Attempting to visit the primary administration portal or website for Microsoft Exchange could be tricky. It turns out admin.exchange.microsoft.com has an expired security certificate.
The SSL certificate, which lets browsers verify that visitors are connecting to the genuine website over a secure connection, has expired for an important Microsoft Exchange website. The site now remains inaccessible for many.
Admins greeted with warnings and red flags about their connection not being private to a Microsoft website:
Starting at 8 AM EST today, quite a few Microsoft Exchange admins were left baffled by a rather bizarre and concerning sight. The admin portal at admin.exchange.microsoft.com threw warnings about an insecure connection.
It turns out Microsoft simply forgot to renew the SSL certificate for the website. Hence, the portal reverted back to an HTTP connection instead of the usual HTTPS address of the portal.
Microsoft Exchange admin portal inaccessible because Microsoft forgot to renew the TLS certificate. Not the first time this happens to them. If only there was a way to automate this 😉. https://t.co/YCJ01l1cc9 #infosec
— John Opdenakker (@j_opdenakker) May 23, 2021
According to Qualys’ SSL Labs, the SSL certificate to the Microsoft Exchange admin portal expired today, Sun, 23 May 2021, at 12:00:00 UTC or Sun, 23 May 2021 08:00:00 EST.
Needless to mention, several admins may have approached Microsoft, and the latter has confirmed the issue:
We've isolated the problem and are applying a fix. Additional details can be found in the Service health dashboard under EX257883.
— Microsoft 365 Status (@MSFT365Status) May 23, 2021
Since Microsoft is aware of the situation, it would be a matter of hours before the portal is back to its ‘Secured’ status. However, it is quite likely that several admins would criticize Microsoft for forgetting such a trivial but critically important aspect.
How to access the Microsoft Exchange admin portal through a simple but temporary workaround:
A web browser could block users from accessing the site as a security precaution or show an alert that the data may not be secure. For example, Google Chrome will stop users from accessing the site altogether, while Firefox will warn about the insecure connection, but allow users to continue on to the “unsecure” website.
Microsoft states admins can access the admin portal from the https://outlook.office.com/ecp/ URL. This website has a valid SSL certificate and should not throw up any warnings.
Expired SSL (Secure Sockets Layer) certificates are quite common. Consumer-facing services such as Spotify, Microsoft Teams, and Facebook’s Tor server have reportedly suffered due to this minor but glaring issue.
@Microsoft Exchange admin portal is currently inaccessible from some browsers after #Microsoft forgot to renew #SSL certificate for website. Temporarily you can access the admin portal from https://t.co/G23eigJThD URL as well. @dynamicCISO #GirlsWhoCode #cybersecurity #infosec pic.twitter.com/Z5c4pS4kCz
— Rahul Neel Mani (@rneelmani) May 24, 2021
The internet is rapidly ditching the less secure HTTP protocol for the secure HTTPS pathway. However, the transition needs a valid SSL certificate, which has an expiry date for security reasons.
Needless to mention, encrypted communications often come with additional complexity and human error, such as forgetting to renew an SSL certificate.
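An expiry check of the kind that flags a certificate before browsers start rejecting it, as an added example (not code from the article or from Microsoft). It classifies a certificate's notAfter value against a renewal window, using the expiry time reported above for admin.exchange.microsoft.com; the 30-day window, the function names and the example.test hosts are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # assumed renewal lead time, tune to your process


def parse_not_after(not_after: str) -> datetime:
    """Turn a notAfter string such as 'May 23 12:00:00 2021 GMT' into aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: datetime, warn: timedelta = WARN_WINDOW) -> str:
    """Return EXPIRED, RENEW_SOON or OK for one certificate at time `now`."""
    expires = parse_not_after(not_after)
    if now >= expires:
        return "EXPIRED"
    return "RENEW_SOON" if expires - now <= warn else "OK"


def audit(inventory: dict, now: datetime) -> list:
    """Classify every host and list the ones that expire soonest first."""
    rows = [(parse_not_after(na), host, classify(na, now)) for host, na in inventory.items()]
    return [(host, status) for _, host, status in sorted(rows)]


def check_live(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Same check against a live endpoint (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL verify code 10 is X509_V_ERR_CERT_HAS_EXPIRED
        return "EXPIRED" if exc.verify_code == 10 else f"INVALID: {exc.verify_message}"


if __name__ == "__main__":
    inventory = {
        # Expiry time as reported in the article (SSL Labs)
        "admin.exchange.microsoft.com": "May 23 12:00:00 2021 GMT",
        # Constructed sample entries, not real certificates
        "renewed.example.test": "Nov 30 12:00:00 2021 GMT",
        "due.example.test": "Jun 10 12:00:00 2021 GMT",
    }
    week_before = datetime(2021, 5, 16, 12, 0, tzinfo=timezone.utc)
    for host, status in audit(inventory, week_before):
        print(f"{status:<11}{host}")
```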
[Update] Microsoft appears to have addressed the problem. Attempting to reach admin.exchange.microsoft.com results in the standard login page for Microsoft services. It seems the company has redirected website visitors through another secure channel that has a valid SSL certificate.