Azure AD Sign-in Changes Cause Problems for Office 365

Posted on August 8, 2017 by Tony Redmond in Microsoft Azure, Office, Office 365 with

Azure AD sign-in change for Office 365

Dark Clouds Gather

Another day, another dark cloud scuttles across the sky to make life difficult for cloud administrators. In this case, one Microsoft development group delivered a valuable update that makes sense but did so in a way that caused problems for many Office 365 tenants. And as sometimes happens in the cloud, the change came without warning.

Azure Active Directory Tries to Make Life Better

The root of the problem is an effort to make Azure Active Directory sign-ins work more rationally and effectively. On August 2, Alex Simons, Director of Product Management for Microsoft’s Identity Division, announced that the “New Azure AD Sign-in Experience is now in public preview”. According to the post:

  1. “Azure AD & Microsoft account sign-in pages will both change to have a consistent look and feel, so you won’t experience anymore jarring transitions when you move between the two.
  2. Pagination of the Azure AD sign-in page. The new design (Figure 1) prompts you to enter your username on the first screen followed by a credential (typically a password) on a second screen. We’ve done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach. It also sets us up to be able to easily introduce new forms of authentication like phone sign-in and certificate-based authentication.

We know that this will be a disruptive change for some of you, but we believe that this sets us up for an exciting future of innovation in the sign-in space. To give you time to prepare for the change, we’ll leave the new experience as an opt-in public preview for the next few weeks. We plan to switch over to the new UI by default during the last week of September.”

The bolding in the statement is mine.

New Azure AD Sign-in

Figure 1: The new Azure AD sign-in (image credit: Tony Redmond)

Disruptive Change Happens

As it turns out, the prediction of “disruptive change” was all too true. A long and interesting discussion in the Microsoft Technical Community, tells how many Office 365 tenants, including some who had invested in customizing their tenant log-in pages, saw the change in production on August 1.

Being told by users that “We have a new sign-in experience – try it now” appears on the log-in page for Office 365 is enough to make an administrator choke on their coffee, especially when this comes unexpectedly. Indeed, as one comment noted, changing the sign-in experience at a time of heightened awareness about phishing attacks is not a good thing to do.

Microsoft says that the new sign-in design has been rolling out for other Microsoft services over the past few weeks, so you might have seen it for services like Outlook.com. As the blog notes, on August 2, it was “Azure AD’s turn.”

The only problem was that this preview change, which will become the default in the last week of September, appeared in production with no warning, no announcement specifically targeted at the Office 365 community, no message showed up in the Office 365 Admin Center until August 5 (MC112663), and nothing about the change appears in the Office 365 Roadmap. In short, this was a good example of how not to manage fundamental change in a critical service exposed to end users.

Change Breaks Office 2010/SharePoint

In addition, to make life even more interesting, the new sign-in experience breaks the ability of Office 2010 desktop applications to open documents stored in SharePoint Online and OneDrive for Business sites, an unfortunate discovery when you are mid-way through the deployment of 28,000 Office 365 seats (as reported by one customer). Clearing cookies from the IE or Chrome cache is a temporary and short-lived fix for the problem.

In an August 7 update, Kevin Xia, a program manager on Microsoft’s identity team, said that they “might be close to a fix.” He also said that “the new experience is solely a UI update with no changes in protocol. As such, there’s no change to how authentication is done in the 2010 client apps – there’s no change to how modern auth is used.

Update 11AM EST: Microsoft says that they have rolled-out a fix for Office 2010.

Previous Change Caused Problems Too

Surprisingly, the change to the sign-in page came after similar disruption occurred when the Azure AD team pushed out a previous change that caused problems in April 2017. Again, you could not fault the logic and the usefulness of the change, but the way Microsoft introduced the new code forced Alex Simons to apologize, saying:

“Additionally, we learned that we took many you by surprise and did not give you enough time to alert and train your employees about the change….

We’re going to revisit the overall here (sic) plan and take steps to better socialize and communicate future end-user facing UX changes.”

Despite avowing to do better, perhaps the Azure AD team did not complete revisiting their overall plan before the time came to ship the new sign-in.

In a comment on his latest blog post, Alex Simon defends the way that Microsoft introduced the new sign-in experience. He makes the point that Microsoft tested the changes with preview customers first and that the changes are now in a 30-plus day preview period. Both points are valid, but the lack of communication to Office 365 customers is just dreadful, especially when Office 365 is such a large and important consumer of Azure Active Directory.

Also, apologizing for the blog post appearing after changes appeared in production because “the dev team surprised us by getting the changes up and running a few days earlier than planned” is simply unacceptable in terms of customer communication.

Sponsored

Better Testing, Better Coordination Needed

Last week’s data breach, the changes to Azure AD, and issuing Office applications with the wrong digital signatures, are examples of poor change management and flawed testing within Microsoft. You could also add poor internal communications into the mix as the Office 365 team certainly does not seem to have been aware of the havoc that the Azure AD changes in April and August could cause.

The chance to meet and greet the Azure AD and Office 365 product managers at the Ignite conference is fast approaching. I look forward to hearing about how the Office 365 team plans to improve how they introduce updates into production. Improvement is sorely needed.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Tagged with , , , ,