On Oct. 18th, Issues affecting the Azure Active Directory service blocked customers from accessing applications for around 2.5 hours.
The problem was attributed to Microsoft’s multi-factor authentication, known as MFA, challenges not working. MFA is a process in which users validate their identity via another means besides a password. MFA is part of the Azure AD service, which is used for signing into various applications.
Microsoft’s latest Azure page update read:
“Information authentication issues. with Azure MFA
Customers in North America experienced issues with completing MFA challenges from approximately 6:30 AM PST until 9:00 AM PST.
As of now, Our telemetry and customers feedback indicates the issue is mitigated.
We are closely monitoring the situation to ensure this does not recur.”
Earlier, the Azure Status page had described the issue as being under investigation, where Microsoft suspected the issue was associated with “config changes, recent patches and networking issues.” Here’s how it was expressed:
“Information Authentication issues with Azure MFA
We are aware that customers in North America are experiencing issues with completing MFA challenges. This issue started at approximately 6:30 AM PST and is ongoing. We are aware of how critical this is to your business and security. We are actively investigating the issue as our absolute top priority and working for the fastest possible resolution.
At this point, we are investigating potential root causes including but not limited to config changes, recent patches and networking issues, but we have not isolated any root cause or mitigation yet.
We will send out update within the next 60 minutes or as events warrant.”
Apparently, Microsoft thought the issue early on was confined to signing into the Azure Admin Center portal. However, early reports by individuals on Twitter typically stated that the problem wasn’t just with using MFA to access the Azure Admin Center portal but also Office 365. One person commented that the Microsoft 365 Service Health portal “incorrectly labels the issue as related to Admin Center access.” Another person said that his whole organization couldn’t log in to Office 365 services.
One Twitter poster helpfully pointed to this Microsoft document that describes creating an emergency account in Azure AD, which can be used when MFA isn’t working.
More details on this Azure service outage was captured by veteran Microsoft reporter Mary Jo Foley in this ZDNet article.
Organizations with paid Azure AD subscriptions have the ability to claim service-time credits (no cash compensation) for a service outage under the Azure AD service-level agreement. However, they have to be able to demonstrate that they had no alternative means of access, which seems to be true in this case. Also, the credit isn’t automatic. It has to be requested.
Azure AD outages have happened before and can have wide consequences. For instance, last year Microsoft explained a broad Azure AD outage as being due to a lightning strike on a Texas datacenter.