This weekend I wanted to create a new App in Azure so I could help a local nonprofit automate one of their donor relations processes via email through Office 365.
So I tried registering an app by visiting the App Registration Portal. I signed in to my personal Microsoft account, clicked 'New registration', then was greeted by this page:
I thought that was a bit strange, since I shouldn't have any restrictions... but then I noticed it listed [redacted] School as the reason I couldn't do this.
Then I noticed under my username / account info, it had my personal email, but it showed me as being a member of '[redacted] School'.
I guess somehow they threw me into their system, so surely there's a way for me to sign out of that back into my personal account, right?
Wrong.
First I tried going to the My Account portal, as suggested on the support page Manage organizations for a work or school account in the My Account portal. I entered my username and got:
Okay... well this is weird. And yes, this is my personal account. It was created when I transitioned my Xbox LIVE account to a Microsoft account on 2014-03-07 (the LIVE account was created back in 2006, and neither it nor my Microsoft account were ever joined to any other domains).
So I clicked my username and saw it is listing my daughter's school under my account email:
I saw a handy 'Switch directory' link so I clicked that.
Unfortunately, there's only one directory listed... "[redacted] School." So I can't change directories.
Searching around, I also found the URL https://account.activedirectory.windowsazure.com/, so I went there and tried logging in... but got:
So at this point I didn't know what else to do. It's a weekend, so I probably won't get ahold of the school's IT person who could help on their end.
Somehow, the school 'adopted' my personal Microsoft account, and now I can't do anything in Azure with it. At least my Xbox Live account and Windows licenses are still working—but could the school revoke that access too?
I have no clue how I got in this pickle. I certainly don't remember receiving an email saying:
Dear Jeff Geerling, are you okay with [redacted] School taking over control of your Microsoft account and not allowing you to do anything in Azure anymore?
So how did it happen? And is there any way I'll be able to regain control of my own account again?
And the bigger question: does this mean it's possible for any org on Office 365 to forcibly adopt users on the platform who log in with their personal accounts?
I'll update this post if I can figure out a way to regain control of my personal Microsoft account again. I also posted about it on Twitter, and there are others who mention similar stories of woe.
Hopefully [redacted] School can help here. But they shouldn't be able to do what they did in the first place—Microsoft Azure's insane Active Directory behavior isn't their fault!
Update: Following @NeilTheMann's advice on Twitter, I went to https://myapps.microsoft.com and logged in there. Then I clicked on my 'JG' account info, and at the bottom of that profile pane, it had a link to 'Manage organizations'. On that page, I see:
I clicked 'Leave', then got this nice scary warning page:
I'm assuming "deletion of your data" only includes any information that might be associated with the school... hopefully not the rest of my Microsoft account!
Now if I visit 'Manage organizations' I get an error:
...and now if I try doing anything in Azure I get this warning:
And my account now shows "RESTRICTED TENANT":
So I think I just screwed myself out of even minimal access to Microsoft Azure.
🤷♂️
This experience certainly doesn't recommend Microsoft Azure.
Update 2: It gets better. Now I can't even log into myapps.microsoft.com:
However... I am now able to Register an Application in my personal account—though every page on Azure gives me this big ugly error message:
The rabbit hole goes deeper still...
Comments
Probably you now have two accounts, both using the same email address. One is a personal account, one is an organization account. If Personal doesn't qualify as an alternate directory, then it is not surprising that you can't switch to it. Probably have to sign out, choose to sign in with a personal account, and then sign in.
Here is probably what they did: https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/a…
I might have been a little off with my previous suggestion that you now have a separate organization account.
This almost certainly only added "things" to your personal account. Just a matter of finding the UI to switch between those additions and what you had before.
Lol just loud and wrong, huh?
Lol just loud and stupid huh?
@Aaron Axvig: That's related to Azure DevOps. That has the "Azure" moniker, but is more of a stand alone product. It can use Azure AD for authentication but that's about it. It's more comparable to GitHub.
I had a similar situation which I resolved as was able to get into one account and then change the email address so now have my personal and work accounts on separate email addresses. It has been a mess for such a long time to have two sets of accounts.
I was pulling my hair out last week with the same problem, albeit two corporate accounts and one personal live.com account with varying subscription to Azure dev ops. And it is not the first time, neither too recent. It is not like the company behind this product has thousands of engineers and billions of dollars... oh wait..
Think so too - in my little understanding you can't register apps and stuff like that with a private account - so you must have another org (tenant) than the school's one to log in.
Microsoft would be funny if the consequences for your personal life (of using MS) were not so devastating. I suggest an attitude of detached amusement followed by single shot of your nerve-tonic of choice ;-)
If you don't get anywhere, you can try to reverse engineer what happened yourself by looking at your own user profile in https://developer.microsoft.com/en-us/graph/graph-explorer. The "GET my profile (beta)" endpoint shows a lot of information and you can compare it with different accounts to try to figure out what went wrong.
For an even more high-effort solution, you can give yourself a tenant using the Microsoft 365 developer program (https://developer.microsoft.com/en-us/microsoft-365/dev-program) and try to recreate what happened using some test accounts. That way if you have to get help from the school admins, you could at least give them a start on where to look for what went wrong.
Thanks for the links, looks like I'll be doing some spelunking this weekend!
Looks like you got there in the end - I've been seeing that error message ever since personal accounts were able to register applications (sometime in the last couple years). I haven't seen any further issues with the apps though
shenanigans like that are why I will setup a portable browser installation and try to isolate separate Microsoft accounts to be signed into as much as possible from the browser side of things
Shenanigans like that are why I do my best to avoid anything to do with Microsoft.
I have experienced the similar kind of annoyances again and again. For MS it's always the same: the end user gets a polished environment with huge obstacles prepared so that enterprise admins can control and observe the users' behavior. My advice: don't use Azure and also don't use the other big players' cloud solutions.
Try other smaller providers, you will save a lot of money and have a better experience. You won't get such an ecosystem like with Azure, but you keep much more control.
At least it is how it is here in Europe.
Try an incognito window, to make sure you don't just have something cached.
Clear your cache and cookies. And either use an additional browser or use incognito/in private mode. Doing so will ensure that you are using different memory space so that the auth token doesn't get used for the other tenant. One tenant taking over another tenant like that is not a thing. At least not with the simple click of a yes button.
Jeff,
Have you tried hitting Switch directory in the Azure portal to go back to your own Organization in the Azure Portal?
Had a client org silently uninstall all Microsoft Office installs on all my company machines once. Turns out SMS didn't find the product keys in the client org's SMS database (they were licensed through my company).
So a couple of comments on this. No, an organization cannot forcibly join your account to their org unless they own the domain for your account. The issue here is that whenever you go to an organization's stuff though, you may be requested to have your account added as a guest and if you accept that, your account is converted into a split personal and work/school account (they're technically different but linked). That work/school account is now linked to their org and will follow their policies for what you can and cannot do. Normally you shouldn't be accessing a third party domain without having your own org and instead have a separate account supplied by the school. Worse yet here, had the school wanted, they could have adopted your comp as well. Same system and same dialog. If it's configured, and you just press ok when trying to access their resources, and your local account has access, well congrats your comp is now managed by their Intune, and possibly enrolled in the org Autopilot such that you can't even reinstall your comp without permission anymore.
Ultimately, it's on whoever clicked that ok that gave you your situation. And this teaches you a valuable lesson. If it was you that clicked it, it teaches you to start reading the dialogs you get, or if it's your daughter, to not share accounts.
I've mentioned multiple times on Twitter, I never authed anyone to take over my account. My daughter has no access to either of my computers, or any device that has access to my password manager. And she doesn't even have an account in their AD that I'm aware of (the school thankfully doesn't give every child a device, and only lets them use shared iPads with limited access).
I also haven't logged into my Microsoft account knowingly in the past year except for once to purchase a Microsoft Windows Dev Kit 2023, and once more to associate a new Windows machine (which my daughter also has no access to) to a Windows 10 Pro license.
Many people assume that I haven't tried things like using an incognito window, separate browsers, etc., but I assure you those were the first troubleshooting steps I tried. My account is my personal "@mac.com" account and I don't know how it got adopted into their system. I did provide my email as a parent of a student, and I receive form letters / newsletters from time to time, so my only theory at this point is they have a mailer setup that integrates with AD or Azure and somehow injects users into their tenancy?
I got an email from a VP at Microsoft Identity services (something like that), hopefully we'll be able to figure out what happened, and how to prevent it from happening in the future.
I'm in a similar situation (except no kids and no school involved). I made an Azure app and can't invite my colleagues to work with it. I get the annoying message with the UUID and the restricted tenant message, too.
If your new friend wants to chat after he sorts out your situation, our small nonprofit would be very grateful. (I'm firstlast@gmail).
Hi,
Did that VP of identity services lead you to any resolution? I am dealing with a similar issue right now and would appreciate any pointers.
thanks.
With the greatest of respect Daniel, that's horseshit.
When registering an app, you must use a corporate account (work or school account). This has to be a member of an Azure AD tenant (and you can be a member of a few).
When you tried to do that at first, you only had the school tenant for which you don't have enough privileges to create an app (makes sense).
You then left your only organization which means you effectively no longer have a corporate account.
Your personal account is probably still there, under the same email, however, you should not be able to access 'azure' services with it.
If you want Azure services, you need to create your own tenant. You can easily register for Azure AD to get one.
You can also re-enroll into the school organization and then you will be able to switch them with the 'switch directory' button.
I hope this explains it.
This is 100% why ALL of the clients we consult no longer use Azure. You were able to create a Microsoft account and an AzureAD account with the same exact email address. They might have fixed it by now, but we had several instances of things like this going sideways behind the scenes. EVERY TIME we called support, it was a non-native English speaker reading a script and some of the issues never got fixed. No exact details, but we even suspect that some actors were actively trying to penetrate one client using the exact method you are dealing with by calling MS support and having them flip switches behind the scenes.
Just FYI, GoogleID is the same. One client’s daughter joined a school ISD on his home computer and somehow gave them admin access to the ID through Google Chrome. She could even access their GCloud through her school Google ID on her school issued Chromebook.
Be careful out there with federated identities.
Hi Jeff, this is super interesting, thanks for posting. Unless I'm misreading a detail of your post, this looks like a zero-click vuln by which an org can restrict the functionality of an arbitrary personal Microsoft account (and possibly additional capabilities, given that this impact was discovered incidentally by attempting to use Azure.) If you haven't already, I would recommend submitting this as a vuln report to Microsoft to see if they can repro, especially given that it is likely a scalable vector for account compromise if so.
Hi Jeff, this is actually a version of a very common problem with Microsoft Infrastructure. It's been known in IT circles for almost a decade and no solid fix has been forthcoming. I ran across your post by accident, I'm a System Administrator who specializes in Exchange.
Depending on the endpoint (URL) you are accessing, you may be accessing different backends but since the systems are interconnected, that can cause unpredictable issues. The core of the issue is your email address which MS considers to be a unique identifier suddenly has multiple accounts and it's using the first one, and depending on the system you access it from (and a lot of other unknowable factors), it may reference the wrong account.
When you initially log in, sometimes the system may ask you whether this is a work or organizational account, or a personal account. This is the critical part at which these issues start. Depending on your selection, if an account does not already exist, it is created silently on the backend. Depending on the answer it chooses a backend, and that can be somewhat sticky or reverse course.
M365 paid accounts and other MS accounts that are unpaid can conflict; from what I've seen, it appears they mostly use different infrastructure within MS. The number of interconnected systems and the lack of up-to-date documentation makes this a rabbit hole that almost always requires an organizational Exchange admin to clean up the issue.
In cases of duplicate email addresses like this at an organization, the steps to fix it are usually to log into the personal account, and then change the email address and name to something else. This then fixes the organizational account (not the personal account).
The opposite (your case) requires an AAD admin to remove all identity references of your email account in the Azure Active Directory of the organization's tenant, and can sometimes require additional cleanup of properties on the 365 tenant side and other areas as you may get silent intermittent email delivery failures to your mailbox thereafter (which are very common in hybrid setups).
Unfortunately there isn't a good solution, Microsoft support will be unable to assist as they will be unable to verify your identity and will try to transfer you until your line disconnects or you hang up in frustration.
A state-run institution's AAD/Exchange Administrator is no better, typically has no contact information, and their ticket systems are almost unilaterally designed with features that run opposite to best practices, with the effect of spurning their users. A unique issue likely won't be solved.
To go more into the other aspects of cleanup (for your research if you are interested), the cleanup for intermittent delivery issues usually involves previously having captured the original information needed by Exchange internal addressing (which is a property ExchangeLegacyDN iirc), and then adding that X500 address to a property on the newly recreated mailbox in the Exchange Tenant. It's less of an issue between Cloud-Only deployments, being enrolled in a Hybrid tenant is the most common cause, and that doesn't require your interaction as it's mostly done automatically after you click the initial prompt.
I hope this provides enough background information on the issue, which is better than nothing. I wish there were a good solution.
This issue is the bane of many System Administrators, and it can also appear with cross-tenant sharing with Sharepoint and other M365 Applications (as an account is automatically added to the underlying Tenant with those Sharepoint share requests when you click the invitation link).
I had added my home machine on my employers domain a number of years ago. Retired 2 years ago, filed help tickets to remove me and my machine from the domain, did the exit domain cpl thing, but still see my Corp ID from time to time. 365 is private license (uninstalled, reinstalled).
The Corp crumbs are still in there... Not in registry, or anywhere else I could search.
I have the same problem. Microsoft doesn't want to fix it. Worst nightmare ever when you know your personal email is vulnerable.
I've had similar issues with Google accounts. My daughter's school account took over her personal account because she logged into her school email on her phone. The school account completely locked everything and I, as the parent on her personal account, couldn't do anything. The unfortunate solution was to graduate her personal account from a kid account to regular one, which resolved the stalemate and gave her access to her phone again.
Hi there. I am a Microsoft 365 administrator and have this problem with guest users all the time.
You need to ask an administrator of the tenant to remove your device from their MDM module and guest users section.
This will then release your account back to a personal account only.
You will have had to accept the invitation to join the organisation in the first place - there is no way of forcing someone's personal account to be linked to an org.
Hope this helps.
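The cleanup this commenter describes, from the organization admin's side, as an added example (not the commenter's, Microsoft's, or the post author's code): find the guest object that an external address has in the tenant, show how it got there, and optionally delete it so the address is released. It uses the Microsoft Graph PowerShell SDK; the scope, the email address and the domain are assumptions, and the admin must sign in to the organization's tenant, not a personal account.

```powershell
# Added example: locate (and optionally remove) the B2B guest object that an
# external/personal email address has in THIS tenant. Requires the
# Microsoft.Graph.Users module and a role that grants User.ReadWrite.All.
param(
    [Parameter(Mandatory)] [string] $ExternalEmail,   # e.g. parent@example.com (placeholder)
    [switch] $Remove                                  # report only unless -Remove is given
)

Import-Module Microsoft.Graph.Users

# Interactive sign-in as an admin of the organization's tenant.
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Guests invited through B2B carry userType 'Guest' and creationType
# 'Invitation'. Their UPN is rewritten to the
# name_domain.com#EXT#@tenant.onmicrosoft.com form, so match on Mail and
# OtherMails rather than on UPN. Filtering on userType is an "advanced"
# Graph query, hence ConsistencyLevel eventual plus a count variable.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -ConsistencyLevel eventual -CountVariable guestCount `
    -Property Id,DisplayName,UserPrincipalName,Mail,OtherMails,CreationType,ExternalUserState,CreatedDateTime

$found = $guests | Where-Object {
    ($_.Mail -and $_.Mail -ieq $ExternalEmail) -or
    ($_.OtherMails -contains $ExternalEmail)
}

if (-not $found) {
    Write-Host "No guest object in this tenant uses $ExternalEmail (scanned $guestCount guests)."
    Disconnect-MgGraph | Out-Null
    return
}

foreach ($g in $found) {
    # ExternalUserState tells you whether the invitation was ever accepted;
    # a 'PendingAcceptance' guest exists in the tenant without the person
    # having clicked anything, which is worth knowing before blaming the user.
    [pscustomobject]@{
        Id                = $g.Id
        UPN               = $g.UserPrincipalName
        Mail              = $g.Mail
        CreationType      = $g.CreationType        # 'Invitation' for B2B invites
        ExternalUserState = $g.ExternalUserState   # 'PendingAcceptance' or 'Accepted'
        Created           = $g.CreatedDateTime
    } | Format-List

    if ($Remove) {
        # Deleting the guest object is what releases the external address from
        # this tenant; it sits in the deleted-users recycle bin for 30 days.
        Remove-MgUser -UserId $g.Id -Confirm:$true
    }
}

Disconnect-MgGraph | Out-Null
```

Run it without `-Remove` first to confirm the match and its `ExternalUserState`; device (MDM) records are a separate object type and are not touched by this script.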
Jeff, I suggest you look into what the services are that you are actually using, how they work and where they come from before writing a blog post. A quick Google would have resolved this instantly and the error messages are fairly clear, an organization can not 'hijack' your personal account lol
I recently had same issue when changing employment. I could not remove old works account from my laptop. Went through the same problems you are experiencing.
In the end I transferred all my data from laptop to a hard drive and factory reset the machine, then transferred all data back onto the now clean machine.
Yes it was a bit extreme and a major pain, but it worked.
I now use separate machines for personal and work.
Microsoft's account system is SO messed up. Lately I'm on family security often and I just want to uninstall this shit very fast. I can't remove user, I can't give access to apps often, because they are given in delay. Even installation is just killing me.
Sounds like Microsoft is being a huge pain in the ass, I've had my personal email with Gmail since it was in beta and have never had any problems like that, maybe it's time to switch.
As an Azure Admin, any account can be added as a guest user. In short, what had occurred was they used your personal account so that you can have access to their Azure tenant. This tenant and all subscriptions including apps belong to the school's organization so when you disassociated your account from their domain, it removes all access rights. You never had Azure under your personal email, that's a whole other topic. Anyway, it would be best to contact the school to have them remove your personal email for clean up. I advise using one of their guest accounts under their domain to login for access or another account such as a gmail account to avoid future confusion.
> I advise using one of their guest accounts under their domain to login for access or another account such as a gmail account
You do see the problem with that, right?
Funny enough, had similar issues, this is with a work account that is in 3rd party directories that could not be removed by myself (so not some weird mixture of personal/work, which I've had happen before when both were under the same e-mail address, led to a massive amount of issues including losing access to our packages on Nuget.org [about to get that resolved])
Microsoft SSO is a mixture of major usability issues and security *NIGHTMARES*, lots of 3rd party Microsoft software can easily become "decoupled" and orphaned from the SSO platform (it's what happened to my Nuget account), 3rd parties are allowed to retain access to things that you cannot revoke their access from unless they willingly do so. It's *INSANE*. I was talking to their techs about how "OAuth was very clear about letting users retain access and control of their own data, Microsoft SSO ignores all of this".
Microsoft really needs to fix it.
Rather, Microsoft need to _scrap it_. They've bodged together this identity platform throughout many years of conflicting priorities and fickle corporate mandates, and left their subscribers with a bloody disaster. They don't need to fix it, they need to bin it and adopt the identity solution of an independent provider with an understanding of security and customer service that Microsoft themselves cannot seem to muster. Tying Windows 11 logons to a Microsoft account has been a usability nightmare for home users and small businesses. Shameful.
Reminds me of that time that a family member couldn't receive emails from the head office (different company) because they had added the subsidiary's domain (country department, but essentially contractor basis)...
Imagine not realizing half of your sent mails aren't arriving because Microsoft thought they belonged on your internal mail server :)
Thank you Jeff for this post.
Thanks to all the commenters for their thoughtful replies.
This exchange confirms my belief that avoiding everything Microsoft is the path to sanity and personal freedom.
"Enough is enough and enough is too much!"
Jeff, were you able to find a solution?
He can't even get the permissions needed post a reply comment at this point. 🦆
Heh sorry—I was actually working on a follow up when something pretty big came across my plate and I have been heads-down in it for a week now. Won't be able to finish working on that post until next week at the earliest :(
I'm also curious how this turns/ed out.
Yikes, this gives me PTSD. I have five different Exchange email addresses I must use for various clients (even though I'm freelance, they require it for me to communicate with their customers). If I sign out of Teams or Outlook or Mac Mail on one or another identity, getting back in becomes a nightmare. Add in password managers that think all MS signins are the same, and constant prompts to reset my PWs, and that awful "personal or work account" trick question screen -- it's a horrible waste of time to clean up the many messes and lockouts.
Nextcloud/selfhosting and Samba are the way of the future for anyone who cares about freedom.
Good luck getting support from Microsoft! My dad passed away and I wanted to print off the emails he had sent to my old hotmail account. When I tried to login, it gave me a “you’re logging in from a different location” and wouldn’t let me in. I called Microsoft, told them what I’m trying to do, confirmed with them that the password I was using was correct. They said because I couldn’t ID myself to the account (they asked for the credit card number of a long expired and forgotten card that was used in the Xbox account) that they “couldn’t do anything” and that’s it. Years of emailed from my dad gone. Forever. I’ll never buy another Microsoft product again.
I own a domain that the hosting company allows limited email addresses but unlimited forwards. So, I use microsoft@my-domain for MS, I would use [redacted]school@my-domain for the school etc. Then since the domain is set up to forward *@my-domain to my actual email address everyone has their own email address for me.
It is a bit of a faff having to explain myself at times, but it keeps everyone separate.
Also, if I get an email from someone claiming to be from, say, that is not sent to @my-domain I know it is spam, equally if I get an email from sent to @my-domain then I know either has been hacked or has sold their email address database.
Same issue here, thanks for going in to the details of it. More info and follow up would be great.
I'm assuming you now use Linux?