The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting stuff may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each other. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.
As a Microsoftie of more than a decade... Yeah, I see this.
We have an internal system called Cosmos[0] that does a great job of processing huge quantities of data very fast. And we sat on it for years while the rest of the industry moved to Spark and its derivatives. We finally released it as Azure Data Lake Analytics (ADLA) but did a shit job of supporting/promoting it.
We built Synapse, and it's garbage. We've now got Fabric which I guess is the new Synapse. I wouldn't really know because I probably have five different systems that I use that basically do large-scale data processing, and yet Fabric isn't one of them; who knows, maybe it will become the sixth?
We've had numerous internal systems for orchestrating jobs, and it wasn't until Azure Data Factory that we finally released something externally that we sort-of-kind-of-but-not-really use internally. (To be fair, some teams do use it internally, but we're not all rowing in the same direction.)
I regularly deal with multiple environments with different levels of isolation for security. I don't even know how it's all supposed to work -- I have my regular laptop and a secure workstation and three accounts that work on the two. Yet I have to do some privileged account escalation to activate these roles; when I'm done, there's no apparent way to end the activation early, so I just let it time out.
These things are but a fraction of the Azure offerings, but literally everything I have used in Azure makes me absolutely HATE working in the cloud. There's not a single bright side to it AFAICT. As best as I can tell, the only reason why Azure makes so much damn money is because Microsoft is huge and can leverage its size into growth. We're very much failing up here.
That's totally "normal" for Microsoft, at least from 2018, the year I started working with some of their products (Power BI mostly). They adopted a development model that is early release, fast iteration, and users as testers. No wonder everything feels experimental until much later.
Back then I just couldn't use Power BI. But fast forward a few years, I think it got a lot better since maybe 2020. You just have to stick with it for a few years.
Most of the time it's just part of the bundle. If you are heavy into SQL Server, Office 365 and Power BI then there is a BIG chance you are going to use Azure for whatever the reason.
People who take Azure up without previous MS product experience...not sure about those.
A LOT of stuff comes for free or marginal ($10-100 a month), so yes, you do pay, but it's already 'baked into' the contracts people generally carry with Microsoft, or something for IT to worry about when the yearly renewals show up.
I’ve seen this in other “follow the leader” businesses too, they are not looking to even have working features, just parity on a spreadsheet with the market leader… I’m looking at you Gitlab.
Absolute contempt for their users at every level. It’s so transparent. This is the end game of anticompetitive practices for decades— they just don’t have to try anymore… for now. Some day they’ll either have to compete in good faith or sink. I doubt that will happen soon, but someday.
Azure is the color of the face you have after Microsoft beats you with your own wallet. They don’t want to give you access to anything, they want to own it and make you pay for it.
How is this different than Amazon? Same problem there. Oh, you're using this new service? Need to view the logs? Want a nice friendly UI to do that? Fuck you here's Cloudwatch. Good luck.
Just to be clear, I'm responding to the parent comment not the article.
That's great but that's not really the problem. The real problem is Amazon likes to release services that depend on other services, but leave the integration work to us.
I'm convinced Amazon has many teams crapping out new features but they don't have the political clout (or manpower) to create a comprehensive product. They are mandated by management to use existing services, and thus we the users suffer because we have to manage all this extra crap and noise just to enable basic functionality.
It's maddening. And then also it's maddening to see another service from a different team that was able to throw off these shackles and actually make a product that is self contained. You get a taste of how good things could be, and then you're thrown right back into the IAM/SQS/Cloudwatch/Cloudformation/Policy/everything else under the sun soup.
See my other comment. Logs are just one small symptom of a larger problem of poorly integrated very complex services where the complexity is pushed onto the users and not properly managed by Amazon. Which sounds very much like the problems with Azure.
> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".
Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.
As far as I know numbers aren't reported, but there's probably at least as many DIB GCC-H customers as government, who in part use it because the government does and it's compliant. Once they're locked in it's very hard to migrate.
Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 ways to disable users, 4 ways to authenticate users, add conditional access stuff with 50 variables and templates, etc.
You can customize it the way you want. After configuring it, my colleagues could not log in. That's one way to secure your organization.
Out of all the SSO login flows Microsoft has to have the buggiest. It’s the only one I can remember routinely having issues with. Why are there so many redirects? And why doesn’t the “remember me” checkbox ever work?
I haven't seen it in a while (perhaps mostly because I'm in Google stuff way less than I used to be) but for years multiple Google sites would get in a state where its auth would route me through about twenty redirects in a loop and never actually finish authenticating me. Clearing cookies and re-logging-in from scratch was the only fix.
Youtube was always involved, somehow, for some reason, even when what I was doing wasn't connected to Youtube at all or the account I was using had never even been intentionally used with Youtube. It'd route me through a few Youtube domain names.
(Microsoft's is indeed even worse, on some of theirs [Azure Devops, looking at you] I can't use them in pinned tabs because somehow they manage to get into a totally broken state where the page won't load due to whatever's happening with their auth flow in the background, and no method of reloading the tab fixes it, and it does this every couple days—but copy-pasting the same URL to a new tab does work)
It is also the only SSO flow I have ever seen that fundamentally cannot work if you have more than one account remembered on your device. So far the only way I’ve found to get it to let you log out of account A and then log into account B is to clear all cookies otherwise it gives you permission denied errors. Have no idea how it can be this horrible
Same experience for us, and then they email the living shit out of you about how your weekly Entra ID stats are good or bad, and you cannot opt out of these emails.
The problem is modern MS doing three contradictory things at the same time:
- FB's move fast and break things. Constantly launching new libs.
- Linus's we do not break user space. Great commitment to backwards compatibility.
- Never deprecating dead products until they've been de facto abandoned for like decades.
This combination means every MS product is a labyrinth of overlapping APIs with no guidance as to which one is actually the good one. Some are abandoned garbage, some are brand new and incomplete, and some are both, and there's no way of knowing which are which even experts can mislead you.
I remember trying to buy $9 worth of Minecraft In-app Whatever for my kid, and the goose chase Microsoft put me on just to log in and buy something was totally out of this world. I ended up needing to contact their fraud department around step 74.
I did it for my kids to have accounts and I do not understand how anyone who hasn't built a Gentoo from Stage 1 has a prayer of managing to buy Minecraft Java Edition for their kid, and making it actually work.
Then you've got the hell of overlapping permissions systems on the console and the Microsoft account, to get any amount of online play working on a console if you also get Bedrock. On the Playstation, especially, the error messages also love to not tell you which of the two systems is blocking you, so you get to guess. And Microsoft's site for managing those permissions is so confusingly-laid-out that even after doing it three times in a row I still felt lost on it.
I never did solve the problem of getting Minecraft Java Edition to run on a kid's MacBook with allowlist-only Web access. It wants to contact ten or so apparently-randomly-selected-from-an-enormous-pool IP addresses on every launch. I never did find documentation of which IP blocks I needed to allow, and couldn't guess at it from the IPs themselves. If they'd just used domain names... I must have manually hit "allow" a bunch of times during twenty separate launches, and it was still presenting me the same number of prompts every time, because there was no overlap in the IPs contacted (adding insult to injury is that I'm sure all but at-most two of these were spyware horse-shit that had no actual generously-necessary role in running the software, but it'd fail if it couldn't reach them)
The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?
Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.
I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.
I knew there was another incident that I was forgetting, insanity... I don't understand how Microsoft keeps getting away with this and everyone just forgets.
To be fair, it's not always out of maliciousness. A lot of gov workers/contractors join the supplier company because they know the product and how to fix it better than the people currently at the company. Similar to the guy who infamously got hired at Apple just to fix a bug.
You're just forced to use vendors and if you actually care about the mission, it's just a different team on the same mission.
Of course you know you're being taken advantage of, and long-term maybe you should have gone to the non-technical side to fight it, but at the end of the day you just want to keep the young boys being shipped off to war safe, and you're much better suited to achieve that by remaining on the technical side.
It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.
(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).
Yes. US bureaucracy regularly gets told "You have to have <thing>" but because it's against a lot of people's ideology, they aren't allowed to build it internally or develop any sort of actual expertise for such a thing, so their only choice is to buy whatever is offered no matter how bad it is.
For example, our state government says "We will do X Y and Z which all require data science expertise, but we did not approve the $60k a year Data Science position, so instead we are forced to hire a Data Science contractor for $120k a year, and they can't really be fired, and they are terrible at their job"
And then people wonder why things suck all the time.
A lot of states buy their Obamacare marketplace service from a company I am familiar with. That company is entirely incompetent. They cannot follow basic instructions. They cannot triage a bug at all. They do not read freaking tickets. They take weeks to respond to an issue. They cause bugs regularly in ways that imply they don't have functional source control. They continually fuck up basic feature requests. They change the service in ways that contravene the literal law. The law that was comprehensively explained to them by people I know.
But they can't be fired, because the state is legally compelled to provide this service, and is not really allowed to hire a few engineers to build it in house. They could go to a different software contractor, but all the options are just as bad because it's an entirely captured market.
Obama started a "Digital Services" group in the federal government to actually build systems internally and develop expertise to mitigate some of this, and they built stuff like tax filing solutions for free for Americans. So Trump killed it and hollowed out its corpse for DOGE.
Emergency notifications are done the same way! It's communism to fucking build it, so let's have a team of a few engineers make an API to control government infrastructure from incompetent contractors on AWS, offer no real means of testing, breaking changes, downtime… and folks wonder why Hawaii is told bombs are coming.
Was this approval before or after evaluators discovered this?
> Microsoft on Friday revised its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s cloud services.
Microsoft has been selling piles of shit since the beginning of time. The fact that they keep selling is the biggest triumph of sales/marketing over decent engineering.
> Potential Conflict of Interest: The government relies, in part, on third-party firms to vet cloud technology, but those firms are hired and paid by the company being assessed.
Hah. First time looking at FedRAMP?
The real reason for this, of course, is accounting, it moves it off of the government's books.
This fits perfectly with traditional Microsoft strategies of getting a foot in the door and then having the users’ internal pressure on the organization to help get the Microsoft product established.
Decades ago, Lotus 1-2-3 on top of MSDOS was the lever; today it’s GCC High.
I think there's some context missing here. For those who don't remember, the CIA back in like 2014 or so built out private data centers with classified versions of AWS services and all IC workloads that don't require specialized hardware was supposed to be using. DOD historically used it as well for classified cloud workloads, but wanted its own, and this was the JEDI contract, which was also supposed to go to Amazon, until Trump got into a fight with Jeff Bezos in 2019, canceled the contract, and awarded it to Microsoft instead. Amazon sued, and Biden decided to just award the contract to everyone and split it between all the major cloud vendors. That still doesn't mean anyone can actually use it without FedRAMP approval, but well, there you go.
The alternative was AWS, which has been operating at every classification level for over a decade at this point. It's now split between Amazon, Microsoft, Oracle, and Google, which is especially amusing because Google withdrew from the original bid process when they were still pretending to give a shit that their employees don't like working for the military.
Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.
Executives only react to share price movements. If share prices are high because whatever investors think, then execs will just open another champagne bottle.
Steve Jobs was the last tech CEO who didn't care about Wall Street and only cared about quality products and consumers, saying that if customers are happy, then the share price will take care of itself. But most companies are share price first, customer later.
The product got deployed across the government while the security review was still in progress. Then FedRAMP approved it because it was already everywhere. Seems like I saw a lobbyist or two with a broom sweeping something under a rug...
> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.
Once the government decided they wanted the product, they were going to find a patsy.
If you "went looking for" this line, you're just reading into the statements your preconceptions.
I on the other hand have no expectation, and so it's not clear whether the "bureaucracy fighting itself" is a cause or a symptom. You're implying it's a cause and the solution is "less red tape". But it could be just a symptom of conflicts of interest, and less red tape just leads to more efficient corruption.
Again, you're just reading into it what you already believe in.
Azure is easily the most expensive, least reliable and worst cloud available. It's borderline scam. An example today: I provisioned high IOPS SSDs (supposedly) and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when it's really an old hard drive.
I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.
If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.
I’d love to see proof of your claim that they provisioned a hard disk when you requested an SSD, or, at the very least, tests that showed that the IOPS you requested were not delivered. Can you show us the receipts?
Azure is bad. But to be fair, every security summary of IT services I’ve ever read — or written! — for over 25 years has also been a “pile of shit”. It seems to be inherent to the cybersecurity game that everything is judged based on meaningless check boxes and nonsensical explanations. Meanwhile the actual security posture is obscured and ignored.
The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?
[0] https://www.microsoft.com/en-us/research/publication/big-dat...
Also see: SharePoint
So, you have to be a paying tester? Incredible that MS can keep enough businesses as hostage to be able to operate like that.
They know that if they get entrenched first, it's impossible to migrate away. That's basically free money from a customer that has zero cost ceiling.
This sounds like LinkedIn.
I think LinkedIn spam is worse than being in a crash.
I don’t understand how they have non-zero market share.
[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...
https://www.bleepingcomputer.com/news/security/microsoft-ent...
That's why you have Windows in the Pentagon instead of something secure.
...or so I've heard.
Ref: https://www.cnbc.com/2025/07/18/microsoft-china-digital-esco...
Building in house.
Outsourcing to consultants.
> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.
Maybe the critical question, are they making continuing improvements? Especially to merge conflicting functions.
Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.
Right.
You bet.
Absolutely.
The government has historically, routinely, consistently, solved problems more complex than cloud computing.
The only way you'd think otherwise is if you had some other motivation to pretend otherwise... some sort of ideology.