If you’re using Microsoft’s online services, you might reasonably expect to authenticate against some form of directory service. And, if you have your own directory service (like Active Directory), you might reasonably expect to be able to synchronise it with your cloud identity to provide a holistic view to end users. Unfortunately, whilst both of these things are possible, the end result can be really confusing and I’ve just had to explain it to one of my customers.
You see, a “Microsoft account” is not what you use to log on to Office 365 (or Intune, Azure, etc.) – for that you need an “Organizational account” (which is held in Microsoft Azure Active Directory) – although you might have logged on to your Windows PC, phone or tablet with a Microsoft account.
Still with me? No! Well, let me quote from an MSDN article:
“Q. What is the difference between “Organizational account” and “Microsoft account”?
Organizational account is an account created by an organization’s administrator to enable a member of the organization access to all Microsoft cloud services such as Microsoft Azure, Windows Intune or Office 365. An Organizational account can take the form of a user’s organizational email address, such as username@orgname.com, when an organization federates or synchronizes its Active Directory accounts with Azure Active Directory. […]
Microsoft account, created by user for personal use, is the new name for what used to be called “Windows Live ID”. The Microsoft account is the combination of an email address and a password that a user uses to sign in to all consumer-oriented Microsoft products and cloud services such as Outlook (Hotmail), Messenger, OneDrive, MSN, Windows Phone or Xbox LIVE. If a user uses an email address and password to sign in to these or other services, then the user already has a Microsoft account—but the user can also sign up for a new one at any time.”
Right. Hopefully that’s a bit clearer. Unfortunately, the whole thing gets really messy when you have multiple browser tabs connected to different services under different accounts, and I often find myself running different browsers (or InPrivate/Incognito sessions) in parallel to access them. One approach, although not one I’d recommend, is to manually keep the passwords the same for a Microsoft account and an Organizational account that share an email address, which gives the illusion of single sign-on.
Maybe one day all of the consumer services will move to Azure Active Directory and we can just have a single identity. Probably not though… that’s what Microsoft Passport (Windows Live ID’s predecessor) was trying to do back in 2001 and it felt a bit “big brother” to some people (although today we seem quite happy to have Google and Facebook act as identity providers for multiple services).
Post Script
Since I wrote this post, “organizational accounts” have become known as “work or school accounts”, which I guess makes things a little clearer, even if the phrase is a touch unwieldy!
I’ve noticed a change of language recently – Microsoft now seem to refer to “organizational accounts” as “work or school accounts”.
I think they’ve created a mess here that they will never be able to clean up.
A mess indeed. I find MS’ terminology is becoming more and more vague, not to say patronising, as they continue to think that they know the context of EVERY single user everywhere. There was a time when an important technical term could be traced to a definition, e.g. “domain user”, but now we have (for now) “work and school” – what about the self-employed, those who study or work at a university, etc., etc. – the term is far too narrow, and tells you almost nothing about its actual meaning. What about a “personal work account” – a reasonable expression, but one which seems totally at odds with MS terms. Similarly, this new action to “refresh” Windows, which will leave “your documents” intact. Yeah right – so any document I created, copied, edited, anywhere, will remain there? – by what magic does that work? I once tried to find out what “refresh” actually meant, or what “your documents/files” really meant, and drew a blank. So now we have a Windows action that is not even properly defined. And so on….