My daughter's school took over my personal Microsoft account (jeffgeerling.com)
1346 points by cuechan on Feb 25, 2023 | 476 comments


Auth with MS accounts is a giant mess. When I was a city councillor I had a corporate O365 account from the council (used for council email and virtual meetings over teams) and simply trying to sign out of the thing or switch to another account was always fraught (I've got a personal account that's basically just to associate my windows license with and a work account used for azure access). You'd often end up in a state where teams would just refuse to sign in and you'd need to reinstall it to get it to work again.

Trying to be actively signed out is also a mess. You can use the Teams app to join Teams meetings others have set up and invited you to without Teams access yourself. Though of course if you have an MS account Teams can see, it ends up trying to use it and then saying you don't get Teams access via that account, and trying to sign out and join the meeting with an account associated with it often just doesn't work. A colleague actually ended up requesting he got an O365 account with Teams associated with his corp email because of this issue, as he had occasional meetings with external people over Teams. We have a corp O365 setup for our ops/admin team that engineering normally doesn't touch, but because he had a Teams invite sent to his corp email he got dragged into it.


My son has a personal Windows 11 Lenovo laptop and he is signed in with his personal Microsoft account. The laptop went away for repairs because the touchpad no longer worked. When it returned, it turned out they had replaced the main board, so the BitLocker keys needed to be entered again. These are typically stored in your Microsoft account, only they were nowhere to be found. Some help article on the MS website explained that sometimes it could happen that the keys are migrated to a school account. He only ever used his school account from the Teams app. Sure enough, the BitLocker keys were there!!

If he had graduated or otherwise no longer had access to his school account, he would never have been able to recover the drive. Of course he has his important files in cloud storage anyway, but it's very annoying nonetheless.


All this discussion makes me glad I'm sticking to local logins for the Windows devices I still have to use. Once that option is gone, I guess that's the end of Windows on my devices.


Yup, Microsoft can't even keep their account management straight, yet they are insisting on deprecating the local-only accounts.

I strictly use the local-only setup. I'm sort of OK if they still leave a relatively trivial backdoor to do this, but if they ever flat require an online account, I'm out, hard.

This is partially due to wanting to avoid the hassle and management of yet-another-forking-online-acct-IDGAF-about, but also because I have some machines controlling industrial processes (CNC machines, custom cutting machines, etc.) that I keep entirely off any network for security & safety reasons (yes, moving anything to/from those machines is all sneaker-net; simple, works, and my shop doesn't yet have the scale to justify that kind of networking/security/admin overhead).

I just hope that MS engineering is not stupid or powerless enough to allow MS marketing & MBAs to fully kill off the local account.

This entire attitude of exploiting customers by requiring spurious internet accounts & connections is making me start to think that the Internet is all a huge mistake. If that approach takes over, the world will literally be worse than before the Internet in every important way (and there are some solid arguments that it already is worse).


> they are insisting on deprecating the local-only accounts

That's just.... Insane. This is going to be a disaster. I'm so sorry, Windows users.


You already need to open the command line and disconnect the internet at just the right moment to be able to install Windows 11 without an account. You can't start without an online connection, so it's not as easy as just airgapping the install from the get-go (at least on the normal ISO provided by Microsoft). I like Windows, but that was extremely annoying when I needed Win11 in a VM.


> I'm sort of OK if they still leave a relatively trivial backdoor to do this, but if they ever flat require an online account, I'm out, hard

Sounds like a huge pain to deal with. Why not switch to Linux and be done with it? Genuine question.


Primarily because the CAD app I use (Rhino3D) doesn't have a native Linux version ('tho it supposedly runs on WINE), and the CAM software doesn't seem to have anyone running it on Linux.

Plus, at the outset of another startup, we decided to go open-source everything, and tried to set up a real-time version of Linux and the CNC control software. All of it supposedly up and running with only a few dozen steps to set up, according to the people supposedly running it. Despite decades in networking and a bit of Linux experience, I quickly got swamped in the massive undocumented bugs in setup/config/compile, and brought in a guy who had a full-time Linux shop, and who I knew from working with him previously was very good. He thought "it's a new version, but no problem". A month later, we still had nothing running and the investor/partner pulled the plug. So the swamp of poorly-documented / undocumented / mis-documented hiccoughs literally killed that startup: death by 1000 cuts.

Sure, it is probably better now, 15 years later. But so is this environment, UNLESS they tie it to another online acct.

So, basically, I'm pretty much now in the business of slinging atoms instead of bits, and the overhead is no fun, and just not worth it (yet). Plus, the overhead of working around the MS carp turned out to be pretty small. Just disable the wireless at the right time in the W11 Pro install (I think it is worse in the Home version).


Games are the main reason for me. I want max performance on my high end gaming pc and I want all the things to just work, including 7.1 surround sound (and atmos later) and HDR and gsync and all my accessories and all the anticheat etc.

I know valve have done great stuff but is it good enough yet to run everything on a AAA game on 4k ultra with hdr, gsync and 144hz?


HDR no (although it's progressing). 4K Ultra, gsync and 144Hz on a AAA game, yes. Anti-cheat is going to continue being a problem so long as Microsoft allows these kernel level things and devs keep doing it.


Looks like Valve are actively working on HDR support https://www.pcgamer.com/valves-working-on-hdr-for-linux-gami...


I left Windows for PS4/5 and Mac a decade ago but have been toying with the idea of a beefy Proxmox server with PCI passthrough for a nice Windows gaming setup, which going by LTT videos is more than capable enough to run AAA games. It's still Windows, but at least it's a VM and your hardware can be shared with a primary Linux desktop VM etc.


Not yet at all, anti-cheat just working, but you may be surprised. Where Wine works it can even give higher framerates; rarely lower. Whilst I am sure some accessories are better in Windows, an old gameport Sidewinder (MS hardware) works better in Linux.


The internet was not designed to deal with money, or security. The internet is designed strictly for information transfer from one place to another with extreme efficiency.

At that, it still excels and is no mistake. The problem is all the people using it for money.


Very accurate and succinct!

Someone said a long time ago that "The love of money is the root of all evil".

I'm not a follower of any particular religion, but that guy sure got it right on that point! Also, the only time he was recorded being violent was when he kicked the money-changers out of the temple.

How do we kick out the money-changers from the Internet?

Back to the roots of info transfer... it seems the tagging devices+apps tell us that we have achieved critical mass of node/relay density for an underground mesh network to work, if we can get enough people to run it . . .


I have no solutions, I'm not even convinced that my statement really encapsulates the problem in a real way. Humans are very difficult. I'm reminded of that speech made by Hugo Weaving's character in The Matrix, about how the original matrix had been very utopian, with everyone living happy and harmonious lives, and the subjects rejected the illusion on a deep enough level to break it. I don't think one should look to Hollywood for good philosophical thinking, but I think he was onto something there.

If I could make one law get passed, I would outlaw algorithms on social media feeds (edit: and search engine results). Let them collect the data, let them target ads. I don't think those things are inherently harmful, or at least, no more so than the old ads and surveillance.

But the seizing and algorithmic manipulation of the feeds, with the accompanying incentive that the whole thing fails if it doesn't turn a profit, is far more toxic than the gatekeeping of the old media emperors. The great promise of the internet in the 90s was that consumers of internet media would have complete control over our feeds, and get only the things we want and demand.

We have received the exact opposite, because people with money want to put their money to work, rather than work.


This is the main reason I switched to Linux[1]. Online accounts, that are not in your direct control, shouldn't be connected directly to device sign-ins. Changes to the account, or the details of the account can cause loss of data and the ability to sign-in to your own device.

They are pushing more and more people into the perception of renting an experience rather than owning a device. It's great money for me to help people figure all this out, though.

[1]: https://www.scottrlarson.com/publications/publication-transi...


Your article resonated with me. The last straw for me was when MS Edge signed me into itself without my input or permission. I don’t know why that was the last straw but I just felt really violated by that. Thankfully Linux on the desktop has come really far. It truly is a breath of fresh air.


It makes me glad I fled to Linux years ago (after a Windows 10 forced, behind-your-back-after-you-locked-your-computer-and-walked-away-thinking-you-wouldn't-notice update restart made me lose some homework) and never looked back. ¦)


That happened to me as well[1]. Exact same reason why I switched to Linux. It took Windows 11 forcing online accounts and integrating OneDrive into the OOBE experience to finally wake me up.

[1]: https://www.scottrlarson.com/publications/publication-transi...


Agree. I also shy away from using Google or MS OAuth for third-party services. Partly due to privacy, but partly paranoid concerns like this.


Or use a backup. I'm not being sarcastic. People with MacBooks have the same issue.


>>the keys are migrated to a school account.

>>Of course he has his important files in cloud storage anyway

So MS's defective key system is pushing people to keep their files in the MS cloud? When a defect in one product pushes users towards a more profitable/addictive product, that isn't a defect. It sounds like the plan to keep users hooked into the MS ecosystem is progressing nicely. Once upon a time it was Apple getting its hooks into users while at school. Now it is MS.

Does one still need an MS account to play minecraft?


You can also back up your BitLocker key to a USB stick or external HDD. When installing Win11 they even ask you if you want to back it up to your MS account or an external device.


I print mine out and put it in my safe. It's saved me a few times.
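An added example, not posted by anyone in this thread, showing the checks a practitioner would run after reading the comments above about recovery keys migrating to a school account and about backing the key up to USB or paper: find out which tenant the device is registered with, list the BitLocker key protectors on each volume, and write the 48-digit recovery passwords to media you control. It assumes an elevated PowerShell session on Windows with the built-in BitLocker module and dsregcmd.exe; the backup directory E:\bitlocker-keys is a hypothetical removable drive.

```powershell
# Added example (not from the thread). Run as Administrator on the Windows machine.
# Assumes the BitLocker PowerShell module and dsregcmd.exe, both shipped with Windows.

# 1. Where is this device registered? A "WorkplaceJoined : YES" plus a school or
#    work TenantName is the configuration under which recovery keys get escrowed to
#    that tenant's Azure AD (via BackupToAAD-BitLockerKeyProtector) instead of, or
#    in addition to, the personal Microsoft account.
$dsreg = dsregcmd /status
$dsreg | Select-String -Pattern 'AzureAdJoined|WorkplaceJoined|TenantName|TenantId' |
    ForEach-Object { $_.Line.Trim() }

# 2. Inventory every BitLocker volume and its key protectors. Only a
#    RecoveryPassword protector carries the 48-digit key you are asked for after a
#    board swap; a Tpm protector is bound to the old hardware and is useless then.
$volumes = Get-BitLockerVolume
foreach ($vol in $volumes) {
    "{0} Protection={1} Status={2}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            "  RecoveryPassword id={0} key={1}" -f $kp.KeyProtectorId, $kp.RecoveryPassword
        } else {
            "  {0} id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
        }
    }
}

# 3. If an encrypted volume has no RecoveryPassword protector at all, add one first;
#    a TPM-only configuration is exactly what bricks the drive after a board swap.
foreach ($vol in $volumes | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
    }
}
$volumes = Get-BitLockerVolume   # re-read so new protectors are included

# 4. Escrow a copy somewhere you control. The path is an assumption: a USB stick
#    that goes into a drawer or safe afterwards (or print the files).
$backupDir = 'E:\bitlocker-keys'   # hypothetical removable drive
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
foreach ($vol in $volumes) {
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        $id   = $kp.KeyProtectorId -replace '[{}]', ''
        $file = Join-Path $backupDir ("{0}-{1}-{2}.txt" -f $env:COMPUTERNAME, $vol.MountPoint.TrimEnd(':\'), $id)
        @(
            "Computer:     $env:COMPUTERNAME"
            "Volume:       $($vol.MountPoint)"
            "Protector ID: $($kp.KeyProtectorId)"
            "Recovery key: $($kp.RecoveryPassword)"
        ) | Set-Content -Path $file
        "wrote $file"
    }
}
```

The protector ID is worth keeping next to the key: the recovery screen shows the first eight characters of the ID of the protector it wants, so with several volumes or several keys you can pick the right one. The same inventory is available from the command prompt as `manage-bde -protectors -get C:`. Note that `Get-BitLockerVolume` cannot tell you which cloud account, if any, already holds a copy; step 1 only tells you which tenant the device is registered with, which is the thing to check before you graduate, leave, or lose the school account.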


Security is getting to be worse than what it protects against. It's a daily bane, especially for work stuff, as everything is locked down extra hard.

They tried to simplify it by tying everything to YubiKeys, but just this week some things stopped going to the YubiKey and wanted me to auth on my phone like we used to instead.

ugh


Cryptolockers at least give you a support email and let you pay to recover your data...


Letting an organization grab control of resources that do not belong to it, without the consent of the actual owners of those resources, is not "security".


"... Of course he has his important files in cloud storage anyway but it’s very annoying nonetheless ..."

That doesn't sound reassuring if the cloud storage is, itself, Microsoft connected ... or even using auth/login mechanisms that connect to the Microsoft account.


It is Google Drive, actually


So good luck with Google customer support when Google's algorithms decide that your login attempt is suspect or your usage violated whatever terms of service they might have buried in their legalese.


Bitlocker is such a freaking user-hostile mess. I know what I'm doing with it and I still screw it up - I have no idea how non-technical people are supposed to have any idea what's going on. They're either totally unprotected or constantly at risk of losing everything even with professional help.


Yeah, the identity side of MS products is really dysfunctional. Every time I try to use teams or azure it ends up in hours of finding out the right procedure to log in or switch an account effectively.

And then you get the people asking naively "why are you getting so mad at them"...


Solution: run Windows in a VM, one machine per account, nuke it from orbit when-not-if something goes awry. Hundreds of hours of frustration prevented from a system that is not even able to have the same UI across all its windows.


Or run apps like Teams in a web browser. Web browsers have good isolation techniques like Chrome's profiles and Firefox's containers.

Teams is written using web technologies so you're getting the same experience as the app.


The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

Besides, there is a very satisfactory feeling when something doesn't work for whatever reason, you do a quick search and see that apparently you must edit some awfully named HKEY_LOCAL_MACHINE register or rename some <username>/AppData to .old (just had to do this yesterday, wild), and then, when the quick fix doesn't work, instead of trying to look for more fixes you just give up and start cussing until the VM is restored to a working backup.


> The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

Then they do absolutely crazy weird things!

I recently got a new laptop. My account is `adavis@<domain>.com`, and my user name on my old laptop using that account is `adavis`.

What did Windows 11 do when I created my user on the laptop? Oh, it made my user name `adavi`. Yes, it truncated my username.

After scouring the internet and trying a few different things to rename my account, to no avail, nothing worked! Until I found a command to bring up an account management window that looked dated to the Win 2k era-ish (and can't be found via any settings window). It allowed me to create a local account with the name `adavis`. I then logged into it, deleted my `adavi` account, and then was able to associate my new local account with my Microsoft account.


I once tried doing the prudent thing and give them an individualized email address on a catchall subdomain, now my user name on Windows 11 is "win10". Because why ask for a username if you have an email address, right? Might get interesting when your email is administrator@ or guest@, I don't get the impression that anyone at Microsoft has even the slightest idea what actually goes on in their schizophrenic SSO multiverse.


It only uses the first 5 letters so administrator should be fine (“admin” isn’t a built-in). Guest could be interesting, though.


This issue has been bugging me since Windows 7.

The only "proper" solution is to /not/ sign into your MS account when setting up the new machine for the first time. Create a local account with the name as you want it, and then only afterwards link it with your MS account (if you have to).

The only problem is, the latest Win11 installer does not allow you to create a local account anymore at all. So you need to install Win10, do the work-around dance, and then upgrade to Win11. I only realized this halfway through my most recent format.

Every time when I ssh into one of my other boxen, I have to remember now to go 'SSH myname@ip' else windows helpfully defaults to 'mynam@IP'


If you can't bypass the Win11 online account requirement by being offline during install, then try this:

In the "Let's connect you to a network" page, use these steps:

* Use the Shift + F10 keyboard shortcut to open Command Prompt.

* Type the following command and press Enter: oobe\bypassnro

Note: The command is a single phrase without spaces.

Note 2: This will reboot the machine and restart the installer again (why?? because fu for not wanting an MS account, that's why).
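An added example, not from the commenter above, of what the `oobe\bypassnro` step actually does and how to do the same by hand when the script is missing. The stock `bypassnro.cmd` only sets one registry value and reboots; setting that value directly covers images where the command comes back as "not found". It assumes you are at the OOBE network page with a Shift+F10 command prompt, and that the script, when present, lives at %SystemRoot%\System32\oobe\bypassnro.cmd; the exact builds that ship or drop the script are not something this thread establishes.

```powershell
# Added example (not from the thread). From the Shift+F10 cmd.exe on the
# "Let's connect you to a network" page, type `powershell` first to get this shell.
# Assumption: when the script exists it is at %SystemRoot%\System32\oobe\bypassnro.cmd.

$script = Join-Path $env:SystemRoot 'System32\oobe\bypassnro.cmd'
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE'

if (Test-Path $script) {
    # The stock script sets OOBE\BypassNRO = 1 and reboots immediately.
    & $script
} else {
    # Fallback for images without the script: set the same value it would set.
    if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
    New-ItemProperty -Path $regKey -Name 'BypassNRO' -PropertyType DWord -Value 1 -Force | Out-Null

    # Check before rebooting: a value of 1 is what makes the "I don't have internet"
    # choice appear on the network page after the restart.
    $v = (Get-ItemProperty -Path $regKey -Name 'BypassNRO').BypassNRO
    if ($v -ne 1) { throw "BypassNRO not set (got '$v')" }

    shutdown.exe /r /t 0
}
```

After the reboot you still have to be offline (cable out, Wi-Fi not joined) when the network page comes back, then pick "I don't have internet" and "Continue with limited setup" to get the local-account path. The value only affects this OOBE run; a later reset or reinstall starts from scratch.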


I just use a@a.com which is a locked account someone setup for this purpose. It kicks you to local user setup due to being locked.


Here's the way to do it in video form: https://youtu.be/EOUcvgqOV-0 (JayzTwoCents Youtube channel)


I tried exactly this process, and it did not work. The commands were not found by the command prompt. Possibly because I was installing Win11 Home?


I believe Rufus lets you bypass microsoft account setup on windows 11 when creating a bootable USB

https://rufus.ie/en/


In case that might help you:

You can create a file ".ssh/config" in your user directory, just like under Linux, and inside of it put "User myname", and ssh will use that as a default and you won't have to specify it with @ every time.


Well, I still have a non-signed-in local account on my Windows 11 Pro install, but of course every time I boot up I get a full-screen "finish setting up your device" before I'm allowed to sign in. The only options are "continue" and "remind me in three days". Better yet, I once clicked on continue by accident and the computer hung for three minutes before I shut it down. Now I only reboot when the machine BSODs, which (I kid you not) happens every three to five days.

Thankfully I only use it for some cross-platform testing and occasional gaming.



> Under Notifications, clear the checkbox next to Suggest ways I can finish setting up my device to get the most out of Windows.

Not a Windows user, but that wording of the setting is making me irrationally angry


That, and the opposite of 'continue' (making this permanent change) being 'remind me in three days' or Google's 'not now' comes with this nasty implication that we're all just foolish users who don't know what's best for us and that we'll eventually come around to what we really want to do.

It really, really irks me.


Thank you! This has been driving me nuts on my Win 10 install.


I have the same issue with "finish setting up your device". I don't understand how this can be legal. In the early 2000s MS got fined for bundling IE as default, but I seriously think they have even more evil patterns now baked into Windows and all its entangling into 365 etc.


I was thinking the same thing. I heard somewhere that nobody wants to prosecute Microsoft now because their systems are so tied into our financial and political infrastructure that nobody wants to rock the boat. I also heard that Microsoft uses this as leverage against businesses that want to speak out against the dark patterns and deceptive practices Microsoft is involved in.

"The New Goliaths: How Corporations Use Software to Dominate Industries, Kill Innovation, and Undermine Regulation"[1] looks like a good book on the subject that I plan on reading.

[1]: https://www.amazon.com/New-Goliaths-Corporations-Industries-...


I absolutely detest Microsoft, but I think that same argument could be made for most of big tech but especially Google, Microsoft, Apple, Oracle or even the link you provided there selling the book, Amazon.


Yes, that's true. I think Microsoft is in a special position though, because they have the dominant share in the business market. I'm not too interested in focusing on the "other bad apples too" as it distracts from the actual problem: "dark patterns" and our allowing of them as a society. I take the approach that external manifestations come from our inner states of being, from every human on the planet. We allow these things to happen because of where we are at as humans in society, at this current state of our evolution. Maybe it will change someday, maybe not.


> The problem is that Windows 11 and above require a Microsoft account

It is not quite a requirement, I have my Windows 11 Pro running just fine with no Microsoft account. They do attempt really hard to make it look like it's required though. Even going as far as showing a fullscreen app after Windows update that only has options for registering or login, but luckily Alt+F4 closes that abomination.


The last time I tried to do this it was impossible to sign into Office or Xbox on that same PC without logging into a Microsoft account, which subsequently takes over your local login. No way around it other than to not use those apps at all or only running Office through a browser. It went like:

Install Flight Simulator on a Win10 PC with local login only and launch -> sign into an Xbox account -> after you enter your name and password, you get a dialog box where you have to agree to sign your Microsoft account into that PC, with two dark-pattern options that lead to the same result.

I couldn't find any combination of group policy editor, registry, and services.msc around it. You can either close it and lose access to the game you just paid for, or proceed and then you get your account signed into email and a bunch of other crap you don't want, and have to spend hours getting rid of all traces of that account in your system (but it's never 100% gone). The only way to bypass it is to buy the game through Steam.

Between macOS, Linux and Microsoft, Microsoft has the least respect for you as a user and nobody should use it if they don't have to.


Edited. I just didn't even bother; given the trend, probably Windows 12 or 13 will close the loopholes.


They can never “close the loopholes” entirely, because there are customers that want machines with zero access to public Internet (embedded systems, national security, etc), where a Microsoft account is an absolute non-starter. Closing all the loopholes would be abandoning those market segments (many of which are already trending towards Linux/etc anyway)

I suppose they might make it mandatory unless you have some special version of Windows which is hard to buy (like LTSC). But make it too hard they risk that market. Anyway, now bypassing it involves opening a command prompt window, only the more technical users will do so, and that’s a small enough minority they probably aren’t missing much.


They actually already make a special version of windows for those purposes and it isn't available to the open market. Government editions that have no telemetry, advertising, or integrated cloud products at all.

I know it is a pipe dream but I wish they could be forced to sell this to the general public.


Are you talking about LTSC or something else?

I have looked into buying LTSC. Apparently you need a business (I own a "shelf" company which has never done anything, but legally it counts), and a Microsoft volume license agreement. I looked into the latter. Supposedly there is this trick where you order all these useless-but-cheap Identity Manager CALs to cheaply meet the minimum order requirement for a volume license. But I got a bit stuck working out what to order (or even if it was still available through resellers in my country). I lost interest at that point.


I am not Meph504, but I suppose they meant either Windows Enterprise G or Windows Enterprise G N editions, not Windows LTSC editions.


Is Enterprise G the same thing as “China Government Edition”?

Is there a “US Government Edition”? Is it different from the Chinese one?

How does G differ from LTSC?


Yes, it is different, and the difference between the gov edition and LTSC is that the gov edition isn't designed for long-term support without change, but to increase the security of Windows and remove all the telemetry and forced integrated services from Microsoft.

This info is publicly available so more detailed info should be easy to find.


All the sources I can find say that Enterprise G is China-only. The US Government (among others) doesn’t use it, even for classified stuff.

Telemetry is a bit of a non-issue for many national security applications-they run on special air-gapped networks with zero direct access to the public Internet, Windows can try to phone home to Microsoft all day long, it’ll never get through.

And disabling telemetry doesn’t require LTSC or Enterprise G. All Enterprise, Education and Server editions support “Diagnostic data off” telemetry level. Even if that’s not the default, most enterprises who want that will build their own install images with that setting configured.


Correct


> Closing all the loopholes would be abandoning those market segments (many of which are already trending towards Linux/etc anyway)

Sounds more likely to me that they'll just abandon those market segments.


I believe, Microsoft account is a requirement for Home editions, not Pro or above.


Pro now requires it unless you know any loopholes.


> The problem is that Windows 11 and above (try very hard to) require a Microsoft account, because these orcas of computing want to remind you with every step that you don't own the device you bought. Hence it's simpler/better to just virtualize everything.

During the pandemic, a key security component of our remote work architecture was to use Azure AD Conditional Access to restrict users to logging in to M365 apps from AD-joined laptops, plus some Intune compliance rules.

A weird situation was that, for a new laptop, we could not log in using a domain account, as it was not joined to our domain. We also could not create a local account to join it. Not sure how IT solved that.


Windows 11 allows for the creation of local accounts. It sounds like someone signed in with an Azure AD account (work email); joining the Azure AD basically drops a lot of default policies on the machine, one of which is disabling local admin.

They can either remove that policy from their azure AD, or remove the machine from the azure ad.

Or update their policies to allow for azureAD joined machines.


I haven't used windows since 2008 and you've just made my day with this post. I have never felt so vindicated.


I haven't used windows for 20 years and yesterday I had a teams teleconference using Firefox on Linux. It works noticeably more poorly than most similar systems (jit.si for the win) but it works.


Teams calls are terrible for non-Windows users. :(


It actually worked decently once I used wired networking. Probably gobbles up bandwidth, typical Microsoft :D

The main problem is that, randomly, Teams invites end in some "an unknown error occurred", and when this happens there's no recourse. It never happened with Zoom, Jit.si, GoTo Meeting, Google Meet or whatever else I've used.

The absolutely worst of all is WebEx, fortunately it's rapidly disappearing.


If it makes you feel better, I gather they're terrible for Windows users as well


I envy you


Win10 tries pretty hard too, you have to have The Secret Knowledge TM if you just want to use the operating system without sending everything to MS.


Microsoft auth is the leading cause of newly devised cuss-words in the first world.


As someone who has to do that (one work account with my company, one with our customer) the UX is miserable. Notifications work sometimes, delay can be significant and I don’t trust the auto-away feature when Teams run in a browser.

Multi-accounts are really painful with most chat clients I have encountered. It sometimes makes me miss e-mail where the inside/outside distinction doesn’t exist.


This doesn't work perfectly well if you are on multiple calls at the same time.

Desktop Teams allows you to join multiple calls at once, and switching between them is easy.

Web browser teams disconnects you from one meeting to join another. The only solution is to open multiple browser profiles, each for different call, and then manage the 'mute tab' manually. Additionally, web browser edition has something to detect if tab is active, and will downscale / delay video stream if tab is not active. This is extremely annoying when you have meeting active on one monitor, and want to double check what is being discussed on another.

Saying all this, web browser teams at least works. Desktop one stops working because as the whole discussion here points out, accounts get mixed up. I can't join team meetings anonymously because desktop edition thinks I have an account, but when I try to login it tells me my account doesn't have Teams enabled.


Browsers have come a long way in this regard, you are right. Even before containers, I love having a ff profile for work and one for personal stuff, they are ultra portable too.


No, you're not. Specifically, unless you configure things juuuust right, then the alt-tab behavior and the taskbar/dock behavior is different. Not a show stopping "bug", but let's not pretend it's entirely workflow transparent to use it from Chrome.


And in an incognito window, too.


> Solution: run Windows in a VM, one machine per account, nuke it from orbit when-not-if something goes awry. Hundreds of hours of frustration prevented from a system that is not even able to have the same UI across all its windows.

Better solution: don't use M$ product, if you can. Despite the efforts and resources Microsoft spends in improving its products, languages, tools, they are just an enterprise company: very expensive buggy products.


Yeah, this would be my preferred way as well. I don't use any MS products any more in my personal life or my own ventures, but if I did, that would be the way. But this is not a global cure. This probably will work fine in a household or small business environment, but there are tons of reasons why it most probably will not work in a corporate environment.


Or run FireFox Containers and the browser version of apps... works great for MS Accounts


How do you get an instance of licensed Windows to run within the VM?


It's a more or less regular install: a quick search [1].

[1] https://geekflare.com/windows-11-in-virtual-box.


Even better: Use Wine. I am so tired of running a windows VM.


The real solution is not to use systems that allow that.


Of course, the problem is that in the last 38 years [1] plenty of programs have been developed for Windows-only, especially when you have to interact with the state [2]: there are still tutorials out there that require you open a website in Internet Explorer (!) if you want to validate a tax form or whatever other trivial task.

[1] https://en.wikipedia.org/wiki/Microsoft_Windows_version_hist...

[2] All the backroom deals for Windows/Office licenses for state-use certainly helped in this regard, https://www.zdnet.com/article/linux-not-windows-why-munich-i...


So you think Azure is the only "cloud" platform that can run Windows? I talked about Azure, not an OS; this has nothing to do with Windows, DOS or Xenix.


How do organisations justify so many lost hours of a day where employees just struggle with Microsoft’s abysmal software instead of doing real work.


Because nobody got fired for buying Microsoft.

Enterprise IT is conservative and full of strange politics that make it really dangerous for an admin team or IT department to stick their head out and do something independent other than follow the "mythical industry best practice", and MS is extremely good at manipulating what gets considered "industry best practice" to their advantage and then giving just enough discount on the more visible parts of the costs to look cheaper.

And it's an open secret that individual employee productivity doesn't matter all that much in the kind of back-end work where a PC was ever a feasible tool, as what really counts for profitability is the productivity of the non-PC-using frontline staff, who are far more likely to be issued either no computers, or mobile phones or tablets, than Wintel laptops.


Have you tried the competing software in a business environment? It is pretty easy to see why MS productivity software dominates. For like $12/u/month you get full web and desktop office software, MFA, and AzureAD, which you can use as an SSO identity provider for free; for one license that costs $4/m you can then make use of conditional access policies that give you massive options over how you manage and access all aspects of the tenant.

They now are giving Teams (Slack knockoff) a free dialing number, so it now can be used for phone conferencing with non-organizational people.

OneDrive gives you 1 TB of syncable storage per user, and a 1 TB per user pool for shared office resources.

I spent years as a Google Apps advocate, but seriously, for the money, no one touches what MS is offering right now. Google had MS hands down 10 years ago, and let Google Apps die on the vine. It is a damn shame too, because they were the only ones that had anything comparable.


Having just been put through the switch from Google Apps + Slack to the full MS365 suite including Teams, I have to agree and disagree.

On paper Microsoft absolutely has the best offering. The MS365 suite has everything anyone could ever need. But, in practice, it feels more like a downgrade than an upgrade. Teams does everything, and all of it just as poorly. Office does everything, but the web version and collaboration features are so far behind Google they are not comparable. SharePoint and OneDrive seem superior to Google Drive, but in practice there are many papercuts and people struggle to understand where to put documents and how to properly share them.

What Microsoft seems to lack is caring about user experience as they slather feature layer after feature layer on top of their products. What Google seems to lack is incentive to actually meaningfully improve their product, because I couldn't tell you a single meaningful feature they added to G Suite over the last five years.


> What Microsoft seems to lack is caring about user experience as they slather feature layer after feature layer on top of their products.

That's the problem of selling something to the supervisor and not the actual user. MS has had that corporate world as a cash cow for three decades now. They don't care about the end user they just care that their product looks better in the slide that compares it to the best alternative.


> but seriously, for the money, no one touches what MS is offering right now. Google had MS hands down 10 years ago, and let Google Apps die on the vine

You're right, for the money MS gives the user a lot of fairly crappy products (other than the Office desktop suite). Google was positioned to own this, and they let it drop. It shows what it means to be a product-driven company (MS) vs. whatever Google does nowadays (milk search ads?).

There are teams of people in MS whose only job is to think about how to package something for sale. If Google had a single person doing that they would have beat Slack before it got huge, and could have owned office collaboration software as it all moved to the web.


Can you give more details on the "1 TB per user pool for shared office resources"? I always thought there was a user-level limit of 1 TB for OneDrive, and an organization-level limit of 1 TB + (10 GB)*(number of users) for SharePoint.[0]

And I've never found any documentation as to whether shared OneDrive folders count against the owner's quota, the quotas of all the users with permissions, or the SharePoint quota.

[0] https://learn.microsoft.com/en-us/office365/servicedescripti...


Firstly, this is complex: it depends on what plans and tiers you have, your resell partner, and what region you are in.

But the basics: each user gets their own quota of 1 to 5 TB, then there is also a shared quota (SharePoint, MS group storage, PowerShell online environment, Dataverse, etc.) of 1 to 25 TB + (x size per user); the size per user depends on a multitude of factors.

I did not mean to imply that user limits are connected to the shared pool; it is in addition to the user quotas.


I am in a position at $dayjob where I have been mandated to find savings wherever possible. Currently a Google Workspace company, I absolutely loathe Microsoft's offerings, but after doing my due diligence there is no way I can avoid recommending migration. The pricing is just too good even with the warts, and the extra features are things we already need.

Fuck Teams, though. I will leave this company before migrating Slack into Teams. Actively recommending that product is nothing short of professional negligence.


And they're about to introduce GPT3/4 text generation into their products... And possibly image generation because why not.

It's just too good to ignore.


The lost hours are totally invisible (most companies wouldn't even allow you to report them; they don't WANT to see them), and the alternative world without lost hours and with more productivity can also not be imagined by those in charge.

For all its terrible bugs and login issues, is there even an alternative with similar functionality that would be as "user friendly" (as in: non-tech people would know how to use it as well as they use Microsoft garbage)?

I literally can't think of any alternatives that come close in functionality OR have the same ease of use for non-tech people and wouldn't waste even more time.


> The lost hours are totally invisible (most companies wouldn't even allow you to report them. they don't WANT to see them)

We recently discussed this "shadow work": https://news.ycombinator.com/item?id=34612697


OSX seems fine for most people where I've worked. For the truly intractable Windows addict, maybe ReactOS?

https://reactos.org/


I am a Linux guy, always have been. But when I went from a Windows environment company to a Mac company I was absolutely shocked by how much less work I had to do with Mac to get everything working. Authentication, logging in, Slack vs Teams, just everything worked so much better.


I don't see how that is related to what I wrote?

Mac is not alternative functionality to Teams, Outlook, MS Office, etc. It doesn't solve the MS crappy auth system, and it doesn't give (large) businesses the same functionality that MS is giving them.


On the Mac, you can use those MS products without it taking over your user account.

You can also use any of various other products that compete with them (Google Apps, iWork, Zoom, etc).

Just because MS makes a specific package that businesses like doesn't mean that they can't use something else if MS is becoming more of a problem than they're worth.


I think Linux + Wine should be fine for most people (with a little guidance, of course).

ReactOS isn't stable enough even in a VM right now – but the progress is nice, and I hope it will be a viable alternative for embedded applications (like ATMs or factory automation stuff). Maybe consumer use one day, too?


I'm blown away by this. I've come back to a full MS stack after years away and it's grim. Machines have to be restarted one or more times per day. My personal MacBook is restarted every month or two. I used to moan about Apple's software quality, but maybe we are actually in Isaac Asimov's accelerating decline to a dark age.


Not to support Windows, but what are you doing that requires restarts multiple times per day?

I leave my personal Windows 10 desktop running for about a month at a time so I don't have to reopen 5 different windows and arrange them across three screens for uni work every evening. It works fine.

Mind you, if it was a Mac I'd not even have to reopen or arrange them after restarting the machine - they'd still be there. Although my work Mac loves to randomise which display gets which windows and desktop background... And randomly pan all Bluetooth audio to the left ear once a week. I guess all OSes have their issues.


> I leave my personal Windows 10 desktop running for about a month at a time

My Win10 Home desktop downloads updates when I'm not looking - and sometimes when I'm actually using the thing - and then reboots all on its own. I have no control over this; there have been occasions when the reboot has happened while I was working.

It happens roughly once a week.


I've been using this method for years and it works great. It uses a Windows debug feature to launch cmd instead of the reboot scheduler. You never see the cmd window, as it's launched by SYSTEM. This prevents Windows Update from scheduling a reboot; otherwise the system functions as normal. You do need to reboot periodically, but now it's on your schedule.

Source: https://lazyadmin.nl/it/how-to-stop-automatic-restart-win-10...


You can use Reboot-Blocker to prevent that: https://udse.de/reboot-blocker/


> what are you doing that requires restarts multiple times per day?

Outlook, Teams, Chrome, COMRAD (radiology RIS), Spotify and InteleViewer (DICOM viewer). Without restarts Spotify stops working, the software loses track of what day it is (it assumes the day prior) and things get slow or unresponsive.

Maybe it's the software and not the OS. I run all those except COMRAD on a Mac OK, though.

Mac and multi-display and window location is a special hell. My father is a heavy Photoshop user and palette organisation is a daily battle with multi-screen. When screens wake up, windows and palettes reorganise if the system briefly detects one screen and not two. It's a big drain on productivity.


Yeah, I don't support Microsoft either, but I do have to run it on multiple machines for work and I don't need to restart unless to switch into Linux. It sounds like one of your apps has a memory leak or something. Do you check Task Manager for resource hogging?


> Do you check Task Manager for resource hogging?

Awkward... no, I haven't dug into it at all. I now will.


"My applications, not written by Microsoft, are broken. Obviously, it's Windows' fault."


We have 80k Windows users whom we have to force to reboot every couple of weeks to make sure updates to all the software take (yeah... that's a problem, but a different problem). If you're rebooting once a day, you have problems other than Microsoft.


I only restart on Patch Tuesdays; you have a different problem than Windows.


Because, as someone who has done support for a 28,000-person organisation, 27,500 of whom are using mostly Microsoft products on Windows 90% of the time and 500 of whom are using Mac or Linux and doing other stuff, I can tell you that at least 50% of the security incidents and second-line support issues came from those 500 users.


This seems like a clear case of selection bias. People with Linux and Mac are probably devs and technical people who will obviously utilize a much broader range of functionality of their machines and thus encounter more edge cases.


Yeah, clear selection bias. Most users can't describe a problem in enough detail to get to "2nd line" support in the first place.

You more or less need to be a dev-ish person to prove IT is at fault. The lusers have to live with the unplug-the-computer-and-reboot workarounds.


A few years ago, there was a video game developer who pointed out the disproportionate number of bug reports that came from their Linux players, and how grateful they were for it. The majority of the bugs reported by Linux users were not Linux-specific, and frequently had detailed descriptions of expected vs. observed behavior, exact steps to reproduce, core dumps, etc. Because the bug reports were coming from a group who is used to making effective bug reports, they could be used more effectively.



Did those 500 users also happen to be the ones that weren't adequately supported because they were seen as problem children?

If my org doesn't give me a supported way to do absolutely necessary thing X, then I'll find my own way to do it.


As I said, they took up about 50% of the second-line support capacity for the entire organisation. So yes, they were properly supported, unless you want a dedicated tech to hold the hand of every exec, dev and bioinformatician.


While it is entirely possible the problem here is those execs, devs and bioinformaticians, there do seem to be many other common factors than the Macs here.

Maybe they all need nonstandard software? God forbid, maybe they need administration permissions, but the org doesn't want to give it to them, so they end up calling in every other day to get something unlocked (I know that'd be true for me).

Maybe it's the problem-solving skills of the IT team when it comes to Mac, so people keep coming back with the same issues (good ones are Outlook/Teams being permanently broken, or VPN not connecting).

On the whole, I'd steer away from any explanation that would require all 500 Mac users to be idiots.


Or the technical infrastructure doesn't support them well. Or the support team doesn't know macOS or Linux, so it becomes a lot harder to provide support. There could be many reasons.


No, they're just really difficult to support.

MS makes it very easy to secure and admin at massive scale. You can roll out policies and updates to hundreds of thousands of machines with like 1-2 admins, and the other 8 IT people manage 200 Linux and Mac machines.


Oh, so it's not the users at all; it's that you have tools to manage Windows and didn't set up tools to manage anything else even though they exist; like a Linux admin complaining that Windows is unmanageable because Ansible doesn't work well on it.


You're maliciously misunderstanding. The tools available to manage Windows are simply either much, much better, or much better value.

And everything just works out of the box with like... 3 lines of PowerShell.

You can replicate some of it with Ansible, sticky tape and a few spare weeks, but it's not the same at all.

I'm actually a Linux admin, grew up with open source and spent my career serving pages and automating myself out of a job. I dislike Microsoft as much as the next guy, but for enterprise use they are _next fucking level_.


They also make it really easy to screw things up. I work at Microsoft, and a few weeks ago they rolled out a botched group policy change for our whole org that somehow deleted all O365 apps and Docker from most people's machines. The best part is you'd try to launch, say, Excel and you'd get an error about it being removed for being possibly malicious.


Because they think that they must use Windows no matter how bad it is.


Windows is no worse than macOS or any distro of Linux.


> At least my [...] Windows licenses are still working—but could the school revoke that access too?

This, at least, is a thing I have never even had to consider as a remote possibility on Linux.


Sure. But every OS has its flaws. They are all good and bad in their own way.


This statement says next to nothing, but may give the impression that it does to anyone who doesn't think twice about what it actually says. OS X and OS Y both have their good and bad sides, but are not necessarily anywhere near similar in terms of features and execution.

It's not an argument, nor should it be used as such.


Saying an OS is bad is offering nothing when it's factually incorrect.

It's not an argument, nor should it be used as such.


Microsoft's dark patterns philosophy, and how that translates into real-world user experiences, is the worst I have ever seen. And since they are implementing these dark patterns into the OS, it has the potential to make using Windows very difficult. I understand that, with knowledge, you can get around that. But I don't see why anyone would want to any more.

Apple is really bad too, but they're not as bad in the dark patterns market, at least in the OS. But they are way strict with their walled garden approach to everything, so I won't support them either.

Linux can be buggy at times, but I feel much safer using this OS than I do Windows or macOS, because Microsoft and Apple don't really seem to care too much about the ramifications of their end-user-hostile decisions.


What are the ramifications of Apple's "end-user hostile decisions" aside from the walled garden on iOS? And having to click security -> run anyway for unsigned apps?


I think how their approach to usability and security actually translates to a lack of user freedom. We had a discussion recently about activation lock on Hacker News. On paper and in the world of security, it's a great mechanism to prevent theft. But it also causes friction for device re-use with people that don't understand they need to decouple their online identity from their device; this has a negative impact on recycling. It also seems like Apple wants to herd people into purchasing new devices sooner than they should, when they should be doing all they can to make devices last.

This is also related to trying to control the circulation of replacement parts by attempting to force independent repair centers to regulate how parts are distributed. Apple takes more of a "You don't know what you are doing, so we have to guide you in the right direction" approach that doesn't sit too well with me. Apple can be wrong, a lot, about how their decisions affect people's freedom to decide how to implement their own security and ways of retiring devices. Apple should be in the business of making hardware and making it usable. Not being a parent, deciding how people are going to use and secure their devices. Maybe leaving that to an impartial organization that works with Apple. Too many conflicts of interest for me.


Considering many of those employees are doing bullshit jobs, it probably doesn't really matter at the end of the day.


Windows is only $5m a year and legal threats if your time is free


Wow, that's only $416k/mo.

Which is like, wow, half a mil a month, but... also alarmingly little!~

Apparently the backward compatibility monster is not the size it used to be?

Now I understand why Win11's designers used Macs... wow the moat got small


Well, depends on the size of the company and how much of the Microsoft ecosystem you buy.


Try and talk the C-suite and Accounts people at $NonTechBusiness into using LibreOffice or Google Docs instead of Excel and Outlook and let me know how you go.


"Because it's cheap." Lots of "leaders" don't see much further than that...


If that were the reason, the year of Linux on the desktop would have happened 20 years ago.


Linux was not and is not cheap at all. Downloading it might be free, but the initial price doesn't matter compared to the cost of running it for a whole organization.


We are literally in a thread complaining that the cost of Windows is wildly higher than the cost of buying a box copy of the software. So yeah, in this context Linux is free.


This is true; they look at dollar amounts first and do not look at quality; repeated over and over by people, and it feels like nobody seems to even care.


because it actually works

you can try to find as many edge cases,

but at the end of the day I just log into the account that's inside domain and everything:

email, teams, network accesses, auth thru web apps goes thru that domain account


Is moving a personal account to a different country an insanely obscure edge case?

Because I tried to do that recently with O365 and I literally couldn't move my subscription without killing the old one and creating a new one.

Every other software service I use somehow managed to make it easy: fill in the new billing details. Done.

But not Microsoft. Billing and fulfilment details are on different pages, there's no obvious way to get from one to the other, and if you want to change country you can't.

Superb.


I have literally received (temporary) work visas for other countries, travelled, etc etc with greater ease than moving some online accounts I have (Apple).

Even having physical copies of The Economist follow me, with the same subscription, was easier.


Optimisation for maximising profit, yay!


They don't consider any alternative to be viable.


Because on your work computer you just login with your work office 365 and not your personal one and then the above is not a problem whatsoever?


This is a buyer beware of some security policies.

I just want to point out that this entire described scenario, by a company with decades and decades of security products being shoehorned into "just good enough" cloud infrastructure....

Sure the security folks will say hardened infrastructure with fine grained least privilege is doable ... if you're at greenfield ... maybe. But the issue with lots of IT orgs is that they are MESSY, and fine grained least privilege is fragile. Messy + fragile = not good things.

I agree with least privilege as an aspiration, but security is a top-down authoritarian entity in organizations, and fundamentally they don't care if their policies disrupt your daily work process. IMO this is because most security orgs don't provide solutions.

Specifically, by solution I do not mean "picked an enterprise security product, bam, we have a solution"; I mean you have a security architecture and then have the people with bandwidth to help boots-on-the-ground devs get the job done quickly so security isn't a blocker.


They have actually made a lot of improvements to this process recently, allowing for multi-tenant login in a single browser.

If you use Firefox, you can use each of the container types to host different login accounts; it makes it easier than switching between private windows and doesn't require you to enable extensions on your private tabs.


Container tabs with MS and AWS has been a huge help for me at work.


> Auth with MS accounts is a giant mess.

It is indeed a giant mess.

If you go to live.com and click on the hamburger icon at the top, then under 'Apps' click on the "To-Do" app, you will be asked to enter the password for your work account, even though you are on live.com, not on office.com, and you are currently logged in with your personal account.

The only way to get past this is to click "use another account" then log in again with your personal account (even though you are already logged in!!).

This bug has been present for months now.


First mistake is using any of the Microsoft knock-off services whose primary purpose is to trick "deciders" in the C-suites and in halls of bureaucratic hell that can confirm that the box for things like "to do" functionality is checked on their list. Every single Microsoft service, including email, several decades later, is still deep into subpar.


This is partly because loginHint is broken on Microsoft/Azure sign-in.


Same on Gmail. I'm not logged in on my private account as I don't use it anymore, but it always suggests logging me in on the private account when accessing, even though I am logged in on a corporate account, which is the only one I'm actively using at the moment. Silly.


I don't get your scenario but I have to say I never had any issue with using multiple Google accounts on the same browser. I used to have 5+ accounts logged in at once (personal + work + school) and it always worked flawlessly, switching between accounts was always a breeze using the drop down menu on the top right, and not just for Gmail but any Google apps. Microsoft on the other hand gave me endless issues when trying to use just 1 personal account and 1 work account on the same browser.


It’s much worse than just auth too. Microsoft’s security policy around email is so bad that using Office 365 email should be considered a security problem.

They’re actively enabling phishing because they choose to rollback standards support.

https://www.brightball.com/articles/how-microsoft-became-phi...

https://news.ycombinator.com/item?id=34911811


It’s not just MS, auth is a mess everywhere. Everyone wants to own your identity and we’ve ended up with an insane web of trust.

The many standards around identity management make the web more complex. Most of us have many identities and we end up with a multidimensional web of tokens and cookies.

I think at some point something will have to give. This seems like a space where some more provider consolidation or collaboration would help.

Security is so important to get right, yet too easy to get wrong.


Because of a quirk of my employment, my AAD account was deleted and recreated, which means I now have two Azure DevOps accounts with the same email, one of which is unlicensed (and not attached to an AAD identity). It is fairly random which one it tries to sign me in with, and every once in a while clicking on a link in ADO will sign me out because it got confused about who I was. It’s insane, and there’s no way to nuke the old account.


I have the same issue. I’ve had a support call with an engineer about this and they have no idea how to fix this. If you sort the user list ascending it lists the one account and if you sort descending it lists the other. So changing the sorting should at least show _some_ license.


I mean, this sounds to me exactly like what happens when trying to mix normal Google accounts and Google Workspace ones, especially if the admin enabling all the services is not yourself. It's not just Microsoft; this is a problem all these service providers have because they can't cope with hybrid use.


I've got a number of Google accounts, two work ones (associated with different domains with distinct permissions and access to things, using drive, gdocs, Gmail and GCP with both) and a number of personal ones (some of which are associated with a Google workspace that I use for email under my personal domain) and it all works just fine for the most part. Groups and GCP console can sometimes get stuck on one account but Chrome with profiles can side step that one.

Doing the same thing with MS accounts has been an utter nightmare by comparison.


With Google you change the ID in the URL and you're in whatever account you want. All the URLs usually have /u/<id>, where ID starts at 0 with the first account you're logged into, 1 the second, etc.


But what happens when you are using a Google product not served from the browser?


This is obviously done on purpose. In the same way that Google ties users to Android devices when you add a Gmail account, MS takes every opportunity to assign their online account whenever they catch you off guard (installing a local Teams app instead of joining through the browser, signing into Minecraft at your school etc.). At this point you need to go through all the steps of dissociating your account from these devices. Sometimes they will reassign them after an update, so you need to watch out.

For that reason I never use MS online apps on my private devices and whenever I need to sign in online, I always use the private mode or a dedicated Firefox container.


Although I agree that companies (Microsoft, Google, etc.) deliberately seek to authenticate you across the web, I do not think that the general mess with Microsoft authentication is on purpose.

It looks like generations of implementations (and likely generations of product management and development teams) layering on top of each other, "replacing" the "old" systems only to do the half of it, and integrating with acquired products.

Seen from outside, it just doesn't look like there exists a single team that understands the authentication and permission system end-to-end.


> I do not think that the general mess with Microsoft authentication is on purpose.

Microsoft has been dealing with online identity almost since the consumer web has existed. MSN launched in 1995, Outlook was the poster child of webmail, Active Directory is the behemoth of enterprise user management.

I don't see Hanlon's razor as relevant when it's one of their core competencies. They at least committed to throw part of their users under the bus to pursue their goals.


As I see it, Microsoft has become so incompetent as an organization that they can no longer be said to have core competencies.


Yeah, exactly. The intent was probably to make their spyware login front work well. It would speed up adoption.

I think some people are mixing up Hanlon's razor with "if it is bad, the malice part can't be on purpose".


I have the same experience!

In my case, my personal and professional Microsoft addresses are the same (same email, different accounts), which means that in many cases I end up in impossible situations when the login screen doesn't correctly guess if I want to sign in personally or with my "work" account. I also do client work for organisations where I need to sign into their O365, and honestly the only way to manage all that is to keep a dedicated browser "per account".

Teams is a different story; I avoid account switching because, exactly like you describe, sometimes I need to uninstall it in order to sign out.


A perfect use for Firefox container tabs!

It's the only way I can keep my personal, work, and alma mater email separate and not falling into login loops.


Using the same email address is deliberately asking for problems.


I once got enrolled in a school and they asked for my email. Didn't know it was for Teams access.

Now, 4 years later, I still get to choose whether I want to log in to their tenant or mine every time.

Microsoft solution? Change my email on the personal account.

Not kidding.


Can you 'leave' the organization here? https://myaccount.microsoft.com/organizations


That sucks. If your email provider supports +suffixes you may be able to work around it that way.


You have only seen the tip of an iceberg. Try working as an IT consultant. You have a half trillion different accounts. You can't work in multiple spaces while using the app. So you have to use a browser. Then, the problem is that you get logged off more or less instantly if the tab is not active.


We also have some (a lot of) problems with Teams, to the point that I started recommending my colleagues use it from a browser and nuke cookies and other data every time the authentication stopped working.

Basically, when we log in we need to use the "personal account", but sometimes it will not ask what account to use and automatically chooses the wrong one, and once it gets stuck in this state I didn't find a way to fix it.


Using Edge (Microsoft-flavored Chrome) and the account personas will let you keep these M365/O365/Live identities separate, in the same way Chrome does a first-class job of keeping Google Accounts separate.

Arguably, if you're one of the 85% of SMBs in O365/M365 instead of Google Workspace, or if your "Login with..." personal account is Microsoft instead of Google or Apple, you should be using Edge.


> Auth with MS accounts is a giant mess.

I agree. It is surprising that we don't see similar issues more often. It is *so* confusing to both users and developers, to the point where it's too easy to make some naive mistakes. And it is one of the most critical parts of the systems!


The only reliable way of multiple SSO for Microsoft stuff I've found is:

- Use a different browser profile for each account

- 2nd and subsequent accounts - use Teams in the browser - in the respective browser profile (teams.office.com).

Teams in the browser is not substantially different than the desktop app.


Unfortunate; it sounds like a mess and a half. Does anyone know: if I found myself in the same situation, would creating different Windows accounts, one for each Teams/AzureAD account, help keep them separate?


This gave me flashbacks I was happy to forget about. Microsoft's SSO is nuts, at least with the browsers I used at the time. Might work better with Edge.


After spending three months trying to migrate legit accounts to MSFT Auth, I agree with this comment completely. Their account migration approach is broken from the start, but more importantly, there is absolutely no customer support. What should have been a 5 minute phone call turned into a 3 month long chat and email nightmare, with multiple support reps telling me there was nothing they could do.

Apple is not really any better. God help you if you accidentally lock your Apple ID, you will be subject to a month-long wait before it can be fixed. Why that long? No idea. Nobody at Apple has any idea why it couldn't just be 2 days, and they will frankly admit to you that it makes no sense, then spout some meaningless 'because of GDPR regulations' nonsense that has absolutely nothing to do with GDPR regulation.


This really goes to show what depending on online authentication from a large corp can do.

Even worse, Microsoft is now trying to force online accounts onto Windows machines.

Google already does it with Android. Which means for some reason if you lose access to your email, you are locked out of not only your online accounts but your local devices also.

We really need to separate authentication from services and devices. With strong safeguards around that account and an actual support system.


Yeah, that shit is why I took a brand-new NVIDIA Shield back to the store immediately after getting it home - it literally cannot be used without signing into a Google account. I bought it thinking, "hey nice, I can use this 4K Android home theatre device without Google being involved, since it's from NVIDIA and thus hopefully free of all that crap". I even did my homework on this: no material included with the product, nor NVIDIA's online product page, indicated that an Android account is strictly required to actually use the product. I ended up doing some more searching after returning the product, and finally found a singular customer support page that happens to mention it. Gotta love it...


> and finally found a singular customer support page that happens to mention it

That's the kind of results Google should be surfacing, but it lost the game, it is so useless now for precision searching.


> That's the kind of results Google should be surfacing

Indeed and when I try it, it does surface it when I search for Does Nvidia Shield require an Android account? [1] For comparison, ChatGPT also gets it right. [2]

--

[1] https://imgur.com/a/cLpFj6i

[2] https://imgur.com/a/x6AP0jf


The first generation is 8 years old at this point.


Google should be surfacing things which paint google in a bad light?


It does. "Google search sucks" returns what you'd expect.

What GP is getting at is that Google Search breaks down often when you're looking for a very specific result, but one that is uncommon enough. Instead, you're often diverted to a "related" query result without them telling you.


If you search "What is the world record for crossing the English Channel entirely on foot?" Google would respond with swimming, boats, pedalling etc but miss the ones where people crossed on foot through the Channel Tunnel.

An improbable search is almost impossible to do on Google. They will replace it with unrelated but similar results. Even when you specify a strong condition, it will just ignore it and return the exact opposite. It's no better than LLM hallucination.

There are pairs of words that are very similar, but semantically different. Like "latitude" and "longitude" or "first name" and "last name". Google's model can't make fine distinctions between related (like latitude and longitude) and semantically equivalent (like last_name and family_name). You search for a semantic match, it will give you a related result that is exactly not matching your search.


Google should be surfacing what its policies actually are, period. If those policies paint Google in a bad light, it should reconsider them, not be coy about them.


What is the business case for that?


Why does an Android TV device requiring a Google account paint Google in a bad light?

If I’m all-in on the Google/Android ecosystem, this is a positive! It works even better!

The alternative is that the people behind the Nvidia Shield are intentionally user hostile / acting with malice, in cooperation with Google?

The idea that the account requirement is positive or negative is a hugely subjective one. The fact is it’s needed. Whether it’s positive or negative is largely irrelevant. The fact should be surfaced.


Search engines, even evil ones, should surface useful information.


I was looking at a media center/gaming emulation device and to be honest I don't see the benefit of these Android based TV devices or Apple TV anymore.

You can buy a good mini-PC for a couple hundred bucks and it's much more powerful and flexible. You can run Windows or Linux etc. and hook up any keyboard, controller, remote, and do whatever you like.


> You can buy a good mini-pc for a couple hundred bucks and its much more powerful and flexible. You can run windows or linux etc and hook up any keyboard, controller, remote, and do whatever you like.

More flexible, yes, but are you really getting more powerful than an A15 for that price, especially when running a general purpose OS?

That last point is really hurting why media PCs disappeared: you’re paying considerably more - a whole number multiple - for an experience which isn’t designed for a TV, and in return you get the fun of playing sysadmin when you’re trying to relax. Most people are not going to pay a significant premium so they can deal with drivers and trying to figure out why their HDR isn’t working. Device lifetime theoretically could counter that out but I’m skeptical that hardware won’t be what sets the timing for that in either case, and the dollars per year metric isn’t favorable there.


Performance-wise? Yeah, I bet you could. A Ryzen 5 mini PC is well under $200 and will probably have hardware acceleration for 4k60. If you're the sort of person that already has SFTP plugged into your "media backup drive", Kodi on a cheap low-power box is kinda a no-brainer.

There are certainly better push-button solutions on the market, but arguing in the AppleTV's favor for performance is probably a Pyrrhic victory at best. If you want an AppleTV, get an AppleTV - if you want a streaming box for your ripped Blu-Rays and legally-dumped retrogames, you can build it yourself for roughly the same price.


> Ryzen 5 mini PC is well under $200 and will probably have hardware acceleration for 4k60.

The cheapest one Google knows about is an AliExpress no-name brand at $159 and that’s because it includes no storage or RAM, and uses a 3750H which benchmarks at less than half the speed. Once you add memory, it’s over $200. It does match the Apple TV on 4K@60 HDR support so I’d assume it must have hardware support.

Amazon has a couple of off-brand Intel devices, also around $200 for around half the Apple device’s performance.

Again, if you really want a PC you certainly can make it work but the reason it’s unpopular is that you’re paying a lot more – this is starting at 150% for hardware which is unlikely to last as long – and you then have to support a full PC, buy remotes, etc. If you enjoy that as a hobby, sure, but it’s hardly surprising that most people buy something which just works out of the box.


There exist general purpose OSes that don't just fall apart randomly, you know. For instance if I have a problem with my Kodi box, I just reboot and choose the previous generation in the NixOS boot menu.

Judging by the threads on those proprietary embedded devices, I think my setup passes the "just works when you want it to" test even better than those appliance things, which market an illusion of stability but are doing the same mutable update dance behind the scenes (with the added complication of corporate whims).


> There exist general purpose OSes that don't just fall apart randomly, you know. For instance if I have a problem with my Kodi box, I just reboot and choose the previous generation in the NixOS boot menu.

As someone who started using desktop Linux and supported it professionally before the turn of the century, yes, I’m aware and you’ll note that I never claimed otherwise. The reason I mentioned general purpose operating systems is that they’re not optimized for non-keyboard/mouse UI and you’re more likely to get in a situation which requires more work to sort out via the CLI.

The other concern I raised was drivers. Support for hardware video decoding, colorspaces & depth, high-quality sound, etc. is certainly technically possible but also something which not-uncommonly ends with angry rants. If you are passionate about open source and eager to take on that responsibility, great, but it’s not a popular choice.


The focus of those points feels completely irrelevant to the reality of my using a general PC to drive my TV. They seem to simultaneously assume the use of a generic point and click operating environment, while rejecting the additional functionality that would necessitate doing so.

My Kodi box boots straight into Kodi. I have a mini wireless keyboard on it (Rii X8?), but the alphanumeric functionality isn't particularly used and it could just as easily be a video game controller or even an IR remote.

There is no "situation which requires more work to sort out via the CLI", beyond when I deliberately choose to make changes to the system. If I ever did want to pop out of Kodi and run a general desktop + browser - say for sports streams - then the additional input hassle would be due to doing something I couldn't do with an appliance anyway. You can't really characterize this as a drawback.

And sure if some driver functionality doesn't exist, then obviously you can't use it - you set your expectations to what is available and how much you want to tinker. And the real answer to "angry rants" is to use an operating system with reliable change control, so that if you start tinkering with something, it cannot end up in a broken state when you want to use it to relax.


Look, I’m not saying you can’t use a PC for a TV if you want. I was specifically responding to the assertion that it was both cost-competitive and better performing when neither is true. It certainly allows you to do different things but it’s unclear how many people care about those more than the extra cash.


How is it not more cost effective and better performing AND more flexible than an Nvidia Shield or similar? I'm not talking about Chromecasts here.


IMO there's this weird tendency for technologists to create a model of "normies" with no bespoke interests or self-actualization, and then argue that they're following fully-fleshed-out "normie" incentives rather than the actuality of advertising and product placement.

Also I find it a bit disingenuous when people argue for the "less expensive" options that put you at the mercy of streaming companies. My amd64+Kodi+zfs+VPN setup certainly isn't the cheapest, but neither is a corporate puck with several monthly fees for streaming services. If one wanted to be entertained for the least money possible, I suspect that would just consist of using your current laptop/computer running a general purpose OS to play dodgy streaming sites. But most people seemingly want something more than that (which ties back in to my first paragraph).


As a technologist who’s run a fully fledged media PC since the days of Xbox Media Centre (before XBMC or Kodi or even Plex I think) with both Windows and Linux flavours, along with a USB IR remote control and wireless keyboard options… I simply got fed up of things randomly not working every year or two when a major upgrade was required, and the amount of effort that typically became required at the exact point that I was exhausted and just wanted to relax.

So I gave in, switched to Plex, paid for a Plexpass lifetime account, and bought embedded devices that could stream content off my server.

I have way less flexibility now that I’m on an AppleTV 4K. I also continue to get occasional headaches (e.g. recently the remote control randomly stops being able to control the volume), but the size of the headache is limited to pulling out a different remote control / turning all the things off and on again. Mental effort not required.

I have a laptop that goes into the 4x2 HDMI splitter, and I occasionally whip that out if there’s a real desperate need. But it’s the absolute last resort. It’s just easier to use the ATV.

It’s not that I lack the ability to produce a better PC based solution today, it’s that I lack the interest, and the $200 ATV is good enough that I’d rather throw money at the problem than time.


Here’s the statement I was responding to:

> dont see the benefit of these android based TV devices or Apple TV anymore.

My point was simply that an Apple TV is significantly cheaper ($100-120 vs. the $200+ PCs people mentioned) and it has roughly a factor of two better performance. Now, it’s inarguably less flexible but most of that flexibility doesn’t help with things many people want to do, which was the original point: people buy these because “spend less, everything you actually use just works” is actually a pretty good sales pitch.


You can get a streaming stick with the remote for like $50. It will come with all the stupid DRM in place required to stream 1080p/4K/HDR whatever and it'll be designed to be used from 10 feet away with a remote. Plus it'll use like 3W of power.

Setting that all up on PC is much more of a chore.


Yes sure, but I was talking about OP's Nvidia Shield, which costs like 200 bucks and it also has gaming capabilities.

If all you want is Netflix and YouTube then of course a $50 Chrome stick is fine.


I'd be interested to hear how you'd get the usability to be as good as an operating system designed to be used with a remote running apps designed to be run with a remote.

Having to use a mouse and keyboard is a pain point for me when I use my desktop on my TV from the couch. For the mouse I use the trackpad on a ps5 controller, so the mouse isn't so bad.

Possibly you could:

* Not require passwords for everyday operation of your computer

* Boot into some sort of launcher designed for televisions

* Have a fairly narrow set of apps and services that work well with your setup. For example I don't know how you'd use Netflix or Disney plus with a remote on Linux.


I've been running Kodi for over a decade now. It starts on boot, so all I have to do is start the desktop. Remote works with an open source Android app, it also allows streaming from Kodi to your phone and vice versa. YouTube works fine, never tried Disney+/Netflix, I'm not sure that's possible.


Kodi has YouTube? YT was the only reason I didn't just set up a Pi 4 or whatever. Already got one LibreELEC system for the home theatre, but wanted YT for the "daily driver" TV display. I assumed any YT plugin for Kodi would be persistently behind API changes and often not working, etc... is my assumption wrong? Would be great to hear if so haha


You need to set up your own set of API keys (fairly easy) but it can break for a week or so at a time when YT make changes that need updates, but it's reasonably rare (once every couple of years).


I've never added API keys and it mostly works fine, need to retry a link sometimes (youtube a/b testing things I guess?) and I imagine it can't play age-gated videos.


YouTube nerfed their API in a way that makes using third party clients hard to impossible. Things like requiring users to register API keys etc.


I use NewPipe and choose to stream to Kodi. That has worked fine for the last few years, even with an outdated Kodi YouTube plugin.


You can configure Linux to directly boot into Kodi with zero interaction very easily[1]. If you pick up a machine with an IR sensor (some Intel NUCs for example) then you can configure it to use a remote[2]. RPis have HDMI-CEC which means you can use your TV remote[3]. With that said I just use a mini keyboard[4] as it's the easiest and most versatile for me (definitely not the most user friendly for people who don't know the keys though!).

Admittedly I only have local media and YouTube (via a Kodi plugin) and don't use any streaming services so Kodi fulfils my needs perfectly.

1. https://kodi.wiki/view/HOW-TO:Autostart_Kodi_for_Linux

2. https://kodi.wiki/view/Remote_controls

3. https://pimylifeup.com/raspberrypi-hdmi-cec/

4. http://www.riitek.com/product/k08x.html


No regular user wants to maintain this. Not everyone wants to tinker with Linux.


There exist a couple of wireless media keyboards with integrated trackpads like a large one from logitech or microsoft or some small ones from obscure chinese companies on amazon. There are also remotes that you can connect over bluetooth.

https://www.amazon.com/Microsoft-Wireless-Media-Keyboard-N9Z...

https://www.amazon.com/Logitech-Wireless-Multi-touch-Certifi...

https://www.amazon.com/Rii-Wireless-Bluetooth-Backlight-RTi8...


The obvious response to this is that the non-techy family members wouldn't be able to use it, but honestly most home entertainment setups are already crazy complicated, whereas everyone knows how to use a PC (for now)


Mash any of the four buttons on the Apple TV remote until the TV turns on, then use the top third of the remote as a touch surface to pick the app logo you want (Netflix, Youtube, etc.). If your iPhone is in the same wifi, a notification will tell you you can use it to type instead of the on-screen keyboard if you get into a free text field like for search. Apple products have their faults, and they are expensive, but that experience is as simple and smooth as it gets.

We also have an old laptop attached to the TV. We set that up in the lockdowns so we could use a webcam on the TV and a wired microphone on the coffee table to "get together" with friends and family, still use it occasionally for Dungeons & Dragons with friends who live too far away to visit often. The Apple TV doesn't support webcams, but wins at everything else, hands down. Even for desktop-y stuff, streaming my Macbook or my girlfriend's iPad to the Apple TV is less hassle.

Desktop ergonomics just don't work on the couch, at least for us, even with a nice-ish wireless keyboard with touchpad. Having a touchpad remote with just four buttons that have very predictable functions and a simple mobile-ish UI is nice, even to me, and I'm a desktop power user otherwise. Desktop OSes are for work, school or uni, most people aren't inclined, encouraged and/or enabled to explore and play in those, so they don't get them the way desktop power users do and tend to expect everyone else to, or the way people get mobile UX.

If you want something nearly everyone can pick up quickly, even older children and some seniors, make it touch-based, responsive, give it proper apps and the same core animations mobile phones have and you're 80% there.


Apple TV is useful as a homekit controller if you care about that sort of thing.

That’s about it though.


This is probably not a helpful answer for most people, but the Shield has an unlocked bootloader, and it's popular enough to have lots of custom ROMs that you could flash that don't have that problem.


Oh no way? Nice, good to know if I ever have one again.


Good for you.

Nvidia Shield was great, but they upgraded the user interface and shat ads all over it.


Don't mix up poop and chocolate - while Google's accounts aren't really that great (the whole GSuite mish-mash of nonsense doesn't really help), they are several orders of magnitude better than whatever MS is trying to do here. You have a million different ways to permanently screw yourself with a MS account, especially since they basically kept all the "account types" hidden while applying over them a veneer of homogeneity. You can basically use any Google account everywhere a Google account is required, but personal and corporate MS accounts are basically two different things that reuse some infrastructure while not being compatible the slightest. Even when logging in in Windows, there are a dozen ways to enroll a MS account, and most if not all of them are not compatible with each other. There's always a very high chance of getting your Windows account messed up, not accessible, or impossible to log in to.


> You can basically use any Google account everywhere a Google account is required

This is not true if it is a Google Workspace (or whatever they are calling it now) account. Learned this the hard way when getting YouTubeTV. To be fair, it was just a couple of hours of frustration and annoyance but still, for whatever reason, the workspace accounts that you pay for are second class citizens.


I had to abandon my Google workspace account with my main email domain after they booted the free GSuite status (I migrated before they changed their mind unfortunately). Not only is that account gimped because it is a Google Workspace account (with little things all over that refuse to work with those style accounts at all) now it's even more gimped because it has no active subscription tied to it.

I can't downgrade it to a personal account without deleting the account and recreating it, but there's not even a guarantee that will work. Deleting the account will also mess up family photo albums and other items. Photo storage is full but I'm also unable to pay for storage without adding a subscription to the account. It's so risky to try and fix it that I just had to migrate to a new google account, re-purchase all my android apps, and just ignore that account forever.


A Google Workspace account does not work for Nest. I signed up for the free Google-email-but-with-your-domain thing more than a decade ago. A bit more recently but back when I was still a Google fanboy I bought a Nest thermostat and was astonished that my account could not be used for Nest.


> Google already does it with Android.

I have seen this on HackerNews multiple times. I bought a Google Pixel this past week and set it up. I have not logged into a Google Account. Maybe if you give the phone internet access during setup, it doesn't give you the local account option. But I can attest that Google has not (yet?) closed the "offline account" loophole.


Do you mean when using Google email? I don't see how being locked out of my personal email would lead to me being locked out of my Android, even if I would log into Google Play Services with an account (which I have not but let's go with the common lay person scenario).


It's honestly shocking to me how fragmented Microsoft's authentication system can be and how many quirks it has. Knowing how enterprise software is built, you know under the hood their auth system is a completely fragmented mess. Every login looks the same but is subtly different so you can literally log into one service if your account is set up a certain way and that would instantly screw you when it comes to logging into 5+ other services.


This is a giant mess. Frankly, I don't understand how they architected it. If I open a Word, Excel or PPT document from another company's SharePoint because they added me as a guest, Microsoft promptly signs me out of the desktop Office 365 apps and then says that I am using unlicensed Office 365.

How was this missed when designing the security and authentication systems?? This is basic foundational stuff!


That's easy to answer: It is not architected, it is organically grown.

Product A adds a sign in. Product B from another team adds another sign in. Product C,D,E do the same. Each team has some special magic sauce that makes their system work better with their product, but worse with all others.

Now the corporate infighting starts, as management squeezes all these sign-in systems together, and everyone loses if any system but their own wins. So some compromise is created, based more on political prowess than technical requirements. The result is an API from hell, taking fragments from everyone, even if they conflict. Everyone pushes and pulls their existing systems until it fits in the compromise, trying to minimize damage. Weird cracks appear everywhere.

We've all seen the organizational charts meme:

https://www.euroresidentes.com/tecnologia/noticias-internet/...

Remember how each organization builds a solution based on their organogram. Look at microsoft in the meme. Look at the sign in mess. Understand.

I predict strange, probably exploitable and surely unsolvable problems in the MS sign-in system for at least the next decade, just like their programming practices of the '90s had entirely predictable security consequences for a decade when the internet appeared.


The org chart comic from its original source, instead of a random reupload captioned in Spanish and heavy on the image artifacts: https://bonkersworld.net/organizational-charts


> Now the corporate infighting starts

Typical for Microsoft, reportedly: https://bonkersworld.net/organizational-charts


And it's crucial to understand we're well past the point where any one (or likely even a small team) knows all the places that Microsoft auth is entangled with. Thus unknown, undesirable interactions occur just because it's too big for someone to know that the interaction would occur.


This is exactly spot-on. 20+ years of this and you have a mess of gigantic proportions.


I have found guest accounts in general to be barely supported. I can’t manage my 2FA for my guest account in other organizations, can’t control which account to log in with (MS seems to decide based on which resource I’m navigating to), and anytime I have an issue it pretty much takes the AAD admin removing and re-adding me to fix it. It was clearly an afterthought feature.


The way Microsoft accounts work is almost completely opaque to users.

I’ve been in similar scenarios — the switch directory or switch organisation technique usually worked for me - but wasn’t enough for this person.

They never really give you enough information to tell what's going on… maybe it's a security risk to have consumers who are anything other than bewildered Kafkaesque characters struggling against a faceless bureaucracy? I suppose we should not question their wisdom and be thankful that we can log in at all.

Atlassian manage to make it even more confusing than Microsoft. So there’s that.


Try having a kid and segregating funds for them while paying for their Xbox Game Pass and a Minecraft Realm with your account. I have 25 years of Windows software development experience and I was almost reduced to tears just trying to understand what I'm even trying to accomplish.

Realms is still in some kind of half subscribed, half not subscribed state and it still asks for my account's PIN for purchases but actually only accepts my kid's PIN. And every game warns me that my setup is questionable (store account doesn't match game account) even though it's exactly what Microsoft tells parents to do. Even Microsoft's own Minecraft app complains every 30 days!

I suggest this area for any web2 bug bounty hunters looking to make a fortune.


The switch over the Microsoft login for Minecraft was so bad that I just gave up and got the kids using MineTest instead.

And MS login for work is a complete shambles. I have to do a tactical login to Outlook with a different work account to switch login when I try to use Azure as that's the only obvious way to move to a different org account. It's horrible.


I had 2 Mojang accounts for my kids, attached to 2 separate Java game licenses (because I couldn't buy 2 licenses for 1 account) used on Linux. When Microsoft forced the authentication conversion, I had to disassociate 1 of the 2 emails from the combined MS account (that I had worked really hard to combine in 2020), reincarnate that email as a separate MS account, associate it with the separate Mojang account (because MS also has no way of supporting 2 licenses on 1 MS account, even if the account listed multiple emails), and then I was promptly banned by Microsoft for breach of TOS, whatever that might have been. 12 hours later and a dozen support contacts to Mojang, I was unbanned... but my kids didn't play Minecraft that day.

To any MS/Mojang folks lurking: great game, but the authentication merge was an unforced error.


> banned by Microsoft for breach of TOS, whatever that might have been

FWIW, I had the same thing happen and found out the ban reason was "fraud (please insert phone number)".


MS also banned me from playing Halo Infinite after a few days due to "Fraud (please insert phone number)" even though I'd done absolutely nothing suspicious --just played the game. So, naturally I deleted it and haven't looked back.


Minecraft is so broken that I’ve removed it from all family devices.

I would frequently have to reinstall on PS5 to get it to boot, it would lose purchases constantly, and there is no cross play for mac hilariously because Mac doesn’t have a bedrock port, despite it having “Minecraft for education” which is based on bedrock.

Microsoft turned Minecraft into a steaming pile of garbage.


I had a pre-alpha (beta?) Minecraft account that I had to give up on due to this.


I witnessed an egregious bug once - where logging in with one user's name and a different user's 2FA let me in. I just looked for my notes on it and can't find them. I'm happy for you not to take my word on it other than to say — I concur that there are some egregious bugs in this area!


I completely believe you - I have performed this setup twice, on different machines, and in both cases the end result is that it uses the kid's PIN to authenticate despite requesting the adult's PIN.

I have no idea where to report the issue to (Microsoft store? Minecraft support? Microsoft Windows support?), and having dealt with Microsoft support in a professional capacity I know that even if I do figure out where to report it that they will waste weeks of my time asking me to explain the issue and then claim it's working as designed without understanding the problem at all.


> result is that it uses the kid's PIN to authenticate despite requesting the adult's PIN

That's been a thing for a long time. I hit it when trying to share games with child accounts. IIRC, the high level process was:

    - Set up child computer with a child account.
    - Add parent account as family member on child computer.
    - Set up a PIN for the parent account on the child computer.
    - On the child OS account, open the Windows Store and log in as the parent.
    - Log back in to the Windows Store using the child account.
At that point when the child tries to buy something via the Windows Store it should be asking for the parent's PIN, but accepts the child PIN. As far as I could tell it was authenticating the parent account with the child's PIN.

When I ran into the issue, I could buy anything I wanted with the child PIN and it bypassed all restrictions.

I was so surprised by the way it worked that I spent an entire afternoon testing it. I got a prepaid credit card, set up fresh MS accounts for the parent + child, set up a clean OS install, and recorded everything using VirtualBox by using the on-screen keyboard to show the PINs.

At the time there was a bug in VirtualBox's video recording that caused it to record random garbage and I got so frustrated that I set it aside and never went back to it.

It seems like an auth bypass issue to me and it's been a problem for over 7 years. It's been around so long it's even made its way from an unofficial blog into official MS docs [1]:

> As of Dec 25 2015, there seems to be a bug in the Windows Store sign in process as it may ask for your PIN code but it actually wants your family member’s PIN code. That is, at least at the time of this writing, use the PIN of the signed in family member even though it asks for your PIN!

1. https://learn.microsoft.com/en-us/archive/blogs/henrikn/shar...


Ok - that sounds like the exact thing. It was so very odd when it happened. I’m sure I tweeted about it at the time, or put it on mastodon if it was more recent.


At one of my jobs Workday had a cookie config that let some security guy change his user ID to the CIO’s user and log in. It was hilarious to watch.


When I saw Minecraft for the Nintendo Switch I bought it, thinking it'd be a solution for the MS login madness and my kid could play easily with it.

Wrong!

It's even worse! You still have to log in with some MS account, but on top it's buggy, slow, laggy, and crashed a few times on me generating the world. What a disaster.


Same story here. Thought it would be great for kids to play. Takes 30 minutes of me screwing with it every time they want to play it. I gave up and put Linux on an old laptop and then bought another copy of Minecraft for it.


You still have to use the official launcher that requires online connection to play the game you own (twice), right?


You can still use unofficial launchers, but I wouldn't be surprised if Microsoft removes that too


You can't use any unofficial launcher that lets you play the game unless it talks to Microsoft servers about it.


Setting up my kids to play on a Realms account is a horrid experience! And never mind explaining how to do it to the parents of my kids' friends. Most of the kids still haven't managed to get on.

Also parental controls seem to suck in general on most services. Nintendo Switch seems to get it right for the most part.


my general approach to this garbage is to just keep making new accounts/email addresses (on my domain) for each purpose

this keeps everything from being commingled at the expense of maintaining all of those credentials

also, as a bonus, if you organize this by subdomain you can sort your email by it automatically since most emails from this stuff don't really need to hit your inbox


Until they ban all of your alts when some obscure ToS sentence about creating multiple accounts starts being enforced (or one of them gets taken over when you don't pay close enough attention) and if you happen to use any of them for anything critical you come to HN complaining how MS just killed your life or business. I truly think that's what happens behind the scenes of half of those cry for help posts


Couldn't you buy Microsoft Store gift cards so you can use your kid's account to keep the subscription active while not using your credit card directly?


Now, if Microsoft bought Atlassian — that would be absolute theoretical maximum limit of peak confusion when logging into an app.

“Warning: You are about to login to Microsoft Atlassian Fogbugz Trello. Have you cleared sufficient space in your calendar, notified your next of kin, put your affairs in order, and taken your sedatives?”


The fun part being it always looks fine and smooth for the first 30 minutes.

It's once your sessions start expiring or you're trying to use the other services in meaningful ways that the journey begins.


Atlassian ID was a negative point when choosing software.

We, as an Atlassian plugin maker, chose GitLab internally, and Notion, both because at least it was properly integrated and didn’t have the awful Atlassian ID and switch between apps…


Like you would get anything as considerate as a warning.


Ha. You have two-factor on MS, main Atlassian, and former Bitbucket? Prepare for peak confusion. Three different MFAs will be needed but we won't tell you which one is for which step. Oh, and if you make a mistake you get to start all over!


I’m gonna have nightmares about this


We took on a client on Azure 4-5 years ago. Something happened to my MS account at that time that made it impossible to sign in to a random subset of MS services (it would either report that the pw was invalid, or I didn’t have permissions).

It was something like two accounts existed in the system with the same email address and one of them had permissions, but we couldn’t sign in to it and the other we could sign in to, but didn’t have permissions and there was no way to grant it permissions.

I spent several hours with MS support over a few days while they tried to sort it out, reset passwords, sign in via different systems, etc. Eventually they recommended we create a new account.

I stopped working with Azure clients, instead.


Arghhh... I swear I only have one Microsoft account, but it randomly seems to use either one password or an older one. I've been round loops several times resetting the password and all seems well, until it seems to want an older one again.

I didn't bother porting my Mojang account to Microsoft, it was too stressful to use.


My suspicion is that what's happened here is that Jeff's daughter has used his laptop for something from school and clicked straight through an overly-inviting message that asked to join the account to the school's domain.

I'm skeptical of the suggestion that the school admins were able to do this with no input, but I'm absolutely willing to entertain the idea that:

a) AD login is a complete mess, and

b) the UI is utterly misleading and near-unusable.


This makes sense, but this should have asked for the account password to confirm, which Jeff’s daughter may have known and typed.

IMO, the main issue here is Big Tech's obsession with a single login. One single set of credentials gives you access to everything, from entertainment to professional services.

People do share their credentials with family, especially if it involves subscription and payment. Big Tech tries so hard to push for not sharing, but they fail to understand (or don’t care) that most people, especially non-American, don’t have the budget to subscribe multiple times. Family accounts are nonexistent, lacking management options, and also more expensive.


It would be interesting if there were auth standards related to linking family accounts or different identities. OIDC tries to extend OAuth to human identity characteristics but doesn’t quite get there. Maybe you could hack it in with custom claims, but first class support for codifying relations between users would be neat, instead of having every auth provider roll their own half broken implementation.


> an overly-inviting message that asked to join the account to the school's domain

The UI of this is just as bad as the one that asks you to sign into MS account and upload all files to OneDrive when setting up Windows. It even comes back after some time if you deny it!

AD login is something that used to work well (10-20 years ago) but is now a complete clusterf*k. What was designed for logging into Windows NT workstations isn't what most users nowadays are expecting when logging onto web apps. Plus the UI full of antipatterns. Yet it's still the easiest for IT folks to manage.


Horrible UI if you can do a fundamental account change without some kind of password re-confirmation.


saved in the browser


Yeah, I realize it was just a continued session, but that's exactly what I mean. For things like password changes or privilege changes, there should always be a mandatory re-auth to make sure it's not someone else at keys.

This is pretty much just best practice. When's the last time you could change your password without entering the original, short of a re-verification via email? Same idea here.


>a mandatory re-auth

which, if the person's password is saved in their browser, would pass through to the website, granting a re-auth.


Oh, I misunderstood what you meant as the session token still being active.

I got you now. I've been using 3rd party password managers (with a timeout for a forced reauth) long enough that I forgot that when you let the browser do it, it's not nearly so locked down.
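The step-up re-authentication the comments above argue for (a fresh credential check before a password change or a fundamental account change, with the caveat that a browser-autofilled password says little about who is at the keyboard), as an added Python example that is not part of the thread or of any Microsoft code; the session fields, freshness windows and operation names are constructed for the illustration. A password change only needs a recently entered password, while handing the account to an organization also demands a recent second factor, which autofill cannot supply on its own.

```python
"""Step-up re-authentication gate for sensitive account changes.

A live session token is not treated as proof that the account owner is
present: a password change needs a recently entered password, and a
fundamental change such as joining the account to an organization also
needs a recent second factor, because a browser can autofill a saved
password by itself. Every name and policy value here is constructed
for the example.
"""
from dataclasses import dataclass
from typing import Optional

PASSWORD_FRESHNESS_SECONDS = 5 * 60       # constructed policy value
SECOND_FACTOR_FRESHNESS_SECONDS = 5 * 60  # constructed policy value


class ReauthRequired(Exception):
    """Raised when the caller must prompt the user for `factor` again."""

    def __init__(self, factor: str) -> None:
        super().__init__(f"re-authentication required: {factor}")
        self.factor = factor


@dataclass
class Session:
    user: str
    last_password_auth: float                   # password last entered (typed or autofilled)
    last_second_factor: Optional[float] = None  # TOTP/FIDO2 check last succeeded


def record_password_auth(session: Session, now: float) -> None:
    session.last_password_auth = now


def record_second_factor(session: Session, now: float) -> None:
    session.last_second_factor = now


def require_recent_auth(session: Session, now: float, second_factor: bool) -> None:
    """Reject the operation unless the required credentials are fresh."""
    if now - session.last_password_auth > PASSWORD_FRESHNESS_SECONDS:
        raise ReauthRequired("password")
    if second_factor:
        last = session.last_second_factor
        if last is None or now - last > SECOND_FACTOR_FRESHNESS_SECONDS:
            raise ReauthRequired("second_factor")


def change_password(session: Session, now: float, new_hash: str, store: dict) -> bool:
    require_recent_auth(session, now, second_factor=False)
    store[session.user] = new_hash
    return True


def join_organization(session: Session, now: float, org: str, memberships: dict) -> bool:
    # Autofill alone must not be enough to hand the account to an organization.
    require_recent_auth(session, now, second_factor=True)
    memberships.setdefault(session.user, set()).add(org)
    return True


def outcome(action, *args) -> str:
    """Run an action and report 'ok' or which factor must be re-entered."""
    try:
        action(*args)
        return "ok"
    except ReauthRequired as exc:
        return exc.factor


if __name__ == "__main__":
    s = Session(user="alice", last_password_auth=0.0)
    print(outcome(change_password, s, 10.0, "hash-1", {}))      # ok
    print(outcome(change_password, s, 1000.0, "hash-2", {}))    # password
    record_password_auth(s, 1000.0)                             # typed or autofilled
    print(outcome(join_organization, s, 1001.0, "school", {}))  # second_factor
    record_second_factor(s, 1002.0)
    print(outcome(join_organization, s, 1003.0, "school", {}))  # ok
```

The freshness timestamps live alongside the session rather than being inferred from the session's age, so a long-lived token that was issued hours ago still cannot pass a sensitive operation without a new credential check.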


I'm pretty sure I did the same thing accidentally when trying to use my university's provided Office365. It bonded onto my personal Live account and was hard and annoying to figure out how to remove.


Same with my spouse when she took a couple of college classes. Which was annoying but whatever until she was done. Then it was annoying pop-ups and alerts every single day because her account at the school was deactivated.


I’m not sure what people expect from anything associated with Microsoft. After literally many decades now of horrible Microsoft products and services that never ever reach the threshold (Excel possibly being the lone exception), why would anyone expect anything other than abysmal things from Microsoft. It’s what happens when you let a robber baron type corporation seize monopolistic control and there is effectively no real pressure to compete and get their things in order because there is a cultural assumption based on corruption/lobbying and the monopolistic lock-in will resolve any slight challenges.

I don’t mean to solely focus on Microsoft, but they are the dominant example in their domain and the biggest example in tech.

As a society it should have never been allowed to even be possible that things like the government, including public schools, become so captured by Microsoft’s disastrous ecosystem. People give Apple some justified flak for lock-in issues, but at least there it feels more like Apple trying to keep the horrors of especially Microsoft and Google at bay … formal dress required for entry.


C#, F# and Visual Studio Code have been fantastic in recent years.


MS fired all the MSR programming language people working on F# and C# a few years ago, so you can probably expect the trend of C# and F# improvement to taper off.


I had a very similar experience with my former employer and the proof of concept tenant they set up for Office 365.

My personal account was tied to that tenant, and whenever I tried to register an app - it was access denied. They even give you an option in the app registration interface in Azure: whether you want it to be in the company tenant or linked to your personal account. Regardless of what I tried, access denied. After a few weeks of this, I attempted to “Leave” the proof of concept tenant.

Yes, I clicked the scary leave button that tells you your data will be deleted. Access denied.

One of the options Microsoft suggests is to get in contact with the global admins to help out. Considering that tenant was abandoned 8 years ago, it was going to be difficult to get in contact with the global admins. I even contacted my former employer and requested they remove me. Their response? “We abandoned that tenant years ago, no one can access it”.

I created a support case with Microsoft for their Azure AD service requesting they remove my account from the tenant.

After some back and forth, repeating myself a few times, trying to explain what I wanted to do in multiple different ways, and a screen share, I still wasn’t able to leave the organization. The case was escalated, and eventually I got on a call with the support rep and a manager.

We went through the “leave the organization” process together, and miraculously, it allowed me to leave. This was several months ago, by the way, and no data loss with my personal account that I can tell (so far), although I can’t guarantee when you click that scary button, your data will be safe.

I’m not sure what technical witchcraft took place for this to happen, because it was the exact same set of steps I had tried 25 times before. My only point in this story is to say it would probably be worth a shot creating a support case with their Azure team, and being a squeaky wheel, in the behemoth cog that is Microsoft, that gets the grease.


I'm realizing more and more that relying on a large organization for a service where you are 1 of hundreds of millions of customers is a bad idea.

First, customer service will be automated or even nonexistent, and very poor. Secondly, the product will have been 'tweaked' so many times for new markets and product extensions that it will be very fragile when you do something at the edges of its functionality (not what the other hundreds of millions are doing).

It shouldn't really be this way - it tells a lot about software engineering that a product run by a few enthused people alone can often (but by no means must) have better support and service than a product with huge resources.


A father with a daughter that goes to a school, and the father has a Microsoft account, is nowhere near an "edge of functionality". Sounds more like Microsoft has a too-complex login system on their hands, one that needs a ton of backend rework to happen in order to simplify the system for the user (and the developer)'s sanity.

Also, a software engineering product run by a large organization is going to have tons more functionality under its much bigger umbrella compared to a small team with a much smaller product. Consider AWS vs Digital Ocean. Both great companies, but AWS's umbrella of offerings is vast compared to Digital Ocean.


> is nowhere near an "edge of functionality"

No, but something unusual went wrong and getting it fixed will be harder at MS than a smaller company. There probably isn't a single person who understands why without a fair amount of research. Without the publicity, MS would be inclined not to spend the effort to fix.

> Also, a software engineering product run by a large organization is going to have tons more functionality

This was exactly my point - the large product with tons more functionality will likely be more brittle, harder to use, and get support for if something breaks. If you aren't using that functionality, you often won't be well served by the company. I had this experience with EverNote. I'm also a very happy AWS customer, but I think that is because their products are a set of (fairly) independent products, rather than one huge system.


The problem is not that there is no one person, it's that the team that knows the details is insulated from end users by layers and layers of bureaucracy needed to keep them from being flooded in identical/trivial tickets to the point where they never get to look at the actual product they are developing.

With smaller outfits, the L2 tech support might actually have a line of communication directly to engineering, where in large companies there might be an L3-6 plus different product owners and escalation managers involved before a case gets in front of the engineering team.


Even in large companies it depends a lot on the product. For Microsoft, if something has an issue tracker on GitHub (e.g. VSCode, C#, Windows Terminal), the bugs that get filed there are usually looked at directly by the team that owns it.


Ah. It's because it's nowhere near the edge of functionality, I don't think something particularly unusual actually went wrong here. Mr Jeff just hit a bug. But because Microsoft is such a huge company, and fathers with daughters who go to a school is such a large segment of users (and because Microsoft is not as obtuse as Apple, where Apple pretends their software has no bugs), I bet there's already a product manager spinning up a customer service bulletin going out to reps to school IT departments and a team of developers to add the fix to a roadmap and fix the problem globally.

Or maybe the bug's just going to languish and our friend Jeff here is going to be forced to create a new Microsoft account.

--

As far as AWS' products being independent products. I have the opposite view, as their products would be rather useless if they didn't interoperate with each other. How useless S3 would be if it couldn't talk to anything else!


Google and Microsoft couldn't be further apart in their login architecture, and their distinguishing of personal and work accounts. Google does an excellent job, everything is unified and sensible. Microsoft, on the other hand, is a mess. It looks like everything is mishmashed together. Sometimes logins will fail completely and you get weird error messages which look out of place in a production environment.

Take but one bad example. If you look carefully, the sign in page for OneDrive is slightly different to the sign in page for other Microsoft services. It has functional differences too, namely, OneDrive's login page doesn't offer you FIDO2 passwordless authentication. Meanwhile, over on Google, everything goes through a unified login screen (accounts.google.com).


Google’s handling of multiple accounts is still terrible though since everything is based off an index in order of sign in. Share or bookmark a work link? /u/2 is embedded in it. If later the personal account was the second login, you’d get access denied.

They’re better at offering a switch account ui in some places but definitely not most.


If you're bookmarking, you can edit the URL and use `?authuser=foo@bar.com` instead.

So instead of:

https://mail.google.com/mail/u/1/#starred

bookmark:

https://mail.google.com/mail/?authuser=foo@bar.com#starred

The URL will be immediately rewritten as the proper /u/# for that user (which, as you say, depends on login order).

Not sure why it's like this, but I could see it being related to not wanting PII in the URL.
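The bookmark rewrite described in the comment above, as an added Python example that is not part of the thread or of any Google tooling: it strips the login-order slot from the path and pins the link to a named account with `authuser=`. The address and sample URLs are constructed, and the function is written to handle any Google service that uses the same `/u/N/` path convention (Drive, Calendar and the like are assumed to behave as Gmail does), not just the mail URL in the comment.

```python
"""Rewrite a Google URL that pins a login-order slot (/u/N/) to one that
names the account (?authuser=...), so a bookmark or shared link keeps
working whatever order the accounts were signed in. Added example for the
thread above, not Google code; the address and sample URLs are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Matches the "/u/<slot>" segment Google inserts after the service path.
_SLOT = re.compile(r"/u/\d+(?=/|$)")


def pin_to_account(url: str, account: str) -> str:
    """Drop the /u/N slot from the path and add authuser=<account> to the query."""
    parts = urlsplit(url)
    path = _SLOT.sub("", parts.path, count=1) or "/"
    # Keep any other query parameters; replace an existing authuser if present.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "authuser"]
    query.append(("authuser", account))
    # safe="@" keeps the address readable instead of encoding it as %40.
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(query, safe="@"), parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a Gmail "starred" view bookmarked under slot 1.
    print(pin_to_account("https://mail.google.com/mail/u/1/#starred", "foo@bar.com"))
    # Constructed sample: a Drive folder link that also carries a query string.
    print(pin_to_account("https://drive.google.com/drive/u/2/folders/abc123?usp=sharing",
                         "foo@bar.com"))
```

The fragment (`#starred`) is preserved separately from the query so the rewritten link still opens the same view; as the comment notes, Google will immediately redirect the result back to whichever `/u/N/` slot that account currently occupies.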


This is one of the main reasons I love Firefox’s “Multi Account Containers” extension. I can easily keep logins segregated and don’t need to worry about whether any given part of Google’s ecosystem plays nicely with their account picker.


Setting up Family Link and a kids account was not intuitive nor sensible at all.

Better than the MS Teams mess, but then again, it would be hard to make it worse than that.


My rule of thumb is to NEVER use a Microsoft account for anything unless I’m forced to. And then I’ll create a brand new account for each use case.

I so regret converting my Minecraft account. The old Mojang stuff was so much more reliable.


You didn't have a choice, right?


Correct. If you didn't mind having a Mojang account (small, indie, Swedish company; respectable privacy policy) but would prefer not to create a Microsoft account, your money is as good as gone and there is no way to play the game officially.


if you just want to play offline, the Prism Launcher still lets you authenticate using the old Mojang accounts. (which is not to contradict your claim, as it's not an official launcher).

I held out for a really long time, but a friend wanted to play minecraft with me so I finally caved. If they ask me to add a phone number I'll probably just abandon the account though, and look into piracy of the game I purchased.


After converting, my brand new MS account got locked for 'suspicious activity' within minutes. To get back access to the game I had paid money for, I had to... you guessed it: add my phone number.

Really makes me consider just not playing anymore.


Try Minetest instead. I particularly like the Mesecraft game for it.


For that reason I refuse Teams calls that require a login


> The old Mojang stuff was so much more reliable.

In what way? Does the microsoft.com login system go down often?


Reliability is probably about the same, but the Microsoft account signup process is a nightmare compared to the old Mojang system. There's like 4 different Xbox or game-like websites with slightly different usernames and they don't talk with one another and various features are scattered across all of them. Even flipping the switch that lets you join an online game is buried half a dozen menus deep in the bowels of the system and is labeled in a way that you'll never find it if you didn't Google for the instructions first. It's so unnecessarily complex and confusing.

The worst part is that some bot years ago signed up for the Xbox account using the same email I used for the Mojang account so converting the account first required me to take over the bot account with a password reset. But the bot set the account up in German and it's apparently impossible to switch the language settings for everything. I got most of it switched over (across four completely different configuration pages), but stuff like the emails are still sent in German. I'm pretty sure my account is going to be locked sometime in the future once they figure out that it was originally a bot account and there is no chance I'm going to be able to get my alpha Minecraft account back when that happens.


The Mojang accounts weren't great for security. No 2FA or anything (just security questions), and if you lost your account / it was stolen, you were pretty stuffed. The only way to recover it was to present the transaction ID of your purchase of the game to support, which most people don't have and you were never told to keep. I saw lots of people get permanently locked out of their accounts.

I guess it also doesn't make sense for them to maintain a parallel login system when the Microsoft one gets (presumably) millions of dollars of investment every year. Though Microsoft accounts are more complicated to use, with configuration being split across Microsoft, Xbox, and Mojang/Minecraft itself. And it seems they like locking people out for opaque reasons.


>The Mojang accounts weren't great for security. No 2FA or anything (just security questions), and if you lost your account / it was stolen, you were pretty stuffed. The only way to recover it was to present the transaction ID of your purchase of the game to support, which most people don't have and you were never told to keep. I saw lots of people get permanently locked out of their accounts.

It was in fact super easy to just search my email inbox for emails from Mojang and find the proof of purchase.

With MS I have 3 fucking accounts and not by choice, they bought Skype and Mojang and forced me into their super shitty system, I spent 30 minutes 1 year ago to migrate the Minecraft account and more than 30 minutes a few weeks back to log back into Minecraft because I needed to detective my way to figure out what Microsoft account they connected to my Mojang purchase.

I hope in a few years someone leaks what greedy motives were behind these forced migrations, probably to sell more shit.


The Mojang accounts were superior in every way in terms of security. Hahha, Microsoft is a huge attack surface. And with Microsoft, you also need to secure your account against Microsoft itself, which isn't easy, they will randomly extort previously unknown personal information like phone numbers to access your account. If you only have 1 number, and it's linked to a different account, you just lost your account.

I don't understand why people think a microsoft account could ever possibly be more secure.


As a random example, if your Microsoft account is OAuthed to a GitHub login, and you log in through that, the popup browser just takes you back to a Microsoft account settings page instead of handing the OAuth flow back to Minecraft


just like google, it might randomly lock you out based on heuristics or ask you to add a phone number to proceed.


Microsoft's organisation vs use of accounts is certainly a hot mess.. I'll be watching responses here and hopefully find out why my personal account sometimes says certain settings are managed by "my organisation".

What freaking organisation is always my response; I've never been able to figure it out.


It probably isn't actually "your organization". Some MS products just use that as a generic "this is disabled in some config or the other", (perhaps correctly) assuming that in most cases, it actually is turned off by the organization.

Very random example: SharePoint has a MS Word integration - you can open a .docx file from there, it opens in Word and you are actually able to edit the file on the server as if it was on your computer. At least in the older on-prem versions, this actually used the Word installed on your computer, not some web version. If you used a custom authentication provider, a little browser opened within Word and you had to log in there. But Word needed to "trust" the domain. On a personal computer, you could just edit the trust settings in some Word menu, yet the error message still said "your organization..." if you didn't.


By the way, if you are installing Google Chrome with Linux packages, it says the same. It frightened me at first, I was like, whose organization is managing my "google-chrome" install? Then I realized my organization was just the root account on my Linux vs installing Chrome a different way (Flatpak, manual install in homedir).


I've changed things in Group Policy (e.g., disable Bing/web search in Windows search) because there's no user-facing setting to disable some things and mine says the same. If you've done similar or used any debloat/privacy tools/scripts, that's probably the cause.

Additionally, go to Accounts in Settings and double-check that you're not logged into any "work or school" accounts.

The one thing I can't stand is that if you log into a non-personal Microsoft account in an app, there's a dialog that is very confusing[1]. It asks if you want to use that account everywhere on your device, but there's a box checked by default to let the organization manage your device, a button that says "Yes", and what looks like a hyperlink that says "This app only". I always uncheck the box before clicking "This app only", but I wonder if keeping that box checked would still enable organizational device administration. It screams "dark pattern" to me.

1: https://i.stack.imgur.com/gmp00.png

---

Just to add a tip for others: If you want to use Edge for the Windows optimizations and PlayReady support for streaming services, but don't want to deal with all the annoyances, you can disable many of them via Group Policy[2]. For example, you can disable the "Search Bing in sidebar" option that shows up in context menus[3] that I always seem to accidentally click when I'm trying to search for something I highlighted. I also use Group Policy to set the default search and homescreen settings because then it won't annoy you with the recommendation to set it to Microsoft defaults every time it updates.

Firefox is my main browser, but I use Edge for streaming Netflix and the like because I don't get 4K playback via Widevine. It annoys me because Edge would actually be a great browser if the Bing folks weren't constantly trying to shove things down my throat and filling it with dark patterns.

2: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...

3: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-...


A single button that says "Yes" with no question mark anywhere in the dialog is definitely a dark pattern.


I didn't even notice that the dialog title, "Use this account everywhere on this device", isn't really presented as a question. Thanks for pointing that out.

Windows is full of dark patterns, so I don't really know why I had even a modicum of doubt.


That's not even the title either --- it's just bigger text within the dialog. The actual dialog title in the titlebar is blank!

Between the aforementioned dark pattern with the buttons/not-buttons (they didn't even bother to vertically align "This app only" and the button), the not-a-question "do what we tell you" phrasing, the blank title, and a dialog that's overall around twice as tall as it needs to be, it seems recent Windows is unfortunately full of user-hostile and also disgustingly amateurish WTFs like this.


I'm assuming "deletion of your data" only includes any information that might be associated with the school... hopefully not the rest of my Microsoft account!

Whenever I see such a serious warning, I will almost always take a long period of consideration before proceeding. Remember that you're dealing with a company which acts like they believe you shouldn't own your computer. If a company with that attitude believes they should warn you about something, it's certainly serious.


It's infuriating too because they're foisting the burden of queuing / testing a backup onto the user and across the entire user base it's probably a massive amount of wasted time.

Also, Microsoft's UIs are filled with misused terminology. They use create, open, add, (delete, close, remove) etc. interchangeably. For example, in the OWA the process for removing a calendar you don't own is called delete.


If they offer no information, you can think as long as you want, you still have to make a random guess.


Over the years, an overwhelming number of services have been consolidated together. Whenever I require access to Office365 or Outlook, I find myself being redirected to numerous domains including msn, microsoft, live.com, and others that I cannot recall. The entire situation is chaotic and disorganized. And then, god forbid you have a problem.


> numerous domains including msn, microsoft, live.com, and others that I cannot recall.

Don't forget the OG domain, hotmail.com


And their newer, suspicious-looking domains:

1drv.ms (OneDrive file sharing)

microsoftonline.com (something to do with Azure)

b2clogin.com (replacement for microsoftonline.com)


live.com

outlook.com

Windows Store

xbox

Skype

Families

Office 365


I added my daughter's school account in Teams on my phone so I could submit her homework.

Later, I filled out my taxes in Excel and saved them.

It had uploaded them to my school's default OneDrive shared folder. It never asked me if I wanted to use that account as my default, and never told me it had changed accounts. It took me 10 minutes of nonsensical "file is locked" messages before I could delete my private data from my school's drive.

Some apps such as Microsoft Authenticator won't even let me remove the account.


If you're on Android, Microsoft Authenticator shows accounts that are registered with the Android system. To remove one, in Android itself go to Settings / Passwords & accounts.


Thank you! That's removed my account from all Microsoft apps, including Teams, but that's probably better than the alternative.


Am I the only one who uses browser profiles to separate my personal browsing from work or other organizations I'm a part of? When I mention this approach to people they give me a strange look like I'm crazy.

In Chrome you just create a new profile for each identity you have. If you're opening random incognito windows or using different browsers all the time to log in with different identities, you should be creating profiles instead. Everything is separate including bookmarks, sessions, cookies, extensions, etc.


For Firefox users, Multi Account Containers are definitely the way to go.

https://addons.mozilla.org/en-GB/firefox/addon/multi-account...


I use separate browsers for work and personal. On a work machine, my personal stuff will be in Firefox and my work stuff in Chrome/Safari/whatever.

It's just easier for me to manage that way. That being said, my work google account is connected to my personal phone which is probably gonna mess me up at some point.


I go even further, corporate laptop for work, personal laptop for personal stuff.


A dedicated laptop solely for work is basic CYA and good practice, everyone should do it.

Yes, even if work doesn't provide a laptop for work purposes and you need to furnish your own. Same goes for phones, etc.

It might be expensive to maintain dedicated hardware to cordon off work from everything else, but it's still cheaper than if you hadn't and the inevitable biological waste impacts the aerodynamic wake generator.


I used to run Qubes on my laptop with one dedicated VM for school. However, I had to change to Windows for a multitude of reasons. Might work for some though, and certainly cheaper than dedicated devices.


I go even further. Two completely separate households - one for work, one for personal.


Insert obligatory Severance joke here


Essential if you are an employee. Same machine may be ok as a freelancer.


This is the way.


Not far enough. I have a dedicated internet provider subscribed to a place I rent specifically for work whose address I only use for work purposes, 3 states over. THAT is the way.


I take the next step, Vivaldi for personal and Chrome for work profiles. Firefox for non important profiles.


We don't know exactly why the account got taken over, but I doubt using the browser login would have prevented this (school azure taking over whatever microsoft account was logged in).

Also, Google tracks you across all websites once you login to the browser (even if you don't use google login on them). If they weren't tracking you, using the browser profiles would be great.


> It was created when I transitioned my Xbox LIVE account to a Microsoft account on 2014-03-07 (the LIVE account was created back in 2006, and neither it nor my Microsoft account were ever joined to any other domains).

Hoping this raised issue helps clean up some of the mess, I find it fascinating how byzantine Microsoft has become.

I also have a Skype account that became some other account, but was using the same email as my Mojang account that got ported to Live accounts. I kinda hope everything is neatly bound in the backend as I login through the live.com portal, but it feels like a miracle that it still works at all.

It was the same kind of fun trying to log in to Flickr with an old converted Yahoo account. Or dealing with Amazon after merging multi-country accounts.


> Or dealing with amazon

Amazon used to allow having multiple accounts with the same email, but different passwords. And don’t ask what happens to personal accounts that get accidentally invited to corporate accounts via email addresses formerly used for the personal account.


Yeah, at some stage I had accounts on Amazon.de, Amazon.co.uk and Amazon.com with the same email. My .de and .co.uk accounts eventually got merged (no notification, just found one day I needed to start using my .co.uk password to log into .de), but my .com one is still semi-separate and I need to go to amazon.com to manage my Kindle ebooks still.


I think it's still complicated. I wouldn't try to play too much with it, but you can use the "same" account across each of their national portals except parts of it seem to be local to the country, and many Amazon apps don't have a notion of country (e.g. when logging in to the Prime app you only use the email and password, and it guesses from there. It actually finds the right item from an app downloaded from a different country's app store).

I made a point to separate mail addresses by country to avoid getting hosed, but I'd imagine the fun trying to access Prime or kindle purchases from an account that has them in multiple national stores.


Large corporations with a captive market inevitably reach the digital bureaucracy stage, where the exaggerated mass of their workforce breaks under its own weight, and they become inept at doing basic things.

This is a great thing for small startups, else we would only have a single huge corporate conglomerate doing everything with cutthroat efficiency.


It's not just the company bureaucracy, it's also laws and regulations. It's great to be a startup in the US where you have a large and fairly rich customer base. But when you go international and have to deal with all the myriad laws there, often contradictory or poorly defined, your code will be messy. Very messy. Plus these laws keep changing and your customers keep moving to different jurisdictions or giving you wrong information.

Add to that various attempts at fixing problems, adding features, partially removing unsuccessful features, supporting old systems, framework/library migrations in various states of completeness, different developer's ideas of how to do things, and that rockstar developer who wrote really obscure code and then left to grow pomelos, and you have an incredible mess without even having to bring in company bureaucracy.


That is absolutely insane and one of many reasons I hate microsoft with a passion.

WTF kinda power trip are they on when they let domain admins just pwn accounts like that? How did OP end up in this situation? Was his email just on a distribution list and usurped that way? I don't get it. And I find it kinda freaky.


My kids' school and high school use Teams for some stuff. I have to use it occasionally for work too. The thing is that it's nigh impossible to simply log out as one user and back in as another, so we have to take a lot of care of who used this or that device last. And don't get me started on the nightmare that is dealing with Minecraft accounts older than the Mojang acquisition. It's not only Microsoft. Trying to subscribe to third party stuff like Just Dance on the Switch is a Kafkaesque experience that I couldn't solve. My daughter is angry with me for giving up.


My son gave me a hard time for Valorant secure boot requirement on Windows 11 (but not 10). As a triple boot user (Haiku and Linux), secure boot is a no go on my box, since I reboot frequently.


I assume most anti-cheat systems will sooner or later require Secure Boot and TPM, which makes a lot of sense. Additionally, it's more secure to have them enabled, and similar solutions have been used on iOS/Android/macOS for a long time now.

Many Linux distributions have signed bootloader and kernel, to support secure boot, but otherwise I think you could either add your own signing keys for the Secure Boot, or chain either Linux or Haiku from a signed grub bootloader.


To solve the Teams stuff, couldn’t you just use separate OS accounts?


Some company that offered services to us used Azure AD for their authentication into their portal, so when you registered with them it actually created an Azure AD tenant. The user was not aware of this, but this started to become a real headache not only because users could apparently create Azure AD tenants out of nowhere, in some weird way I still don't understand, but certainly through user interaction, other users that had nothing to do with that portal also got added into this Azure AD! It took some shady workarounds to get control over this rogue Azure AD tenant and clean up the mess it caused. At this point we keep the Azure AD around not because we want to use it, but to stop anyone else from creating one with one of our domain names.


I dodged a somewhat similar experience with Zoom. Took a contract with a company, and they tried to adopt my personal zoom account into their organisation (I was a contractor, so I was using my own email address while working for them). Fortunately I realised this might be annoying down the road and sent them an alias to use instead, but I imagine other people could get into strife - not that a Zoom account is a big deal and they seem to have better processes in place so it's possible it's easy to resolve, but it could easily cause a headache for a less tech savvy user.

In general, be careful what you click agree to (I know, I know)


I can't say for sure about your issue, but I have seen very similar before, and what has likely happened is that your personal email was added as an alternate email in their tenant; sometimes this is for account recovery or MFA.

If you have your daughter log in to her school account and remove your email from her account, your account will revert to a normal Microsoft account.

You will however have very limited access to azure with a personal account, and doing things like registering an app is going to be unlikely unless you have your own tenant, or added to some other tenant.


Is this a surprise? I assumed everyone's experience of Microsoft accounts was something like this. Every single detail seems designed by someone who read Kafka and took the wrong lesson out of it.


I really hate comments like this. What exactly do you expect to achieve by saying "Well of COURSE this thing is awful. You should have known that."

Just accepting every horrible thing in the world must be so sad.


You don't need to accept it. Just don't use Microsoft. (If your school forces you to, create a throwaway account for that, and let the principal know that you are not a happy customer)


And then your child has a Mojang account, and then you can't use Minecraft because the throwaway account is associated with your phone number, and it's tied into the Active Directory of .....

This sort of scenario. Or a million others.


Having an account for your child's school is kind of a necessity. Using Minecraft is not. It seems to be a nice game and children like it; it sucks that Microsoft bought it. Still not a good enough reason to use Microsoft.


That's why my kids now play MineTest. Despite having bought them Java Minecraft before that was an issue. Shame the money was wasted. Product changed. Ought to be able to get our money back.


You jump to questionable conclusions here. They just meant that Microsoft messing something up to this degree is not a big shock to people who already had MS related issues.

Some of their designs are downright malicious (like locking the email account until you give them your phone number), more often it's amazingly bad software/UI, and sometimes they'll ruin your weekend by rolling out a Windows update without asking which wipes your partitions or throws bluescreens on boot.

I decided a while ago it's not worth it for me and stopped using as much MS related stuff as possible, and I'm glad I did.


Yep, Microsoft likes to merge accounts, up to five if I am not mistaken.

So usually pressing the wrong option while logging in with a new one and existing cookies from another one can land you in this mess.

Usually the only way out of the mess is somehow via Microsoft support, which I only saw being successful via MSDN sales contacts.


Two of my experiences:

Some years ago, my Android tablet could only read my work's Office 365 mail if I allowed a Microsoft app to reconfigure the security. Next thing I know, I can only log in on it with my work AD account. But the WIFI is disabled, I can't enable WIFI without logging in, and WIFI is required for the AD logon process. It took a factory reset and complete erasure to pull it out of that one. Lost a good (paid) app in the process. I also learned the corporation can remotely erase the tablet whenever they like, and neither their security nor their hardware team were good at thinking through the consequences of their actions.

Second was a Teams install used by me and some other people to videochat each other. One day, the school invites us to a meeting, after which Teams decided the account now belongs to the school. Meetings with another institute were now impossible, as Teams' tiny brain could not allow the school and the institute to mix. For now, I deal by creating a new Microsoft account for each meeting, and nuking the Teams install afterwards.

My general attitude with microsoft is now: On non-MS browsers, delete all caches and settings when done, or use a different profile. On non-MS OSes, delete any login account they touched. When using any MS system like edge or windows, require different physical or virtual computers for each identity, they will leak into each other.


Despite the implication of malice that other comments seem to be directing at Microsoft, this just seems like a bit of an oversight (i.e. inexperience) on behalf of the school’s IT team.

Nonetheless, I would have expected MS to ensure that the process includes clearer guidance for the account owner, and for deliberate decisions to be made by the school to enable this type of action.

They did a very good job of providing clear advice to BYOD users during the MDM onboarding process in InTune, and it’s confusing that this didn’t occur in this case.


> this just seems like a bit of an oversight (i.e. inexperience) on behalf of the school’s IT team.

No matter how inexperienced they are, it shouldn’t be possible to put an external Microsoft account into this weird state without the account holder’s permission. And the “leave organisation” button shouldn’t leave the account in some weird unrecoverable state.

This all reeks of sloppy product design on Microsoft’s part. Is my Microsoft account one bad domain administrator away from being taken from me? That’s unacceptable.


> this just seems like a bit of an oversight (i.e. inexperience) on behalf of the school’s IT team.

The school's IT team should never have had the means to do that.


Yea why would some random school's IT be able to add some random account to their org?? That's a rights/policy issue that needs to be addressed.


But the school's IT team shouldn't have been able to do this! I don't ascribe malice to them, but if, in the regular course of me doing my every day normal business at my bank, their website ended up with me taking your money out of your account somehow, the blame wouldn't lie with me or you, it would be the bank's fuckup.


I agree that it's not malice, but it's not 'a bit of an oversight'.

It's a long-time pattern of behavior from Microsoft about their utter lack of any care or thought for how to manage their MS Accounts system.


>malice that other comments seem to be directing at Microsoft

Giving such permissions to a 3rd party could be just a gross incompetence instead of malice. Yet, it should never happen.


Microsoft caring so little about what they do to their users IS malice.


How does that work? Is there some evil villain at Microsoft, twirling his mustache, maniacally laughing himself to sleep because Mr Jeff here can't create an Azure app? This is a case for Hanlon's razor.


If we take the legal definition of malice then it might. I like this definition of malice[1]:

> malice is a condition of the mind which shows a heart regardless of social duty and fatally bent on mischief, the existence of which is inferred from acts committed or words spoken.

Negligence and recklessness are often considered acts of malice, especially when stemming from wilful blindness.

The mischief here is the problem with the account, we (those commenting on this page) have no confidence in Microsoft to improve it (they are fatally bent), as they clearly don't consider it a social duty and are surely wilfully blind to it. Does anyone here think they want to know, let alone care?

[1] https://thelawdictionary.org/malice/


For every policy and priority there is one or more humans somewhere who decided them. They aren't sourceless and unaffectable natural phenomena like the weather. A person somewhere knowingly decided them, and continued to do so in the face of plenty of argument. It doesn't require Ming the Merciless mustaches, it only requires normal differences in priorities.

One wonders why one would pretend not to know this.


Yes, it's confusing that the UI doesn't highlight that "Jeff's MSA" and "Jeff's MSA at This School" are different accounts when it makes statements about the school owning the account. By adding him, the school set up a "Jeff at This School" account (a unique ID inside their Azure Active Directory) which Jeff can access using his MSA account. They didn't take any ownership over his MSA, but they do control the data for his school account (i.e. anything he creates in their Azure Portal, SharePoint, etc.)

And then Jeff is confused about the state of his account. Keep in mind that he's using a developer tool (the Azure portal) and account federation is not a beginner-level feature of Azure AD. There are sharp edges. He just jumped to a lot of conclusions and wow, the FUD level on this comments thread is off the charts.

I know this because I set up an OAuth2 based web portal for my friends to access my Minecraft server using Azure AD B2C and by god the hardest part was figuring out how to explain the login experience to users, and disable the secondary 2FA requirements for MSA/Gmail users (because I know my friends are smart enough to use 2FA)


Maybe, but it's a behaviour that shouldn't be possible to happen. If I have a personal account it's my account, and should be considered distinct from the account of a school/organization, there shouldn't be the possibility that joining one of them will limit what my account could do.

That is a personal account shouldn't even be possibly converted into an AzureAD one: if you want it's another account, with another email and another password. This possibility of mistake should never happen.


Microsoft auth and billing is infuriating. I once made the stupid mistake of signing up for a trial of Office 365 through an account managed by a company I was doing contract work for. We were developing a Teams app. Anyways, I used my personal credit card for the trial, completely forgot about it and finished that contract. After a while, that company was bought and merged with another, basically disappearing as far as their own infrastructure goes.

The trial ended, Microsoft start charging my credit card, and it was literally impossible to stop it without access to the account that was managed by the now defunct company. While it was pretty hard to talk to an actual person, I did twice, and after months of back and forth via email, I was advised to just do a charge back with my credit card company. Microsoft (probably automatically) disputed the chargeback, and I spent many more weeks disputing the dispute, having to prove to my credit card there was no way to cancel and Microsoft actually told me to do a chargeback. I'm sure I'm somehow banned from Microsoft accounts using that credit card, although I've never tried.


I had similar problems with Microsoft's accounts starting with MSDN many years ago. What I do now is create a new email account when I need to access Azure on behalf of a client.


Somewhat related, just last week someone from my company's IT department contacted me about adding my work MacBook to some Microsoft spyware scheme so they could start administering it, and he was very stricken when I didn’t want to do it. At the start he tried to get me on board with carrots like being able to print - an activity I haven’t performed in over five years. And it ended with “this is our policy”.

I told him good luck coming all the way from India to wrestle my laptop from my hands. Don’t know if this will end with me looking for a new job, but what I know is that I won’t be installing whatever crap they are pushing. I am an adult and know how to admin my own computer.


As somebody who worked in IT before and who had to wrestle a bit with policy in the past - I recommend you don't see your work MacBook as your "own computer". Because it's not. The company shouldn't restrict you from doing your job, and reasonable and competent IT departments know which users need what access (including root access) to perform their role, but they do also have a duty to the company and its equipment and frankly have the right and reasonable need to install admin tooling.

Try and see it from their perspective.


> I recommend you don't see your work MacBook as your "own computer". Because it's not.

This entirely depends on whether the company supplied or paid for the device. Given they're trying to install MDM after the fact, it sounds more likely to me that they didn't. In which case if they want that level of control they should buy their own company equipment.


>Try and see it from their perspective.

Just no. Our IT department is 100% Windows focused. I can't get help with anything that isn't "a Windows problem". I can't get ports open in the network, I can't get simple things like mosh to work, because again it is not "a Windows problem", so I am not going to let them screw my perfectly fine machine with some Windows bloatware. There is a reason why no one in dev is running Windows.

This actually is a hill I am willing to die on. If I can't use my machine how I see best then I can start accepting any of the interview offers my spam folder is full of.


From their perspective:

Worker cost 50 money. How company get 50 money? Worker not work so much, maybe? How to quantify? What if spy? Company tell IT monkey to give developer monkey spy. Our computer, company can do a little spy. Company catch smoke break. Company catch walk break. Company give worker "performance improvement plan." Company fire worker. Company now have 100 money. Company smart. Company efficient. Company legally protected from retaliation. Company give executive monkey 30 money as reward for small overhead. Company offer manager monkey 7 money. Company offer IT monkey 3 money. Company brag about in annual report.


It's not merely about who owns the device though. It is also about the environment a person has to work in and that, I would say, is more relevant here. Do I want to be spied upon while working? No. Do I want to feel like in a surveillance state for 8h of my day? Do I need this feeling in my life? No and no.


I had the same problem recently. Just ended up buying a new computer just for work stuff. They pay me a lot so I can afford to buy M1 Air which is still really really fast.

Is it ecological? No. But the compliance beast must be fed. So fine.


If an employer requires device registration (MDM etc), they should provide the hardware.


Even then what is the purpose? Say IT department closes VPN to some Windows proprietary solution. I am just going to get a laptop from work that only runs the VPN and pipe my actual working machine through that laptop.

This is exactly the kind of waste we should get rid of, but sadly this is exactly what we get by offshoring IT into India where people just do exactly what some consultant tells them to do without any critical thought if it is appropriate or not.


Yeah well, they should, but again they pay so good that it’s not really worth arguing about.


My work laptop has a weird combination of a personal Microsoft account that (I think) is linked to the Windows licence, and a corporate account that is linked to O365, SharePoint, etc. Office works, as does OneDrive [1], but I've never been able to access SharePoint (probably not a bad thing). Azure just doesn't work for me, and even Microsoft support couldn't figure out why.

I'm usually pretty positive about Msft but their identity stuff is a mess.

[1] except that I have two OneDrives that appear to form a Venn diagram with a partial intersection that I can never quite figure out....


You can have multiple OneDrive accounts on the same computer, I personally never have issues with it (I have three).


Yikes. Lots of weird auth-related news coming out of Microsoft in the past week or so. A coworker shared this vulnerability disclosure the other day: https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-...

I’d be curious about a follow up if the author ever figures out how the account takeover happened. I wonder if logging into the account on a school device resulted in automatic enrollment or something.


We have a similar issue with Google:

Our team has a Google sheet with some scripting that uses the data in the sheet to generate data to another system. This needs to be run using the company Google account.

Now someone opens the sheet, runs the script and it just doesn't work.

Why? Google just randomly decides to pick one of these:

- The personal Google account the user has logged in to
- The account used by Chrome
- The company account

We haven't found a pattern to this yet. It works better for some people and worse for some depending on the time of the day, position of the planets and maybe a third unknown factor.


Do people bookmark this script with the `/u/0` or `/u/1` URL component that depends on login order? See the comment elsewhere in this post about "authuser" which might help.


I had the same thing happen to me, just because I was added to the parent mailing list for my kids’ school. I wanted to try an Azure service (Codespaces), but was denied.

It took a lot of back and forth with the school's admin to figure out what happened. I was able to get my account released, but I wasn’t brave enough to try what Jeff did.

Like Jeff, this did not leave me impressed with MS Azure at all. How could joining (or being added) to a mailing list imply you are now part of an organization? How does one go from LDAP to that hosted AD mess?


I'm guessing hosted AD saves an organization $X/month in consulting fees with an added promise that "Microsoft will be able to keep this thing online better than a machine in your building."

It brings plenty of other headaches though.


I can already see a bunch of managers aggressively giving orders to implement account organizations while deflecting all questions from the ones implementing it.


With the mess that is Microsoft accounts system, I'm not surprised to hear this.


Why didn't you just click Change Directory in the Azure portal and go back to your personal AzureAD where you can create your app registrations?

What has happened here is that you have essentially two accounts: One is your consumer MSA, and the other is an account in the school's Azure AD instance that uses federated sign-in with an external account (your MSA). Except, the real mess comes from the fact that there's one login page for both, and sites such as the Azure portal that support both identities and can't really tell which one you expect to assume. Plus, the Azure portal lets you switch between Directories at any time.

You can:

* Sign out completely (login.microsoftonline.com/logout.srf) and sign back in. The reason the sign-in page asks for your sign-in email first is because then it uses that to decide which directory (MSA or someone's AAD) to sign you into

* Change directories - (in fact I'd recommend creating your own Directory instead of using the one that was automatically created for you from your MSA name)


If you want to see a real mess:

* Create a consumer MSA based on a Gmail account

* Invite that MSA into an AzureAD directory

* Try to sign in as that user to that directory.

Good luck!


It is a mess and there is more to it.

I have 2 Microsoft accounts on the same email address, one is a personal account I created ~10 years ago and one that appeared out of the blue a few years ago. The second one seems to have been created by my employer; when I try to log in it reroutes me to the job 2FA. The weirdest thing was when I tried to schedule an exam with Microsoft and it appears as free on the work account, for some reason, but not free on my personal account.

I also had OneDrive set up on my personal desktop. After years of working well, one day I got an error and I had a look: it merged my personal OneDrive with the work one, so my Witcher 3 saved games were on my company's storage. I guess this happened because I tried to add my work account in Outlook to read email on that computer too. Since then, I am doing all the work related tasks in a Virtual Machine with a local Windows account and no email, no Teams, no OneDrive, etc.


Similar thing happened to me.

Worked on a project for a big bank. My work email was given access to their Active Directory or whatever for certain sharepoint folder access.

My work machine is signed into my /personal/ microsoft account for login, and then also signed into my work-personal account (i.e. MS account with my work email, but a self created personal one - we're not an MS company).

At some point I was kicked off my Xbox, had to do a password reset dance to get access again, all because Big Bank's password expiry policy somehow leaked into my personal MS account thanks to being signed into both accounts on the same pc.

And now, my company got an Active Directory for us, purely to make interfacing with other MS-powered clients easier. Imagine the nightmare of my work account, originally created by myself, and the conflicts with my new "work or school" AD account. It's such a mess.


This is potentially illegal hacking by the letter of the law. You can have a lawyer send a restraining order, and if they don't fix this take it to court. Of course they will then be forced to in turn sue Microsoft, who may discover the court orders all auth turned off until they can fix this.


I think something similar happened to my Google Cloud account. I used to run some websites and CIs for some small clients, then I got a gig for a bigger client and they included my account into their organization. It wasn’t as crippling tho and also easily reversible.


A few years ago I got an email saying that an unknown Microsoft account had been renamed from one of my email addresses to a new email address I don't own.

It appears that someone was able to link an MS account to my email with no verification, then rename the account, again with no verification.

Best case is that it's someone who used my email as a recovery email for their MS account and changed it. But with the mess of MS accounts, I'm always nervous they've got some residual control of my real account which is also linked to that email.

Unfortunately I've never been able to get confirmation from MS that things are OK. There are plenty of questions about this particular renaming issue on the web, but no answers.


At my previous employer, a mid-size company that used a lot of Microsoft products, my team had a developer intern go the ENTIRE SUMMER without access to Azure DevOps (source code, CI/CD, etc...) because he got some weird error when he tried to sign in. His account was cursed or something. Microsoft support apparently couldn't fix it. Our administrators couldn't fix it. Dozens of hours were burned on this issue, and I think he ended up just coding at someone else's computer since we pair programmed most of the time. The funny part is he joined another team full-time later on; they must have finally resolved it somehow.


Well, I found that I am mostly using my Linux desktop specifically because it doesn’t require me to obligatory sign in into the services I don’t want to use. Unlike Apple, Microsoft and Google.

And also this is why I don’t use Ubuntu anymore.


Apple, fortunately, doesn't require any account signins to use anything that comes out of the box on a Mac, iPad, or iPhone.

I know this because I have one of each running in my home with no associated cloud accounts whatsoever.

They do nag you a bit (not aggressively like Microsoft, who is like "are you sure you want a terrible experience using this computer?"), but it is entirely possible to be productive outside of the iOS ecosystem, which does require an account to load apps.


A large number of software engineers, even those at rival companies, actually use Macs for their work. If Apple forces those users to set up an online account for basic functionality, I'm sure Apple would lose so much business, because those companies aren't going to want to deal with iCloud.


I couldn't find the link back to an issue I've filed about auth in Teams, but certain authentication issues are specific to using iOS and do not exist on Windows... Namely, when invited in an organization, I cannot connect because I have a free personal account, but only on iOS. Windows and web are ok. Support tried to sell me a paid account, of course. As a freelancer I've lost a full day of work at the beginning of the pandemic due to this; thankfully I now have only one client (a school too) using Teams so I don't have to switch accounts.


I had an interesting situation a while back where my then corporate login appeared amongst my personal Microsoft accounts as possible options to log into upon installing Microsoft office iOS apps on a personal device - given that org’s corporate policies don’t allow logging in that way I could fathom how it was appearing (it might have been linked to once trying to use Authenticator for 2FA) but it was a bit odd seeing it as a prompt on downloading a fresh iOS Excel. It seems to have stopped now but was a bit odd!


I've never heard a single person who had positive experiences with Microsoft's cloud services (OneDrive or One*) and yet, every organization seems to be slowly taken over by it.


> and yet, every organization seems to be slowly taken over by it

Microsoft Office is a big deal. It's where the worker lives.

This is because Google didn't spend the money to make workplace software better than Office, only clunky web apps; while Microsoft spent the money to make web apps (nearly) as good as the workplace software everyone uses.

Google chose not to displace 80% of features of the incumbent, while the incumbent added the 20% Google had thought was enough.

So 85% of business workplaces and workplace users are O365/M365 workplaces and users.

Btw, if you make SaaS and don't support "Login with Microsoft..." or their (very easy to integrate) SAML SSO, you're leaving 85% of your TAM on the bench.

See https://www.xsplit.com/user/auth as an example of a sign-in that enables every workplace and identity.
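One caveat a security engineer would attach to "just add Login with Microsoft": the identity platform is multi-tenant, so if your app accepts any token that carries a valid signature, a personal Microsoft account or a user from a tenant you have never heard of can sign in as well, which is the same account-mixing problem this whole thread is about. Below is an added Python example (mine, not code from the comment author, xsplit or Microsoft) showing the tenant checks that belong in the validation step. Real ID tokens are RS256-signed with keys fetched from the issuer's JWKS endpoint; to run offline this one is HS256-signed with a constructed secret, and the client id and school tenant id are made up. The MSA tenant id constant is the real well-known value.

```python
"""Tenant checks for a "Login with Microsoft" (OIDC) ID token.

Added example, not code from the comment author or from xsplit. Real tokens
from the Microsoft identity platform are RS256-signed with keys published
at the issuer's JWKS endpoint; to keep this self-contained the token is
HS256-signed with a constructed secret. The client id and school tenant id
below are made up; MSA_TENANT_ID is the real well-known value.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Well-known value the v2.0 endpoint puts in `tid` for personal Microsoft
# accounts (consumer identities), as opposed to a work/school tenant.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (stand-in for the RS256 tokens the real IdP issues)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secret: bytes, client_id: str,
                   allowed_tenants: set, now: Optional[int] = None) -> dict:
    """Verify signature and standard claims, then pin the token to a tenant.

    The tenant checks are the part a multi-tenant app most often skips:
    `tid` must be in our allowlist, and `iss` must be the v2.0 issuer for
    that same tenant, so a token minted for one tenant (or for a personal
    account) cannot be used to log in as a user of another.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":          # pin the algorithm, never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    tid = claims.get("tid")
    if not tid:
        raise ValueError("no tid claim")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer does not match tid")
    if tid not in allowed_tenants:
        kind = "personal account" if tid == MSA_TENANT_ID else f"tenant {tid}"
        raise ValueError(f"{kind} is not allowed to sign in here")
    return claims


def demo_outcomes(now: int = 1_700_000_000) -> dict:
    """Run the validator against three constructed tokens; returns a summary."""
    secret = b"constructed-demo-secret"
    client_id = "00000000-0000-0000-0000-00000000cafe"   # made-up app id
    school = "11111111-1111-1111-1111-111111111111"       # made-up allowed tenant
    base = {"aud": client_id, "exp": now + 600, "sub": "user-1"}

    ok = sign_token({**base, "tid": school, "iss": f"https://login.microsoftonline.com/{school}/v2.0"}, secret)
    msa = sign_token({**base, "tid": MSA_TENANT_ID, "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0"}, secret)
    confused = sign_token({**base, "tid": school, "iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0"}, secret)

    results = {}
    for name, tok in (("school", ok), ("personal", msa), ("issuer_mismatch", confused)):
        try:
            validate_token(tok, secret, client_id, {school}, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo_outcomes().items():
        print(f"{name:16} {outcome}")
```

The two rejections are the interesting ones: the personal-account token is structurally valid and correctly signed, and only the `tid` allowlist keeps it out; the third token has an allowed `tid` but an issuer belonging to a different tenant, which the `iss`/`tid` cross-check catches. In production you would swap the HS256 verification for RS256 against the tenant's JWKS and keep everything after it unchanged.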


Microsoft's auth is needlessly aggressive at all edges - I had a Windows 10 gaming PC that I didn't create a live account for. Everything works fine, until I install Halo Infinite via Steam and have to log in with a Microsoft account which then causes the OS to also login with the same account. Absolute insanity that this is even possible.

At the end of the day it's something I'm more disappointed than upset about. It's scammy, gross, and reflective of a company playing catchup by force.


This has the feel of a Kafkaesque nightmare with a large serving of incompetence. There are some serious screw-ups going on here. Do they have QAs? What kind of tests do they actually do?


Starting with Windows 10 they just made their home users the beta testers/QA.


What I find hilarious about this is, if you were an Exchange server admin around the time Exchange made the "web" swap from 2007 -> 2010 -> fully EAS web managed by 2013, the guys like me were following Microsoft MVP articles on re-hosting Exchange for separate orgs on the same Active Directory infrastructure, with UPNs (basically the email) as the major identifier.

It's funny because Azure seems like it's just a hacky scaled-up version of what MSPs were doing with hosted Exchange 15 years ago.


Not directly related to account issues, but I have one (and only one) password saved in Microsoft Authenticator and I can't delete it since ~3 years ago, every time it just says "Cannot delete password". I hope one day some engineers at Microsoft will notice this error in their logging system and fix this bug.


I've had coworkers locked out of their personal Google Accounts all because they or their child logged into a school google account on their work laptops while also being logged in on their personal google account on their work laptops.

It's a pain in the tail to resolve, but it can at least be resolved without calling the school.


Something similar happened to my personal Atlassian account.


I gave Atlassian my school email address as verification that I worked at a university to get a free Bitbucket account. Ten years later, they not only locked me out of the Bitbucket account, gave access to someone at the university, and then refused to tell me what they'd done; they also gave my Trello account to them.

The thing about the Trello account is that I used a non-school email account for that. I never at any point gave them information about my school account. I opened the account on the day Trello was announced, when they didn't even have paid plans. I'm guessing they were able to link me somehow, and they used that information to give my account away.

Clearly Atlassian is not a company that should ever be trusted with important data. In my case, if I had any information about grades in my account, it would have been a violation of FERPA. You can't casually hand out that information to random strangers.


My limited personal experience with Microsoft accounts mirrors the anecdotes elsewhere in the thread.

HOWEVER, the article glosses over the real story: a child obtained complete, unsupervised access to the author's computer, and wouldn't you know it, they broke something.

I suspect there would be far less interest if the headline read "my kid ordered $20k worth of Robux and I can't get a refund".


It is for this very reason that I have a half dozen Microsoft accounts, Google accounts and so forth. Using your personal accounts for any business purposes is likely to end up like this sooner or later (when the provider decides to change some organization schema).

Given the advent of and ease of use of password managers, I'd rather just have another set of credentials than risk the inconvenience.


Let’s see if Bing Search AI can fix this for Jeff?


Since most of the relevant training data is likely to be punters kvetching about Microsoft, it'd be amusing to see if this would propel it into an angry rant about its boss.


Am I missing something or where is the part where he contacted the school or spoke to his daughter about it, _before_ writing blog posts and getting on Twitter?

It's strange to me to take the discussion like this to public forums before talking to the people involved. It could be his daughter "gave" it to the school as an act of generosity for example.


It happened during the weekend, so none of the school administrators are around to help - but that's not the worst. Such behavior should not be possible and his daughter should not be able to grant such permissions either. The school =should= know it's not a kid's account to begin with. None of the blame should be attributed to the school but Microsoft - there is no feasible way for the person to reclaim his account.

In short - you are missing a lot.


The solution is definitely to find someone in the school IT who can help unravel this mess.

But the fact that it's even possible to reach a failure state like this is still worth public discussion. You're probably right, odds are his daughter hit "okay" on some screen... but it shouldn't even be possible to irrevocably hand over the keys to a private account.


>It could be his daughter "gave" it to the school as an act of generosity for example.

That shouldn't be possible in the first place.


I remember using Outlook on iOS a few years ago. I had an Outlook account that has a secondary address, a Gmail, which I can log in with. Now if I log into that account, I cannot use Gmail with that Outlook. This is how messily accounts are handled by Microsoft and it's why I'm not so surprised by the article.


Oh, that's nice of them - now you can stop using a "personal Microsoft account", which is really not something you want to have.

Too bad that they didn't let you make a copy of what you had - mistakenly - stored on that account though.

PS - Suggest you don't make the mistake of replacing that with a personal Google account.


I may have jinxed it; the other day I was thinking how impressive it is that Microsoft handles their decades-old AD/Azure/Live/Xbox/etc auth systems and that they all work together well.

In this case, is there another company with a similarly old and complex auth system that does exemplary work?


One of the magical things microsoft has accomplished is that governments and corporates trust them so much.

Some kind of Stockholm syndrome.

Here in the Netherlands they somehow have convinced local governments (like cities & provinces) that working with them is still GDPR compliant, even though they should only work with EU-based companies to store data. But other companies like DigitalOcean, AWS and Google Cloud (especially Google is evil) are not GDPR compliant.

As a dev learning web development when IE was still a thing, I still have horrible experiences with them.


Microsoft is well known to not take security seriously at all. Some years ago people were able to contact Skype business support and change the password of accounts as long as they could tell them some of the contacts and the email of the account. Absolutely insanely irresponsible.


My wife basically had all the problems you guys are talking about with her Minecraft account. When Mojang was independent none of this stuff was an issue but with MS you're practically pulling your hair out to do really basic stuff.

100% pure regression with account management.


I can’t give Azure money if I tried. And I have repeatedly.

About 10 years ago I created an Azure account with my normal email and my US address. I did some stuff but never had a reason to use Azure in a situation where I’d pay for resources. Some years later I wanted to check out Azure for a small project. I go to log in and it tells me I need to add billing or something. I enter my credit card info and get to the address section. My zip code won’t validate. That’s odd. It’s saying it wants numbers and letters. Wait why does it think I’m in Canada? I’m in California. CA? Hmm. Anyway should be easy let me fix the Country. Oh it’s greyed out. YOU CAN’T CHANGE THE COUNTRY?!

Surely this must be a bug. File a support request. Nope, can't change country. Escalate and explain that I can't add a credit card because I am not a CA resident and don't have a Canadian payment method. They tell me they can't change it for tax reasons. But they never took my money because I can't pay them… I go on to tell them I never even selected Canada, there must be some UI bug from when they first rolled out the new account format. They said there's a known issue where this can happen. I ask them to fix it. They can't because taxes. They tell me I have to create a new email if I want to use Azure. I won't do that because I have virtue.

I try two more times over the course of 6 or so years. Both times I’m escalated to someone who thinks they can fix the problem for me. I think at one point there was a technical work order put in to delete my Azure account so I could try again. But somehow it always gets thwarted.

So what happened? I’ve been able to piece together that Azure transitioned to a new account model between when I first created my account and when I tried again the first time. The old model was independent of your MS account. The new one not so much. Somehow Azure migrated my legacy account with a US address and morphed it into an account with a Canadian country set. This Canadian account is intimately linked to my normal MS live account which has a US address and payment info nonetheless. An early version of the Azure account migration UI locked in your country before verifying your payment/address. For “tax reasons” you cant change but it’s totally fine that my US live account has a Canadian Azure account and that, if I was able to do things as MS wants, I’d be paying for MS apps and services with a US card and Azure resources with a Canadian one. Because that’s better for taxes?!

So to this day I can’t use Azure because I’m not willing to change my live account login email address, my main email address, to something else just to work around MS’s bullshit. Because yes, now it’s all the same and your azure account is your live account.

That’s a known issue and we have a simple workaround: just kindly make a new email address…


MS messed up the design of their user and auth system completely. I can't even set up fingerprint login on my local machine without Windows forcing me to connect it to my OneDrive account. An account that has nothing to do with my Windows account.


I experienced similar with logging into outlook.com and the Teams app on Mac. Accounts from different companies were mixed up. If I tried to log in with my account from company A I got redirected to the login page of company B. It's a real mess.


Same here. Then Microsoft Family Safety (sic) denied access to firefox and other programs.


Firmly agree with other posters that Microsoft's identity services leave a lot to be desired... but Jeff is being a bit sensationalist here.

The school did not "take over" his MS account. At some point (likely amidst a mountain of other onboarding tasks for his daughter's enrollment) he would have received an invitation to join the school's Azure AD tenant as a guest/external user. In this case, he chose to join using his Microsoft account, rather than create a new email-based guest account.

"Leaving" the school's org only breaks one side of the federation, and the guest account and its association to the school's Azure tenant still remain.

To resolve, he'll need to contact the school and have them delete the account. Meanwhile, it probably would have been better to create the app beneath an Azure AD tenant belonging to the non-profit org in the first place.
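For anyone on the tenant-admin side of one of these, the guest object is easy to recognise: when an external address is invited into a tenant, Azure AD mints a UPN of the form `user_example.com#EXT#@tenant.onmicrosoft.com` with `userType` set to `Guest`, and that object stays in the host tenant until someone there deletes it. Here is an added Python example (mine, not code from the comment author or from Microsoft) that walks a user export and reports every guest entry that was created for a given address. The records are constructed to mimic the `userPrincipalName`, `userType` and `mail` fields a Microsoft Graph `/users` listing returns; the people and tenants are made up, and the sample deliberately concatenates exports from two host tenants. Only the host tenant's admin can run this kind of query, which is exactly why the affected user has to ask the school rather than fix it themselves.

```python
"""Spot guest ("#EXT#") entries for an external address in an Azure AD export.

Added example, not from the comment author or Microsoft. SAMPLE_USERS is a
constructed stand-in for the fields a Microsoft Graph /users listing
returns (userPrincipalName, userType, mail); the people and tenants are
made up, and the sample mixes records from two host tenants on purpose.
"""
import re
from typing import List, Optional, Tuple

# When user@example.com is invited as a guest into school.onmicrosoft.com,
# Azure AD mints the UPN  user_example.com#EXT#@school.onmicrosoft.com
# (the last underscore before #EXT# separates local part and domain).
GUEST_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#@]+)#EXT#@(?P<host>[^@#]+)$")


def external_identity_from_upn(upn: str) -> Optional[Tuple[str, str]]:
    """Return (original_email, host_tenant_domain) for a guest UPN, else None."""
    m = GUEST_UPN.match(upn)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}".lower(), m["host"].lower()


def find_guest_entries(users: List[dict], email: str) -> List[dict]:
    """List guest records whose invited identity is `email`.

    A `mail` attribute that no longer matches the UPN-derived address means
    the guest object was re-pointed after invitation, which is worth a closer
    look when investigating an account-mixing report.
    """
    wanted = email.lower()
    hits = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        ident = external_identity_from_upn(u.get("userPrincipalName", ""))
        if ident is None:
            continue
        original, host = ident
        if original != wanted:
            continue
        mail = (u.get("mail") or "").lower()
        hits.append({
            "id": u.get("id"),
            "hostTenant": host,
            "invitedAs": original,
            "mailMismatch": bool(mail) and mail != original,
        })
    return hits


# Constructed sample export (not real accounts); two host tenants combined.
SAMPLE_USERS = [
    {"id": "g-1", "userType": "Guest", "mail": "jeff@example.com",
     "userPrincipalName": "jeff_example.com#EXT#@school.onmicrosoft.com"},
    {"id": "g-2", "userType": "Guest", "mail": "pat@other.org",
     "userPrincipalName": "pat_other.org#EXT#@school.onmicrosoft.com"},
    {"id": "m-1", "userType": "Member", "mail": "jeff@school.edu",
     "userPrincipalName": "jeff@school.edu"},
    {"id": "g-3", "userType": "Guest", "mail": "someone.else@example.net",
     "userPrincipalName": "jeff_example.com#EXT#@district.onmicrosoft.com"},
]

if __name__ == "__main__":
    for hit in find_guest_entries(SAMPLE_USERS, "Jeff@Example.com"):
        print(hit)
```

The member account `jeff@school.edu` is skipped even though the local part matches, because it is a native identity of that tenant rather than an invited one; the `g-3` hit is flagged with `mailMismatch` because its `mail` attribute points somewhere other than the address it was invited as.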


> he would have received an invitation to join the school's Azure AD tenant as a guest/external user.

He explicitly claims he didn’t, by the way.


I assure you I didn't (to the OP).

And some people speculate my daughter may have logged into an account on my computer—there is no possible way, and at home she only uses one of two other devices (and at her school they don't have students log in off premises anyways), and my two computers are locked at all times when I'm not around.

In addition, assuming she were able to get access to one of my computers, the password manager is behind face/Touch ID and locks automatically after each use.

I spent a couple hours digging through all the emails we got from her school too, for the month preceding her entry into the school, and I saw nothing about any online logins, not even a link to any kind of portals or anything like that... just consent forms, welcome messages, and the like.

I've been racking my brain for a logical explanation as to why my personal email (and the password associated with my personal Microsoft account—which has been used to login to Azure in 2020, years before this mess) has been associated with the school's tenant. I can't find any.


>he would have received an invitation to join the school's Azure AD.

Speculation.

And even if he received such a mail, were the consequences made obvious to the user?


That posture is exactly why it could become so messy.

People learn how to navigate a shit system and then become complacent with it, blaming the less experienced for their "errors", when the system itself is wrong for being shitty.

This is just a convoluted way of me saying: don't blame the user.


I was thinking along the same lines. Could it be that all his Azure activities to date have happened under this federated account, and he no longer has the Azure access he is expecting (if, in this case, he never signed up for Azure outside of his guest account at the school)?


I really, really hope that this traction on Hacker News will make Microsoft fix this for good.

Anything that gains such traction gets fixed eventually, but I want them to fix the root cause, not just this instance of it.


That happened to us, and what followed was an 8-week nightmare.

1. My son's school MS account took over his private account, only because he linked the two accounts.

2. Suddenly my son's Windows said it was un-authorized.

3. We called Microsoft, they could not fix it.

4. We called the manufacturer of the machine (they shipped Windows as OEM). They could not fix it.

5. Called MS again. They gave us a new activation code. Did not fix it.

6. Called MS again, this time they said to reinstall Windows (This is not a joke).

7. Upon re-installing, Windows would not activate. No error message, no nothing it would just hang in the activation loop.

8. Called MS. They had no clue. Claimed H/W issues.

9. Called manufacturer again. Also claimed H/W issues. I said that I can access the internet from the machine while it was hanging in activation, so network was not the problem.

10. Manufacturer sent someone out (I had bought warranty). He switched the SSD with a new version of Windows... They did exactly what I did. Same problem, would not activate.

11. Some back and forth with MS and the manufacturer involving many reboots and (I kid you not) turning off all wireless routers... MS still would not activate. Manufacturer (and MS) did not believe me. So they sent someone again. Did the same thing, again. Did not work.

12. Manufacturer said I needed to send in the machine. So I did. I included a note about what the problem was and to please not just re-install Windows, because the activation was the problem.

13. Got the machine back... They had just re-installed Windows. Would not activate.

14. Started to get upset. After some pressing manufacturer agreed to send a new machine.

15. First they sent someone out again. Did the same thing again. Forced me, again, to turn all wireless routers off, so that (he claimed) Windows would activate without network. Again... Did not work. Activation just hung.

16. Eight weeks into this we ended up getting a new machine (yes, not kidding) from the manufacturer and now the same version of Windows (from the same memory stick) on the same hardware, same drivers, all the same, would happily register.

I cannot even begin to express how annoying and useless this was. And MS and manufacturer were helpless and useless.

Personally I stopped using Windows over 2 decades ago - only using Linux, but my son wanted a gaming machine, and so I relented. :)


Have you heard of our lord and savior, Proton

It might not work for some of the multiplayer games that youngins play although it might work.


Windows is not fit for production anymore. Any business using Windows workstations is in danger, and should accordingly map it as an existential risk.


Shout out to geerlingguy, the creator of many helpful ansible packages!


The shitness of MS accounts plus the almost requirement (modulo working around the asshole design) that you need one for windows means my next driver will be linux. Done with this shit.


Microsoft bought Mojang in 2014 and forced people to merge their Minecraft accounts into Microsoft accounts in 2021.

Microsoft bought Github in 2018. We'll see what happens in 2025...


Are you using Windows as your Desktop OS? Go into Settings then Accounts, remove the local copy of your account(s), then try to login to Microsoft the way you want.


Whenever my MS account did stupid stuff like this, I'd just create a new one. I ended up with 4 before moving my life outside of the MS ecosystem.


This seems like the kind of monumental Microsoft auth fuck up that you'll need someone "big" and well known at Microsoft to escalate it


My partner has a Win11 laptop that is connected to her Microsoft account.

Is it possible to convert that to a local login?


Should be under account settings somewhere. Loads of walkthroughs online to consult as well. But depending on your circumstances, like if she doesn't care about being in the Microsoft ecosystem, it might be safer to create a fresh local account and delete the MS account from the laptop, just to prevent any crosstalk.


Question from a non-Windows user: In this situation would the school admin have access to the author's personal data?


No


Please contact school system IT department. Your data is not lost. It's just under a different tenant.


I avoid Microsoft account logins like the plague. They've caused me nothing but trouble.


That last update is like the old Blue Screen of Death, cloud-style.

Take comfort that some things never change!


Just don’t Microsoft. Seriously. It’s not worth the aggravation.


...or Google, or Apple, or Facebook, or Amazon...


It’s good to see a mac.com email ID.


Not this guy again


Yeah. If you have multiple accounts with MS that use the same email address to sign in with, you're going to be in for a bad time.

