Microsoft breaks geolocation, locking users out of Azure and M365

Microsoft has found a new and interesting way to break its cloud services: by messing up geolocation services and sending its users to Uzbekistan, which made it impossible for them to log in. The Beast of Redmond let the world know about the mess with this oblique tweet regarding Microsoft 365: We're investigating an issue …

  1. Anonymous Coward
    Anonymous Coward

    Microsoft are terrible at admitting problems. It's not unusual for us to log a support ticket and then shortly after Microsoft announce they've fixed a problem that started many hours ago.

    1. 43300 Silver badge

      Sometimes they fix a problem without ever actually acknowledging that it even existed!

    2. AndrueC Silver badge
      Unhappy

      Across all their product lines. I reported a bug in Visual Studio (a debug window no longer reopening at its last size and position). After asking for more information (which I provided), they changed my report to a feature request. Then they closed it because it was 'out of scope with our general product direction'. Despite requests for more information there have been no further responses.

      No wonder VS is in the state it is.

      1. Anonymous Coward
        Anonymous Coward

        Don't hold your breath.

        When IE11 came out Microsoft wrote a set of group policies for Server 2008 that was incompatible with IE10 and prior, to the extent that installing IE11 would totally overwrite the policies UI for IE10.

        Unfortunately, IE11 didn't run on all versions of Windows, so if you had some legacy machines knocking about you had to go through this crazy process of uninstalling IE11 on your Server 2008 DC (with a subsequent reboot!) to make changes to the IE10 policies (and then reinstalling IE11 and another reboot to make the IE11 policies reappear).

        The fix for this is logged as a support request. To the best of my knowledge, it still hasn't been fixed.

      2. Steve Davies 3 Silver badge

        re: No wonder VS is in the state it is.

        Or THTF

        Too Hard To Fix

        MS are a bunch of [redacted]

      3. veti Silver badge

        That actually makes reasonable sense. It's a rather impolite way of communicating, but the burden of it is: "This feature was considered unimportant to our core functionality and has been discontinued, as of a recent change which we might be able to work out if we could be bothered but frankly it sounds like too much work".

      4. AndrueC Silver badge
        Facepalm

        Over the weekend MS appear to have woken up and now my closed 'feature request' has been marked as a duplicate and the original (created a month earlier) is at least still open and being investigated.

        Accurate and effective bug tracking - MS have heard of it.

        1. AndrueC Silver badge
          Meh

          Well what a change. MS are now saying that a fix will be in the next preview release.

          No apology for their response to my ticket though.

  2. plunet

    IPv6 still the poor relation chez Microsoft

    "Making matters worse, the IP addresses in question appear to be IPv4. Shame, Microsoft, get thee to IPv6!"

    That's because last time I checked Microsoft offered no geolocation on IPv6. If you don't offer it you can't break it.

    1. cookieMonster Silver badge
      Joke

      Re: IPv6 still the poor relation chez Microsoft

      Microsoft Dev hears … “If you don't offer it you can't break it.”

      Hold my beer !!!

    2. MatthewSt Silver badge

      Re: IPv6 still the poor relation chez Microsoft

      Be careful what you wish for - https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/ipv6-coming-to-azure-ad/ba-p/2967451

  3. Coastal cutie

    I've lost count - are we down to M350 yet?

    1. AnotherName

      Perhaps they should start from one on 1st January and count up and see how far they get by the end of the year.

  4. AnotherName

    At least they're professionals

    Just imagine how bad it would be if they were amateurs!

  5. yetanotheraoc Silver badge

    system normal ....

    Just the usual testing in production. Nothing to see here.

  6. Doctor Syntax Silver badge

    Toshkent

    I'd assumed Toshkent was just because their explanation was a load of tosh but it turns out that Toshkent is the area around Tashkent.

    You can always learn something new at elReg

  7. Pascal Monett Silver badge

    The important words are: We're reverting a recent change

    Once again, fat-fingered keyboarding without proper checking results in massive pain for many people.

    Ah, to think that, in the good ol' days, if a sysadmin goofed it would only affect the users of that company's network.

    Today's sysadmins can affect people all across the globe.

    Yay progress.

  8. Anonymous Coward
    Anonymous Coward

    Anyone surprised?

    Anyone working with Microsoft 365 knows that one cannot rely on the shown geo location. Okay, the country is usually correct. But the city and state are often wrong, even for fixed office locations.

  9. Anonymous Coward
    Anonymous Coward

    Someone remind me. What are the advantages of using the cloud?

    1. vtcodger Silver badge

      Advantages of the cloud

      Someone remind me. What are the advantages of using the cloud?

      Many fewer stressful hours per year doing actual work?

  10. DJV Silver badge

    Sigh

    Is there no end to the number of total cock-ups that Microsoft will inflict upon their paying customers due to their infamous lack of QA testing?

    As someone who was hit by the Defender icon and program mess a few weeks ago, I have decided that my next main PC will be Linux based and, if I need to run Windows at all, it will be done via a virtual machine. I haven't used MS Office for years, and refuse to have anything to do with their shonky cloud services.

    There will come a point when I will be glad to be completely Microsoft- (and Google-) free.

    1. ecofeco Silver badge

      Re: Sigh

      The last 30 years say, "no end".

  11. Numen

    Apparently lasted more than one day according to NHS

    NHS shows this lasted around 3 days, from 21/3 to 24/3

    https://support.nhs.net/2023/03/microsoft-365-alert-service-degradation-microsoft-365-suite-some-users-with-conditional-access-policies-may-be-unable-to-access-any-microsoft-365-service/

  12. ecofeco Silver badge

    Goddamnit!

    ANOTHER Azure problem?!

    Sigh, no wonder I couldn't get users joined yesterday. Two Azure problems in one week.

    Goddammit MS. And the numpties who lick its taint.

  13. FrenchFries!

    Abandon ship! Can I get a ChatGPT violinist?

  14. PRR Silver badge
    WTF?

    Why (oh why oh why??) would MS base access on IP numbers? 16 years ago I was fire-fighting email because MS was using unregistered IPs to send mail, and my organization's policy was to drop anything which failed reverse-DNS. I was logging whole banks of untraceable IPs (yet some were clean, so the problem seemed "random", depending on luck of the draw at the email load-levelers). Not my job either way, I was just caught in the middle between angry senders and angry non-recipients.

    1. AndrueC Silver badge
      Boffin

      was fire-fighting email because MS was using unregistered IPs to send mail

      That's what the problem really was. Your systems were configured correctly and doing what they should. These days all mail servers should be using IP addresses configured with correct rDNS and some kind of verification protocol. SPF is easy to set up and in conjunction with DMARC (not so easy) provides a useful assurance to recipients. Yes it can occasionally cause problems but that's usually only when someone with a poorly configured mail server tries to send mail and you want those people stopping at the door so that you can dig deeper into who they really are.

      Blocking access using an IP whitelist is an effective security measure. It's only a problem when clients are accessing services with dynamic addresses outside of a defined range but you can work around that by making them use a VPN which adds another useful layer of security.

      1. Anonymous Coward
        Anonymous Coward

        The big problem is that so many companies are now using O365, so their SPF record covers every Azure IP address that can send mail. All the malicious senders have to do is also use Azure to send email and it will pass SPF.

        1. AndrueC Silver badge
          Unhappy

          Really? Oh that's crappy.

        2. MatthewSt Silver badge

          But fail DKIM, which is arguably a more valuable signal

          Also, all of the Azure IP addresses that send mail require validation, so you won't be able to send an email from someone else unless you have their credentials.

          1. Anonymous Coward
            Anonymous Coward

            That assumes you have bothered to set up DKIM on your domains. It is only enabled by default on the onmicrosoft.com domain. I always enable it as it just needs creating a couple of DNS records and switching on. Seen plenty of domains without it enabled though.

  15. John Tserkezis

    Against the advice I've been getting to move to 365, I still insist on using LibreOffice.

    Shockingly, it still works.

  16. john.jones.name
    WTF?

    www.theregister.com FAILS by the same rationale

    Whoever administrates www.theregister.com is VERY behind the times

    ISSUE: None of your web servers has an IPv6 address.

    www.theregister.com IPv6 address = None

    SOLUTION:

    1/ Login to your Cloudflare account.

    2/ Click the Network app.

    3/ Toggle IPv6 Compatibility On.

    ISSUE: Your domain is insecure, because it is not DNSSEC signed.

    Domain Registrar for www.theregister.com = CSC Corporate Domains, Inc.

    SOLUTION:

    1/ Login to your Cloudflare account.

    2/ Go to DNS > Settings.

    3/ For DNSSEC, click Enable DNSSEC.

    (In the dialog, you have access to several necessary values to help you create a DS record at your registrar CSC.)

    ISSUE: Your web server supports TLS versions that should be phased out deliberately, because they are known to be fragile and at risk of becoming insufficiently secure. TLS 1.1 phase out

    SOLUTION

    1/ Login to your Cloudflare account.

    2/ Go to Domain > “Crypto” tab

    3/ choose the “Minimum TLS Version” as TLS 1.2

    I don't think this is complicated. Get on it.

  17. PeterM42
    Facepalm

    Office 364½ strikes again

    'Nuff Said!

  18. Anonymous Coward
    Anonymous Coward

    Geolocation is still broken 2 weeks later

    Some T-Mobile cell pools with 172.59.72.x are listed as Shanghai, CN causing our users to fail because of Conditional Access policies. Our Security teams are investigating numerous instances of "Overseas Travelers" every day because our T-Mobile users are trying to access company resources online and generate alerts.
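
The mismatch described in the comment above, as an added example that is not part of the original thread: a triage step that checks a sign-in's reported country against address ranges the organisation has verified itself, so a stale geolocation feed shows up as a data conflict instead of an "overseas traveler" case. The event fields, function names and home country are hypothetical, the events are constructed, and "172.59.72.x" is read here as 172.59.72.0/24.

```python
import ipaddress
from collections import Counter

HOME_COUNTRY = "US"  # assumption: where the workforce is based

# Assumption: ranges the organisation has verified itself (carrier, WHOIS).
# "172.59.72.x" from the comment is read here as 172.59.72.0/24.
VERIFIED_RANGES = {
    ipaddress.ip_network("172.59.72.0/24"): ("T-Mobile", "US"),
}

# Constructed sign-in events, not real log data.
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "172.59.72.14", "geo_country": "CN", "mfa": True},
    {"user": "bob", "ip": "172.59.72.200", "geo_country": "US", "mfa": True},
    {"user": "carol", "ip": "203.0.113.9", "geo_country": "CN", "mfa": False},
    {"user": "dave", "ip": "172.59.72.77", "geo_country": "CN", "mfa": False},
    {"user": "erin", "ip": "not-an-ip", "geo_country": "CN", "mfa": True},
]

def verified_owner(ip_text):
    """Return (carrier, country) for a verified range, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed address: never treat it as verified
    for net, owner in VERIFIED_RANGES.items():
        if ip in net:
            return owner
    return None

def triage(event):
    """Classify one sign-in as 'ok', 'geo_conflict' or 'investigate'."""
    if event["geo_country"] == HOME_COUNTRY:
        return "ok"
    owner = verified_owner(event["ip"])
    if owner is None or owner[1] != HOME_COUNTRY:
        return "investigate"  # nothing contradicts the foreign location
    # The geolocation feed disagrees with verified range ownership. A carrier
    # pool is shared by many subscribers, so this only discredits the
    # location, not the sign-in itself: MFA is still required.
    return "geo_conflict" if event["mfa"] else "investigate"

def summarize(events):
    """Count verdicts so the size of the geo-data problem is visible."""
    return Counter(triage(e) for e in events)

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["user"], e["ip"], e["geo_country"], "->", triage(e))
```

Events marked `geo_conflict` are evidence for a correction request to the geolocation provider; they are not a reason to exempt the range from Conditional Access.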
