Merill Fernando’s recent YouTube video features Emilien Socchi, a cloud security research engineer, explaining two open-source projects that aim to close gaps in identity and access protections. Together, the tools examine conditional access policy interactions and map privilege escalation risks across Microsoft environments. As the video shows, these projects help shift teams from reactive log review to proactive security testing.
What the Video Covers
First, the video outlines CA Insight, a tool that evaluates millions of sign-in combinations offline and quickly surfaces multifactor authentication (MFA) gaps. Then, it explores AZTier, which models administrative tiers and attack paths across Entra ID, Azure, and Microsoft Graph. Finally, the discussion contrasts offline evaluation with API-driven approaches and explains why scaling matters for real-world defenses.
CA Insight: Massive Offline Evaluation
CA Insight simulates a very large set of conditional access combinations to detect unprotected access paths, and it does so offline to avoid API rate limits. In the video, Emilien explains that the tool evaluates hundreds of millions of combinations in minutes instead of days, which makes broad testing practical for busy security teams. Consequently, organizations can detect gaps that traditional sampling or incremental checks tend to miss.
Moreover, the offline approach reduces dependence on the platform’s live APIs, which can throttle requests and fail to scale for exhaustive testing. However, running large offline simulations requires careful modeling of policies, exclusions, and real-world signals so findings remain accurate. Therefore, teams must balance simulation depth against the effort to keep models synchronized with live configurations.
Furthermore, CA Insight outputs prioritized recommendations rather than raw findings, which helps defenders focus on high-impact fixes first. At the same time, automation can introduce risk: incorrect remediation could block legitimate access or create service interruptions. Thus, the video emphasizes staged rollout and review to ensure accuracy before enforcement.
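To make the offline evaluation idea concrete, here is a small added example in Python. It is not CA Insight's code and does not use Microsoft's policy schema; the dictionary-based policy format, the five sign-in dimensions, and the three policies are all constructed for illustration. It enumerates every combination of the assumed dimensions, applies the policies without touching any API, and groups the sign-ins that are allowed without MFA into a prioritized list, which is the shape of output the video describes.

```python
"""Offline conditional access gap finder (added example, not CA Insight's code).

Policies are plain dicts with include/exclude conditions per dimension. Every
combination of the assumed dimensions is evaluated locally; a combination is a
gap when no enabled policy blocks it or requires MFA for it. All dimension
values and policies below are constructed for illustration.
"""
from itertools import product

# Constructed sign-in dimensions (assumption: a real tenant has many more
# signals, e.g. named locations, sign-in risk, device compliance).
DIMENSIONS = {
    "group": ["all-users", "admins", "guests", "break-glass"],
    "app": ["office365", "azure-portal", "legacy-smtp", "custom-app"],
    "platform": ["windows", "ios", "android", "linux"],
    "client": ["modern-auth", "legacy-auth"],
    "location": ["trusted", "untrusted"],
}

ANY = "*"  # wildcard meaning "this dimension is not constrained"


def matches(policy, signin):
    """True when the policy's include/exclude conditions cover this sign-in."""
    for dim, value in signin.items():
        inc = policy["include"].get(dim, [ANY])
        exc = policy["exclude"].get(dim, [])
        if ANY not in inc and value not in inc:
            return False
        if value in exc:
            return False
    return True


def evaluate(policies, signin):
    """Effective outcome for one sign-in: 'block' beats 'mfa' beats 'allow'."""
    outcomes = {p["grant"] for p in policies
                if p["state"] == "enabled" and matches(p, signin)}
    if "block" in outcomes:
        return "block"
    if "mfa" in outcomes:
        return "mfa"
    return "allow"


def find_gaps(policies, dimensions=DIMENSIONS):
    """Enumerate all combinations and return the ones allowed without MFA."""
    keys = list(dimensions)
    gaps = []
    for values in product(*(dimensions[k] for k in keys)):
        signin = dict(zip(keys, values))
        if evaluate(policies, signin) == "allow":
            gaps.append(signin)
    return gaps


def summarize(gaps):
    """Group gaps by (group, app), most affected first, for prioritization."""
    counts = {}
    for g in gaps:
        key = (g["group"], g["app"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed policy set with two deliberate weaknesses an exhaustive sweep
# should surface: the MFA policy is scoped to modern-auth clients only and
# excludes the break-glass group, and legacy auth is blocked only for office365.
POLICIES = [
    {"name": "Require MFA (modern auth)", "state": "enabled", "grant": "mfa",
     "include": {"group": [ANY], "client": ["modern-auth"]},
     "exclude": {"group": ["break-glass"]}},
    {"name": "Block legacy auth to Office 365", "state": "enabled", "grant": "block",
     "include": {"app": ["office365"], "client": ["legacy-auth"]}, "exclude": {}},
    {"name": "Block guests from portal", "state": "disabled", "grant": "block",
     "include": {"group": ["guests"], "app": ["azure-portal"]}, "exclude": {}},
]

if __name__ == "__main__":
    gaps = find_gaps(POLICIES)
    print(f"{len(gaps)} unprotected combinations")
    for (group, app), n in summarize(POLICIES and gaps)[:5]:
        print(f"  {group:12s} {app:12s} {n} sign-in variants without MFA")
```

Running it reports 128 of the 256 combinations as unprotected, led by break-glass access to every app and by legacy authentication to the three apps the block policy does not cover. The point of the structure is that the evaluator is pure: the same `evaluate` can be replayed against a policy export as often as needed, and the disabled policy shows why a model must carry policy state, not just conditions.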
AZTier: Mapping Roles and Attack Paths
AZTier complements policy testing by mapping administrative roles and potential escalation routes across identity and cloud resources. Emilien demonstrates how the project categorizes roles to show where privilege elevation is possible, giving both red teamers and defenders a clearer view of risk. In this way, teams can prioritize locking down high-risk roles and pathways.
In addition, AZTier integrates knowledge of Entra ID, Azure, and Microsoft Graph interactions to reveal cross-plane escalation scenarios that often go unnoticed. The tool’s layered model helps organizations see how a low-privilege compromise could cascade into broader control. Consequently, defenders can design mitigations that address the real chains attackers might exploit.
Nevertheless, creating and maintaining an accurate tiering model requires organizational discipline and ongoing validation. Roles change, new services appear, and permissions drift over time, so the model must be revisited regularly. Therefore, the video suggests combining AZTier findings with continuous monitoring to reduce stale assumptions and keep controls effective.
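The tiering and attack-path idea behind AZTier can be shown with a small added example in Python. This is not AZTier's code or its data: the tier assignments, the control edges between roles and identities, and the reasons on those edges are constructed for illustration, including one deliberately stale tier label. The script flags every edge that moves from a less privileged tier into a more privileged one and finds the shortest chain from each non-tier-0 principal into tier 0, which is the kind of cross-plane cascade the video describes.

```python
"""Tiering model and escalation path finder (added example, not AZTier's code).

Nodes are roles or identities with a tier (0 = most privileged). A directed
edge (src, dst, reason) states that holding src lets you obtain dst. An edge
into a lower-numbered tier is a tiering violation; a chain of such edges is
an escalation path. All tiers and edges are constructed for illustration.
"""
from collections import deque

# Constructed tier assignment. "automation-mi" is deliberately labelled tier 1
# even though it holds a tier-0 directory role: a stale entry the check catches.
TIERS = {
    "Global Administrator": 0,
    "Privileged Role Administrator": 0,
    "Application Administrator": 1,
    "Subscription Owner": 1,
    "Service Principal: backup-sp": 1,
    "Managed Identity: automation-mi": 1,
    "Helpdesk Administrator": 2,
    "Automation Account Contributor": 2,
}

# Constructed control edges spanning Entra ID and Azure resource planes.
EDGES = [
    ("Helpdesk Administrator", "Application Administrator",
     "constructed: custom scoped policy permits password reset"),
    ("Application Administrator", "Service Principal: backup-sp",
     "can add credentials to the application"),
    ("Service Principal: backup-sp", "Subscription Owner",
     "service principal holds Owner on the subscription"),
    ("Subscription Owner", "Automation Account Contributor",
     "Owner inherits all resource roles"),
    ("Automation Account Contributor", "Managed Identity: automation-mi",
     "can run runbooks under the account's identity"),
    ("Managed Identity: automation-mi", "Privileged Role Administrator",
     "identity is assigned this directory role"),
    ("Privileged Role Administrator", "Global Administrator",
     "can assign any directory role"),
]


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, reason), ...]."""
    graph = {}
    for src, dst, reason in edges:
        graph.setdefault(src, []).append((dst, reason))
    return graph


def tier_violations(edges, tiers):
    """Edges whose target is in a more privileged (lower-numbered) tier."""
    return [(s, d, r) for s, d, r in edges if tiers[d] < tiers[s]]


def shortest_escalation(start, graph, tiers, target_tier=0):
    """BFS for the shortest path from start to any node at target_tier or below."""
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node != start and tiers.get(node, 99) <= target_tier:
            return path
        for nxt, _reason in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def escalation_paths(tiers, edges, target_tier=0):
    """Map every principal above target_tier to its shortest path into it."""
    graph = build_graph(edges)
    paths = {}
    for node, tier in tiers.items():
        if tier > target_tier:
            path = shortest_escalation(node, graph, tiers, target_tier)
            if path:
                paths[node] = path
    return paths


if __name__ == "__main__":
    for s, d, r in tier_violations(EDGES, TIERS):
        print(f"VIOLATION tier {TIERS[s]} -> tier {TIERS[d]}: {s} -> {d} ({r})")
    for node, path in escalation_paths(TIERS, EDGES).items():
        print(f"{node}: {' -> '.join(path)}")
```

Three edges violate the model, and every tier-1 and tier-2 principal reaches tier 0, so the output for a defender is two remediation lists: edges to cut (for example, the managed identity's directory role) and tier labels to correct. Because the check is a pure function of the tier map and the edge list, it can be rerun whenever roles or assignments drift, which is the continuous validation the video calls for.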
Tradeoffs and Operational Challenges
Both projects address important gaps but also introduce tradeoffs that teams should consider when adopting them. For example, exhaustive offline testing demands compute and careful environment representation, while API-driven checks are simpler but can miss complex interactions under rate limits. Thus, teams must choose a strategy that matches their resources and risk tolerance.
Additionally, automation of recommendations and remediation speeds response, but it can amplify mistakes if policies or models are wrong. The video recommends human review of prioritized fixes and phased rollouts to reduce disruption. Meanwhile, governance and clear change control help balance rapid improvement with operational stability.
Practical Guidance for Security Teams
Emilien and Merill both highlight practical steps for teams that want to adopt these tools, including validating models against real traffic and testing changes in nonproduction environments. They also recommend coupling offline analysis with real-time monitoring so teams both prevent gaps and detect anomalies that bypass controls. Consequently, organizations build layered defenses that are both proactive and responsive.
Finally, the presenters advise integrating outputs into existing workflows like incident response and patching cycles to turn findings into sustained risk reduction. Over time, the combination of policy testing, role mapping, and thoughtful automation can significantly reduce the attack surface. Therefore, while challenges remain, the video makes a compelling case for treating conditional access and role hygiene as continuous engineering problems rather than one-off tasks.
