HN Reader

I’ve worked with Azure for a few years now, AWS and classic data centres for 15 years before that.

It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination. We have a saying in-house that the info is all in their docs, but the sentences and paragraphs for even trivial things are split across ten or fifteen articles.

I see a problem like granting */read in an innocuously named role and am left wondering if it was pragmatism, because figuring out least privilege was tough, or a junior who didn’t know better and was just trying to make progress.

I’m on a phone and can’t search git effectively, but I’d swear there was a comment or note on the golang implementation of msal saying that it used non-idiomatic go with no real support for many of the auth flows in v1 because it was written by an enthusiastic junior dev and released with little review. The modern version looks better, but I felt like I got a window into Azure back when I read that.

Building large services is hard, my hat is off that Microsoft is making it work, but sometimes we get to see that it’s just teams of developers doing it for them and those teams look a lot like the teams we work with every day. There’s no secret sauce, except that MS has the resources to iterate until the thing mostly works most of the time.

Bizarre vulnerability, unprofessional behavior from Microsoft to leave it open for so long and let Azure organization carry this out on the expense of security.

Anecdotally - working with Azure has been hell on earth for me. Insanely unintuitive and buggy interface. Many cryptic errors preventing me from doing anything.

This is par for the course for Azure. Their security posture is genuinely terrifyingly lackluster.

https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...

This is from a few years ago but nothing seems to have changed. A cursory search of the Wiz blog with "Azure" reveals so many horrific (cross tenant, trivial to exploit) security vulnerabilities it's hard to imagine many people at Azure care about security. And that's just from one group of security researchers, from Wiz, there are others such as OP.

This is crazy. Using HTTP methods to enforce API permissions? Only Microsoft could do something this lazy. No wonder their own developers are getting confused...

Azure identity is so bad. It's like they tried to build it on the original 1998 implementation of LDAP or whatever. Roles fucking inherit??? Like are you kidding me?

I'll take this opportunity to remind anyone on Azure that if you enable service endpoints on a subnet without applying service endpoint policies, anyone with the resourceid of an affected subnet can silently backdoor your network. Your NSGs do not matter for service endpoints.

Azure complainers here clearly have not tried GCP lol.