For Microsoft’s purposes a “work email address” is an email (or, since this is an authentication case, a UPN, they say ‘email’ in user-facing UI and documentation because it’s assumed that those will be identical, though that’s not mandatory if you love confusion) associated with an organization that has an Azure AD tenant set up; to which you intend to either ‘register’ or ‘join’ the device you are going through OOBE on.
Fundamentally they’re all Microsoft accounts; it’s just a matter of whether you are a subject of Microsoft directly; or if your service is pledged to one of their vassals.
If you try to use an unrelated email address as a ‘work email address’ the OOBE process will freak out because it will expect to be able to interact with the Azure AD (Sorry, marketing people, I’ll say “Microsoft Entra ID” when I’m dead…) authentication infrastructure by using the domain in the email to locate the AAD tenant for which that’s a registered domain and then attempt to sign in to do device registration; and if there is no such thing it will just be shouting into the void.
(edit: I’m not sure offhand whether the OOBE has any logic, to provide helpful error messages, that distinguishes between addresses that simply don’t correspond to a tenant and ones that do; but are misbehaving for either connectivity/DNS/etc or tenant authentication or device registration policy reasons; in order to provide distinct error messages to people using unrelated emails that aren’t even intended to work and people using emails that are AAD-associated but either running into some sort of mishap or being blocked by a tenant-specific policy. I only touch this stuff at work; and (thankfully) HQ stands fully behind our position that BYOD is the devil’s work; so I’ve never actually seen a wild win11 OOBE, only one that IT, typically me, has either answer-filed into submission for an automated domain join or Autopiloted to the point where it will only accept credentials associated with a specific tenant.)
Did he fire all the people at X capable of answering his question, or finding the answer?
I can’t “upgrade” to Windows 11 because my PC doesn’t have a Trusted Platform Module for Secure Boot. Once I do get another PC, I won’t install Windows on it because I don’t trust Microsoft to not fuck up booting other operating systems. (And running Linux within Windows isn’t an acceptable option.)
At last the long-running dispute will be over: I own my computer, and I run Barter Town!
Hopefully they’ve actually fixed this; but until comparatively recently they used what were supposed to be different authentication systems. As their own studiously understated description has it:
Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens.
To the best of my knowledge anything behaving as intended does, indeed, follow different paths, hit different endpoints, get tokens signed with different keys, etc. so the Storm-0558 activity was visibly anomalous (once a customer who was paying for access to their logs and reading them closely brought it up); but the episode didn’t suggest entirely rigid boundaries between the two types of authentication.
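The “validation issue” in the quoted description is the kind of flaw where a token verifier accepts any key it has ever heard of, instead of only keys from the key set bound to the issuer it is validating for. The following is an added illustration of that distinction, not code from this thread or from Microsoft: the issuer URLs, key ids and secrets are constructed, and HMAC-SHA256 stands in for the RSA signatures real Azure AD and MSA tokens use, purely so the example runs offline. `verify_weak` merges the consumer and enterprise key sets and so trusts a consumer-signed token that merely claims the enterprise issuer; `verify_strict` selects the key set by the expected issuer first, so the same token is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo issuers and key sets (not real Microsoft values).
# Real tokens are RSA-signed with keys published as JWKS per issuer; HMAC is
# used here only to keep the example self-contained.
CONSUMER_ISSUER = "https://consumer.example"            # stands in for the MSA issuer
ENTERPRISE_ISSUER = "https://enterprise.example/tenant"  # stands in for an Azure AD tenant

CONSUMER_KEYS = {"msa-key-1": b"consumer-secret-constructed"}
ENTERPRISE_KEYS = {"aad-key-1": b"enterprise-secret-constructed"}

# Hardened verifier: which key set may sign for which issuer.
KEYSET_BY_ISSUER = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact JWT-style token: header.payload.signature (HS256 demo)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    """Split a token into (header, claims, signing_input, signature) or None if malformed."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        return header, claims, f"{h}.{p}".encode(), _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None


def _signature_ok(key: bytes, signing_input: bytes, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_weak(token: str, expected_issuer: str) -> bool:
    """Flawed: looks the kid up in a merged key set, so a key belonging to one
    issuer is accepted as valid for tokens claiming any other issuer."""
    parsed = _parse(token)
    if parsed is None:
        return False
    header, claims, signing_input, sig = parsed
    if header.get("alg") != "HS256":
        return False
    merged = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = merged.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_issuer


def verify_strict(token: str, expected_issuer: str) -> bool:
    """Hardened: resolve the key set from the issuer we expect to validate for,
    and only accept a kid that exists in that key set."""
    parsed = _parse(token)
    if parsed is None:
        return False
    header, claims, signing_input, sig = parsed
    if header.get("alg") != "HS256":
        return False
    keyset = KEYSET_BY_ISSUER.get(expected_issuer)
    if keyset is None:
        return False
    key = keyset.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return False
    return claims.get("iss") == expected_issuer


def cross_signed_outcome() -> tuple:
    """A token signed with the consumer key but claiming the enterprise issuer:
    returns (weak_verifier_result, strict_verifier_result)."""
    token = sign_token({"iss": ENTERPRISE_ISSUER, "sub": "user@example"},
                       "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return verify_weak(token, ENTERPRISE_ISSUER), verify_strict(token, ENTERPRISE_ISSUER)


if __name__ == "__main__":
    print("weak, strict =", cross_signed_outcome())  # weak accepts, strict rejects
```

The point of the strict variant is ordering: decide which issuer you are validating for, fetch only that issuer's keys, and then look up the `kid`; a verifier that does the lookup first and the issuer check afterwards has already let the wrong key set vouch for the signature. Pinning `alg` matters for the same reason, since the header is attacker-controlled until the signature has been checked.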
as much as i dislike elon, i also dislike microsoft’s bullshit move of hiding the way to set up a PC without creating a microsoft account (among many other BS moves by them).
so if elon wants to fight that fight, i say let them fight.
He’d never do it; but I’d love to see Nadella just tell Musk that they both make products that nag you about signing in and have bot problems; but only one of them makes money. Then drop the mic.