Azure AD Sign-in Changes Cause Problems for Office 365

Dark Clouds Gather

Another day, another dark cloud scuttles across the sky to make life difficult for cloud administrators. In this case, one Microsoft development group delivered a valuable update that makes sense but did so in a way that caused problems for many Office 365 tenants. And as sometimes happens in the cloud, the change came without warning.

Azure Active Directory Tries to Make Life Better

The root of the problem is an effort to make Azure Active Directory sign-ins work more rationally and effectively. On August 2, Alex Simons, Director of Product Management for Microsoft’s Identity Division, announced that the “New Azure AD Sign-in Experience is now in public preview”. According to the post:

  1. “Azure AD & Microsoft account sign-in pages will both change to have a consistent look and feel, so you won’t experience anymore jarring transitions when you move between the two.
  2. Pagination of the Azure AD sign-in page. The new design (Figure 1) prompts you to enter your username on the first screen followed by a credential (typically a password) on a second screen. We’ve done a lot of testing of this design and our telemetry shows that people are able to sign in with a notably higher success rate using this approach. It also sets us up to be able to easily introduce new forms of authentication like phone sign-in and certificate-based authentication.

We know that this will be a disruptive change for some of you, but we believe that this sets us up for an exciting future of innovation in the sign-in space. To give you time to prepare for the change, we’ll leave the new experience as an opt-in public preview for the next few weeks. We plan to switch over to the new UI by default during the last week of September.”

The bolding in the statement is mine.

Figure 1: The new Azure AD sign-in (image credit: Tony Redmond)

Disruptive Change Happens

As it turns out, the prediction of “disruptive change” was all too true. A long and interesting discussion in the Microsoft Technical Community tells how many Office 365 tenants, including some who had invested in customizing their tenant log-in pages, saw the change in production on August 1.

Being told by users that “We have a new sign-in experience – try it now” appears on the log-in page for Office 365 is enough to make an administrator choke on their coffee, especially when this comes unexpectedly. Indeed, as one comment noted, changing the sign-in experience at a time of heightened awareness about phishing attacks is not a good thing to do.

Microsoft says that the new sign-in design has been rolling out for other Microsoft services over the past few weeks, so you might have seen it for services like As the blog notes, on August 2, it was “Azure AD’s turn.”

The only problem was that this preview change, which will become the default in the last week of September, appeared in production with no warning and no announcement specifically targeted at the Office 365 community. No message showed up in the Office 365 Admin Center until August 5 (MC112663), and nothing about the change appears in the Office 365 Roadmap. In short, this was a good example of how not to manage fundamental change in a critical service exposed to end users.

Change Breaks Office 2010/SharePoint

In addition, to make life even more interesting, the new sign-in experience breaks the ability of Office 2010 desktop applications to open documents stored in SharePoint Online and OneDrive for Business sites, an unfortunate discovery when you are mid-way through the deployment of 28,000 Office 365 seats (as reported by one customer). Clearing cookies from the IE or Chrome cache is a temporary and short-lived fix for the problem.

In an August 7 update, Kevin Xia, a program manager on Microsoft’s identity team, said that they “might be close to a fix.” He also said that “the new experience is solely a UI update with no changes in protocol. As such, there’s no change to how authentication is done in the 2010 client apps – there’s no change to how modern auth is used.”

Update 11AM EST: Microsoft says that they have rolled out a fix for Office 2010.

Previous Change Caused Problems Too

Surprisingly, the change to the sign-in page came after similar disruption occurred when the Azure AD team pushed out a previous change that caused problems in April 2017. Again, you could not fault the logic and the usefulness of the change, but the way Microsoft introduced the new code forced Alex Simons to apologize, saying:

“Additionally, we learned that we took many of you by surprise and did not give you enough time to alert and train your employees about the change….

We’re going to revisit the overall here (sic) plan and take steps to better socialize and communicate future end-user facing UX changes.”

Despite avowing to do better, perhaps the Azure AD team did not complete revisiting their overall plan before the time came to ship the new sign-in.

In a comment on his latest blog post, Alex Simons defends the way that Microsoft introduced the new sign-in experience. He makes the point that Microsoft tested the changes with preview customers first and that the changes are now in a 30-plus day preview period. Both points are valid, but the lack of communication to Office 365 customers is just dreadful, especially when Office 365 is such a large and important consumer of Azure Active Directory.

Also, apologizing for the blog post appearing after changes appeared in production because “the dev team surprised us by getting the changes up and running a few days earlier than planned” is simply unacceptable in terms of customer communication.

Better Testing, Better Coordination Needed

Last week’s data breach, the changes to Azure AD, and issuing Office applications with the wrong digital signatures are examples of poor change management and flawed testing within Microsoft. You could also add poor internal communications into the mix as the Office 365 team certainly does not seem to have been aware of the havoc that the Azure AD changes in April and August could cause.

The chance to meet and greet the Azure AD and Office 365 product managers at the Ignite conference is fast approaching. I look forward to hearing about how the Office 365 team plans to improve how they introduce updates into production. Improvement is sorely needed.

Follow Tony on Twitter @12Knocksinna.


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.