Mitigated - Microsoft Entra ID DNS authentication failures using Seamless SSO and Microsoft Entra Connect Sync

What happened?Between 17:18 UTC and 18:35 UTC on 25 February 2025, a platform issue affected Microsoft Entra ID, which caused customers who were attempting to authenticate with Microsoft Entra ID using the Seamless SSO ( https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso) and Microsoft Entra Connect Sync ( https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect) features may have experienced DNS resolution failures when trying to access Azure services. What do we know so far? As part of a cleanup effort to remove duplicate IPv6 CNAMEs, a change was introduced which removed a domain utilized in the authentication process for Microsoft Entra ID's seamless single sign-on feature. Once removed the domain could no longer be resolved and requests for authentication would fail. How did we Respond?17:18 UTC on 25 February 2025 - Investigation started based on internal telemetry showing DNS resolution failures. 17:40 UTC on 25 February 2025 - We identified the change that introduced the failures being experienced after investigating failure logs and customer reports. 18:35 UTC on 25 February 2025 - We completed reverting the change applied to DNS entries related to this authentication scenario. This restoration allowed the DNS records for the domain autologon.microsoftazuread.sso.com to resolve correctly again, thereby restoring the authentication process. The mitigation was confirmed when the DNS resolution and traffic for the domain returned to normal.What happens next?Our team will be completing an internal retrospective to understand the incident in more detail. We will publish a Preliminary Post Incident Review (PIR) within approximately 72 hours, to share more details on what happened and how we responded. After our internal retrospective is completed, generally within 14 days, we will publish a Final Post Incident Review with any additional details and learnings. To get notified when that happens, and/or to stay informed about future Azure service issues, make sure that you configure and maintain Azure Service Health alerts – these can trigger emails, SMS, push notifications, webhooks, and more: https://aka.ms/ash-alerts For more information on Post Incident Reviews, refer to https://aka.ms/AzurePIRs Finally, for broader guidance on preparing for cloud incidents, refer to https://aka.ms/incidentreadiness