Yesterday ProPublica and ArsTechnica published a takedown of Azure: "Federal cyber experts called Microsoft’s cloud a “pile of shit,” approved it anyway" ...
https://arstechnica.com/information-technology/2026/03/feder...
In which one expert called the documentation provided "a pile of shit", which ProPublica took the liberty of extending to Azure itself
hsbauauvhabzb•Mar 20, 2026
And they weren’t wrong
bulbar•Mar 20, 2026
They still lied, because they didn't say "X is shit" but "Z said that X is shit", however Z apparently never said that.
I have become very cautious of such stories for this very reason. Who gets how much blame has a lot to do with "culture" or momentum. Bashing Microsoft for example is always super fine, but at multiple occasions I found the facts to be much more nuanced.
hsbauauvhabzb•Mar 20, 2026
If a slop engine calls a slop company slop, has anyone really lost?
lostmsu•Mar 20, 2026
We lost, for one of us got tricked to bring it here.
bigfatkitten•Mar 20, 2026
In this case, it’s just yet another design-level vulnerability in Microsoft cloud’s services. There isn’t much room for nuance.
benterix•Mar 20, 2026
It's true, they lied. But, paradoxically, in this case, while they lied about details, the conclusion is still true: Azure is very far from AWS and GCP as far as security is concerned. I have my own suspicions why it is so, but the reasons are not important, what counts is the final conclusion: if you really care for security, you'd better choose one of the other two.
twoodfin•Mar 20, 2026
“Fake but accurate.”
ProPublica has an agenda, and they slant their reporting to push it.
You can like their agenda and support this effort, but it’s not journalism.
toomuchtodo•Mar 20, 2026
What is their agenda?
twoodfin•Mar 20, 2026
Compare 600+ stories tagged for the Trump administration:
https://www.propublica.org/topics/trump-administration
…with 16(!!) since 2020 on Biden’s term:
https://www.propublica.org/topics/biden-administration
My favorite missing Biden story that should have been right in their wheelhouse: The unprecedented $36 billion bailout of the Teamster’s pension fund.
https://www.statesman.com/story/news/politics/politifact/202...
Azure looks worse right now. AWS and GCP still ship plenty of auth bugs, bad defaults, and policy footguns, so if you care about security the sane move is to assume every cloud will fail in ways the marketing page forgot to mention and build your controls around that, not around a brand ranking.
rithdmc•Mar 20, 2026
Titles are editorialised and space limited. The first couple lines in the article linked above make the nuance pretty clear.
[edit: 'pretty' instead of 'perfectly']
lostmsu•Mar 20, 2026
You are defending not just clickbait, but libelous clickbait.
panzagl•Mar 20, 2026
It's only libelous if it's not true. This vulnerability says otherwise.
lostmsu•Mar 20, 2026
It is libelous because it is a claim that "X said Y", not "Y".
panzagl•Mar 20, 2026
Ah, so you're worried about the review team being misrepresented, not that Azure is shit.
rithdmc•Mar 20, 2026
I doubt this reaches the bar for libel by a long shot.
panzagl•Mar 20, 2026
In those types of reviews/audits, documentation is the first indicator of whether a security organization has their act together. It's about building a trust relationship between the accreditor and contractor that will have to endure for years, as nation-state level actors throw their resources at finding vulnerabilities. MS couldn't do this or couldn't be bothered to do this. So shit documentation -> shit security processes and operations -> shit security -> shit cloud product in a government context. So the title wasn't that much of a stretch.
int0x29•Mar 20, 2026
Ars just republished it under license
DetroitThrow•Mar 20, 2026
Every security engineer I know working at Azure is on the verge of self-harm because of the current situation, or is the dumbest IC I've ever met and somebody I think should have never become a security engineer. Sample size ~12.
jacquesm•Mar 20, 2026
That is quite the indictment.
DetroitThrow•Mar 20, 2026
I am not very close with every one of these engineers, and some no longer work at MSFT, but yes talking to employees in Seattle working on security made me never want to use Azure.
g-b-r•Mar 20, 2026
Bloomberg and CNBC don't seem to have reported about this, maybe someone with contacts could make them aware?
ronbenton•Mar 20, 2026
Bypassing logging feels relatively unimportant compared to some of the recent EntraID vulns we’ve seen
ares623•Mar 20, 2026
It takes a village of exploits to raise a successful and undetected attack.
BoredPositron•Mar 20, 2026
Microsoft standpoint is probably: If it's undetected was there really an attack?
12_throw_away•Mar 20, 2026
I dunno. It seems kinda bad that core auth log - which should be a primary source of truth during, say, a security audit - seems to work on a best-effort basis?
kjellsbells•Mar 20, 2026
Puts me in mind of this scathing report from CISA on how a state-sponsored group broke into Microsoft and then into the State Department and a bunch of other agencies. Reads like a heist movie.
https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi...
What I found most incredible about the story is that it wasn't Microsoft who found the intrusion. It was some sysadmin at State who saw that some mail logs did not look right and investigated.
int0x29•Mar 20, 2026
Don't worry CISA and any other involved regulator were gutted by DOGE.
It’s true, and briefly made the news at the time[1]. The CSRB was also decimated, and the current DHS deputy secretary, in his confirmation hearing, called for wrecking the agency, as he disagrees with their efforts to maintain election security.
---
[1] https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...
I definitely remember DOGE gutting CISA. Other cuts were not always due to DOGE. A good chunk of the FBI's computer security and counter intelligence people got reassigned to immigration enforcement. The committee investigating the US cell network hacks got cut extensively but I don't remember who did it.
isodev•Mar 20, 2026
Ah yes, back when the US actually had cyber defence and experts capable of working in their respective fields.
philipallstar•Mar 20, 2026
They're the ones that had the Microsoft tech procured and implemented.
evanjrowley•Mar 20, 2026
This, exactly. There are so many "cyber experts" working for the U.S. government, and the vast majority are just cogs in a machine constructed by executive leadership who will always prefer inertia over radical changes.
philipallstar•Mar 20, 2026
I don't think this is that much to do with executive leadership. Many of those cyber experts only have a job because of Microsoft based tooling and vulnerabilities, and so they will prefer things they know over things they don't know (e.g. implementing permissions across a Linux estate).
ceejayoz•Mar 20, 2026
There's a decent chance they're the ones who said "no!" and got overruled.
(See also: quite a few bits of COVID mitigation)
johnbarron•Mar 20, 2026
Azure security has been a joke since like ever. It's incredible how they managed to start from scratch, and still brought into their Cloud, the same issues they had in Windows since inception. Only Cloud to have not one, but two security events, that broke isolation barriers between tenants...
"Azure's Security Vulnerabilities Are Out of Control" - https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...
"Microsoft comes under blistering criticism for “grossly irresponsible” security" - https://arstechnica.com/security/2023/08/microsoft-cloud-sec...
IIRC, (& I don't remember if I reported it), but Azure's audit logs don't reflect reality when you delete a client secret from the UI, either.
If I remember the issue right, we lost a client secret (it just vanished!) and I went to the audit logs to see who dun it. According to the logs, I had done it. And yet, I also knew that I had not done it.
I eventually reconstructed the bug to an old page load. I had the page loaded when there were just secrets "A" & "B". When I then clicked the delete icon for "B", Azure deleted secrets "B" and "C" … which had been added since the page load. Essentially, the UI said "delete this row" but the API was "set the set of secrets to {A}". The audit log then logged the API "correctly" in the sense of, yes, my credentials did execute that API call, I suppose, but utterly incorrectly in the sense of any reasonable real-world view as to what I had done.
Thankfully we got it sorted, but it sort of shook my faith in Azure's logs in particular, and a little bit of audit logs in general. You have to make sure you've actually audited what the human did. Or, conversely, if you're trying to reason with audit logs, … you'd best understand how they were generated.
I don't think I would ever accept audit logs in court, if I were on a jury. Audit logs being hot lies is within reasonable doubt.
bulbar•Mar 20, 2026
That's crazy and a pretty good point.
The human in the loop doesn't really control what gets done, it only expresses intent to the frontend.
jacquesm•Mar 20, 2026
That's why I'm a great fan of positive confirmation steps before such changes with possibly large implications. The whole change needs to be shown to the user with all changes marked and then you confirm once more that that is what you want and then that and only that gets executed. All these 'video game' interfaces with implicit saves and underwater API calls are super dangerous.
ndespres•Mar 20, 2026
There is so much goofiness happening in those web portals (and also the New Portal, and the Legacy Portal) that issues like this don’t surprise me. Every time I click a button in there I worry that the wrong thing will happen to a different object. Sometimes the display reflects the worst possible outcome, like adding a user to a group will show you the new group membership as just containing that 1 new user and nobody else. Quite a few moments of panic.
alanning•Mar 20, 2026
This is a great example for educating devs on the dangers of “set” operations vs. “pull/delete” in contexts where data can be edited concurrently.
I would say that the audit log was accurate, though, even though the bad UI design caused unintended consequences.
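The stale-page "delete B" that became "set the secrets to {A}" a few comments up, the "show the diff, then execute exactly that" confirmation step jacquesm asks for, and the set-vs-delete lesson in this comment are all the same concurrency problem. This is an added illustration, not code from the thread and nothing to do with Azure's real API: a toy secret store with the bug-shaped "replace the whole set" write beside two fixes, an intent-carrying delete-by-id and a conditional replace that refuses a stale view and returns the diff the user would have caused. All names and data are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecretStore:
    """Toy credential list for one app registration (constructed data)."""
    secrets: set = field(default_factory=set)
    version: int = 0          # ETag-style counter, bumps on every write
    audit: list = field(default_factory=list)

    def snapshot(self):
        """What a page load captures: the set as seen and its version."""
        return set(self.secrets), self.version

    def add_secret(self, actor, secret_id):
        self.secrets.add(secret_id)
        self.version += 1
        self.audit.append({"actor": actor, "op": "add", "target": secret_id})

    # Bug-shaped API: the UI says "delete this row", the wire says "set = X".
    def replace_secrets(self, actor, new_set):
        diff = describe_change(self.secrets, new_set)
        self.secrets = set(new_set)
        self.version += 1
        entry = {"actor": actor, "op": "replace", **diff}
        self.audit.append(entry)      # truthful about the call, blind to intent
        return entry

    # Fix 1: carry the intent itself, one explicit row id. Concurrent
    # additions survive because the client never asserts the full set.
    def delete_secret(self, actor, secret_id):
        found = secret_id in self.secrets
        self.secrets.discard(secret_id)
        self.version += 1
        entry = {"actor": actor, "op": "delete", "target": secret_id, "found": found}
        self.audit.append(entry)
        return entry

    # Fix 2: if the wire format must stay "replace", make it conditional on the
    # version the client saw, and hand back the diff so the user can confirm.
    def replace_if_match(self, actor, new_set, expected_version):
        if expected_version != self.version:
            entry = {"actor": actor, "op": "replace", "result": "rejected: stale view",
                     "would_change": describe_change(self.secrets, new_set)}
            self.audit.append(entry)
            return entry
        return self.replace_secrets(actor, new_set)


def describe_change(current, new_set):
    """The confirmation screen: exactly what the server would add and remove."""
    return {"add": sorted(set(new_set) - set(current)),
            "remove": sorted(set(current) - set(new_set))}


def reproduce_stale_delete():
    """Replays the scenario from the thread against the bug-shaped API."""
    store = SecretStore({"A", "B"})
    seen, _ = store.snapshot()                         # page loaded showing A and B
    store.add_secret("teammate", "C")                  # added after the page load
    entry = store.replace_secrets("me", seen - {"B"})  # UI click: "delete B"
    return sorted(store.secrets), entry["remove"]      # C is gone too


def safe_delete_by_id():
    store = SecretStore({"A", "B"})
    store.snapshot()
    store.add_secret("teammate", "C")
    store.delete_secret("me", "B")
    return sorted(store.secrets)


def safe_conditional_replace():
    store = SecretStore({"A", "B"})
    seen, version = store.snapshot()
    store.add_secret("teammate", "C")
    entry = store.replace_if_match("me", seen - {"B"}, version)
    return sorted(store.secrets), entry["result"], entry["would_change"]


if __name__ == "__main__":
    print("buggy replace  :", reproduce_stale_delete())
    print("delete by id   :", safe_delete_by_id())
    print("conditional put:", safe_conditional_replace())
```

The audit entry written by `replace_secrets` is the point alanning makes: it is accurate about the call that ran, and still useless for answering "what did the human mean to do". Recording the computed diff (`remove: ["B", "C"]`) alongside the operation is what lets a reviewer later notice that a one-row click removed two rows.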
strbean•Mar 20, 2026
Maybe I can use one of these to get in to my organization azure account from my alma mater. The email was deleted right after I graduated, but Microsoft has been trying to bill me (for a reserved IP or something) for close to a decade. Support is useless of course.
fuckinpuppers•Mar 20, 2026
It is shocking how absolutely garbage azure is.
epistasis•Mar 20, 2026
There's a big tradeoff here though: IT admins really love buying Microsoft. And when the dog tries to complain about the dogfood, the dogfood purchaser tends to not understand very well.
marcyb5st•Mar 20, 2026
Isn't it an age thing mostly? Younger admins hate Microsoft with a passion it seems to me. Or is it just my circle of acquaintances?
owebmaster•Mar 20, 2026
Well, as far as my experience, we the old generation despise Microsoft even more
AdamN•Mar 20, 2026
I was gonna say people have been hating on M$FT for decades. It started for me 20+ years ago. I'm glad to see that Azure is creating a whole new cohort of haters - just like good ol' Vista.
mapotofu•Mar 20, 2026
Classic to pat yourself on the back, push blame, and have no evidence to show you made any kind of change about it. Classic!
brazukadev•Mar 20, 2026
wtf does this even mean? Did you reply to the correct thread?
jojobas•Mar 20, 2026
You don't get promoted to positions with power to choose for hating Microsoft.
Asmod4n•Mar 20, 2026
Depends on the field you are in. There are jobs where you can’t get apps that run on anything but windows.
raverbashing•Mar 20, 2026
More an issue of procedures and processes, MS selling turn-key solutions and how things work in big companies
Try managing a directory service even on RedHat and see how it goes.
jiggawatts•Mar 20, 2026
Silicon Valley likes to pretend Microsoft doesn't exist.
I... get it.
The FAANGS needed to scale to a level where paying per-core licensing fees for an operating system was simply out of the question, not to mention the lack of customisability.
As a consequence, they all adopted Linux as their core server operating system.
Then, as their devs made millions in share options, they all scattered and made thousands of little startups... each one of which cloned the assumption that only Linux was a viable operating system for servers.
The mistake here is the same one that caused "Only MongoDB is Web Scale" and "Microservices are necessary for two devs and a PC as our server".
Just because a trillion dollar corporation decides on a thing, it does not mean it applies universally.
Outside of this bizarre little bubble, Windows is everywhere and Windows Server is still about 50% of the overall server market.
adrian_b•Mar 20, 2026
That may have been the story, but avoiding paying per-core licensing fees for an operating system is the only sane decision.
Operating systems and other applications that demand per-core licensing fees exist only because the people who buy them do not use their own money for this, so they do not care how much money they are wasting.
Most companies waste huge amounts of money not only for software, but for many other things, because those who have the power to make purchasing decisions have personal interests that are not aligned with what is really optimum for the company, while those who might have the best interests of the company in mind do not have the knowledge that would allow them to evaluate whether such purchasing decisions are correct.
The survival of Windows Server is not justified by any technical advantages. A few such advantages exist, but they do not compensate the huge PITA caused by licensing. I worked at a few companies where Windows Server was used and replacing it with either Linux or FreeBSD was always a great improvement, less by removing the payments for the licensing fees, but by providing complete freedom to make any changes in the environment without the friction caused by the consequences that such changes could have in modified licensing fees.
philipallstar•Mar 20, 2026
This is definitely not it. If you want free use of an OS in CI/CD and testing, use Linux. If you want Docker or Kubernetes, use Linux. No one thinks it's the only option, but you'd have to have a really good reason to pay to use Windows on the server.
CalRobert•Mar 20, 2026
Europeans bizarrely love Azure.
connorgurney•Mar 20, 2026
As a European, you’re on your own there…
CalRobert•Mar 20, 2026
I see azure in more European job ads (and .net) than I ever did in California…
r_lee•Mar 20, 2026
from my experience it's more of a business guy/executive thing, they see Microsoft as a reliable, low-risk vendor which can speak their language. "nobody ever got fired for buying IBM" type thing
CalRobert•Mar 20, 2026
I figured they were risk averse and picking based on name familiarity.
raverbashing•Mar 20, 2026
I guess it's not so much Europe but "non IT-core companies" might prefer it, also the convenience of having everything on the same bill (workstation licenses, cloud, etc)
bell-cot•Mar 20, 2026
You don't get too far up the career ladder if you don't understand "Nobody ever got fired for buying X".
stackskipton•Mar 20, 2026
They don’t LOVE but they don’t have other options.
I’m at some legacy business that depends on some .Net Framework LOB application, some random SaaS web software along with usual office stuff. I need to manage Windows machines, identity for everyone including integration with random SaaS web software and enforce random policies that Security swears if I don’t, we fail PCI audit and that's business ending. Oh yea, our funding and salaries for department wouldn’t cover one scrum team at FAANG. What is my solution, go!
For most, they default to Microsoft solution because it works well enough to collect meager paycheck and go home.
dfedbeef•Mar 20, 2026
> It's not often that you see a demo of an actual Azure vulnerability, as they get patched and are gone forever. However, because Microsoft was having trouble replicating this complicated bypass, and asked for a video, I come bearing receipts.
Absolutely savage lol
[If you didn't read the thing, it's one curl command.]
cyberax•Mar 20, 2026
Azure Entra is an example of making a system so complex that nobody can understand it entirely. I'm fairly experienced in access control systems, OIDC, crypto, etc. but I was not able to understand how it all fits together.
Google Cloud is simplistic in comparison. AWS is full of legacy complexity (IAM policies, sigh) but it's fairly self-contained and can be worked around by splitting stuff into accounts.
I have not looked at Oracle cloud yet. Is it any better than MS?
philipallstar•Mar 20, 2026
> I have not looked at Oracle cloud yet. Is it any better than MS?
At last glance it's far more like infrastructure leasing, with some Oracle twists, such as hosted Oracle databases, than it is full on cloud services. But this was a few years ago.
jiggawatts•Mar 20, 2026
Reminds me of an Azure Support ticket I submitted a few years ago when some developer clicked the "Fix this now" button in Application Insights, which then proceeded to double the scale of an already too-large App Service Plan. [1]
The Audit log showed the service identity of Application Insights, not the user that pressed the button! The cloud ops team changed the size back, and then the mysterious anonymous developer... changed it back. We had to have an "all hands" meeting to basically yell at the whole room to cut that out. Nobody fessed up, so we still don't know who it was.
The Azure Support tech argued with me vehemently that this was by design, that Azure purposefully obscures the identity of users in audit logs!!! He mumbled something about GDPR, which is nonsense, because we're on the opposite side of the planet from Europe.
At first I was absolutely flabbergasted that anyone even remotely associated with a security audit log design could be this stupid, but then something clicked for me and it all started making sense:
Entra Id logs are an evolution of Office 365 logs.
Microsoft developed Entra ID (originally Azure Active Directory) initially for Microsoft 365, with the Azure Public Cloud platform a mere afterthought.
They have a legitimate need to protect customer PII, hence the logs don't contain their customers' private information when this isn't strictly necessary. I.e.: Microsoft's subcontractors and outsourced support staff don't need and shouldn't see some of this information!
The problem was that they re-used the same code, the same architecture decisions, the same security tradeoffs for what are essentially 100% private systems. We need to see who on our payroll is monkeying around with our servers! There is NO expectation of privacy for staff! GDPR does NOT apply to non-European government departments! Etc...
To this day I still see gaps in their logging where some Microsoft dev just "oops" forgot to log the identity of the account triggering the action. The most frustrating one for me is that Deployments don't log the identity of the user. It's one of only three administrative APIs that they have!
[1] As an aside: The plan had a 3-year Reservation on it, which meant that we were now paying for the original plan and something twice the size and non-Reserved! This was something like 5x the original cost, with no warning and no obvious way to see from the Portal UI that you're changing away from a Reserved size.
Freak_NL•Mar 20, 2026
> He mumbled something about GDPR, which is nonsense, because we're on the opposite side of the planet from Europe.
It was also nonsense because the GDPR is crystal clear about where PII may be used. Audit logs are one of those exceptions where the goal of identifying users simply permits storing usernames and associated attributes (certainly in the case of upgrading a paid plan).
This wasn't about the GDPR; you were being told to sod off.
PunchyHamster•Mar 20, 2026
> This wasn't about the GDPR; you were being told to sod off.
Vast misunderstanding of GDPR by the clowns implementing it is also possible; or just "can't be arsed so hide it all"
jiggawatts•Mar 20, 2026
More generously, they were applying GDPR rules in the correct manner, but to a different scenario: Microsoft customers being supported by Microsoft subcontractors that don't need to know the customer PII to do their job.
Most businesses using a public cloud need to log the activities of their staff accessing their own systems, which has an entirely different set of policies.
A similar example is Azure Application Insights. Microsoft uses it internally, so they keep removing features that log PII to be "GDPR compliant". Again, they're logging the activities of the general public across the entire world population, so GDPR legitimately applies. To them! Not us. Most of our scenarios are internal staff or partner organisations accessing private systems. Not only do we not do business with anyone from Europe, our systems are either privately networked or geo region locked. Europeans can't access anything in our local state government's internal staff portal even if they wanted to! Unless they hack us... but then we would very much like to log that.
Freak_NL•Mar 20, 2026
This has nothing to do with being within the jurisdiction of the GDPR or not. There are a variety of national laws worldwide which effectively overlap with or subset the GDPR (because most governments do seem to find protection of personal data worthwhile for their citizens), and Microsoft has to deal with those (either at the behest of their customers or because they are required to).
But Microsoft can totally handle applying the GDPR correctly. They have a lot of countries as customers which use Azure in some capacity and where the need for comprehensive audit logging exists. What you were seeing is a bug; or rather a design flaw, marked as WONTFIX. Some customer rep was giving you the two-fingered salute by starting with 'but GDPR…'.
PunchyHamster•Mar 20, 2026
> There is NO expectation of privacy for staff! GDPR does NOT apply to non-European government departments! Etc...
There is just... not for this. This is literally the case allowed by GDPR, only thing that GDPR requires is making sure those logs can only be accessed by people designated in organisation to parse it
vaylian•Mar 20, 2026
> Having done a fair bit of logging to databases with various scripts, I believe this was a simple matter of overflowing the SQL column length for a field, causing the entire INSERT to fail. This is a common beginner mistake when you first start to work with databases.
I'm not sure if I understand this part. I'm trying to put it into my own words. Is the following correct? The attacker provided an input that was so long, that it was rejected by the database. And the program that submitted the SQL query to the database did not have any logic for handling a query failure, which is why there is no trace of the login attempt in the log or elsewhere.
mrweasel•Mar 20, 2026
That was my understanding. You have two services, one validates, another logs. The validation triggers a failure, and requests that to be inserted into the audit database, but the audit log services fails and that apparently doesn't block the validator from sending a response back to the attacker.
Reading through the article I can't help but think that many of these authentication/authorization flows are entirely too complex. I understand that they need to be, for some use cases, but those are probably not the majority.
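The shape vaylian and mrweasel describe, a validator that answers the client whether or not its audit INSERT succeeded, is easy to reproduce in miniature. This is an added illustration, not code from the thread and not a model of any Azure component: a sign-in log in SQLite where a CHECK constraint stands in for the column-length limit the quoted comment suspects (sqlite3 does not enforce VARCHAR(n) on its own), wired once fail-open and once fail-closed. The table name, the 64-character limit and the login attempts are all constructed.

```python
import sqlite3

MAX_USERNAME = 64   # assumed column limit, mirrored in the CHECK constraint below

SCHEMA = f"""
CREATE TABLE sign_in_log (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL CHECK (length(username) <= {MAX_USERNAME}),
    outcome  TEXT NOT NULL,
    note     TEXT
)
"""


class AuditSink:
    """In-memory stand-in for the audit database (constructed)."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(SCHEMA)

    def insert(self, username, outcome, note=None):
        # An over-long username violates the CHECK and raises IntegrityError
        # (a DatabaseError subclass), just like a length-limited column would.
        self.db.execute(
            "INSERT INTO sign_in_log (username, outcome, note) VALUES (?, ?, ?)",
            (username, outcome, note))
        self.db.commit()

    def rows(self):
        return self.db.execute(
            "SELECT username, outcome, note FROM sign_in_log ORDER BY id").fetchall()


def validate(username, password):
    """Stand-in credential check: one constructed account."""
    return username == "alice" and password == "correct horse"


def login_fail_open(sink, username, password):
    """The pattern the thread describes: the audit write failing does not
    block the response, so the attempt leaves no trace at all."""
    ok = validate(username, password)
    try:
        sink.insert(username, "success" if ok else "failure")
    except sqlite3.DatabaseError:
        pass                                   # swallowed: the row simply vanishes
    return ok


def login_fail_closed(sink, username, password):
    """Hardened: never let an oversized field drop the row (truncate and say
    so), and refuse to answer at all if the record cannot be persisted."""
    ok = validate(username, password)
    safe_name = username[:MAX_USERNAME]
    note = None
    if safe_name != username:
        note = f"username truncated from {len(username)} chars"
    try:
        sink.insert(safe_name, "success" if ok else "failure", note)
    except sqlite3.DatabaseError as exc:
        raise RuntimeError("audit write failed; refusing to complete sign-in") from exc
    return ok


def demo():
    """Both paths against a normal failure and a constructed 200-char username."""
    long_name = "a" * 200
    open_sink, closed_sink = AuditSink(), AuditSink()
    login_fail_open(open_sink, "alice", "wrong")        # logged
    login_fail_open(open_sink, long_name, "wrong")      # INSERT fails, nothing logged
    login_fail_closed(closed_sink, "alice", "wrong")
    login_fail_closed(closed_sink, long_name, "wrong")  # logged, truncated, annotated
    return len(open_sink.rows()), len(closed_sink.rows()), closed_sink.rows()[1][2]


def sink_outage():
    """Same two paths when the audit store is unavailable entirely."""
    sink = AuditSink()
    sink.db.execute("DROP TABLE sign_in_log")
    open_answer = login_fail_open(sink, "alice", "correct horse")   # True, unlogged
    try:
        login_fail_closed(sink, "alice", "correct horse")
        closed_answer = "answered"
    except RuntimeError:
        closed_answer = "refused"
    return open_answer, closed_answer


if __name__ == "__main__":
    print("rows logged (open, closed), note:", demo())
    print("with the audit store down:", sink_outage())
```

Whether to fail closed on an audit-store outage is a product decision (it turns a logging incident into an availability incident), but the truncation-plus-note half is free: the row always lands, and the note is itself a detection signal, since legitimate users rarely submit names longer than the column.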
ralferoo•Mar 20, 2026
Only watched a little of the video, until I saw one of the requests returned an access token with lots of repeated data. Was very surprised when I base64 decoded that and found it was just "\uDFFF\uDBFF" repeating over and over. Maybe that was data coming from his exploit, seems a bit weird for that to be in an access token anyway. I had the sound muted, so maybe he mentioned that.
b00ty4breakfast•Mar 20, 2026
The state of cyber-security is a joke given that the entirety of civilization depends on these systems to function. It's like we transferred all our stuff into a boat with a gaping hole in the bilge plugged with a wad of duct tape and started sailing towards the open ocean. Forget putting the cart before the horse, the old mare is still in the barn and cart is about 3 counties over, upended in a ditch.
varjag•Mar 20, 2026
Worse yet the industry insists you can fix the hole by putting more guard towers with machine gun nests on the deck
Smar•Mar 20, 2026
I thought they want to fix these by adding an A4 sheet with text "Do not break!". Surely people won't just walk in, when asked nicely. At least any nice, law abiding people. I guess others are encouraged to walk in, then.
giancarlostoro•Mar 20, 2026
Imagine if Microsoft spent more attention on making Windows suck less and Azure better, because in my eyes it is not as awful as whatever the heck AWS' dashboard is supposed to be. Azure has a rich set of developer libraries for their offerings, and their dashboard isn't nearly as awful as AWS. I've never used GCP so I can't comment on theirs, or their libraries.
It should really horrify everybody that Microsoft is not investing more into Azure considering they host the world's most known LLM (and used?).
lallysingh•Mar 20, 2026
I don't know why you'd believe they've ever been capable of putting out quality software.
A bug in the software is a bug in the process, and the process is the job of leadership. They've never cared about software quality. They'll put out lots of books about it, lots of talks, lots of claims. But they won't actually put out quality software. It's not in their DNA, never was.
It's not their size nor their age that makes this hard for them. Plenty of larger, older companies put out better product every day. It's just them. Someone in each size class is the best, and someone else is the worst. MS has been the worst the entire time.
Erndob•Mar 20, 2026
Microsoft managed to introduce a critical vulnerability in Notepad, so this does not surprise me
17 Comments
https://arstechnica.com/information-technology/2026/03/feder...
I have become very cautious of such stories for this very reason. Who gets how much blame has a lot to do with "culture" or momentum. Bashing Microsoft for example is always super fine, but at multiple occasions I found the facts to be much more nuanced.
ProPublica has an agenda, and they slant their reporting to push it.
You can like their agenda and support this effort, but it’s not journalism.
https://www.propublica.org/topics/trump-administration
…with 16(!!) since 2020 on Biden’s term:
https://www.propublica.org/topics/biden-administration
My favorite missing Biden story that should have been right in their wheelhouse: The unprecedented $36 billion bailout of the Teamster’s pension fund.
https://www.statesman.com/story/news/politics/politifact/202...
[edit: 'pretty' instead of 'perfectly']
https://www.cisa.gov/sites/default/files/2024-03/CSRB%20Revi...
What I found most incredible about the story is that it wasn't Microsoft who found the intrusion. It was some sysadmin at State who saw that some mail logs did not look right and investigated.
---
[1] https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...
(See also: quite a few bits of COVID mitigation)
"Azure's Security Vulnerabilities Are Out of Control" - https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...
"Microsoft comes under blistering criticism for “grossly irresponsible” security" - https://arstechnica.com/security/2023/08/microsoft-cloud-sec...
If I remember the issue right, we lost a client secret (it just vanished!) and I went to the audit logs to see who dun it. According to the logs, I had done it. And yet, I also knew that I had not done it.
I eventually reconstructed the bug to an old page load. I had the page loaded when there were just secrets "A" & "B". When I then clicked the delete icon for "B", Azure deleted secrets "B" and "C" … which had been added since the page load. Essentially, the UI said "delete this row" but the API was "set the set of secrets to {A}". The audit log then logged the API "correctly" in the sense of, yes, my credentials did execute that API call, I suppose, but utterly incorrectly in the sense of any reasonable real-world view as to what I had done.
Thankfully we got it sorted, but it sort of shook my faith in Azure's logs in particular, and a little bit of audit logs in general. You have to make sure you've actually audited what the human did. Or, conversely, if you're trying to reason with audit logs, … you'd best understand how they were generated.
I don't think I would ever accept audit logs in court, if I were on a jury. Audit logs being hot lies is within reasonable doubt.
The human in the loop doesn't really control what gets done, it only expresses intend to the frontend.
I would say that the audit log was accurate, though, even though the bad UI design caused unintended consequences.
Try managing a directory service even on RedHat and see how it goes.
I... get it.
The FAANGS needed to scale to a level where paying per-core licensing fees for an operating system was simply out of the question, not to mention the lack of customisability.
As a consequence, they all adopted Linux as their core server operating system.
Then, as their devs made millions in share options, they all scattered and made thousands of little startups... each one of which cloned the assumption that only Linux was a viable operating system for servers.
The mistake here is the same one that caused "Only MongoDB is Web Scale" and "Microservices are necessary for two devs and a PC as our server".
Just because a trillion dollar corporation decides on a thing, it does not mean it applies universally.
Outside of this bizarre little bubble, Windows is everywhere and Windows Server is still about 50% of the overall server market.
Operating systems and other applications that demand per-core licensing fees exist only because the people who buy them do not use their own money for this, so they do not care how much money they are wasting.
Most companies waste huge amounts of money not only for software, but for many other things, because those who have the power to make purchasing decisions have personal interests that are not aligned with what is really optimum for the company, while those who might have the best interests of the company in mind do not have the knowledge that would allow them to evaluate whether such purchasing decisions are correct.
The survival of Windows Server is not justified by any technical advantages. A few such advantages exist, but they do not compensate the huge PITA caused by licensing. I worked at a few companies where Windows Server was used and replacing it with either Linux or FreeBSD was always a great improvement, less by removing the payments for the licensing fees, but by providing complete freedom to make any changes in the environment without the friction caused by the consequences that such changes could have in modified licensing fees.
I’m at some legacy business that depends on some .Net Framework LOB application, some random SaaS web software along with usual office stuff. I need to manage Windows machines, identity for everyone include integration with random SaaS web software and enforce random policies that Security swears if I don’t, we fail PCI audit and that business ending. Oh yea, our funding and salaries for department wouldn’t cover one scrum team at FAANG. What is my solution, go!
For most, they default to Microsoft solution because it works well enough to collect meager paycheck and go home.
Absolutely savage lol
[If you didn't read the thing, it's one curl command.]
Google Cloud is simplistic in comparison. AWS is full of legacy complexity (IAM policies, sigh) but it's fairly self-contained and can be worked around by splitting stuff into accounts.
I have not looked at Oracle cloud yet. Is it any better than MS?
At last glance it's far more like infrastructure leasing, with some Oracle twists, such as hosted Oracle databases, than it is full on cloud services. But this was a few years ago.
The Audit log showed the service identity of Application Insights, not the user that pressed the button! The cloud ops team changed the size back, and then the mysterious anonymous developer... changed it back. We had to have an "all hands" meeting to basically yell at the whole room to cut that out. Nobody fessed up, so we still don't know who it was.
The Azure Support tech argued with me vehemently that this was by design, that Azure purposefully obscures the identity of users in audit logs!!! He mumbled something about GDPR, which is nonsense, because we're on the opposite side of the planet from Europe.
At first I was absolutely flabbergasted that anyone even remotely associated with a security audit log design could be this stupid, but then something clicked for me and it all started making sense:
Microsoft developed Entra ID (originally Azure Active Directory) initially for Microsoft 365, with the Azure Public Cloud platform a mere afterthought. They have a legitimate need to protect customer PII, hence the logs don't contain their customers' private information when this isn't strictly necessary. I.e.: Microsoft's subcontractors and outsourced support staff don't need and shouldn't see some of this information!
The problem was that they re-used the same code, the same architecture decisions, the same security tradeoffs for what are essentially 100% private systems. We need to see who on our payroll is monkeying around with our servers! There is NO expectation of privacy for staff! GDPR does NOT apply to non-European government departments! Etc...
To this day I still see gaps in their logging where some Microsoft dev just "oops" forgot to log the identity of the account triggering the action. The most frustrating one for me is that Deployments don't log the identity of the user. It's one of only three administrative APIs that they have!
[1] As an aside: The plan had a 3-year Reservation on it, which meant that we were now paying for the original plan and something twice the size and non-Reserved! This was something like 5x the original cost, with no warning and no obvious way to see from the Portal UI that you're changing away from a Reserved size.
It was also nonsense because the GDPR is crystal clear about where PII may be used. Audit logs are one of those exceptions where the goal of identifying users simply permits storing usernames and associated attributes (certainly in the case of upgrading a paid plan).
This wasn't about the GDPR; you were being told to sod off.
Vast misunderstanding of GDPR by the clowns implementing it is also possible; or just "can't be arsed so hide it all"
Most businesses using a public cloud need to log the activities of their staff accessing their own systems, which has an entirely different set of policies.
A similar example is Azure Application Insights. Microsoft uses it internally, so they keep removing features that log PII to be "GDPR compliant". Again, they're logging the activities of the general public across the entire world population, so GDPR legitimately applies. To them! Not us. Most of our scenarios are internal staff or partner organisations accessing private systems. Not only do we not do business with anyone from Europe, our systems are either privately networked or geo region locked. Europeans can't access anything in our local state government's internal staff portal even if they wanted to! Unless they hack us... but then we would very much like to log that.
But Microsoft can totally handle applying the GDPR correctly. They have a lot of countries as customers which use Azure in some capacity and where the need for comprehensive audit logging exists. What you were seeing is a bug; or rather a design flaw, marked as WONTFIX. Some customer rep was giving you the two-fingered salute by starting with 'but GDPR…'.
There is just... not for this. This is literally the case allowed by GDPR; the only thing that GDPR requires is making sure those logs can only be accessed by people designated in the organisation to parse them.
I'm not sure if I understand this part. I'm trying to put it into my own words. Is the following correct? The attacker provided an input that was so long that it was rejected by the database. And the program that submitted the SQL query to the database did not have any logic for handling a query failure, which is why there is no trace of the login attempt in the log or elsewhere.
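The failure mode the comment above asks about, as an added example that is not from the original thread or the article it discusses: a login handler that records the attempt in the same database transaction that rejects the oversized input loses the record entirely when the constraint fires, and a swallowed exception leaves no trace. The schema, the 64-character limit, the table names and the sample account are all constructed for this illustration (SQLite's CHECK constraint stands in for whatever length limit the real database enforced); the hardened variant shows the general fix of emitting the audit event to an out-of-band sink before touching the database and treating a database error as a logged outcome rather than silence.

```python
import logging
import sqlite3
from io import StringIO

# Constructed limit standing in for the database's column length rule.
MAX_USERNAME = 64


def make_db():
    """In-memory schema constructed for the example; not from the article."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE login_attempts (
            username TEXT NOT NULL CHECK (length(username) <= 64),
            outcome  TEXT NOT NULL
        );
        INSERT INTO users VALUES ('alice', 'correct horse');
    """)
    return conn


def count_attempts(conn):
    return conn.execute("SELECT COUNT(*) FROM login_attempts").fetchone()[0]


def login_vulnerable(conn, username, password):
    """Audit record lives inside the transaction that validates the input.

    An over-long username violates the CHECK constraint on the INSERT, the
    whole transaction rolls back, and the bare except turns it into a plain
    'login failed'. Nothing records that the attempt ever happened.
    """
    try:
        with conn:  # commit on success, rollback on exception
            row = conn.execute(
                "SELECT password FROM users WHERE username = ?", (username,)
            ).fetchone()
            ok = row is not None and row[0] == password
            conn.execute(
                "INSERT INTO login_attempts VALUES (?, ?)",
                (username, "success" if ok else "failure"),
            )
        return ok
    except sqlite3.Error:
        return False  # swallowed: no log line, no distinct error


def make_audit_logger():
    """Fresh logger writing to an in-memory stream (stands in for SIEM/syslog)."""
    stream = StringIO()
    logger = logging.Logger("audit")
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(stream))
    return logger, stream


def login_hardened(conn, username, password, audit):
    """Log first, to a sink independent of the database, then validate.

    The audit line is truncated so the log itself cannot be flooded, the
    length check happens before the query, and a database error is
    recorded as an outcome instead of being discarded.
    """
    audit.info("login attempt user=%r len=%d", username[:MAX_USERNAME], len(username))
    if len(username) > MAX_USERNAME:
        audit.warning("login rejected: username too long (%d > %d)",
                      len(username), MAX_USERNAME)
        return False
    try:
        with conn:
            row = conn.execute(
                "SELECT password FROM users WHERE username = ?", (username,)
            ).fetchone()
            ok = row is not None and row[0] == password
            outcome = "success" if ok else "failure"
            conn.execute("INSERT INTO login_attempts VALUES (?, ?)", (username, outcome))
        audit.info("login %s user=%r", outcome, username)
        return ok
    except sqlite3.Error as exc:
        audit.error("login db error user=%r: %s", username, exc)
        return False


if __name__ == "__main__":
    db = make_db()
    login_vulnerable(db, "a" * 200, "x")
    print("vulnerable: attempts recorded after oversized login =", count_attempts(db))
    log, out = make_audit_logger()
    login_hardened(db, "a" * 200, "x", log)
    print("hardened audit trail:\n" + out.getvalue())
```

Running the block shows the vulnerable path leaving `login_attempts` empty after the oversized request, while the hardened path produces an attempt line and a rejection line without touching the database. The point generalises beyond length limits: any audit record that depends on the success of the operation it is meant to record will be missing exactly for the requests an attacker crafts to make that operation fail.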
Reading through the article I can't help but think that many of these authentication/authorization flows are entirely too complex. I understand that they need to be, for some use cases, but those are probably not the majority.
It should really horrify everybody that Microsoft is not investing more into Azure considering they host the world's most known LLM (and most used?).
A bug in the software is a bug in the process, and the process is the job of leadership. They've never cared about software quality. They'll put out lots of books about it, lots of talks, lots of claims. But they won't actually put out quality software. It's not in their DNA, never was.
It's not their size nor their age that makes this hard for them. Plenty of larger, older companies put out better products every day. It's just them. Someone in each size class is the best, and someone else is the worst. MS has been the worst the entire time.
https://mastodon.social/@azureshit
Is this a bad move? What should I tell them?