Accounts Basics (23H2)

Windows 11 supports different types of accounts that can behave differently depending on how they’re configured and used.

For example, you can sign in to Windows using a Microsoft account, a work or school account, or a local account. But you can also add additional online accounts to access email, apps, and other services from within that sign-in. And you can, of course, configure multiple sign-in accounts on the same PC, so that different users can have their own custom environments, apps, and data.

Complicating matters, each sign-in account is assigned a set of permissions that determines whether they have full administrative rights over the PC. And while many users who sign in to Windows 11 will be using an online account, some still use an offline account, which comes with certain limitations.

Understand the different types of accounts

Confused? Let’s step through the various types of accounts you’ll encounter in Windows 11, and see how they interoperate and overlap.

Sign-in accounts

A sign-in account–sometimes called a user account–is an account you use to sign in to Windows 11 on your PC. It can be a Microsoft account, a work or school account, or a local account.

Microsoft accounts are discussed further in Microsoft Accounts. Work or school accounts are discussed further in Work or School Accounts. And local accounts are discussed further in Local Accounts.

When a sign-in account has a password–which it should, though passwords are optional with local accounts only–Windows 11 forces you to create an alphanumeric passcode called a PIN so that you can use it to sign in more easily. Most PINs are just four characters long, but they provide a small additional layer of security by being different from your password. And ideally, you will use a different PIN on each PC you use.

Windows 11 will also recommend that you configure and use other forms of Windows Hello authentication, including facial and fingerprint recognition, depending on the capabilities of your PC. These methods further secure your PC because they are unique to you and hard if not impossible to spoof.

You can learn more about Windows Hello PINs and facial and fingerprint recognition in Windows Hello and Dynamic Lock.

Online and offline accounts

Windows 11 supports both online and offline accounts. You can use either to sign in to Windows 11. But email and app accounts, which are configured from within Windows, are only online accounts.

An online account is an account that can only be created when the PC you’re using is online and connected to the Internet. Microsoft accounts and work or school accounts are both online accounts.

A local account is the only offline account type, and it can only be used to sign in to Windows 11. Unlike online accounts, offline accounts can be created when offline.

Managed and unmanaged accounts

There is also this concept of managed accounts and unmanaged account types.

A managed account is an account that is centrally managed by some commercial entity. Work or school accounts are managed accounts, as are Microsoft accounts, as it turns out.

Microsoft maintains a light touch when it comes to Microsoft account management. But the organizations that own work or school accounts apply management policies to a PC when one is used to sign in. Users with managed work or school accounts can still personalize Windows 11 to some degree, but some aspects of the system can be dictated by the managing organization.

An unmanaged account is an account that is owned and controlled by an individual. A local account is an unmanaged account that exists only on the PC on which it was created, and it’s up to the user who created it to maintain and secure the account.

Administrator and Standard user accounts

Every sign-in account in Windows 11 is assigned a set of permissions that determine which tasks they can complete on the PC.

The first sign-in account on any PC is configured as an Administrator account, meaning that it has administrative privileges and can complete any tasks, including those that may be destructive and could impact other users on the PC. Some destructive tasks will trigger a User Account Control (UAC) prompt so that the Administrator can be sure they wish to continue.

Each subsequent sign-in account that’s created on a PC is configured as a Standard user account by default. Standard users can install some apps and configure the environment to their liking. But they cannot complete tasks that might be destructive or impact other users. When such a task is attempted, Windows 11 will display a different type of UAC prompt so that a user with administrative privileges on the PC can review the task and then approve it, if desired, by entering their sign-in credentials.

Email and app accounts

Anyone with a sign-in account can add one or more email and app accounts to interact with different online services.

Email accounts are used by the Outlook (new) app and can provide email, calendar, and/or contacts services. Supported online accounts include Outlook.com, Office 365/Microsoft 365 commercial, Google/Gmail, Yahoo!, Apple iCloud, POP, and IMAP.

You can learn more about Outlook (new) in the Outlook chapter.

App accounts are Microsoft accounts that are used to sign in to Microsoft Store apps only. You can configure any number of Microsoft accounts for this purpose, and sign in to different apps with different Microsoft accounts if desired.

Email and app accounts are discussed in the Email and Other Accounts chapter.

A few examples

With that out of the way, let’s look at a few quick examples.

Let’s say you buy a new PC and sign in to Windows 11 using a Microsoft account, as most people do. This account is a sign-in account, an online account, and a managed account, and, because it was the first account configured on the PC, it is also an Administrator account.

Now, let’s say that you add a second sign-in account to the PC and that this new account is a local account. It’s a sign-in account, of course. But it’s also an offline account, an unmanaged account, and, by default, a Standard user account (as opposed to an Administrator account).

You can learn more about using Windows 11 with multiple sign-in accounts in Multiple Accounts.

Those using either of these sign-in accounts could also configure two other account types within their sign-in: Email accounts and app accounts.

Email accounts are added to Windows 11 so that their content can be accessed in the Outlook (new) app. An email account is not a sign-in account. It is an online account. And because it won’t be used to sign in, it is not granted Administrator or Standard user permissions. Because it’s an online account, it’s also technically a managed account, though that doesn’t impact Windows 11 in any way.

App accounts are Microsoft accounts that are added to Windows 11 so that they can be used to sign in to Microsoft Store apps. An app account is not a sign-in account. It is an online account. It is a managed account. And because it is not used to sign in, it is not granted Administrator or Standard user permissions.

Still confused? Hopefully, the next other chapters in this section will help.