|
For anyone offering X as a service products it absolutely is. Giving contractors/freelancers/etc access to your systems is a common enough thing to do; and Company X is far from the only business with an owner either too busy to make the time to remove access for people who should no longer have it or too clueless to understand why he should take a minute to do so.
While I'm neither stupid nor unethical enough to take advantage of the access I theoretically have*; if my pc/MS account ever get hacked whoever pwns me is unlikely to have similar scruples about either ransomwaring X's business or spinning up $100k/day worth of VMs to mine crypto. Beyond that the steady stream of "you need to X" emails I get represents a low level information disclosure vulnerability into X's current setup.
* Theoretical because I have a vague recollection of needing a different password for X's Azure; if so it (and everything else related to X) has been long since deleted from my saved passwords list. On the gripping hand, I've no idea how hard doing a PW reset would be.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
|
|
|
|
|
When a couple split up, the one remaining in the house demands the key back, or changes the locks to be sure the ex can't get back in.
Failure to get a key back isn't the lock manufacturer's fault - it's "your ex" that has made a mistake and caused a problem.
I'd disagree - it's not MS's problem, it's a Company X management problem. Just like when a contractor's contract ends or an employee leaves you revoke their access permissions to the building and recover all keys they were issued, they should revoke all permissions to all systems.
MS is right - they can't legitimately revoke permissions as you might be requesting it as a malicious act. Even if they could do it, they don't know that "Joe" has left and "Dan" isn't still an employee you want to make trouble for!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
The account belongs to company X, not MS. It would actually be a crime, I'm sure, if MS helped you get removed from another company's system, without prior written agreement with said company X.
|
|
|
|
|
The actual crime is that by not providing any way for me to stop receiving emails about X's azure, MS is violating the CAN SPAM act.
|
|
|
|
|
You could write a cease and desist letter threatening further legal action, directed toward company X. That would solve your problem, but it would require some effort on your part.
|
|
|
|
|
Slacker007 wrote: You could write a cease and desist letter threatening further legal action, directed toward company X. That would solve your problem, but it would require some effort on your part.
I had a problem with the company that has programmed the web to access my bank.
I wrote them an email about a problem and gave them a couple of ideas to resolve it. They ignored me.
I re-sent the email some days later, they answered me some weeks later with some "off the book" answers that didn't even correlate to my message.
I sent them more or less the same content a third time and told them that it is not about comfort but about security and that they are not following the European privacy act and they might get accountable for any data leak... they answered me the same day (I saw it next day though) that the changes were already being implemented and that it would go live by the next update...
The issue is still active, and I am really thinking of giving a notice to a customer defense organization (I am not going to start something myself alone against them). If they don't learn being nice...
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
|
|
|
|
|
Dan Neely wrote: They never removed my access to their Azure for some reason though despite multiple emails between me and my boss and X.
Inform them (via email, with your boss CC:ed) that you've reset your password for that account, and that you're going to snail-mail them the new password on a piece of paper, sent via certified mail, and that you won't be keeping any copy of that document once it's been sent.
Point is, you want to get yourself in a situation where, from that point forward, anything that happens from access through that account is no longer your problem because you cannot access it yourself even if you wanted to.
I suppose the problem is proving you won't keep a copy of the new password (beyond your own claim). But I think you get the idea I'm suggesting.
|
|
|
|
|
That plan presupposes that:
1) I still remember how to get from the base me@companyName.tld MS account tied to my MSDN/Outlook/Office subscriptions to wherever it's linked to the company X azure account.
2) That I'm willing to do anything that would involve touching the Company X Azure at all.
The latter is why I've spent several years emailing boss person @ company X and more recently MS; instead of trying to find out if they gave me enough admin rights to their azure to disconnect myself. I want nothing to do with their systems now.
|
|
|
|
|
Dan Neely wrote: I want nothing to do with their systems now
That's why I was suggesting this. If you can't access the system, you can't be blamed for anything bad that might happen to it.
|
|
|
|
|
I'd need to access their system to change my password, and in terms of being able to prove I can't login nothing would change. Currently it's only my word that I don't remember the additional password to go from my MS account to their azure; after going in and doing a reset to a new password it'd only be my word that I didn't record whatever I changed it to.
If I could go in and remove myself from their system entirely that would be something else; but the message from Microsoft implies that I can't do it.
|
|
|
|
|
If they changed the password themselves they wouldn't be able to place anything nefarious that happened subsequently on you. IMO, that's the best you can hope for - let them take ownership of the account so you can wash your hands of it. That's all I'm saying. I'd hate to be in that situation.
|
|
|
|
|
MS says they can't do anything, Company X can't be bothered to do anything.
Edit: And because the company X azure is tied to my employer MS account my employer can't do anything until such time as I stop working for them.
I'll admit a degree of curiosity if when that happens I'll disappear from X's azure entirely, or if MS will keep trying to send emails to an account that was deleted from their systems...
|
|
|
|
|
Dan Neely wrote: I'll admit a degree of curiosity if when that happens I'll disappear from X's azure entirely, or if MS will keep trying to send emails to an account that was deleted from their systems...
Depends on a lot of things.
If the account continues to exist in Azure AD but is marked as inactive, the system should start generating errors whenever someone tries to send an email to the associated mailbox. What happens next is anybody's guess.
|
|
|
|
|
No Azure AD. We were going to but then some bean counter realized it'd cost money and vetoed it.
Just whatever is needed for office/msdn/etc access.
|
|
|
|
|
I had the same problem and it blocked me from using Teams. I was able to contact the old company and they did remove me.
But, I think it is Microsoft's responsibility to manage this. Microsoft owns Azure and they charge a pretty penny to 'use' it. The accounts are for Microsoft security and ability to bill you.
That being said, there needs to be a way I can remove my account from being tied to something I don't want/need/can't use or have.
This is the state of the cloud. Always using someone else's property. Cheaper up front probably. I'd guess not in the long term.
Jack of all trades, master of none, though often times better than master of one.
|
|
|
|
|
I suspect resetting the PWD is not all that hard. It's likely that a reset email will be sent to your listed email address, and clicking a link will take you to the reset page. This is good in general, but not good in your situation.
The danger to you is that if anyone does anything to their materials, you can be a suspect as you have access. Sure, you'll be cleared, but it's a hassle you don't need.
One idea is to identify the old manager's boss, get his/her number, and call. Recommend that they check ALL accounts, as it's highly likely that others have access where they shouldn't. If you haven't, preserve copies of all emails sent to prove you're trying to do the right thing.
If that doesn't get results, start forwarding the Azure emails back to the company with a note at the top that your access needs to be revoked.
|
|
|
|
|
It's a very small company, the person who's ignoring my emails is the owner/ceo/etc. There's no one over him I can talk to. I also CCed the one developer there whose email I had; but either he left, is equally clueless as to why my having access is a problem, or can't convince his boss to do anything either.
|
|
|
|
|
Dan Neely wrote: It's a very small company, the person who's ignoring my emails is the owner/ceo/etc.
Reset your PWD, login, delete all files, and add a text file containing, "told ya that ya should have removed me!"?
Nope, don't do that (not that I figure you will) -- it makes for a good joke, but is a truly bad idea.
Given the situation, I see 2 choices: 1) Ignore it. The likelihood of anything bad happening via your account is low. 2) Send him a registered letter requesting that he revoke your access, and that his failure to do so may compromise his systems, and that you are not responsible for his inaction. That may scare him enough to get off his butt and fix it.
In either case, preserve your evidence of trying to do the right thing.
|
|
|
|
|
BryanFazekas wrote: Reset your PWD, login, delete all files, and add a text file containing, "told ya that ya should have removed me!"?
Nope, don't do that (not that I figure you will) -- it makes for a good joke, but is a truly bad idea.
Not even doing the first part. Going from my base Me @ My Company Microsoft account to the linked Me @ Company X azure account in the hope of finding a way to reset that password to line noise or do a self service disconnect is a line I don't feel comfortable crossing. Especially since the MS support person said the only person who could do anything is Owner @ Company X. If they'd said they couldn't do it themselves because reasons, but provided a how-to guide to remove myself I would (after clearing it with my boss) email X saying I was going to follow MS provided instructions to remove myself unless you do it first.
|
|
|
|
|
(I'm going to get to a point using the following as a concrete example, but it's not the central subject)
I moderate comments for a small website that recently experienced growing pains due to an influx of people from a major American political website that shut down their comments section.
The owner and I don't always see eye to eye on what constitutes "toxicity" and it's difficult because I try to respect his website and do things his way, but today I applied a ban on someone I thought wasn't even an edge case, and the owner balked. Isn't the first time it's happened. The commenters appreciate it in every case, but the owner is more lenient than the commentariat is in some ways in terms of what he thinks is toxic. And it's doubly hard because being kind of a close knit warm community before, there was infighting sometimes, but people had boundaries, and those aren't there anymore, so I don't have a metric.
I do it to try to serve the community, but lately I think I want to step down. I don't like banning people, and I don't like upsetting the site owner. I'd rather just observe. Maybe I'll just donate more money instead.
Now, to my point:
I always feel like having authority just paints a target on my back. That's why I didn't like my career trajectory when I was doing the more traditional software development. I don't like being in charge of others. I struggle with hierarchies in general, preferring directed graphs. I even eyed dev lead positions with suspicion. When I discovered being an architect meant also managing people in practice I was done. I was done with the field. I got out for years. I even worked at a gas station, just to be free of the BS. (Actually, that was the first job I've ever gotten a paid vacation they *allowed me to take*). That is how averse I am to the whole thing. Now I am the lone person. I have no team, and I prefer it that way, because with my experience, I always end up leading any given team, and you can keep it.
I am probably not alone in terms of hating hierarchies of people. I get the feeling a lot of developers don't like people politics, and everything that goes with it.
My hubby really likes the idea of being in charge of others - he jokes about if he ran the world. I'm over here like "who needs the responsibility?"
To err is human. Fortune favors the monsters.
|
|
|
|
|
I have never been good at managing other people. My one experience taught me that it is one of the many skills I do not possess. Fortunately there are other people who are good at it which means I am free to do the thing(s) that I could (just about) do to earn a living.
|
|
|
|
|
Yes to this. I tend to appreciate good management a lot. Now I just wish there was a way I could be free to set the design trajectory of an application (aka being a software architect, essentially) without the people management part. Like, I need an assistant to deal with the hooomans.
I guess, when it comes to something strictly technical, I don't mind leading. I don't mind mentoring, in fact, that can be rewarding, especially when people have taken the skills I've imbued them with and gone on to be successful with them.
But it's not the same thing. I just feel like as necessary as hierarchies are due to (I think) the primitive mechanics of being a social animal, I much prefer horizontal arrangements.
|
|
|
|
|
I was fortunate in that I had exactly the kind of role you described. Setting the design trajectory without having to manage people.
During the time that managing was part of my role, I wasn't good at it. To work for me was usually to be ignored unless you initiated a dialog. That was great for competent self-starters, but that's not everyone. Fortunately, a technical career path got formalized.
No more managing for me. No more time on hiring, buns on seats (do we have a cubicle, account, workstation...for this new hire arriving next week?), project or product management, performance reviews, or dealing with personal issues. Sure, I had to be involved in those things sometimes, but they weren't my responsibility. Being able to focus on where I could add the most value was a godsend.
|
|
|
|
|
I don't know how you managed to avoid it. Maybe it's because I spent so much time as a contractor. Headhunters only called me for more and more senior positions, and those positions eventually all included managing people.
I couldn't even get work as a straight software dev. I had too much experience. I would have to have lied about that.
They basically were trying to force it on me, no matter what agency I went through or who I was going to work for. It was ridiculous. I eventually found I was having a hard time looking for work that I wanted to take, so I got out.
|
|
|
|
|
Maybe clueless employers are the norm. To make it work, a larger company needs a formalized technical career path so that it's allowed and becomes part of the culture. Without it, there's an idiotic attitude about pay scales: more senior levels mean managing, and no one at those levels should write code. Small companies aren't nearly as bound by stupid rules, so it should be easier there. If you tell recruiters what you're open to, maybe they can bring you the right opportunities.
|
|
|
|
|