March 19, 2026
Ghost logins, real outrage
Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
Fixed now—but “invisible logins” have admins fuming and trust on life support
TLDR: A researcher revealed two now-fixed tricks to get into Microsoft’s cloud without showing up in logs, even getting real access keys. Commenters split between “trust is broken” and “we’ve seen worse,” trading “logs that lie” horror stories and heist-movie links that make this feel bigger than a bug.
Security sleuth Nyxgeek just dropped two more ways people could slip into Microsoft’s cloud without leaving a trace—yes, invisible logins—and this time the sneaky method could hand over full access tokens. It’s all patched now, but the crowd isn’t calm. One commenter waved around a fresh takedown from the press, quoting federal experts who called Microsoft’s cloud a “pile of…” and asking why anyone still trusts it, pointing to Ars Technica. Another shouted, basically, “nothing to see here,” arguing bigger Entra ID (Microsoft sign-in) disasters exist. Cue the flame war.
The mood swung from rage to thriller. A reader linked a government report that reads like a cyber heist, where hackers broke into Microsoft and then into U.S. agencies—“popcorn, anyone?” vibes from the CISA report. Admins piled on with “logs that lie” stories, including one who says Azure blamed them for deleting a secret they never touched. Others joked about trying these “ghost doors” to stop Microsoft from billing them for ancient accounts.
Underneath the memes, a simple fear: if sign-in logs—the basic burglar alarm—miss real break-ins, how do you catch intruders? Even fixed, the trust hangover is real, and the community is debating whether this is the final straw—or just another Tuesday in cloud land.
Key Points
- A researcher disclosed two additional Azure Entra ID sign-in log bypasses that were recently fixed, bringing the total to four since 2023.
- The latest bypasses could return fully functional tokens without generating Entra ID sign-in log entries.
- Prior techniques (GraphNinja and GraphGhost) allowed password validation without ‘successful’ sign-in logs using ROPC requests to login.microsoftonline.com.
- GraphNinja targeted a foreign tenant’s token endpoint to reveal valid passwords without logging in the correct tenant; GraphGhost used invalid logon parameters to avoid logging.
- The article references using KQL queries to detect patterns indicative of sign-in log bypasses and provides a normal ROPC curl example for context.