Microsoft is working to resolve an ongoing service disruption that is preventing customers from setting up multi-factor authentication (MFA) and from accessing the My Sign-Ins portal, according to a report by BleepingComputer. The incident, which has no estimated time of resolution as of publication, highlights the fragility of centralised identity infrastructure at a time when Microsoft is aggressively pushing organisations toward MFA adoption.
What Is Affected — and What Is Not
The outage is notably narrow in scope but carries outsized security implications. Customers who are already enrolled in MFA should continue to authenticate normally, as the disruption does not affect the authentication flow itself. Instead, the incident blocks MFA setup and management operations, including the My Sign-Ins portal where users review sign-in activity and manage security methods.
The practical consequence is that any organisation attempting to onboard new users, reset MFA configurations, or enrol replacement devices during the outage window cannot complete those actions. For companies relying solely on Microsoft Entra ID (formerly Azure AD) without redundant identity tooling, this creates a meaningful gap in security posture.
The Conditional Access Policy Risk
One under-discussed dimension of the outage involves conditional access policies. Many enterprise environments enforce policies that require MFA registration before granting access to corporate resources. When the MFA setup infrastructure is down, users caught by these policies — including new hires, employees with expired authenticator registrations, or those who recently reset their devices — may find themselves locked out entirely. IT administrators should be aware of this edge case and consider temporary policy adjustments if business continuity is at stake.
Context: Microsoft's Security Credibility Under Scrutiny
The timing of the incident is awkward for Microsoft. The company has been working to rebuild trust in its security infrastructure following the Storm-0558 breach in 2023, in which Chinese state-sponsored attackers exploited a token validation flaw to access email accounts across multiple organisations, including US government agencies. That incident prompted Microsoft to launch its Secure Future Initiative, a sweeping programme to overhaul internal security practices and push customers toward phishing-resistant MFA.
This is also not the first time Microsoft's MFA infrastructure has stumbled at scale. In 2024, a significant outage disrupted authentication flows across multiple Azure services, locking users out of applications and workloads for hours. That incident prompted widespread criticism and calls for greater transparency around the reliability of identity services that underpin daily operations for millions of organisations.
An outage that disrupts the very MFA infrastructure Microsoft is urging organisations to adopt undercuts the message behind the Secure Future Initiative. Security professionals have long noted the tension between Microsoft's role as both a dominant identity provider and a company still grappling with fundamental security challenges. This latest incident, while likely a reliability issue rather than a security breach, reinforces that concern and raises questions about whether Microsoft's MFA platform meets the uptime standards its own security mandate demands.
What Administrators Can Do
For IT teams navigating the disruption, several steps are worth considering:
- Audit current MFA enrolment status to identify any users who may have been mid-registration when the outage began.
- Review conditional access policies for potential lockout scenarios, particularly for new or recently onboarded employees.
- Communicate proactively with affected users about the situation and expected timelines.
- Monitor Microsoft's service health dashboard for updates, as no ETA has been provided.
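The first two steps above (audit enrolment status, then find who an enforced MFA policy would lock out while registration is unavailable) combined into one offline check. This is an added example, not code from the article or from Microsoft: all data is constructed, the record shapes are modelled on the Microsoft Graph userRegistrationDetails and conditionalAccessPolicy resources, and the group membership map and policy names are assumptions.

```python
from typing import Dict, List, Set

# Constructed sample, modelled on the Graph userRegistrationDetails resource.
REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False},    # new hire
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False},  # device reset
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": False},   # break-glass account
]
# Constructed sample: group object id -> member UPNs (assumed, not from the page).
GROUPS: Dict[str, Set[str]] = {
    "grp-staff": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "grp-breakglass": {"dave@example.com"},
}
# Constructed sample, modelled on the Graph conditionalAccessPolicy resource.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                              "excludeUsers": [], "excludeGroups": ["grp-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "MFA pilot (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-staff"],
                              "excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def policy_applies(policy: dict, upn: str) -> bool:
    """True if an enforced, MFA-requiring policy targets upn and does not exclude it."""
    if policy["state"] != "enabled":  # report-only/disabled policies cannot lock anyone out
        return False
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        return False
    users = policy["conditions"]["users"]

    def in_groups(group_ids: List[str]) -> bool:
        return any(upn in GROUPS.get(g, set()) for g in group_ids)

    included = ("All" in users["includeUsers"] or upn in users["includeUsers"]
                or in_groups(users["includeGroups"]))
    excluded = upn in users["excludeUsers"] or in_groups(users["excludeGroups"])
    return included and not excluded


def lockout_candidates(registration=REGISTRATION, policies=POLICIES) -> List[str]:
    """Unregistered users in scope of an enforced MFA policy: with setup down, they are blocked."""
    return sorted(r["userPrincipalName"] for r in registration if not r["isMfaRegistered"]
                  and any(policy_applies(p, r["userPrincipalName"]) for p in policies))
```

Calling `lockout_candidates()` on the sample data flags bob and carol; dave is spared only because the break-glass group is excluded from the enforced policy, which is the exclusion admins should verify exists before adjusting anything else.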
Organisations that maintain secondary authentication mechanisms — such as hardware security keys already provisioned or alternative identity providers — will be better positioned to weather the disruption.
Looking Ahead
The incident serves as a reminder that even as the industry converges on MFA as a baseline security requirement, the operational reliability of identity platforms remains a single point of failure. For enterprise IT teams, the lesson is not to abandon MFA but to ensure that identity infrastructure is treated with the same redundancy and resilience expectations as any other mission-critical system.
Microsoft has not yet provided an update on resolution timelines. This article will be updated when more information becomes available.
