This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.
Microsoft provides three main Identity services - Active Directory, Azure Active Directory and Microsoft Accounts. In this article, we'll explore the differences between Azure Active Directory and Microsoft Accounts.
Interested in the difference between Active Directory and Azure Active Directory? Check out this article I wrote for A Cloud Guru.
What is a Microsoft Account?
A Microsoft Account is the modern name given to the Identity system that provides authentication and authorization to Microsoft's consumer services. It's had other former names, like Microsoft Passport or a Microsoft Live Account and is sometimes referred to as a personal account. A Microsoft Account can be used to sign in to Outlook.com, Office subscriptions, Skype, OneDrive, XBox Live, Bing, the Microsoft Store, Windows and MSN:
Here are some common scenarios:
A Microsoft Account can be created with a new email address and mailbox at Outlook.com. You can even choose Hotmail.com as a valid domain name for this service.
A Microsoft Account can be created when you sign into a new Windows 10 computer for the first time.
A Microsoft Account can be used to sign into Microsoft 365 home plans such as Microsoft 365 Personal, for access to Office applications, including the consumer version of OneDrive.
With a Microsoft Account, Microsoft controls and manages all of the configuration and settings of the Identity platform. It's designed to scale to a broad base of consumer users across the globe, all in the one system. So, you will have a conflict if you try and create a Microsoft Account with a username that has already been taken.
You don't need to create a new email account or use the outlook.com or hotmail.com domains for your new Microsoft Account. In fact, you can even use a Gmail address to register for a Microsoft Account:
You used to be able to create a Microsoft Account using the same email address as your work or school account, but Microsoft have now blocked this to stop confusion between the two different identity services. There is no organizational-level management of user accounts for creating and viewing users, resetting passwords etc.
What is a work or school account with Azure Active Directory?
A work or school account is created by an organization using a business service that has Azure Active Directory as the authentication and authorization platform. This includes business plans for Microsoft 365 including Outlook Web Access and OneDrive for Business, Microsoft Intune and Windows 10 devices that are connected to your organization's Azure Active Directory domain, as well as Microsoft Azure resources.
With Azure Active Directory, Microsoft provides the identity platform as a service but you can modify some of the configuration and settings, such as adding your own custom domain name (to get @yourorg.com) or requiring multi-factor authentication. Your Azure Active Directory instance is available via the Azure Portal and other management tools like PowerShell, the Azure CLI and the REST API. And you can also monitor and investigate advanced security events with integration into tools like Azure Sentinel.
The sign-in experience
Previously, the Microsoft sign-in interface would get you to choose personal account or a work or school account before entering your details. Now the sign-in screen detects the account type for you, presenting you with an agnostic sign-in window:
If you visit Outlook.com and sign in with your work account that has an Exchange Online mailbox via Microsoft 365, you'll automatically be redirected to the outlook.office365.com mailbox.
And if you try to sign into a business service that needs a work or school account (like portal.office.com), you'll receive an error:
Lets look at some difference scenarios that might involve these two services together.
There is no synchronization of user account information between Microsoft Accounts and Azure Active Directory, like you can achieve with Active Directory and Azure Active Directory. This is due to the separation of that consumer versus business identity platform.
Even though you can't synchronize Microsoft accounts into your Azure AD (or vice versa), you can invite someone as a guest user into Azure with their Microsoft Account email address. They'll appear in your directory with Microsoft Account listed at the source and you won't be able to perform any user administration on their account such as renaming them or resetting their password. This is useful though for inviting external people to collaborate and is the method behind the scenes if someone's Microsoft Account is invited to be a guest in Microsoft 365 services like Teams.
Azure AD B2C
In addition, Microsoft provides a service called Azure Active Directory B2C which DOES support using Microsoft Accounts as an authentication source for access to your applications, as well as other consumer identity directories like Facebook, Twitter, Google, Amazon and OIDC compliant business and government identity providers. For more information, visit What is Azure Active Directory B2C?
Azure service errors
I've recently become aware of errors like this example, accessing Azure Key Vault with Visual Studio, that may indicate a conflict between a Microsoft Account and an Azure Active Directory account: "Azure Key Vault is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request." It is possible to create a new Azure tenancy and have a Microsoft Account as the login.
In fact, that's a common process when you set up Azure for the first time:
From Azure, create a Free or Pay as you Go account using your Outlook.com email address (such as email@example.com).
This creates an Azure subscription with a new Azure Active Directory and your account as the first user. Note it takes your email address to form the new directory's default domain name (personal0321outlook.onmicrosoft.com) and you can add a custom domain name next.
Note the Source is listed as Microsoft Account.
In this case, it's recommended that you create a new user in Azure Active Directory and grant them the Owner role to the subscription, and use that identity to authenticate with. In this example, I've also made them a Global Administrator for Azure Active Directory. For more information visit Add or change Azure subscription administrators.