Today we secure our tenants using conditional access or security defaults, but in the old days many tenants were configured to use Legacy per-user Multi-Factor Authentication (MFA). It is recommended that per-user Microsoft Entra multifactor authentication should not be enabled or enforced when Conditional Access policies are in use. Convert users from per-user MFA to […]| Mindcore Techblog
App Roles in Microsoft Entra are underutilized and deserve more attention; this guide will help you get started| Coding Stephan
Yes. The name is snarky on purpose. With the drive to using phishing-resistant MFA something on the mind of many organizations, I’ve been taking a look at the Usage & […] The post Entra Useless Insights Report appeared first on Eric on Identity.| Eric on Identity
In Part 3 of our Controlling Access in Entra ID Apps series, we explore how combining Administrative Units with RBAC roles enables scoped, secure management of Microsoft 365 resources. Learn how dynamic membership rules and role assignments help enforce least privilege, simplify delegation, and improve operational clarity across your tenant. The post Controlling Access to Microsoft 365 Entra ID Apps Part #3 appeared first on Practical 365.| Practical 365
In previous blogposts, I’ve described how we can use the OpenSSH extension through Azure Arc to gain better remote SSH and RDP sessions to machines without requiring direct network access. However, they’ve always required that we log in to the machine with local credentials (or domain, but that’s old school, we want to get away from that). […] The post Modern Server Management – Azure Arc RDP with Entra ID Authentication appeared first on Mindcore Techblog.| Mindcore Techblog
With the Entra ID functionality in Bicep having become generally available while I was on vacation, I couldn’t wait to get back and try it out. Specifically, I wanted to see if using this functionality would allow for some level of Infrastructure as code (IaC) to good ol’ Active Directory when combined with Group Writeback using […]| Mindcore Techblog
Master Conditional Access: uncover key components, real-world examples and strategies aligned with users and business needs.| The Quest Blog
In early 2020, I published an article on how a Global Administrator could gain control of Azure resources, that no one would know about it, and how this access would persist even after removing them from Global Administrator. From that article: “While Azure leverages Azure Active Directory for some things, Azure AD roles don’t directly …| Active Directory & Azure AD/Entra ID Security
Three new Graph API resources provide easy access to Entra ID authentication method summary data. The information is helpful to understand the type of sign-ins that happen, and the authentication methods used by user connections. The article includes a script based on the MFA sign-in summary to highlight non-MFA connections and the apps users connect to.| Office 365 for IT Pros
Learn how to enable Entra ID-based SSH logins for Linux servers managed with Azure Arc. Eliminate SSH key sprawl, improve auditing, and enforce Conditional Access, RBAC, and MFA for secure, streamlined remote access.| Mindcore Techblog
The #TROOPERS25 'AD & Entra ID Security' track was a blast – as was the whole conference ;-) – bringing together some of the smartest researchers in the field and a great audience of practitioners willing to share their experiences during the roundtable. The slides of the talks have been released in the interim on the TROOPERS website, but since many speakers published additional blogpost ...| Insinuator.net
Explore how to securely manage remote access to Linux servers using Azure Arc and Entra ID in Part 2 of our series. Learn how to eliminate VPNs and jump hosts with RBAC, PIM, Conditional Access, and SSH key automation for a Zero Trust architecture.| Mindcore Techblog
If you use the Microsoft Graph PowerShell SDK, you don’t need to worry about obtaining an access token because SDK cmdlets include automatic token management. Although you don’t need to know the details of the access token used in an SDK session, it’s possible to find and examine its contents, and even use the token with a Graph request. It's a nice-to-know thing that you’ll never need in practice.| Office 365 for IT Pros
Recently we faced a situation that we needed to revert from Entra ID Join back to a Hybrid Azure AD Join, for an AVD environment. The post Fasten Hybrid Join AVD + Intune Deployment appeared first on Joey Verlinden.| Joey Verlinden
A banner posted in the Entra admin center informs administrators that Entra ID governance features used by guest accounts incur charges from June 2025. This only affects Microsoft 365 tenants that use ID governance for features like inactive guest access reviews, but unexpected charges might come as a surprise. This article explains a PowerShell script to find chargeable events in audit logs and how to calculate likely charges.| Office 365 for IT Pros
What is Azure Arc? Azure Arc is a Microsoft service that extends your Azure management and governance capabilities to your resources outside of Azure, and this can include on-premises servers, virtual machines, and other cloud environments. With Azure Arc, you can centrally manage, secure, and automate workloads across hybrid and multi-cloud environments using familiar Azure […] The post Azure Arc & Hybrid Workers – Simplifying Hybrid Cloud Automation Pr.1 appeared first on Mindcore Techblog.| Mindcore Techblog
In this post, we’ll look at suppressing single sign-on (SSO) consent prompts for Azure Virtual Desktop (AVD) and Windows 365. These consent prompts can be very disruptive as they interrupt the smooth sign-in flow. I first came across the option to suppress SSO consent prompts while testing Windows 365 Link devices. If your organization is […] The post Say Goodbye to SSO Consent Prompts for AVD and Windows 365 appeared first on Mindcore Techblog.| Mindcore Techblog
Managing permissions for Managed Identities in Azure/Entra ID has been a long-standing challenge. Microsoft has not yet provided a built-in interface for this, leaving administrators reliant on PowerShell to handle permissions – even though the “same” exists for App Registrations and Enterprise Applications. To bridge this gap, I developed this PowerShell-based tool for the community […] The post Entra ID – Managed Identity Permission Manager appeared first on Mindcore Techblog.| Mindcore Techblog
Recently we ran into a fun experience when adjusting the Cross-Cloud meetings within the Teams Admin Center which caused Entra ID Cross-Tenant Access Settings to be changed. This behavior didn’t seem to be documented anywhere and did cause some head-scratching before we figured out why B2B invitations weren’t automatically being accepted any longer. Update 07-02-2025: […] The post Entra ID Cross-Tenant Access Settings vs. Teams Cross-Cloud meetings – Who wins? appeared first on Mindco...| Mindcore Techblog
Microsoft in recent months has made leaps and bounds to support Multi-Tenant organizations utilizing Cross-tenant Synchronization.| Mindcore Techblog
Linkable token identifiers is a new Entra ID feature that adds a GUID to all the audit events for a session. The new identifiers make it easier to track all user actions taken during a session, and should be of great advantage to security investigators who need to know if an account is performing suspicious actions, possibly due to an attacker compromise.| Office 365 for IT Pros
The conditional access policy condition for token protection now extends to Microsoft Graph PowerShell SDK interactive sessions. Any account within the scope of a CA policy that requires token protection can use Web Account Manager (WAM) to sign in and check that everything is secure and ready to go. It’s a protection that might be of interest to administrators and developers that access sensitive data in Graph SDK sessions.| Office 365 for IT Pros
In July, Microsoft plans to introduce an app consent policy to stop users granting access to third-party apps to their files and sites. Letting users grant unsupervised consent to third-party apps to access files stored in OneDrive for Business and SharePoint Online is a bad idea. There are certainly apps out there that need such access, but requiring one-time administrator approval is no hardship.| Office 365 for IT Pros
Microsoft 365 tenants with Entra P1 or P2 licenses can use a custom banned password list to stop people using specific terms in their passwords. The idea is to prevent easily-guessed terms being used in passwords. You could also block words deemed to be objectionable. In any case, this article explains how to maintain the custom blocked password list with a PowerShell script.| Office 365 for IT Pros
After July 1, 2025, any sharing links generated with one-time passcodes (OTP) will stop working. Only links based on Entra ID B2B Collaboration will work. Users who lose access to content shared from SharePoint Online or OneDrive for Business will have to contact the original sharer to ask them to generate a new sharing link. Sounds like a recipe for confusion, which is what might happen.| Office 365 for IT Pros
The prospect of agents running amok in Microsoft 365 tenants lessened a tad with the introduction of Entra Agent ID. Tenants will be able to manage agents through the Entra admin center. Custom agents created with Copilot Studio or Azure AI Foundry now have Entra identifiers and show up in the admin center. So far, not much else happens but the promise of more functionality is there.| Office 365 for IT Pros
The ConditionalAccessPolicy setting in an OWA mailbox policy can be configured to work with Entra ID conditional access so that OWA blocks access to attachments on unmanaged devices. Microsoft originally introduced the feature in 2018 and as it turns out, the combination of OWA mailbox policy and CA policy also blocks attachment access for the new Outlook for Windows client.| Office 365 for IT Pros
Microsoft Azure is probably the most widely used cloud platform in Switzerland, powering businesses of all sizes, from startups to multinational companies. According to the official Microsoft page, over 95% of Fortune 500 companies rely on Microsoft Azure in one form or another. With this industry-wide adoption, it has become a critical component of modern-day IT infrastructure. However, as more and more companies migrate to cloud or cloud-local hybrid infrastructure, the security risks that ...| blog.compass-security.com
Microsoft will remove the Azure AD Graph API from “early September 2025” according to an official post at […]| DEVCLASS
Microsoft is offering clients an updated Intune Connector for Active Directory and this connector is what Intune will be using starting from Intune 2501. This connector uses Windows Autopilot to deploy devices that are Microsoft Entra hybrid joined. The updated … The post Intune Connector for Active Directory – What To Know About The Latest Security Update appeared first on Thomas Marcussen.| Thomas Marcussen
Streamline Azure Entra ID Groups access reviews to manage user permissions efficiently and boost security, compliance, and operational control.| SysOpsTechnix
In the first installment of Securing Microsoft 365 with Graph Activity Logs, Mezba Uddin dives into the essentials of the Microsoft Graph Activity Log: what it does, its importance for visibility, and how to get it running to start seeing its data.| Practical 365
Entra ID's password protection feature was introduced back in 2018, adding support for a banned password list, the smart lockout controls and integration with| Blog
A while back I published a blog post on how you can add Microsoft Graph application role permissions to a Managed Identity, something that is useful if you have deployed Azure services that use managed identities, and need permission to access Graph API. https://gotoguy.blog/2022/03/15/add-graph-application-permissions-to-managed-identity-using-graph-explorer/ The above blog post is currently the only “graphical” or UI […]| GoToGuy Blog
In this contribution I will show you how you can build your own Security Copilot, by using Azure Open AI, AI Search Service and your own security data sources, in a creative way that let users ask about their own security status in a natural language! This is part of my contribution to the Festive […]| GoToGuy Blog
Microsoft recently announced that Workload Identity Federation for Azure Pipelines is now in Public Preview: https://devblogs.microsoft.com/devops/public-preview-of-workload-identity-federation-for-azure-pipelines/. This opens up a lot of scenarios for Azure service connections without the need to manage secrets for service principals, and improves security, as there are no secrets that can be exposed or exfiltrated. As I work a lot […]| GoToGuy Blog
TL;DR: PowerShell tool to enumerate Entra ID objects, assignments and identify highly privileged objects or risky configurations.| blog.compass-security.com
I’ve seen a lot of blog posts about registering devices with Windows Autopilot, either at a command prompt in OOBE (Shift-F10, run PowerShell) or as part of some other automation. Now with Au…| Out of Office Hours
Check out this guide to learn what enterprise-level Entra ID recovery strategies are needed to mitigate risk and business disruption.| The Quest Blog
In this post I’ll show you how to migrate the legacy Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) policies to the new unified Authentication Methods policy in Entra ID (formerly known as Azure Active Directory). Deadline for migration is September 30th, 2025. These are the key steps you need to take: Let’s get started. ...| Sam Mitrovic
Today I’ve released a new version of my Conditional Access Framework. Version 2025.2.3 has one modified and one new policy which are meant for internals. The post Conditional Access Framework (2025.2.3) appeared first on Joey Verlinden.| Joey Verlinden
Microsoft, and the general identity industry, has recommended that applications use certificates over secrets when it comes to credentials for things like applications. This recommendation has existed for about as […] The post Spying on your ISVs credential choices appeared first on Eric on Identity.| Eric on Identity
Today I’ve released a new version of my Conditional Access Framework. Version 2025.2.1 has some additional policies which are meant for internal admins. In short: The post Conditional Access Framework (2025.2.1) appeared first on Joey Verlinden.| Joey Verlinden
As Microsoft continues to enhance security across its platforms, Multi-Factor Authentication (MFA) is becoming mandatory for an increasing number of administrative portals. This shift means that relying solely on a username and complex password for break glass accounts is no longer viable and should be revisited (if not already done). This initiative aligns with Microsoft’s... The post Protecting your Break Glass accounts in Entra now that MFA gets enforced on more and more Admin portals ap...| Modern Workplace Blog
Today (Tuesday February 27th) I have the pleasure to speak at the February 2024 Azure APE Meetup organized by the Azure Platform Engineering (APE) community. The event, which is hosted by ShareValue, is held in Gouda, the Netherlands and starts at 18:00. At this event, I will be speaking about Microsoft Entra Id Conditional Access,... The post Speaking at the February 2024 Azure APE Meetup appeared first on Modern Workplace Blog.| Modern Workplace Blog
I could stop there, but I won’t. In any case, let’s review the Windows Enterprise SKU licensing model, straight from the source: Windows 11 Enterprise is licensed as an upgrade license …| Out of Office Hours
With my new Conditional Access Gallery tool Invoke-DCConditionalAccessGallery in DCToolbox you can pick and choose from any of 25+ available Conditional Access templates included, and the tool will auto-deploy them in your tenant (report-only mode), automatically create all dependencies like groups, named locations, and terms of use agreements, and finally document your new policy design … Continue reading Conditional Access Gallery – Point, Select, and Deploy in Minutes→| Daniel Chronlund Cloud Security Blog
As we approach the fourth anniversary of the Entra ID Attack and Defense Playbook in October 2024, it’s a perfect time to reflect on its evolution and the collective effort that has made it a valuable resource (based on the feedback) for security professionals. The playbook began as a vision to consolidate common attack scenarios […]| Sam's Corner
Next week it’s time again for the annual Workplace Ninja Summit in Lucerne, Switzerland. The summit will start on Monday September 16th till Thursday September 19th. The Workplace Ninja summit is organized by the different Workplace Ninja user groups and consists of many Microsoft community heroes like Mirko Colemberg, Thomas Kurth, Daniel Schädler, Kenny Buntinx,... The post Speaking at the Workplace Ninja Summit 2024 appeared first on Modern Workplace Blog.| Modern Workplace Blog
This Thursday, I will visit and speak at the Cloud Identity Summit in Cologne, Germany. The Cloud Identity Summit is organized by Thomas Naunheim, Gregor Reimling and René Wasel. The Cloud Identity Summit is a hybrid event, where attendees can join both on location and remotely via Teams. Sessions are not recorded though and even... The post Speaking at the Cloud Identity Summit 2024 on Thursday September 5th appeared first on Modern Workplace Blog.| Modern Workplace Blog
For those that must manage application integrations in Entra ID, it’s an inevitable question: What is the difference between an App Registration and an Enterprise Application? Why are there two […] The post Entra App Registrations and Enterprise Applications: The Definitive Guide appeared first on Eric on Identity.| Eric on Identity
In the first part, I set up Workspace ONE and integrated it into my existing Entra ID (Azure AD) tenant. In part 2, I set up apps and policies that should be deployed to my devices. That prepares m…| Out of Office Hours
I’ve spent a lot of time over the years talking to ISVs about provisioning Windows devices, but I’ve never actually used any non-Microsoft solutions for doing that. In that time, one of…| Out of Office Hours
Sometimes we need to grant temporary access to Entra ID users for specific purposes, like onboarding. As you might know, Microsoft Entra ID provides a feature called Temporary Access Pass (TAP) tha…| Daniel Chronlund Cloud Security Blog
Microsoft has extended their permissions model for working with files, list items and lists within the Graph API. The newly introduced Files.SelectedOperations.Selected, ListItems.SelectedOperations.Selected and Lists.SelectedOperations.Selected scopes are available in both delegated and application permission flavors and allow you to granularly control application access! At the same time, they use the same model the Sites.Selected permission uses, so you can easily adopt them.| Blog
One of the things that is not currently included in the APv2 device preparation policy is an option to configure the computer name, so as a result the devices end up being given a random name like …| Out of Office Hours
The social media DMs, e-mails, and blog comments around Autopilot v2 have raised a bunch of questions, interesting points, speculation, opinions, etc. I figured it would be useful to summarize thos…| Out of Office Hours
This is part of my series on the Azure OpenAI Service: Azure OpenAI Service – Infra and Security Stuff Azure OpenAI Service – Authentication Azure OpenAI Service – Authorization A…| Journey Of The Geek
This is part of my series on Azure Authorization. Azure Authorization – The Basics Azure Authorization – Azure RBAC Basics Azure Authorization – actions and notActions Azure Autho…| Journey Of The Geek
A PowerShell script to remove user, or a set of users, from all groups they are a member of by using the Graph API methods. You can leverage the additional parameters of the script in order to also remove any directory role assignments, ownership assignments and delegate permission grants. The script supports Microsoft 365 Groups, Entra Security Groups, Exchange Distribution Groups and Mail-Enabled security groups.| Blog
Introduction So, I decided to write my own Conditional Access evaluation engine in PowerShell, like one does on rainy November nights, right? Its purpose is to provide capabilities similar to the built-in What If tool in the Entra ID portal, but with a clear focus on finding grant control gaps in common and uncommon use … Continue reading Conditional Access ‘What If’ Simulation with PowerShell→| Daniel Chronlund Cloud Security Blog
Managing Conditional Access policies in Entra ID at scale can be a real hassle. The GUI-based management tools were not designed to perform any kind of configuration in bulk. I decided to automate some of the most common bulk management tasks in Conditional Access management and put them into DCToolbox. These tools will surely save … Continue reading Easy Bulk Management of Entra ID Conditional Access Policies→| Daniel Chronlund Cloud Security Blog
This is by far the most substantial time-saving tool I’ve ever shared with the community. From my many years of working with Conditional Access deployments, baselines, and automation tools, I wanted to package all that knowledge, experience, and best practices in a single fully automated PowerShell tool. I give you Deploy-DCConditionalAccessBaselinePoC 🙌 With Deploy-DCConditionalAccessBaselinePoC in … Continue reading How To Deploy a Complete Entra ID Conditional Access PoC in Under 5...| Daniel Chronlund Cloud Security Blog
Threat hunting is a powerful method of trying to detect stealthy cyber attacks. Threat hunting is an art form and over time you can become a skilled hunter. However, these days we need to do more to detect breaches in our IT environments. One method of trying to lure the attackers and reveal themselves is … Continue reading Microsoft Entra ID Honeypot Accounts with Microsoft Sentinel→| Daniel Chronlund Cloud Security Blog
According to the Microsoft Digital Defense Report 2022, weak identity controls are listed as one of the top three contributing factors found during ransomware incident response. One particularly troubling finding within identity […] The post Protect your privilege with PAW appeared first on Eric on Identity.| Eric on Identity
According to Wikipedia, Toshkent (or Tashkent) is the largest city in, as well as the capital of, Uzbekistan, a country located in Central Asia. The city sports a population of […] The post March 23rd, 2023: The Day Everyone Came From Uzbekistan appeared first on Eric on Identity.| Eric on Identity
I noticed a section on the Features in development page that talks about a change coming on April 1st, which is not very far away (and an interesting place to put “we’re going to break …| Out of Office Hours
At the end of September 2023, Microsoft Entra ID Protection received a new pretty cool feature that brings hybrid users to the same level of protection and auto-remediation as cloud users. The ability to remediate risk in Microsoft Entra ID Protection (former Azure AD Identity Protection) has been there for years already but in a […]| Sam's Corner
This is part of my series on Azure Authorization. Azure Authorization – The Basics Azure Authorization – Azure RBAC Basics Azure Authorization – actions and notActions Azure Autho…| Journey Of The Geek
Scenario You want to allow an application the permission to add and remove members in an Entra Group with the least possible permissions used. Solution You can of course solve this by giving your application one of the following Application …| Microsoft Security Solutions
Audit logs can provide all sorts of wonderful points of data. In the interest of identity security, we have historically seen that we can glean rich sets of information around […] The post Dude, Where’s My Audit Logs? appeared first on Eric on Identity.| Eric on Identity
Background A developer at a customer recently asked me: “I have a custom API protected by Entra ID. Can you allow me to grant admin consent to my own APIs, without needing to contact an Entra ID ad…| Microsoft Security Solutions
2/11/2025 Update – This action is now captured in the Entra ID Audit Logs! I’d recommend putting an alert in ASAP to track this moving forward. Hello fellow geek! Today I’m going …| Journey Of The Geek