Matt White

Matt White

developer

Matt White

developer

| blog
| categories
| tags
| rss

Azure's Browser Bias

I’ve been tinkering with the Azure cloud recently. On any cloud provider, I try to configure my hardware keys as a method of multi-factor authentication.

Microsoft’s authentication apparatus is much more abrasive than either Google’s or AWS’s. Anyone with a nonstandard setup is used to companies aggressively locking their accounts - I’m never surprised when I have to jump through additional hoops.

It is always more grating when a company’s security theater comes with unfounded TOS violation accusations:

Microsoft hurling accusations of malware, phishing, spaming, and hacking at any user who hasn't logged in from their browser recently.

I plead guilty to the crime of logging in from an unfamiliar browser.

But that’s all uninteresting. Twitter does it. Meta does it. Microsoft does it. What is Microsoft doing that’s unusual?

User Agent Determines Login Success

Microsoft will reject valid credentials depending on which combination of browser/operating system they think you’re using.

I worked through Microsoft’s hardware key enrollment process. They won’t let you use hardware keys as multi-factor - they only let you use it as a password alternative. You can select a security key as your login method.

Azure security key login selection menu

All my login attempts from Firefox consistently failed.

Azure giving me an arbitrary failure because they dislike my user agent

But if I switched my user agent to say I was using Chrome, access granted.

Azure login succeeding after switching user agents to Chrome

What Browsers Do Our Benevolent Lord Microsoft Deem Acceptable?

This got me curious, so I went down the list of user agent presets I had - seeing which would succeed and which Microsoft would arbitrarily reject.

I had expected to see a pattern like “always reject linux” or “only accept chromium”, but the actual behavior was a bit more varied.

Observations

Every attempt was conducted on a Linux 6.5.7-arch1-1 x86_64 system from Firefox 118.0.2 (64-bit).

  1. Logging in from OSX or iOS always succeeded - not a shock, given how many companies issue Apple products as standard kit.

  2. Logging in from Windows always succeeded unless the browser was internet explorer.

  3. Firefox’s success depended entirely on the operating system.

  4. Android logins always failed - but Android logins from Chrome produced an error that I didn’t see from any other user agent:

Azure special error for chrome on android

Conclusion

There are a lot of user agent combinations that I haven’t tested (especially around Microsoft Edge), but given the miniscule odds that Microsoft will ever try to mitigate this behavior, being more thorough would be a waste.

I doubt this behavior is intentional, but since I won’t be changing my browser or operating system selection to suit Microsoft, I’ll steer clear of Azure when I have the choice.

Tested User Agents

Failed logins:

Linux / Firefox 120 

Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/120.0

Android Phone / Firefox 120 

Mozilla/5.0 (Android 14; Mobile; rv:109.0) Gecko/120.0 Firefox/120.0

Android Tablet / Firefox 120 

Mozilla/5.0 (Android 14; Tablet; rv:109.0) Gecko/120.0 Firefox/120.0

Windows / IE 11 

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Android Phone / Chrome 120 

Mozilla/5.0 (Linux; Android 14; Z832 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.119 Mobile Safari/537.36

Android Tablet / Chrome 120 

Mozilla/5.0 (Linux; Android 14; SAMSUNG-SM-T377A Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.119 Mobile Safari/537.36

Successful logins:

Windows / Firefox 120 

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/120.0

Mac OS X / Safari 17 

Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15`

Mac OS X / Firefox 120 

Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) Gecko/20100101 Firefox/120.0

Linux / Chrome 120 

Mozilla/5.0 (X11; Linux x86_64; rv:109.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.119 Safari/537.36

Windows / Chrome 120 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.119 Safari/537.36

Windows / Firefox 115 ESR 

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

iPhone / Safari 17 

Mozilla/5.0 (iPhone; CPU OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/14E304 Safari/605.1.15

iPad / Safari 17 

Mozilla/5.0 (iPad; CPU OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/605.1.15

Learn by doing.