Matthew Armitage
@mcsamatt.bsky.social
Microsoft Security, Identity and Systems Management nerd. Also enjoy home automation and tinkering with machines. FIDO auth FTW!
I generally enjoy your work Zach, but this may be my favourite comic of yours.
July 26, 2025 at 5:30 PM
Should this graphic be updated given that “approved apps” is being deprecated in Conditional Access? learn.microsoft.com/en-us/entra/...
Migrate approved client app to application protection policy in Conditional Access - Microsoft Entra ID
The approved client app control is going away. Migrate to App protection policies.
learn.microsoft.com
March 9, 2025 at 5:42 PM
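The migration the linked article describes starts with finding every Conditional Access policy that still grants access on the deprecated "approved client app" control. The following audit script is an added example and is not part of the original post or of Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK (2.x) is installed and that the signed-in account holds the Policy.Read.All scope. It only reads policies and reports, it changes nothing.

```powershell
# Added example (not from the original post or Microsoft's docs): audit Conditional Access
# policies that still rely on the deprecated "approved client app" grant control
# (builtInControls value "approvedApplication"). The replacement is an app protection
# policy, which appears in the same list as "compliantApplication".
# Assumes Microsoft.Graph PowerShell SDK 2.x and an account holding Policy.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$report = foreach ($p in $policies) {
    $controls = @($p.GrantControls.BuiltInControls)
    if ($controls -notcontains 'approvedApplication') { continue }

    [pscustomobject]@{
        PolicyName       = $p.DisplayName
        State            = $p.State                   # enabled / disabled / enabledForReportingButNotEnforced
        Operator         = $p.GrantControls.Operator  # 'AND' or 'OR' across the listed controls
        # If the policy already pairs the old control with compliantApplication, the
        # migration is just dropping approvedApplication; otherwise compliantApplication
        # (plus the matching Intune app protection policy) has to be added first, or
        # users lose the grant path when the old control is removed.
        HasAppProtection = ($controls -contains 'compliantApplication')
        AllControls      = ($controls -join ', ')
        PolicyId         = $p.Id
    }
}

if (-not $report) {
    'No Conditional Access policies use the approvedApplication grant control.'
} else {
    $report | Sort-Object State, PolicyName | Format-Table -AutoSize
}
```

Pay attention to the Operator column: with "OR", approvedApplication may be the only control a non-compliant device can satisfy, so removing it without adding compliantApplication turns that policy into an effective block for those users.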
Reposted by Matthew Armitage
I think Cryptomator is available in the UK. If you know similar software feel free to comment.

cryptomator.org/for-individu...
Cryptomator - Cryptomator
Cryptomator is an open-source encryption tool for secure cloud storage. Protect your privacy for free on Dropbox, Google Drive, OneDrive, and more.
cryptomator.org
February 23, 2025 at 11:14 AM
Reposted by Matthew Armitage
Starting today you can update your profile in #Microsoft365 using a new and modern profile editor (replacing the #Delve experience). Go to office.com, search for your name and click on it and find the "Update your profile" button. The team is eager for feedback!
December 9, 2024 at 9:29 AM
Reposted by Matthew Armitage
XML in LDAP teaches you to see God in a new way
December 8, 2024 at 6:58 AM
Reposted by Matthew Armitage
802.1x what are you doing step bro you shouldn't be a fucking LDAP attribute
December 8, 2024 at 6:56 AM
Reposted by Matthew Armitage
😍
Will there perhaps be more info available at an airlift soon?
December 9, 2024 at 2:34 AM
Reposted by Matthew Armitage
Not as long as you might think :).
December 8, 2024 at 4:06 PM
Reposted by Matthew Armitage
I just sent out this week's Entra newsletter 👇

entra.news/p/entra-n...
December 8, 2024 at 11:25 AM
Yes, and I wouldn’t set them up any other way (SSO or bust!). But the reliance on another entire overlay network, with additional network endpoints and additional security monitoring/vulnerability management seems like an area for improvement. The Kaseya breach still haunts me…
December 8, 2024 at 9:17 PM
If we have the GSA agent already on the endpoint, then why have another privileged control path? Just do RDP/VNC/SSH/Something else with the existing secure path, all secured by Entra ID Conditional Access.
If this isn’t on their roadmap, along with integrating Azure Arc, then maybe it should be 😀
December 8, 2024 at 9:08 PM
I would, for example, love to have a remote support agent on endpoint PCs, and enforce access over the GSA network. Current remote support products like TeamViewer, Beyond Trust Remote Support and ScreenConnect all require a separate agent, which adds a net new security boundary to an Org.
December 8, 2024 at 9:02 PM
Oh don’t get me wrong, the network connector has its place, and leveraging the prior App Proxy was a good call. I think a good SASE/SSE product needs to have all three connectivity options. Agent service, Network Connector, and integration with existing networks.
December 8, 2024 at 8:58 PM
I think the real endgame here is moving from having Entra Private Network Connectors, to using a local agent on the systems themselves as the connection. Then firewalling everything else. Ala Tailscale, Cloudflared, or Azure Arc Remote Access. The sooner GSA moves away from a central connector…
December 8, 2024 at 4:07 PM
Reposted by Matthew Armitage
Back in the day, we would compose an email, put billg@microsoft.com in the To field, "Fire me, I'm irresponsible" on the subject line, and just leave it front and centre on their screen, before 3) locking it for them.

I was eventually reprimanded for starting that trend.
December 6, 2024 at 5:54 PM
Reposted by Matthew Armitage
Oh by the way
December 6, 2024 at 1:08 AM
Reposted by Matthew Armitage
A good write up on how Credential Guard prevented a common attack. isc.sans.edu/diary/Creden.... If you haven't looked at this in a while, now is a great time to start. learn.microsoft.com/en-us/window.... Kudos to @syfuhs.net and the team for doing all the hard work on this. #infosec
December 6, 2024 at 4:33 PM
Reposted by Matthew Armitage
This is pretty awesome - require PIM activation before you can RDP to a server, access a credential vault, etc.

This could even be done with approval workflow and authentication contexts to enforce very strong restrictions 🔥

learn.microsoft.com/...
December 7, 2024 at 8:53 AM
Reposted by Matthew Armitage
I’m a fan of adding “SC” and “ES”. Imo it makes it more versatile if changes are being made via Graph or directly in Intune.
December 6, 2024 at 1:08 AM
Reposted by Matthew Armitage

Okay, the self-service site to get your account verified is almost ready to go.

But it's too late over here in Australia, and I'm not brave enough to hit publish on a new site and go to bed 🙈

So the plan is to launch this 👇 tomorrow!

Stay tuned...
December 1, 2024 at 12:28 PM
Reposted by Matthew Armitage
One of the highest importance things in Security is thinking as a Graph not a List. Owning Twitter doesn't get you Twitter. It gets you everything that trusts Twitter.

John Lambert, one of the seniormost Microsoft people who has his hand fighting their greatest battles.
medium.com/@johnlatwc/d...
Defender’s Mindset
This is a collection of thoughts, quips, and quotes from tweets, blogs, and presentations over the years. If you find them helpful, drop me…
medium.com
December 1, 2024 at 9:35 PM
Reposted by Matthew Armitage
If, like me, you're retaining your account to prevent someone else from scooping it up, you should go delete all of these. Settings and privacy > Security and account access > Apps and sessions > Connected apps
Twitter is a sign-in identity provider too... And revoking access at Twitter or deleting your account does not necessarily break that delegation token...
I trust their security team made this happen. But it's not intrinsic.
December 1, 2024 at 9:22 PM
Reposted by Matthew Armitage
i think i may start doing 'skytalks' on how not to get fucked when starting a company, getting investment, and building a team

there's a lot of folks in infosec and adjacent industries that have stars in their eyes and brilliant ideas, but have no idea what a bad deal looks like
November 27, 2024 at 12:59 AM
Reposted by Matthew Armitage
Microsoft Intune now allows you to configure Platform SSO (Single Sign-On) for Apple macOS devices. Platform SSO is an extension to the existing Microsoft Enterprise SSO plug-in that brought single sign-on (SSO) to macOS using Microsoft Entra ID accounts.
November 27, 2024 at 8:56 AM