
I spent the past year working for a company that relies heavily on Microsoft for email, productivity tools, and identity management. After that experience, I can say with confidence: never again. The support is astonishingly poor, and user experience feels like an afterthought.

More importantly, using Microsoft at scale can leave your organization fundamentally insecure. The obscure, insecure defaults are, at best, dangerous missteps and, at worst, borderline negligent. I’m convinced that only a small fraction of enterprises using Microsoft have the expertise and budget required to secure it properly.

My personal view is that if your organization depends heavily on Microsoft, it’s not serious about security, whether they’re aware of it or not.



I work for a company that now uses everything from Microsoft. They used to have Jira, AWS and tons of other different products, but now everything is Microsoft, and it's terrible. Azure DevOps is particularly horrific. It's like Jira+Jenkins except you can never find anything. Nothing about it makes sense to me.

As far as I can tell, the databases on Azure are all either slow, expensive, or both.

And of course it means we hand over all of our highly sensitive data to a company that has said that US law will overrule EU law. How can anyone trust a company that says they will not obey the law?


Because I can't help it, and ADO is my pain:

Type the same id number into a bug's related links twice. It'll have no match, and then a match.


Don't know why employers do this. Why pay for shitty tools your employees hate?


The top of the stack loves Outlook/Exchange. They want that calendar experience and that's what they're going to get.


That's the thing. The decision makers are not programmers who care about good dev tooling, but executives who care about good agenda management. So Microsoft's agenda management is great, and their dev tooling sucks.

It really feels like ADO was just quickly patched together so they can offer it as part of a complete package.


Corporate people who decide what services to buy don't care about what the employees think about those services.

And regarding Microsoft, it's easy: paying for the whole package is much easier in terms of contract overhead and with MS the discounts are quite advantageous as soon as you increase the width of the package.

Short term and if you only look at the bill, it makes sense.

Long term, forcing your teams to work with shitty services is a terrible idea.


I'm always amazed at how needlessly complicated and useless administration of Microsoft products and services are. So much of 365 feels like it is 75-90% completed then abandoned. Every time I find something that sounds like it should be really useful, it turns out to lack at least one function or feature needed to do what I would need it to.


For every Microsoft service there are 5 tiers of certifications that are needlessly updated every few years.


Like Azure. 90% in the UX, and the one feature that you need is only accessible on the CLI…


Where do I find money to fund my rewrite of Kerberos 5 in Rust, removing the dumb options and Kerberos 4 compatibility and eventually create Kerberos 6 + AD that will solve a metric buttload of issues in Linux and knock a major peg of MS off?


Kerberos solves the problem that doing public key authentication is slow on an i386.


Kerberos solves the problem that you can have short one-time tokens using your password.

Add public key infrastructure support, make LDAP the default store and you've got AD. Even better, you can throw all the OAuth crap down the drain.

Now, starting services with a password becomes an issue of booting the machine.


No one would build KRB4/5 today, it makes no sense. Its only advantage over an X.509 cert based system is speed on really really slow CPUs.


That doesn't seem right to me, assuming you still want the paradigm of one-time principal-to-domain authentication with just-in-time principal-to-resource authentication. While I think you could probably use X.509 certs to streamline and modernize the ticket-granting-and-session-key dance, you'd still be doing a lot of the same high-level things.

Depending on the use-case, Kerberos (/this imagined X.509 Kerberos) or OAuth2 still seems suitable for the single-authenticator/multiple-services paradigm.


Ask IBM/RedHat. They did a lot of foundational work with SSSD (aka "too many 'S' D").

Kerberos is not a great protocol, though.


Ultimately Kerberos is used to authenticate basically everything in a Windows on-prem environment and in a way that is largely transparent to the user. Silent SSO is a very nice feature. Even if you're doing OIDC or SAML, those protocols do not define what is actually performing authentication at the IdP which, again, ultimately ends up being Kerberos if your people are on-prem. So whatever your feelings are about Kerberos as a protocol, it doesn't matter if that's what Windows uses. And again, it cannot be obsoleted by other protocols. Even if you're using a newer FIDO thing like passkeys or client certs or whatever, ultimately the device has to be authenticated to get that passkey or cert or whatever it is installed into the authenticator app of the device. So Kerberos is king on-prem. MIT Kerberos on Linux is not really compatible with Windows Kerberos in ways that cause problems that are not solved by re-writing Kerberos in another language. More important issues have to do with sharing credentials and getting trust info and other such things.
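The ticket flow the three comments above argue about (one password-based authentication to the realm, then just-in-time, short-lived tickets per service, with the service never contacting the KDC), as an added Python illustration. This is not code posted by any commenter and not MIT or Windows Kerberos; the principal names `alice` and `nfs/fileserver`, the lifetimes, the absence of a realm in the key table, and the hash-keystream-plus-HMAC stand-in for the real Kerberos enctypes are all assumptions made for the demo.

```python
"""Toy Kerberos-style AS / TGS / AP exchange (added illustration, not the page's code).
Symmetric keys only: the password never goes on the wire; the client proves it by
decrypting the AS reply. Tickets are short-lived and sealed under keys the client
does not hold. The cipher is a stand-in (hash keystream + HMAC); real Kerberos uses
aes-cts-hmac enctypes, pre-authentication and a replay cache, all omitted here."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds; the usual Kerberos clock-skew tolerance

def derive_key(password: str, salt: str) -> bytes:
    # string-to-key; real Kerberos salts with REALM+principal, iterations lowered for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 5000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: without `key` the blob can be neither read nor forged."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, ticket: dict, now: int) -> None:
    # Decrypting the authenticator under the ticket's session key already proved the
    # caller holds that key; now bind it to the ticket's principal and to the clock.
    if auth["cname"] != ticket["cname"] or abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")

class KDC:
    def __init__(self, principals: dict):
        self.keys = dict(principals)          # principal -> long-term key (users and services)
        self.keys["krbtgt"] = os.urandom(32)  # ticket-granting key; never leaves the KDC

    def as_exchange(self, cname: str, now: int, lifetime: int = 8 * 3600):
        """AS-REQ/AS-REP: one TGS session key, sent under the user's key and inside the TGT."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "expires": now + lifetime})
        return tgt, seal(self.keys[cname], {"key": sk, "expires": now + lifetime})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int, lifetime: int = 600):
        """TGS-REQ/TGS-REP: caller proves it holds the TGT session key, gets a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t, now)
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": svc, "expires": now + lifetime})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc, "sname": sname})

def client_login(kdc: KDC, cname: str, password: str, now: int):
    tgt, enc = kdc.as_exchange(cname, now)
    # Wrong password -> wrong key -> unseal() raises. Without pre-authentication this
    # same blob is what an attacker can request and crack offline (AS-REP roasting).
    return tgt, bytes.fromhex(unseal(derive_key(password, cname), enc)["key"])

def client_ap_req(kdc: KDC, cname: str, tgt: bytes, tgs_key: bytes, sname: str, now: int):
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgs_key, {"cname": cname, "ts": now}), sname, now)
    svc_key = bytes.fromhex(unseal(tgs_key, enc)["key"])
    return ticket, seal(svc_key, {"cname": cname, "ts": now})  # AP-REQ = ticket + authenticator

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ handling: only the service's own key is needed; the KDC is not contacted."""
    t = unseal(service_key, ticket)
    check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t, now)
    return t["cname"]

def demo(password: str = "correct horse", service_clock_offset: int = 0) -> str:
    """Full flow for user 'alice' reaching nfs/fileserver; returns the name the service accepted."""
    now = int(time.time())
    nfs_key = os.urandom(32)
    kdc = KDC({"alice": derive_key("correct horse", "alice"), "nfs/fileserver": nfs_key})
    tgt, tgs_key = client_login(kdc, "alice", password, now)
    ticket, ap_auth = client_ap_req(kdc, "alice", tgt, tgs_key, "nfs/fileserver", now)
    return service_accept(nfs_key, ticket, ap_auth, now + service_clock_offset)

def demo_fails(**kwargs) -> bool:
    """True when the flow is rejected, e.g. wrong password or a ticket presented too late."""
    try:
        demo(**kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo())                                                               # alice
    print(demo_fails(password="wrong"), demo_fails(service_clock_offset=3600))  # True True
```

Two things the toy makes visible that the argument above turns on: the service validates a ticket with nothing but its own long-term key, which is why Kerberos scales to "everything on-prem" without the KDC in every request path; and the user's long-term key is only ever used to open the AS reply, which is exactly the blob that AS-REP roasting targets when pre-authentication is turned off.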


> Ultimately Kerberos is used to authenticate basically everything in a Windows on-prem environment and in a way that is largely transparent to the user. Silent SSO is a very nice feature.

When it works. And when it doesn't work (which is most of the time if you're outside of corporate LAN) you simply can't debug what's happening.

> MIT Kerberos on Linux is not really compatible with Windows Kerberos

It actually is! A long, long time ago I managed to join Windows into a pure Kerberos domain. Everything worked, including things like GSSAPI authentication in PuTTY or MySQL. It involved some `ksetup.exe` incantations, I think this guide might be still relevant: https://docs.oracle.com/cd/E19316-01/820-3746/gisqf/index.ht...

Of course, there was no group synchronization (because no AD).

That was about 20 years ago. Back then, I was working on helping companies migrate to Linux, and I toyed with an idea of having a background service to periodically sync groups from the Linux SMB server with the local users.


> Kerberos is not a great protocol

Understatement of the week


sssd is a dogpile of dogcrap. I have 15 tickets on GitHub about fixing their manpages.

And you really need to read the Kerberos book before picking up sssd.


Memory safety or type safety are the least of Kerberos' issues. The protocol itself is fundamentally flawed.


What issues on Linux would this actually solve?


Simplify GSSAPI, for one. Single authentication and authorization: submit on Slurm? Ask Kerberos + LDAP. Can I upload to this service? Ask Kerberos + LDAP. Policies applied on this computer? Ask Kerberos + LDAP.

I may be a bit naive, I'll accept that, but I really like how AD works (which is essentially Kerberos + LDAP).


I tried to set up network file sharing with NFS the other day and it was like pulling teeth. You need Kerberos if you want to map user names instead of user ids and still have some security.

Ultimately I gave up and used Samba instead, but it does seem like there's a big gap in Linux offerings for "home/small business network file sharing" with shared auth.


sshfs doesn't work for you?


It's for a drive holding primarily media files; my experience with sshfs has been that it is slow. My goal here was to have a network drive mounted on login for two different accounts on my Linux desktop, and for the same users (my partner and I) on different accounts (because Apple) on two different MacBooks. It's a typical home network, with a firewall, so the extra security of ssh would be nice but isn't really critical for us; any malware on the computers we use would already have network access and our ssh keys.

I also want to share the home printer/scanner, which I believe samba can do, but obviously sshfs won't. Side note - I would love to see a standard protocol and server for a 3d printer. We have a Bambu and the software is... alright... but doesn't play nice sharing an account between computers.

Ultimately I set up Samba on the server, with mapped users, and a line in fstab on the desktop. Plain old NFS might have worked for the desktop, but the users don't have the same UIDs between the desktop and the server and... reconciling that seemed painful.

I did try to make Kerberos work with NFS for a few days, but the experience was akin to staring into the sun.


It's a great option to have, but ultimately it's at-best pretty slow.


Did you respond to the wrong comment?


Even if you do, you’re still going to get breached. They drop features all of the time that open potential vulnerabilities.

I used to run a Microsoft productivity ops team. Email/SharePoint/etc. Our headcount was about 20-24. O365 dropped that to ~8. Now? I’m told it’s about 60, much of it relating to security.


What kind of obscure insecure defaults are there?


Check out the Microsoft baseline security guidelines for Windows 11. It's about 400 entries. 400 settings that Microsoft themselves recommend changing from the defaults to achieve a baseline security.

Why does Windows 11 show stock values in the taskbar by default? Why does it show ads, games and yellow-press headlines when you click on it? On the Enterprise edition! Xbox services are installed and running by default. Why?


Changing the default would cost sales and increase support costs.


Direct Send was my favorite. Direct Send allows devices to send unauthenticated email to internal recipients using your organization's domain, which can expose you to internal emails used for phishing etc. It bypasses user authentication, making sender identity difficult to verify or audit. For all orgs created before mid-2025 it was enabled by default.

I saw a great Black Hat talk this year about Entra misconfiguration that got Microsoft's own sensitive internal services owned by a researcher, one of them owned by their security team. After the report they reconfigured their services, didn't pay a bounty and considered the problems solved. What about their customers making the same config errors as the Microsoft team... no changes planned.

There's much much more...
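One way to find out whether the Direct Send behaviour described in the comment above is being used, or abused, in your own tenant: pull the messages whose `From:` is one of your domains but which arrived unauthenticated, and split them into inventoried devices versus unknown sources. This is an added Python example, not code from the commenter or from Microsoft. `ORG_DOMAINS` and `KNOWN_DEVICE_NETS` are assumed values, and the three sample messages are constructed in the style of the `Authentication-Results` header Exchange Online stamps, not captured from a real tenant.

```python
"""Triage for unauthenticated mail that claims an internal sender: the footprint both of
Exchange Online 'Direct Send' submissions and of external spoofing that abuses it.
Added example, not the page's code. ORG_DOMAINS and KNOWN_DEVICE_NETS are assumed
values; the sample messages below are constructed in the Authentication-Results
style Exchange Online stamps, not captured from a real tenant."""
import email
import ipaddress
import re
from email.policy import default
from email.utils import parseaddr

ORG_DOMAINS = {"contoso.example"}                               # assumed accepted domains
KNOWN_DEVICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed: inventoried MFPs/apps

_VERDICT = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
_SENDER_IP = re.compile(r"sender IP is ([0-9a-fA-F:.]+)")

def parse_auth_results(header: str) -> dict:
    """spf/dkim/dmarc/compauth results plus the connecting IP from Authentication-Results."""
    out = dict(_VERDICT.findall(header))
    m = _SENDER_IP.search(header)
    out["ip"] = m.group(1) if m else None
    return out

def _from_known_device(ip) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in KNOWN_DEVICE_NETS)

def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    # SPF or DKIM pass counts as authenticated; note a spoofer sending from an IP that your
    # own SPF record lists would pass too, so keep that record tight.
    authenticated = ar.get("spf") == "pass" or ar.get("dkim") == "pass"
    if from_domain not in ORG_DOMAINS:
        verdict = "external"                        # ordinary inbound; the sender's DMARC applies
    elif authenticated:
        verdict = "authenticated-internal"
    elif _from_known_device(ar["ip"]):
        verdict = "inventoried-direct-send"         # expected, but still unauthenticated: migrate it
    else:
        verdict = "unauthenticated-internal-spoof"  # internal From, no SPF/DKIM pass, unknown source
    return {"verdict": verdict, "from_domain": from_domain, **ar}

def scan(messages):
    """The subset a SOC would look at first."""
    return [t for t in map(triage, messages) if t["verdict"] == "unauthenticated-internal-spoof"]

# --- constructed samples (not real tenant data) -------------------------------
SPOOF = """\
Received: from mail.attacker.example (203.0.113.7) by MX.contoso.example with SMTP
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=contoso.example;
 compauth=fail reason=000
From: IT Helpdesk <helpdesk@contoso.example>
To: alice@contoso.example
Subject: Your password expires today

Please sign in at the link below to keep your account.
"""
DEVICE = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.20)
 smtp.mailfrom=contoso.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=contoso.example;
 compauth=fail reason=000
From: scanner@contoso.example
To: alice@contoso.example
Subject: Scanned document

(attachment)
"""
PARTNER = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=partner.example; dkim=pass (signature was verified)
 header.d=partner.example;dmarc=pass action=none header.from=partner.example;
 compauth=pass reason=100
From: bob@partner.example
To: alice@contoso.example
Subject: Q3 forecast

See attached.
"""

if __name__ == "__main__":
    for m in (SPOOF, DEVICE, PARTNER):
        t = triage(m)
        print(f"{t['verdict']:32} from={t['from_domain']} ip={t['ip']}")
```

The "inventoried-direct-send" bucket is the migration list: those devices should be moved to SMTP AUTH client submission or to an inbound connector restricted to their IPs, after which the tenant-wide switch Exchange Online added in 2025 (`Set-OrganizationConfig -RejectDirectSend $true` in Exchange Online PowerShell) can be turned on so the "unauthenticated-internal-spoof" bucket stops being deliverable at all.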


Everything on by default in general has plagued them, because they don't want users to complain it doesn't work.


One not-so-obscure problem is how hard it is to only elevate yourself to admin when you need it (and run as a regular user the other time).

Essentially you need to pay double license for admin users so they can have two logins; and it's a pain to quickly elevate privilege to do day to day admin tasks.

So if your friendly domain admin clicks the wrong link, your entire network is owned.


Obscure from a typical user's POV: the fact that file extensions are not shown by default. This makes it possible for the user to click on a file that has the extension and the icon of a picture (embedded inside), but turns out to be an executable file.
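A model of the mismatch the comment above describes, between what Explorer renders under the default "Hide extensions for known file types" setting (`HideFileExt` = 1 under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`) and what actually executes on double-click, usable as a mail-gateway or EDR pre-filter. Added Python example, not the commenter's code; the sample names are constructed, and the executable and lure extension lists are assumptions rather than an authoritative Windows list. It also covers the right-to-left-override trick, which works even when extensions are shown.

```python
"""What Explorer shows with 'Hide extensions for known file types' on (the default;
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced, HideFileExt=1)
versus what actually runs on double-click. Added example, not the page's code; sample
names are constructed and the extension sets are assumptions, not an authoritative list."""
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                   ".jse", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx", ".xlsx", ".txt"}
RLO = "\u202e"            # Unicode RIGHT-TO-LEFT OVERRIDE; renders what follows it reversed
ALWAYS_HIDDEN = {".lnk"}  # shortcut extension is hidden regardless of the setting (NeverShowExt)

def real_extension(name: str) -> str:
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""

def explorer_display(name: str, hide_ext: bool = True) -> str:
    """Approximate rendered name: known extension stripped, then the bidi override applied."""
    ext = real_extension(name)
    shown = name[: -len(ext)] if ext and (hide_ext or ext in ALWAYS_HIDDEN) else name
    if RLO in shown:
        head, _, tail = shown.partition(RLO)
        shown = head + tail[::-1]
    return shown

def assess(name: str, hide_ext: bool = True) -> dict:
    """Flag names whose rendered form suggests a document while the real type is executable."""
    ext, shown = real_extension(name), explorer_display(name, hide_ext)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        if real_extension(shown) in LURE_EXTS:
            reasons.append(f"runs as {ext} but is displayed as {real_extension(shown)}")
        if RLO in name:
            reasons.append("right-to-left override character in filename")
    return {"name": name, "shown": shown, "runs_as": ext, "reasons": reasons}

def scan(names, hide_ext: bool = True):
    """Names a gateway or EDR rule should block, or at least rename, before a user sees them."""
    return [a for a in (assess(n, hide_ext) for n in names) if a["reasons"]]

SAMPLE_NAMES = [                  # constructed
    "holiday-photo.jpg.exe",      # classic double extension
    "invoice.pdf",                # benign document
    "setup.exe",                  # executable that looks like one; not a lure
    "photo" + RLO + "gpj.exe",    # renders as photoexe.jpg when extensions are shown
    "report.docx.lnk",            # shortcut; .lnk stays hidden even with extensions shown
]

if __name__ == "__main__":
    for a in scan(SAMPLE_NAMES):
        print(f"{a['name']!r:32} shown as {a['shown']!r:24} -> {a['reasons']}")
```

Flipping `HideFileExt` to 0 for all users removes the first class of lure (`assess("holiday-photo.jpg.exe", hide_ext=False)` reports nothing), but not the `.lnk` or RLO cases, which is why the rendered-name check belongs in the mail and download path and not only in user training.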


They've apparently had a corporate philosophy of obfuscating the underlying system from the end user and deliberately inhibiting their ability to learn how it fits together since at least the early 2000s.

I feel like the current ignorance of the average computer user was a deliberate outcome they've been working towards for more than 20 years. As someone who has been using computers since the late 80s, I find their current offerings harder to use than ever.


This is blatant nonsense. The best security choice for any small business that doesn’t have a dedicated full time security staff is Microsoft 365.


Have you admined a Google Apps account and an MS365 account? I'm curious why you think Microsoft is more secure? For me they are completely different, Google is secure by default, Microsoft is not. Do you have "Direct Send" enabled on your account for example?


Because outside of a handful of nerdy tech companies, all small businesses need to use Microsoft Office. From there, it's a no-brainer to stay in the MS ecosystem and use SharePoint etc…

For a small business without a dedicated IT team, simply hire an IT contractor to harden the tenant (MFA etc…), have them review every six months and be done with it and focus your resources on running your business.


My father's decidedly non-nerdy logistics consulting business with roughly 20 employees ran (and runs) on Mac OS since the founding of the company in the mid 1990s, with my mom being the "IT team". There are some situations where companies rely on certain compatibilities requiring Windows. But most could do completely fine without, especially nowadays.


It's not proof of anything

How do you know that they wouldn't be more productive if they were using the Windows and Office bundle all the time?


You can run a logistics consulting business without Windows, but you will struggle without Excel and PowerPoint, and 365 with SharePoint is basically needed for collaboration in any consulting business.

I'm also a logistics consultant… try to parse a multi-million-line order-line extract in Google Sheets compared to Excel.

I'm also on Mac but to be honest it's a challenge; there are still enough industry-specific tools that are Windows-only that I have to run a Parallels VM to get by.


Collaboration with SharePoint is, I think, the biggest issue with M365. It's impossible to figure out where a file is stored… on your hard drive? OneDrive? Teams? SharePoint?

And the biggest problem I have is managing revisions with multiple editors. If I were talking to Microsoft about strategy, this would be the thing I'd suggest. I know it's common to use SharePoint for collaboration, but it's such a Frankenstein'd system that it's going to be a problem for everyone sooner or later.


It's still better than anything else and the de-facto standard so you need it.

Clients will send you their PowerPoint template and want you to use it. They will send you their complex spreadsheets riddled with VBA macros and you will need to fix them. They will invite you to a Teams site because that's where their project updates go. I just don't see how you can avoid it as a consulting company!

For things like Excel - We can say it's 'bad' but I've not seen anything do the job it does better. And besides, even if it was bad, it doesn't matter - as a consultant you need to use it because your clients probably want your workings as part of the deliverables, and if it's on Google Sheets they often won't want that.


My 22-year-old, fresh-out-of-school communications manager admin was able to figure all that out on her first day of work.

Don’t know what to tell you.


Many of the 22-25-year-old-ish people in a grad school class I was part of recently had no idea where a shared project document was or how to edit it outside of Office 365's online editor. Many didn't know that the "attachment" from email was actually a SharePoint link and not a file. This becomes a problem when you need to use some features in the desktop Word program that aren't in the online editor.

Honestly, I’m less interested in how things work on day one. When systems are fresh or new, it’s easier to keep working. The mess always ends up happening after things have had time to accumulate cruft. Working on a collaborative manuscript in the current Microsoft shared system is normally a nightmare.

Trying to manage/accept/reject edits and revisions between different people is still difficult. That is unless you can use a source code repository like GitHub. But good luck trying to convince people to do that. Sadly, this means that emailing files around is still the easiest way to keep things straight.



