
· 6 min read

Earlier this year Microsoft announced the retirement of the Microsoft 365 Security Administrator certification (commonly known by its exam designation MS-500). This wasn't a surprise, as the content was generally replaced by the newer specialty certifications and the SC line of exams.

However, I was surprised to find that Microsoft also retired the Microsoft 365 Enterprise Administrator syllabus and exams, and its replacement is far more security focused than before.

· 5 min read

Ever since Multi-Factor Authentication (MFA) started gaining popularity as a means to limit the usefulness of stolen credentials, it was only a matter of time before attackers adapted to the new reality (as demanded by the Red Queen Effect).

In this article I look at common MFA methods that are not phishing resistant, as well as a recent attack that bypasses MFA.

Check the follow-up post for a different take on bypassing MFA and the resulting implications.

· 3 min read

I'd recently come across WatchGuard's Internet Security Report for last quarter (available here and a summary article here). The findings are surprising and, if the report's results are broadly accurate, indicate a notable lack of tuning of the relevant network security tools.

· 3 min read

In case you have not heard of Static Site Generators (SSGs), they offer a very cost-effective (often free) way to create a website.

However, using SSGs introduces certain feature and security considerations.

· 4 min read

Recently I completed the course materials for CloudBreach's "Breaching Azure" and took the lab exam, obtaining their "Offensive Azure Security Professional" (OASP) certification. Microsoft's Azure and security certifications focus on building and defending cloud services, not trying to bypass defenses, making this certification quite different.

· One min read

Hello and welcome!

I am Michael and I run CloudInfosec.net.

I am a cyber security consultant in Adelaide, Australia - I work in and write about cloud and email security, incident response, and professional development.

If you are interested in seeing collected write-ups of solving particular problems or reviews of various security training offerings, you may find this site to your liking.

Please note, this is a personal website and expresses my opinions alone, not those of any organization.