Disambiguate MSA and AAD accounts

2018-03-17

Microsoft is finally closing the loophole that allowed you to create an MSA account (LiveId) with the same unique name as your AAD (Azure Active Directory) account. While it has been very useful in many cases to use the same ID for both the MSA and the AAD account, most services that relied on only MSA are finally shipping updates to also support AAD.

I've always had my MSA and AAD account share the same identity ever since I created my Microsoft Account almost 15 years ago. And ever since Microsoft introduced Azure Active Directory I've had to choose between a "work and school account" or a "personal account". It helps that I have a pretty good understanding of the difference, so for me it never really posed more than a minor inconvenience, but I see a lot of clients confused and frustrated by the, in their eyes, useless question:


Because of its age a lot of profiles were associated to it, and changing the sign-in address of my MSA felt a bit scary. Just to give you an idea of the services linked to my MSA (jhouwing@xpirit.com):

  • Microsoft Certification Portal
  • Microsoft Most Valuable Professional Portal
  • Microsoft Partner Portal and Partner link to Xpirit
  • Microsoft Visual Studio Marketplace Publisher account
  • XBox Live account
  • Windows Phone Marketplace
  • Windows Developer Account
  • MSDN subscription (from MVP)
  • Azure Subscription (multiple)
  • Visual Studio Team Services (multiple)
  • Visual Studio Enterprise license in Visual Studio 2017 (through MSDN)
  • Azure AD Guest user in a number of partner directories
  • Windows Store
  • Groove Music
  • Family Office 365 subscription
  • OneDrive
  • Windows Insider
  • Skype
  • My personal laptop
  • My work laptop
  • My personal Xbox
At the same time a number of things were associated to my AAD account sharing the same identity (jhouwing@xpirit.com):
  • Microsoft Visual Studio Marketplace Publisher account
  • MSDN Subscription (from work)
  • Azure Subscription
  • Visual Studio Team Services (access to Microsoft owned accounts)
  • Azure AD Guest in the Microsoft directory
  • Work Office 365 subscription
  • OneDrive for Business
  • Skype for Business
  • Windows Insider
  • My work laptop
I'd switched identities on my Microsoft account before, when I left my previous employer and joined Xpirit, so I was accustomed to the process of re-associating in the Microsoft Partner Portal and switching the primary identity in my MSA account, but I'd always hit a few problems and over the years the number of additional devices and services has steadily grown.

To start the disambiguation process I first added a new secondary identity to my MSA account (jesse.houwing@gmail.com). This option is pretty hard to find if you don't know what you're looking for. You can find it in the Microsoft Account portal:
Click the "Manage your sign-in email or phone number" link and there you can add additional sign-in addresses to your account. In my case I added a secondary sign-in address for my gmail account:
After confirming you own this address through your chosen method of security, you can now sign in to most services using either address. A few won't work though, as I found out:
  • Visual Studio Team Services won't allow you to sign in with a secondary identity. It will however automatically swap you to your new identity once you make it primary. Account ownership will also be updated automatically nowadays. That was a great relief.

From there I clicked the "Make Primary" link on my new identity and after that I checked whether I could still access all my accounts. Switching my primary identity had a few unexpected side-effects:
  • I had to update my MSA account information on my Windows devices.
  • I had to sign into my Xbox again
  • I had to restore my Windows Insider details
  • I had to uninstall the Windows Feedback app and install it again (should be fixed in a later version)
  • I had to sign out of Visual Studio completely and sign in again to refresh my license and to connect to Visual Studio Team Services.

After confirming I could still access all my services I crossed my fingers and went on to remove my old primary identity.

After clearing all cookies in my browsers I am now no longer greeted by disambiguation prompts, which makes me very happy. I'd still love it if Microsoft would make this process simpler and if they'd be able to remove the issues I encountered, but the process was a lot easier than I had been dreading.

Ohh and while you're at it, you may as well update your security preferences, enable 2-factor authentication and set a stronger password ;).

If you're wondering whether a company could solve this problem for their users, the answer is no. There is no way for an organisation to query which users have the same ID for their AAD and their MSA account, and there is no way for a company to change the primary identity on behalf of their employees. The MSA account is owned by the individual, and privacy and legal reasons prevent Microsoft from solving this on behalf of a company.