I've been in Entra since it was partner hosted, before BPOS became Office 365
App registrations vs Service Principals vs Applications still confuse me at times
So it's natural people are confused thinking Application policies only apply to auth, not SAML
It applies to both:
Did you know there are at least 6 ways to store data about users in Entra? 😅
Outside of normal user object attributes, directory extensions tend to be one of the best fits for most things, except for sensitive data - use custom security attributes ;)
https://t.co/NwuGJ8XJIY
Just dropped a new EntraChat episode with @PyroTek3 from @TrustedSec and honestly my brain is full 🤯
Sean has been doing Microsoft identity security since Azure AD was barely a thing and he still sees the same misconfigs in enterprise environments every. single. day.
legacy auth left on. app permissions nobody's auditing. shadow tenants nobody knows exist.
the fundamentals aren't boring, they're just not done 🎙️👇
Get ready, folks. 🌟
You’re about to witness ONE. BIG. BEAUTIFUL. ABSURDLY. EPIC. THREAD. 🧵🔥
Some say this might be the MOST EPIC and MOST RIDICULOUSLY LONG identity thread ever written
📗 Bookmark this
Honestly… the cover image alone deserves a like + retweet
DO IT 😂
👋 Entra Exporter v3.0 is now out folks!
Amazing effort from @AndrewZtrhgf for
🚀 Blazingly fast export
🌀 Azure IAM support and more
Many thanks to our other contributors including @SamErde, @LitoMore, JayDoubleu and JulianSteiman
Check it out at https://t.co/qzSbhwzpE4
Today I learned: Using diskshadow to fetch the NTDS.dit. As mentioned several times, I love reading the HTB writeups from 0xdf because I always learn something new. Like here [1]:
"To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file can’t just be copied as it is locked and in use. I can access it via a shadow copy, which I’ll generate with diskshadow and this script:
set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf[.]cab
add volume c: alias 0xdf
create
expose %0xdf% e:
and pass it [the script from above] to diskshadow:
C:\programdata> diskshadow /s C:\programdata\backup"
Attackers love vssadmin, and so do the EDR vendors. How about diskshadow? We tested the attack flow in our lab with various EDRs, and the results were... interesting. Would the command above trigger an alert in your environment?
And here, for reference, is the corresponding LOLBAS article [3]
[1] https://t.co/coiRYMKEmP
[2] https://t.co/eTvvrlMbrD
[3] https://t.co/cCAh5iWOmX
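The question above (would a scripted diskshadow run trigger an alert?) can be turned into a concrete detection. The following is an added example, not code from the quoted write-up, the original post, or any EDR vendor: it runs a small rule set over constructed process-creation events (field names modelled loosely on Sysmon event 1 / Security 4688, and themselves an assumption) and, where the /s script is retrievable, inspects it for the create-plus-expose pattern that turns a snapshot into a browsable drive letter. The sample events and script are constructed for the example.

```python
"""Detect script-driven diskshadow snapshot creation next to the better-known vssadmin case.

Added example: the events, field names and script below are constructed, not real telemetry.
"""
import ntpath
import re

# Constructed process-creation events. 'image' is the executable path, 'cmdline' the full command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow /s C:\programdata\backup",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\svc_backup"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin create shadow /for=C:",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\admin"},
    {"image": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\admin"},
    {"image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": r"agent.exe --job nightly",
     "parent": r"C:\Windows\System32\services.exe", "user": r"NT AUTHORITY\SYSTEM"},
]

# Constructed script content in the shape of the /s file from the write-up.
SAMPLE_SCRIPT = r"""set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf.cab
add volume c: alias 0xdf
create
expose %0xdf% e:
"""

# "/s <path>" or "-s <path>" anywhere on the diskshadow command line.
SCRIPT_SWITCH_RE = re.compile(r'(?:^|\s)[/-]s\s+"?(?P<path>[^"\s]+)', re.IGNORECASE)
VSS_CREATE_RE = re.compile(r"\bcreate\s+shadow\b", re.IGNORECASE)


def classify_event(event):
    """Return an alert dict for a shadow-copy creation event, or None if the event is not interesting."""
    binary = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    if binary == "vssadmin.exe" and VSS_CREATE_RE.search(cmd):
        return {"rule": "vssadmin-create-shadow", "severity": "high", "user": event["user"], "script": None}
    if binary == "diskshadow.exe":
        m = SCRIPT_SWITCH_RE.search(cmd)
        if m:
            # Non-interactive run: the snapshot commands live in the script file, not on the command line.
            return {"rule": "diskshadow-scripted", "severity": "high", "user": event["user"], "script": m.group("path")}
        return {"rule": "diskshadow-interactive", "severity": "medium", "user": event["user"], "script": None}
    return None


def script_indicators(script_text):
    """Collect diskshadow script features that point at copying locked files off a snapshot of the system volume."""
    found = set()
    for raw in script_text.splitlines():
        ln = raw.strip().lower()
        if ln == "create":
            found.add("create")                      # snapshot actually taken
        if ln.startswith("expose "):
            found.add("expose")                      # snapshot mounted as a drive letter or path
        if "nowriters" in ln:
            found.add("nowriters")                   # no VSS writers: no application-consistent backup intent
        if ln.startswith("add volume") and re.search(r"\bc:", ln):
            found.add("system-volume")               # the volume holding NTDS.dit / SAM
    return found


def script_is_suspicious(script_text):
    """A script that both creates and exposes a snapshot is the pattern used to read locked files."""
    return {"create", "expose"} <= script_indicators(script_text)


def analyze(events, scripts):
    """Run the rules over events; 'scripts' maps a script path (as on the command line) to its content, if collected."""
    scripts_by_path = {path.lower(): text for path, text in scripts.items()}
    alerts = []
    for event in events:
        alert = classify_event(event)
        if alert is None:
            continue
        script_text = scripts_by_path.get((alert["script"] or "").lower())
        if script_text is not None:
            alert["indicators"] = sorted(script_indicators(script_text))
            if script_is_suspicious(script_text):
                alert["severity"] = "critical"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS, {r"C:\programdata\backup": SAMPLE_SCRIPT}):
        print(a)
```

The point of the split between `classify_event` and `script_indicators` is that the command line alone only tells you diskshadow ran with a script; without collecting the script file (or the diskshadow output when `set verbose on` is present) you cannot tell a legitimate backup from a snapshot exposed so that NTDS.dit can be copied. If your EDR alerts on `vssadmin create shadow` but not on `diskshadow /s`, the first and second sample events should score the same.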
When “Block All” in Conditional Access blocks too much… 🔒
Until recently, guest users couldn’t change their MFA methods when you blocked all cloud apps.
The My Sign-ins app is now selectable in Conditional Access 🎉
Finally possible:
✅ Limit guests to M365 resources
✅ Keep self-service (MFA, profile) working
🧩 Read how to configure it: https://t.co/gmA2IJRWBY
#EntraID #ConditionalAccess #Microsoft365 #Intune
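To make the "Block All blocks too much" problem checkable, here is an added example (not code from the original post or from Microsoft) that lints a Conditional Access policy in the Microsoft Graph `conditionalAccessPolicy` shape: a block policy that targets guests with "All" cloud apps must exclude the My Sign-ins app, or guests lose the self-service MFA and profile pages. The two policy objects are constructed for the example, and the My Sign-ins app ID is an assumption taken from Microsoft's published first-party app list; verify it against the app picker in your own tenant before relying on it.

```python
"""Lint a guest 'Block All' Conditional Access policy for the My Sign-ins exclusion.

Added example. The policies are constructed; the app ID below is an assumption to verify in your tenant.
"""
import copy

# Assumed app ID of the "My Sign-ins" first-party app; confirm via the CA app picker or Graph before use.
MY_SIGNINS_APP_ID = "19db86c3-b2b9-44cc-b339-36da233a3be2"
OFFICE365_APP_GROUP = "Office365"  # Graph's identifier for the Office 365 app group

# Weak setting: guests blocked from everything except Office 365, so My Sign-ins is blocked too.
GUEST_BLOCK_WEAK = {
    "displayName": "Guests - block all except Microsoft 365",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": "b2bCollaborationGuest",
                "externalTenants": {"membershipKind": "all"},
            }
        },
        "applications": {"includeApplications": ["All"], "excludeApplications": [OFFICE365_APP_GROUP]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def is_block_policy(policy):
    return "block" in (policy.get("grantControls") or {}).get("builtInControls", [])


def targets_guests(policy):
    users = policy["conditions"].get("users", {})
    return bool(users.get("includeGuestsOrExternalUsers")) or "GuestsOrExternalUsers" in users.get("includeUsers", [])


def audit_guest_block_policy(policy):
    """Return a list of finding strings; an empty list means the policy keeps guest self-service reachable."""
    findings = []
    apps = policy["conditions"].get("applications", {})
    if not (is_block_policy(policy) and targets_guests(policy)):
        return findings
    if "All" not in apps.get("includeApplications", []):
        return findings  # not a Block-All policy, nothing to check here
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state=%s); findings below only matter once enabled" % policy.get("state"))
    excluded = {a.lower() for a in apps.get("excludeApplications", [])}
    if MY_SIGNINS_APP_ID.lower() not in excluded:
        findings.append("My Sign-ins is not excluded: guests cannot manage MFA methods while blocked")
    return findings


def add_self_service_exclusion(policy):
    """Return a copy of the policy with My Sign-ins excluded from the block (the corrected setting)."""
    fixed = copy.deepcopy(policy)
    excludes = fixed["conditions"]["applications"].setdefault("excludeApplications", [])
    if MY_SIGNINS_APP_ID not in excludes:
        excludes.append(MY_SIGNINS_APP_ID)
    return fixed


if __name__ == "__main__":
    print("weak:", audit_guest_block_policy(GUEST_BLOCK_WEAK))
    print("fixed:", audit_guest_block_policy(add_self_service_exclusion(GUEST_BLOCK_WEAK)))
```

The exclusion only reopens the My Sign-ins app itself; any other policy that requires, say, a compliant device still applies to it, so run the lint over every block policy targeting guests rather than just the one you remember writing.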
Everyone who works in Microsoft Cloud, download this roadmap. Thank @merill and many others at Microsoft when you get a chance. This is the best work Microsoft has done for security, in my humble opinion.
I used to be in the "Zero Trust is just an idea" camp. Microsoft has worked very hard to create a step by step roadmap and includes links to documentation with implementation instructions depending on the vertical. It helps a lot if you have applied learning and hands on experience. I wouldn't say it's the best for newcomers but if it were me when I was new, I would go straight to it and start learning the forest now instead of the individual trees. Microsoft has done all the architecture work that's difficult for us: Planning, Road Mapping, Timeline Estimations, Level of Effort, etc.
This entire workbook can be broken out into individual initiatives and encompasses Identity and Access, Devices, Data, Network, Infrastructure, and Security Operations. You already have all your Epics and Stories.
Guess what: the best part about it is it's free. No vendors trying to sell you solutions to deal with Zero Trust.
https://t.co/lmjKYUH9nJ
Awesome idea from @RobbeVdDaele to use Defender for Identity's telemetry :)
I've added his content to a new section on my blog article (with his permission of course!):
https://t.co/kCNiZJEDYg
We may also see some official docs for discovering SSSO usage in the future 🥳
Seamless SSO is a security risk, and many orgs enabled it without knowing and are now stuck wondering what might break if they turn it off...
Since Microsoft provides no help identifying actual usage, I did some research so you can safely turn it off :)
https://t.co/roijf9YmIa
Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: https://t.co/oQ2HDZZbJB
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: https://t.co/8BNa2cZHj8
Check out this new browser extension > https://t.co/vMHKqvd37u. Conveniently 𝐂𝐨𝐩𝐲 or 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 any Conditional Access policy to JSON! ⭐
If you have ever needed to backup, recreate or document a Conditional Access policy, the first step is usually to programmatically obtain the configuration in JSON format...
Now you don't have to do this programmatically, as I have baked this functionality directly into the admin portal with my 𝐂𝐀 𝐏𝐨𝐥𝐢𝐜𝐲 𝐂𝐨𝐩𝐢𝐞𝐫
extension!
Use the link above to learn how to install it!
#Entra #ConditionalAccess #Microsoft
I kept meaning to write an article for this, decided to record a quick video instead 🎥
TL;DW - Create an auth context, target the auth context in a CA policy (SIF Every time, other conditions), select auth context in PIM role settings
Thanks @StephanG_AIM for the reminder :)
We just launched a new webinar series at @PatchMyPC : Patch-n-Rant
In this series, I walk through how I troubleshoot weird Intune issues and the tools I actually use to do so!
Episode 1 is all about #Fiddler
– What Fiddler is, and when to use it
– Capturing Intune traffic
– SYSTEM vs user-mode capture
– SSL pinning workarounds
🎥 Patch Me If You Can – Fiddler
https://t.co/8YpjaLDFO3
And yes… I dropped it on my birthday. Why not.
#Intune #MSIntune #Windows #Windows11 #PatchMyPC #WindowsAutopilot #Security
Got a topic you think is worth a Patch-n-Rant? Drop it in the comments.
I really like getting alerts before something goes wrong in Intune.
When a certificate is about to expire, when devices start going out of compliance, or when apps fail to install across many devices. It saves time and it means I can enjoy my coffee instead of clicking through logs all morning 😄
I’ve just updated and added 4 scripts that help with this:
• Apple Token Expiration
• Device Compliance Drift
• Stale Device Cleanup
• App Deployment Failure
They check the tenant for problems and let you know before users start calling. No more guessing or manual checks.
You can find these and more on the website.
Hope they help someone out there save a few hours too.
It's here! Modern auth for Entra Connect Sync is now available 🚀
This finally moves from user/pass auth with Entra to using a Service Principal with a certificate. Another benefit is misconfigs in CA policies will no longer break syncing :)
Docs:
https://t.co/kytbW8u7JD