I'm still fuzzy on what's going on under the hood for AzureAD accounts and auth flow here, but it seems clear that whatever it is prevents the scenario described in the original article, and that I confirmed for personal accounts.
Comments
I'll also add that password auth for Microsoft accounts is *not* what MS wants you to do. I had to X out of the PIN prompt on initial setup, and every subsequent login.
That means the blessed pathway would *never update your password*.
I also don't buy the argument from Microsoft that this is a "design decision" to prevent account lockouts, as this requires you to store old passwords indefinitely. Some password managers have history but not all, and even at that it seems silly to never update the thing.
https://learn.microsoft.com/en-us/answers/questions/87978/reset-krbtgt-password
That checkbox for web accounts enables the RDS AAD Auth protocol which uses modern tokens from Entra / Conditional Access
Not sure what it does for consumer though...
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/8f62058b-c7e5-4244-8f14-ed7d76618cb5
Either way, I would have to do some testing to see if there are any corner cases on the work side of things :p