[Update] Microsoft Exchange admin portal became ‘unsecure’ because some admin forgot to renew SSL certificate

Microsoft Exchange SSSL Certificate
A Microsoft-owned website became unsecured due to an expired SSL Certificate. Pic credit: Shutterstock

Attempting to visit the primary administration portal or website for Microsoft Exchange could be tricky. It turns out admin.exchange.microsoft.com has an expired security certificate.

The SSL certificate, which guarantees visitors enter a secure website, expired for an important Microsoft Exchange website. It now remains inaccessible for many.

Admins greeted with warnings and red flags about their connection not being private to a Microsoft website:

Starting at 8 AM EST today, quite a few Microsoft Exchange admins were left baffled by a rather bizarre and concerning sight. The admin portal at admin.exchange.microsoft.com threw warnings about an insecure connection.

It turns out Microsoft simply forgot to renew the SSL certificate for the website. Hence, the portal reverted back to an HTTP connection instead of the usual HTTPS address of the portal.

According to Qualys’ SSL Labs, the SSL certificate to the Microsoft Exchange admin portal expired today, Sun, 23 May 2021, at 12:00:00 UTC or Sun, 23 May 2021 08:00:00 EST.

Needless to mention, several admins may have approached Microsoft, and the latter has confirmed the issue:

Since Microsoft is aware of the situation, it would be a matter of hours before the portal is back to its ‘Secured’ status. However, it is quite likely that several admins would criticize Microsoft for forgetting such a trivial but critically important aspect.

How to access the Microsoft Exchange admin portal through a simple but temporary workaround:

A web browser could block users from accessing the site as a security precaution or show an alert that the data may not be secure. For example, Google Chrome will stop users from accessing the site altogether, while Firefox will warn about the insecure connection, but allow users to continue on to the “unsecure” website.

Microsoft states admins can access the admin portal from the https://outlook.office.com/ecp/ URL. This website has a valid SSL certificate and should not throw up any warnings.

Expired SSL (Secure Sockets Layer) certificates are quite common. Consumer-facing services such as Spotify, Microsoft Teams, and Facebook’s Tor server have reportedly suffered due to this minor but glaring issue.

The internet is rapidly ditching the less secure HTTP protocol for the secure HTTPS pathway. However, the transition needs a valid SSL certificate, which has an expiry date for security reasons.

Needless to mention, encrypted communications often come with additional complexity and human error, such as forgetting to renew an SSL certificate.

[Update] Microsoft appears to have addressed the problem. Attempting to reach admin.exchange.microsoft.com results in the standard login page for Microsoft services. It seems the company has redirected website visitors through another secure channel that has a valid SSL certificate.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x