Microsoft has notified customers that it’s missing more than two weeks of security logs for some of its cloud products, leaving network defenders without critical data for detecting possible intrusions.
According to a notification sent to affected customers, Microsoft said that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform” between September 2 and September 19.
The notification said that the logging outage was not caused by a security incident, and “only affected the collection of log events.”
Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As noted by security researcher Kevin Beaumont, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights.
Logging helps to keep track of events within a product, such as information about users signing in and failed attempts, which can help network defenders identify suspected intrusions. Missing logs could make it more difficult to identify unauthorized access to the customers’ networks during that two-week window.
The affected products include Microsoft Entra, Sentinel, Defender for Cloud, and Purview, according to the Business Insider report. Affected customers “may have experienced potential gaps in security related logs or events, possibly affecting customers’ ability to analyze data, detect threats, or generate security alerts,” the notification said.
Microsoft would not answer specific questions about the logging outage, but a Microsoft executive confirmed to TechCrunch that the incident was caused by an “operational bug within our internal monitoring agent.”
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
“We have mitigated the issue by rolling back a service change. We have communicated to all impacted customers and will provide support as needed,” said John Sheehan, a Microsoft corporate vice president.
The logging outage comes a year after Microsoft came under fire from federal investigators for withholding security logs from certain U.S. federal government departments that host their emails on the company’s hardened, government-only cloud; investigators said having access to those logs could have identified a series of China-backed intrusions far sooner.
The China-backed intruders, referred to as Storm-0558, broke into Microsoft’s network and stole a digital skeleton key that allowed the hackers unfettered access to U.S. government emails stored in Microsoft’s cloud. According to a government-issued postmortem of the cyberattack, the State Department identified the intrusions because it paid for a higher-tier Microsoft license that granted access to security logs for its cloud products, which many other hacked U.S. government agencies did not have.
Following the China-backed hacks, Microsoft said it would start providing logs to its lower-paid cloud accounts from September 2023.
Carly Page contributed reporting.
