Hacker News

Why does Microsoft use onmicrosoft.com and microsoftonline.com?

In 2019, it seems a given that a cautious user on the internet should be careful about which domains they connect to. Paying close attention to domains, Microsoft users will quickly see that the company doesn't always use microsoft.com - even for high profile endpoints. For example:

* Office 365 services use this endpoint for user login: https://login.microsoftonline.com

* Email: onmicrosoft.com

Can anyone explain the business, user, and technical implications involved in choosing a new domain (microsoftonline.com) over a subdomain of the business's core domain (online.microsoft.com)?

20 pointskileywm posted 12 days ago10 Comments
10 Comments:
saurik said 12 days ago:

(This is in no way a complete of even precise answer, but is maybe still helpful.) One big issue is how cookies can be configured by subdomains to affect other subdomains, causing you to sometimes need full domain names to create security boundaries.

ts4z said 12 days ago:

This is exactly right. Different parts of the business have different security scopes, and different domains are the easiest way to keep things separate: make the browser help keep data separate, and not share things across the organization.

This can also reduce cookie size, which adds up.

mc32 said 12 days ago:

This all sounds reasonable but Google doesn’t use this strategy and it looks cleaner for the end user. So why can’t O365 do similar?

kerng said 12 days ago:

Not everyone equally applies security concepts and isolation the same way. Google is probably less concerned around certain web attacks compared to Microsoft. Microsoft isolates their corporation from customer things, which is good I'd say.

said 12 days ago:
[deleted]
repolfx said 12 days ago:

Google does use it:

googleusercontent.com

gstatic.com

etc

russellbeattie said 12 days ago:

In addition to what others said about cookies and security, there's also organizational issues as well. In a giant org like Microsoft, services are launched by different groups at different times, and not always (or better said, rarely) in a coordinated manner.

If I had to guess, the team that made microsoftonline.com probably could have dealt with the group that "owns" microsoft.com and gone through all the security, functionality, routing and systems testing involved to add a new subdomain or root-level path, but it was faster, easier and safer to just use a new domain and not worry about 25 years of domain name baggage. Maybe it was actually a coordinated effort to avoid all that, or simply meet a deadline.

You never know. The longer you work in technology, the more you see systems get larger and larger and have their own rational for things that seem insane to an outsider. Maybe microsoft.com is running on an ancient Windows 2000 server and they've forgotten the admin password. You'd think that could never happen at a company like Microsoft (or maybe you would), but you'd be surprised.

Spooky23 said 11 days ago:

I don’t remember the particulars, but I know that all of the identity components of Exchange Online and O365 were swapped out once or twice. Microsoft built the airplane in flight.

They also have a very complex service delivery architecture. O365 “Commercial” and “Government Community”, share some components, and have separate ones for others. Then there is a separate US Gov O365 with a different TLD.

webmaven said 12 days ago:

Should be an 'Ask HN:'.

quickthrower2 said 12 days ago:

Some ideas:

Different SSL configuration.

Avoid DNS entries getting bloated?

Avoid a single point of failure?