Microsoft: DNS outage impacts Azure and Microsoft 365 services

TL;DR

An inadvertent configuration change tied to Azure Front Door (AFD) and related DNS paths caused a multi-hour global Azure outage on Oct 29, 2025. It disrupted access to Microsoft 365, Xbox/Minecraft, the Azure Portal, and a long tail of third-party sites (airlines, retailers, public services). Microsoft deployed a fix and services recovered late UTC. The Verge+2BleepingComputer+2

What happened

• Trigger: Microsoft says the incident stemmed from an inadvertent configuration change, which affected AFD and DNS resolution, cascading to identity and app endpoints. Newsweek+1
• Why it cascaded: AFD is Microsoft’s global edge and routing layer. When its config or DNS mapping goes bad, front-end termination and routing to backends (portal, APIs, SaaS) fail at scale. ThousandEyes

Timeline (UTC)

• ~16:00 – Customers report widespread errors/timeouts in the Azure Portal and services. Reddit
• 17:26 – Microsoft begins failing the Azure Portal away from AFD; blocks new customer config changes at 17:30; starts pushing “last known good” config from 18:30. Azure Status
• Late evening – Availability trends back toward normal; Microsoft cites >98% AFD availability en route to full mitigation. The Verge
• Oct 30, early UTC – Major services are restored. Reuters

Who was affected

• Microsoft services: Microsoft 365 (Outlook/Teams), Azure Portal, Xbox/Minecraft, and dependencies like Entra ID/Defender/Azure SQL saw disruptions. The Verge
• Downstream businesses: Airlines and retailers reported issues (e.g., check-ins, payments). Reports noted impacts at Starbucks, Costco, Kroger, and some government sites. AP News+1

What Microsoft did

• Change freeze + rollback: Blocked new customer config changes and rolled back to a last-known-good AFD configuration. Azure Status
• Progress updates: Public status updates highlighted AFD as the primary blast radius; recovery followed as the fixed config propagated. TechRadar

Takeaways for SREs & cloud teams

1. Edge/CDN is a single point of global amplification. Validate production changes with progressive rollout + automated rollback at the edge. ThousandEyes
2. DNS safety rails. Enforce signed configs, pre-flight validation, and staged propagation to stop bad records from going global. BleepingComputer
3. Identity coupling. Expect secondary failure modes (login, tokens, policy APIs) when the edge fails; pre-build degraded-mode playbooks. The Verge
4. Customer comms. Mirror status data to your own status page and social channels; avoid single-channel dependency during provider outages. Azure Status

FAQ

Was this a cyberattack?

Microsoft attributes the issue to a configuration change, not malicious activity. Newsweek

Which Azure component failed?

Signals point to Azure Front Door and DNS pathways, affecting front-door routing and access to many services. The Verge+1

Is it over?

As of Oct 30 (CET), Microsoft says services have been restored and mitigation is complete