Anyone else spend the day locked out of their Office 365 account yesterday (19 November) thanks to a global update-gone-wrong in Microsoft’s cloud-based multi-factor authentication?
We did, and of course assumed “it’s us, not you”, so battled to resolve the issue until around 4pm GMT, when Microsoft confirmed that affected users may be unable to sign in using MFA and may also be unable to carry out self-service password resets. As most will know, multi-factor authentication secures an account with an additional piece of information such as a code sent to the user.
The root cause identified was a recent update to the MFA service that introduced a coding issue that prevented users from signing in or carrying out self-service password resets, which are typically sent via text messages or push notifications.
In a statement, Microsoft said: “Europe, Asia-Pacific and the Americas regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.
“Engineers have deployed the hotfix which eliminated a connection between Azure Identity Multi-Factor Authentication Service and a backend Service.
“The deployment of this Hotfix took some time to take effect across the impacted regions. Engineers are continuing to monitor for a reduction in user authentication errors as a result of this hotfix. Engineers are exploring additional workstreams to fully mitigate this issue.”
Not all the Legal IT Insider team were affected and sadly we didn’t go to the pub, but had very constructive meetings about our CIO conference in Gleneagles among other things, set against a backdrop of commercial director/IT director Jeremy Hill swearing at computers and, on the odd occasion, threatening to smash them.
Let us know if you were affected.