If you’re anything like me, your Microsoft account is the core of your online identity. It’s time for a check-up.
I’ve been meaning to write about maintaining a Microsoft account (MSA) for years. Indeed, almost every time I update the Windows 10 Field Guide, I am reminded of the need for a “Chapter 0”-type manual to creating, securing, and properly maintaining an MSA. It’s just so core to everything else in the Microsoft ecosystem: Windows 10, of course, but also Office 365, Outlook.com, OneDrive, OneNote, Cortana, Skype, and so much more.
So consider this a first step in that direction. Here, I will assume you already have an MSA, and that you have basically ignored its configuration and maintenance for some period of time. It’s OK, we all do it. But going forward, you should resolve to revisit this account and its configuration from time to time.
And that is my first tip:
Set calendar reminders for MSA checkups. Frankly, you should do this for all of your online accounts. But for MSA specifically, you should consider quarterly/bi-annual checks of your security settings and devices, at the least. (We’ll look at both in a moment, but because I test so many PCs, I actually examine and prune my device lists monthly.)
Also:
Know where to go. The Microsoft account website can be found at account.microsoft.com. Here, you can properly configure your Microsoft account. Everything else we discuss here will happen at that website.
There are a few non-security settings you should examine immediately.
Personal information. From the Your Info link, you can review and edit your personal info, meaning your birth date, address, phone number, and so on. Make sure it’s all correct. (This part of the site mentions “billing info,” but that’s not the same as “payment options.” See below.)
Payment options. Navigate to Payment & Billing, Payment Options to review and edit the credit cards and other payment methods (PayPal, gift cards, more) that are associated with your account. Make sure the cards are up-to-date, and remove those that are no longer needed. Note that this page will also show you which credit card(s) are tied to subscriptions (like Xbox Live Gold, Office 365, or Groove Music Pass). Take time to review your order history as well, to make sure there aren’t any suspicious purchases.
Subscriptions. On the Services & Subscriptions page, you can review your current and past subscriptions and configure auto-renew, where available, and which payment method is used for auto-renew.
Devices. The Microsoft account website maintains your device association lists, of which there are four: Your devices (all devices, including PCs, phones of all kinds, and Xbox consoles), apps & games devices (for Windows Store purchases), music devices (for Groove Music Pass), and movies & TV devices (for content rented or purchased from Windows Store/Xbox Store). Note that each has different limitations. You can have any number of devices in the Your devices list, and can remove devices at will. The apps & games list is limited to 10 devices, and you can remove devices at will. The music devices list can have only four devices, and you can only remove one per 30-day period. And the movies & TV devices list can contain an unlimited number of devices, I believe. But you can only remove one per month.
Family settings. Using Microsoft’s parental controls service, called Microsoft Family? Then you can use the Family link to manage the adults and kids in that family, and the settings for each.
Privacy. Use the new Privacy dashboard to manage your privacy settings and, if needed, delete private information that Microsoft has stored in the cloud.
Security. Finally, and perhaps most important, you can use the Security link to review and edit your security settings. This is a big topic, so it gets its own section…
From the Security link, consider reviewing the following security features:
Password. Use the Change password link to change your password and, optionally, configure a 72-day reminder to change it again. If you are not using a password manager correctly, that latter option is a good idea. (If you have not already done so, the site will also prompt you to merge your Skype and Microsoft accounts.)
Security settings. On the Security Settings page (reached by clicking “More security settings” from the Security page), you can configure a list of alternate email addresses and phone numbers that Microsoft can use to ensure that you are you when your security information changes. This is very important: Make sure you have at least two other email accounts that you control configured here, and at least one phone number. And then make sure this information is accurate by reviewing it on a regular basis.
Sign-in preferences. Click “Change sign-in preferences” on the Security Settings page to access the Sign-in Preferences page. Here, you can configure which email aliases (which you configure in Outlook.com) and phone numbers can be used to sign in to the main account. My advice is to turn them all off and reduce the attack surface on your account.
Two-step verification. The two-step verification section on the Security Settings page is used to set up and configure two-factor authentication (2FA). You must protect your Microsoft account with 2FA, so I will be writing about this functionality soon. In the meantime, you can read my 2015 post, Tip: Protect Your Online Accounts with Two-Factor Authentication.
Identity verification. The Identity verification section on the Security Settings page is used to set up and configure the authenticator app(s) you use for 2FA (above). If you switch phones, for example, you can turn off your previous app and enable a new one on the new phone.
App passwords. The App passwords section on the Security Settings page is used to set up and configure app passwords for legacy devices and services (like Xbox 360) that do not support 2FA. So instead of entering a password and then a phone app-generated code, you can just enter an app password. (There’s no real app password management per se, though you can remove the full list if you want. App passwords are basically used for one-off purposes and aren’t individually accessible later.)
Recovery code. Using the Recovery code section on the Security Settings page, you can create or replace your recovery code, which is a sort of analog recovery method: The idea is that you’ll print out this code and keep it in a safe place like a safe or safety deposit box, and then use it if your account is ever compromised and none of the other recovery methods—your alternate email addresses or phone numbers, and so on—work. Obviously, physical security is a concern here, but you could also store this code in another secure account, I suppose.
Trusted devices. Microsoft lets you access sensitive personal information like credit card data on so-called trusted devices without needing to enter a security code. Don’t do this: Click “Remove all the trusted devices associated with my account” under Trusted devices on the Security Settings page.
Once you get through all this, consider what I mentioned up front and configure recurring calendar events on the schedule that makes sense for you. That way, your MSA will never be out of date.
In reply to dcdevito:
Yeah, lots of companies have this issue. Actually, lots of companies rely on Digital River for software purchasing/delivery so maybe it’s their fault!
I (try to) add them to a spreadsheet as soon as they arrive so in three years when I need it again I can find it. LastPass or similar would be useful here too.
Nice summary Paul. One thing I’d add is that the backup email address should be a completely separate account (not an alias) to the email address you signed up with, which may mean opening a second Gmail/Outlook account for that purpose. No point getting locked out of your account only to find out you’re really locked out!