Azure-docs: Azure AD password reset page(s) look like phishing

@ngie-eign Thank you for your feedback . You can provide feedback on the page https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166251 which relates specific to Self-Service Password Reset . We will investigate and update further on this one.

@ngie-eign While we understand your concern of layout and design of the page and agree that we can do better than the current UI , we do not think the security is any way compromised . The first thing to check the security and authenticity of a webpage is to check the https connection authenticity and see if the certificate is valid or not . And if the certificate is valid and appears to be assigned to the proper organisation from a public certificate authority , we should be good.

And I totally get your arguments for a better design.

• punctuation not capitalized,
• grammar is a bit questionable
• the domain (https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx?regref=ssprsetup) was long/not obviously linked to microsoft.com namespace .

Windowsazure.com was the initial Azure portal URL that Microsoft started providing azure services with long back in initial days hence you would see this URL in many places , a lot of services have transitioned from these old URLs and the ones which are still on , i am sure will be transitioned over time. However , we assure you/your users that you do not need to panic at all as the page is completely legitimate and provided by Microsoft with complete security considerations.

There are plans to change the password reset experience underway at this moment as per this uservoice thread. We believe the current page would also be updated as its part of the SSPR setup however we recommend you to create a new feedback request for the Product Group to consider. We will close this issue now and request you to open a new feedback request as you see fit.

Thank you.

This continues to be a serious problem. As phishing attacks around the world escalate, responsible tech administrators are training their users to be highly skeptical of sketchy looking websites. WindowsAzure.com is super sketchy looking, and resembles real phishing sites. This undermines our efforts to build good user behavior, and ultimately makes your whole infrastructure less safe. Users who are acclimated to logging in to sketchy-looking Microsoft websites are more likely to log in to sketchy-looking phishing websites. You need to get your design team to fix this ASAP before it causes (another) huge hack.

@shashishailaj: I'm a bit frustrated this was closed a year ago.

How hard is it to fix punctuation in an HTML/CSS page? Doing this seems like the absolute bare minimum to making the website seem more trustworthy.

I would have submitted a PR to fix this if I had access to the source; it would have been quicker than this back and forth over GitHub -_-.

Also, having to verify the identity of a website via the SSL/TLS certificate information is way beyond the expectation for most non-technical users when it comes to ensuring that they're logging into a secure resource.

Many companies/groups have been hacked and data has been exfiltrated due to ransomware or other phishing based attacks. I would really appreciate it for Microsoft to take data security seriously, since relying on their infrastructure in its current state might lead to data leaks on a large scale or have major repercussions on a global scale. As more groups move to a cloud-based providers for identity-based authentication, it's in the groups' best interests to think of the data/identities that they are charged with keeping secure.

See also:

1. Baltimore Data Breach
2. DNC Data Breach
3. Experian Data Breach
4. Sony Data Breach
5. Target Data Breach