Discover and read the best of Twitter Threads about #azuread
Most recents (19)
📚 Excellent article on #Phishing techniques targeting #O365 and #Azure🎣 Traditional phishing, device-code authentication, illicit consent grant attacks... it is not easy to make it simple on this topic, and it's the case here! riskinsight-wavestone.com/en/2023/03/ill… 
1️⃣ Obviously, the traditional phishing attack is simple to implement in the absence of multi-factor authent 🔐 We know what to do!
2️⃣ More tricky, device-code authent attack: the attacker’s objective is to get the victim to fill in his device code on the Ms devicelogin page🔥
2️⃣ More tricky, device-code authent attack: the attacker’s objective is to get the victim to fill in his device code on the Ms devicelogin page🔥
3️⃣ Conditional access policies can be used to prohibit suspicious connections from devices not under the control of the company👍
4️⃣ The illicit consent grant attack relies on the ability of an attacker to create an app that requires permission to be granted 💣
4️⃣ The illicit consent grant attack relies on the ability of an attacker to create an app that requires permission to be granted 💣
Do you know how authentication works in #AzureAD? The purpose of #authentication is to verify that we really are who we say we are. But how is it possible that our login remains active even if we close the browser? Let's take a look at how tokens work in Azure AD. [1/5]
After a successfully authentication, Azure AD issues a set of #tokens. An access token defaults to one hour and grants the user access to a single resource. If a user accesses multiple resources, they will have multiple access tokens. [2/5]
A refresh token, on the other hand, has essentially unlimited validity and its only purpose is to issue a new access token when the existing one expires, or to issue a new access token for a different resource, giving us a single sign-on (#SSO) experience. [3/5]
Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
A bit late to the game, but here we go.
In mid-November, we launched a big piece of work we've been working on for a very long time. We call this the Authentication Methods Policy Convergence in #AzureAD. 1/n
In mid-November, we launched a big piece of work we've been working on for a very long time. We call this the Authentication Methods Policy Convergence in #AzureAD. 1/n
With this preview, we have added more management control for auth methods that have been there in #AzureAD for a long time. The main problem with the old MFA Portal and SSPR blade was that it only allowed admins to enable/disable methods for ALL users, no group targeting. 2/n
With auth methods policies we added group targeting for all methods, exclusions and a migration control that lets you decide when you want these policies to apply to MFA and SSPR and ignore old settings. 3/n
New Tenant Creation setting in AzureAD User Settings?
Yes, allows default users to create Azure AD tenants. No, allows only users with global administrator or tenant creator roles to create Azure AD tenants.
The default seems configured on Yes in all tenants. (1/2)
#AzureAD
Yes, allows default users to create Azure AD tenants. No, allows only users with global administrator or tenant creator roles to create Azure AD tenants.
The default seems configured on Yes in all tenants. (1/2)
#AzureAD
'Yes' allows default users to create new AAD tenants in the environment. Based on my opinion; is it not better to force the 'No' as default.
Don't see any reason why normal users need to create AAD tenants. Though I could be wrong. Curious about the opinion of others
(2/2)
Don't see any reason why normal users need to create AAD tenants. Though I could be wrong. Curious about the opinion of others
(2/2)
Update: Feature is not visible anymore. All still available via the preview portal. preview.portal.azure.com/#view/Microsof…
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?
Here's are short thread about the feature.
PS. There is a bonus if you read all the way to the end 😉👇
Here's are short thread about the feature.
PS. There is a bonus if you read all the way to the end 😉👇
This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some like Phone number and email are very weak compared to others.
I shared more about this in a previous thread
I shared more about this in a previous thread
Moving away from Voice and SMS is in fact called out by NIST who classify PSTN based auth like SMS and Voice as RESTRICTED.
They explain in more detail in this FAQ.
pages.nist.gov/800-63-FAQ/#q-…
They explain in more detail in this FAQ.
pages.nist.gov/800-63-FAQ/#q-…
How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
Stop using per-user MFA for #AzureAD MFA. "Don't enable or enforce per-user Azure AD Multi-Factor Authentication if you use Conditional Access policies." learn.microsoft.com/en-us/azure/ac…
If you are still using per-user MFA, and can deploy conditional access policies, deploy the template to require MFA for all users and disable per user MFA. Conversion script here learn.microsoft.com/en-us/azure/ac… (we need to update this to use MS Graph SDK PowerShell and not MSOL) @merill
If you are using a free tenant or you have not enabled conditional access you have enabled the tenant security defaults right? You should go check your tenant right now if you don't know. learn.microsoft.com/en-us/microsof…
@Secureworks just released a threat analysis regarding flaws our team found in #AzureAD Pass-through Authentication (PTA).
secureworks.com/research/azure…
The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks
1/3
secureworks.com/research/azure…
The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks
1/3
How is this different from previous PTA exploits like #AADInternals PTASpy?
* After the initial compromise of a PTA agent, the exploitation is remote
* Exploitation can't be detected from the Azure portal or logs
* Exploit is persistent
2/3
* After the initial compromise of a PTA agent, the exploitation is remote
* Exploitation can't be detected from the Azure portal or logs
* Exploit is persistent
2/3
What can administrators do if they detect a compromised PTA agent?
* Contact Microsoft support to remove the agent
How to protect / prevent?
* Treat all servers with PTA agent as Tier 0
3/3
* Contact Microsoft support to remove the agent
How to protect / prevent?
* Treat all servers with PTA agent as Tier 0
3/3
Just a reminder when focusing on #security for your #office365 and #azuread tenants one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365 you should & read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication,are used to authenticate to Microsoft 365 through your on-premises identity infrastructure.Ifa SAML token-signing certificate is compromised, federation allows anyone who has.."2/7
certificate to impersonate any user in your cloud.
We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible."
3/7
7 AzureAD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA Phishing. #azureAD #MicrosoftSecurity
Links included for more information to earlier posted blogs.
A thread🛡️
Links included for more information to earlier posted blogs.
A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
Tip 2: 1/2: Adversary-in-the-middle/ AiTM attacks are growing/ detected more in the wild. Prevention using:
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you
You will need an Azure subscription, but the first 500 minutes/month are free!
Here's an example of how to automate Azure AD device cleanup :)
You will need an Azure subscription, but the first 500 minutes/month are free!
Here's an example of how to automate Azure AD device cleanup :)
First, we're going to log into the Azure portal: portal.azure.com
Search for Automation and click on Automation Accounts
Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
Search for Automation and click on Automation Accounts
Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
If you haven't heard, the MSOnline and AzureAD PowerShell modules are going away at the end of the year
Instead, we are going to use the new Graph SDK PowerShell modules
So let's go under Modules, click Add a Module, browse the gallery, and add Microsoft.Graph.Authentication
Instead, we are going to use the new Graph SDK PowerShell modules
So let's go under Modules, click Add a Module, browse the gallery, and add Microsoft.Graph.Authentication
Ok, so here's my take and recommendations from Identity Security lens on the #log4j2 vuln impact for #zerotrust and #AzureAD. TLDR: It's time for "EXTREME ZT: LPA ALL THE THINGS!" <thread>
The simple fact is that for whatever reason, we're getting an amazing look at what happens when responsible disclosure doesn't go to plan and the attackers and the defenders get vuln info at the same time. As a defender, you are certainly in a deep assessment/patching phase...
But you have a super complex environment evolved over years. All of your endpoints, all of the apps you depend on, all of your IoT devices, OT devices, etc. are potentially vulnerable and being probed for impact... and even you aren't sure where log4j2 has been used.
1/3 This query lets you get all the guest users in your tenant and their last sign in.
Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity"
#azuread #graphps
@NathanMcNulty @Noelinho
Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity"
#azuread #graphps
@NathanMcNulty @Noelinho
2/3 This includes some formatting
Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity" | Select-Object -Property mail,@{Name = 'LastSignIn'; Expression = {$_.signInActivity.lastSignInDateTime}}
Get-MgUser -All -Filter "userType eq 'Guest'" -Select "mail,userPrincipalName,signInActivity" | Select-Object -Property mail,@{Name = 'LastSignIn'; Expression = {$_.signInActivity.lastSignInDateTime}}
3/3 Here's the Graph version of it so you can see the other attributes. The non-interactive signins are more accurate way to find out recent activity.
⚠️ Attention aux droits accordés aux #CSP (Cloud Service Providers ☁️) en environnement #Microsoft ! Un client vient de s'en rendre compte et l'expérience n'est pas agréable... [Thread 1/5]
1️⃣ Un partenaire #CSP peut faire une demande de droits 🔄 (Global Admin ou Helpdesk Admin... soit tout ou rien)
2️⃣ Les droits peuvent être validés par un Billing Admin, dont ce n'est pas le job 👤. Autrement dit, souvent peu de vérification... [2/5]
2️⃣ Les droits peuvent être validés par un Billing Admin, dont ce n'est pas le job 👤. Autrement dit, souvent peu de vérification... [2/5]
THREAD: Yesterday I gave a talk at #ITechDays on #Security approach in a #Cloud with #Azure context.
Here is key points and promised links and references.
Here is key points and promised links and references.
DISCLAIMER: I'm MVP and RD but it isn't based on NDA info. My opinions only.
It might be wrong. You are warned.
Pic (cc) visualhunt.com/re7/e60879a6
It might be wrong. You are warned.
Pic (cc) visualhunt.com/re7/e60879a6
Have you heard about naked guy at @zoom_us call? You don't want it - just TURN ON the password for meeting.
You are on #MicrosoftTeams? Use #azureAD conditional access and lobby settings.
Avoid naked people! Stay safe! Stay home#
mashable.com/article/videoc…
You are on #MicrosoftTeams? Use #azureAD conditional access and lobby settings.
Avoid naked people! Stay safe! Stay home#
mashable.com/article/videoc…
#Office365 lobby settings - support.microsoft.com/en-us/office/c…
Lot's of talk on #remote recently. Quick tip - are you using #JIra @Atlassian?
You can quickly let your people work on it from home. No VPN required. On-prem or through the #Azure #AzureAD #cloud (both options available)
Demo and scenario walkthrough -
You can quickly let your people work on it from home. No VPN required. On-prem or through the #Azure #AzureAD #cloud (both options available)
Demo and scenario walkthrough -
@Atlassian You can also use #SAML with @Atlassian #Jira using #AzureAD or other provider. With #AzureAD application proxy you can publish it without network changes.
Here how it works;
Here how it works;
If you have question about this or other scenario, drop it here - there is plenty of scenarios already addressed people don't know about.
IT crowd can help with #remotework (do we need a hashtag for it :))?
IT crowd can help with #remotework (do we need a hashtag for it :))?
I've finished setting up #Microsoft #Teams for one of agencies in major city in Poland. They have to #switch to #remote because of #coronavirus
Not bragging but - as IT crowd we have huge opportunity to help. It took me an hour and it will make their life easier. 1/2
Not bragging but - as IT crowd we have huge opportunity to help. It took me an hour and it will make their life easier. 1/2
There is urgency and they want to act - sometimes what is needed is a bit of knowledge and will.
Ask your local gov agency/service provider/NGO if they need help with switch to #remote.
It might be one hour for you - it will save them tons of time 2/2
Ask your local gov agency/service provider/NGO if they need help with switch to #remote.
It might be one hour for you - it will save them tons of time 2/2
On the sidenote: it is amazing were we landed with pushing compute to commodity. I got it up and running for them in 15 min. #Office365 and #AzureAD #FTW!
