Microsoft Cancels $3B Oracle Cloud Deal, Citing Security Concerns and Prioritizing Azure Control

Microsoft has backed out of a ~$3 billion deal to lease Oracle's cloud infrastructure, citing significant security concerns.

The decision follows a recently disclosed critical vulnerability in Oracle's PeopleSoft software, which heightened scrutiny over third-party risks.

While the financial impact is manageable for Oracle, the move signals Microsoft's strategic priority to maintain tight control over its Azure-first ecosystem for security and supply assurance.

MSFT.KSORCL.KSEQIX.KSDLR.KS

Microsoft recently made a significant strategic move, walking away from a roughly $3 billion deal to lease capacity on Oracle's Cloud Infrastructure (OCI).

This decision wasn't primarily about money, but about control and security. For a company like Microsoft, which promises top-tier security to its Azure cloud customers, relying on a third-party's infrastructure introduces risks. The timing of this cancellation is key to understanding the 'why now', as several recent events likely tipped the scales.

First and most importantly, a critical security flaw was recently discovered. In early June 2026, Oracle disclosed a 'zero-day vulnerability' in its widely used PeopleSoft software. This wasn't just a theoretical problem; hackers were actively exploiting it to breach over 100 organizations. For Microsoft, which was in the process of vetting Oracle's infrastructure, this news would have raised major red flags about third-party security risks.

Second, this specific security incident landed amid a broader narrative of caution surrounding Oracle. News reports had already been highlighting Oracle's massive backlog for AI projects and its increasing need for financing. While this is mainly a financial story, it adds to the perception of counterparty risk—essentially, the risk that the other party in a deal won't be able to hold up its end of the bargain, especially on a long-term lease with critical security obligations.

Ultimately, this decision reinforces Microsoft's 'Azure-first' strategy. The company has a massive capital expenditure (capex) plan of around $190 billion for 2026, signaling its intent to build and control its own capacity wherever possible. The $3 billion saved from the Oracle deal is a tiny fraction of this budget. By stepping away, Microsoft is sending a clear message: the security, reliability, and direct control it gets from its own data centers are more valuable than the convenience of leasing extra capacity, even from a long-standing partner.

For Oracle, losing a $3 billion deal is a narrative blow, but the financial impact is likely manageable. Spread over a typical 5-to-10-year lease, the annual revenue loss would be a small percentage of its total cloud income. The bigger challenge will be reassuring other potential customers about its security posture.

Zero-day vulnerability: A software security flaw that is known to the software vendor but doesn't have a patch in place to fix it. This makes it a prime target for hackers.
Capex (Capital Expenditure): Funds used by a company to acquire, upgrade, and maintain physical assets such as property, plants, buildings, technology, or equipment.
Azure-first: A strategy where a company prioritizes using its own cloud platform (in this case, Microsoft Azure) for its services and operations over third-party providers.