security

I had a customer conversation earlier last week where an interesting scenario popped up - they were using Entra ID to protect their API hosted in Azure Functions, and wanted to make sure that they can use the access token for other Azure API access. The authentication they used was what’s known as Easy Auth.

Just a week ago I was talking about an approach to authenticating into MCP servers with Entra ID. While the approach was OK as a prototype, it had some interesting aspects to it that might or might not work depending on the context. But what if we could improve this a bit?

Not too long ago, Anthropic put forward a draft specification that outlines how authentication and authorization works in the context of MCP. It’s pretty vanilla in terms of what you’d expect from an OAuth-based implementation, but it gets a bit trickier if we try and integrate Microsoft Entra ID into it.

Entra ID has this thing called “flexible Federated Identity Credentials”, or “flexible FIC” for short. You might be confused a bit by the very long name, but behind the term is a really powerful capability that I hope to cover well enough in this post.

Experian, the multinational consumer credit reporting and data aggregator company, is planning to sell off more of your data to third-parties starting February 5, 2025.

I discovered that you can get anyone’s true email address (Google Account) if they are hosting their email on Google Workspaces from their alias, even if the alias is not on the same domain.

The other day one of my friend shared an interesting letter they received, that I thought I’d cover on this blog. It all started with them peeking at their USPS Informed Delivery digest to see that there was a letter headed to them postmarked with an automated Canada Post label.

A short overview of how modern app stores can lead you or your relatives to install authenticator apps that are not really authenticator apps.

I have nothing against the concept of aliases at its core, but I have a lot to say about it being treated as some kind of security barrier against the bad guys and gals busting into your private accounts. Email aliases are a privacy and not a security measure.

To remove the toil of writing authentication code directly, our team at Microsoft has been working on adding a new tool to the developer toolbox - an authentication broker.