Reply to post:

Windows 10 build 14342: No more friendly Wi-Fi sharing

Lee D Silver badge

Now consider the theory.

Your friend's Microsoft account technically has information which will allow login to your wireless network. It's not a token, or a request you can revoke, or a signed key, or anything else. Somewhere, they have a copy of the bytes necessary to send to the SSID of your wireless to get it to grant access. And, likely, on a home network you do not have RADIUS, or client certificates, or MAC filtering, or intrusion detection.

That account - not even a device that has limited physical access, or something in a hidden registry entry on a computer somewhere - has enough details to join your network whenever it likes. Likely you wouldn't even know it was being used. Likely the external IP associated with that account (Windows devices all do something called NCSI that tells it whether it got out to the "real" internet or not on connection to any Ethernet or wireless network) is also available too.

Now they get their Hotmail / Outlook.com account compromised by a virus or similar. Bang, your wifi IP, local location, and wifi password are now in the public domain. Do you know about it? Not necessarily. Do they need to have a device stolen or accessed? No. Do they just need a weak Outlook.com password? Yes. Does it affect just their device that was compromised (e.g. a virus could steal wifi credentials from the registry of the local machine in exactly the same way)? No. And not just you but anyone they've ever joined the network of, while being signed into that Microsoft account. Ever. All just sitting there in the cloud.

People fussed over Microsoft "talking home" from Windows 10 for things like regional preferences. Now you're handing the MS cloud a copy of your local network's access passwords, GPS location, external IP and those of all your friends.

Defeated for most techy-people? Yes. MAC filtering stops it. Guest wifi that you turn off when not using it is sensible anyway. Etc. etc. But the majority of people just stuck their wifi (and possibly re-used for other services) password in their Microsoft account and then signed into that on the cybercafe on holiday to check their email. And don't even know they did that, to themselves and their friends.

Not the end of the world. But a security mess.
