Matthew Armitage
@mcsamatt.bsky.social
Microsoft Security, Identity and Systems Management nerd. Also enjoy home automation and tinkering with machines. FIDO auth FTW!
I generally enjoy your work Zach, but this may be my favourite comic of yours.
July 26, 2025 at 5:30 PM
Should this graphic be updated given that “approved apps” is being deprecated in Conditional Access? learn.microsoft.com/en-us/entra/...
Migrate approved client app to application protection policy in Conditional Access - Microsoft Entra ID
The approved client app control is going away. Migrate to App protection policies.
learn.microsoft.com
March 9, 2025 at 5:42 PM
Reposted by Matthew Armitage
XML in LDAP teaches you to see God in a new way
December 8, 2024 at 6:58 AM
Reposted by Matthew Armitage
802.1x what are you doing step bro you shouldn't be a fucking LDAP attribute
December 8, 2024 at 6:56 AM
😍
Will there perhaps be more info available at an airlift soon?
December 9, 2024 at 2:34 AM
Reposted by Matthew Armitage
Not as long as you might think :).
December 8, 2024 at 4:06 PM
Yes, and I wouldn’t set them up any other way (SSO or bust!). But the reliance on another entire overlay network, with additional network endpoints and additional security monitoring/vulnerability management seems like an area for improvement. The Kaseya breach still haunts me…
December 8, 2024 at 9:17 PM
If we have the GSA agent already on the endpoint, then why have another privileged control path? Just do RDP/VNC/SSH/Something else with the existing secure path, all secured by Entra ID Conditional Access.
If this isn’t on their roadmap, along with integrating Azure Arc, then maybe it should be 😀
December 8, 2024 at 9:08 PM
I would, for example, love to have a remote support agent on endpoint PCs, and enforce access over the GSA network. Current remote support products like TeamViewer, Beyond Trust Remote Support and ScreenConnect all require a separate agent, which adds a net new security boundary to an Org.
December 8, 2024 at 9:02 PM
Oh don’t get me wrong, the network connector has its place, and leveraging the prior App Proxy was a good call. I think a good SASE/SSE product needs to have all three connectivity options. Agent service, Network Connector, and integration with existing networks.
December 8, 2024 at 8:58 PM
I think the real endgame here is moving from having Entra Private Network Connectors, to using a local agent on the systems themselves as the connection. Then firewalling everything else. Ala Tailscale, Cloudflared, or Azure Arc Remote Access. The sooner GSA moves away from a central connector…
December 8, 2024 at 4:07 PM
Reposted by Matthew Armitage
Back in the day, we would compose an email, put billg@microsoft.com in the To field, "Fire me, I'm irresponsible" on the subject line, and just leave it front and centre on their screen, before 3) locking it for them.

I was eventually reprimanded for starting that trend.
December 6, 2024 at 5:54 PM
Reposted by Matthew Armitage
I’m a fan of adding “SC” and “ES”. Imo it makes it more versatile if changes are being made via Graph or directly in Intune.
December 6, 2024 at 1:08 AM