Most active commenters
  • velcrovan(3)

←back to thread

Microsoft said it lost weeks of security logs for its customers' cloud products

(techcrunch.com)
285 points alephnerd | 20 comments | 20 Oct 24 21:42 UTC | HN request time: 0.638s | source | bottom
Show context
neya ◴[21 Oct 24 07:28 UTC] No.41901576[source]
If you use Azure in any realistic production environments, then it's on you. Even with $100k in free credits, they couldn't convince me to use it for more than a month. It is expensive, the interface is highly user unfriendly and most important of all, their products don't at all seem reliable for production workloads because of stuff like this. Sorry Microsoft, I think you can do much better.
replies(15): >>41901755 #>>41902286 #>>41902571 #>>41902679 #>>41902715 #>>41903167 #>>41903320 #>>41903580 #>>41903869 #>>41904371 #>>41904976 #>>41905535 #>>41905826 #>>41905858 #>>41907485 #
1. prennert ◴[21 Oct 24 10:43 UTC] No.41902715[source]
When you come from other cloud providers, working with Azure has so many dark-orange flags. It feels totally inconsistent and patched together. This makes it hard for me to believe that anybody can properly audit it for security.

The most uncomfortable part is their log in. The amount of re-directs and glitches there are insane. Its hard to believe that it works as intended.

As an example, for some reason I could not download the BAA because trying to download it lead to a login loop on their trust website, while I was still able to see the Azure console ok in the same browser.

When I signed out of my Azure account to try if a fresh login helped, it did not trigger my 2FA at the next login. In my mind, if I actively logged out from a browser window, I withdraw my trust in that device. So not being triggered for 2FA is a massive red flag.

(no I still could not download the BAA, nor file a ticket for it, but somehow a colleague could download it ok.)

replies(7): >>41902823 #>>41903429 #>>41904108 #>>41904633 #>>41904940 #>>41905080 #>>41909148 #
2. mrweasel ◴[21 Oct 24 11:01 UTC] No.41902823[source]
> It feels totally inconsistent and patched together.

I believe that multiple article, e.g. on The Register, has mentioned that people who have left the Azure team has routinely complained that the pace was to high, and that everything is pretty much duct taped together. This was years ago, so it may have changed.

replies(2): >>41903244 #>>41903436 #
3. m_mueller ◴[21 Oct 24 12:06 UTC] No.41903244[source]
Narrator: It hasn't.
4. stogot ◴[21 Oct 24 12:28 UTC] No.41903429[source]
I have had similar issues. And I know a fair amount about these systems, and still cant figure what the backend mess looks like that results in these problems. I found a reproducible login bug on Teams and spent a while trying to figure out who to report it to and gave up
5. stogot ◴[21 Oct 24 12:28 UTC] No.41903436[source]
I read that recently after their security breaches
6. chrisandchris ◴[21 Oct 24 13:45 UTC] No.41904108[source]
> [...] is their log in.

On every first try, I cannot log in into Azure Portal. I chlick "try again", it works. And it's like that for months, if not years.

IMHO it says a lot of your culture if every first interaction of your customers with your product end with an error - and you simply don't care to fix it.

replies(3): >>41904452 #>>41904654 #>>41907751 #
7. paulryanrogers ◴[21 Oct 24 14:18 UTC] No.41904452[source]
I wonder if things like this are due to testing only on the vendor's own/preferred browser. In this case Edge?
replies(1): >>41904622 #
8. rat9988 ◴[21 Oct 24 14:35 UTC] No.41904622{3}[source]
Almost 0 chance.
9. moi2388 ◴[21 Oct 24 14:36 UTC] No.41904633[source]
It’s not. Their security has known massive issues and security holes, and they consciously do not fix them.

Look at the CVEs for azure, msal and Active Directory for some good laughs.

Now realise most governments, large companies and education works on this

10. velcrovan ◴[21 Oct 24 14:38 UTC] No.41904654[source]
No offense, but consider that there's a chance it's a problem on your end. I have never had this issue, and no one I know has had this issue.
replies(4): >>41904917 #>>41905200 #>>41905375 #>>41905460 #
11. deathanatos ◴[21 Oct 24 14:59 UTC] No.41904917{3}[source]
Every login I've ever done into the Azure portal is like the upstream describes: an absurd number of redirections and refreshes that leave you wondering "is it supposed to work like that?"

I've also encountered strange bugs, like asking to log into tenant A and getting logged into, instead, tenant B. In a loop, effectively locking me out.

The exact quirks and bugs seem to come and go, I presume as the code is changed & updated.

replies(1): >>41907367 #
12. hedora ◴[21 Oct 24 15:01 UTC] No.41904940[source]
I’ve never used Azure, but my kid plays Minecraft (offline), and got forced into using a Microsoft account to login.

From what I can tell, they use it as proving ground for whatever crap they’re going to force on other applications.

After getting it to work on a raspberry pi, I decided I wouldn’t use any logged in Microsoft product in a professional setting.

Anyway, I’m sure they’ll eventually unify GitHub and LinkedIn login the same way they did with Minecraft. At that point, our industry will implode.

13. blitzar ◴[21 Oct 24 15:14 UTC] No.41905080[source]
When you come from bare metal, working with any of the cloud providers feels totally inconsistent and patched together.
14. NBJack ◴[21 Oct 24 15:26 UTC] No.41905200{3}[source]
Will add my anecdotal evidence: I've seen this across the board from Microsoft. I've been a customer for several decades, and it is a bit of a nightmare now.

Logins that redirect to odd places. Jolting issues because you changed a seemingly innocuous security setting (i.e. OneNote refuses to sync on specific versions of the app/software if you don't grant them full access). Or just inconveniences, like having to login multiple times across their own sites when I dive into Office settings management. Seemingly forced use of the Microsoft Authenticator app from time to time.

Multiple computers, multiple devices. I can usually work around it, but it is a pain.

15. chrisandchris ◴[21 Oct 24 15:44 UTC] No.41905375{3}[source]
None taken.

It is probably my "fault" by using Safari (no extensions) and not the all-praised(tm) Edge.

I couldn't add a billing profile to my MPN account the other day - endless loading without any indicator of success. It did work in Chrome though, except the "save" action which resulted in endless loading too, but still saved everything as expected.

16. lukeschlather ◴[21 Oct 24 15:54 UTC] No.41905460{3}[source]
I would guess it is a problem with OP's account. Which is to say it is thoroughly a Microsoft problem, and probably one that could be fixed but would require weeks of back-and-forth until someone with direct access to some number of auth databases corrected the issue.

I will say, they made a change to the auth system recently that made log-in significantly worse. Now several times a day my session expires or something and I go through a 5-10 second redirect flow which visibly jumps between different login APIs to refresh my log in state. (And of course this happens at the start of the day.)

replies(1): >>41907417 #
17. velcrovan ◴[21 Oct 24 19:12 UTC] No.41907367{4}[source]
Sure, but Azure also exposes an extremely large array of knobs and buttons that put the tenant admin squarely in control of what "login" means in the first place: the kinds of authentication allowed or required, by whom, under what risk profiles, for which applications, etc. If you feel like it is screwed up there is, as likely as not, action that it is the tenant admin's — not MS's — responsibility to take, to fix it. I don't know what to tell you about refreshes, that's just how Oauth works mostly. I'm tempted to take a video of myself logging into the Azure portal right now just to ask what about it is so weird.
18. velcrovan ◴[21 Oct 24 19:16 UTC] No.41907417{4}[source]
It's also possible your tenant admin updated Conditional Access rules for some locations or applications. Or maybe they screwed up the Hybrid AAD sync from the on-premise DC. As I've been trying to point out elsewhere, tenant admins have a much higher influence on these outcomes than people are willing to admit, and there are a lot of admins out there who can't be arsed to keep up. I've made some of those mistakes myself.
19. nabbed ◴[21 Oct 24 19:45 UTC] No.41907751[source]
I have a similar (yet different) experience. I rarely (e.g., once every few months) log into the portal and it dies with some impenetrable error if I use the same browser on which I last successfully logged in. So I often find myself firing up an incognito browser so I can log in.

My guess is that some change to the login process is not compatible with the cookies I have sitting around from the last time I logged in.

20. 7bit ◴[21 Oct 24 22:17 UTC] No.41909148[source]
When you promote a Windows server 2016 or higher) to a domain controller, you suddenly get error message when trying to open the network adapter through the "new" settings app. You must open through control.exe, everything else just throws an error.

I opened bug with the Microsoft Premier support and they told me that this works as intended.

So when Microsoft says, it works as intended, it can still be bugged to hell and back. They just don't care.