Microsoft breaks Office 365 sign-in pages ahead of surprise update

Some Office 365 customers can't use Office, thanks to a login portal redesign. For the "last few weeks", Microsoft has been quietly rolling out an opt-in redesign for login pages. The change for accessing Azure Active Directory, a cloud service that manages users for Office 365, also started Tuesday for coherency. In addition …

  1. Pirate Dave
    Pirate

    Yeah...

    "The dev team surprised us by getting the changes up and running a few days earlier than planned and we had to scramble to get the blog post up as fast as possible."

    Yeah, this is why you don't let the programmers anywhere near the live servers...

    1. Captain Scarlet Silver badge
      Mushroom

      Re: Yeah...

      Or the departments can, you know, communicate with each other?

      1. Anonymous Coward
        Anonymous Coward

        Re: Yeah...

        Nope that'll never happen, even in mid-size companies.

      2. handleoclast
        Coat

        Re: Inter-departmental communication

        @Captain Scarlet

        The departments concerned do know that they can communicate with each other. And they attempt to do so.

        Unfortunately, company policy mandates that they use Skype for Business to communicate, and that is so crap they just don't bother.

        1. Captain Scarlet Silver badge

          Re: Inter-departmental communication

          "they use Skype for Business to communicate"

          But it's just an instant messenger (Lync with Skype buttons plastered on), even when Outlook explodes in flames (80GB ost I cba to maintain) it works fine

      3. CrazyOldCatMan

        Re: Yeah...

        "Or the departments can you know communicate with each other?"

        This is Microsoft - where the departments are famously hostile to each other since, in the bad old days, their group income depended on just their stuff and would be harmed if another department does better than them.

        How much that's changed I don't know - probably not much.

        1. Anonymous Coward
          Anonymous Coward

          Re: Yeah...

          It's totally changed. The old "stack ranking" system went out with the Ballmer era

    2. Steve Davies 3 Silver badge

      Re: Yeah...

      Nah, that's DevOps in all its glory in action.

      Code it, release it and to hang with the fallout, the Surf is Up!

    3. phuzz Silver badge

      Re: Yeah...

      Just add the communication to the login page, "hey, blog team, we're ahead of schedule so you can put that post live now! thanks, the dev team"

    4. bombastic bob Silver badge
      Thumb Up

      Re: Yeah...

      "Yeah, this is why you don't let the programmers anywhere near the live servers..."

      many thumbs up for that bit of advice!

      [I currently find myself in the (somewhat necessary, regrettably) position of web development, server admin, AND system integrator, with a bozillian low-level fixes and necessary changes just WAITING to be implemented on the production side, and I have to CONSTANTLY resist the temptation to just put it into production anyway (since I have a 'development' site running in parallel, migrated from the production system's everything, and without any major problems) while I wait for the slow-moving wheels of but-if's and uncertainty on the "customer" end, until they finally say "go for it"]

      So yeah, don't @#$% with the production system until the P.R. and non-IT people get their schtuff in one sock...

  2. Robin

    Paginated

    In addition to some basic UI tweaks, the updated design comes with a paginated sign-in where you enter your username on the first page and a credential (password, probably) on the second.

    "We've done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach," Microsoft notes.

    Wait, so it's: type username ... wait for page to reload ... type password?

    I don't get how that would yield such a supposed improvement in sign-in success?

    1. Anonymous Coward
      Anonymous Coward

      Re: Paginated

      It's debatable, but the usual reasons are:

      1) Split account selection from account authentication, enabling different mechanisms to be used for either

      2) Ensure there is one and only one field on offer, stopping people slinging usernames and/or passwords into insecure fields

      3) Allows for arbitrary intermediate steps to be injected more cleanly into the process. This is particularly important for complex SAML setups where you might be bounced to an external (i.e. not microsoft) 2FA page depending on which identity you provide

      Or put in other words, step 1 might not always be "enter your username" and step 2 might not always be "enter your password", so it makes sense to have a common experience that supports all workflows rather than a single workflow that you modify by exception, breaking user expectations.

      Google do the same thing.

      1. Ken Moorhouse Silver badge

        Re: Allows for arbitrary intermediate steps to be injected more cleanly into the process.

        Surely that gives hackers insight as to whether they have hit a valid username?

        Question: Does the entire login process "bind" into one "session"? If it doesn't, then is there not the possibility that the Username and Password could be submitted using different IP addresses, which must be rejected for security reasons? If so, this would be frustrating when trying to login using a mobile device, when on the move.

        1. Anonymous Coward
          Anonymous Coward

          Re: Allows for arbitrary intermediate steps to be injected more cleanly into the process.

          "Surely that gives hackers insight as to whether they have hit a valid username?"

          Yes, but using the obscurity of the (usually public) account identifier to further secure authentication should not be relied upon in any way shape or form in this age of routine dumps of $very_large_number of usernames and email addresses. Throttle repeated login requests and require 2FA.

        2. I am the liquor Silver badge

          Re: Surely that gives hackers insight as to whether they have hit a valid username?

          @Ken Moorhouse: no, not necessarily. If the designers are sensible, the user name won't be validated until both the user name and password have been entered. Whether you enter them on one page or two, there's no need for that to change.
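An added example, not part of any comment above and not Microsoft's code: a sketch of a two-page sign-in that follows the replies in this sub-thread. Page one never looks the account up, the two steps are bound by a signed token rather than by IP address, failures are throttled per username, and a wrong name and a wrong password get the same answer. All names (`step1`, `step2`, `USERS`, the policy constants) and the sample account are constructed for illustration.

```python
import hashlib, hmac, os, secrets, time

SERVER_KEY = secrets.token_bytes(32)            # signs the step-1 -> step-2 token
MAX_FAILURES, WINDOW, TOKEN_TTL = 5, 300, 120   # assumed policy: 5 failures / 5 min, 2 min token

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

USERS = {"alice@example.com": _record("correct horse")}   # constructed sample account
DUMMY = _record(secrets.token_hex(16))   # hashed for unknown names so timing matches
_failures = {}                           # username -> timestamps of recent failures

def _sign(username, issued):
    msg = f"{issued}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def step1(username, now=None):
    """Page one: no account lookup, so the reply is the same for any username."""
    issued = int(time.time() if now is None else now)
    return {"next": "password", "token": f"{issued}.{_sign(username, issued)}"}

def step2(username, password, token, now=None):
    """Page two: check the step binding, throttle, then judge both values together."""
    now = time.time() if now is None else now
    issued, _, mac = token.partition(".")
    if not (issued.isascii() and issued.isdigit()):
        return "restart"
    expected = _sign(username, int(issued))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "restart"                 # token was not issued for this username
    if now - int(issued) > TOKEN_TTL:
        return "restart"                 # step 1 is too old; no IP address involved
    recent = [t for t in _failures.get(username, []) if now - t < WINDOW]
    if len(recent) >= MAX_FAILURES:
        return "throttled"               # applies to real and unknown names alike
    salt, stored = USERS.get(username, DUMMY)
    # Always compute the hash, then require the account to exist.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        _failures.pop(username, None)
        return "ok"
    _failures[username] = recent + [now]
    return "invalid"                     # one answer for bad name and bad password
```
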

    2. I am the liquor Silver badge

      Re: Paginated

      There are all sorts of errors people make on login pages that might be affected by this design. Like forgetting to fill in one or other field; typing the password in the user name field; tabbing too many times and trying to type the password while the login button is highlighted instead of the password field; I'm sure there are many others. I'd be interested to see the research. It seems to be an increasingly popular model for login pages.

    3. Anonymous Coward
      Anonymous Coward

      Re: Paginated

      They are not alone in this, some of our own kit does it.

      Buggers up browser based password management on about 50% of them.

    4. James 51

      Re: Paginated

      Yahoo do the same. I always thought it was so they could show twice as many ads.

    5. Ken Moorhouse Silver badge

      Re: Wait, so it's: type username ... wait for page to reload ... type password?

      Yes, it's very helpful for hackers, as they can type username, find that that doesn't exist, then try another username.

      That's where they are getting this statistic from:-

      "We've done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach,"

      1. Anonymous Coward
        Holmes

        Re: Wait, so it's: type username ... wait for page to reload ... type password?

        "Yes, it's very helpful for hackers, as they can type username, find that that doesn't exist, then try another username."

        But it's 2017. Why in the world would someone NOT be using 2FA if they were using it for important work???

        1. Ken Moorhouse Silver badge

          Re: But it's 2017.

          "Why in the world would someone NOT be using 2FA if they were using it for important work???"

          I suspect a significant number of people disable 2FA if they are working on a pc they trust.

          Where is that "trust" stored? I suspect due to the variety of elements involved it will be some kind of Cookie on the user's pc. If so, does that sound secure?

    6. bombastic bob Silver badge
      Coat

      Re: Paginated

      "I don't get how that would yield such a supposed improvement in sign-in success?"

      until they put different click-through ads on EACH PAGE that you're forced to re-load...

      WAIT until "they" put "that" as the NEW LOGIN for WIN-10-NIC

      /me heads for the door, dodging the rotting veggies and other flying objects. yeah, "don't give them any ideas"

    7. Nick Ryan Silver badge

      Re: Paginated

      It's probably put in specifically to piss off people who use secure passwords and password managers. That's how it feels anyway, because in my experience there are almost zero real world (tm) advantages to making the login process more tedious and annoying than previously. Bullshit about allowing different authentication systems is just that - it's not hard, or even remotely difficult, to have different pages or options for logins with unique URLs for each (rather than Javascript non-page UI accessibility failures embedded everywhere).

      Part of it stems from the changes that Microsoft themselves made when moving to a GUI... as in the hijacking of the Enter key for form submit (win16 "OK" button) rather than "next field" which is what it always was on every other system and how many users still treat it (yes, even in 2017). So this split page login rubbish gets around this fundamental design failure by treating the username and then the password as two separate form submissions...

  3. Mephistro
    Angel

    "...we had to scramble to get the blog post up as fast as possible."

    If typing a fecking blog post takes them longer than massively modifying their login page, perhaps they should hire a professional typist. Just saying.

    1. Anonymous Coward
      Anonymous Coward

      Re: "...we had to scramble to get the blog post up as fast as possible."

      I don't know, we all know the quality of code they throw out sometimes. Maybe it does take longer to type a blog.

      1. Alistair
        Windows

        Re: "...we had to scramble to get the blog post up as fast as possible."

        "we all know the quality of code they throw out sometimes. "

        ---- Yes, we just need to encourage MS to throw out more code. And more code, and like, dumpsterfire truckloads of code. Hell, they'll need a new dump in Redmond.

  4. Craig 2

    "an exciting future of innovation in the sign-in space."

    I can hardly contain my excitement :)

    1. Rich 11 Silver badge

      The synergistic modularity of your post is mission-critical.

    2. Paul Crawford Silver badge

      I could hardly contain my excrement

    3. bombastic bob Silver badge
      Trollface

      "I can hardly contain my excitement :)"

      sounds best when voiced by the actor that did Eeyore, or maybe (the late) Alan Rickman

      1. Doctor Syntax Silver badge

        "sounds best when voiced by the actor that did Eeyore"

        Or Marvin.

  5. Anonymous Coward
    Anonymous Coward

    Tried it. Meh.

  6. Your alien overlord - fear me

    Or just use the Office 365 Admin program from the Store - no change that I can see and it stores the admin user/password so you don't need 2 pages to enter it !!!!

    1. Anonymous Coward
      Anonymous Coward

      That's a great idea. I didn't even know there was one in Store - I'll check it out.

      Personally, I've seen several of these Reg stories the past 18 months talking about users locked out of Office 365 services, and have experienced zero interruption myself. I think that making articles out of random user comments on bug forums may not be the best way to determine if there's a real problem with the service or not.

      1. Kiwi
        Linux

        "and have experienced zero interruption myself."

        Same. With good reason!

  7. Warm Braw Silver badge

    Automation seems wonky.

    If you've got a MITM in your logon process, wonky isn't the word that springs most immediately to mind.

  8. ColonelClaw

    Am I missing something here?

    "We've done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach,"

    Typos and forgotten passwords aside, shouldn't sign-in pages always have a 100% success rate by default? Doesn't really seem like something I'd be boasting about if I was in charge.

    1. Anonymous Coward
      Anonymous Coward

      Re: Am I missing something here?

      They are on about the users I believe.

  9. TRT Silver badge

    It would be nice if...

    instead of arseing around with UI, they'd fix some basic stuff like Apple Mail's Exchange Connector not working properly anymore. And before anyone says that's Apple, not MS, I'm reliably informed that it was MS wot broke it and it's them wot's gotta fix it. You just don't know how important it is to be able to ditch as much MS crap as possible. I've had to revert to using Outlook for Mac, and it's pants, or OWA, which is also pants, but the UI is slightly more fun to play "guess the hyperlink / interactive region" on.

  10. Jim McCafferty

    Unique Identifier

    I still have moments of irrational rage when I enter my email address, and then the second dialog asks me what type of email address is this? An email address is recognised throughout the internet as a unique user identifier, but Microsoft have managed to turn it into a combined key - inside its own network?

    One suggestion - how about MS mothballs the 15,000 disconnected servers in its infrastructure, and has a single point of authentication with the email address as the identifier? Then have permissions hang off that login which dictate which services the user currently has live roles in? It's what they've been preaching in their training courses...

    1. TonyJ Silver badge

      Re: Unique Identifier

      Apparently it's because we were allowed to sign up to O365 & Outlook.com or some such craziness.

      It bugs me too, to be honest "Is this work or personal".

    2. CrazyOldCatMan

      Re: Unique Identifier

      "and has a single point of authentication with the email address as the identifier"

      The phrase that springs to mind is "single point of failure/pwnage".

      It's not like email addresses are not easily forgeable.. Or webmail systems can't be fooled into allowing other people access.

      1. Solmyr ibn Wali Barad

        Re: Unique Identifier

        "The phrase that springs to mind is "single point of failure/pwnage"."

        It had a name, too. MS Passport. Fortunately this service was too short-lived to be properly pwned.

  11. Doctor Syntax Silver badge

    Hot/Live/OutMail has had this for some time now. It's combined with an animation of dots crawling across the bottom of the name box just before the password dialog is shown. I wondered if this was some kind of mechanism to defeat bots attempting logins.

    1. Kiwi
      Trollface

      "...animation of dots crawling across the bottom..."

      Perhaps it's supposed to be a visual representation of their system speed (ref BOFH "so slow you can watch the bytes traveling" [1])

      [1] Slightly paraphrased.

  12. Herby

    "Is this work or personal"

    This sounds to me like the question should be:

    Can we really fleece you (business), or just mildly fleece you (personal).

    Sorry, I don't use such products, I prefer to be divorced from the "cloud" as much as possible.

  13. ma1010
    Holmes

    Business as usual, then

    You guys again are making changes without telling anyone ahead of time and breaking things.

    But isn't that Microsoft's new business model? It's certainly what they've been doing with Win X.

  14. Wensleydale Cheese
    Happy

    Microsoft recommended users update documentation

    Hahahahahahahahahahahaha!

    a) What documentation?

    b) You mean users actually read documentation?

  15. Anonymous Coward
    Anonymous Coward

    "We've done a lot of testing..."

    Quite pointless if your so-called testing is done by focus groups and Insider fanboys, instead of professional testers.

  16. Anonymous Coward
    Anonymous Coward

    Good

    Ideal for my company as we use ADFS and users were confused by seeing a password box when they'd already authenticated to Windows with a smart card and PIN

    1. CrazyOldCatMan

      Re: Good

      "as we use ADFS"

      Old GB-type people like me see that and think "what does the old BBC Micro disk format have to do with it?"

      Ah - I remember my dual, double-sided disk drives controlled by the advanced Watford ADFS card..

  17. Mike Shepherd
    Meh

    MBA talk?

    ...we believe that this sets us up for an exciting future of innovation in the sign-in space

    When you read this kind of drivel, expect trouble.

  18. Anonymous Coward
    Anonymous Coward

    Notable high success rate????

    "We've done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach," Microsoft notes.

    Speaking as a user I'd hope that the success rate is, oh, say 100%?

    Would this include the Azure 2FA that isn't supported on my Windows phone????

  19. MachDiamond Silver badge

    The cloud

    When you move to a Cloud based application, you get what you deserve… a complete lack of control. If your company is tied to an outside controlled product or service, you have to adapt to whatever changes they implement, when they implement them and if their service goes offline, you are offline until it's fixed. How is this an improvement?
