Merill Fernando
Feb 28 · 5 tweets · 3 min read
The ability to block Device Code Flow just became available in Microsoft Entra ID Conditional Access.

Here's a quick walkthrough of how attackers use device code flow to get access to your tenant and what you can do to protect yourself. Attention M365 admins and security teams: create this CA policy now and protect your users from Device Code Flow phishing and social engineering attacks!
❇️ Why does device code flow exist?

Device code flow is required when signing in on devices that lack local input, for example meeting room devices, or in scenarios such as shared devices.

Unfortunately, attackers frequently use this mechanism to target your users. The new Conditional Access feature, Authentication Flows, lets you target Device Code Flow and Authentication Transfer and block them from your tenant.
🪟 Microsoft's recommendation

Microsoft's recommendation is to block device code flow wherever possible and only allow device code flow where necessary.

Learn more
→ How-to article: learn.microsoft.com/entra/identity…
Here's how the new CA policy works to block Device Code Flow and protect your users!

[Illustration: how the block-access policy prevents the user from signing in]
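The policy described above, built through Microsoft Graph PowerShell as an added example (not the thread author's code). It assumes the Microsoft.Graph.Beta.Identity.SignIns and Microsoft.Graph.Beta.Reports modules, a caller holding Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All, and that the placeholder group id is replaced with a group holding your break-glass accounts and the device accounts that legitimately need device code flow.

```powershell
# Added example: inventory who uses device code flow, then create the block policy
# in report-only mode so the sign-in logs show who WOULD be blocked before you enforce.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# 1. Inventory: sign-ins in the last 7 days whose protocol was device code.
#    (Client-side filter on AuthenticationProtocol; values include 'deviceCode'.)
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgBetaAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq "deviceCode" }

"Device code sign-ins in the last 7 days, by user and app:"
$deviceCodeSignIns |
    Group-Object UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Exclusions: PLACEHOLDER group id (replace) - break-glass accounts plus the
#    meeting-room / shared-device accounts that genuinely need device code flow.
$allowedDeviceCodeGroup = "<GROUP-OBJECT-ID-PLACEHOLDER>"

# 3. The Conditional Access policy: all users, all apps, authentication flow =
#    device code flow, grant control = block.
$policy = @{
    displayName   = "Block device code flow"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users               = @{
            includeUsers  = @("All")
            excludeGroups = @($allowedDeviceCodeGroup)
        }
        applications        = @{ includeApplications = @("All") }
        # transferMethods is a flags value; "deviceCodeFlow" targets only device code
        # sign-ins. Use "deviceCodeFlow,authenticationTransfer" to cover both flows.
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"
```

Leave the policy in report-only until the sign-in logs show no legitimate device code sign-ins outside the excluded group, then set `state` to `enabled`.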
Found this useful? Follow, like and repost to share with your network. Plus, sign up to my newsletter to get updates like this delivered straight to your inbox: https://entra.news
Shout out to eagle-eyed @rootsecdev, who figured out this new CA feature before Microsoft published it. 👋

If you want to learn more don't miss this awesome blog post by @fabian_bader ⬇️
cloudbrothers.info/en/protect-use…
