Q: What are "connected accounts" in Windows 8 and what are the security implications of this feature for enterprises?
A: Connected accounts is a new consumer-oriented feature of Windows 8 (it's not available in Windows Server 2012) that lets users interactively log on to Windows 8 by using their "connected" online Microsoft account, which is the new name for what we used to call a Windows Live ID or Hotmail account. A connected account can be linked to either a local or domain account. The benefit of using a connected account is that Windows will synchronize parts of your user profile between the different Windows 8 computers you log on to with your connected Microsoft account.
Related: In Praise of the Windows 8 Desktop
The items that can be synchronized include desktop themes, Metro app settings, language preferences, Internet Explorer favorites and history, and web sign-in credentials. When you set up your connected account, Windows prompts you for which settings you want to synchronize between your local or domain account and your Microsoft account. Another advantage of using a connected account is that you get single-sign on to cloud applications such as Microsoft SkyDrive and the Microsoft Store.
But having connected accounts isn't necessarily a feature enterprises want because it creates the possibility that private organizational data -- such as the passwords to internal websites and apps that are kept in the user profile -- will be synchronized to external, non-organizational devices. Another risk is that someone could hack your Microsoft account and change its password. Windows 8 lets you log on to your computer with your old password, but when you do, you'll get a notice to either sign on with your current password or to do a password reset. You'll also be locked out of Microsoft account–based access to online applications until you have successfully reset your password by using the online Microsoft account password reset page. For more guidance from Microsoft about passwords, see "Get back into your Microsoft account if it's been blocked or hacked" and "Passwords in Windows 8: FAQ."
To enable organizations to block their users from using connected accounts to log on to their Windows clients, Microsoft provides a new Group Policy Object (GPO) setting in Windows Server 2012. The new GPO setting is called Accounts: Block Microsoft Accounts, and it's located in the following GPO container: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Learn More: Windows 8 for the Win: Touch + Mobility + Cloud