Microsoft Offers One Sign-In Experience to Rule Them All

Posted on August 3, 2017 by Paul Thurrott in Cloud, Microsoft Consumer Services, Office 365, Mobile, Windows 10 with 19 Comments

Microsoft Offers One Sign-In Experience to Rule Them All

Microsoft is redesigning its account sign-on experiences for both consumers and businesses in an effort to make them more efficient and consistent.

“We’re continuing to make progress on converging the Azure AD and Microsoft account identity systems,” Microsoft’s Alex Simmons explains. “One of the big steps on this journey is to redesign the sign-in UI so both systems look consistent. Today I’m happy to announce that this updated design is in public preview.”

As you may know, Microsoft offers separate cloud-based account types for individuals and for businesses. Individuals can utilize a Microsoft account (MSA), while businesses users have Azure Active Directory (AD). These account types are, in fact, completely separate. But both account types are designed to provide similar services, such as cross-device settings sync and repositories for apps, games, media content, file storage, and more. Also, you can link an MSA to an Azure AD account, and you can sign-in to Windows 10 with either type of account.

To date, Microsoft has provided different experiences when you sign-in to an MSA or Azure AD account on the web. So this week’s preview is a final step towards a consolidated sign-in experience that will be consistent between both account types. So those who have both—virtually all Azure AD account holders will also have an MSA for their personal use—will see a more consistent experience going forward.

As an individual, you can now see this new sign-in experience by visiting any Microsoft site online and signing in with your MSA. For example, the image at the top of this article is from today.

For Azure AD users, the new sign-in experience is now in preview. So you will need to opt-in to the preview the first time you are asked for your credentials.

Either way, the new sign-in experience provides a new “paginated” experience, meaning that you enter your account ID (email address) first and then some credential—a password, an app-based authentication, or whatever—separately, on a second screen. This change seems to have rankled some users on my Twitter stream, but as Microsoft explains, it’s more secure and has a higher sign-in success rate.

The new UI works on both desktop PCs and mobile, and it will be brought to all Microsoft online sites, including the multi-factor authentication experience—in the coming weeks. Microsoft plans to complete the shift to this new experience by the last week of September.


Tagged with , ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (19)

19 responses to “Microsoft Offers One Sign-In Experience to Rule Them All”

  1. rameshthanikodi

    I swear this is like the fourth or fifth time they've done something like this.

  2. skane2600

    UWP Passport? In the spirit of the equally silly .NET Passport.

  3. johnbaxter

    The old rule was to never tell the person trying to log in (i.e., the attacker) whether it is the username or the password that is wrong. The paginated method breaks that, admitting that the username (email, phone, etc) is wrong before asking for the password.

    Perhaps the new method is enough more secure to overcome that information leak.

  4. valisystem

    The existence of two different Microsoft identity systems is extraordinarily confusing for non-tech users. For this article, you've adopted "Azure AD" and "Microsoft account" to refer to the two systems. That's a recent development. Microsoft still uses "work or school" and "personal" on its dialogs.

    So I'm not sure whether it's helpful that the login screen will now be identical for sign-ins to both identity services. It removes a visual indicator that could help people stay oriented. Another example: the visual similarity of OneDrive and OneDrive for Business is a real problem for non-tech people trying to find files.

    I dream of a truly unified system where a personal account can be linked to an Azure AD account, allowing single sign-on and access to all MS services. If this screen helps get closer to that goal, great. But by itself, I'm worried that this increases confusion instead of simplifying things.

  5. Roger Ramjet

    hmm. Unified log in to the One cloud. The final conflict can't be far off. Perhaps, "The War of the Edges"?

  6. m_p_w_84

    Looks like the google sign in

  7. Waethorn

    So why do they still insist on asking for the email address first, and then clicking "Next" before having to type the password and clicking Next again?

    Microsoft, do you not think computer users have their big-boy pants on? You can put both fields on a single screen, for crying out loud!

    • rameshthanikodi

      In reply to Waethorn:

      Google is doing this too. Apparently it's a security thing, and also a 2FA thing. I wouldn't say it's poor UX.

    • skippu

      In reply to Waethorn:

      It's because if there is an alternate authentication provider involved (e.g. Ping, Okta) then the authentication request is then transferred to that provider. There's no point in accepting a password if Microsoft isn't handling the authentication.

      Microsoft has created a quite elegant solution for enterprise complexity.

    • NazmusLabs

      In reply to Waethorn:

      In order to determine if you are logging in with msa or ad. Not possible to have both fields in one page.

      • Waethorn

        In reply to NazmusLabs:

        And that's not possible by having the password on the same screen?

        Think about that for a second. It's simple to just do a conditional statement to search both providers for a valid login and redirect to the proper provider AFTER the fact. Even if you had an MSA and Azure account with the same email address and password, they only need to prompt AFTER inputting both fields and submitting the previous password to the chosen provider.

  8. lefffen1

    Still doesn't allow me to copy and paste in my 2FA code from my authenticator app (unless I type in a random number first, then paste and then remove the random number). Every other site lets me do this.

  9. Tony Barrett

    I hope Enterprises have full control over what syncs, because with a single signon for consumers and businesses, there's a lot of crap that could come down to the corporate PC (if you're running Win10 that is, which most aren't)

  10. IanYates82

    I've had this two page login process for months. I put in my address and then before I can type my password (and sometimes that doesn't even show - I guess that's what this article is about) I then get asked if I want my msa or office 365 account (since both have the same address).

    Works quite well. Can't see why people are cranky about it.

    • skippu

      In reply to IanYates82:

      Precisely why Microsoft now prohibits the creation of an MSA UPN that matches an existing Azure AD UPN.

      It actually is rather confusing for not-well-informed users.

    • RamblingGeek

      In reply to IanYates82:

      I separated mine out because it was causing issues.. This makes me think I can have them both using the address again....

    • DaveHelps

      In reply to IanYates82:

      Agreed. On my home PC, if I enter my address it proceeds to auto signin, as the account is linked to Windows and the device is trusted. If I enter my Office 365 account address it goes to a password screen (which LastPass auto fills) and then my phone dings with a 2FA alert.

      Seems pretty much perfect to me.

  11. Maxpayne

    Well, this is great change. If they are to make these things to a single one, it would save us some time and avoid the hassle of signing in on every other tool we are accessing. This was something they should have done long ago.

    Big Apple Medical Drainable Pouch