by yunohn 783 days ago
> The devil in the details means the morons were using the same domain used by public users, for internal corporate usage which is absolutely fucking insecure to the moon.

Care to explain why this is so insecure?


If I get an email from @tuta.com, how do I know if it’s an official staff account, or a member of the public?
That’s a great point, but not the point that GP was making. I’d like to learn more about the inherent domain sharing security problem they ranted about.

Edit: This public issue seems to imply they have a way to mark system/admin emails: https://github.com/tutao/tutanota/issues/6708

If you work at the company, how do you know

IAmTotallyCeo@realcompanydomain.com is real or not?

And if you are a service user, how do you know

ISwearIAmCustomerService@realcompanydomain.com is real or not?

Everyone else does it properly.

google.com/gmail.com are not mixed.

microsoft.com/(outlook.com,hotmail.com,live.com) are not mixed.

apple.com/icloud.com are not mixed.

You claimed it was an issue specific to internal usage?
Ah yes, good reminder, it also causes IT hell.

If you register an AD tenant, you can associate a domain with it. When you do this, it means all your Windows accounts are also

something@domain.com

instead of the azure default of

something@tenantname.onmicrosoft.com

It is 100% optional to associate a domain and an explicit action. This to me means they are using the domain on azure for Windows AD.

Now why is this bad?

Well, Microsoft has two types of accounts: "Personal" and "Work/School" accounts. You can create "Personal" accounts against any email address/domain. However, once you register an Azure AD Tenant, the default is to disable registering further personal accounts. The goal is to avoid corporate users leaking work documents to personal non-managed accounts. There is also an option to force merge any existing personal accounts at the verified corporate domain into work accounts.

Say tutanota, being the geniuses they are, disabled the setting that turns off personal accounts for their verified domain.

Well, those IT guys will now have completely worthless audit logs because there'll be constant failed logins from people accidentally selecting "work/school accounts" in the login screen when asked what type of account it is. Not to mention you'll have the reverse of employees accidentally creating personal accounts because some Microsoft prompts are weird and may refuse to offer work/school as a login option.
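To make the audit-log point above concrete, here is an added example (not from the commenter, and not Microsoft's code) of how a defender could separate the noise a shared domain produces from sign-in failures that actually deserve attention. The log records and the work-account directory are constructed; the field names follow the general shape of Entra/Azure AD sign-in log entries and the two error codes are Microsoft's documented AADSTS codes, but the tenant, domain and accounts are assumptions.

```python
"""Triage sign-in failures on a tenant whose verified domain is also used
for public mailboxes.  Everything below is constructed sample data."""
from collections import Counter

# Assumed tenant: its verified domain and the real work accounts in it.
VERIFIED_DOMAIN = "example.com"
WORK_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Documented AADSTS error codes; the log entries that use them are invented.
ERR_USER_NOT_FOUND = 50034   # account does not exist in this directory
ERR_BAD_CREDENTIALS = 50126  # invalid username or password

# Constructed sign-in log entries (shape loosely follows Entra sign-in logs).
SAMPLE_LOG = [
    {"userPrincipalName": "alice@example.com", "status": {"errorCode": 0}},
    {"userPrincipalName": "randomcustomer@example.com", "status": {"errorCode": 50034}},
    {"userPrincipalName": "Another.Customer@example.com", "status": {"errorCode": 50034}},
    {"userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}},
    {"userPrincipalName": "someone@other.example", "status": {"errorCode": 50034}},
]


def classify(entry):
    """Label one sign-in record by what most likely caused it."""
    upn = entry["userPrincipalName"].lower()
    code = entry["status"]["errorCode"]
    domain = upn.rpartition("@")[2]
    if code == 0:
        return "success"
    if code == ERR_USER_NOT_FOUND and domain == VERIFIED_DOMAIN and upn not in WORK_ACCOUNTS:
        # A public mailbox at the shared domain picked "Work or school" at the
        # account-type prompt: exactly the noise the comment describes.
        return "shared-domain-noise"
    if code == ERR_USER_NOT_FOUND:
        return "unknown-account"
    if upn in WORK_ACCOUNTS:
        # A real work account failing to authenticate is the signal worth keeping.
        return "work-account-failure"
    return "other-failure"


def triage(log):
    """Count records per label so the noise can be reported separately."""
    return Counter(classify(e) for e in log)


def noise_ratio(log):
    """Fraction of all failures that are shared-domain noise (0.0 if none)."""
    counts = triage(log)
    failures = sum(n for label, n in counts.items() if label != "success")
    return counts["shared-domain-noise"] / failures if failures else 0.0


if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:24s} {n}")
    print(f"noise ratio: {noise_ratio(SAMPLE_LOG):.2f}")
```

The useful output is the split itself: with separate domains, every "user not found" at the corporate domain would be worth a look, whereas with a shared domain the classifier has to fall back on an explicit directory of work accounts to tell a stray customer from something that deserves follow-up.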

Would it have been better if they had kept the company name as "tutanota" and called their email service "tuta" on the "tuta.com" domain?
Yeah, that would have been the sane and professional way to do it.