Why does Microsoft use onmicrosoft.com and microsoftonline.com?

20 pointskileywm6y ago9 comments

In 2019, it seems a given that a cautious user on the internet should be careful about which domains they connect to. Paying close attention to domains, Microsoft users will quickly see that the company doesn't always use microsoft.com - even for high profile endpoints. For example:

* Office 365 services use this endpoint for user login: https://login.microsoftonline.com

* Email: onmicrosoft.com

Can anyone explain the business, user, and technical implications involved in choosing a new domain (microsoftonline.com) over a subdomain of the business's core domain (online.microsoft.com)?

9 comments

saurik6y ago

(This is in no way a complete of even precise answer, but is maybe still helpful.) One big issue is how cookies can be configured by subdomains to affect other subdomains, causing you to sometimes need full domain names to create security boundaries.

ts4z6y ago

This is exactly right. Different parts of the business have different security scopes, and different domains are the easiest way to keep things separate: make the browser help keep data separate, and not share things across the organization.

This can also reduce cookie size, which adds up.

mc326y ago

This all sounds reasonable but Google doesn’t use this strategy and it looks cleaner for the end user. So why can’t O365 do similar?

3 more replies

russellbeattie6y ago

In addition to what others said about cookies and security, there's also organizational issues as well. In a giant org like Microsoft, services are launched by different groups at different times, and not always (or better said, rarely) in a coordinated manner.

If I had to guess, the team that made microsoftonline.com probably could have dealt with the group that "owns" microsoft.com and gone through all the security, functionality, routing and systems testing involved to add a new subdomain or root-level path, but it was faster, easier and safer to just use a new domain and not worry about 25 years of domain name baggage. Maybe it was actually a coordinated effort to avoid all that, or simply meet a deadline.

You never know. The longer you work in technology, the more you see systems get larger and larger and have their own rational for things that seem insane to an outsider. Maybe microsoft.com is running on an ancient Windows 2000 server and they've forgotten the admin password. You'd think that could never happen at a company like Microsoft (or maybe you would), but you'd be surprised.

Spooky236y ago

I don’t remember the particulars, but I know that all of the identity components of Exchange Online and O365 were swapped out once or twice. Microsoft built the airplane in flight.

They also have a very complex service delivery architecture. O365 “Commercial” and “Government Community”, share some components, and have separate ones for others. Then there is a separate US Gov O365 with a different TLD.

webmaven6y ago

Should be an 'Ask HN:'.

quickthrower26y ago

Some ideas:

Different SSL configuration.

Avoid DNS entries getting bloated?

Avoid a single point of failure?

j / k navigate · click thread line to collapse