Comment by debarshri
7 hours ago
Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, add conditional access stuff with 50 variables and templates, etc.
You can customize it the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.
Out of all the SSO login flows Microsoft has to have the buggiest. It’s the only one I can remember routinely having issues with. Why are there so many redirects? And why doesn’t the “remember me” checkbox ever work?
It is also the only SSO flow I have ever seen that fundamentally cannot work if you have more than one account remembered on your device. So far the only way I've found to get it to let you log out of account A and then log into account B is to clear all cookies; otherwise it gives you permission denied errors. Have no idea how it can be this horrible.
Yeah I have had this experience too. Woe betide ye if your company gets bought by another company with pre-existing Azure AD.
Would container tabs solve that? They're pitched as helping separate work and personal logins.
And then sometimes the "switch user" prompt doesn't work but it automatically logs you in with the wrong account to a system that account doesn't have access to, then drops you in a non-interactive "you're not authorized" screen. You have to find a working page, log out, then go back and try logging in...
I haven't seen it in a while (perhaps mostly because I'm in Google stuff way less than I used to be) but for years multiple Google sites would get in a state where its auth would route me through about twenty redirects in a loop and never actually finish authenticating me. Clearing cookies and re-logging-in from scratch was the only fix.
Youtube was always involved, somehow, for some reason, even when what I was doing wasn't connected to Youtube at all or the account I was using had never even been intentionally used with Youtube. It'd route me through a few Youtube domain names.
(Microsoft's is indeed even worse. On some of theirs [Azure DevOps, looking at you] I can't use them in pinned tabs because somehow they manage to get into a totally broken state where the page won't load due to whatever's happening with their auth flow in the background, and no method of reloading the tab fixes it, and it does this every couple of days. But copy-pasting the same URL into a new tab does work.)
I've always assumed the billions of redirects are setting cookies so all the various systems "work" but I have given up trying to understand it.
Is it still like this? I remember it being terrible trying to log into xbox.com 15 years ago.
Why, 20% of the time when logging in, do I actually get logged out? I'm sorry, if I was already logged in, why the hell are you asking me to log in again?
Having Microsoft on your resume is a huge red flag.
That’s Microsoft. 1000s of features and none of them really work the way they are supposed to.
It's "Enterprise" grade software! Need to check the boxes for the procurement process (actually working is a separate department).
Exactly! I can’t even count the number of times we’ve been in the discovery phase of a project and see “Oh this MS product does that! Cool”. Then when we get to the actual implementation realize it’s a broken mess. It’s sales driven software development, they just need to get you far enough along to sign the contract, then it’s too late to back out.
There are extra ways to do that, but they're on a document deep in a Sharepoint directory that you can't access.
Moments like this, I miss clippy.
Same experience for us, and then they email the living shit out of you about how your weekly Entra ID stats are good or bad, and you cannot opt out of these emails.
> they email the living shit out of you
This sounds like LinkedIn.
Wait a minute. It is owned by Microsoft.
The problem is modern MS doing three contradictory things at the same time:
- FB's "move fast and break things". Constantly launching new libs.
- Linus's "we do not break user space". Great commitment to backwards compatibility.
- Never deprecating dead products until they've been de facto abandoned for, like, decades.
This combination means every MS product is a labyrinth of overlapping APIs with no guidance as to which one is actually the good one. Some are abandoned garbage, some are brand new and incomplete, and some are both, and there's no way of knowing which are which; even experts can mislead you.
Well said. It feels like Microsoft is willing to release the intern’s poorly thought out product, and then commits to support the garbage design for all time.
Microsoft, you are a behemoth. There are few domains where you actually compete. Give your products a minute to breathe before you cast them in stone.
> no guidance as to which one is actually the good one.
To some extent, you're/we're the ones deciding that, because there are entirely different teams heading the separate offerings, and none of them are going to offer a potential footgun like "hey, we're not the best modern path into xyz type projects, check with our colleagues on the Blazor team" unless someone makes them.
Same here, except with Minecraft and XBox One.
I don’t understand how they have non-zero market share.
I remember trying to buy $9 worth of Minecraft In-app Whatever for my kid, and the goose chase Microsoft put me on just to log in and buy something was totally out of this world. I ended up needing to contact their fraud department around step 74.
Wow I had no clue they even had in app crap for minecraft. Got to put the kid on the java build.
I'm still annoyed that I can't share those Minecraft purchases with a family.
For Minecraft they inherited a gigantic userbase from Mojang and then made it 10x harder to add new users.
I did it for my kids to have accounts and I do not understand how anyone who hasn't built a Gentoo from Stage 1 has a prayer of managing to buy Minecraft Java Edition for their kid, and making it actually work.
Then you've got the hell of overlapping permissions systems on the console and the Microsoft account, to get any amount of online play working on a console if you also get Bedrock. On the Playstation, especially, the error messages also love to not tell you which of the two systems is blocking you, so you get to guess. And Microsoft's site for managing those permissions is so confusingly-laid-out that even after doing it three times in a row I still felt lost on it.
I never did solve the problem of getting Minecraft Java Edition to run on a kid's MacBook with allowlist-only Web access. It wants to contact ten or so apparently-randomly-selected-from-an-enormous-pool IP addresses on every launch. I never did find documentation of which IP blocks I needed to allow, and couldn't guess at it from the IPs themselves. If they'd just used domain names... I must have manually hit "allow" a bunch of times during twenty separate launches, and it was still presenting me the same number of prompts every time, because there was no overlap in the IPs contacted (adding insult to injury is that I'm sure all but at-most two of these were spyware horse-shit that had no actual generously-necessary role in running the software, but it'd fail if it couldn't reach them)
I ripped Entra ID from one of our projects and replaced it with Keycloak.