Microsoft recently informed its customers about a gap in the collection of security logs for several of its cloud products over two weeks in September. The gap may have made it harder for network defenders to spot potential security breaches during that window.
In a message circulated to the affected clients, Microsoft disclosed that a bug in one of its internal monitoring tools caused certain agents to fail when uploading log data to the company's internal logging platform.
Microsoft assured customers that the logging disruption was not the result of a security incident and affected only the collection of log events.
The issue was first reported by Business Insider in early October, and the exact details of the notification have not been widely shared. According to cybersecurity expert Kevin Beaumont, the notifications Microsoft sent to the impacted companies are probably visible only to the limited number of users holding tenant administrative privileges.
Logs are crucial for tracking activity within a product, such as user sign-ins and failed sign-in attempts, and they help defenders detect potential security breaches. Missing logs could make it difficult to spot unauthorized access to customers' networks during that two-week period.
The products impacted include Microsoft Entra, Sentinel, Defender for Cloud, and Purview, according to the Business Insider report. Affected customers may have seen gaps in security-related logs or events, potentially impairing their ability to analyze data, detect threats, or generate security alerts.
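A practical check for this failure mode is to monitor each log table for periods of silence longer than its expected cadence, so that an upload failure surfaces as an alert instead of being discovered weeks later. The following is an added example, not Microsoft's code or part of the original article; it runs over constructed ingestion timestamps (hourly heartbeats per table) with a hypothetical two-week hole in `SigninLogs` modeled on the incident described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _hourly(start, hours):
    """Hourly timestamps starting at `start` (helper for the constructed sample)."""
    return [start + timedelta(hours=h) for h in range(hours)]


# Constructed sample: one record per (table, ingestion timestamp).
# SigninLogs stops after 1 Sep and only resumes on 16 Sep; AuditLogs never stops.
BASE = datetime(2024, 9, 1)
SAMPLE_EVENTS = (
    [("SigninLogs", t) for t in _hourly(BASE, 24)]
    + [("SigninLogs", t) for t in _hourly(BASE + timedelta(days=15), 24)]
    + [("AuditLogs", t) for t in _hourly(BASE, 24 * 16)]
)


def find_ingestion_gaps(events, max_silence=timedelta(hours=2), now=None):
    """Return (table, gap_start, gap_end, duration) for every stretch in which a
    table received no records for longer than `max_silence`.

    If `now` is given, a table that has gone quiet and not recovered is also
    reported as a gap ending at `now`, which is the case that matters most
    when the check runs on a schedule.
    """
    by_table = defaultdict(list)
    for table, ts in events:
        by_table[table].append(ts)

    gaps = []
    for table, stamps in sorted(by_table.items()):
        stamps.sort()
        bounds = stamps + ([now] if now is not None else [])
        for prev, cur in zip(bounds, bounds[1:]):
            if cur - prev > max_silence:
                gaps.append((table, prev, cur, cur - prev))
    return gaps


if __name__ == "__main__":
    for table, start, end, dur in find_ingestion_gaps(SAMPLE_EVENTS):
        print(f"{table}: no records from {start} to {end} ({dur})")
```

Feeding the function the last-seen timestamps per table from a SIEM's ingestion metadata, rather than the constructed sample, turns it into a scheduled silent-source check.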
While Microsoft did not provide specific details about the logging disruption, a company executive confirmed to TechCrunch that the incident was a result of an “operational bug within our internal monitoring agent.”
Microsoft’s Corporate Vice President, John Sheehan, stated that the company addressed the issue by reversing a service change. He also confirmed that all affected customers have been informed and will be provided with the necessary support.
The logging disruption came a year after federal investigators criticized Microsoft for not sharing security logs with certain U.S. federal government departments that use the company's government-only cloud for their email. The investigators argued that access to those logs could have helped identify a series of China-backed attacks much earlier.
Storm-0558, the China-backed hacking group, infiltrated Microsoft's network and stole a digital skeleton key that gave them unlimited access to U.S. government emails stored in Microsoft's cloud. The State Department was able to identify these intrusions because it held a higher-tier Microsoft license that included access to security logs for its cloud products, which many other hacked U.S. government agencies did not have.
In the aftermath of these China-backed cyberattacks, Microsoft announced that it would start providing logs to its lower-paid cloud accounts beginning in September 2023.