What are the changes in allowed email addresses in MSAs?

You may or may not have noticed that there has been a recent change in LiveID (or Microsoft Account, MSA, as they are now called). In the past you could create an MSA using an existing email address, e.g. richard@mydomain.co.uk. This is no longer an option. If you try to create a new MSA with a non-Microsoft (outlook.com/hotmail.com) email address, it is blocked with the message ‘This email is part of a reserved domain. Please enter a different email address’.

This limitation is actually a bit more complex than you might initially think, as it is not just your primary corporate work email it checks; it also checks any aliases you have. So in my case it would give the same error for richard@mydomain.com as well as richard@mydomain.co.uk, because they are both valid non-Microsoft domains, even though one is really only used as an email alias for the other.

So if creating a new MSA you will need to create a user@outlook.com style address. This is something all our new staff need to do as at present you need an MSA to associate with your MSDN subscription.

In the past we asked them to create this MSA with their email user@mydomain.co.uk alias. This email address is an alias for their primary work email account, not their primary work account address user@mydomain.com itself. We encouraged them not to use their primary email address, as it gets confusing as to which type of account (MSA or work account) is in use at any given login screen if their login name is the same for both (their primary email address). We now have to ask them to create one in the form bm-user@outlook.com to associate their MSDN subscription with.

So that is all good, but what about any existing accounts?

I think the best option is to update any existing accounts to use new user@outlook.com addresses. I have found that if you don’t do this you get into a place where the Azure/VSTS/O365 etc. logins get confused as to whether your account is an MSA or a Work Account. I actually managed to get to the point where I suddenly could not log in to an Azure Active Directory (AAD) backed VSTS instance due to this confusion (the fix was to remove my ‘confused’ MSA and re-add my actual corporate AAD work account).

How do I fix that then?

To try to forestall this problem on other services I decided to update my old MSA email address by doing the following:

  1. Log in as my old MSA
  2. Go to https://account.microsoft.com
  3. Select ‘Info’
  4. Select ‘Manage how you sign in to Microsoft’
  5. Select ‘Add a new email address’
  6. Create a new @outlook.com email address (this will create a new email/Outlook inbox, but note that this seems to take a few minutes, or it did for me)
  7. Once the new email alias is created you can choose to make it your primary login address
  8. Finally you can delete your old address from the MSA

And you are done. You can now log in with your new user@outlook.com address, with your existing password and any 2FA settings you have, to any services you would previously log in to, e.g. the MSDN web site, VSTS etc.

The one extra step I did was to go into https://outlook.live.com, once the new email inbox was created, to access the new Inbox and set up an email forward to my old richard@mydomain.co.uk email address. This was just to make sure any email notifications sent to the MSA's new Inbox end up somewhere I will actually see them; the last thing I wanted was a new Inbox to monitor.

Summary

So I have migrated the primary email address for my MSA and all is good. You might not need this today, but I suspect it is something most people with MSAs using a work email as their primary login address are going to have to address at some point in the future.