Changing Microsoft Account alias is painful

Access denied for my new alias

A short update: the recent MSDN subscription migration killed my migrated account alias too. After contacting Microsoft support, I removed the legacy alias from my account, created a new Microsoft Account using my legacy alias and restored my access to the new Visual Studio Subscription portal. In the same way, I removed the legacy Microsoft Account from my Azure AD, linked the two separate Microsoft Accounts (legacy and new alias) and resolved my issue accessing Visual Studio Team Services.

Such inconsistencies keep happening, and remove-and-re-add is usually the universal fix.

After using my legacy alias for almost 7 years, I decided to replace my Microsoft Account alias with a new Outlook.com email address because of growing security concerns about Netease Mail (my previous email service provider). Though I had changed my alternative recovery email to my domain email after several major security incidents, it still looks weird to have an @163.com email alias linked to my Microsoft account.

Okay, I changed my alias the day before yesterday. It works. I didn’t delete the old one because I want to keep some sort of backward compatibility. It works across my personal devices without any pain.

The annoyances came a few days later.

Let’s talk about SSO/Federated Logon

Before talking about the terrible things that happened after switching to the new alias, let’s talk about Federated Logon. Technically speaking, federated login is an authentication workflow based on trust relationships. Suppose Identity Provider A and Application B have established a two-way trust relationship through service provisioning. When a new user login attempt occurs, B redirects the authentication challenge to Identity Provider A, together with the necessary metadata: a secure token ID, a timestamp, a nonce and finally something that validates the request, for example a digital signature or even token encryption. Since Application B has its own way to understand Identity Provider A’s payload (and A understands B’s), the communication is secured.

When Identity Provider A completes the user’s authentication challenges (password, client certificate, fingerprint, etc.), it signs (and maybe encrypts) the authenticated user’s claims (user ID, user name and so on) and posts them to B. The WS-Federation workflow image below illustrates this. OAuth and OpenID Connect have similar workflows with slight differences (multiple modes to retrieve user claims).

WS-Fed workflow from docs.oasis-open.org

Microsoft Azure, Visual Studio Team Services and most Microsoft services use OpenID Connect. Believe it or not, you use Federated Logon and SSO every day.

Microsoft Account and Azure AD Account

They are two separate systems, though they have something in common. Each Microsoft Account has a CID, a unique identifier in the Microsoft Account system. All Microsoft consumer services use the CID to recognize your identity. For example, your Outlook.com email account is identified by your CID.

Azure AD accounts work differently. Each Azure Active Directory has a tenant ID that identifies it within the AAD system. Each AAD contains objects: users, groups, computers, trust relationships and more. Each AAD user has a unique alias within a specific AAD tenant, so the coexistence of 2ea6c0b4-cc49-42b8-9f1b-3f4aa653c719\imbushuo and b5093785-af31-4819-bf75-728d4474769c\imbushuo is possible.

Microsoft Accounts can be linked into Azure AD too: during the linking procedure, a new external user backed by the Microsoft Account is created in the AAD tenant, so you may end up with 2ea6c0b4-cc49-42b8-9f1b-3f4aa653c719\bill@live.com. When Bill wants to access resources in his tenant’s AAD, he types bill@live.com into AAD Federation Service (Work and school account), the single sign-on portal for Azure AD. AAD FS then redirects the authentication challenge to the Microsoft Account login portal. If Bill is authenticated there, he is redirected back to AAD FS with the claims provided by Microsoft Account. Finally, AAD FS tells the application that the user is Bill.

My blog uses this login mechanism too. Have a look at my management portal to get an idea of how it works if this is unclear.

But…there’s no CID in Azure AD

But there is something that works just like the CID: the user alias. Another mapping! The Microsoft Account is mapped to an Azure AD account, and the application then uses the Azure AD account identity. After changing my alias in Microsoft Account, my Azure AD user alias remained the same, so I can log in to my blog management portal with the same identity:

Logged in with the same ID

Do you remember that a federated logon can carry multiple attributes at once? Here is the problem. My team’s source control service, Visual Studio Team Services, seems to use the email address (which changes after rotating my primary Microsoft Account alias) to identify the user. After logging in with my organization account, I found that my email address hadn’t changed after the rotation. To make things worse, I am the account creator, so I cannot remove my Microsoft Account from VSTS to address the issue.

In short, the primary alias rotation didn’t change my user alias in Azure AD, but applications’ behavior varies depending on how they handle user claims.
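The claims-mapping difference described above, as an added example that is not part of the original post and not any Microsoft implementation: a toy federated logon in which a hypothetical identity provider issues signed claims (a stable CID, the primary e-mail alias and a display name) and two relying applications map those claims to local records, one keyed on the CID and one keyed on the e-mail claim. The relying party verifies signature, nonce and freshness before trusting anything, then the user rotates the primary alias and logs in again. The signing key, account values and application names are constructed for this illustration, and the HMAC-signed token is a stand-in for the signature trust in the WS-Fed/OIDC flow.

```python
"""
Added example (not from the original post): a toy federated-logon
exchange showing why an application that keys its user records on the
stable subject identifier survives an alias rotation, while one keyed
on the e-mail claim silently creates a second user. All names, keys and
claim values below are constructed for this illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Shared secret between the hypothetical identity provider and the relying
# application; stands in for the signature trust established when the two
# parties were provisioned (constructed value, not a real secret).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, nonce: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Identity provider side: sign the claim set together with the nonce
    the relying party sent and an issue timestamp."""
    body = dict(claims, nonce=nonce, iat=int(now if now is not None else time.time()))
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, expected_nonce: str, key: bytes = SHARED_KEY,
                 now=None, max_age: int = 300) -> dict:
    """Relying party side: check signature, nonce (anti-replay) and
    freshness before trusting any claim in the token."""
    payload, sig = token.split(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    age = (now if now is not None else time.time()) - claims["iat"]
    if age > max_age:
        raise ValueError("token too old")
    return claims


class RelyingApp:
    """An application that maps incoming claims to its own user records.
    `key_claim` names the claim it treats as the user's identity."""

    def __init__(self, key_claim: str):
        self.key_claim = key_claim
        self.users = {}  # key claim value -> local user record

    def login(self, token: str, nonce: str, now=None):
        claims = verify_token(token, nonce, now=now)
        key = claims[self.key_claim]
        if key not in self.users:  # first sight of this key: new local user
            self.users[key] = {"display": claims["name"], "repos": []}
        return key, self.users[key]


def simulate_alias_rotation() -> dict:
    """Log in, own a repo, rotate the primary alias, log in again; report
    whether each application still recognises the same user."""
    # Constructed IdP record: stable CID plus a rotatable primary alias.
    account = {"cid": "cid-0123456789abcdef", "email": "user@163.example",
               "name": "imbushuo"}
    by_cid = RelyingApp("cid")      # keys on the stable identifier
    by_email = RelyingApp("email")  # keys on the e-mail claim
    t0 = 1_700_000_000

    n1 = secrets.token_hex(8)
    tok1 = issue_token(account, n1, now=t0)
    k_cid1, rec_cid = by_cid.login(tok1, n1, now=t0)
    k_mail1, rec_mail = by_email.login(tok1, n1, now=t0)
    rec_cid["repos"].append("blog")
    rec_mail["repos"].append("blog")

    # The user rotates the primary alias; the CID is unchanged.
    account["email"] = "user@outlook.example"
    n2 = secrets.token_hex(8)
    tok2 = issue_token(account, n2, now=t0 + 60)
    k_cid2, rec_cid2 = by_cid.login(tok2, n2, now=t0 + 60)
    k_mail2, rec_mail2 = by_email.login(tok2, n2, now=t0 + 60)

    return {
        "cid_same_user": k_cid1 == k_cid2 and rec_cid2["repos"] == ["blog"],
        "email_same_user": k_mail1 == k_mail2,
        "email_orphaned_repos": by_email.users[k_mail1]["repos"],
        "email_new_record_repos": rec_mail2["repos"],
        "email_user_count": len(by_email.users),
    }


if __name__ == "__main__":
    print(json.dumps(simulate_alias_rotation(), indent=2))
```

Run it and the CID-keyed application reports the same user with the "blog" repo still attached, while the e-mail-keyed application now holds two records, the old one (with the repo) orphaned under the previous address and an empty new one under the rotated alias. That is the shape of the VSTS behaviour described above, and the reason a relying party should key on the stable subject identifier and treat e-mail as a mutable attribute.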

 

Seems that I have to change my alias back. Yuck.

“You will pay.”

In the afternoon I got a message from a friend asking me to take a look at the Moegirlpedia (萌百) discussion board. At first I thought it couldn’t be anything major, but the tone felt off. I scrolled up, and sure enough.

I’d say my awareness of Moegirlpedia stayed at the level of the 更新姬 (update bot) account for a long time; then somehow I started following C君’s personal account, and later I came across that article. I actually created my first entry in early 2015. But the series of events lately has made me question some things.

While writing this I recalled something someone said in a group chat (some things had already happened by then):

This site looks pretty good, but something feels wrong, and I can’t say what.

And there were the private discussions I had heard in many groups before. Thinking about it now, most of the problems are probably at the management level. Long ago I browsed PCEVA, which was still a small forum then, reading up on SSDs. Later I saw people complaining about neeyusee (the SSD board moderator) running a one-man show (一言堂). I didn’t really understand the term at the time, but recently I have been feeling, continuously, how real and how frightening a one-man show is.

Screenshot (475)

So today the final decision authority was invoked to strip a senior member of admin rights. The stated reason was strange too: “Their behaviour has grown more and more obstinate; counting from November to February, over four months 蓝羽 was the administrator with the highest number of complaints (bar none; the edits-to-complaints ratio was also the lowest) and the one users objected to most strongly. User resentment centred mainly on acting arbitrarily without accepting others’ opinions and on double standards.” No other valid evidence was offered to support these conclusions. The claim that “this problem has become so serious that even patrol admins within the Moegirlpedia management group such as 忆兔 can no longer stand their harsh words” was mentioned only in passing, again with no evidence. Moreover, that odd complaints-per-edits metric is baffling. The reality is simple: juvenile editors (小学生) do exist, and where there are edits there will be complaints. Even if 蓝羽 really did receive many complaints, statistics should be produced to convince people. Has anyone studied statistics...

Back to the UGC problem. In a UGC community, content is paramount. Without content and without the atmosphere among users, what is left of a UGC community? Users’ contributions cannot simply be normalised, and there is no concrete yardstick for them. Yet this string of events looks designed to drive users away, forcing veterans to set up shop elsewhere. The 更新姬 account could have many different ways of interacting with followers; pushing entries is not necessarily the only thing it should do. And on an official WeChat account, replying one message at a time is no easy task either.

And here again is the one-man show. Before invoking the final decision authority to remove the admin rights of the former Twitter 更新姬 maintainer, was there any proper discussion? And what does it mean to tell those criticising you to shut up when you yourself have violated the principles afterwards? All in all, it seems that only when one’s own interests are seriously affected does one reflect and revise one’s code of conduct. Views on certain political matters are too fixed, with such a strong sense of identification that one assumes everyone thinks the same way, silences dissenting voices, and then acts according to one’s own understanding. Furthermore, using extreme measures to handle matters while knowing full well that others’ emotional reactions may be strong is itself questionable. If you knew the risk, why do it?

空明流转菊苣 is right: whether a team does things well and whether the big shots make sense really matter. But with a leader who insists on having his own way, I am not optimistic about where this is going, unless some day a major event wakes the leader up. I suppose this is “头碰圆” (banging your head until it’s round)? I rarely write like this; criticising others is not my usual style. But You will pay.

 

Microsoft Band: a quick hands-on

The Microsoft Band is not exactly a new product; I only picked one up after recently arriving in the US. Well... it is roughly this kind of wristband. I won’t introduce it at length, since fitness bands are all fairly similar; the MS Band just adds a lot of odd extras.

First, the unboxing. I bought the S size on Amazon for $141 including tax, without the Starbucks card. The packaging is simple: a USB cable, the band and a quick-start guide.

20150926_191313932_iOS

Then power on, pair, update, and the OOBE.

20150926_191629949_iOS

And then it’s a usable band...
—————————————————————————

Hardware

The Microsoft Band is an ARM-based wristband running Microsoft’s wearable software platform, with a heart-rate sensor, GPS, a UV sensor and a pile of other sensors.
This is the optical heart-rate sensor.
20150926_200933774_iOS
Wearing comfort is average. Personally I find it more comfortable worn on the inside of the wrist, especially when checking the time.
This one is worn on the inside of the wrist.
20150926_201951798_iOS
This one is worn on the outside of the wrist.
20150926_202014823_iOS
A close-up of it worn on the outside of the wrist.
20150926_202018363_iOS
This is the clasp on the back.
20150926_202037611_iOS
Overall it is not especially comfortable, but you get used to it after a while...

Software

Although the version number is already v10.0, it is definitely not Windows 10 running on it. The main UI looks a lot like Windows, with tiles everywhere.
20150926_200747088_iOS
This is what it looks like after unlocking.
20150926_200755731_iOS
20150926_200903883_iOS
And there are various apps.
20150926_200824526_iOS
There is also a companion app on the phone, which is probably what you look at most of the time... and there is one for the PC too.
MSBandSync
It manages the tiles, apps and other settings on the Band.

Exercise

The built-in app offers many exercise options; the band can track a lot of data and aggregate it in the cloud for analysis.

OK, that’s it for now...