by delfinom 783 days ago
Ah yes, good reminder, it also causes IT hell.

If you register an AD tenant, you can associate a domain with it. When you do this, it means all your Windows accounts are also

something@domain.com

instead of the azure default of

something@tenantname.onmicrosoft.com

It is 100% optional to associate a domain, and it is an explicit action. This to me means they are using the domain on Azure for Windows AD.

Now why is this bad?

Well, Microsoft has two types of accounts "Personal" and "Work/School" accounts. You can create "Personal" accounts against any email address/domain. However, once you register an Azure AD Tenant, the default is to disable registering further personal accounts. The goal is to avoid corporate users leaking work documents to personal non-managed accounts. There is also an option to force merge any existing personal accounts at the verified corporate domain into work accounts.

Say Tutanota, being the geniuses they are, disabled the setting that turns off personal accounts for their verified domain.

Well, those IT guys will now have completely worthless audit logs, because there'll be constant failed logins from people accidentally selecting "work/school account" in the login screen when asked what type of account it is. Not to mention you'll have the reverse: employees accidentally creating personal accounts because some Microsoft prompts are weird and may refuse to offer work/school as a login option.

1 comment
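As an added illustration of the audit-log problem the comment above describes (this is not code from the original thread or from Tutanota), the Python below triages constructed Entra ID / Azure AD sign-in records: failures that say "no such user in this tenant" for an address at the verified corporate domain are the noise the comment predicts (someone picking "work/school account" with an address that only exists as a personal account), and are separated from genuine credential failures so that source-IP counting still means something. The record shape follows the Microsoft Graph `signIns` resource (`userPrincipalName`, `status.errorCode`, `status.failureReason`); the domain `example.com`, the sample records, and the meaning assigned to the error codes are assumptions to be checked against Microsoft's current AADSTS documentation before use.

```python
"""Triage sign-in failures: account-type confusion noise vs real attacks.

Added example, not from the original thread. Record layout follows the
Microsoft Graph signIns resource; error-code meanings are assumptions.
"""
from collections import Counter, defaultdict

CORPORATE_DOMAIN = "example.com"  # assumed verified tenant domain

# Assumed meanings; verify against Microsoft's AADSTS error list.
NO_SUCH_USER_CODES = {50034, 50020}       # no matching account in this tenant
CREDENTIAL_FAILURE_CODES = {50126, 50053}  # bad password / account locked

# Constructed sample records, not real log data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0, "failureReason": "Other"}},
    # bob has only a personal account on the corporate domain; twice picks
    # "work/school" at the prompt -> tenant reports no such user
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 50034, "failureReason": "UserAccountNotFound"}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 50034, "failureReason": "UserAccountNotFound"}},
    # repeated bad passwords for a real work account from one outside IP
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126, "failureReason": "InvalidUserNameOrPassword"}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 50126, "failureReason": "InvalidUserNameOrPassword"}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "status": {"errorCode": 50053, "failureReason": "AccountLocked"}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.12",
     "status": {"errorCode": 50020, "failureReason": "UserAccountIdentityDoesNotExist"}},
    # same code but not on the corporate domain: keep it visible, not noise
    {"userPrincipalName": "eve@gmail.com", "ipAddress": "203.0.113.13",
     "status": {"errorCode": 50034, "failureReason": "UserAccountNotFound"}},
]


def classify(record, corporate_domain=CORPORATE_DOMAIN):
    """Return one of: success, account_type_noise, credential_failure, other_failure."""
    upn = str(record.get("userPrincipalName", "")).lower()
    domain = upn.rpartition("@")[2]
    code = int(record.get("status", {}).get("errorCode", 0))
    if code == 0:
        return "success"
    if code in NO_SUCH_USER_CODES and domain == corporate_domain:
        # corporate-domain address with no work account behind it: the
        # personal-vs-work confusion the comment describes, not an attack
        return "account_type_noise"
    if code in CREDENTIAL_FAILURE_CODES:
        return "credential_failure"
    return "other_failure"


def triage(records, corporate_domain=CORPORATE_DOMAIN):
    """Bucket records by classify(); returns {bucket: [records]}."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[classify(rec, corporate_domain)].append(rec)
    return dict(buckets)


def suspicious_sources(records, threshold=2, corporate_domain=CORPORATE_DOMAIN):
    """IPs with at least `threshold` real credential failures, noise excluded."""
    counts = Counter(
        rec["ipAddress"] for rec in records
        if classify(rec, corporate_domain) == "credential_failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def confused_users(records, corporate_domain=CORPORATE_DOMAIN):
    """Corporate-domain addresses generating account-type noise, for helpdesk follow-up."""
    return sorted({
        rec["userPrincipalName"].lower() for rec in records
        if classify(rec, corporate_domain) == "account_type_noise"
    })


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_SIGNINS).items():
        print(f"{bucket}: {len(recs)}")
    print("suspicious sources:", suspicious_sources(SAMPLE_SIGNINS))
    print("users to contact:", confused_users(SAMPLE_SIGNINS))
```

Without the noise bucket, `bob@example.com` would look like a brute-force target after a week of mistyped prompts; with it, the only source that crosses the threshold is the one actually guessing passwords.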

Would it have been better if they had kept the company name as "tutanota" and called their email service "tuta" on the "tuta.com" domain?
Yeah, that would have been the sane and professional way to do it.