In early 2020, I published an article on how a Global Administrator could gain control of Azure resources, how no one would know about it, and how this access would persist even after removing them from Global Administrator. From that article: “While Azure leverages Azure Active Directory for some things, Azure AD roles don’t directly …| Active Directory & Azure AD/Entra ID Security
In this article, I would like to point out options to identify, monitor and avoid persistent access to Managed Identity privileges through federated credentials added on User-Assigned Managed Identities (UAMI) by malicious or unauthorized entities. We will also have a quick look at attack paths and privileges which should be considered.| Thomas Naunheim
In the recent parts of this blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and threats. This includes the usage of Conditional Access for Workload ID, but also configuring a Microsoft Sentinel Playbook with the least privileges.| Thomas Naunheim
Attack techniques have shown that service principals are used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example, as part of the NOBELIUM attack path. Abuse of privileged Workload identities for exfiltration and privilege escalation is just a further step in such attack scenarios. In this part, we will have a closer look at monitoring workload identities with Identity Threat Detection Response (ITDR) by Microsoft Defender XD...| Thomas Naunheim
Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can also be abused by Security Administrators for privilege escalation, such as creating an (Active Directory) Domain Admin account or “phishing” an access token from an (Azure AD) Global Admin on a PAW device. In this blog post, I will describe the potential attack paths and a few approaches for detection but also mitigation.| Thomas Naunheim
Conditional Access and Entitlement Management play an essential role in applying the Zero Trust principles of “Verify explicitly“ and “Use least-privilege access“ to Privileged Identity and Access. In this article, I would like to describe how these features can be used to secure access to privileged interfaces and how to assign privileged access while considering Identity Governance policies.| Thomas Naunheim
Microsoft has released a feature to automate on- and off-boarding tasks for Azure AD accounts. Lifecycle workflows offer built-in workflow templates but also the option to integrate Logic Apps as custom extensions. In this blog post, I would like to give an example of how to use this feature to automate the lifecycle of privileged accounts in association with a hiring and termination process.| Thomas Naunheim
Microsoft in recent months has made leaps and bounds to support Multi-Tenant organizations utilizing Cross-tenant Synchronization.| Mindcore Techblog
There are several ways you can access the Azure AD Protected APIs in Power Platform Flows and Apps. Without creating Custom Connectors, which basically can connect to any REST based API that is available, it is useful to know what built-in HTTP connectors are available and can be used for delegated authentication to Azure AD […]| GoToGuy Blog
I’m excited to be travelling to Bonn, Germany, and to speak at the upcoming Cloud Identity Summit 2022, which will be held September 22nd at adesso SE, close to the city of Bonn. This is my second time speaking at the Cloud Identity Summit, the first time was in 2020 and that was a […]| GoToGuy Blog
I’m excited to be travelling to Glasgow, Scotland, and to speak at the Scottish Summit 2022, which will be held June 10th and 11th at Strathclyde University TIC, Glasgow. This is the first time I travel to Scotland and Glasgow, and to present in-person at the Scottish Summit, although I last year presented a […]| GoToGuy Blog
I’m very happy and excited to once again speak at NIC (Nordic Infrastructure Conference), which will be held May 31 – June 2 at Oslo Spektrum, Norway. Previously held in a winterly Oslo in February, and last time held just before the Corona outbreak in 2020, attendees and speakers should this time experience a beautiful Oslo spring […]| GoToGuy Blog
I’m excited and very much looking forward to speaking at the upcoming Oslo Power Platform & Beyond Community Event, which will happen in-person on May 21st 2022 at Microsoft Norway offices i…| GoToGuy Blog
Post by: Traci Herr – March 14, 2022, Last updated: 6/2/2025 There are many reasons that the Teams IP Phones, Teams Room Systems (MTR-android) devices, Teams Panels and Teams Displays can get…| UC Mess
I’ve done a few troubleshooting blog posts over the years, and they are easily the most popular on my site. This one in particular is still going strong (#1 post of all time), almost five yea…| Out of Office Hours
I’ve seen a lot of blog posts about registering devices with Windows Autopilot, either at a command prompt in OOBE (Shift-F10, run PowerShell) or as part of some other automation. Now with Au…| Out of Office Hours
Hello fellow geeks! Today I’m going to take a break from my AI Foundry series and save your future self some time by walking you through a process I had to piece together from disparate links…| Journey Of The Geek
Since August 2024 there has been a sophisticated phishing campaign actively leveraging the device code authorization flow. Currently, there is a wide range of attacks targeting many sectors, including government, IT services and critical industries. The attack... The post How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow appeared first on Jeffrey Appel - Microsoft Security blog.| Jeffrey Appel – Microsoft Security blog
Microsoft, and the general identity industry, has recommended that applications use certificates over secrets when it comes to credentials for things like applications. This recommendation has existed for about as […] The post Spying on your ISVs credential choices appeared first on Eric on Identity.| Eric on Identity
AzureAD and MSOnline Modules are being retired this year. Find scripts and migrate them now to Microsoft Graph| LazyAdmin
I could stop there, but I won’t. In any case, let’s review the Windows Enterprise SKU licensing model, straight from the source: Windows 11 Enterprise is licensed as an upgrade license …| Out of Office Hours
The combination of Exchange Online dynamic distribution lists and custom filters allow organizations to precisely target audiences to receive email.| Office 365 for IT Pros
Today, I made the decision to upgrade my test environment and update the version of Azure AD Connect to the latest one. The process is usually simple: download a new MSI, run it, click next a few times, enter the credentials for your Global Admin, and you're finished. However, this time, I encountered an error. The post Upgrade Azure Active Directory Connect fails with unexpected error appeared first on Evotec.| Evotec
I mentioned in my previous post that I was able to use “Co-management Authority” (a.k.a. “Co-management settings”) to install the ConfigMgr agent and then initiate a task se…| Out of Office Hours
For those that must manage application integrations in Entra ID, it’s an inevitable question: What is the difference between an App Registration and an Enterprise Application? Why are there two […] The post Entra App Registrations and Enterprise Applications: The Definitive Guide appeared first on Eric on Identity.| Eric on Identity
In the first part, I set up Workspace ONE and integrated it into my existing Entra ID (Azure AD) tenant. In part 2, I set up apps and policies that should be deployed to my devices. That prepares m…| Out of Office Hours
In the first part, I got to the point where I could successfully get a device into a managed state, but that doesn’t mean the device is actually usable. To get it to that state, I need to dep…| Out of Office Hours
I’ve spent a lot of time over the years talking to ISVs about provisioning Windows devices, but I’ve never actually used any non-Microsoft solutions for doing that. In that time, one of…| Out of Office Hours
My first thoughts around Autopilot v2 (a.k.a. Autopilot device preparation) are scattered through a week of posts: Digging into Windows Autopilot v2 Windows Autopilot v2 experience: Some surprises …| Out of Office Hours
One of the things that is not currently included in the APv2 device preparation policy is an option to configure the computer name, so as a result the devices end up being given a random name like …| Out of Office Hours
The social media DMs, e-mails, and blog comments around Autopilot v2 have raised a bunch of questions, interesting points, speculation, opinions, etc. I figured it would be useful to summarize thos…| Out of Office Hours
Yes, I know the official name is “Windows Autopilot Device Preparation.” But that’s too much of a mouthful and doesn’t really even describe what this is, other than “s…| Out of Office Hours
You’ve probably run into a scenario like this before and never understood why: You assign a new, seemingly harmless policy into a configuration profile in Intune, and now the device reboots a…| Out of Office Hours
Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its health is pivotal for the seamless operation of various services. Today, I decided to look at the Microsoft Entra Connect Health (Azure AD Connect Health) service, which allows monitoring Azure AD Connect, ADFS, and Active Directory. This means that under a single umbrella, you can have an overview of three services’ health. But is it worth it? The post Active Directory Health Check using Mic...| Evotec
A PowerShell script to remove a user, or a set of users, from all groups they are a member of by using the Graph API methods. You can leverage the additional parameters of the script in order to also remove any directory role assignments, ownership assignments and delegate permission grants. The script supports Microsoft 365 Groups, Entra Security Groups, Exchange Distribution Groups and Mail-Enabled security groups.| Blog
Recently, threat actors like Midnight Blizzard have used OAuth applications in tenants that they can misuse for malicious activity. Actors use compromised user accounts to create/modify and grant permissions to OAuth applications in tenants and move across test and...| Jeffrey Appel - Microsoft Security blog
Azure AD Privileged Identity Management makes it possible to configure activation and expiration settings on a per-role basis. This is very powerful since the 90+ Azure AD roles provide varying levels of permissions in your tenant. The PIM portal currently provides little to no bulk management of roles and you basically need to go in and configure … (Automatic Azure AD PIM Role Micromanagement Based on Role Impact)| Daniel Chronlund Cloud Security Blog
Ransomware has been the major cyber threat over the last couple of years, and it still is! But a new trend I see is the rise of wiper malware, which basically tries to destroy your data instead of encrypting it. This could be used as part of extortion, but we’ve all seen the recent news of … (The Threat of Microsoft 365 Wiper Malware)| Daniel Chronlund Cloud Security Blog
According to the Microsoft Digital Defense Report 2022, weak identity controls are listed as one of the top three contributing factors found during ransomware incident response. One particularly troubling finding within identity […] The post Protect your privilege with PAW appeared first on Eric on Identity.| Eric on Identity
If you haven’t followed the news recently, Descope released an article diving into how their security researchers were able to abuse OpenID Connect (OIDC) ID token claims to spoof the […] The post The nOAuth “flaw” is a symptom of industry anti-patterns appeared first on Eric on Identity.| Eric on Identity
According to Wikipedia, Toshkent (or Tashkent) is the largest city in, as well as the capital of, Uzbekistan, a country located in Central Asia. The city sports a population of […] The post March 23rd, 2023: The Day Everyone Came From Uzbekistan appeared first on Eric on Identity.| Eric on Identity
Back in 2022, I did a post about using the MDM terms of use page (which is almost never actually used since Azure AD now has a better solution as part of conditional access) to prompt for informati…| Out of Office Hours
It seems like a simple question, but a complete answer isn’t necessarily simple. We can start off with the documentation: OK, so about every 8 hours. But it’s different right after you …| Out of Office Hours
I noticed a section on the Features in development page that talks about a change coming on April 1st, which is not very far away (and an interesting place to put “we’re going to break …| Out of Office Hours
It’s a question that’s come up a number of times: How can I take a device running Windows 11 Home, upgrade it to Windows 11 Education, and provision it via Windows Autopilot? I suppose …| Out of Office Hours
In an Autopilot user-driven AAD join deployment profile, you can configure it to specify the “Language (Region)” and as long as there is network connectivity (e.g. a wired device), that…| Out of Office Hours
This is part of my series on Azure Authorization. Azure Authorization – The Basics Azure Authorization – Azure RBAC Basics Azure Authorization – actions and notActions Azure Autho…| Journey Of The Geek
Audit logs can provide all sorts of wonderful points of data. In the interest of identity security, we have historically seen that we can glean rich sets of information around […] The post Dude, Where’s My Audit Logs? appeared first on Eric on Identity.| Eric on Identity
Background A developer at a customer recently asked me: “I have a custom API protected by Entra ID. Can you allow me to grant admin consent to my own APIs, without needing to contact an Entra ID ad…| Microsoft Security Solutions
Collecting details of all workload identities in Microsoft Entra ID makes it possible to build correlations and provide enrichment data for Security Operations Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to implement a data source for enrichment of non-human identities in Microsoft Sentinel and the benefits of using them in analytics rules.| Thomas Naunheim
Last week I hosted a webinar together with our partner Condatis, where we talked about how to manage External Identities with Azure AD B2B/B2C. Thanks to all who attended it live! You can now watch…| Microsoft Security Solutions
2/11/2025 Update – This action is now captured in the Entra ID Audit Logs! I’d recommend putting an alert in ASAP to track this moving forward. Hello fellow geek! Today I’m going …| Journey Of The Geek
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and permissions should be part of identity operations. In this article, we will go through the different lifecycle phases and other aspects of workload identities in your Microsoft Entra environment.| Thomas Naunheim
Workload identities are used by applications, services or cloud resources for authentication and for accessing other services and resources. In particular, organizations which follow a DevOps approach and high automation principles need to manage those identities at scale and implement policies. In the first part of a blog post series, I would like to give an overview of some aspects and features which are important in delegating management of Workload ID in Microsoft Entra: Who can see and...| Thomas Naunheim
Restricted Management Administrative Unit (RMAU) makes it possible to protect objects from modification by Azure AD role members on directory-level scope. Management permissions will be restricted to granted Azure AD roles on the scope of the particular RMAU. In this blog post, we will have a look at this feature and how you can automate management of RMAUs with the Microsoft Graph API. In addition, I will explain use cases, limitations and how this feature supports implementing a tiered administration model.| Thomas Naunheim
Azure AD Kerberos is a modern form of Kerberos for hybrid environments.| syfuhs.net