Firmly agree with other posters that Microsoft's identity services leave a lot to be desired... but Jeff is being a bit sensationalist here.
The school did not "take over" his MS account. At some point (likely amidst a mountain of other onboarding tasks for his daughter's enrollment) he would have received an invitation to join the school's Azure AD tenant as a guest/external user. In this case, he chose to join using his Microsoft account, rather than create a new email-based guest account.
"Leaving" the school's org only breaks one side of the federation, and the guest account and its association to the school's Azure tenant still remains.
To resolve, he'll need to contact the school and have them delete the account. Meanwhile, it probably would have been better to create the app beneath an Azure AD tenant belonging to the non-profit org in the first place.
And some people speculate my daughter may have logged into an account on my computer—there is no possible way, and at home she only uses one of two other devices (and at her school they don't have students log in off premises anyways), and my two computers are locked at all times when I'm not around.
In addition, assuming she were able to get access to one of my computers, the password manager is behind face/Touch ID and locks automatically after each use.
I spent a couple hours digging through all the emails we got from her school too, for the month preceding her entry into the school, and I saw nothing about any online logins, not even a link to any kind of portals or anything like that... just consent forms, welcome messages, and the like.
I've been racking my brain for a logical explanation as to why my personal email (and the password associated with my personal Microsoft account—which has been used to login to Azure in 2020, years before this mess) has been associated with the school's tenant. I can't find any.
That posture is exactly why it could become so messy.
People learn how to navigate a shit system and then become complacent with it, blaming the less experienced for their "errors", when the system itself is wrong for being shitty.
This is just a convoluted way of me saying: don't blame the user.
I was thinking along the same lines. Could it be that all his Azure activities to date have happened under this federated account, and he no longer has the Azure access he is expecting (if, in this case, he never signed up for Azure outside of his guest account at the school)?