Nathan McNulty
Nov 20 · 9 tweets · 5 min read
Someone asked about recreating Security Defaults in Conditional Access so that similar policies still apply, but with more flexibility.

This short thread is my best attempt based on the information available here:
learn.microsoft.com/en-us/microsof…

Note: Entra ID P2 is required for a full replacement (the risk-based policy in step 2).
1) "Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP"

For this, we need to combine the "Require multifactor authentication for all users" template with limiting the allowed Authentication methods.
For this template, it is recommended to have a couple of emergency access accounts and ensure they are excluded.

If you use Entra Connect, be sure to exclude the Directory Synchronization Accounts role.

These are good practices for all MFA policies:
learn.microsoft.com/en-us/entra/id…
Auth methods get a bit tricky because there are two places you can set them.

For per-user MFA (the legacy service settings), only leave the last verification option checked (verification code from mobile app or hardware token).

For the Authentication methods policy, only enable Microsoft Authenticator and software OATH tokens.
…ount.activedirectory.windowsazure.com/UserManagement…
portal.azure.com/#view/Microsof…
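Here is the Authentication methods side of step 1 done from Microsoft Graph PowerShell. This is an added example, not code from Nathan's thread; it assumes the Microsoft.Graph module is installed and an account holding the Policy.ReadWrite.AuthenticationMethod and AuditLog.Read.All permissions. It only touches the weaker methods (SMS and voice): phishing-resistant methods such as FIDO2 and certificate-based auth are deliberately left alone, and the legacy per-user MFA verification options are managed on the legacy portal page linked above rather than through Graph, so that part still has to be done by hand.

```powershell
# Added example (not from the original thread). Restrict the Entra Authentication
# methods policy so that only Microsoft Authenticator and software OATH tokens are
# enabled for MFA, and SMS/voice are disabled.
# Requires: Microsoft.Graph module; Policy.ReadWrite.AuthenticationMethod and
# AuditLog.Read.All scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod','AuditLog.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'

# Method id -> desired state. Each PATCH needs the matching @odata.type.
$desired = @(
    @{ id = 'MicrosoftAuthenticator'; state = 'enabled';  type = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration' },
    @{ id = 'SoftwareOath';           state = 'enabled';  type = '#microsoft.graph.softwareOathAuthenticationMethodConfiguration' },
    @{ id = 'Sms';                    state = 'disabled'; type = '#microsoft.graph.smsAuthenticationMethodConfiguration' },
    @{ id = 'Voice';                  state = 'disabled'; type = '#microsoft.graph.voiceAuthenticationMethodConfiguration' }
)
# Not touched on purpose: Fido2, X509Certificate, TemporaryAccessPass (stronger or
# break-glass methods) and Email (used for SSPR, not MFA).

# Look before you leap: record the current state of every method
$before = (Invoke-MgGraphRequest -Method GET -Uri $base).value
$before | Select-Object id, state | Format-Table -AutoSize

foreach ($m in $desired) {
    $current = ($before | Where-Object id -eq $m.id).state
    if ($current -eq $m.state) { Write-Host "$($m.id): already $($m.state)"; continue }
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($m.id)" -Body @{
        '@odata.type' = $m.type
        state         = $m.state
    } | Out-Null
    Write-Host "$($m.id): $current -> $($m.state)"
}

# Users who are MFA-registered but only with SMS/voice will be pushed to register
# Authenticator at their next challenge. List them before flipping a large tenant.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.IsMfaRegistered -and
                   $_.MethodsRegistered -notcontains 'microsoftAuthenticatorPush' -and
                   $_.MethodsRegistered -notcontains 'softwareOneTimePasscode' } |
    Select-Object UserPrincipalName, MethodsRegistered
```

Run the GET and the registration report on their own first; the PATCH loop is idempotent, so re-running it after a partial failure is safe.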
2) "Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks"

This requires Entra ID P2 licensing, but it is very cool that they give this for free with Security Defaults!

Use the "Require multifactor authentication for risky sign-ins" template.
There may be some other logic they are using as part of this, but I don't believe that information is published anywhere.

You can read more about this policy here as well:
learn.microsoft.com/en-us/entra/id…

I recommend a second policy for admins with sign-in risk set to high, medium, and low.
3) "Disabling authentication from legacy authentication clients that can't do MFA"

This one is easy - use the "Block legacy authentication" template.

For more info, see:
learn.microsoft.com/en-us/entra/id…

⚠️ Note: This does not block credential validation. Conditional Access is evaluated after the password has already been checked, so a password spray over POP/IMAP/SMTP AUTH still tells the attacker which passwords are valid. Disable the protocols on the mailbox as well.
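As an added example (not from the thread), here is the Exchange Online side of that note: turning off POP, IMAP and SMTP AUTH so legacy-protocol requests never get as far as credential validation. It assumes the ExchangeOnlineManagement module, an Exchange Administrator, and that mailboxes needing an exception carry a hypothetical CustomAttribute1 value of LegacyAuthAllowed (an assumed convention, not a built-in).

```powershell
# Added example (not from the original thread). A Conditional Access block is
# applied after the password has already been validated, so a spray over
# POP/IMAP/SMTP AUTH still tells an attacker which passwords are right.
# Disabling the protocols in Exchange Online stops the request before that point.
# Requires: ExchangeOnlineManagement module, Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# Org-wide default: SMTP AUTH off (a per-mailbox setting can still re-enable it)
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Default for mailboxes created from now on: POP/IMAP off
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# Existing user mailboxes, skipping the documented exceptions.
# CustomAttribute1 = 'LegacyAuthAllowed' is an assumed convention for this example.
$mailboxes = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
                -Properties CustomAttribute1
$exempt  = @($mailboxes | Where-Object CustomAttribute1 -eq 'LegacyAuthAllowed')
$targets = @($mailboxes | Where-Object CustomAttribute1 -ne 'LegacyAuthAllowed')
Write-Host "Disabling legacy protocols on $($targets.Count) mailboxes, $($exempt.Count) exempt"

foreach ($mbx in $targets) {
    Set-CASMailbox -Identity $mbx.UserPrincipalName `
        -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
}

# Verify: anything that still has a legacy protocol on, or an explicit SMTP AUTH
# override ($null means "inherit the org setting", $false means re-enabled)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

The verification query is the part worth keeping as a recurring check: a single mailbox with SmtpClientAuthenticationDisabled set to $false overrides the org-wide setting and reopens the spray surface for that account.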
4) "Protecting admins by requiring extra authentication every time they sign in"

This one is very ambiguous. AFAICT, they are selecting admin roles under Users and using Sign-in frequency.

I haven't reverse engineered the duration, but anything 12 hours or shorter is a good choice.
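Putting the four steps together, as an added example that is not Nathan's code: the policies below are created through Microsoft Graph PowerShell in report-only mode so you can read the sign-in logs before enforcing anything. Assumptions: Security Defaults has already been turned off (Conditional Access policies cannot be enabled while it is on), the Microsoft.Graph module is installed, and the two break-glass UPNs and the list of admin roles are placeholders to replace with your own. Role template IDs are resolved by display name so nothing is hard-coded, and the Directory Synchronization Accounts role is excluded from the all-users policies as the thread recommends.

```powershell
# Added example (not from the original thread). Recreates the four Security
# Defaults behaviours as Conditional Access policies, report-only first.
# Requires: Microsoft.Graph module; Policy.ReadWrite.ConditionalAccess,
# RoleManagement.Read.Directory and User.Read.All scopes. Step 2 needs Entra ID P2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','RoleManagement.Read.Directory','User.Read.All' -NoWelcome

# Placeholders: your emergency access accounts (excluded from every policy)
$breakGlassIds = 'bg-admin1@contoso.example','bg-admin2@contoso.example' |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

# Role template IDs resolved by name (no hard-coded GUIDs)
$roleId = @{}
Get-MgDirectoryRoleTemplate | ForEach-Object { $roleId[$_.DisplayName] = $_.Id }
# Placeholder admin role list for steps 2b and 4; adjust to your tenant
$adminRoleIds = 'Global Administrator','Privileged Role Administrator','Security Administrator',
                'Conditional Access Administrator','Exchange Administrator','SharePoint Administrator',
                'User Administrator','Authentication Administrator' |
    ForEach-Object { $roleId[$_] }

$reportOnly = 'enabledForReportingButNotEnforced'
$allApps    = @{ includeApplications = @('All') }
$mfa        = @{ operator = 'OR'; builtInControls = @('mfa') }
$everyTime  = @{ signInFrequency = @{ isEnabled = $true; frequencyInterval = 'everyTime'
                                      authenticationType = 'primaryAndSecondaryAuthentication' } }

# Everyone, minus break-glass and the Entra Connect sync accounts
function AllUsers { @{ includeUsers = @('All'); excludeUsers = $breakGlassIds
                       excludeRoles = @($roleId['Directory Synchronization Accounts']) } }
function Admins   { @{ includeRoles = $adminRoleIds; excludeUsers = $breakGlassIds } }

$policies = @(
    @{  displayName   = 'SD01 - Require MFA for all users'                 # step 1
        state         = $reportOnly
        conditions    = @{ users = (AllUsers); applications = $allApps; clientAppTypes = @('all') }
        grantControls = $mfa },
    @{  displayName   = 'SD02a - Require MFA for risky sign-ins'           # step 2 (P2)
        state         = $reportOnly
        conditions    = @{ users = (AllUsers); applications = $allApps; clientAppTypes = @('all')
                           signInRiskLevels = @('high','medium') }
        grantControls = $mfa; sessionControls = $everyTime },
    @{  displayName   = 'SD02b - Require MFA for risky admin sign-ins'     # step 2, admins
        state         = $reportOnly
        conditions    = @{ users = (Admins); applications = $allApps; clientAppTypes = @('all')
                           signInRiskLevels = @('high','medium','low') }
        grantControls = $mfa; sessionControls = $everyTime },
    @{  displayName   = 'SD03 - Block legacy authentication'               # step 3
        state         = $reportOnly
        conditions    = @{ users = (AllUsers); applications = $allApps
                           clientAppTypes = @('exchangeActiveSync','other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') } },
    @{  displayName   = 'SD04 - Admins: MFA with 12h sign-in frequency'    # step 4
        state         = $reportOnly
        conditions    = @{ users = (Admins); applications = $allApps; clientAppTypes = @('all') }
        grantControls = $mfa
        sessionControls = @{ signInFrequency = @{ isEnabled = $true; frequencyInterval = 'timeBased'
                                                  value = 12; type = 'hours' } } }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
# Review report-only results under Sign-in logs > Conditional Access (report-only tab),
# then switch each policy on with:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```

Two things to check in the report-only results before enabling: that the break-glass accounts never show up as "would have been blocked" in SD03, and that the Entra Connect sync account never matches SD01, since either one is how people lock themselves out.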
I hope this helps for anyone needing to disable Security Defaults due to some issues they've run into but still want to have similar protection

Hopefully if I've missed anything, others will chime in, and I might create a blog with some deployment automation tooling later :)
