Complications Caused By MicrosoftAccount Identity Provider

Guy de Winton 1 Reputation point
2022-12-01T05:32:21.19+00:00

Hello

Two questions:

I am going around and around in circles trying to figure out the best way to manage my user identity on Azure. I signed up using my MS account (which uses a gmail username). When creating an Active Directory domain, I have found that I get caught up in some complications which I haven't been able to resolve. My user has two identities per active directory domain (federated, from MicrosoftAccount and userPrincipalName, from the Active Directory domain). Each identity has a different password, which is fine, but I am not able to revoke the Active Directory password (using another admin user). The only way to create and change the password is through the login screen.

Is there a way to revoke the Active Directory domain provided identity password (as I can for the other users whose only identity is provided by the Active Domain)?

In fiddling around with the previous question I got into Cross-Tenant Access Settings in the External Identities section of the Active Directory and blocked everything - after which I was no longer able to log in with my MicrosoftAccount identity. But my user is not cross tenant. I am the primary administrator of my domain! I would love for someone to help me get my head around this...

Is there any other way to manage which Identity Providers my domain will allow users to log in with (other than Cross-Tenant Access Settings in the External Identities section of the Active Directory, which seems like the wrong place...)?

Finally, a bonus question... what is the best practice??? What should I be doing? What identity should the creator/admins of an Active Directory use to manage the Active Directory?


1 answer

  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2022-12-05T11:24:57.123+00:00

    Hello @Guy de Winton

    Thank you for posting your query on Microsoft Q&A. I was able to review this and here is my understanding of the background:

    You have set up an Azure AD domain via your personal/Microsoft Account (Gmail account username). This has led your Microsoft Account UPN to be global administrator. You are not able to reset the password for the GA account from your tenant.

    Please correct me in the comments section if you find a difference in my understanding.

    PFB answers to the questions:

    -Is there a way to revoke the Active Directory domain provided identity password (as I can for the other users whose only identity is provided by the Active Domain)?

    You can only change or reset passwords for Azure AD users from the Azure AD admin console. Any user entity created via an external source such as an MSA account or on-prem could be changed from on-prem AD (unless you have SSPR enabled for the user).

    -In fiddling around with the previous question, I got into Cross-Tenant Access Settings in the External Identities section of the Active Directory and blocked everything - after which I was no longer able to log in with my MicrosoftAccount identity. But my user is not cross tenant. I am the primary administrator of my domain! I would love for someone to help me get my head around this...

    This is because your MSA account is considered an external B2B user. Kindly use an Azure AD user account as the tenant administrator.

    -Finally, a bonus question... what is the best practice??? What should I be doing? What identity should the creator/admins of an Active Directory use to manage the Active Directory?

    Once an Azure AD domain is set up, you should create an Azure AD domain admin account within your tenant, as B2B and synced users (on-prem users) would be managed via end users' options or on-prem domain admins respectively.

    Please do let me know if you have any queries or suggestions in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.

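The answer's recommendation (inspect how the MSA-backed account is represented, then create a cloud-only admin account inside the tenant and manage its password there) can be carried out with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the question, the answerer, or Microsoft; it assumes the placeholder tenant domain contoso.onmicrosoft.com, the display name and UPN "tenantadmin", and that the session has the listed Graph scopes.

```powershell
# Added example (not from the thread above). Requires: Install-Module Microsoft.Graph
# Placeholders you must replace: contoso.onmicrosoft.com, the tenantadmin display name / UPN.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# 1. Show how external (B2B / MSA-backed) users are represented in this tenant.
#    The thread's creator account appears here as userType 'Guest' with a
#    'federated' identity whose issuer is MicrosoftAccount; that identity's
#    password is owned by the MSA, which is why the tenant cannot reset it.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, UserPrincipalName, UserType, Identities |
    ForEach-Object {
        "$($_.UserPrincipalName) (userType=$($_.UserType))"
        $_.Identities | Select-Object SignInType, Issuer, IssuerAssignedId | Format-Table -AutoSize
    }

# 2. Create a cloud-only administrator that exists entirely within the tenant.
#    The initial password is a throwaway: the user must change it at first sign-in.
$tenantDomain    = "contoso.onmicrosoft.com"   # placeholder
$initialPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$admin = New-MgUser -DisplayName "Tenant Admin (cloud-only)" `
    -UserPrincipalName "tenantadmin@$tenantDomain" `
    -MailNickname "tenantadmin" `
    -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# 3. Grant Global Administrator using the well-known role template id.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $globalAdminRoleId `
    -PrincipalId $admin.Id -DirectoryScopeId "/"

# 4. Unlike the MSA identity, this account's password can later be reset by any
#    other tenant admin (e.g. to revoke access), which is the control the question asked for.
$resetPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $admin.Id `
    -PasswordProfile @{ Password = $resetPassword; ForceChangePasswordNextSignIn = $true }
```

Hand the initial password to the new admin out of band, sign in with it once to register MFA, and then keep the MSA-backed creator account out of day-to-day administration; step 1 is also a useful periodic check for any other guest accounts holding privileged roles in the tenant.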