Not sure why, but we logged into webmatrix, hosting joomla, using our Azure AD-integrated accocunt
then we enabled SSL.
So is this vulnerable?
Well, the IIS express seemed to be the entity deliering the SSL (which means windows is doing the work). It didn’t SEEM to be joomla doing its own.
On the matter of logging into Azure AD, the publication to an azure website was lovely. Well done microsoft azure!