CIO

Authentication bug locks users out of Azure and Office 365 for a day

  • Liam Tung (CSO Online)
  • 20 November, 2018 04:40
Day long disturbance locks users out of Office 365 and Azure
Day long disturbance locks users out of Office 365 and Azure


Users of Microsoft’s cloud services were struggling to be productive today due to an issue preventing organizations logging if they require Azure multi-factor authentication. 

Microsoft confirmed there was a problem affecting Azure Active Directory (AD) and multi-factor authentication (MFA) on Monday and was fielding complaints from users for at least 10 hours as engineers attempted to resolve the bug.  

Some European customers reported problems signing in for the whole working day on Monday. Unfortunately for customers, there’s also no way to disable MFA to re-enable access. 

The Office 365 status page notes that users might not be able to sign in to Office 365 using MFA and that they might have problems doing self-service password resets. 

The same issue is affecting Azure users in Europe, Asia-Pacific and the Americas regions. Users at any organization with a policy that requires MFA may see difficulties signing in until the issue is fully resolved. 

“Starting at 04:39 UTC on 19 Nov 2018 customers in Europe, Asia-Pacific and the Americas regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy,” Microsoft said.  

Microsoft said engineers had deployed a hot fix which appeared to reduce user authentication errors, however the fix also resulted in some customers not receiving prompts to login via SMS or the Microsoft Authenticator app.  

“Engineers are continuing to explore additional workstreams and potential impact to customers in other Azure regions to fully mitigate this issue,” Microsoft noted. 

Microsoft has been encouraging customers to enable MFA, earlier this year announcing password-less sign in for business apps that connect using Azure AD. As the company noted at the time, using the Authenticator app for multi-factor authentication could drastically reduce compromises. However, today’s outage revealed a weakness in relying on the cloud for authenticating to business software.