Microsoft blames MFA issue, scrambling to fix problem
UPDATED 20/11/2018 11:20 GMT: Microsoft says the issue is largely resolved. For the latest and on the cause, see our update here.
Locked out of Microsoft Office 365 or your Azure down today?
You’re not alone.
Users with multi-factor authentification (MFA) set as a policy default are now so secure they can’t even login.
The outage, which has impacted users globally, started 04:39 UTC with Azure Active Directory users struggling to gain access to their accounts when MFA is enabled. The issue has now continued for over seven hours.
#azure #mfa has been broken almost 7 hours. Sounds really unbeliveable – as this locks everybody using MFA out from Azure and #o365. @Microsoft has totally missed basic principle: design for failure. This is totally unacceptable. Full workday wasted in Eastern Europe. #fail
— Petja Venäläinen (@petjaven) November 19, 2018
Azure’s status page said: “Engineers have explored mitigating a back-end service via deploying a code hotfix, and this is currently being validated in a staging environment to verify before potential roll-out to production. Engineers are also continuing to explore additional workstreams to expedite mitigation.”
Microsoft Office 365 users are also affected.
A status update read: “The configuration change hasn’t provided the expected relief within the controlled environment. We’re developing an alternative code update to resolve the connectivity issue between MFA and the cache provider. Scope of impact: Impact is specific to any user who is located in the Europe, Middle East and Africa (EMEA) or Asia Pacific (APAC) regions.”
Azure Down: Users Starting to Look for “Torches and Pitchforks”
Users were not best pleased and are “starting to search for their torches and pitchforks”, one Twitter used noted. Users may also be unable to carry out self-service password resets, Microsoft said, ruling out a potential easy fix.
Any update would be appreciated. Users are starting to search for their torches and pitchforks.
— Thomas H. (@Hoelli4C) November 19, 2018
Pete Banham, cyber resilience expert at Mimecast, said in an emailed statement: “Another day, another Office 365 disruption, and another nuisance for admins and employees alike.
“With less than a month between disruptions, incidents like today’s Azure multi-factor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture.”
He added: “No organisation should trust a single cloud supplier without an independent cyber resilience and continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could costs businesses hundreds and thousands of pounds.”
RT @R33Dfield: Some serious #MFA troubles @Microsoft. The service is still not recovered since this morning. How to manage this scenario with all #Azure Global Admins MFA enabled? #breakglassprocedure @AzureSupport pic.twitter.com/zgJbyjKnDF
— Andrew James (@vCloud_Storage) November 19, 2018