
Why does Microsoft use onmicrosoft.com and microsoftonline.com? - kileywm
In 2019, it seems a given that a cautious user on the internet should be careful about which domains they connect to. Paying close attention to domains, Microsoft users will quickly see that the company doesn't always use microsoft.com - even for high profile endpoints. For example:

* Office 365 services use this endpoint for user login: https://login.microsoftonline.com

* Email: onmicrosoft.com

Can anyone explain the business, user, and technical implications involved in choosing a new domain (microsoftonline.com) over a subdomain of the business's core domain (online.microsoft.com)?
======
saurik
(This is in no way a complete or even precise answer, but is maybe still
helpful.) One big issue is how cookies can be configured by subdomains to
affect other subdomains, causing you to sometimes need full domain names to
create security boundaries.
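
The cookie-scoping point made above, as an added illustration that is not from any poster in this thread: a minimal Python model of RFC 6265 domain matching and the rule for accepting a Set-Cookie Domain attribute. online.microsoft.com is the hypothetical host from the question, and the one-entry public-suffix set is a constructed stand-in for the real Public Suffix List.

```python
# Added illustration (not from the thread): a small model of RFC 6265 cookie
# Domain scoping. It shows why any host under microsoft.com can plant cookies
# that every other *.microsoft.com host receives, while a host under a separate
# registrable domain (microsoftonline.com) cannot reach across that boundary.
from typing import Iterable, List, Optional

PUBLIC_SUFFIXES = {"com"}  # constructed stand-in for the real Public Suffix List


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain when they are equal or
    host ends with '.' + domain (the IP-address exclusion is omitted here)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def accepted_cookie_domain(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """RFC 6265 section 5.3 steps 5-6: a Domain attribute is honoured only if it
    is not a public suffix and the request host domain-matches it. Returns the
    effective scope: the bare host for a host-only cookie, the attribute value
    when accepted, or None when a browser would reject the cookie."""
    if domain_attr is None:
        return request_host.lower()  # no Domain attribute: host-only cookie
    domain = domain_attr.lower().strip(".")
    if domain in PUBLIC_SUFFIXES or not domain_matches(request_host, domain):
        return None
    return domain


def hosts_receiving(request_host: str, domain_attr: Optional[str],
                    hosts: Iterable[str]) -> List[str]:
    """Which of `hosts` would later receive a cookie set from request_host?"""
    scope = accepted_cookie_domain(request_host, domain_attr)
    if scope is None:
        return []
    if domain_attr is None:
        return [h for h in hosts if h.lower() == scope]  # host-only: exact host
    return [h for h in hosts if domain_matches(h, scope)]


if __name__ == "__main__":
    hosts = ["www.microsoft.com", "online.microsoft.com", "docs.microsoft.com",
             "login.microsoftonline.com"]
    # A hypothetical online.microsoft.com can widen its cookie to the whole zone.
    print(hosts_receiving("online.microsoft.com", "microsoft.com", hosts))
    # login.microsoftonline.com cannot set a cookie that microsoft.com hosts see.
    print(hosts_receiving("login.microsoftonline.com", "microsoft.com", hosts))
    print(hosts_receiving("login.microsoftonline.com", "microsoftonline.com", hosts))
```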

~~~
ts4z
This is exactly right. Different parts of the business have different security
scopes, and different domains are the easiest way to keep things separate:
make the browser help keep data separate, and not share things across the
organization.

This can also reduce cookie size, which adds up.

~~~
mc32
This all sounds reasonable but Google doesn’t use this strategy and it looks
cleaner for the end user. So why can’t O365 do similar?

~~~
kerng
Not everyone equally applies security concepts and isolation the same way.
Google is probably less concerned around certain web attacks compared to
Microsoft. Microsoft isolates their corporation from customer things, which is
good I'd say.

------
russellbeattie
In addition to what others said about cookies and security, there's also
organizational issues as well. In a giant org like Microsoft, services are
launched by different groups at different times, and not always (or better
said, rarely) in a coordinated manner.

If I had to guess, the team that made microsoftonline.com probably could have
dealt with the group that "owns" microsoft.com and gone through all the
security, functionality, routing and systems testing involved to add a new
subdomain or root-level path, but it was faster, easier and safer to just use
a new domain and not worry about 25 years of domain name baggage. Maybe it was
actually a coordinated effort to avoid all that, or simply meet a deadline.

You never know. The longer you work in technology, the more you see systems
get larger and larger and have their own rationale for things that seem insane
to an outsider. Maybe microsoft.com is running on an ancient Windows 2000
server and they've forgotten the admin password. You'd think that could
_never_ happen at a company like Microsoft (or maybe you would), but you'd be
surprised.

------
Spooky23
I don’t remember the particulars, but I know that all of the identity
components of Exchange Online and O365 were swapped out once or twice.
Microsoft built the airplane in flight.

They also have a very complex service delivery architecture. O365 “Commercial”
and “Government Community” share some components, and have separate ones for
others. Then there is a separate US Gov O365 with a different TLD.

------
webmaven
Should be an 'Ask HN:'.

------
quickthrower2
Some ideas:

Different SSL configuration.

Avoid DNS entries getting bloated?

Avoid a single point of failure?

