Discover and read the best of Twitter Threads about #AzureAD

Most recents (19)

📚 Excellent article on #Phishing techniques targeting #O365 and #Azure🎣 Traditional phishing, device-code authentication, illicit consent grant attacks... it is not easy to make it simple on this topic, and it's the case here! riskinsight-wavestone.com/en/2023/03/ill… Image
1️⃣ Obviously, the traditional phishing attack is simple to implement in the absence of multi-factor authent 🔐 We know what to do!
2️⃣ More tricky, device-code authent attack: the attacker’s objective is to get the victim to fill in his device code on the Ms devicelogin page🔥
3️⃣ Conditional access policies can be used to prohibit suspicious connections from devices not under the control of the company👍
4️⃣ The illicit consent grant attack relies on the ability of an attacker to create an app that requires permission to be granted 💣
Read 4 tweets
Do you know how authentication works in #AzureAD? The purpose of #authentication is to verify that we really are who we say we are. But how is it possible that our login remains active even if we close the browser? Let's take a look at how tokens work in Azure AD. [1/5]
After a successfully authentication, Azure AD issues a set of #tokens. An access token defaults to one hour and grants the user access to a single resource. If a user accesses multiple resources, they will have multiple access tokens. [2/5]
A refresh token, on the other hand, has essentially unlimited validity and its only purpose is to issue a new access token when the existing one expires, or to issue a new access token for a different resource, giving us a single sign-on (#SSO) experience. [3/5]
Read 5 tweets
Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
Read 9 tweets
A bit late to the game, but here we go.
In mid-November, we launched a big piece of work we've been working on for a very long time. We call this the Authentication Methods Policy Convergence in #AzureAD. 1/n
With this preview, we have added more management control for auth methods that have been there in #AzureAD for a long time. The main problem with the old MFA Portal and SSPR blade was that it only allowed admins to enable/disable methods for ALL users, no group targeting. 2/n
With auth methods policies we added group targeting for all methods, exclusions and a migration control that lets you decide when you want these policies to apply to MFA and SSPR and ignore old settings. 3/n
Read 6 tweets
New Tenant Creation setting in AzureAD User Settings?

Yes, allows default users to create Azure AD tenants. No, allows only users with global administrator or tenant creator roles to create Azure AD tenants.

The default seems configured on Yes in all tenants. (1/2)

#AzureAD Image
'Yes' allows default users to create new AAD tenants in the environment. Based on my opinion; is it not better to force the 'No' as default.

Don't see any reason why normal users need to create AAD tenants. Though I could be wrong. Curious about the opinion of others

(2/2)
Update: Feature is not visible anymore. All still available via the preview portal. preview.portal.azure.com/#view/Microsof…
Read 5 tweets
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's are short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇 Screenshot from the Authent...
This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some like Phone number and email are very weak compared to others.

I shared more about this in a previous thread Illustration showing the ri...
Moving away from Voice and SMS is in fact called out by NIST who classify PSTN based auth like SMS and Voice as RESTRICTED.

They explain in more detail in this FAQ.
pages.nist.gov/800-63-FAQ/#q-… 5.1.3.3 Authentication usin...
Read 10 tweets
How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
Read 7 tweets
Stop using per-user MFA for #AzureAD MFA. "Don't enable or enforce per-user Azure AD Multi-Factor Authentication if you use Conditional Access policies." learn.microsoft.com/en-us/azure/ac…
If you are still using per-user MFA, and can deploy conditional access policies, deploy the template to require MFA for all users and disable per user MFA. Conversion script here learn.microsoft.com/en-us/azure/ac… (we need to update this to use MS Graph SDK PowerShell and not MSOL) @merill
If you are using a free tenant or you have not enabled conditional access you have enabled the tenant security defaults right? You should go check your tenant right now if you don't know. learn.microsoft.com/en-us/microsof…
Read 10 tweets
@Secureworks just released a threat analysis regarding flaws our team found in #AzureAD Pass-through Authentication (PTA).

secureworks.com/research/azure…

The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks

1/3
How is this different from previous PTA exploits like #AADInternals PTASpy?
* After the initial compromise of a PTA agent, the exploitation is remote
* Exploitation can't be detected from the Azure portal or logs
* Exploit is persistent

2/3
What can administrators do if they detect a compromised PTA agent?
* Contact Microsoft support to remove the agent

How to protect / prevent?
* Treat all servers with PTA agent as Tier 0

3/3
Read 3 tweets
Just a reminder when focusing on #security for your #office365 and #azuread tenants one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365 you should & read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication,are used to authenticate to Microsoft 365 through your on-premises identity infrastructure.Ifa SAML token-signing certificate is compromised, federation allows anyone who has.."2/7
certificate to impersonate any user in your cloud.

We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
Read 14 tweets
7 AzureAD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA Phishing. #azureAD #MicrosoftSecurity

Links included for more information to earlier posted blogs.

A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:

- Azure MFA number matching (preview)
- Show additional context in notifications (preview)

Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
Tip 2: 1/2: Adversary-in-the-middle/ AiTM attacks are growing/ detected more in the wild. Prevention using:

- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ

jeffreyappel.nl/protect-agains…
Read 10 tweets
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)
First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
If you haven't heard, the MSOnline and AzureAD PowerShell modules are going away at the end of the year

Instead, we are going to use the new Graph SDK PowerShell modules

So let's go under Modules, click Add a Module, browse the gallery, and add Microsoft.Graph.Authentication
Read 13 tweets
Ok, so here's my take and recommendations from Identity Security lens on the #log4j2 vuln impact for #zerotrust and #AzureAD. TLDR: It's time for "EXTREME ZT: LPA ALL THE THINGS!" <thread>
The simple fact is that for whatever reason, we're getting an amazing look at what happens when responsible disclosure doesn't go to plan and the attackers and the defenders get vuln info at the same time. As a defender, you are certainly in a deep assessment/patching phase...
But you have a super complex environment evolved over years. All of your endpoints, all of the apps you depend on, all of your IoT devices, OT devices, etc. are potentially vulnerable and being probed for impact... and even you aren't sure where log4j2 has been used.
Read 24 tweets
1/3 This query lets you get all the guest users in your tenant and their last sign in.

Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity"
#azuread #graphps
@NathanMcNulty @Noelinho
2/3 This includes some formatting

Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity" | Select-Object -Property mail,@{Name = 'LastSignIn'; Expression = {$_.signInActivity.lastSignInDateTime}}
3/3 Here's the Graph version of it so you can see the other attributes. The non-interactive signins are more accurate way to find out recent activity.
Read 4 tweets
⚠️ Attention aux droits accordés aux #CSP (Cloud Service Providers ☁️) en environnement #Microsoft ! Un client vient de s'en rendre compte et l'expérience n'est pas agréable... [Thread 1/5]
1️⃣ Un partenaire #CSP peut faire une demande de droits 🔄 (Global Admin ou Helpdesk Admin... soit tout ou rien)
2️⃣ Les droits peuvent être validés par un Billing Admin, dont ce n'est pas le job 👤. Autrement dit, souvent peu de vérification... [2/5]
3️⃣ Ce n'est pas une blague : les droits n’apparaissent pas dans #AzureAD 🚨 (les auditeurs les moins chevronnés passeront à travers). Pire que ça : le #CSP a la possibilité de se connecter au tenant client sans mesure de sécurité particulière 🔐 [3/5]
Read 5 tweets
THREAD: Yesterday I gave a talk at #ITechDays on #Security approach in a #Cloud with #Azure context.
Here is key points and promised links and references.
DISCLAIMER: I'm MVP and RD but it isn't based on NDA info. My opinions only.
It might be wrong. You are warned.

Pic (cc) visualhunt.com/re7/e60879a6 Image
John Boyd defined #OODA loop. It is not strongest or best equip who survive.
Rate of adaptation to change matters.

How it applies to #security? Image
Read 28 tweets
Have you heard about naked guy at @zoom_us call? You don't want it - just TURN ON the password for meeting.

You are on #MicrosoftTeams? Use #azureAD conditional access and lobby settings.

Avoid naked people! Stay safe! Stay home#

mashable.com/article/videoc…
Read 4 tweets
Lot's of talk on #remote recently. Quick tip - are you using #JIra @Atlassian?
You can quickly let your people work on it from home. No VPN required. On-prem or through the #Azure #AzureAD #cloud (both options available)

Demo and scenario walkthrough - Image
@Atlassian You can also use #SAML with @Atlassian #Jira using #AzureAD or other provider. With #AzureAD application proxy you can publish it without network changes.

Here how it works;
If you have question about this or other scenario, drop it here - there is plenty of scenarios already addressed people don't know about.

IT crowd can help with #remotework (do we need a hashtag for it :))?
Read 3 tweets
I've finished setting up #Microsoft #Teams for one of agencies in major city in Poland. They have to #switch to #remote because of #coronavirus

Not bragging but - as IT crowd we have huge opportunity to help. It took me an hour and it will make their life easier. 1/2
There is urgency and they want to act - sometimes what is needed is a bit of knowledge and will.

Ask your local gov agency/service provider/NGO if they need help with switch to #remote.

It might be one hour for you - it will save them tons of time 2/2
On the sidenote: it is amazing were we landed with pushing compute to commodity. I got it up and running for them in 15 min. #Office365 and #AzureAD #FTW!
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!