Why is Microsoft is transitioning to managed Work or School Accounts for VLSC Sign in
Microsoft is increasingly transitioning volume licensing capabilities to modern platforms such as M365 Admin Center that require Work or School Accounts. Transitioning to Work or School Accounts means users can have a single Log In ID to manage on-premises software, on-line services and subscriptions such as Visual Studio on the Volume Licensing Service Center and other Microsoft sites.
Other benefits of Work or School Accounts include:
- Best-in-class user authentication and authorization, and are the best option to protect the enterprise assets that are acquired through the Microsoft Volume License programs
- Accounts are more secure because individual users are more readily identifiable as belonging to an organization and users’ access is removed once they are no longer part of their organization’s active directory.
- Forgotten passwords can be reset by the organization’s global administrator, or by self-service password reset if the Global Admin allows it.
What is a Work or School Accounts for VLSC Sign in
A Work or School Account typically takes the form of email@example.com or firstname.lastname@example.org (where orgname is their employer's email domain name). This helps customers and Microsoft alike to validate the user's assigned permissions are accurately and securely affiliated with the licensed organization.
The purpose of the Work or School Account is for authenticating a user's relationship with an organization and does not require that user or organization to consume Microsoft Services such as Office 365. However, if you do use one of those services you already have a work account. Sign in with the same account you use to access that service.
I already have a Work or School Account for VLSC but I am being prompted to take over my unmanaged directory as an administrator.
Before September 2021, VLSC users could sign in with a form of Work or School Account based on an email domain such as @fourthcoffee.xyz where there was no assigned administrator. This is known as an unmanaged or viral tenant. This type of account is insufficient for other platforms. To ensure that users can use the same log in ID on all sites where volume licensing capabilities are being enabled and to align to best practice, VLSC will require users within unmanaged tenants to verify their ownership of their email domain by taking over their viral tenant.
If you log into VLSC with an unmanaged account you are prompted to take over the account. However, you are given a number of remaining logs ins on VLSC to allow you the time to convert your unmanaged account to a managed one by assigning an administrator.
Your Work or School Account was created using self-service signup for Azure Active Directory (also known as a "viral tenant"). To continue using the Volume Licensing Service Center, you must take over your unmanaged directory as an administrator.
If you see this message, it means Microsoft needs your organization to verify it owns the email domain used to create the VLSC Log In. For example, a VSLC Admin signs in with email@example.com and Microsoft need to verify that the organization owns the domain @fourthcoffee.xyz.
Here is how you may proceed.
Option 1 - sign in with email domain specific to your organization by taking over a viral tenant. To sign into VLSC with an email address specific to your organization, (for example, firstname.lastname@example.org), you or your organization’s Network Administrator can verify ownership of that email domain. To do this, your organization’s IT Administrator or Network Administrator will need to confirm the domain’s DNS TXT records. (These are available from the domain name registrar, such as GoDaddy). Your IT or Network Administrator may provide you with the DNS TXT details so that you can complete these steps or may prefer to become the Global Administrator of your organization’s Work or School Account themselves – (doing so does not mean they need to manage licenses in the VLSC).
For step-by-step instructions see How to takeover over an unmanaged directory If you are not ready to take this step just yet, and still have remaining logs in sessions, you may choose Skip and sign into the VLSC with your existing account. If have zero remaining Log Ins and need more time, please submit a request to VSLC Support specifying the email address you use to sign in to the VLSC and asking for extra log in sessions to be added to your account.
When you choose Skip you can continue to sign in to VLSC with your existing VLSC login ID at this time.
- This is a good option if you need more time to complete the process of taking over your unmanaged account or to identify someone in your organization who can do so.
- Note that you have a limited number of remaining logins before you, or someone in your organization, must become an administrator for the account you sign in with.
Option 2 – Create a new user ID not matched to your organization’s email domain.
This may be a good option for you if you only need to use this account to login to VLSC.
If a VLSC log in format that does not match your organization’s email domain is acceptable to you or you are unable to prove ownership of your organization’s email domain at this time, it may be as easy to create a new work or school account (in a format such as email@example.com) that you manage independently of your IT or Network Administrator.
You will be able to complete this process without needing to phone VLSC Support. The individual steps will take you just minutes. However, you may need to wait up to 2 business days before you can log back into the VLSC with a new account.
- Step 1. Submit a web form request to VLSC Support to disassociate your current VLSC account from your email address and to invite you to register again. -- (For Canada and USA, use N.America MAK ADD Web Form)
Do NOT log into VLSC until after VSLC Support has confirmed the disassociation of your account is completed.
- Step 2. Go to Sign Up to create a new Work or School Account (such as firstname.lastname@example.org with yourself as the Administrator (you don’t need to confirm DNS TXT details for this type of domain). Be sure to write down your user ID as you will need it later.
- Step 3. After VLSC Support confirm your account has been disassociated, return to the VLSC, chose Sign In with a Work or School Account. Input the new work or school account that you created in step 1 (such as email@example.com).
It is highly recommended that prior to deploying any online services such as Office 365, your organization take over this new Work or School Account and link it to the organizations own custom domain.
Why am I getting a limited number of sign-in opportunities using a Microsoft Account
We allow VLSC users still using personal Microsoft Accounts a limited number of remaining logins so that you have enough time to convert to to the required Work or School Account. You should start using a Work or School Account as soon as possible. If you don’t yet have one, you go to Sign Up to create a new Work or School Account
How do I sign up for a new Work or School Account
If your work or school uses Microsoft 365 or any Microsoft online service, it is likely you already have a Work or School Account. Try using the user ID and password you use to log in at work to log into the Volume License Service Center.
If you or your organization are currently not using online services like Microsoft 365, you can still get a Work or School Account at Sign Up.
You are not required to sign up for any online services to get a Work or School Account for use on the VLSC. However, you can add services to this same tenant at a later date if you so choose.
Your new Work or School Account may look a bit different from what you are used to. After you complete your setup, your account may look something like "firstname.lastname@example.org". If you have your own domain name (like "yourcompany.com"), you can add it at a later time through the Admin console.
What is an unmanaged tenant
An Unmanaged Azure AD Tenant (sometimes referred to as "viral tenant") is a tenant with no global administrator, and can arise where users sign up for a cloud service and have an identity automatically created for them in Azure AD based on their email domain.
The Volume License Service Center used to allow users to sign in with an unmanaged tenant, but now requires managed tenants. This is because we are migrating volume licensing capabilities onto more modern platforms and will make it possible to use the same user ID and password to access Microsoft products are and services purchased in different ways, including via Volume Licensing Solution Providers, Cloud Service Providers and/or directly from Microsoft on the Microsoft 365 Administration Center.
For more about viral tenants, please see Self-service sign-up for email-verified users.
How do I know if I have an unmanaged tenant account
- If you try to log into the Volume License Service Center using an unmanaged or "viral tenant" account, the site will inform you accordingly.
- Or sign into Portal.Office.com (or other online service) and if you see an Admin tile in the App Picker, the tenant is Unmanaged
- Or for the IT Pro determine whether you have a viral tenant account without having to log into VLSC.
What is a viral tenant takeover
A viral tenant takeover, also known as a takeover of an unmanaged tenant, is the process by which a user becomes the administrator of an unmanaged tenant. Once the tenant has an admin, it can be used for a wide variety of purposes like adding other users to the same organization, add various online services and continuing to use resources like the Volume License Service Center.
Reasons that might prevent you from completing a takeover include:
- Unable to identify your IT Administrator -- (For large organizations this is typically a Help Desk number, but smaller organizations may outsource this to an IT provider).
- Inability to prove domain ownership -- (Your IT Administrators will know this or have access to the information - which is sourced from your Internet Service Provider)
- Your account belongs to a restricted or reclaimed domain. -- (This setting is determined by your organization's Administrator. A work account separate to your orgnanizations tenant may be needed).
In these instances you may want to create a new user ID (see option 2 above).
How do I perform a viral tenant takeover
A viral tenant takeover is a multi-step process that requires you, or someone in your organization, to prove ownership of your intended domain. For example, VSLC user email@example.com, or someone in that user's organization, needs to become the Global Administrator of the @fourthcoffee.xyz account (or Tenant) with Microsoft by verifying ownership of that domain.
You will likely need time to review the available resources and you may need to consult other people in your organization before completing the takeover, so you may want to continue to sign in with your existing account to complete any urgent task you may need to do in the the VLSC first.
You may want to request your IT Administrator or Network Administrator (the person who administers your organization's domain) complete the takeover rather than proceed yourself. This will not mean the IT Administrator has to administer VLSC or require the purchase of a subscription.
To make an unmanaged Tenant into a managed tenant, you can do an "internal" admin takeover where you become the global administrator, but no users, domains, or service plans are migrated to any other directory you administer. Alternatively, a Global Administrator of an existing managed tenant can perform an "external" admin takeover by adding the domain name and mapping users to resources.
For a step-by-step guide on this process, see Takeover Unmanaged Directory.
Note that Volume License Service Center Support teams are unable to make changes to your tenant on your behalf.
Contact Assisted Support
VLSC customers may also Contact Us by phone or by Web Form. Microsoft will respond to Web Form submissions within 24 hours.