Is it possible to convert that to a local login?

Take comfort that some things never change!

It's a pain in the tail to resolve, but it can at least be resolved without calling the school.

HOWEVER, the article glosses over the real story: a child obtained complete, unsupervised access to the author's computer, and wouldn't you know it, they broke something.

I suspect there would be far less interest if the headline read "my kid ordered $20k worth of Robux and I can't get a refund".

Given the advent of and ease of use of password managers, I'd rather just have another set of credentials than risk the inconvenience.

It's strange to me to take the discussion like this to public forums before talking to the people involved. It could be his daughter "gave" it to the school as an act of generosity for example.

Too bad that they didn't let you make a copy of what you had - mistakenly - stored on that account though.

PS - Suggest you don't make the mistake of replacing that with a personal Google account.

In this case, is there another company with a similarly old and complex auth system that does exemplary work?

Some kind of Stockholm syndrom.

Here in the Netherlands they somehow have convinced local governments (like cities & provinces) that working with them is still GDPR compliant, even thought they should only work with EU based companies to store data. But other companies like DigitalOcean, AWS and Google cloud (especially Google is evil) are not GDPR compliant

As a dev learning web development when IE was still a thing I still have horrible experiences with them

100% pure regression with account management.

About 10 years ago I created an Azure account with my normal email and my US address. I did some stuff but never had a reason to use Azure in a situation where I’d pay for resources. Some years later I wanted to check out Azure for a small project. I go to log in and it tells me I need to add billing or something. I enter my credit card info and get to the address section. My zip code won’t validate. That’s odd. It’s saying it wants numbers and letters. Wait why does it think I’m in Canada? I’m in California. CA? Hmm. Anyway should be easy let me fix the Country. Oh it’s greyed out. YOU CAN’T CHANGE THE COUNTRY?!

Surely this must be a bug. File a support request. Nope can’t change country. Escalate and explain that I can’t add a credit card because I am not a CA resident and don’t have a Canadian payment method. They tell me they can’t change for tax reasons. But they never took my money because I can’t pay them… I go on to tell them I never even selected Canada there must be some UI bug when they first rolled out the new account format. They said theres a known issue where this can happen. I ask them to fix. They can’t because taxes. They tell me I have to create a new email if I want to use Azure. I wont do that because I have virtue.

I try two more times over the course of 6 or so years. Both times I’m escalated to someone who thinks they can fix the problem for me. I think at one point there was a technical work order put in to delete my Azure account so I could try again. But somehow it always gets thwarted.

So what happened? I’ve been able to piece together that Azure transitioned to a new account model between when I first created my account and when I tried again the first time. The old model was independent of your MS account. The new one not so much. Somehow Azure migrated my legacy account with a US address and morphed it into an account with a Canadian country set. This Canadian account is intimately linked to my normal MS live account which has a US address and payment info nonetheless. An early version of the Azure account migration UI locked in your country before verifying your payment/address. For “tax reasons” you cant change but it’s totally fine that my US live account has a Canadian Azure account and that, if I was able to do things as MS wants, I’d be paying for MS apps and services with a US card and Azure resources with a Canadian one. Because that’s better for taxes?!

So to this day I can’t use Azure because I’m not willing to change my live account login email address, my main email address, to something else just to work around MS’s bullshit. Because yes, now it’s all the same and your azure account is your live account.

That’s a known issue and we have a simple workaround: just kindly make a new email address…

The school did not "take over" his MS account. At some point (likely amidst a mountain of other onboarding tasks for his daughter's enrollment) he would have received an invitation to join the school's Azure AD tenant as a guest/external user. In this case, he chose to join using his Microsoft account, rather than create a new email-based guest account.

"Leaving" the school's org only breaks one side of the federation, and the guest account and it's association to the school's Azure tenant still remains.

To resolve, he'll need contact the school and have them delete the account. Meanwhile, it probably would have been better to create the app beneath an Azure AD tenant belonging to the non-profit org in the first place.

Anything that gains such traction gets fixed eventually, but I want them to fix the root cause, not just this instance of it.

1. My son's school MS account took over his private account, only because he linked the two accounts.

2. Suddenly my son's Windows said it was un-authorized.

3. We called Microsoft, they could not fix it.

4. We called the manufacturer of the machine (they shipped Windows as OEM). They could not fix it.

5. Called MS again. They gave us a new activation code. Did not fix it.

6. Called MS again, this time they said to reinstall Windows (This is not a joke).

7. Upon re-installing, Windows would not activate. No error message, no nothing it would just hang in the activation loop.

8. Called MS. They had no clue. Claimed H/W issues.

9. Called manufacturer again. Also claimed H/W issues. I said that I can access the internet from the machine while it was hanging in activation, so network was not the problem.

10. Manufacturer sent someone out (I had bought warranty). He switched the SSD with a new version of Windows... The did exactly what I did. Same problem, would not activate.

11. Some back and forth with MS and the manufacturer involving many reboot and (I kid you not) turning off all wireless routers... MS still would not activate. Manufacturer (and MS) did not believe me. So they sent someone again. Did the same thing, again. Did not work.

12. Manufacturer said I needed to send in the machine. So I did. I included a note about what the problem and to please not just re-install Windows, because the activation was the problem.

13. Got the machine back... They had just re-installed Windows. Would not activate.

14. Started to get upset. After some pressing manufacturer agreed to send a new machine.

15. First they sent someone out again. Did the same thing again. Forced me, again, to turn all wireless routers off, so that (he claimed) Windows would activate without network. Again... Did not work. Activation just hung.

16. Eight weeks into this we ended up getting a new machine (yes, not kidding) from the manufacturer and now the same version of Windows (from the same memory stick) on the same hardware, same drivers, all the same, would happily register.

I cannot even begin to express how annoying and useless this was. And MS and manufacturer were helpless and useless.

Personally I have stopped use Windows over 2 decades ago - only using Linux, but my son wanted a gaming machine, and so I relented. :)

Microsoft bought Github in 2018. We'll see what happens in 2025...

Nonetheless, I would have expected MS to ensure that the process includes clearer guidance for the account owner, and for deliberate decisions to be made by the school to enable this type of action.

They did a very good job of providing clear advice to BYOD users during the MDM onboarding process in InTune, and it’s confusing that this didn’t occur in this case.

The trial ended, Microsoft start charging my credit card, and it was literally impossible to stop it without access to the account that was managed by the now defunct company. While it was pretty hard to talk to an actual person, I did twice, and after months of back and forth via email, I was advised to just do a charge back with my credit card company. Microsoft (probably automatically) disputed the chargeback, and I spent many more weeks disputing the dispute, having to prove to my credit card there was no way to cancel and Microsoft actually told me to do a chargeback. I'm sure I'm somehow banned from Microsoft accounts using that credit card, although I've never tried.

I told him that good luck coming all the way from India to wrestle my laptop from my hands. Don’t know if this will end with me looking for a new job, but what I know is that I won’t be installing whatever rap they are pushing. I am an adult and know how to admin my own computer

I'm usually pretty positive about Msft but their identity stuff is a mess.

[1] except that I have two OneDrives that appear to form a Venn diagram with a partial intersection that i can never quite figure out....

I’d be curious about a follow up if the author ever figures out how the account takeover happened. I wonder if logging into the account on a school device resulted in automatic enrollment or something.

Our team has a Google sheet with some scripting that uses the data in the sheet to generate data to another system. This needs to be run using the company Google account.

Now someone opens the sheet, runs the script and it just doesn't work.

Why? Google just randomly decides to pick one of these:

- The personal Google account the user has logged in to - The account used by Chrome - The company account

We haven't found a pattern to this yet. It works better for some people and worse for some depending on the time of the day, position of the planets and maybe a third unknown factor.

It took a lot of back and forth with the schools admin to figure out what happened. I was able to get my account released, but I wasn’t brave enough to try what Jeff did.

Like Jeff, this did not leave me impressed with MS Azure at all. How could joining (or being added) to a mailing list imply you are now part of an organization? How does one go from LDAP to that hosted AD mess?

What has happened here is that you have essentially two accounts: One is your consumer MSA, and the other is an account in the school's Azure AD instance that uses federated sign-in with an external account (your MSA). Except, the real mess comes from the fact that there's one login page for both, and sites such as the Azure portal that support both identities and can't really tell which one you expect to assume. Plus, the Azure portal lets you switch between Directories at any time.

You can:

* Sign out completely (login.microsoftonline.com/logout.srf) and sign back in. The reason the sign-in page asks for your sign-in email first is because then it uses that to decide which directory (MSA or someone's AAD) to sign you into

* Change directories - (in fact I'd recommend creating your own Directory instead of using the one that was automatically created for you from your MSA name)

I have 2 Microsoft accounts on the same email address, one is a personal account I created ~ 10 years ago and one that appeared out of the blue a few years ago. The second one seems to be created by my employer, when I try to login it is rerouting me to the job 2FA. The weirdest thing was when I tried to schedule an exam with Microsoft and it appears as free on the work account, for some reason, but not free on my personal account.

I also had OneDrive set up on my personal desktop. After years of working well, one day I got an error and I had a look: it merged my personal OneDrive with the work one, so my Witcher 3 saved games were on my company's storage. I guess this happened because I tried to add my work account in Outlook to read email on that computer too. Since then, I am doing all the work related tasks in a Virtual Machine with a local Windows account and no email, no Teams, no OneDrive, etc.

Worked on a project for a big bank. My work email was given access to their Active Directory or whatever for certain sharepoint folder access.

My work machine is signed into my /personal/ microsoft account for login, and then also signed into my work-personal account (i.e. MS account with my work email, but a self created personal one - we're not an MS company).

At some point I was kicked off my Xbox, had to do a password reset dance to get access again, all because Big Bank's password expiry policy somehow leaked into my personal MS account thanks to being signed into both accounts on the same pc.

And now, my company got an Active Directory for us, purely to make interfacing with other MS-powered clients easier. Imagine the nightmare of my work account, originally created by myself, and the conflicts with my new "work or school" AD account. It's such a mess.

It appears that someone was able to link an MS account to my email with no verification, then rename the account, again with no verification.

Best case is that it's someone who used my email as a recovery email for their MS account and changed it. But with the mess of MS accounts, I'm always nervous they've got some residual control of my real account which is also linked to that email.

Unfortunately I've never been able to get confirmation from MS that things are OK. There are plenty of questions about this particular renaming issue on the web, but no answers.

And also this is why I don’t use Ubuntu anymore.

At the end of the day its something I'm more disappointed than upset about. Its scammy, gross, and reflective of a company playing catchup by force.

It’s funny because Azure seems like it’s just a hacky scaled up version of what MSPs we’re doing with hosted exchange 15 years ago.

> malice is a condition of the mind which shows a heart regardless of social duty and fatally bent on mischief, the existence of which is inferred from acts committed or words spoken.

Negligence and recklessness are often considered acts of malice, especially when stemming from wilful blindness.

The mischief here is the problem with the account, we (those commenting on this page) have no confidence in Microsoft to improve it (they are fatally bent), as they clearly don't consider it a social duty and are surely wilfully blind to it. Does anyone here think they want to know, let alone care?

[1] https://thelawdictionary.org/malice/

One wonders why one would pretend not to know this.

This is exactly the kind of waste we should get rid of, but sadly this is exactly what we get by offshoring IT into India where people just do exactly what some consultant tells them to do without any critical thought if it is appropriate or not.

The UI of this is just as bad as the one that asks you to sign into MS account and upload all files to OneDrive when setting up Windows. It even comes back after some time if you deny it!

AD login is something that used to work well (10-20 years ago) but is now a complete clusterf*k. What was designed for logging into Windows NT workstations isn't what most users nowadays are expecting when logging onto web apps. Plus the UI full of antipatterns. Yet it's still the easiest for IT folks to manage.

Also, Google tracks you across all websites once you login to the browser (even if you don't use google login on them). If they weren't tracking you, using the browser profiles would be great.

outlook.com

Windows Store

xbox

Skype

Families

Office 365

I can't downgrade it to a personal account without deleting the account and recreating it, but there's not even a guarantee that will work. Deleting the account will also mess up family photo albums and other items. Photo storage is full but I'm also unable to pay for storage without adding a subscription to the account. It's so risky to try and fix it that I just had to migrate to a new google account, re-purchase all my android apps, and just ignore that account forever.

It was in fact super easy to just search my email Inbox for emails from Mojand and find the proof or purchase.

With MS I have 3 fucking accounts and not by choice, they bought Skype and Mojand and forced me into their super shitty system, I spent 30 minutes 1 year ago to migrate the Minecrtaft accoutn and more then 30 minutes a few weeks back to login back into Minecraft because I needed to detective my way to figureout what Microsoft account they connected to my Mojang purchase.

I hope in a few years someone leaks what greedy motives were behind this forced migrations, probably to sell more shit.

I don't understand why people think a microsoft account could ever possibly be more secure.

With smaller outfit's the L2 tech support might actually be having a line of communication directly to engineering, where in large companies there might be an L3-6 plus different product owners and escalation managers involved before a case gets in front of the engineering team.

Or maybe the bug's just going to languish and our friend Jeff here is going to be forced to create a new Microsoft account.

--

As far as AWS' products being independent products. I have the opposite view, as their products would be rather useless if they didn't interoperate with each other. How useless S3 would be if it couldn't talk to anything else!

Microsoft has been dealing with online identity almost since the consumer web exists. MSN launched in 1995, Outlook was the poster child of webmail, ActiveDirectory is the behemoth of enterprise user management.

I don’t see Hanlon’s razor relevant when it’s on one of their core competency. They at least committed to throw part of their users under the bus to pursue their goals.

I think some people are mixing up Hanlon's razor with "if it is bad, the malice part can't be on purpose".

Now, 4 years later I still get to choose wether I want to login in their tenant or mine everytime.

Microsoft solution? Change my email on the personal account.

Not kidding.

I have no idea where to report the issue to (Microsoft store? Minecraft support? Microsoft Windows support?), and having dealt with Microsoft support in a professional capacity I know that even if I do figure out where to report it that they will waste weeks of my time asking me to explain the issue and then claim it's working as designed without understanding the problem at all.

This sort of scenario. Or a million others.

Windows is full of dark patterns, so I don't really know why I had even a modicum of doubt.

To any MS/Mojang folks lurking,- great game but the authentication merge was an unforced error.

I would frequently have to reinstall on PS5 to get it to boot, it would lose purchases constantly, and there is no cross play for mac hilariously because Mac doesn’t have a bedrock port, despite it having “Minecraft for education” which is based on bedrock.

Microsoft turned Minecraft into a steaming pile of garbage.

This is pretty much just best practice. When's the last time you could change your password without entering the original, short of a re-verification via email? Same idea here.

I held out for a really long time, but a friend wanted to play minecraft with me so I finally caved. If they ask me to add a phone number I'll probably just abandon the account though, and look into piracy of the game I purchased.

Teams is written using web technologies so you're getting the same experience as the app.

Better solution: don't use M$ product, if you can. Despite the efforts and resources Microsoft spends in improving its products, languages, tools, they are just an enterprise company: very expensive buggy products.

Indeed and when I try it, it does surface it when I search for Does Nvidia Shield require an Android account? [1] For comparison, ChatGPT also gets it right. [2]

--

[1] https://imgur.com/a/cLpFj6i

[2] https://imgur.com/a/x6AP0jf

I strictly use the local-only setup. I'm sort of OK if they still leave a relatively trivial backdoor to do this, but if they ever flat require an online account, I'm out, hard.

This is partially due to wanting to avoid the hassle and management of yet-another-forking-online-acct-IDGAF-about, but also because I have some machines controlling industrial processes (CNC machines, custom cutting machines, etc.) that I keep entirely off any network for security & safety reasons (yes, moving anything to/from those machines is all sneaker-net; simple, works, and my shop doesn't yet have the scale to justify that kind of networking/security/admin overhead).

I just hope that MS engineering is not stupid or powerless enough to allow MS marketing & MBAs to fully kill off the local account.

This entire attitude of exploiting customers by requiring spurious internet accounts & connections is making me start to think that the Internet is all a huge mistake. If that approach takes over, the world will literally be worse than before the Internet in every important way (and there are some solid arguments that it already is worse).

They are pushing more and more people into the perception of renting a experience rather then owning a device. Its great money for me to help people figure all this out though.

[1]: https://www.scottrlarson.com/publications/publication-transi...

They can either remove that policy from their azure AD, or remove the machine from the azure ad.

Or update their policies to allow for azureAD joined machines.

If I could make one law get passed, I would outlaw algorithms on social media feeds (edit: and search engine results). Let them collect the data, let them target ads. I don't think those things are inherently harmful, or at least, no moreso than the old ads and surveillance.

But the seizing and algorithmic manipulation of the feeds, with the accompanying incentive that the whole thing fails if it doesn't turn a profit, is far more toxic than the gatekeeping of the old media emperors. The great promise of the internet in the 90s was that consumers of internet media would have complete control over our feeds, and get only the things we want and demand.

We have received the exact opposite, because people with money want to put their money to work, rather than work.

More flexible, yes, but are you really getting more powerful than an A15 for that price, especially when running a general purpose OS?

That last point is really hurting why media PCs disappeared: you’re paying considerably more - a whole number multiple - for an experience which isn’t designed for a TV, and in return you get the fun of playing sysadmin when you’re trying to relax. Most people are not going to pay a significant premium so they can deal with drivers and trying to figure out why their HDR isn’t working. Device lifetime theoretically could counter that out but I’m skeptical that hardware won’t be what sets the timing for that in either case, and the dollars per year metric isn’t favorable there.

Setting that all up on PC is much more of a chore.

Having to use a mouse and keyboard is a pain point for me when I use my desktop on my TV from the couch. For the mouse I use the trackpad on a ps5 controller, so the mouse isn't so bad.

Possibly you could: * Not require passwords for everyday operation of your computer * Boot into some sort of launcher designed for televisions * Have a fairly narrow set of apps and services that work well with your setup. For example I don't know how you'd use Netflix or Disney plus with a remote on Linux.

That’s about it though.

Only "proper" solution is to /not/ sign into your MS account when seeting up the new machine for the first time. Create a local account with the name as you want it, and then only afterwards link it with your MS account (if you have to).

Only problem is, latest Win11 installer does not allow you to create a local account anymore at all. So you need to install Win10, do the work-around-dance, and then upgrade to Win11. I only relaized this after halway through my most recent format.

Every time when I ssh into one of my other boxen, I have to remember now to go 'SSH myname@ip' else windows helpfully defaults to 'mynam@IP'

Install flight simulator on a Win10 PC with local login only and launch -> sign into an xbox account -> after you enter your name and password, you get a dialog box where you have to agree to sign your Microsoft Account on that PC with two dark pattern options that lead to the same result.

I couldn't find any combination of group policy editor, registry, and services.msc around it. You can either close it and lose access to the game you just paid for, or proceed and then you get your account signed into email and a bunch of other crap you dont want and have to spend hours getting rid of all traces of that account in your system(but it's never 100% gone). Only way to bypass it is to buy the game through Steam.

Between MacOs Linux and Microsoft, Microsoft has the last respect for you as a user and nobody should use it if they don't have to.

You're welcome.

My Kodi box boots straight into Kodi. I have a mini wireless keyboard on it (Rii X8?), but the alphanumeric functionality isn't particularly used and it could just as easily be a video game controller or even an IR remote.

There is no "situation which requires more work to sort out via the CLI", beyond when I deliberately choose to make changes to the system. If I ever did want to pop out of Kodi and run a general desktop + browser - say for sports streams - then the additional input hassle would be due to doing something I couldn't do with an appliance anyway. You can't really characterize this as a drawback.

And sure if some driver functionality doesn't exist, then obviously you can't use it - you set your expectations to what is available and how much you want to tinker. And the real answer to "angry rants" is to use an operating system with reliable change control, so that if you start tinkering with something, it cannot end up in a broken state when you want to use it to relax.

I have looked into buying LTSC. Apparently you need a business (I own a “shelf” company which has never done anything, but legally it counts), and a Microsoft volume license agreement. I looked into the later. Supposedly there is this trick where you order all these useless-but-cheap Identity Manager CALs to cheaply meet the minimum order requirement for a volume license. But I got a bit stuck working out what to order (or even if it was still available through resellers in my country). I lost interest at that point.

Also I find it a bit disingenuous when people argue for the "less expensive" options that put you at the mercy of streaming companies. My amd64+Kodi+zfs+VPN setup certainly isn't the cheapest, but neither is a corporate puck with several monthly fees for streaming services. If one wanted to be entertained for the least money possible, I suspect that would just consist of using your current laptop/computer running a general purpose OS to play dodgy streaming sites. But most people seemingly want something more than that (which ties back in to my first paragraph).

> dont see the benefit of these android based TV devices or Apple TV anymore.

My point was simply that an Apple TV is significantly cheaper ($100-120 vs. the $200+ PCs people mentioned) and it has roughly a factor of two better performance. Now, it’s inarguably less flexible but most of that flexibility doesn’t help with things many people want to do, which was the original point: people buy these because “spend less, everything you actually use just works” is actually a pretty good sales pitch.

This info is publicly available so more detailed info should be easy to find.

Enterprise IT is conservative and full of strange politics that make it really dangerous for an admin team or it department to stick their head out and do something independent other then follow the "mythical industry best practice" and MS is extremely good at manipulating what gets considered "industry best practice" to their advantage and then give just enough discount on the more visible parts of the costs to look cheaper.

And it's a open secret that individual employee productivity don't matter all that much in the kind of back end work where a PC was ever a feasible tool, as what really counts for profitability is the non-pc using frontline staff's productivity, who is far more likely to be issued either no computers or mobile phones or tablet then wintel laptops.

They now are giving teams (slack knockoff) a free dialing number so it now can be used for phone conferencing without non-organizational people.

Onedrive gives you 1Tb of syncable storage per user, and 1TB per user pool for shared office resources.

I spent years as a google apps advocate, but seriously for the money, no one touchs what MS is offering right now. Google had MS hands down 10 years ago, and let google apps die on the vine. It is a damn shame too, because they were the only ones that have anything comparable.

For all it's terrible bugs and login issues, is there even alterative with similar functionality that would be as "user friendly" (as in: non-tech people would know how to use it as well as they use Microsoft garbage?).

I literally can't think of any alternatives that comes close in functionality OR has the same ease of use for non tech people and wouldn't waste even more time.

you can try to find as many edge cases,

but at the end of the day I just log into the account that's inside domain and everything:

email, teams, network accesses, auth thru web apps goes thru that domain account

You can also use any of various other products that compete with them (Google Apps, iWork, Zoom, etc).

Just because MS makes a specific package that businesses like doesn't mean that they can't use something else if MS is becoming more of a problem than they're worth.

Source: https://lazyadmin.nl/it/how-to-stop-automatic-restart-win-10...

Maybe they all need nonstandard software? God forbid, maybe they need administration permissions, but the org doesn’t want to give it to them, so they end up calling in every other day to get something unlocked (I know that’d be true for me).

Maybe it’s the problem solving skills of the IT team when it comes to mac, so people keep coming back with the same issues (good ones are Outlook/Teams being permanently broken, or VPN not connecting).

On the whole, I’d steer away from any explanation that would require all 500 mac users to be idiots.

And everything just works out of the box with like... 3 lines of PowerShell.

You can replicate some of it with Ansible, sticky tape and a few spare weeks, but it's not the same at all.

I'm actually Linux admin, grew up with open source and spent my career serving pages and automating myself out of a job. I dislike Microsoft as much as the next guy, but for enterprise use they are _next fucking level_.