How can we improve Azure Active Directory?

Merge office365 and live accounts that use the same email address

I use both Azure/MSDN and Office 365.
I already had an MSDN account mvdl@our-company.com (Windows Live account) and our company recently migrated to Office 365, which resulted in a mvdl@our-company.com Office365 account.

Which is causing a lot of grief when switching between Azure web portal / MSDN web portal / Office 365 web portal.

Even when I have no portals open, I can't switch accounts. I need to explicitly open the portal that I last logged in to. Log out, and then I can switch accounts.

And having both office 365 portal and Azure portal open at the same time is impossible.

1,127 votes

    Marco shared this idea
    Started · Azure AD Team (Admin, Microsoft Azure) responded

    Folks,

    Thanks for the questions and suggestions. And apologies for not sharing any update on this thread for so long. We’ve been working on this problem and have announced changes on our official team blog (see here: https://cloudblogs.microsoft.com/enterprisemobility/2016/09/15/cleaning-up-the-azure-ad-and-microsoft-account-overlap/).

    First, we are acutely aware of the UX pain this is causing and we are sorry for this. We are trying to undo a decade and a half of systems divergence. There are literally hundreds of different engineering teams across Microsoft involved in this effort. So this is taking time.

    Second, we can’t easily “merge” two accounts, or allow IT to “take over” personal Microsoft accounts. There are two main hurdles: (1) The terms of service are fundamentally different for the two account types and (2) they are based on different technologies with different stacks (different identifiers, SDKs, token formats, etc.). We’re working to converge the two stacks but again this takes time. There are details of this in the blog post linked above.

    Third, in the past year we’ve worked with 70+ teams across Microsoft that operate business services but only supported MSA for historical reasons. Our goal is for all of these apps to support Azure AD (work accounts) as well. As of Nov 2017, we’re about half way there. Dev Center and MSDN subscriptions (now called Visual Studio subscriptions) are examples of apps that now support Azure AD. Microsoft Payment Central and Invoicing are a few weeks away. Volume Licensing and many others are in progress and a couple months away.

    The best recommendations we can provide right now are:
    1) Use your work account (in Azure AD) to access any work application that supports it.
    2) If you had created a personal Microsoft account to access Microsoft business apps, and no longer need it, close the account. Or rename it (which means changing the user id) to avoid confusion.

    Please follow our team blog for future updates on this problem.

    Ariel Gordon

    228 comments

      • Craig Humphrey commented

        Yeah, starting to hit this with more frequency.

        We use SPOnline as an Extranet and have a lot of corporate clients using Microsoft Accounts on their business email address.
        Now they're starting to roll out O365 and so they're switching to AzureAD, on the same email address.

        Works great until they try to get into our SPOnline tenant and it tells them they don't exist in our directory...

        Even if you can't merge the accounts, it would be great, from either an AzureAD or SPOnline Admin perspective, to have some mechanism to replace an existing MSA account guest user, with their new O365 account - given they're using the same email address.

      • Dhiren Sham commented

        Ariel, it's understandable that you can't merge an existing personal MSA with an existing Azure AD account. But it would be stellar if an AAD account could become a superset of an MSA account in the future (or have an MSA attached to it). AAD admin could control if this feature is enabled or not, and if so, the MSA becomes manageable by IT.

        I know you said that you're working to enable AAD support across teams that operate business services, but this still entrenches the separation - non-business services are still going to insist that I use an MSA, which must be different from my work address, but I don't want to keep track of multiple email addresses or accounts.

        For those non-business services that require an MSA but will never support AAD (because they're non-business), please give us the option to allow our AAD account to function as an MSA (not a separate MSA linked to the same address, which is where we started out from).

        This will then allow me to sign into Paint3D, and it would stop the MS Store app from nagging me to sign in with a personal account to sync my apps, even though the AAD login that I'm signed into Windows with has ESR enabled, and I can use my work email for OAUTH SSO on third party sites that only integrate with an MSA and not AAD.

      • WooLand Polanski commented

        I would be more than happy to close my personal account and solely use my Work account but MPN is linked to my personal account and cannot be connected to an organisational account. This problem needs a solution.

      • Anonymous commented

        With the new 'preview' UI I am constantly challenged to log on (again and again and again and ...) to O365 (web site) and MS apps, and presented ONLY with my Windows login name.
        I go to the O365 web page and see my O365 account. "Hello, Welcome Back funky dude" it welcomes while presenting my O365 account and a Sign In button. I click.
        Then :-(
        The UI presents two options for me to sign in with my windows account and one with my Windows email address. Where is my O365 sign in option? So, then I click and have to key it in to a blank dialogue box (my O365 name is not remembered in spite of being input 2 trillion times! And in spite of it being in the 'Work or School' field of my Windows account).

      • Charli commented

        In addition to the 3-year-long chain of horror below (I see I'm in good company, here), I have the same issues + 1. I'm a Microsoft Partner who signed up long ago under using my company email id as my PERSONAL Microsoft Account name with LiveId. Later, I developed service for my company on an external domain provider using the same domain and ID listed under the Microsoft Account. I then established service under O365-E3, mapping the external domain to O365 and using, again, my personal identifier, now, as my email addy for O365.

        Being a MSFT Partner, I installed my laptop using the personal account and paid for the O365 accounts used by my company with my Internal Use Rights from my Partner subscription.

        Because of the most recent updates made by MSFT behind the scenes, I've been forced to rename my Personal (Partner) account. Having done so, this has NOT promulgated to my laptop (I see the same user id as before on my laptop profile), and it has NOT promulgated through to my O365 services (i.e., having deactivated O365 on my laptop, I cannot reactivate it). In particular, MSFT consistently gives me the message, Error. 0xCAA70004, regarding obtaining internet access. This, even though I'm clearly and consistently connected to the internet!

        Please help!

      • Sam DM commented

        Please permit me a simple question: How do I "discover" which AAD instance has created a work account for me?

        I get the dreaded "It looks like ***@***.com is used with more than one account ..." dialog when signing-in, but we do not have an AAD instance associated with our domain, which means some other domain added my personal account into their AAD system and now I need to figure out how to get me removed.

        IOW ... I cannot follow the "rename personal account" use-case, I just want to leave whatever AAD implementation has hijacked me.

        Thank you.

      • Richard Griffiths commented

        Right now I have this problem: my work email somehow has a personal and a work version.

        We never intended to do this at all. Many resources are set up on the personal account for reasons I do not understand.

        I seriously need to lose the personal one with its own password and have everything on the work one.

        1) Why is this even possible?
        2) How on earth can I kill this very useless feature and keep the stuff we've paid for on the work account only?

        It's causing a LOT of time cost. Right now I'm writing because I cannot access Azure thanks to this very nasty defect.

        Please give us a mechanism that allows accounts with the same email address to be merged - assuming the user has both passwords/credentials to hand.

        This would definitely fix my problem.

        Thank you.

      • Anonymous commented

        When my accounts synced together, I had emails today from 2014. I just want my dead husband's pics out of the f..m cloud.

      • Anonymous commented

        Here is the deal! I have had the same 2 accounts for about 12 yrs or better. I have Gmail and Outlook. They said don't worry, they would sync together; I think they meant sink.

      • WW commented

        Back again to say your "solution" is absolutely ridiculous. My password just stopped working while trying to log into Windows and MS Support CHANGED THE EMAIL ADDRESS TO MY MICROSOFT ACCOUNT. They assigned my backup email for my Microsoft Account as my sign in credential because it somehow conflicted with my Office 365 ID. I am having a hard time believing this is going on 5 years later. It is quite silly to be honest.

      • Chris commented

        Your recommendation is to rename the account, yet doing this takes 30-days-per-change (It literally took me 3 months to change an email address, security reset-method, and name)! It is unacceptable that we are treated like criminals throughout this whole process, when it was your screwup in the first place. Give us our Skype credits, Give us our Microsoft Office licenses, Give us our MSDN access!

        At the very least use intelligence that if a passport account has the EXACT email address of one of your client O365 tenants, you can safely assume that it is one that you have tangled up in your garbage personal passports which YOU forced us onto 1-8 years ago... and give them a bit of a break when us SysAdmins try to take back control of them. These lockdowns work exactly against your own tip!!

      • Marc D Anderson commented

        I'm surprised you'd post a link to a blog post from September, 2016 and say "we’ve been working on this problem and have announced changes on our official team blog" about it. Is there no new news since then? You note some info in your second "STARTED" post above, but people are truly struggling with this stuff at every client I have and organization I know of. External sharing is an embarrassing process - not the beautiful experience demoed at places like Ignite. I'd love to be able to point people to a regular set of updates from you guys showing how you're moving the ball down the field.

      • Richard Griffiths commented

        Any way to forbid the creation of a personal account if a work account of the same email already exists in your infrastructure?

        And if a personal account exists, creation of a work one triggers an optional process of migration from the personal one. If the user says No to this, don't create the new work one?

        I'm going to try deleting the personal one and force any resources that use it to accept the work one - as they're both the same email - such a bad idea that was :).
