Nathan McNulty
May 19, 2021
Did you know that you can get a free M365 E5 subscription with 25 user licenses to learn, create automation, and develop applications?

I know most folks never get the chance to admin this stuff, so sign up now, and let's walk through this together :)

developer.microsoft.com/en-us/microsof…
Upon visiting the Microsoft 365 Dev Center, it will ask you to sign in with your Microsoft account.

This will be the Microsoft account that your developer tenant will be associated with, but not the one you use to log into it.

You should see something like this 👇
So we simply fill out a few forms that let Microsoft know what we intend to do.

Please do not abuse this or use it for business purposes.

I build automation scripts, test SSO like SAML/OIDC with various apps, and build documentation for sharing with others for learning.
And just like that, we now have our own M365 Developer account where we can set up our E5 subscription!
So the next step is to click the big blue "Set up E5 subscription" button and follow the wizard.

Note: Microsoft has a really bad password limitation on sign up, so use a crappy one and change it once you've logged in

2nd note: Kudos to MS on requiring MFA, even if it is SMS :)
You should now see 92 days or so (I did this a bit ago) remaining on the subscription, and you can renew this over and over as long as you are using it appropriately.

While you are here, you can definitely add their sample data packs which might be helpful to learn with :)
Next thing we can do is log into the Azure Portal by going to portal.azure.com

Click the hamburger menu icon (that's what we're calling it, right?), and click Azure Active Directory.

You should now see that you are a Global Admin with Azure AD Premium P2

Feel the power!
So you now have a dev tenant that you can just look around and play in.

Check out Azure AD, poke around, create users, groups, etc.

I have an AD lab that I will be connecting to this, and I'll be creating threads in the near future on setting up everything we can in M365.
If you have specific things you want to see, let me know

Plan is Azure AD first (Roles/PIM, Apps/SPs/SSO, Conditional Access, Users, Groups, AUs, etc.), then Exchange/SharePoint/ConfigMgr migration stuff, and finally set up the full Defender/MCAS suite.

Bedtime for now though :)
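Once the E5 subscription is active, the same checks the thread does in the portal (Global Admin with P2) and the "create users, groups" playing around can be scripted. This is an added example using the Microsoft Graph PowerShell SDK, not code from the thread; the tenant domain, user names and group name are constructed placeholders, and it assumes `Install-Module Microsoft.Graph` has already been run.

```powershell
# Added example (not from the thread): verify the new dev tenant from PowerShell and seed it
# with a security group and a few lab users via the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; you sign in as the dev tenant's Global Admin.
# $TenantDomain, the user names and the group name are constructed placeholders.
$TenantDomain = 'yourtenant.onmicrosoft.com'   # placeholder: your dev tenant's domain

$scopes = 'Organization.Read.All','RoleManagement.Read.Directory','User.ReadWrite.All','Group.ReadWrite.All'
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Confirm a subscribed SKU carries the Entra ID (Azure AD) Premium P2 service plan.
$p2Skus = Get-MgSubscribedSku | Where-Object { $_.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM_P2' }
if (-not $p2Skus) { throw 'No SKU with AAD_PREMIUM_P2 found; is the E5 subscription set up?' }
$p2Skus | ForEach-Object { "SKU $($_.SkuPartNumber): $($_.PrepaidUnits.Enabled) seats, $($_.ConsumedUnits) used" }

# 2. Confirm the signed-in account holds the Global Administrator role.
$me   = Get-MgUser -UserId (Get-MgContext).Account
$ga   = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$isGA = (Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id).Id -contains $me.Id
"Signed in as $($me.UserPrincipalName); Global Admin: $isGA"

# 3. Seed a security group and three lab users. Each user gets a random one-time password and
#    must change it at first sign-in, so the temporary value printed here is only a lab convenience.
$group = New-MgGroup -DisplayName 'Lab Users' -MailNickname 'labusers' -MailEnabled:$false -SecurityEnabled
foreach ($name in 'alice','bob','carol') {
    $tempPw = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
    $user = New-MgUser -DisplayName "Lab $name" -UserPrincipalName "$name@$TenantDomain" `
        -MailNickname $name -AccountEnabled -UsageLocation 'US' `
        -PasswordProfile @{ Password = $tempPw; ForceChangePasswordNextSignIn = $true }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    "Created $($user.UserPrincipalName) in '$($group.DisplayName)' (temp password: $tempPw)"
}
```

Signing in and making changes like these is also the kind of regular, legitimate use the renewal check in the last tweet looks for.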
Many people asked about renewals, so I'm tossing a little update on here

I've logged into this tenant about 40 times in the last 90 days and played around with various settings, and I added my GitHub to my dev account with a few dozen commits.

That was all it needed to renew 👇
