On Monday, April 27, 2026, a Microsoft service change triggered a widespread outage, preventing Outlook users from signing into their accounts. Users reported intermittent authentication failures, persistent “too many requests” errors, and unexpected sign-outs across multiple platforms.
Inside the Outage: What Actually Happened
Early reports surfaced around midday UTC when users began encountering HTTP 429 (“Too Many Requests”) errors immediately after entering credentials. The failure occurred on Outlook.com, the Outlook desktop client (both Windows and Mac), and mobile apps on iOS and Android. Some users were abruptly signed out of existing sessions, with repeated sign-in attempts met by the same error loop.
Microsoft’s own service health dashboard acknowledged the incident within two hours, attributing it to “a recent service configuration change” that inadvertently throttled authentication requests. The change appeared to affect the Microsoft Account identity service, which handles sign-ins for Outlook.com and consumer Microsoft 365 subscriptions. Crucially, the outage did not impact enterprise Azure Active Directory logins, meaning corporate users remained largely unaffected.
The “too many requests” message baffled many, as it suggested that individual users were exceeding rate limits—an impossibility given normal usage patterns. In reality, the service configuration change had tightened rate limits so drastically that even the initial authentication handshake triggered the limit. The result: a cascading lockout that persisted until Microsoft rolled back the change roughly four hours later.
What It Means for You: Impact by Audience
Home and Personal Users
If you rely on Outlook.com for personal email, you were likely locked out entirely for several hours. Even after service restoration, some users reported lingering issues—repeated sign-in prompts and difficulties re-syncing mailboxes. The iPhone and iPad Apple Mail app, which connects to Outlook.com via Exchange ActiveSync, remained functional for many, offering a temporary back door to read and send emails. This unintended workaround stemmed from the fact that Apple Mail uses a previously authenticated token that the Outlook app itself could not obtain during the outage.
IT Administrators
For those managing personal Microsoft 365 Family or legacy Hotmail accounts used in a business context, the outage underscored the fragility of consumer-grade services. While enterprise tenants were shielded, admins whose teams used personal accounts for scheduling or client communication faced a support headache. The incident serves as a reminder to verify service health dashboards before escalating user complaints, and to have a fallback communication channel—like a shared IM platform—ready for such disruptions.
Developers and Integrators
If your application uses the Microsoft identity platform for consumer login, you might have seen a spike in 429 errors from the /consumer/auth endpoint. Rate-limit design flaws exposed by this change highlight the need to implement robust retry logic with exponential backoff, and to differentiate between transient service issues and true client-side throttling. Check your incident logs and be prepared to explain the root cause to stakeholders.
How We Got Here: The Chain of Events
This is not the first time a configuration change has knocked out Microsoft’s authentication services. In January 2025, a similar misconfiguration caused multi-factor authentication (MFA) prompts to fail for millions of users. Last year, a faulty update to the Microsoft Account service led to a four-hour Outlook sign-in outage. And in 2023, a change to Exchange Online broke Apple Mail connectivity for a full weekend. The pattern is sobering: the complexity of Microsoft’s identity fabric often outpaces its change-management safeguards.
On April 27, the timeline unfolded as follows (all times UTC):
- 11:30 – First user reports of “too many requests” surface on social media.
- 12:15 – Down detector services show a sharp spike in outage reports.
- 13:00 – Microsoft acknowledges the issue on the Microsoft 365 service health dashboard, promising an investigation.
- 14:45 – The configuration change is partially rolled back; some users regain access.
- 16:00 – Microsoft declares the incident resolved, citing full service restoration. Lingering issues for some users persisted into the evening.
The root cause, as later clarified in a preliminary post-incident review, was an automated deployment of rate-limiting rules intended to protect the login service from bot attacks. The rules were tested in a staging environment but behaved differently in production due to an unanticipated interplay with a recently updated authenticator component.
Your Action Plan: Workarounds and Fixes
If you were affected, here’s what you can do now and in future:
- Use Apple Mail as a fallback
  On iPhone or iPad, the built-in Mail app often maintained its connection throughout the outage. If you had previously set up your Outlook.com account using the Exchange option, you likely could still send and receive. This is a good reason to keep the native app configured as a backup.
- Switch to Outlook on the web (when partially restored)
  During the tail end of the incident, outlook.live.com began working before the desktop clients. Bookmark the web interface as your first recourse during sign-in issues.
- Check the official health dashboard
  Visit admin.microsoft.com/servicehealth (for consumer accounts, the consumer portal will redirect). Microsoft’s status updates often lag, but the dashboard is the single source of truth before you start troubleshooting your own setup.
- Clear credentials and restart
  After an outage, stale tokens can cause repeated sign-in prompts. On Windows, use Credential Manager to remove any “MicrosoftAccount” entries. On Mac, delete the account keychain entries from Keychain Access. Then restart the Outlook client.
- For developers: Adjust retry logic
  Review your authentication flows. If you hard-code retry counts without jitter, you risk compounding server-side throttling. Implement exponential backoff and monitor the Retry-After header, which Microsoft’s service publishes during rate-limiting events.
- Enable multi-factor authentication as a defensive step
  While MFA did not cause this outage, having it active provides an extra replay-attack barrier if your account becomes compromised during such chaos. It remains a best practice.
- Keep an alternative communication channel ready
  For critical messaging, consider setting up a secondary email client (e.g., Thunderbird) or ensuring your phone number is linked for recovery notifications. This reduces panic when primary sign-in fails.
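For the developer guidance above (backing off with jitter, honoring Retry-After, and telling a transient 429 apart from sustained throttling), here is an added example; it is not code from Microsoft or from the sources this article draws on. The constants, the function names and the `send` callable returning `(status, headers)` are assumptions chosen for illustration.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

BASE_DELAY = 1.0    # seconds; assumed starting backoff
MAX_DELAY = 60.0    # assumed cap on any single wait
MAX_ATTEMPTS = 5    # assumed total tries before surfacing the failure
RETRYABLE = {429, 503}

def parse_retry_after(value, now=None):
    """Seconds to wait per a Retry-After header, or None if absent/unparseable.
    RFC 9110 allows delta-seconds ("120") or an HTTP-date."""
    if not value:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())

def next_delay(attempt, retry_after=None, rng=random.random, now=None):
    """Full-jitter exponential backoff, never shorter than the server's hint.
    Returns None when the hint exceeds MAX_DELAY: stop and report instead."""
    hint = parse_retry_after(retry_after, now)
    if hint is not None and hint > MAX_DELAY:
        return None
    ceiling = min(MAX_DELAY, BASE_DELAY * (2 ** attempt))
    return max(rng() * ceiling, hint or 0.0)

def call_with_backoff(send, sleep, rng=random.random):
    """send() -> (status, headers). Returns (final_status, waits_taken)."""
    waits = []
    for attempt in range(MAX_ATTEMPTS):
        status, headers = send()
        if status not in RETRYABLE or attempt == MAX_ATTEMPTS - 1:
            return status, waits
        delay = next_delay(attempt, headers.get("Retry-After"), rng)
        if delay is None:          # sustained throttling: do not hammer
            return status, waits
        waits.append(delay)
        sleep(delay)
```

In real use, pass `time.sleep` as `sleep` and wrap your HTTP call so it returns the status code and a header mapping.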
Looking Ahead
Microsoft has promised a full root-cause analysis within five business days, and typically such incidents trigger a broader review of change management processes. Expect the company to adjust its canary deployment strategy for authentication services, likely adding more gradual rollout rings and synthetic traffic simulations before hitting production.
For users, the takeaway is clear: conveniences like single sign-on come with single points of failure. Building redundancy—a backup client, a secondary method to reach email—is a small investment that pays off when the cloud stumbles. The April 27 outage, while resolved within hours, is another data point in a continuing narrative: the infrastructure behind our digital lives remains astonishingly fragile.