
Geopolitical Volatility and Microsoft 365


Tags: MEEQIT, Microsoft, Entra ID, Hybrid

2025-05-12


Brad Smith, Vice Chairman and President of Microsoft, recently published this post in an attempt to assure European customers that they can continue to use Microsoft Cloud Services in the year 2025 and beyond. Many have anticipated and welcomed that a statement of this sort was pending and needed, and the obvious reason is of course the elephant in the room: the Donald Trump administration.

The commitment statements are to me similar to statements made in the early years of Office 365, when Microsoft had to convince organizations that their data was safe with them in the cloud. Those early statements were backed up with technology implementations such as Customer Lockbox and Bring Your Own Key, and with transparency on government requests for data. In the past I have used these, rather successfully I think, as arguments to sway organizations into starting their journey to the Microsoft Cloud.

I am no longer confident that I will be able to win arguments with Information Security representatives in risk-aware Enterprise organizations. I might not even want to. The value proposition of using Microsoft 365 is as great as ever, especially with Generative AI Agents expected to be most valuable when properly grounded in your data, but the risks of depending upon it have changed.

The changed risks to account for are not primarily about your data being secure; I still consider that Microsoft has sufficient mechanisms to ensure that (you have to use them, though). They are about the accessibility of your data, or rather, the availability of the services that make your data accessible. Let me explain by first quoting the SLA for Microsoft Online Services (it covers both Azure and Microsoft 365):

This SLA and any applicable Service Levels do not apply to any performance or availability issues:

  1. Due to factors outside our reasonable control (for example, natural disaster, war, acts of terrorism, riots, government action, or a network or device failure external to our data centers, including at your site or between your site and our data center);

The above is pretty standard in an SLA, so what is my problem? Rule of Law is. You accept an SLA that exempts the service provider from liability due to government actions because you assume Rule of Law will protect you from that happening. The commitment statements from Microsoft by Brad Smith are meant to assure you that they will protect the services you use within the boundaries of Rule of Law. The problem is that Rule of Law in the United States of America in 2025 seems not to function properly. There are now multiple documented cases where Executive orders are being enforced even though the Judiciary branch has determined the orders to be illegal.

Let that sink in a little. Illegal orders are now being enforced in the United States of America. That is not a good place for a Democracy to be in. How is Microsoft going to ensure the uptime of services your organization pays for under such circumstances? According to the SLA they do not really have to...

From the Microsoft commitment statement:

In the unlikely event we are ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe, we are committing that Microsoft will promptly and vigorously contest such a measure using all legal avenues available, including by pursuing litigation in court.

They are basically saying they will take it to court, and there is now precedent that this is not sufficient to stop an illegal order from being enforced. I thus conclude that the SLA in combination with the latest commitment statements is not enough to ensure services will remain running in case the current US administration issues an order telling Microsoft to stop services for your organization. What is needed from Microsoft, I argue, is a much clearer statement that assures European customers that they will physically stop agents attempting to enforce an illegal order affecting services you use.

Also note the choice of the word "unlikely". Not improbable or impossible. Unlikely is something that very well might happen, but probably not to you. Like being in a car accident: likely happening somewhere in the world while you read this, but not involving you. Do you have an airbag in your car and use seatbelts to mitigate the impact of such an unlikely event?

To be able to continue to recommend that all types of organizations go all-in on Microsoft 365 (including Copilot Agents) and Azure (including Azure Foundry hosted Gen AI Agents), I need to hear from Microsoft that they will actively stop the enforcement of presidential orders that are determined to be illegal or are pending litigation in court.

Until Microsoft has sufficiently clarified their latest commitment statement, I will recommend that organizations re-evaluate their risk assessments on using Public Cloud from companies with operations in the USA, which obviously includes Microsoft 365 and Azure from Microsoft, and determine if they are still within the boundaries of acceptable risk. In the case of Microsoft Online Services, the commitment statement might result in a lower anticipated risk compared to competitors AWS (Amazon Web Services) and GCP (Google Cloud Platform), which to my knowledge have not even made statements similar to Microsoft's, but in the end the type of business your organization is in will largely determine whether your risk level has changed.

Most organizations and companies can probably, and hopefully, ignore this entirely, but some industries and types of businesses come to mind that might be at the wrong end of the "unlikely" spectrum:

  • Non-profits related to free speech or environmental issues
  • Electric car manufacturers
  • Satellites or other hauling to space industries
  • Military related
  • Medical industry with vaccines in the portfolio
  • You get it: is your line of business at risk of colliding with the interests of the current administration?

If you are in the fossil fuel or minerals mining business, you are probably safe...

Alright, so you have determined that your organization might at some point anger the current, unpredictable US administration, and the risk vs. reward matrix no longer looks as comfortable as you need it to, but you have gone cloud-only and all-in on Microsoft 365 and established business-critical functions on it. What can you do? Here are a few suggestions.

Short term:

  1. Set up a mirror tenant for Microsoft 365 and replicate everything business critical to it. The mirror tenant can of course also be shut down, but it can buy you some time in a disaster scenario.

Mid term:

  1. AD-DS + AD-FS - Set up on-premises authentication infrastructure as an alternative for user authentication. While Entra ID is great, it ends up being a single point of failure for all other services.
  2. Exchange Hybrid - Move your business-critical mail flows (sales and invoicing perhaps?) to an on-premises Exchange Server.
  3. SharePoint Server Hybrid - Move your Sites with business-critical functionality and data to on-premises.

Long term:

  1. Abandon Microsoft 365 in favour of on-premises hosted open-source alternatives...

Apologies for derailing this post into a bit of a rant. Originally, I intended it to focus more on mitigating risk when using Microsoft 365 in times of turmoil, but that will have to be a separate post.
