Choose the Student Account Type

Applies To: Windows 8.1

For a Windows RT 8.1 deployment in education, there are different account types with various access and management requirements.

When you plan to deploy Windows RT devices in schools, you will encounter four types of accounts:

  • Local Windows accounts. These accounts are local to the Windows RT device. They are the same as local accounts in earlier Windows operating system versions. In Windows RT, local accounts still have full Internet access and can run some Windows Store apps that do not require a Microsoft account.

  • Microsoft accounts (previously known as Windows Live ID). These are consumer-oriented, Internet-based accounts that people use to access the Windows Store, OneDrive, and other services that require them. Microsoft accounts are individually owned and cannot be accessed or managed by organizations, such as schools. Schools should not sign students up for Microsoft accounts, nor should they bulk-manage Microsoft accounts for students. For more information about Microsoft accounts, see Microsoft accounts.

  • Domain Windows accounts. These accounts are in Active Directory Domain Services. You cannot sign in to Windows RT devices by using a domain account, but after students sign in to their devices using a local or Microsoft account, they can authenticate to network resources (for example, network filters, file shares) by using their domain accounts.

  • Organizational accounts. Also known as Windows Azure Active Directory accounts, these are organization-oriented, Internet-based accounts that people use to access an organization’s subscription services, such as Microsoft Office 365 or Windows Intune. The school owns organizational accounts, and its IT staff manage them. Schools can synchronize their on-premises Active Directory infrastructure with Windows Azure AD.

Note

Microsoft accounts in the United States comply with the Children’s Online Privacy Protection Act (COPPA) regarding online account creation for children under 13 years of age. They require parental consent, which parents give by charging a small amount to their credit card (for a U.S. account). Parental consent is not required to create Windows or organizational accounts, but Microsoft recommends that schools notify parents and obtain their consent before creating such accounts for students. For more information, see Why does Microsoft charge me when I create an account for my child?

Of the four account types, you can use only local Windows accounts or Microsoft accounts to sign in to Windows RT devices. With either type of account, students can subsequently use domain accounts to access network resources or organizational accounts to access Office 365.

The choice between local and Microsoft accounts depends largely on your deployment scenario. In shared-device scenarios, schools should use local accounts for device access combined with domain and organizational accounts for resource access. In one-to-one scenarios, schools might consider allowing users to sign in to their devices by using their own Microsoft accounts. They must still comply with COPPA, however, so parents of children under 13 years of age must create their children’s accounts.

Note

Microsoft prevents the creation of more than three Microsoft accounts from a single IP address in a single day. This limitation affects schools in which network address translation or a proxy server provides Internet access. Schools can contact Microsoft Support for an exception to this policy, however. For more information about gaining an exception to this policy, consult your account team.
