EZ
Yesterday is history. Tomorrow is a mystery. Cloud Solutions Engineer at Contoso. Hacktive Directory admin. Posts don't represent my employer(s).
Nov 8 7 tweets 3 min read
IAM = Identity AND ACCESS management.

When you use a CASB, you are delegating ACCESS management to the CASB.

What is a CASB?
- Sanctioning (determining ACCESS to apps)
- ACCESS management (a component of IAM)
- Session management (Data in Motion DLP)
- Labeling data and determining ACCESS
- UEBA (threat policies)
- Governance (monitoring and actioning API and app deprecation and determining risk)
- SSPM (SaaS Posture Management)

When you have a CASB AND you are using it, you have delegated ACCESS management (of IAM) to the CASB.

How is this achieved? OAuth. For those who like pictures, we are talking about here: [image not available]
Sep 14 9 tweets 2 min read
Let's play a game: How do you hold an M365 tenant hostage?

So, the attacker got Global Admin. Let's play scorched earth.

1. Lock out all the admins except yourself with CAPs.
2. Change all the client secrets and certs+keys.
3. Block everyone from using Exchange, SharePoint, and Teams with CAPs.
4. Enable customer lockbox
5. Configure all the sensitivity labels with BYOK :p
6. Unassign all Enterprise applications and revoke API permissions :p
7. Disable any B2B trusts
8. In all the admin centers, remove all admin roles not in Entra.

What else?

9. Disable any partner access/GDAP
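Each step in the list above is an administrative change that lands in the Entra ID audit log, and that is the defender's angle on it: a single actor performing several of these operations in quick succession is unusual enough to alert on. The following is an added example and not part of EZ's thread: a small Python script that scans audit records for an actor who performs a number of distinct high-impact directory operations inside a short window. The log records are constructed, and the operation names in `HIGH_IMPACT_OPERATIONS` are assumptions used as illustrative placeholders; check them against the `activityDisplayName` values your own tenant actually emits before relying on this.

```python
"""Added example (not from the thread): flag a burst of high-impact
Entra ID admin operations by one actor, the kind of activity the
"scorched earth" list would produce. Records are constructed and the
operation names are assumed placeholders to verify against a real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: illustrative operation names; confirm against your tenant's
# audit log activityDisplayName values before using these in detection.
HIGH_IMPACT_OPERATIONS = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
    "Update application - Certificates and secrets management",
    "Remove member from role",
    "Remove app role assignment from user",
    "Update policy",  # e.g. cross-tenant (B2B) access settings
}

# Constructed sample records shaped like exported audit log rows.
SAMPLE_LOG = [
    {"ts": "2024-11-08T09:00:05Z", "actor": "admin-x@tenant.example",
     "operation": "Add conditional access policy"},
    {"ts": "2024-11-08T09:01:40Z", "actor": "admin-y@tenant.example",
     "operation": "Update conditional access policy"},
    {"ts": "2024-11-08T09:02:10Z", "actor": "admin-x@tenant.example",
     "operation": "Update application - Certificates and secrets management"},
    {"ts": "2024-11-08T09:03:30Z", "actor": "admin-x@tenant.example",
     "operation": "Remove member from role"},
    {"ts": "2024-11-08T09:04:00Z", "actor": "admin-x@tenant.example",
     "operation": "Remove member from role"},
    {"ts": "2024-11-08T09:05:15Z", "actor": "admin-x@tenant.example",
     "operation": "Remove app role assignment from user"},
    {"ts": "2024-11-08T11:30:00Z", "actor": "admin-y@tenant.example",
     "operation": "Update user"},  # routine, not in the high-impact set
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bursts(records, window=timedelta(minutes=15), threshold=3):
    """Return {actor: sorted distinct operations} for every actor who
    performed at least `threshold` distinct high-impact operations
    within any `window`-long span. Repeats of the same operation count
    once, so a bulk edit of one kind does not trip the rule by itself."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["operation"] in HIGH_IMPACT_OPERATIONS:
            by_actor[rec["actor"]].append((parse_ts(rec["ts"]), rec["operation"]))

    alerts = {}
    for actor, events in by_actor.items():
        events.sort()  # chronological order for the sliding window
        for i, (start, _) in enumerate(events):
            # Every event from this one forward that falls inside the window.
            in_window = {op for ts, op in events[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts[actor] = sorted(in_window)
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for actor, ops in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {actor}: {len(ops)} distinct high-impact operations: {ops}")
```

With the constructed log, only `admin-x@tenant.example` is flagged (four distinct operations inside five minutes); `admin-y` touches one policy and is ignored. The window and threshold are tuning knobs, and an alert like this is a prompt to corroborate against sign-in logs and change tickets rather than a verdict on its own.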