The Microsoft Security Grant Project program invites researchers across the globe to explore security aspects which align to Microsoft’s ongoing mission to empower every person and organization on the planet to achieve more – safely and securely.

Microsoft’s Identity services encompass all consumer and commercial identity entities in relation to all aspects of user, device, application and services. To this end, research into vulnerabilities, improvements, privacy, security, function, fraud and abuse is critical to our desire to protect our customers who use these services to authenticate and access their resources.

The Microsoft Security Response Center (MSRC) invites researchers to submit proposals that explore the security of the Identity solutions for both Consumers (Microsoft Account) and Enterprise (Azure Active Directory) in new ways.

Proposals should align with our ongoing areas of interest, which include but are not limited to the following:

Project Category

Identity Research Project Ideas

Protocol Design & Implementation

Identify security vulnerabilities and/or propose solutions to strengthen the design of protocols and standards (proprietary or open source) used by Microsoft’s Identity services (e.g. OAuth 2.0).


Identify security vulnerabilities and/or propose solutions to strengthen the implementations of standards and protocols used by Microsoft’s Identity services.

Security and User Perception

Research towards identifying and/or bridging potential gaps between the security guarantees provided by Microsoft’s Identity services and users’ understanding of these services, especially where this may have security consequences.

Application Security

Research into novel vulnerabilities and mitigations within individual Microsoft-specific software, features, and offerings relating to Identity.

PII and Private Data Leakage

Research into highly used first- or third-party applications that may be unintentionally or intentionally misrepresenting their functionality to leak or steal PII.

Threat Actors, Architectures and Trends

Research into actors, architectures, and trends of malicious or abusive actors and applications specifically targeting identities and services built on Microsoft services.

Project information:
  • Proposals can be made by individuals or small collaborative teams.
  • Projects must be no more than 12 months in duration, with a preference for shorter periods.
  • Proposals may request funding up to $75,000 USD, depending on the specific requirements.
  • Successful awardees will be listed on the MSRC website and permitted to publish findings/insights from their work, though we request coordinated disclosure if your findings would reveal otherwise unresolved vulnerabilities.
To apply:

We ask applicants to submit a 2–3 page proposal which should include:

  • A research question and a clear statement of work.
  • A summary of the project (1–2 pages) specifying the area of focus, a description of the project, relevant prior work, and a timeline with milestones for deliverables and expected outcomes.
  • A draft budget description (max 1 page) including an approximate cost of the award and explanation of how funds would be spent.
  • Name(s) of the personnel involved in the proposed project, with links to all relevant CVs.
  • Indication of any previous or current connections/collaborations with Microsoft, Microsoft Research and/or MSRC vulnerability reports.
  • Grant proposals must be submitted via email to this address in any of the following formats: Word document, text-only file, or PDF. Hard-copy proposals will not be considered.
Timing and dates:
  • Applications are now open. The deadline for submitting proposals is Friday, March 6, 2020 at 23:59 Anywhere on Earth.
  • Awardees will be notified by the end of March 2020.
  • Applicants may submit one proposal per solicitation.
  • Applicant(s) must be the primary researcher on any resulting grant.
  • Researchers must be eligible as outlined in the “PROGRAM ELIGIBILITY” subsection of the MSRC Bounty Terms.
Terms and Conditions:
  • In-Scope vulnerabilities found during an active research grant can be reported here.
  • Grant proposals submitted to Microsoft will not be returned. Microsoft cannot assume responsibility for the confidentiality of information in submitted grant proposals. Therefore, proposals should not contain information that is confidential, restricted, or sensitive.
  • Incomplete grant proposals will not be considered.
  • Due to the volume of submissions, MSRC cannot provide feedback to individuals who propose, but do not receive, a grant.
  • All research must comply with the MSRC Code of Conduct.