The way Microsoft accounts work is almost completely opaque to users.
I’ve been in similar scenarios — the switch directory or switch organisation technique usually worked for me - but wasn’t enough for this person.
They never really give you enough information to tell what’s going on… maybe it’s a security risk to have consumers who are anything other than bewildered Kafkerian characters struggling against a faceless bureaucracy? I suppose we should not question their wisdom and be thankful that we can log in at all.
Atlassian manage to make it even more confusing than Microsoft. So there’s that.
Try having a kid and segregating funds for them while paying for their Xbox Game Pass and a Minecraft Realm with your account. I have 25 years of Windows software development experience and I was almost reduced to tears just trying to understand what I'm even trying to accomplish.
Realms is still in some kind of half subscribed, half not subscribed state and it still asks for my account's PIN for purchases but actually only accepts my kid's PIN. And every game warns me that my setup is questionable (store account doesn't match game account) even though it's exactly what Microsoft tells parents to do. Even Microsoft's own Minecraft app complains every 30 days!
I suggest this area for any web2 bug bounty hunters looking to make a fortune.
The switch over the Microsoft login for Minecraft was so bad that I just gave up and got the kids using MineTest instead.
And MS login for work is a complete shambles. I have to do a tactical login to Outlook with a different work account to switch login when I try to use Azure as that's the only obvious way to move to a different org account. It's horrible.
I had 2 mojang accounts for my kids, attached to 2 separate Java game licenses (because i couldn't buy 2 licenses for 1 account) used on Linux. When Microsoft forced the authentication conversion, I had to disassociate 1 of the 2 emails from the combined MS account (that I had worked really hard to combine in 2020) reincarnate that email as a separate MS account, associate it with the separate Mojang account (because MS also has no way of supporting 2 licenses on 1 MS account, even if the account listed multiple emails) and then I was promptly banned by Microsoft for breach of TOS, whatever that might have been. 12 hours later and a dozen support contacts to Mojang, I was unbanned... but my kids didn't play Minecraft that day.
To any MS/Mojang folks lurking,- great game but the authentication merge was an unforced error.
MS also banned me from playing Halo Infinite after a few days due to "Fraud (please insert phone number)" even though I'd done absolutely nothing suspicious --just played the game. So, naturally I deleted it and haven't looked back.
Minecraft is so broken that I’ve removed it from all family devices.
I would frequently have to reinstall on PS5 to get it to boot, it would lose purchases constantly, and there is no cross play for mac hilariously because Mac doesn’t have a bedrock port, despite it having “Minecraft for education” which is based on bedrock.
Microsoft turned Minecraft into a steaming pile of garbage.
I witnessed an egregious bug once - where logging in with one users name and a different users 2FA let me in. I just looked for my notes on it and can’t find them. I’m happy for you not to take my word on it other than to say — I concur that there are some egregious bugs in this area!
I completely believe you - I have performed this setup twice, on different machines, and in both cases the end result is that it uses the kids PIN to authenticate despite requesting the adult's PIN.
I have no idea where to report the issue to (Microsoft store? Minecraft support? Microsoft Windows support?), and having dealt with Microsoft support in a professional capacity I know that even if I do figure out where to report it that they will waste weeks of my time asking me to explain the issue and then claim it's working as designed without understanding the problem at all.
> result is that it uses the kids PIN to authenticate despite requesting the adult's PIN
That's been a thing for a long time. I hit it when trying to share games with child accounts. IIRC, the high level process was:
- Set up child computer with a child account.
- Add parent account as family member on child computer.
- Set up a PIN for the parent account on the child computer.
- On the child OS account, open the Windows Store and log in as the parent.
- Log back in to the Windows Store using the child account.
At that point when the child tries to buy something via the Windows Store it should be asking for the parent's PIN, but accepts the child PIN. As far as I could tell it was authenticating the parent account with the child's PIN.
When I ran into the issue, I could buy anything I wanted with the child PIN and it bypassed all restrictions.
I was so surprised by the way it worked that I spent an entire afternoon testing it. I got a prepaid credit card, set up fresh MS accounts for the parent + child, set up a clean OS install, and recorded everything using VirtualBox by using the on-screen keyboard to show the PINs.
At the time there was a bug in VirtualBox's video recording that caused it to record random garbage and I got so frustrated that I set it aside and never went back to it.
It seems like an auth bypass issue to me and it's been a problem for over 7 years. It's been around so long it's even made it's way from an unofficial blog into official MS docs [1]:
> As of Dec 25 2015, there seems to be a bug in the Windows Store sign in process as it may ask for your PIN code but it actually wants your family member’s PIN code. That is, at least at the time of this writing, use the PIN of the signed in family member even though it asks for your PIN!
Ok - that sounds like the exact thing. It was so very odd when it happened. I’m sure I tweeted about it at the time, or put it on mastodon if it was more recent.
When I saw Minecraft for the Nintendo Switch I bought it, thinking it'd be a solution for the MS login madness and my kid could play easily with it.
Wrong!
It's even worse! You still have to log in with some MS account, but on top it's buggy, slow, laggy, and crashed a few times on me generating the world. What a disaster.
Same story here. Thought it would be great for kids to play. Takes 30 minutes of me screwing with it every time they want to play it. I gave up and put linux on an old laptop and them bought another copy of minecraft for it.
Setting up my kids to play on a realms account is horrid experience! And nevermind explaining how to do it to the parents of my kids' friends. Most of the kids still haven't managed to get on.
Also parental controls seems to suck in general on most services. Nintendo Switch seems to get it right for the most part.
my general approach to this garbage is to just keep making new accounts/email addresses (on my domain) for each purpose
this keeps everything from being comingled at the expense of maintaining all of those credentials
also, as a bonus, if you organize this by subdomain you can sort your email by it automatically since most emails from this stuff don't really need to hit your inbox
Until they ban all of your alts when some obscure ToS sentence about creating multiple accounts starts being enforced (or one of them gets taken over when you don't pay close enough attention) and if you happen to use any of them for anything critical you come to HN complaining how MS just killed your life or business. I truly think that's what happens behind the scenes of half of those cry for help posts
Couldn't you buy Microsoft Store gift cards so you can use your kid's account to keep the subscription active while not using your credit card directly?
Now, if Microsoft bought Atlassian — that would be absolute theoretical maximum limit of peak confusion when logging into an app.
“Warning: You are about to login to Microsoft Atlassian Fogbugz Trello. Have you cleared sufficient space in your calendar, notified your next of kin, put your affairs in order, and taken your sedatives?”
Atlassian ID was a negative point when choosing software.
We, as an Atlassian plugin maker, chose GitLab internally, and Notion, both because at least it was properly integrated and didn’t have the awful Atlassian ID and switch between apps…
Ha. You have two factor on MS, main atlassian, and former bitbucket?
Prepare for peak confusion. Three different MFAs will be needed but we wont tell you which one is for which step. Oh and if you make a mistake you get to start all over!
We took on a client on Azure 4-5 years ago. something happened to my MS account at that time, that made it impossible to sign in to a random subset of MS services (it would either report that the pw was invalid, or I didn’t have permissions).
It was something like two accounts existed in the system with the same email address and one of them had permissions, but we couldn’t sign in to it and the other we could sign in to, but didn’t have permissions and there was no way to grant it permissions.
I spent several hours with MS support over a few days while they tried to sort it out, reset passwords, sign in via different systems, etc. Eventually they recommend we create a new account.
Arghhh... I swear I only have one Microsoft account, but it randomly seems to use either one password or an older one. I've been round loops several times resetting the password and all seems well, until it seems to want an older one again.
I didn't bother porting my Mojang account to Microsoft, it was too stressful to use.
I’ve been in similar scenarios — the switch directory or switch organisation technique usually worked for me - but wasn’t enough for this person.
They never really give you enough information to tell what’s going on… maybe it’s a security risk to have consumers who are anything other than bewildered Kafkerian characters struggling against a faceless bureaucracy? I suppose we should not question their wisdom and be thankful that we can log in at all.
Atlassian manage to make it even more confusing than Microsoft. So there’s that.