Feb 20 2021 09:49 AM
Hi,
We are able to sign up for the Microsoft Tech Community using a personal Microsoft Account or a Microsoft tenant account, like Microsoft 365, Azure and so on. The issue is when you log in with a tenant account and for any reason, like changing your company, you lose access to your Microsoft tenant account. However, when you sign up with a Microsoft Account, you could always keep that account, and you may add a tenant account and remove it later, for example when you change tenant.
Personally, I believe it is recommended to sign up for the Microsoft Tech Community with a Microsoft Account, so you could keep your account forever.
What do you think?
Feb 20 2021 03:07 PM
@Reza_Ameri you are correct, don't use your work account to join communities like this.
Feb 21 2021 05:17 AM - edited Feb 21 2021 05:18 AM
I think it's better to use a personal account if the things you want to talk about are personal, but work accounts can be set up too for organizations if the person is acting on behalf of a company.
So it's not like never use a work account; it all depends on the situation.
Feb 21 2021 08:15 AM - edited Feb 21 2021 08:16 AM
Thank you for sharing your thoughts on this.
Here is the situation I observed: when you sign in with the work account, you are unable to switch to an MSA or personal account, and when you leave the company or move to another company, practically you lose your account.
However, in case you sign up with a personal account or MSA, when you join a company you could still add the tenant account and use it. Then once you have left the company, you could just remove that account.
Feb 21 2021 08:18 AM
Agreed, I believe the team needs to change the design, like asking users to sign up with a Microsoft Account and add their personal account later on. It is common for people to join and leave companies and therefore their Azure AD will change; imagine they had participations in the forum and they have to start from scratch.
Feb 21 2021 08:30 AM
Feb 22 2021 08:55 AM
One issue I noticed is, say, someone is working at a company which is part of a Microsoft tenant and then joins another company with another Microsoft tenant or no Microsoft tenant; in this case, doing so would cause losing the account. Consider the case where the user wants to continue participating in this forum; in this case, they have to start from scratch.
Feb 22 2021 11:55 AM
Feb 23 2021 08:04 AM
True, however here is the case:
Let's say I sign up with a Microsoft Account and start participating in this forum. Then I join a company and in that case I am able to add the Microsoft tenant account and access other resources. Then when I leave the company or join another company, I will lose access to my Microsoft tenant, but since I still have access to the Microsoft Account, I won't lose access to this network and I only lose access to some private resources here.
However, in case I sign up with a tenant account, there is no possibility to add a Microsoft Account, and once you lose the tenant, you will lose your access to the Microsoft Technical Community.
My proposed design is having the ability to add a Microsoft Account to the tenant. Let's say, consider a Microsoft employee (the example you mentioned) who will leave Microsoft and lose access to the tenant. In this case, if they could add a Microsoft Account as an additional account to their tenant, then once they left Microsoft, the Microsoft tenant would be expired and therefore access to private resources here would be revoked, but since they have a personal account, they would be able to continue using this website (while they lost access to private resources associated with the Microsoft account) and in this case, they won't lose access to their contributions and badges in this community.
This looks like role-based access control.
I am wondering what you think about this?
The problem here is when you have a Microsoft tenant you couldn't switch to a Microsoft Account, but when you have a Microsoft Account, you could add a Microsoft tenant and then remove it.
Feb 23 2021 08:08 AM
Feb 23 2021 08:13 AM
Thank you for the clarification and I got your point.
So I am wondering about the other part: let's say someone logs in with a tenant account and is leaving the company but wants to keep using the Microsoft Technical Community. I agree with the point that leaving the company means removing the account, but how about a user who wants to continue using the Microsoft Technical Community:
1) Create a new account and start again
2) Add Microsoft Account and remove tenant account
Other websites support this behavior, so you could add multiple accounts and log in with both, and once you lose access to one, you could delete it but your access to the account remains.
Thank you for contributing to this discussion, I appreciate it.
Feb 23 2021 08:25 AM
Feb 23 2021 08:33 AM
Not sure, it depends.
Let's say a user signs up with the company account and also adds the personal account; then, like you said, the user has been blocked from removing the tenant account. However, once the user has left the company, the admin will remove the account, but the user would be able to access the account using the secondary email; however, access to the company's resources will be removed (e.g. badge, private forum and so on).
I have seen this behavior in other websites.
I believe I need to check this with the Microsoft Tech Community and see how their architecture works.
Feb 23 2021 12:28 PM
Feb 24 2021 08:15 AM
Thank you,
The architecture I have in mind is a bit complex and I also need to do some research on that.
I have a model to explain it but I need to review more and I have to ask around.
I will update this post once I am done.
Mar 02 2021 10:25 AM
@HotCakeX @Reza_Ameri @Dean_Gross
Thank you all for the robust discussion. I think you're all talking about the correct issues; let me take a moment to explain why things are the way they are (without making an argument for them continuing to be that way).
The Microsoft Tech Community grew out of the old Office 365 Network Yammer group; back then we focused exclusively on products that were in the Office 365 product group and on products aimed entirely at enterprise. Indeed, even today I work for the Office Marketing team.
When you're focused on enterprise you quickly learn that some employers want you to conduct business, i.e. speak to partners and stakeholders, on accounts that they own (indeed some employers have it in their terms of employment that you must). This means if you are given access to a special area through your work or sent documentation that might be privileged or confidential and then leave the company, you will lose access to this information / data. This is why we support login via Azure Active Directory.
So, all that said, why can you not take your account with you? Well, it's because the account, created via AAD and your employer, doesn't actually belong to you, and we can't give you access to it because it does not belong to us either. In data protection speak we are merely the 'data processors'(1); if we migrated that data to your personal account we could be seen as stealing data from your former company.
So why support it? Simply put, we want to ensure that people can engage on the Microsoft Tech Community via their work account if they have to and their personal account if they want to. In this way those that have to use work accounts can, while those who wish to use personal accounts can do so as well. We have, in recent months, considered whether we need to enable login with social media / GitHub, but the jury is still out on that one.
Could we do hybrid login, whereby a user can connect an AAD account and a personal account? Possibly, but this becomes very complex, i.e. we would need to find a way to sanitize this hybrid account of anything that belonged or could be seen to belong to the employer. This could include private messages, subscriptions and even posts. Needless to say, all this would require infrastructure for those companies to notify us, manually or via AAD signals, of users leaving so that the appropriate updates could be made, and then some sort of review done to make sure all appropriate data was removed. Also, what happens if we remove something that you think belongs to you but your employer feels belongs to them? In my mind a hybrid account is a veritable minefield of complexity, the overhead for which probably means it isn't worth what would be left of the account afterwards.
Today if you leave a company you only lose access to the account purely because you can no longer log in with it; assuming you or someone authorized by your company does not come and manually close the account, the account itself still exists in our system.
I am not sure what the 'solution' needs to be for this, but I hope from my intervention today you have gained some understanding of why it's the way it is.
Happy to continue to engage with this discussion as I do understand the frustration users have when this happens to them.
Allen
Mar 02 2021 11:58 AM
Thanks for the thorough explanation,
I totally understood this and the reason why it is how it is.
Employees, students of a university, college etc. all know that the account they receive is only for the duration of their job, education etc.
It's not permanent; it's not their personal account.
If they want to use something that they wish to keep even after that contract, course or job is finished, they should use their personal Microsoft account.
Microsoft Tech Community is only one of them; there are many more.
Mar 03 2021 08:04 AM
I would like to thank you for your comprehensive and valuable explanation.
There is an option to manage multiple accounts in some platforms like LinkedIn. For example, someone signs up with the company's account and then they could just add their own personal account and remove the company's one while keeping their actual LinkedIn account.
I am wondering, do we consider this forum a public forum for everyone?
For example, consider someone who is working in a company and has his/her own Yammer in the company; once they have left the company the user will lose access to the Yammer and in the new company should create a new one. However, for a public forum, I believe the user is the owner of the account.
A policy should be set like: if domain == Microsoft, then grant some rules like access to private forums, and once the user is no longer in Microsoft, meaning the domain has expired, then these accesses will be revoked, but the user would be able to participate in public forums with the same account.
I got the idea and I will think more about it and try to share a solution, and hope to continue the discussion. Maybe we could come up with some design to resolve this issue 🙂
Mar 03 2021 09:23 AM
Happy to explore it, but in our current setup it just wouldn't work. Each account is connected to the creating credentials via an SSO ID which we receive from the OAuth authentication endpoint. Each account can only have one SSO ID, which means you wouldn't be able to use more than one account to log in unless that login occurred at the authentication provider stage, i.e. in the Microsoft Login backend systems.
This leaves one of three options:
1) We overhaul the login experience for the community to allow the storage of more than one SSO ID
2) We overhaul the Microsoft Login backend system to allow user to connect their personal and work accounts together
3) We detach the community login from Microsoft Authentication entirely and allow users to create non-SSO accounts which they can then use to connect their respective Microsoft accounts.
1) is problematic as it would require you to log in to two accounts at the one time, which is problematic, as anyone who has ever tried to use an AAD account and a Microsoft account at the same time in the same browser can attest.
2) I think is unlikely because literally no other Microsoft product is asking for this.
3) I suspect would be an undesirable experience for end users as they now have up to 3 accounts to maintain.
And none of these three options would ultimately address the issue of how we remove PMs that belong to the company and/or subscriptions to content that was only possible as an employee of that company, especially since none of these are connected by a role or permission on the backend that's bound by a domain.
I genuinely love the exchange of ideas; I just do not see a way at the moment to resolve what you're trying to resolve - if I did, we would clearly have resolved it by now.
Allen
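As an added illustration (not code from this thread, from Microsoft Tech Community or from any of its participants): a toy Python model of the domain-bound policy Reza sketched ("if domain == Microsoft, grant private-forum access; revoke it when the domain expires") and of the offboarding question Allen raises about employer-owned PMs and subscriptions. All class names, domains and SSO IDs are hypothetical or constructed; it generalises slightly by letting one account hold several identities, which is exactly the linking the current one-SSO-ID-per-account design does not support.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    kind: str      # "msa" (personal) or "aad" (work/school tenant)
    sso_id: str    # opaque subject id from the OAuth provider (constructed value)
    domain: str    # verified domain of the issuer, e.g. "contoso.example"

# Hypothetical domain-bound policy: which private areas a tenant domain grants.
PRIVATE_AREAS_BY_DOMAIN = {"contoso.example": {"contoso-private-forum", "contoso-pm"}}

@dataclass
class Account:
    handle: str
    identities: dict = field(default_factory=dict)  # sso_id -> Identity (several allowed)
    posts: list = field(default_factory=list)       # (area, text); area is "public" or private
    badges: set = field(default_factory=set)

    def link(self, ident):
        if ident.sso_id in self.identities:
            raise ValueError("identity already linked")
        self.identities[ident.sso_id] = ident

    def can_login(self, sso_id):
        return sso_id in self.identities

    def private_areas(self):
        """Entitlements are derived, never stored: only currently linked tenants count."""
        areas = set()
        for i in self.identities.values():
            if i.kind == "aad":
                areas |= PRIVATE_AREAS_BY_DOMAIN.get(i.domain, set())
        return areas

    def post(self, area, text):
        if area != "public" and area not in self.private_areas():
            raise PermissionError(f"no entitlement for {area}")
        self.posts.append((area, text))

def offboard(acct, domain):
    """Handle a 'user left <domain>' signal: drop that tenant's identities, purge
    content in the domain's private areas (employer data), keep public history
    and badges. Returns whether the account is still reachable afterwards."""
    acct.identities = {s: i for s, i in acct.identities.items()
                       if not (i.kind == "aad" and i.domain == domain)}
    lost = PRIVATE_AREAS_BY_DOMAIN.get(domain, set())
    acct.posts = [p for p in acct.posts if p[0] not in lost]
    return bool(acct.identities)   # False = orphaned, like today's single-SSO case
```

An account that only ever linked a tenant identity ends up unreachable but still existing after offboarding, which matches the behaviour Allen describes; one that also linked a personal identity keeps its public posts and badges while the tenant's private areas are revoked and purged.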