Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Overview
Microsoft plans to retire the ability for enterprise support customers to sign in to Services Hub and Microsoft Engage Center using personal Microsoft Accounts (MSA) directly. This change is part of our broader Secure Futures Initiative (SFI). The primary goal is to ensure that all user sign-ins use managed, enterprise-controlled identities. For more information on account types, see What's the difference between a Microsoft account and a work or school account?
Users who still want to use a personal Microsoft Account can access Microsoft Engage Center as guest users through Microsoft Entra External Identities, rather than using MSAs as direct sign-ins. This document outlines what's changing and describes a phased transition plan for the retirement process.
Phased retirement plan
Because we recognize that many customers need time to transition off direct sign-ins using MSAs, we're implementing this change in phases. This phased approach minimizes disruptions and makes sure customers have time to make the necessary adjustments.
The following table provides an overview of each retirement plan phase and what it entails.
| Phase | Key Actions & Changes | Target Date |
|---|---|---|
| Phase 1 - Announcement | Plan Initiation: We're officially announcing the retirement plan. Microsoft is updating documentation and communicating this change. Customer Guidance Available: Administrators now have access to optional guidance on how to remove MSA users from their workspaces and disable MSA invitations. |
Announced on 08/19/2025 |
| Phase 2a - Partial Removal | No New MSA Enablement: For existing customers, any workspace that doesn't have MSA sign-in enabled can no longer invite MSA users to their workspace. New customers have no option to enable MSA: Any new enterprise support customers can't enable MSA as a means of accessing Services Hub. Active MSA Users: Any workspace actively using MSA isn't affected and retains access to MSA during this time. |
Completed on 10/13/2025 |
| Phase 2b - Disable Unused MSA | Turn off Unused MSA Authentication: If a workspace has MSA authentication enabled but has no registered MSA users, MSA authentication will be deactivated for that workspace. Active MSA Users: Any workspace actively using MSA isn't affected and retains access to MSA during this time. |
This phase is no longer in scope and will be skipped |
| Phase 3 - Access Management Migration | Complete transition to Microsoft Engage Center Access Management capability: Access management is migrated from Services Hub to the Engage Center platform. As Engage Center supports Microsoft Entra External Identities, all customers can use Microsoft Entra B2B for collaborating with MSA users during this time. Begin customer migration: Once your workspace is migrated to Engage Center for access management, you need to begin moving any remaining MSA users to the Entra-based B2B model. NOTE: New MSA users can only be added by using Entra-based B2B. NOTE: Existing MSA users aren't able to invite new users or manage existing users. |
Beginning March 2026 |
| Phase 4 - Full Removal | Announcement of cut-off date: Microsoft will enable existing MSA users to continue signing in to Enage Center for 120 days after the completion of the Access Management capabilities. Once this migration is complete, a frim date will be shared for when access will be limited to Entra External Identities users. Removal of MSA authentication: On the set date, the ability to sign in with MSA directly is fully removed from Engage Center for enterprise customers. MSA access using B2B becomes the only way for an MSA user to access Engage Center from this point forward. |
120 days after the completion of Access Management capability for all customers |
Move to managed identities with Microsoft Entra External ID
After you're transitioned to Microsoft Engage Center for access management, you'll be able to take advantage of a more secure alternative for scenarios where MSAs were used: Microsoft Entra External Identities (formerly Azure AD B2B collaboration). If you have users who prefer to sign in with an MSA, add them to your tenant as guest users instead of directly signing in to Engage Center using MSA.
Microsoft Entra External ID Support in Engage Center: In this model, MSA functions as the authentication identity, but only after it is invited and managed through your organization's Entra ID tenant as a guest account. Each user authenticates with their identity provider (in this case, their personal MSA sign-in), and your organization's Microsoft Entra ID tenant then checks and controls that user's access as a guest. This approach allows the continued use of MSAs without the security downsides--revoke or monitor access at any time with your Microsoft Entra tenant, and all access complies with the organization's security policies.
After Phase 4, all users will sign in with either:
- Entra ID work accounts or
- Entra ID guest accounts (for external collaborators, using MSAs or other accounts)
Direct use of MSAs as a sign-in type in Services Hub won't be available, but those users with those acounts instead smoothly transition to guest accounts. From an end-user perspective, they still use their MSA email to sign in--the difference lies in how the account is provisioned and managed on the backend.
How to prepare
We recommend removing any MSA users that are not needed. If you must continue to use MSA users at this time, please note that if they are setup as administrators in Services Hub, they will lose the ability to manage users after access management is migrated to Engage Center in Phase 3. We therefor recommend confirming that there is at least one Entra user setup as an administrator for any workspace that has MSA users.
For detailed steps on removing MSA users, refer to our support documentation on removing MSA authentication from Services Hub. This guide walks you through disabling the MSA switch and deleting MSA user accounts from a workspace, with screenshots and instructions.
By proactively cleaning up MSA usage now, you ensure a smooth transition ahead of the enforcement. Many customers have already begun this process following our best practices guidance.
FAQs and additional information
I'm seeing a user with my organization's domain being marked as an MSA user. Is that possible?
Yes, in the past users were allowed to create personal accounts using a work email address. This is a very common scenario for organizations who have had support for a long time. These accounts are still personal accounts. Review the following list of articles for more information. The guidance in this situation is to remove these users and re-invite them so they can login with their Entra accounts.
- Additional details about blocking Personal Accounts that are also Entra accounts
- How to rename a personal account
- How to manage aliases
I've turned off the MSA exception, that's all I need to do to disable it in my workspace, right?
Unfortunately, turning off the exception only stops new users from being added using MSA. Existing users will still be able to login. To fully remove MSA from your workspace, you need to disable the exception and remove any user that is logging in using MSA. For details on how to identify these users, see Best practices guidance - Remove MSA authentication from Services Hub.
Can I start using Entra B2B today in Services Hub?
Servcies Hub doesn't support Entra B2B. Once the access management capabilities are migrated from the Services Hub platform to the Engage Center platform, you'll be able to begin using Microsoft Entra B2B for collaborating with MSA users.
What if my organization only uses MSAs because we don’t have Microsoft Entra ID?
After Phase 4, Microsoft Entra ID will be required to use Services Hub/Microsoft Engage Center. If you don’t have a Microsoft Entra tenant, reach out to your Microsoft account team to learn more about setting up Microsoft Entra for your organization’s use.
We operate in a National cloud. How do these changes affect us?
We recognize the unique scenario for national cloud customers. By the end of Phase 3, our goal is for national cloud identities be supported for Services Hub/Microsoft Engage Center access (or have an equivalent solution in place).
Does this change affect any other Microsoft services, or just Services Hub/Microsoft Engage Center?
This plan is specific to Services Hub and Engage Center for enterprise support. It doesn't directly change anything about Microsoft accounts in other contexts. MSAs continue to work for personal services and other Microsoft offerings.
Microsoft Support for Business customers aren't affected by this change.
After this retirement, does a person still have the ability to use their personal Microsoft account (MSA) email to sign in?
Yes, but not directly. After the retirement, if someone attempts to sign in to Engage Center with an MSA, that sign in attempt won't be accepted unless that MSA was set up as a guest in a Microsoft Entra tenant.
If you invite that MSA as a guest to your directory, the user can sign in by entering that same email, but behind the scenes the authentication is happening via Microsoft Entra’s B2B guest mechanism. In summary, users continue to use the same email address, though you must configure them as external users rather than relying on the legacy direct sign-in method.
What about Microsoft Account users in Microsoft Entra B2B? Is that different?
Microsoft Entra B2B use is exactly what we encourage as the alternative starting in Phase 3. Microsoft Entra B2B allows a Microsoft Account to be used for guest sign-in in a controlled way. This change doesn’t block MSAs from being used in Microsoft Entra; it only removes the legacy, unmanaged approach of using MSAs straight in Services Hub.
Will Microsoft provide tools to help us identify MSA users or automate the transition?
We've provided guidance for identifying MSA users and identifying if invitations using MSA are enabled for your workspace.
I'd like to remove MSA from my setup today, what should I do?
Review your Services Hub configuration and our best practices guidance for removing MSA authentication from Services Hub. If the MSA exception is enabled on your workspace or if you have individuals set up as MSA users, follow the instructions remove those users and disable the MSA exception.
Conclusion
Microsoft is committed to helping you secure your support experience. Retiring direct MSA sign-ins in favor of Microsoft Entra ID authentication is an important step to ensure that access to support resources is managed and auditable. Although change is sometimes inconvenient, this transition will significantly improve the security posture for Services Hub users by eliminating a vector of risk (unmanaged personal accounts).
We're rolling out the change in phases to give you time to adapt, and we'll support you throughout the process. Begin reviewing your users and planning for this change now. Addressing it early allows you to avoid any last-minute issues when the cut-off date arrives (to be announced in the future).
We'll continue to update our documentation with the latest information. Thanks for your cooperation in making Services Hub more secure for everyone.
More Resources:
- Best Practices Guidance: Removing MSA Authentication from Services Hub – Detailed steps for identifying and removing MSA users and inviting guest users
- What is a Microsoft account vs. Work account? - Explains the differences between MSAs and work accounts
- External Identities Overview – Introduction to B2B collaboration using guest accounts