365. It also doesn't impact your personal stuff—it just changes the way you sign in to it. You can use another (personal) email address, get a new @outlook.com email address from Microsoft, or use your phone number as a new username. Note: if your IT department asked you to create a personal Microsoft account with your work/school email, for example to access Microsoft business services like Premier Support, then talk to your admin team before renaming your account.

Conclusion and recommendations

These changes are part of bigger investments we're making to converge our identity systems. We'll share more details later this year. If you're an IT pro , do not bulk create personal Microsoft accounts for your employees. We've helped many customers through hard usability and security problems because they had done this. If you're configuring Windows devices for your employees, you should take advantage of the self-service set up and automatic MDM enrollment we've built into Windows 10 using Azure AD. If you're an IT pro , don't ask your employees to create personal Microsoft accounts with their work email address. It creates confusion about who owns the associated content and resources. We understand that there are still a few Microsoft services that require creating personal accounts with a work email address, and as mentioned above we're working hard to address this and have short-term exceptions in place. If you're an end user who has created a personal Microsoft account using your work email at of convenience, please consider renaming your account . If you're an app developer , you should probably support both personal and work accounts from Microsoft. Check out this post to learn more about the work we're going to converge our identity stack s. As always, keep the feedback coming and let us know about other issues and scenarios you'd like us to address. Thanks Ariel Gordon (Twitter: @askariel ) Principal Program Manager Microsoft Identity Division

Updated Jul 24, 2020

Version 5.0

Product Announcements

Alex_Simons

Microsoft

Joined May 01, 2017

View Profile

Microsoft Entra Blog

Stay informed on how to secure access for employees, customers, and non-human identities, from anywhere, to multicloud and on-premises resources, with comprehensive identity and network access solutions powered by AI.

37 Comments

MikeLabatt
Brass Contributor
Dec 20, 2024
After eight years of "clean up", this duality is still a monumental fail. One example: as a Microsoft Partner, I am now required to sign up with a "work" account, however when I click the section in the partner portal to access my Windows apps, I have to log out and log in again with a "Microsoft" account (in the past, the same account would work with both). And now my apps won't verify because my email domain does not match the company domain. And I can't set a "personal" account to use the work domain because you blocked this ("Please try another.") De facto, both the Partner portal is broken (some linked pages not only say to log out and in again, but even recommend using private browsing to make things work...), and the Developer experience is similarly broken (there is no such warning when you access the partner portal page with the developer certificates for example, it just gives an error if you use the "wrong" type of account). Can it get any more absurd than this?
MattoNZ
Copper Contributor
Jun 11, 2024
I am trying to unravel this for some Staff / Students at our institute. I have detailed the problem here - https://answers.microsoft.com/en-us/msoffice/forum/all/onedrive-sso-personal-and-business-ms-accounts-on/db7a5a80-b53c-4a16-9882-cbe371714bf1

The problem is essentially, Students / Staff have the duplicate account (unknown to them) they insist they never set this up and we're trying todo the rename or just close the personal account shell so SSO in our Labs works and auto signs them into OneDrive and what not.

When you choose Personal account, type the password of your work or school account it seems to then acknowledge that and link that to the personal shell but now marks it as having 'security info' changed and you are blocked for 30 days from actually being able todo the rename part and seperate the accounts.

Is there some better way to solve this problem for our Staff / Students?

Thanks,
Matt
redflAg84
Copper Contributor
Mar 16, 2024
I remember i had some issues with this in the past, but it seemed to be resolved. Now recently i try to get into Azure DevOps and use ms learn. It seems some services associated with it like the devops demo generator. e.g. still point me to a "microsoft Account" Directory, which it should't as i use only my azure home directory for everything within Azure. This messes up some configuration steps in azuredevops, like mentioned azure demo generator or even pipeline creation when connection to github. this is a major pain in the **bleep** and only workaround so far is signing out and in on all azure services and hoping it associates to the right directory.
maybe someone has a better solution.
abhishek1496
Copper Contributor
Jan 11, 2024
Hello Everyone. My organization also has issues with inviting guest users now. Seems it is related to this article. We are inviting some guest users with different domain to our tenant but when they receive the invitation they always getting the error-"This username may be incorrect. Make sure you typed it correctly. Otherwise, contact your admin."
What could be the solution in this scenario as all the external collaboration settings from Microsoft Entra ID is correct and all domains are allowed.
Please let me know solution for it as slowly slowly this count is increasing.
LeadingEd1517
Copper Contributor
Apr 24, 2023
The whole Teams thing is confusing and frustrating. can't get into it using my own email because 'I don't have permission" need to talk to the IT guy. (me btw) etc. Then there's the personal vs work. Just try to remove your email address from an organization. Good luck.
RickDukane
Copper Contributor
Feb 19, 2023
there is no solution to this, they outright don't care.

Unless your specific problem is that you want move entirely to business for your domain, in which case they can..i believe disable the consumer microsoft account that exists on that email to fix your issue.

Want to have a custom domain on exchange? yeah.. you'll need an outlook.com email address completely separate to register your windows license to, you cant use if for Xbox or anything else considered "for public"... got a problem with this!? sure they'll bounce you round 12 departments who all claim you need to talk to a different one... support is fundamentally broken. After a year of trying to explain the issue and being told to go to user voice, I emailed Sayta Nadella, whoever moderates that email account forwarded me to a complaints exec... who .. essentially told me not to use their business service... so i moved off the platform that day.

Learnt the hard way to stay away from microsoft products... they used to be decent, it used to be that only in development circles you would find difficulties because it was always "follow the shiny thing". I don't know what went wrong, but now support is the same, they dont give you options, they decide the microsoft way to do it, and if you happen to have a common case that doesnt quite fit in their narrow solution you have to just find a workaround. dissapointing to say the least. fortunately they have nothing there isnt an alternative for now that Steam Deck exists.

an extermely bitter former user.
janelotwocent
Copper Contributor
Feb 19, 2023
omfg how can this not be solved. I decided to dive into 365 on all levels, I have set up Teams and Sharepoint Sites for my small business and I am certain my old hotmail account - which I used when I first set up this laptop -- before I set up the Microsoft business account -- is now the culprit for one huge hot mess. Neither I nor my IT guy can sort it. Microsoft owes me so many hours of my time and dollars spent with consultants trying to figure it out.

I feel "Microshafted" indeed.

Is there even a solution yet?

Jane
eug_k
Copper Contributor
Jun 01, 2022
JonasBack Thanks for the reply! They're not using the Windows 10 Home device for work, they want to use the laptop at home for personal home use. They use one email address for everything, and it's hosted on O365.

As a result they cannot use a Windows 11 Home computer.
Absolutely no domain or cloud features whatsoever are needed. A local account like what was possible on Windows 10 and every previous version before that is all that is needed.

Right now as a workaround I have to create a dummy MS account just to get past that requirement, then add a local account. It's an added hassle with Win 11 that's just not needed.

I suggest you look into providing your work users with a Microsoft 365 license that also adds a version of Windows 10 that enables them to sign into the device with their Work account if that is a requirement you have.
Is there a 365 licence that allows an O365 email address to sign in to a Windows 10/11 Home device? Or do I have to buy a Windows 10/11 Pro licence just so I can login to a laptop that has no need for any Pro features whatsoever?

The original behaviour where the user is asked if an email address is work/personal is a terrible user experience, but at least that would allow a user to use the same email address to login to a Windows 11 Home device.
JonasBack
Steel Contributor
Jun 01, 2022
eug_k to be honest, I don't even think this is on their roadmap. Their thought with Windows 10 Home is for Home (Personal) usage, not work. I suggest you look into providing your work users with a Microsoft 365 license that also adds a version of Windows 10 that enables them to sign into the device with their Work account if that is a requirement you have.
eug_k
Copper Contributor
May 31, 2022
It has been 6 years since the original publication of this article and this is still an issue. I cannot sign in to a new Windows 11 Home laptop with any email address that is hosted on O365.

Some staff members use their O365 email address for everything, they're unable to sign in to their own new personal laptops as Win 11 Home requires a Microsoft account, but they can't sign up for a Microsoft account because Microsoft can't get their act together after over half a decade.

It's really embarassing.