from Hacker News

Why does Microsoft use onmicrosoft.com and microsoftonline.com?

by kileywm on 7/10/19, 9:25 PM with 9 comments

In 2019, it seems a given that a cautious user on the internet should be careful about which domains they connect to. Paying close attention to domains, Microsoft users will quickly see that the company doesn't always use microsoft.com - even for high profile endpoints. For example:

* Office 365 services use this endpoint for user login: https://login.microsoftonline.com

* Email: onmicrosoft.com

Can anyone explain the business, user, and technical implications involved in choosing a new domain (microsoftonline.com) over a subdomain of the business's core domain (online.microsoft.com)?

  • by saurik on 7/10/19, 10:13 PM

    (This is in no way a complete of even precise answer, but is maybe still helpful.) One big issue is how cookies can be configured by subdomains to affect other subdomains, causing you to sometimes need full domain names to create security boundaries.

  • by russellbeattie on 7/11/19, 12:03 AM

    In addition to what others said about cookies and security, there's also organizational issues as well. In a giant org like Microsoft, services are launched by different groups at different times, and not always (or better said, rarely) in a coordinated manner.

    If I had to guess, the team that made microsoftonline.com probably could have dealt with the group that "owns" microsoft.com and gone through all the security, functionality, routing and systems testing involved to add a new subdomain or root-level path, but it was faster, easier and safer to just use a new domain and not worry about 25 years of domain name baggage. Maybe it was actually a coordinated effort to avoid all that, or simply meet a deadline.

    You never know. The longer you work in technology, the more you see systems get larger and larger and have their own rational for things that seem insane to an outsider. Maybe microsoft.com is running on an ancient Windows 2000 server and they've forgotten the admin password. You'd think that could never happen at a company like Microsoft (or maybe you would), but you'd be surprised.

  • by Spooky23 on 7/11/19, 11:31 PM

    I don’t remember the particulars, but I know that all of the identity components of Exchange Online and O365 were swapped out once or twice. Microsoft built the airplane in flight.

    They also have a very complex service delivery architecture. O365 “Commercial” and “Government Community”, share some components, and have separate ones for others. Then there is a separate US Gov O365 with a different TLD.

  • by webmaven on 7/11/19, 12:04 AM

    Should be an 'Ask HN:'.

  • by quickthrower2 on 7/11/19, 1:35 AM

    Some ideas:

    Different SSL configuration.

    Avoid DNS entries getting bloated?

    Avoid a single point of failure?