First Steps: The Proper Care and Feeding of Your Microsoft Account

Posted on January 3, 2017 by Paul Thurrott in Cloud, Skype, OneDrive, Bing + MSN, Office 365, Microsoft Consumer Services, Games, Xbox 360, Xbox One, Mobile, iOS, Android, Windows Phones, Music + Videos, Microsoft Movies & TV, Groove Music, Office, Windows, Windows 8.1, Windows 10 with 21 Comments

If you’re anything like me, your Microsoft account is the core of your online identity. It’s time for a check-up.

I’ve been meaning to write about maintaining a Microsoft account (MSA) for years. Indeed, almost every time I update the Windows 10 Field Guide, I am reminded of the need for a “Chapter 0”-type manual for creating, securing, and properly maintaining an MSA. It’s just so core to everything else in the Microsoft ecosystem: Windows 10, of course, but also Office 365, OneDrive, OneNote, Cortana, Skype, and so much more.

So consider this a first step in that direction. Here, I will assume you already have an MSA, and that you have basically ignored its configuration and maintenance for some period of time. It’s OK, we all do it. But going forward, you should resolve to revisit this account and its configuration from time to time.

And that is my first tip:

Set calendar reminders for MSA checkups. Frankly, you should do this for all of your online accounts. But for MSA specifically, you should consider quarterly/bi-annual checks of your security settings and devices, at the least. (We’ll look at both in a moment, but because I test so many PCs, I actually examine and prune my device lists monthly.)


Know where to go. The Microsoft account website can be found at Here, you can properly configure your Microsoft account. Everything else we discuss here will happen at that website.

Review and edit MSA settings

There are a few non-security settings you should examine immediately.

Personal information. From the Your Info link, you can review and edit your personal info, meaning your birth date, address, phone number, and so on. Make sure it’s all correct. (This part of the site mentions “billing info,” but that’s not the same as “payment options.” See below.)

Payment options. Navigate to Payment & Billing, Payment Options to review and edit the credit cards and other payment methods (PayPal, gift cards, more) that are associated with your account. Make sure the cards are up-to-date, and remove those that are no longer needed. Note that this page will also show you which credit card(s) are tied to subscriptions (like Xbox Live Gold, Office 365, or Groove Music Pass). Take time to review your order history as well, to make sure there aren’t any suspicious purchases.

Subscriptions. On the Services & Subscriptions page, you can review your current and past subscriptions and configure auto-renew, where available, and which payment method is used for auto-renew.

Devices. The Microsoft account website maintains your device association lists, of which there are four: Your devices (all devices, including PCs, phones of all kinds, and Xbox consoles), apps & games devices (for Windows Store purchases), music devices (for Groove Music Pass), and movies & TV devices (for content rented or purchased from Windows Store/Xbox Store). Note that each has different limitations. You can have any number of devices in the Your devices list, and can remove devices at will. The apps & games list is limited to 10 devices, and you can remove devices at will. The music devices list can have only four devices, and you can only remove one per 30-day period. And the movies & TV devices list can contain an unlimited number of devices, I believe. But you can only remove one per month.

Family settings. Using Microsoft’s parental controls service, called Microsoft Family? Then you can use the Family link to manage the adults and kids in that family, and the settings for each.

Privacy. Use the new Privacy dashboard to manage your privacy settings and, if needed, delete private information that Microsoft has stored in the cloud.

Security. Finally, and perhaps most important, you can use the Security link to review and edit your security settings. This is a big topic, so it gets its own section…

Review and edit MSA security features

From the Security link, consider reviewing the following security features:

Password. Use the Change password link to change your password and, optionally, configure a 72-day reminder to change it again. If you are not using a password manager correctly, that latter option is a good idea. (If you have not already done so, the site will also prompt you to merge your Skype and Microsoft accounts.)

Security settings. On the Security Settings page (click “More security settings” from the Security Settings page), you can configure a list of alternate email addresses and phone numbers that Microsoft can use to ensure that you are you when your security information changes. This is very important: Make sure you have at least two other email accounts that you control configured here, and at least one phone number. And then make sure this information is still accurate on a regular basis.

Sign-in preferences. Click “Change sign-in preferences” on the Security Settings page to access the Sign-in Preferences page. Here, you can configure which email aliases (which you configure in and phone numbers can be used to sign in to the main account. My advice is to turn them all off and reduce the attack surface on your account.

Two-step verification. The two-step verification section on the Security Settings page is used to set up and configure two-factor authentication (2FA). You must protect your Microsoft account with 2FA, so I will be writing about this functionality soon. In the meantime, you can read my 2015 post, Tip: Protect Your Online Accounts with Two-Factor Authentication.

Identity verification. The Identity verification section on the Security Settings page is used to set up and configure the authenticator app(s) you use for 2FA (above). If you switch phones, for example, you can turn off your previous app and enable a new one on the new phone.

App passwords. The App passwords section on the Security Settings page is used to set up and configure app passwords for legacy devices and services (like Xbox 360) that do not support 2FA. So instead of entering a password and then a phone app-generated code, you can just enter an app password. (There’s no real app password management per se, though you can remove the full list if you want. App passwords are basically used for one-off purposes and aren’t individually accessible later.)

Recovery code. Using the Recovery code section on the Security Settings page, you can create or replace your recovery code, which is a sort of analog recovery method: The idea is that you’ll print out this code and keep it in a safe place like a safe or safety deposit box, and then use it if your account is ever compromised and none of the other recovery methods—your alternate email addresses or phone numbers, and so on—work. Obviously, physical security is a concern here, but you could also store this code in another secure account, I suppose.

Trusted devices. Microsoft lets you access sensitive personal information like credit card data on so-called trusted devices without needing to enter a security code. Don’t do this: Click “Remove all the trusted devices associated with my account” under Trusted devices on the Security Settings page.

Once you get through all this, consider what I mentioned up front and configure recurring calendar events on the schedule that makes sense for you. That way, your MSA will never be out of date.


21 responses to “First Steps: The Proper Care and Feeding of Your Microsoft Account”

  1. 442

    I'm still amazed at how many folks are unaware, or worse are aware and don't use 2FA. 

    • 5639

      In reply to Narg:

      What is the point? It makes life more complicated and with app passwords and recovery codes you can still log in with only one factor. It's security theater. Not to mention it has made it harder to log in when the device containing my second factor is lost or malfunctions.

      It offers marginal improvements with larger headaches later. I personally just pick a more complicated 20 character password with more complexity than the app password. It sucks but I can remember it.


      Arguably the best thing done has been notifications identifying when access from new devices has occurred. That is the most useful thing to securing an account.


  2. 9562

    The proper care of your Microsoft Account is not to have one.

  3. 4727

    Incredible. What drives me nuts about Microsoft is bizarre cross-linking on their sites. I went to "Security & Privacy" then under Account Settings I clicked on "More security settings" I finally get to a page called Security settings (note that it is the third page deep from default MSA page). Under Trusted Devices, I clicked on "Learn more about trusted devices." and go to a Windows 7 Help page?!?!?!

    How do I see a list of Trusted Devices (or confirmation that I have NO trusted devices)???

  4. 4836

    Nice summary Paul. One thing I'd add is that the backup email address should be a completely separate account (not an alias) to the email address you signed up with, which may mean opening a second Gmail/Outlook account for that purpose. No point getting locked out of your account only to find out you're really locked out!

  5. 6358

    Rule #1: Don't store your credit card information online.
    Rule #2: Don't store your credit card information online.
    Rule #3: Don't store your credit card information online.
    Rule #4: Don't store your credit card information online.
    Rule #5: Don't store your credit card information online.

    No, seriously. Just don't do it. Every account is compromised sooner or later and companies have shown time and time again that they can't keep our data safe. A lot of sites don't bother even encrypting the credit card info. So don't take any chances, just don't put it online. Seriously.

  6. 8665

    Paul, I've used Microsoft products for decades and never had a security issue. Never had a security issue that is until I was migrated over to the new Outlook Mail that automatically signs you into a Skype account by default. My MSA is my Hotmail email address, which of course is now Outlook Mail. I have never had a Skype account. I personally didn't migrate my Windows Live Messenger into Skype when Microsoft closed WLM. Microsoft said at the time that your WL Messenger would no longer be in effect/work if you didn't migrate over to Skype, but that doesn't appear to be the case.

    I saw the "Messenger" icon on my account page, but didn't think anything of it since I assumed it was dead (I know I shouldn't assume, lol), and I saw the Skype icon and didn't make anything of that either since I never had of my own volition signed up for a Skype account. In fact, on my laptop I have Skype, and Skype Preview uninstalled, and on my android phone as well.

    To make a long story short, after much investigation and research as to why I was seeing such a massive increase in spam after the migration to Outlook Mail, I discovered that I was being automatically signed into a Skype account by default. So I clicked on the Skype icon one day and there were all my contacts from WLM that I haven't used since it was killed by Microsoft. I was shocked. There was also an unknown contact there as well, that I've never heard of in my life. I promptly blocked and deleted that unknown contact. I googled this unknown contact and found from the Skype Community forum this was a porn spambot that had inundated Skype members with this hack, which evidently was way before the Baidu hacking incident of this past Nov.

    When I deleted this unknown contact my spam in the new Outlook Mail went from over 200 per day to less than 20 per day. I can't believe that I had to suffer through weeks of that spam debacle, all because Microsoft automatically signs me into a Skype account that I don't use or want. If Microsoft killed WLM, and I never chose to migrate my stuff over to Skype how did it make its way into my Outlook Mail? Why is "Messenger" still listed on my security page if it no longer exists? Why are these email, messenger, MSN, hotmail, outlook, skype things so convoluted?

    Is this Microsoft's idea of securing my MSA? 

    Currently there isn't any way to disable this Skype on by default with Outlook Mail and God knows I have looked and inquired to anyone who would listen, and Microsoft has stopped allowing users from unlinking Skype from your which I wouldn't have to unlink if Microsoft hadn't automatically signed me into one in the first place! This just blows my mind.

    After months I finally got an answer from Microsoft's Skype support on Twitter, if you want to call it that, lol.

    "Hello. We are working on the feature to turn off the integration between Skype and Outlook. Here is a link to follow to see when the change is implemented. …"

    I didn't know whether to laugh or cry! I know users have been asking for this for quite some time and yet no solution.

    Possible solution: Why can't Microsoft add on its another page that would allow its users a checklist where they can decide which apps and services they wish to have associated to their MSA rather than forcing them by default? They did this with Windows Live Essentials 2012 where you could check which services you wanted to download. (Bye bye WLE, soon.) Do we not have any control over our own devices any more?


  7. 5836

    Two factor is broken using Outlook on an iPhone. I've set it up in my Microsoft account, and now I have to enter both my password and get a code from Authy (or some other code generator) EVERY TIME I OPEN THE APP to look at a new email. That's just nuts. I'm not doing that. And it doesn't work that way when in the Outlook app with my Google account. So I've had to turn it off again for my Microsoft account. I hope someone can point out that I'm doing something wrong, but I think I've been here before....

    • 5615

      In reply to JBerls:

      Yeah, 2FA (and password management, in general) is still too clunky and disjointed, imo, which is probably why so many people still eschew using unique long passwords and 2FA. Some accounts require use of an authentication app (which is fun when you get a new device and have to re-install the app) while others (like Yahoo) still send text messages with a one-time code (which is a problem when companies, like Yahoo, don't accept VOIP numbers as valid phone numbers). I cringe every time I read an article that says "to be safe, change the passwords on all of your accounts." Even using a password manager, it is a major PITA to change multiple passwords, especially if 2FA is used. Many devices and apps still don't work well with 2FA, so you have to use one-off app passwords; and even then, as you've found out, some apps just don't work at all with 2FA.

      Things have gotten more complicated, but have they really gotten more secure? There's got to be a better, simpler way, or else nothing is going to change from a security point of view. 

  8. 9797

    Maybe someone here can help me with a MS security issue. I used to use OneNote. Actually, I love the app. Recently I lost my job. I was using many devices to access my OneNote account, including a company supplied laptop and a personal iPad. I changed my MS password but found that I can still sync my iPad with OneNote, which means that the company owned laptop I left behind can also still access my OneNote account. What do I need to do to prohibit that laptop from accessing my OneNote account?

  9. 217

    Good article. Microsoft has laid out their account settings well, but one area where I always run into issues is with product keys, they ARE NEVER in the order details. Perhaps it's intentional, but it's nonsense, it's so difficult to find them and I always wind up digging through emails to find the original order with it attached. 

    • 4836

      In reply to dcdevito:

      Yeah, lots of companies have this issue. Actually, lots of companies rely on Digital River for software purchasing/ delivery so maybe it's their fault!

      I (try to) add them to a spreadsheet as soon as they arrive so in three years when I need it again I can find it. LastPass or similar would be useful here too. 

  10. 790

    Two things.

    1. Set calendar to change PW. In the article you posted (Microsoft upends traditional password recommendations...) includes: Eliminate mandatory periodic password resets for user accounts.

    2. Sign-in Preferences - you suggest to turn off all aliases. So your MSA account ID is NOT your primary alias or the one you sign-in with?



    • 486

      In reply to jim.mcintosh:

      I may have read it incorrectly, but I don't think Paul was suggesting that we not use aliases in general. I think he suggests not using an email that is an alias for your MSA as the email at which you are notified if there are changes or logins from new devices for your MSA.

    • 1139

      In reply to jim.mcintosh:

      2. It's impossible to remove your main account as a valid login. Paul is suggesting you turn off all aliases. For example I have my name and vuppe123 as aliases with vuppe as my main login. I disabled vuppe123 and my name as valid logins. However I can still send mail with these aliases, as well as receive it.

      If you never set up any aliases, this probably doesn't apply. But check anyway.

  11. 5456

    LOL i wonder what kind of beast my MSA is :-D

  12. phil_adcock

    Is there a newer update to this?