If you’re using Microsoft’s online services, you might reasonably expect to authenticate against some form of directory service. And, if you have your own directory service (like Active Directory), you might reasonably expect to be able to synchronise it with your cloud identity to provide a holistic view to end users. Unfortunately, whilst both of these things are possible, the end result can be really confusing and I’ve just had to explain it for one of my customers.
You see, a “Microsoft account” is not what you use to log on to Office 365 (or Intune, Azure, etc.) – for that you need an “Organizational account” (which is held in Microsoft Azure Active Directory) – although you might have logged on to your Windows PC, phone or tablet with a Microsoft account.
Still with me? No! Well, let me quote from an MSDN article:
“Q. What is the difference between “Organizational account” and “Microsoft account”?
Organizational account is an account created by an organization’s administrator to enable a member of the organization access to all Microsoft cloud services such as Microsoft Azure, Windows Intune or Office 365. An Organizational account can take the form of a user’s organizational email address, such as firstname.lastname@example.org, when an organization federates or synchronizes its Active Directory accounts with Azure Active Directory. […]
Microsoft account, created by user for personal use, is the new name for what used to be called “Windows Live ID”. The Microsoft account is the combination of an email address and a password that a user uses to sign in to all consumer-oriented Microsoft products and cloud services such as Outlook (Hotmail), Messenger, OneDrive, MSN, Windows Phone or Xbox LIVE. If a user uses an email address and password to sign in to these or other services, then the user already has a Microsoft account—but the user can also sign up for a new one at any time.”
Right. Hopefully that’s a bit clearer? Unfortunately the whole thing gets really messy when you have multiple browser tabs connected to different services and I often find I have different browsers (or InPrivate/Incognito browser sessions) running in parallel to access services. One approach, although probably not recommended, is to manually synchronise the passwords between a Microsoft account and an Organizational account that have the same email address to give the illusion of single sign-on.
Maybe one day all of the consumer services will move to Azure Active Directory and we can just have a single identity. Probably not though… that’s what Microsoft Passport (Windows Live ID’s predecessor) was trying to do back in 2001 and it felt a bit “big brother” to some people (although today we seem quite happy to have Google and Facebook act as identity providers for multiple services).