Here is the general user explanation (which addresses more of the question as to why they can't change their password):
For administrators, the reasons we do this are multifold:
- Ease of use for users - if Google or MS 365 is completely unmanaged by us, we can't help users reset (or synchronize) passwords.
- Security - if an employee leaves your organization, you really don't want them having random cloud accounts tied to "user@myorg.com".
- Security - if we don't manage the domain credentials at MS or Google, then we can't enforce security protocols to protect you (2 factor authentication, for example).
- Single-sign on - increasingly, cloud services are able to utilize "single-sign on" where a single site (usually Google and/or Microsoft) can be used to access 3rd party services. By controlling those logins, we can help ensure that those cloud services are both easy to access and secure.
- Data Exfiltration - it's generally a bad idea to have users storing bookmarks, web history, passwords, etc., in an account you don't control. For this reason, we will often move customers to REQUIRE domain-based logins to Chrome and/or Microsoft Edge on a Pinnacle-managed computer.
- Backups - since we don't back up local computers, most users prefer to have their bookmarks backed up to the cloud, so we can make sure that happens for ease of transition between computers