Fri Oct 18 2024

Microsoft reports that it has lost weeks of security logs for its customers' cloud products.

The lack of records could complicate the identification of unauthorized access to customer networks during that two-week period.

Microsoft has informed its customers that it has less than two weeks of security logs for some of its cloud products, which has left network defenders without crucial data to detect possible intrusions. In a notification issued to affected customers, the company explained that “a bug in one of Microsoft’s internal monitoring agents caused a malfunction in some of these agents when uploading log data to our internal platform” between September 2 and September 19. The company added that the interruption in logging was not the result of a security incident and that it “only affected log event collection.”

The media outlet Business Insider was the first to report the loss of this logging data in early October, although the details of the notification have not been widely disclosed. According to security researcher Kevin Beaumont, the notifications Microsoft sent to affected companies are likely visible only to the limited number of users with tenant administrator rights. Logs are essential for tracking events within a product: they record which users signed in and which attempts failed, which is how network defenders spot potential intrusions. The lack of logs could complicate the identification of unauthorized access to customers' networks during that two-week period.

The affected products include Microsoft Entra, Sentinel, Defender for Cloud, and Purview. The notification states that customers “may have experienced possible gaps in logs or security-related events, which could have affected their ability to analyze data, detect threats, or generate security alerts.” Microsoft did not respond to specific questions about the logging interruption; however, a company executive confirmed to TechCrunch that the incident was caused by an “operational error within our internal monitoring agent.”
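The gaps the notification describes are only useful to a defender if their exact bounds are known, because any detection that ran over a silent stretch produced no signal rather than a clean result. The following script is an added example, not code from Microsoft or from the article: it takes exported log events as JSON lines, groups them by source, and reports every interval longer than a threshold in which a source produced nothing, treating the edges of the review window as virtual events so an outage that starts before the first record or runs past the last one is still caught. The field names (`time`, `source`, `result`, `user`) and the sample events are constructed for this example and are not a real product schema.

```python
"""Find silent stretches in a security-log stream, per log source.

Added example (not Microsoft's code or the article's). Given exported log
events as JSON lines, report every interval longer than a threshold in which
a source produced no events, including silence at the edges of the review
window. A long silent interval is the signature of a collection outage, and a
defender wants its exact bounds before trusting detections over that period.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: JSON lines loosely shaped like sign-in / alert events.
# Field names ("time", "source", "result", "user") are assumptions for this
# example, not a real product schema. Lines are deliberately out of order and
# one of them is deliberately malformed.
SAMPLE_LOG_LINES = [
    '{"time": "2024-09-01T09:00:00Z", "source": "Entra", "result": "success", "user": "alice"}',
    '{"time": "2024-09-01T06:00:00Z", "source": "DefenderForCloud", "result": "alert"}',
    '{"time": "2024-09-01T17:30:00Z", "source": "Entra", "result": "failure", "user": "bob"}',
    '{"time": "2024-09-02T06:00:00Z", "source": "DefenderForCloud", "result": "alert"}',
    '{"time": "2024-09-02T08:15:00Z", "source": "Entra", "result": "success", "user": "alice"}',
    '{"time": "2024-09-02T11:42:00Z", "source": "Entra", "result": "failure", "user": "mallory"}',
    '{"time": "2024-09-03T06:00:00Z", "source": "DefenderForCloud", "result": "alert"}',
    'this line is not JSON and must be counted, not crash the run',
    '{"time": "2024-09-19T06:00:00Z", "source": "DefenderForCloud", "result": "alert"}',
    '{"time": "2024-09-19T20:05:00Z", "source": "Entra", "result": "success", "user": "alice"}',
    '{"time": "2024-09-20T06:00:00Z", "source": "DefenderForCloud", "result": "alert"}',
    '{"time": "2024-09-20T09:10:00Z", "source": "Entra", "result": "success", "user": "bob"}',
]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_events(lines):
    """Group parseable events by source; return (timestamps_by_source, bad_line_count).

    Each source maps to a sorted list of timestamps. Unparseable lines are
    counted rather than silently dropped, because mangled records are
    themselves a collection-health signal.
    """
    by_source = {}
    bad = 0
    for line in lines:
        try:
            rec = json.loads(line)
            ts = parse_time(rec["time"])
            by_source.setdefault(rec["source"], []).append(ts)
        except (ValueError, KeyError, TypeError):
            bad += 1
    for stamps in by_source.values():
        stamps.sort()
    return by_source, bad


def find_gaps(timestamps, window_start, window_end, max_silence):
    """Return [(gap_start, gap_end)] for every silent interval strictly longer than max_silence.

    The window edges are treated as virtual events so that an outage that
    begins before the first record or runs past the last one is still reported.
    """
    inside = [t for t in timestamps if window_start <= t <= window_end]
    points = [window_start] + inside + [window_end]
    gaps = []
    for earlier, later in zip(points, points[1:]):
        if later - earlier > max_silence:
            gaps.append((earlier, later))
    return gaps


def gap_report(lines, window_start, window_end, max_silence=timedelta(hours=24)):
    """Per-source list of gaps plus the number of lines that could not be parsed."""
    by_source, bad = load_events(lines)
    report = {}
    for source, stamps in by_source.items():
        report[source] = [
            {"start": s.isoformat(), "end": e.isoformat(), "seconds": int((e - s).total_seconds())}
            for s, e in find_gaps(stamps, window_start, window_end, max_silence)
        ]
    return report, bad


if __name__ == "__main__":
    start = parse_time("2024-09-01T00:00:00Z")
    end = parse_time("2024-09-21T00:00:00Z")
    report, bad = gap_report(SAMPLE_LOG_LINES, start, end)
    print(f"unparseable lines: {bad}")
    for source, gaps in report.items():
        for g in gaps:
            print(f"{source}: no events from {g['start']} to {g['end']} ({g['seconds'] / 86400:.1f} days)")
```

The threshold should be set per source from its normal cadence: a sign-in log for an active tenant is never quiet for a day, while a low-volume alert feed may legitimately be silent for longer, so a single global threshold either misses outages or floods with false gaps. Run against the constructed sample, the script reports one silent stretch per source in September 2024 and one unparseable line.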

John Sheehan, corporate vice president at Microsoft, stated, “We have mitigated the issue by rolling back a change in the service. We have communicated with all affected customers and will provide support as needed.”

This logging interruption comes a year after Microsoft faced criticism from federal researchers over the retention of security logs for certain U.S. federal government departments that host their email in the company’s exclusive and secure cloud. Researchers argued that access to those logs could have allowed a series of China-backed intrusions to be identified much more quickly. Those intruders, known as Storm-0558, managed to access Microsoft’s network and steal a digital key that gave them unrestricted access to U.S. government emails stored in Microsoft’s cloud. According to a government report on the cyberattack, the State Department identified the intrusions because it paid for a higher-level Microsoft license that granted access to the security logs for its cloud products, something many other affected government agencies did not have. Following the China-backed attacks, Microsoft announced that it would begin providing logs to lower-paying cloud accounts starting in September 2023.