Azure, Office 365 go super-secure: Multi-factor auth borked in Europe, Asia, USA
Microsoft's cloudy service finds Mondays just as hard as the rest of us
Updated Happy Monday, everyone! Azure Multi-Factor Authentication is struggling, meaning that some users with the functionality enabled are now super secure. And, er, locked out.
Microsoft confirmed that there were problems from 04:39 UTC with a subset of customers in Europe, the Americas, and Asia-Pacific experiencing "difficulties signing into Azure resources" such as the, er, little used Azure Active Directory, when Multi-Factor Authentication (MFA) is enabled.
Six hours later, and the problems are continuing.
The Office 365 health status page has reported that: "Affected users may be unable to sign in using MFA" and Azure's own status page confirmed that there are "issues connecting to Azure resources" thanks to the borked MFA.
Microsoft is keen that users adopt an MFA approach as a way of bolstering security beyond simple passwords. The system works by requiring two or more of the following means of authentication: a password (or similar), a trusted device (such as a phone) and perhaps some biometrics (like a thumbprint.)
So far, so secure. Up until the service drops over and users cannot be authenticated, and thus get to enjoy - or not - a late start to the working week.
Azure MFA comes in two flavours, as an on-premises server or as a cloud service. It is the latter service that appears to be struggling.
As one would expect, users took to Twitter to castigate the software giant for the failure.
Hey @AzureSupport . Our 2FA authentication doesnt work anymore. We can't login to any MS services (including Azure and Devops)— bastien soria (@Blastt65) November 19, 2018
The silence from the gang at Redmond has been the source of most distress. The support page currently promises an update within 60 minutes "or as events warrant". Since the outage kicked off over six hours ago, one would have expected something from the MFA team.
Clearly users being unable to connect to Azure resources is not an event to warrant an update.
The Register contacted Microsoft to find out what is happening, and will update if a response is forthcoming.
In the meantime, as users become progressively more desperate to access rarely used services such as, er, email, helpful advice is being directed at the BOFHs in Azure.
Have you tried turning it off and on again?— Simon Jones (@SimonDestrier) November 19, 2018
Sometimes the simplest solutions are the best. ®
Updated to add at 12:47 UTC, 19 November
While Azure's support orifices continue to maintain a dignified silence on the issues, the Azure status page has had an update: "Engineers have explored mitigating a back-end service via deploying a code hotfix, and this is currently being validated in a staging environment to verify before potential roll-out to production."
Azure is back on its feet, while Office 364 is still borked for multi-factor auth.
Sponsored: Becoming a Pragmatic Security Leader