@Vladimír Mach No new MSAs; however, there's no good story for the existing MSAs which got created in the past. This leads to customer confusion and loss of data.
I recently had a scenario where the customer got locked out of their device due to BitLocker, and didn't realize they needed to check their MSA for the recovery key because they understandably thought they would have only a single "Microsoft" account with a given UPN, and checking Azure AD for the recovery key was the only place to look. They ended up reformatting the device, losing data, only to learn after the fact that the recovery key was available in their MSA. This was preventable, if only we had a good option to get customers to rename their MSAs with a UPN in our domain.
I understand that Microsoft no longer has the "eviction" option which it provided ~8 years ago for this scenario, due to legal reasons. However, I can imagine other engineering approaches which would be similar but not run afoul of the legal issues. Why not allow an organization to trigger a one-time notice at next sign-in which informs owners of MSAs with a UPN in their domain that there are significant risks due to confusion and they should strongly consider renaming their account, along with an easy process to do that? In that solution, the owner of the MSA has a choice, but they are presented with a strong recommendation which is clearly from a trusted source embedded in the sign-in process.
Brian Arkills
University of Washington