In this article, I would like to point out options to identify, monitor and avoid persistent access to Managed Identity privileges gained by adding federated credentials to User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at attack paths and privileges which should be considered.| Thomas Naunheim
In the previous parts of this blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and threats. This includes the usage of Conditional Access for Workload ID as well as configuring a Microsoft Sentinel Playbook with least privileges.| Thomas Naunheim
Attack techniques have shown that service principals are used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example, as part of the NOBELIUM attack path. Abuse of privileged workload identities for exfiltration and privilege escalation are just further steps in such attack scenarios. In this part, we will have a closer look at monitoring workload identities with Identity Threat Detection and Response (ITDR) by Microsoft Defender XD...| Thomas Naunheim
Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can also be abused by Security Administrators for privilege escalation, such as creating an (Active Directory) Domain Admin account or “phishing” an access token from an (Azure AD) Global Admin on a PAW device. In this blog post, I will describe the potential attack paths and a few approaches for detection as well as mitigation.| Thomas Naunheim
Conditional Access and Entitlement Management play an essential role in applying the Zero Trust principles of “Verify explicitly“ and “Use least-privilege access“ to Privileged Identity and Access. In this article, I would like to describe how these features can be used to secure access to privileged interfaces and how to assign privileged access while considering Identity Governance policies.| Thomas Naunheim
Microsoft has released a feature to automate on- and off-boarding tasks for Azure AD accounts. Lifecycle workflows offer built-in workflow templates but also the option to integrate Logic Apps as custom extensions. In this blog post, I would like to give an example of how to use this feature to automate the lifecycle of privileged accounts in association with a hiring and termination process.| Thomas Naunheim
Today I’ve released a new version of my Conditional Access Framework. Version 2025.2.3 has one modified and one new policy which are meant for internals. The post Conditional Access Framework (2025.2.3) appeared first on Joey Verlinden.| Joey Verlinden
Microsoft, and the general identity industry, has recommended that applications use certificates over secrets when it comes to credentials for things like applications. This recommendation has existed for about as […] The post Spying on your ISVs credential choices appeared first on Eric on Identity.| Eric on Identity
Today I’ve released a new version of my Conditional Access Framework. Version 2025.2.1 has some additional policies which are meant for internal admins. In short: The post Conditional Access Framework (2025.2.1) appeared first on Joey Verlinden.| Joey Verlinden
Today (Tuesday February 27th) I have the pleasure to speak at the February 2024 Azure APE Meetup organized by the Azure Platform Engineering (APE) community. The event, which is hosted by ShareValue, is held in Gouda, the Netherlands and starts at 18:00. At this event, I will be speaking about Microsoft Entra ID Conditional Access,... The post Speaking at the February 2024 Azure APE Meetup appeared first on Modern Workplace Blog.| Modern Workplace Blog
Next week it’s time again for the annual Workplace Ninja Summit in Lucerne, Switzerland. The summit runs from Monday September 16th until Thursday September 19th. The Workplace Ninja summit is organized by the different Workplace Ninja user groups and consists of many Microsoft community heroes like Mirko Colemberg, Thomas Kurth, Daniel Schädler, Kenny Buntinx,... The post Speaking at the Workplace Ninja Summit 2024 appeared first on Modern Workplace Blog.| Modern Workplace Blog
For those that must manage application integrations in Entra ID, it’s an inevitable question: What is the difference between an App Registration and an Enterprise Application? Why are there two […] The post Entra App Registrations and Enterprise Applications: The Definitive Guide appeared first on Eric on Identity.| Eric on Identity
According to the Microsoft Digital Defense Report 2022, weak identity controls are listed among the top three contributing factors found during ransomware incident response. One particularly troubling finding within identity […] The post Protect your privilege with PAW appeared first on Eric on Identity.| Eric on Identity
According to Wikipedia, Toshkent (or Tashkent) is the largest city in, as well as the capital of, Uzbekistan, a country located in Central Asia. The city sports a population of […] The post March 23rd, 2023: The Day Everyone Came From Uzbekistan appeared first on Eric on Identity.| Eric on Identity
A year ago, I released the Autopilot Manager to support Autopilot hash imports during Windows OOBE via an approval process (if you are not already familiar with Autopilot Manager, please read Introducing Autopilot Manager first), and in the meantime the solution is used by a lot of companies. This is quite some time to discuss about…| Modern IT – Cloud – Workplace
Originally presented at SOCON-2024, and continuing the series into post-exploitation techniques against Identity Providers, in this blog post we'll look at Ping, OneLogin and Entra ID. I'll discuss how post-exploitation techniques effective against Okta apply to other providers, release new tools for post-exploitation, and look at what proves to be effective when critical assets lie beyond an Identity Provider portal.| XPN InfoSec Blog
Audit logs can provide all sorts of wonderful points of data. In the interest of identity security, we have historically seen that we can glean rich sets of information around […] The post Dude, Where’s My Audit Logs? appeared first on Eric on Identity.| Eric on Identity
Collecting details of all workload identities in Microsoft Entra ID allows you to build correlations and provide enrichment data for Security Operations Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to implement a data source for enrichment of non-human identities in Microsoft Sentinel and the benefits of using them in analytics rules.| Thomas Naunheim
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and their permissions should be part of identity operations. In this article, we will go through the different lifecycle phases and other aspects of workload identities in your Microsoft Entra environment.| Thomas Naunheim
Workload identities are used by applications, services or cloud resources for authentication and for accessing other services and resources. Especially organizations which follow a DevOps approach and high-automation principles need to manage those identities at scale and implement policies. In the first part of a blog post series, I would like to give an overview of some aspects and features which are important in delegating management of Workload ID in Microsoft Entra: Who can see and...| Thomas Naunheim
Restricted Management Administrative Unit (RMAU) allows protecting objects from modification by Azure AD role members at directory-level scope. Management permissions are restricted to Azure AD roles granted at the scope of the particular RMAU. In this blog post, we will have a look at this feature and how you can automate management of RMAUs with the Microsoft Graph API. In addition, I will explain use cases, limitations and why this feature supports implementing a tiered administration model.| Thomas Naunheim