
"Relatively" simple. Save for getting access at different locations where there's no VPN connectivity between. I don't think it's usually recommended to have your LDAP endpoint public. And running an LDAP host is probably beyond most users, but basic home users can easily make a Microsoft or iCloud account.

And yes, using my Microsoft Account gets me pretty easy access to my NAS. I just grant permissions to MicrosoftAccount\me@hotmail.com and I get permissions. I just set it to MicrosoftAccount\my_wife@outlook.com and it works. I just grant it to MicrosoftAccount\my_friend@gmail.com (Microsoft accounts can be tied to any email) and it works.

I don't really experience much baggage though. Running an LDAP server to do it all comes with far more baggage and management woes for a home deployment. Trust me, I did it for many years before Windows 8+ was widespread. Domain trusts to log into friends' and family's computers with my account were pretty complex to manage and maintain, along with actually bothering with site-to-site VPN connectivity. And when that one friend manages to wipe his forest root without backups...oof.




> And yes, using my Microsoft Account gets me pretty easy access to my NAS. I just grant permissions to MicrosoftAccount\me@hotmail.com and I get permissions. I just set it to MicrosoftAccount\my_wife@outlook.com and it works. I just grant it to MicrosoftAccount\my_friend@gmail.com (Microsoft accounts can be tied to any email) and it works.

What NAS, exactly? And how does it handle non-Windows clients?

What you're describing doesn't seem to be something that, e.g., run-of-the-mill Samba offers, and it's something that Microsoft seems to be changing with every major version of Windows.

> Save for getting access at different locations where there's no VPN connectivity between.

Getting access to what?


> What NAS, exactly?

A small low power x86 Windows box. Used to be an older gaming PC, swapped for a lower power CPU with integrated graphics. Runs storage for an array, VMs, containers, video transcoding, etc.

Non-Windows clients can also log in with local accounts or with that same MicrosoftAccount realm login username/password. I've used some Pis and other Linux boxes mounted that way in the past.

But it seems like it's decently well supported in Samba to auth like this. I'm not sure what happens when their Microsoft account password changes though.

https://forums.unraid.net/topic/117723-allow-at-sign-in-smb-...

> Getting access to what?

Getting access to the LDAP server to handle auth. If I hop on my friend's spare computer at his house, how is it going to reach out to my LDAP server at home?

Same thing when I'm hopping on my dad's computer, or if he wants to use mine when he's visiting. This way we can just use our own logins and have access to our own files, resources, settings, etc., regardless of whatever computer we're using. If I want him to copy his recent trip photos to the archive when he comes over, he can drag and drop them into the network share on the NAS with his own credentials on his own computer, as I've granted his Microsoft account access to write to the family photos. He doesn't need to remember his password to my NAS; his desktop login is his auth. Same when I'm at a friend's house and on his computer: if I just want to pull some big file off my laptop over the network, I can just open up my shares on my laptop and grab whatever. I don't need a separate login to manage.

There's so much stuff that's just so smooth and seamless using an external, managed, widely shared IdP to handle identity management. Some negatives and risks, no doubt. But to me, it's a worthwhile trade-off given how easy it makes these kinds of workflows I encounter daily.
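The grant-per-account workflow described in the post above, written out as an added PowerShell example (not the commenter's own setup, and not from any project on the page). It assumes a Windows host that can already resolve `MicrosoftAccount\` principals, and the share path, share name and account names are placeholders. It follows the least-privilege shape a defender would want: no default `Everyone` access, explicit grants per account, and matching NTFS permissions, since effective access through a share is the more restrictive of the share ACL and the NTFS ACL.

```powershell
# Added example: publish a folder as an SMB share and grant individual
# Microsoft-account principals explicit, least-privilege access.
# All values below are placeholders (assumed, not from the thread).
$SharePath = 'D:\FamilyPhotos'
$ShareName = 'FamilyPhotos'
$Writers   = @('MicrosoftAccount\owner@example.com',
               'MicrosoftAccount\relative@example.com')
$Readers   = @('MicrosoftAccount\friend@example.com')

if (-not (Test-Path $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}

# Create the share with only local Administrators on it; New-SmbShare would
# otherwise add "Everyone: Read" by default.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
                 -FullAccess 'BUILTIN\Administrators' | Out-Null
}
# Belt-and-braces: make sure no Everyone entry survives on the share ACL.
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' `
                      -Force -ErrorAction SilentlyContinue | Out-Null

# Share-level ACL: writers get Change (no Full, so nobody can re-ACL the share),
# readers get Read.
foreach ($acct in $Writers) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $acct `
                         -AccessRight Change -Force | Out-Null
}
foreach ($acct in $Readers) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $acct `
                         -AccessRight Read -Force | Out-Null
}

# NTFS ACL must agree with the share ACL, inherited to files and subfolders:
# (OI)(CI) = object/container inherit, M = Modify, RX = Read & Execute.
foreach ($acct in $Writers) { icacls $SharePath /grant "$($acct):(OI)(CI)M"  | Out-Null }
foreach ($acct in $Readers) { icacls $SharePath /grant "$($acct):(OI)(CI)RX" | Out-Null }

# Verify both layers so a stray grant is visible before anyone connects.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
icacls $SharePath
```

Run it in an elevated PowerShell session on the host that exports the share. The final two commands are the check worth keeping around: the share ACL should list only the principals you intended, and the NTFS listing should show the same accounts with inheritance flags set on the folder.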
