Tutanota Cries Antitrust Foul Over Microsoft Teams Blocking Sign-Ups For Its Email Users

Microsoft is being called out for blocking users of the end-to-end encrypted email service Tutanota from registering an account with its cloud-based collaboration platform, Teams, if they try to do that using a Tutanota email address. TechCrunch reports: The problem, which has been going on unrectified for some time -- with an initial complaint raised with Microsoft support back in January 2021 -- appears to have arisen because it treats Tutanota as a corporate email, rather than what it actually is (and has always been), an email service. This misclassification means that when a Tutanota email user tries to use this email address to register an account with Teams they get a classic "computer says no' response -- with the interface blocking the registration and suggesting the person "contact your admin or try a different email."

"When the first Tutanota user registered a Teams account, they were assigned the domain. That's why now everyone who logs in with Tutanota address should report to their 'admin' (see screenshot)," explains a spokeswoman for Tutanota when asked why they think this is happening. To get past this denial -- and register a Teams account -- the Tutanota user has to enter a non-Tutanota email. (Such as, for example, a Microsoft email address.)

To get past this denial -- and register a Teams account -- the Tutanota user has to enter a non-Tutanota email. (Such as, for example, a Microsoft email address.) In a blog post detailing the saga, Tutanota co-founder, Matthias Pfau, dubs Microsoft's behavior a "severe anti-competitive practice." "Politicians on both sides of the Atlantic are discussing stronger antitrust legislation to regulate Big Tech. These laws are badly needed as the example of Microsoft blocking Tutanota users from registering a Teams account demonstrates," he writes. "The problem: Big Tech companies have the market power to harm smaller competitors with some very easy steps like refusing smaller companies' customers from using their own services." "This is just one example of how Microsoft can and does abuse its dominant market position to harm competitors, which in turn also harms consumers," he adds. [...]

"As earlier discussed, we are unable to make your domain a public domain. The domain has already been used for Microsoft Teams. If teams have been used with a specific domain, it can't work as a vanity/public domain," runs another of Microsoft's support's shrugging-off responses. Tutanota kept on trying to press for a reason why Microsoft could not reclassify the domain for weeks -- but just hit the same brick wall denial. Hence it's going public with its complaint now. "The conversation went back and forth for at lest six weeks until we finally gave up -- due to the repeated response that they would not change this," the spokeswoman added. In an update, a Microsoft spokesperson said: "We are currently looking into the issue raised by Tutanota."

Seems logical to me

[WoodstockJeff]

They need to get the original user of their domain to declare to Microsoft that it's not their domain. Have they done that yet?

Re:

[gurps_npc]

I am sorry, you believe the fix is to have a corporation call up all their clients and ask them "Do you have a Microsoft Team account? If so, could you pretty please tell Microsoft it isn't your domain?"

No. This is not their fault, they are the victim of the problem Microsoft created. Microsoft must contact the single person that has a Team account and verify that it is not their domain.

Re:

[WoodstockJeff]

The problem goes back over a year, per the article. The domain in question is not "obviously" a group account, unless you happen to be a member of that group. So why should it be treated any differently from a random account?

If they know who started the account that has the domain locked, they could have that person explain the situation to Microsoft. Problem is, they need Microsoft to tell them who it was that started it, and that would be a violation of Microsoft policy, most likely. I know that I would p

Re:

[gmack]

Assuming you are correct, the fix is to properly authenticate whether the user in question owns the domain or not before locking it this way. If Microsoft is not doing proper validation, it's on them.

Re:

[vbdasc]

I wonder if in this case the remedy wouldn't prove just as bad as the disease itself. The thing is that Microsoft actually do such validations. I just had to register for some Microsoft cloud service (not Teams) and had to jump through hoops for a week to prove to a bored MS employee that I, in fact, owned the domain for the email address I used to apply for the service.

How does one prove that he owns an Internet domain, anyway? I thought WHOIS dealt with this problem. Can't MS just use WHOIS? Because now t

Re:

[Bert64]

Lots of registrars mask the whois information, even for corporate registrations these days. Often claiming that EU law requires them to do so.

I can understand wanting to mask personal registrations, but it makes no sense for corporate ones. A legitimate company will want potential customers to find them, so a private registration on a corporate domain always looks like something malicious.

Re:

[mysidia]

I thought WHOIS dealt with this problem.

Not any more. Thanks to the GDPR - most domain registrars are required to Redact all personal information from domain registrations... Or rather, they are required to do so for EU residents, and as a matter of practicality they have to adopt the same practices for all customers to mitigate the risk that they accidentally violate the EU regulations.

Re:

[gmack]

The thing is that everyone else seems to do these checks in an automated way. Codes sent to admin email addresses, DNS TXT records, TXT file on the website etc.

Re: Seems logical to me

[sixminuteabs]

Microsoft does this as welll. I set up an Office 365 tenant just last week and I registered and verified my domain with a TXT record. No microsoft employees involved, neither bored nor energetic. vbdasic is spinning a yarn of BS for mod points and should be buried accordingly.

Re:

[mysidia]

Actually.. the ISP probably needs to do this [microsoft.com]. Use their domain ownership to takeover admin access to the tenant which is Automatically created by a `Self-service signup' when an End-User tells Microsoft they're signing up a Work account, but their email domain does not yet exist as an Office365 tenant.

Once the ISP gets Global Admin access on the tenant, they could then add and verify ownership of a junk domain, or perhaps a subdomain. Move All the self-service signed up users to that subdomain,

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seems logical to me

[thegarbz]

There's absolutely zero reason to assume that because someone registered with an account "first" with a specific domain that the domain belongs to them.

That's not what is going on here, and yes every equivalent service works like that. Someone registered the account which has been incorrectly flagged as a corporate account tied to a domain. This is how federated services work, it's how your Google, Amazon, Slack or O365 account identifies your login as personal or part of a corporate domain. It's how chat services know how to share data (such as contact lists) between them.

The first person who registers something doesn't magically get assigned exclusive use to the domain. MS or the person in question misclassified it.

 

I mean, beyond stupid. It's "How the fuck did anyone at Microsoft ever think this made any sense" stupid.

Quite often ... as it is in this case, if you are asking that question there's a very good chance you don't have all the information.

Re:

[AmiMoJo]

The issue seems to be that Microsoft has no way for the domain owner to flag up this kind of problem, because Microsoft assumed that domain owners wouldn't offer email accounts to anyone but members of their organization.

When you set up with Google using your own domain, either you have to use Google's services to register it and host DNS for it, or you have to prove you control it by one of various different means. They don't just take your word for it.

Re:

[thegarbz]

The issue seems to be that Microsoft has no way for the domain owner to flag up this kind of problem

No the issue here is either user error, human error by Microsoft, or some software error. To tie a domain to an Office365 account you need to at minimum pass a DNS challenge.

Re:

[Pf0tzenpfritz]

Quite often ... as it is in this case, if you are asking that question there's a very good chance you don't have all the information.

Agreed, but even if you have all the information it usually doesn't explain how the fuck anyone at Microsoft did ever think this made any sense.

Re:

[thegarbz]

Again, it's literally the standard way of providing cloud services to organisations. Microsoft didn't invent this, Google did. The rest of the industry adopted it and it makes perfect sense to tie users of corporate accounts to a corporate domain. It's how MS recognises that when I type my.name@my.org.com in that I'm logging into my MS Teams / Office 365 account, and when I'm typing guest123@worley.com I'm logging into their corporate account using my guest credentials to access their MS Teams.

Re:

[mysidia]

There's absolutely zero reason to assume that

They don't assume. It's called Self-Service Signup In an Unamanged Azure AD Organization [microsoft.com].

Of course.. if the owner of the domain changes it to a Managed organization, they can then control access to self-service signup [microsoft.com].

Re:Seems logical to me

[andymadigan]

The first user should never have been assigned the domain without some sort of domain ownership verification process. Claiming ownership for an organization (or, in this case, disclaiming single-organization control) should be equally simple, Microsoft can email a link to the technical contact for the domain, or have them perform DNS verification.

As the article implies, Microsoft has a perverse incentive to make starting public email services more difficult. I have to say though, their management of their own service is absolute trash. I notice that outlook.com's abuse email address no longer works, and about 20% of the emails in my spam folder seem to be coming from outlook.com, onmicrosoft.com domains, or Office 365 tenants. A few phishing emails from Microsoft-controlled servers even manage to make it past GMail's filters.

Microsoft is just never going to be a good corporate citizen. They only seem better by comparison to the "new tech" companies like Meta and Uber.

No doubt of course in a day or so the public attention will have gotten this fixed, but just for this company.

Re:

[Bert64]

Running a large publicly available service with millions of users requires a lot of automation, otherwise it's simply too expensive to maintain.
Automation invariably has flaws, and trips up on corner cases. When everything is too heavily automated, there ends up being no way to speak to someone in order to sort out these corner cases so some people get screwed.

It's exactly the same with google and others, you can trip up their automated systems to get wrong blacklisted and there's no way to get in touch wit

Re:

[andymadigan]

But there is a way to get through to Microsoft support and Tutanota did that, and still was refused a solution. At that point it's a conscious policy decision, though it's hard to believe none of the engineers brought up the problem with domain ownership in the first place, it's an obvious flaw. There's a lot of circumstantial evidence that Microsoft wants to make it hard to start a service that would compete with theirs, and is happy to abuse their market position to do so.

Re:

[mysidia]

They need to get the original user of their domain to declare to Microsoft that it's not their domain.

Well then.. if Microsoft's going to treat them as a corporate domain anyways, then maybe what the ISP should do is signup for Office365, Add the domain, and then execute the Internal Admin Takeover Process [microsoft.com] - "If you're an admin and want to take over an unmanaged account created by a self-service user signup, you can perform an internal admin takeover by following the steps in this article."

Then once th

Good luck with that

[rsilvergun]

We stopped in forcing antitrust laws in the 80s. Over four decades of voting in pro corporate politicians for no good reason other than picking candidates based on who has the best advertisements and rallies has left our regulatory system completely gutted

Re:

[anonymous scaredycat]

in forcing-->enforcing

Odd

[jargonburn]

I'm very curious how this domain was "accidentally" assigned to an O365 tenant without domain verification.

Perhaps they'd have better luck pursuing this as a bad faith actor? File suit against the John Doe that has asserted ownership of their domain, use discovery process to get a court order for the name and contact information of the owner of the offending Microsoft tenant account.
On the other hand, if they're in a rush or deterred by costs and complications, stirring up the public interest might get th

Microsoft just doesnâ(TM)t care.

[homerbrew]

They are an infuriatingly impossible company to deal with. I run a small hosting company and the ONLY company on the planet that seems to treat email coming from my servers as Spam is Microsoft. I have over the past 10 years opened at least 10-15 support tickets to fix the issue and they refuse. They say everything is good (it isnâ(TM)t, emails from my servers always go to the spam box if they are delivered at all), and that there isnâ(TM)t anything they can do. They do say I can sign up for t

Re: Microsoft just doesnâ(TM)t care.

[paravis]

Ya - and Yahoo too. We also run a small hosting business. Oh wait, also some Charter/Roadrunner/Cox/Spectrum/TimeWarner/WhateverThe****ItIs does also. Very annoying.

Cry me a river Tutanota

[nadass]

First, there's the matter of domain ownership verification -- are you implying your DNS was poisoned by bad actors? Because that "first user" excuse works for Discord, not Teams -- GET YOUR STORY STRAIGHT!

Second, you can adopt OAuth2 or whatever authentication methods which Microsoft can integrate with to assert control over users with that domain. Ostensibly, you can stand up your own O365 instance (for free!) for the sole purpose of blocking any of your own customers from doing exactly as you're someho

I'm waiting for the sequel

[Bu11etmagnet]

The sequel should be called "Revenge of Tutanoa"

stupid question

[luttapi]

Its this stupid question that Microsoft asks when we try to login to any of their websites - is it your "work or school account" or "personal account"? Why is it so difficult for them to understand that it could be neither or both? and anyway none of their business - I always end up clicking one of them at random.

Re:

[SilentChasm]

I'm pretty sure that it's not asking what the account is but rather which of the two accounts associated with your email address you are trying to sign into. It's not anything nefarious or an invasion of privacy. Adobe does the same thing when there is a personal account and an company account with the same email address, it gives you the choice of what to sign into. Google handles it differently and just forces the personal account to move to a different email address.

Re:

[mysidia]

Why is it so difficult for them to understand that it could be neither or both

Not really... Always answer Personal if you are the Owner of the email address/account - You own it personally, even if you also use your personal account for work purposes It is a personal account - meaning you keep it even in case you leave your School or Employer.

"Work/School" Means the e-mail account exists on a domain provided by your work or school: if the e-mail address is legally owned by the Work/School, then

Re:

[luttapi]

If I own the company, the domain and the email address and have different accounts for work and personal use - that question really sounds stupid - why can't they ask what they really want to ask - and say exactly why they need to know.

Re:

[SilentChasm]

The question they ask is:

It looks like this email is used with more than one account from Microsoft. Which one do you want to use?

• Work or school account
• Personal account

I'm not sure how they can get much clearer than that without making it more confusing or verbose.

Re:

[beuges]

I own a business, and the business email is hosted on O365. I use my email address for both personal and work stuff. The distinction is meaningless to me.
I just want to use a single email address to login to everything. I don't want to have to think about whether this service used my "Microsoft" account vs my "Work or school" account.
What's even more infuriating is that some MS services will not work with "work/school" accounts, and insist that you must use a "Microsoft" account.
They could solve this stupid

Re:

[mysidia]

I use my email address for both personal and work stuff. The distinction is meaningless to me.
You should already know if you own a business: Legally speaking you HAVE to make that distinction for every single asset - is it YOUR asset, Or does the business own and control that piece of property?

It's not complicated.. Either the domain name and such belong to You, or they are part of the business itself. It is nearly irrelevent whether you also use the thing for work or not.

Anything the business owns is

Same with a personal domain name.

[dargaud]

I tried to use Teams on Linux upon request from clients. As a Linux-only user (and developer) it seemed to be supported, but when I gave it my personal email (my my own domain name), it gave me this bullshit message about having my mail admin contact MS for whatever reasons. Like hell I'm going to spend some more hours (and probably money) to try and figure out. I got everybody to use a more open system, it's not like there's no competition in the field. What are they trying to achieve with that ?!?

Re:

[misnohmer]

They are not trying to achieve anything with that. I wouldn't ascribe malice to something which can be explained by ignorance or incompetence. I have my own family domain using Exchange servers hosted by Microsoft. I cannot sign up for a bunch of their consumer products using that email, including Office for personal usage, because they think it's corporate email. There is a workaround, create a Microsoft personal account with the same email, but that works only some of the time since having the same email

The benefit is you can't use team

[lnx_daemon]

If you try to register for teams with a Tutanota, your request is rejected. This saves you from the shitfest that is MS Teams. This is a win!

Ok, this I understand now

[rickb928]

I had to read through this three times to understand the issue.

Y'all don't know how s^&* works. It's gonna take serious engineering by Microsoft to 'fix' it, but I see the two obvious ways this has happened:

0. The first tutanota user enrolled as a business account - Teams now 'gives' them control of tutanota enrollments, boo. This probably happened because:
a. This user was just the first, and though they could call their Teams enrolment a business use, and boom, busin

Be very careful

[bill_mcgonigle]

Tutanota has been assiduously avoiding setting up a .onion service for at least five years and has ignored offers for help doing so.
They always claim it's "coming soon" but for a week-long project that's obviously not true.
Whoever is running the thing wants to know your IP address. Individuals at risk from state actors should be very wary.

This seems like an intelligence battle between two spy agencies who may not know each others' capabilities.

They could each take obvious steps to dispel that notion by neve