The original title is:

> Federal Cyber Experts Thought Microsoft’s Cloud Was “a Pile of Shit.” They Approved It Anyway.

Wow, Microsoft is really pushing the wrong boundaries in every direction, isn't it? Executives must be thinking, like many before them, that Microsoft is too big to fail.

> [...]And because federal agencies were allowed to deploy the product during the review, GCC High spread across the government as well as the defense industry. By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

This sounds like the crux of the issue. The combination of: "tool can be used during analysis" and "analysis takes long" shifts the barrier of rejection from "is this tool safe?" to "is this tool so unsafe that we're willing to start a fight with a lot of other government agencies to remove it, find an alternative, etc?".

Not criticizing FedRAMP. Proper security review takes time. And probably more when dealing with vendors.

I think plenty of software is a pile of shit and still derive value from it.

I'm guessing the requirements were written in a way that only Microsoft's cloud could with the bid.

Thats why you have Windows in the Pentagon instead of something secure.

The Justice Department CIO who pressured FedRAMP to approve GCC High was hired by Microsoft the next year. I wonder if this shouldn't invalidate the authorization in the first place?

> By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology — not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.

The article talks a lot about conflicts of interest, but this is the line I went looking for. A bureaucracy fighting itself over goal prioritization, and what's a necessary roadblock vs red tape is the less sexy but more meaningful problem at the core of this.

Once the government decided they wanted the product, they were going to find a patsy.

The government does most things poorly and with little regard to budget or quality. They can't solve problems that are much simpler than cloud computing, so why should I expect them to perform better at a more complex problem?

Recently tried using Entra ID. There are 12 ways to enforce MFA, 20 days ways to disable users, 4 ways to authenticate users, Add conditional access stuff with 50 variables and templates etc.

You can customize the way you want. After configuring it, my colleagues could not log in. Thats one way to secure your organization.

The sheer amount of conflict of interest with folk involved in this later getting employed by Microsoft is a bit crazy.

It's not very clear from the article, but I get the feeling from the context that the 'pile of shit' quote referenced the package of documentation about the service rather than the service itself.

(That seems to be the main complaint, that Microsoft never provided the clear information required to conduct the assessment properly).

Basically exactly what my org did. The momentum of being a Microsoft shop is hard to fight against.

Azure is easily the most expensive, least reliable and worst cloud available. It's borderline scam. An example today, I provisioned high IOPS SSDs (supposedly) and what is actually connected to the instance? A spinning hard drive! I didn't even know they were still made, but I guess Azure uses them and scams their users into thinking you're getting an SSD for $700/mo when its really an old hard drive.

I would warn anyone far and wide to avoid Azure at all costs, especially if you are a startup. And especially if you are doing any kind of AI because the only GPUs they have available are ancient and also crazy over-priced.

If I cared more, I'd try to migrate away from Azure. But I don't, and that's probably Azure's business model at this point.

Frustrating that FedRAMP is both a pain to get compliant with and also apparently is not a strong signal of actual security.

Maybe the gaps are a frature or benefit at the same time.

Given the scale and scope of the Federal Government. what are the alternatives to Microsoft?

Building in house.

Outsourcing to consultants.

Is this just a case of MS needing to merge a lot of platforms, and there are gaps and overlaps.?

Maybe the critical question, are they making continuing improvements? Especially to merge conflicting functions.

Like when they bought Minecraft, or Skype. Each already had user management. Xbox was a mess. Merging them all took a lot of years.

Microsoft has never been good at security, and that is why their centralization to cloud is absolutely terrifying.

I'm reminded of Storm-0558 [1] where a stolen signing key was able to forge authentication tokens for any MSA / Azure AD / Government AD user. They downplayed the severity. Just imagine if that level of access was used to pull a Stryker on a nation-wide scale. That is an economic disaster waiting to happen.

[1] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

Exactly, and that is the moat- a pile of shit that everyone can smell from afar.

Little has changed since Bill Gates tried to install Movie Maker.

Was this approval before or after evaluators discovered this?

> Microsoft on Friday revised its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s cloud services.

Ref: https://www.cnbc.com/2025/07/18/microsoft-china-digital-esco...

its as funny as the IA research reports from DORA dev which all seem to be sponsored AI provider ads instead....

I fucking hate microsoft, i'm so sick of this retarded fucking bullshit

I'm so fucking sick of this retarded bullshit

The experts were correct. Azure is the biggest pile of shit I've ever had to work with. Everything feels evolutionary. In other words, a new product in azure is barely a product at all, but a small appendage which totally inherits a bunch of preexisting Azure "stuff." And all this preexisting may not really make sense for the product, and it might inherit stuff that makes the product much worse. But, it doesn't matter. To even think about using the product, you need to learn way more about the larger Azure ecosystem than you ever bargained for, and of course deal with Microsoft products that do not really integrate well because the teams don't talk to each. Log formats, conventions, everything will be different as you float around to different parts of Azure. Basic security concepts, such as a SIEM will be implemented in such strange ways that you wonder if Microsoft has any idea what a SIEM even is.