Microsoft fails to collect critical security logs, exposing customers to risks

Microsoft has admitted that it failed to collect crucial security logs for nearly a month due to a bug, leaving enterprise customers vulnerable to cyberattacks.

The issue, which occurred between September 2 and October 3, disrupted the collection of vital log data used to monitor suspicious activity, such as unauthorized logins and network behavior. Affected services included Microsoft Entra, Azure Logic Apps, Microsoft Sentinel, and Azure Monitor.

The issue, first reported by Business Insider, prevented security logs from being consistently uploaded, resulting in incomplete data that many organizations rely on to detect potential threats.

Microsoft acknowledged the severity of the issue in a Preliminary Post Incident Review (PIR) sent to customers, which was later shared publicly by Microsoft MVP Joao Ferreira. In the review, Microsoft confirmed that the logging problems continued for some services until as late as October 3. Services such as Microsoft Entra, which handles sign-in and activity logs, and Azure Logic Apps, responsible for telemetry data, were among the hardest hit.

“Starting around 23:00 UTC on 2 September 2024, a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform,” the PIR document stated. “This resulted in partially incomplete log data for the affected Microsoft services.”

How did it happen?

Microsoft accidentally introduced the bug while addressing a separate issue in the company’s log collection service.

“Our investigation shows that, in the process of addressing a bug in the log collection service, we exposed an unrelated bug in the internal monitoring agent, which prevented a subset of agents from uploading log event data,” the PIR document stated.

Microsoft explained that the bug caused a “deadlock condition,” preventing logs from being uploaded to servers. While the telemetry agent continued collecting and storing data in the local cache, if the cache reached its size limit before the system restarted, older logs were overwritten, leading to permanent data loss.
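The failure mode the PIR describes (the agent keeps caching while uploads are stuck, and a bounded cache overwrites its oldest entries) is easy to reproduce in miniature, and the same model shows the defender-side check that would have exposed the gap early. The code below is an added illustration, not Microsoft's agent or any product code; the events, cache size and cut-off time are constructed.

```python
"""Constructed model of an upload-blocked telemetry agent with a bounded
local cache, plus an ingestion-gap check a SOC could run on received logs."""
from collections import deque
from datetime import datetime, timedelta


def run_agent(events, cache_size, upload_blocked_from):
    """Each event enters a bounded cache (deque drops the oldest when full).
    Uploads work until `upload_blocked_from`, then stall until a restart,
    at which point whatever survived in the cache is finally uploaded."""
    cache = deque(maxlen=cache_size)
    uploaded = []
    for ts, msg in events:
        cache.append((ts, msg))
        if ts < upload_blocked_from:
            uploaded.extend(cache)
            cache.clear()
    uploaded.extend(cache)  # restart: flush what the cache still holds
    return uploaded


def find_gaps(received, expected_interval):
    """Flag spans where consecutive received events are further apart than
    the source's known cadence: silence from a chatty source is a gap."""
    gaps = []
    for (prev, _), (cur, _) in zip(received, received[1:]):
        if cur - prev > expected_interval:
            gaps.append((prev, cur))
    return gaps


def demo(cache_size=10, block_minute=20):
    """Constructed data: one sign-in event per minute starting at the time
    named in the PIR. Returns (events lost, gaps as HH:MM pairs)."""
    start = datetime(2024, 9, 2, 23, 0)
    events = [(start + timedelta(minutes=i), f"sign-in user{i % 3}")
              for i in range(60)]
    received = run_agent(events, cache_size,
                         start + timedelta(minutes=block_minute))
    gaps = find_gaps(received, timedelta(minutes=1))
    return (len(events) - len(received),
            [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in gaps])


if __name__ == "__main__":
    print(demo())  # (30, [('23:19', '23:50')])
```

With a cache large enough to outlast the stall (`demo(cache_size=60)`) nothing is lost, which is exactly the race the PIR describes between cache size and restart time.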

“During the investigation of this bug, we determined this incident was not related to any security compromise,” the document said.

Widespread impact on security monitoring

Microsoft acknowledged that the logging failure affected a range of key services. Microsoft Sentinel, a widely used security tool, suffered gaps in its logs, making it difficult for customers to detect threats and generate alerts. Azure Monitor, another important tool for security analysis, also faced incomplete log data, potentially leading to missed alerts for enterprises.

Microsoft Entra experienced sign-in and activity log issues, while Azure Logic Apps saw disruptions in telemetry data. Though the core functions of these services remained unaffected, the inability to capture critical log data significantly weakened customers’ ability to monitor security events. The company noted that the logs were lost due to a glitch in the telemetry agent, which caused logs to build up gradually in the local cache until they were overwritten when the cache limit was reached.

However, the company said this issue “did not impact the uptime of any customer-facing services or resources” and only affected the collection of log events. “Additionally, this issue is not related to any security compromise.”

“This is an unusual event,” said Pareekh Jain, CEO of Pareekh Consulting. “The absence of critical logs suggests a small chance that someone gained unauthorized access, and there is some risk that damage may have occurred, which could surface later.”

Despite the severity of the issue, Microsoft took several days to identify the problem, further prolonging the risks for affected companies. While Microsoft has stated that it resolved the bug and notified all impacted customers, some organizations claim they were not informed about the issue. Cybersecurity expert Kevin Beaumont noted that at least two companies with missing log data had not received notifications from Microsoft.

“The worrying aspect is how long it took Microsoft to detect the problem,” pointed out Jain. “Bugs can occur, but they need to focus on systems and processes that detect and fix them swiftly—in hours or days, not weeks or months. As one of the world’s largest tech companies, trusted by enterprises for security, Microsoft must prioritize cybersecurity both in letter and spirit.”

…and this is not the first time

The incident has brought renewed attention to Microsoft’s logging practices, particularly as the company has previously faced criticism for charging customers for advanced logging capabilities.

In 2023, Microsoft was criticized by CISA and lawmakers for not providing sufficient log data to detect breaches for free, prompting customers to pay for its Purview Audit (Premium) logging feature. That criticism escalated after Chinese hackers used a stolen Microsoft signing key to breach corporate and government Microsoft 365 accounts in 2023. Detecting the breach required Microsoft’s paid logging features, which left many customers without the necessary tools to identify the attack.

Following that criticism, Microsoft worked with CISA and other federal agencies to expand its free logging capabilities. In February 2024, the company began offering enhanced logging services to all Purview Audit standard customers, enabling broader access to data needed for threat detection.

“Microsoft has had some challenges in the recent past around security offerings,” said Yugal Joshi, partner at Everest Group. “Our clients say they plan to scale their Microsoft-centric security solutions; however, such issues dent their confidence.” While Microsoft has taken steps to address logging transparency and expand access to its advanced tools, this latest bug underscores the vital role that logging plays in cybersecurity. The incident serves as a reminder of the importance of log data in detecting unauthorized access and highlights the challenges that organizations face when this data is compromised.
