This is the Trace Id: 4e122d5f526a6a0d4fc7968dc0ab06f8
Skip to main content Report Security Vulnerability Report Abuse Report Infringement Submission FAQs Reporting Vulnerability Security Update Guide Exploitability index Developer API documentation Frequently Asked Questions Technical Security Notifications Glossary Microsoft Bug Bounty Programs Microsoft Active Protections Program BlueHat Security Conference Researcher Recognition Program Windows Security Servicing Criteria Researcher Resource Center Mission Cyber Defense Operations Center Coordinated Vulnerability Disclosure Social Microsoft Security Response Center Security Research & Defense BlueHat Conference Blog Security Researcher Acknowledgments Online Services Researcher Acknowledgments AI Safety Acknowledgements Security Researcher Leaderboard

From first report to MVR: Harun’s path in cloud security research

MSRC
/ By MSRC /
Harun

Harun’s relationship with technology began early, driven by curiosity rather than obligation. While still in high school, he taught himself Pascal and C simply because he wanted to understand how things worked. Those languages never became central to his professional career, but they shaped how he approached problem solving. Later, when Harun began working deeply with the Microsoft Cloud, that same curiosity found a far larger and more complex environment to explore.

As his experience grew, Harun worked hands-on with almost every Microsoft 365 and Azure resource, developing an instinct for recognizing when something did not behave as expected. That instinct paid off in December 2021 during a weekend of testing Azure DNS. While experimenting in his own environment, Harun noticed subtle inconsistencies between what the Azure Portal displayed and what scripts returned. Reproducing the behavior in a test tenant confirmed that it was not just an isolated glitch. Something deeper was wrong, even if the cause was not yet clear.

While researching the issue, Harun discovered that findings like this could be responsibly reported to Microsoft Security Response Center (MSRC). His first submission was not perfect, but within two days MSRC validated it as important. Engineering fixed the issue quickly, and the experience left a lasting impression on him. That early success gave Harun both confidence and momentum, reinforcing that careful observation and persistence could lead to real security improvements at cloud scale.

Today, Harun focuses his research on identity and cross-product integration, areas where scale and complexity naturally create risk. Within the Microsoft Cloud, each service uses its own architecture and role model, and those seams are where Harun concentrates his efforts. He is never bored by documentation, instead reading deeply to understand how products are expected to interact. His research philosophy centers on boundary conditions, especially where identity flows across services and assumptions break down.

Among Harun’s many discoveries, a few stand out for their impact. In one case, he identified a vulnerability that allowed an unauthenticated attacker to update Entra ID administrative settings for any organization, creating a direct path to privilege escalation. MSRC addressed the issue immediately, but Harun later uncovered a related variant, which led to additional fixes and even a broader design change.

Another discovery proved equally impactful. Harun found a critical vulnerability in a core Microsoft 365 product that exposed passwords, tokens, endpoint APIs, and detailed communications shared between Microsoft and its customers. The severity of the issue prompted a swift response and remediation from MSRC. Findings like these contributed to Harun being recognized as a Microsoft Most Valuable Researcher (MVR), acknowledging his ongoing commitment to strengthening the security of the Microsoft ecosystem.

Outside of independent research, Harun works as an M365 and Azure Cloud Consultant, a role that complements his security mindset. Seeing hundreds of Microsoft services interact in real customer environments fuels his desire to understand how APIs communicate and how configuration choices ripple across systems. This perspective has helped him qualify for programs such as Zero Day Quest, where his individual research style and persistence continue to produce meaningful results.

When he steps away from security research, Harun relaxes by watching football, especially UEFA Champions League matches and national team games. Sitcoms also play an important role, helping him recharge after long stretches of intense technical focus.

Reflecting on his journey, Harun emphasizes patience, empathy, and lifelong learning. Discovering serious vulnerabilities in products that undergo extensive testing can be challenging, and reports are often reviewed from different perspectives. Patience is essential, as is communicating with empathy throughout the disclosure process. Even when an initial submission is met with skepticism, clear reasoning and respectful collaboration often lead to positive outcomes.

Harun also credits the broader security community for his continued growth. He actively follows security discussions across LinkedIn, treating them as a living knowledge base. He tests new ideas and lessons in his own tenant before drawing conclusions, strengthening his understanding through hands-on validation.

For new researchers, Harun’s advice is simple and practical. Read Microsoft documentation carefully and test everything in a dev & test environment. Completing Azure and Microsoft 365 certifications helped him understand not just how features are designed, but how they behave when integrated at scale. At the same time, he encourages researchers to trust their own instincts. Everyone brings a unique perspective to security research and embracing that individuality is often what leads to breakthroughs. His experiences as both an MVR and a Zero Day Quest qualifier have reinforced that originality, persistence, and curiosity are just as valuable as deep technical knowledge.

Through careful observation and relentless curiosity, Harun continues to improve the security of the Microsoft Cloud, one boundary case at a time.

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads