Full Report
Microsoft is working to address an ongoing incident preventing customers from setting up multi-factor authentication (MFA) or accessing the My Sign-Ins platform. [...]
Analysis Summary
# Incident Report: Microsoft MFA and My Sign-Ins Service Outage
## Executive Summary
On June 1, 2026, Microsoft experienced a significant service disruption affecting the My Sign-Ins platform and Multi-Factor Authentication (MFA) setup processes. The incident resulted in "504 Gateway Timeout" errors for users globally, hindering security enrollment and account management. Microsoft mitigated the issue by failing over to healthy alternative infrastructure.
## Incident Details
- **Discovery Date:** June 1, 2026, approx. 05:00 AM ET
- **Incident Date:** June 1, 2026
- **Affected Organization:** Microsoft (M365 / Azure AD Services)
- **Sector:** Information Technology / Cloud Service Provider
- **Geography:** Global (Impact reported across multiple regions)
## Timeline of Events
### Initial Access
- **Date/Time:** June 1, 2026, prior to 05:00 AM ET
- **Vector:** N/A (Service Instability/System Failure)
- **Details:** The incident appears to be a backend service failure or infrastructure bottleneck rather than a malicious external breach. Users began encountering "504 Gateway Timeout" errors.
### Lateral Movement
- **N/A:** No unauthorized lateral movement was reported; current investigation points to an operational service outage.
### Data Exfiltration/Impact
- **Impact:** Administrative and security operations were blocked. Users could not register new MFA methods or manage their security profiles via the My Sign-Ins portal. Existing MFA sessions remained largely unaffected, but new enrollments were stalled.
### Detection & Response
- **Discovery:** Public reports and internal telemetry identified elevated error rates.
- **Response actions:** Microsoft moved traffic to alternative healthy infrastructure (failover) and optimized service request processing to reduce the 504 error rates.
## Attack Methodology
*Note: Based on current Microsoft reporting (MO1329260), there is no evidence of an active exploit or "attack." This is classified as a service availability incident.*
- **Initial Access:** N/A
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Resource Exhaustion / Service Interruption (Code: 504 Gateway Timeout).
## Impact Assessment
- **Financial:** Indirect costs related to lost productivity and support desk volume.
- **Data Breach:** None reported.
- **Operational:** High; prevented users from performing critical security enrollment and account management.
- **Reputational:** Moderate; part of a series of recent outages (Teams, Outlook) affecting Microsoft’s reliability perception.
## Indicators of Compromise
- **Network indicators:** hxxp[://]mysignins[.]microsoft[.]com (Returning 504 status codes).
- **File indicators:** N/A.
- **Behavioral indicators:** Inability to save MFA settings; timeout during authentication enrollment.
## Response Actions
- **Containment measures:** Redirection of traffic away from degraded infrastructure.
- **Eradication steps:** Optimization of request processing logic to manage elevated error rates.
- **Recovery actions:** Failed over to healthy standby infrastructure; continued monitoring of service telemetry.
## Lessons Learned
- **Infrastructure Redundancy:** While failover worked, the initial saturation caused a noticeable window of downtime for security-critical tasks.
- **Dependency Management:** MFA setup is a "critical path" for security; its unavailability can block onboarding and emergency account recovery.
- **Communication:** Early acknowledgment via the Microsoft 365 Status account helped manage user expectations.
## Recommendations
- **Client Side:** Organizations should ensure users are enrolled in MFA *before* critical deadlines to avoid being blocked by temporary portal outages.
- **Provider Side:** Implement more aggressive auto-scaling and circuit-breaking patterns for the authentication management plane to prevent 504 timeouts from cascading.