Microsoft Tackles Its Cloud Identity Account Overlap Problem

Microsoft is working to untangle user accounts that straddle both its consumer and corporate cloud services, helping administrators keep a tighter lid on corporate data.

Microsoft Cloud Identity Account

With one foot in the corporate world and another in the consumer realm, Microsoft has developed a problem. And its enterprise customers, by extension, are feeling the effects.

On one side are users that access their consumer services like Xbox Live with their Microsoft Accounts (formerly Live ID). On the other are corporate accounts managed by the company's cloud- based user identity management platform, Azure Active Directory (AD). On occasion, a corporate email address is associated with both, causing problems for security-conscious IT departments.

"Users might think that their personal Microsoft account is business-compliant and that they're in compliance when they save business documents to their OneDrive," Ariel Gordon, a Microsoft Identity principal program manager, wrote in a recent blog post, explaining why creating a personal Microsoft Account with work email is a bad idea.

Additionally, users that change jobs (losing access to their old work email addresses) can find themselves locked out of their personal accounts. Alternately, IT departments gain the ability to reset passwords on personal accounts, sparking privacy concerns.

To address this and other issues stemming from users who have both types of accounts linked to the same email address, the company is working to establish proper boundaries.

Gordon announced that going forward, Microsoft is no longer allowing work or school email addresses belonging to domains configured in Azure AD to create a new Microsoft account. In effect, businesses don't have to worry that their employees signed up for personal Skype or OneDrive accounts using the email addresses reserved for work purposes.

If users attempt to sign up for a personal Microsoft app with an Azure AD identity, they are greeted with an error message suggesting that they sign up with a Gmail, Yahoo or email instead. Some Microsoft apps support both personal and work accounts in which case the app will ask users to sign in with their existing credentials or another user name.

The change only affects newly created accounts. For existing personal Microsoft Accounts that are linked to work email addresses, the company has made it easier to rename accounts Gordon revealed. The process is outlined in this online support document.

"Renaming your personal Microsoft account means changing the username, and does not impact your work email or how you sign in to business services, such as Office 365," he wrote. "It also doesn't impact your personal stuff—it just changes the way you sign in to it. You can use another (personal) email address, get a new email address from Microsoft, or use your phone number as a new username."

Keeping users' private and work lives separate in Azure AD is the latest move by Microsoft to help improve how businesses manage and secure sensitive information. Last month, the company rolled out new device-based conditional access features, allowing administrators to restrict access to business applications and other network resources unless users' devices meet certain requirements.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...