Nathan McNulty
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
Apr 11 11 tweets 7 min read
And there it is - Passkey in Microsoft Authenticator!

If you'd like to set up Passkeys in Microsoft Authenticator, follow along. I'll provide a script to grab all existing AAGUIDs from your environment so we can configure this for testing without breaking existing keys :)
Before we begin, it's very important to call out that the Preview requires we set "Enforce attestation" to No, and for this reason, we NEED to restrict use to specific keys

In this case, we want to use the Allow option so that only those explicitly on the list can be registered
Mar 27 5 tweets 2 min read
You might need to check your Teams Admin Center.. 😩

It looks like the defaults for 3rd party apps changed so users can now add over 2300 apps to Teams without requiring approval

To change this, click Actions - Org-wide app settings, turn off 3rd party apps (more in next tweet)

After changing "Let users install and use available apps by default" to Off, we'll see Assignments change from Everyone to Not Assigned
Dec 6, 2023 6 tweets 3 min read
This is a great graphic, but hopefully after reading this thread, it will tell an incomplete story

Too many orgs provide directory wide permissions allowing admins to have control over all users and all supported admins

It doesn't have to be this way, Entra ID supports scoping

9 years ago (!), Microsoft released a feature called Administrative Units

These were kind of like OUs, but also kind of like groups because you could be in more than one

These were designed to scope permissions like helpdesk admin to a subset of users

learn.microsoft.com/en-us/entra/id…
Nov 20, 2023 9 tweets 5 min read
Someone asked about recreating Security Defaults in Conditional Access so similar policies still apply but with more flexibility

This short thread is my best attempt based on the information available here:


Note: Entra ID P2 required for full replacement

learn.microsoft.com/en-us/microsof…

1) "Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP"

For this, we need to combine the "Require multifactor authentication for all users" template with limiting use of Authentication methods
Nov 4, 2023 5 tweets 2 min read
This is a *very* nuanced statement, and Brian offers some good clarifications in the thread

But I would also say Conditional Access is the only way to meaningfully improve security when ideal scenarios cannot be applied across the board

The real issue with CA is weak policies 🧵

First, it's important to note that CA (authorization) comes AFTER authentication

You want significant security improvements? Require phishing resistant authentication - period

Can't do that in all cases? CA is your best tool to gradually improve and handle exceptions well
Oct 27, 2023 10 tweets 4 min read
I saw a guide on this a while back but can't find it anymore... :(

I don't have Windows 365 to test right now, but this is what *should* work and best of what I can remember from the thread/blog that I read some time last year...

Quick 🧵 on Conditional Access filter for apps

Filter for apps was introduced late last year that allows us to leverage custom security attributes within Conditional Access policies

Very helpful for microservices architectures with constantly changing appIds, but also, apps not shown in the picker 💡

learn.microsoft.com/en-us/entra/id…
Oct 6, 2023 9 tweets 3 min read
Looks like a good time for a thread on token theft :)

Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks

That doesn't mean it's useless, but it's becoming less useful

Ideally, we want to move to phishing resistant authentication

In this category, Entra ID supports FIDO2 Security keys, Hello for Business, and Certificate Based Authentication. Microsoft Authenticator and passkeys are coming soon.

Let's start with Hello for Business!
May 14, 2023 7 tweets 3 min read
Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint? 💡

This might be helpful if someone started selling TLD's you'll never do business with ;)

Go to intune.microsoft.com under Endpoint security - Firewall, Reusable settings, click Add

Reusable settings can be used in multiple firewall policies, and updates to these settings apply across all policies automatically

Let's give this a memorable name, then click Next
Apr 25, 2023 7 tweets 3 min read
I have a more comprehensive blog article I'm working on, but a few folks have asked about examples, so until then!

This will be KQL heavy because it's what I have and use, but this thread will have examples for both process execution as well as network telemetry for FW rules :)

// PowerShell execution (including renamed binaries) excluding SYSTEM, UPN per device
DeviceProcessEvents
| where InitiatingProcessAccountSid != @"S-1-5-18"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| summarize count() by InitiatingProcessAccountUpn, DeviceName
Feb 26, 2023 8 tweets 5 min read
What are some of the first things you do when setting up Azure subscriptions?

Here's some of my favorites, and I'd love to hear from others too :)

First, I always start by setting up billing anomaly alerts (and budgets/budget alerts)

https://t.co/qS0ply93ZB (learn.microsoft.com/en-us/azure/co…)

While I'm at it, I always double-check to see who can transfer subscriptions in and out of my tenant

Attackers can transfer subscriptions to their own tenant but leave you with the billing, so you won't see resources until it's too late

Disable and exempt users only when needed
Sep 16, 2022 4 tweets 2 min read
If you have secrets in PowerShell scripts, at the very least, log in with the account that will be running the script and do the following:

Get-Credential | Export-CliXml -Path $env:USERPROFILE\creds.xml

In your script:

$creds = Import-CliXml -Path $env:USERPROFILE\creds.xml

What happens here is that Export-CliXml sees the credential object and uses DPAPI to encrypt the output

This is why you must run the command as the account that will run the script. It's also why this is Windows only.

For scripts run with a gMSA, use PSExec to run PS as gMSA
Aug 13, 2022 5 tweets 2 min read
You can easily block these attacks by enforcing Code Integrity Guard for teams.exe and onedrive.exe using Defender Exploit Protection

This mitigation won't work for everyone, especially if you rely on 3rd party plugins, but you should at least put it in audit mode

Here's how :)

First, open Windows Security, go under App & browser control, then click Exploit protection settings

Now click Program settings in the top right, then click Add program to customize

Add an entry for teams.exe and onedrive.exe and enable CIG
Aug 12, 2022 5 tweets 2 min read
You can also use Windows Firewall to block outbound connections to non-private IP ranges from processes like rundll32 or PowerShell

If you have an EDR/SIEM, go hunting and see if you find anything. If you find legit use cases, add them as an exception with the private ranges ;)

You might think this is pointless since an attacker can just disable the local firewall or modify the rules

There's actually a feature for both Defender exclusions and Firewall rules called Disable local admin merge

It does exactly what it sounds like

Apr 21, 2022 13 tweets 10 min read
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)

First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
Nov 10, 2021 9 tweets 3 min read
Lots of good patches today. Doing a quick thread on them as some of these have Event IDs that should be collected.

Domain controller impersonation using sAMAccountName spoofing

After applying KB5008102, collect System Log Event IDs 16990-16991 on DC's

support.microsoft.com/en-us/topic/kb…

To discover non-compliant sAMAccountName:

Get-ADComputer -LDAPFilter "(samAccountName=*)" | ? SamAccountName -NotLike "*$" | select DNSHostName, Name, SamAccountName

Non-compliant UserAccountControl:
Get-ADComputer -LDAPFilter "(UserAccountControl:1.2.840.113556.1.4.803:=512)"
Nov 2, 2021 4 tweets 2 min read
So you don't enforce MFA on all Azure admin roles? Not really sure where to start?

Looks like Microsoft has added a nice doc (and script in the doc) to help discover and assess your privileged users so you can minimize potential impacts ;)

docs.microsoft.com/en-us/azure/ac…

I think it's great they are pushing more and more content to make the message clear - all admins should be covered by strong authentication / conditional access policies

I am really curious about this though.. Anyone know what this refers to?
Oct 29, 2021 14 tweets 10 min read
Who wants to play with Defender for Endpoint's Removable Storage Access Control?

Yeah, me neither, but I'm doing it anyway

So what is it?

Well, it lets us do things like block writing to all removable media except specific ones using serial numbers

docs.microsoft.com/en-us/microsof…

If you try to read the docs.. I apologize for the aneurysm. They're pretty rough, but we'll get through it.

First, we need serial numbers for all our USB drives we want to allow 😬

"Hey Bob, here's an 8 step process to get serial numbers for me. No, you don't have to press F12"
Sep 23, 2021 11 tweets 10 min read
DMARC: Domain-based Message Authentication, Reporting and Conformance

Phew, that's a mouthful. Let's simplify this a bit.

DMARC lets you tell other mail servers what to do about email sent from your domains - apply policy and report

If you haven't done SPF/DKIM, do that first:

If you're using O365 and don't have DMARC reports going somewhere useful, you can now set this up for free:

microsoft.com/security/blog/…

Now, I'm not a big fan of how they handle DNS... but it's free? I've always used @dmarcian and really prefer the way they do it.

But let's test!
Sep 18, 2021 16 tweets 10 min read
Let's walk through setting up email in Office 365 :D

If you haven't added a custom domain or signed up for a free M365 Developer account, check the QT thread

To get started, let's sign into the M365 admin center (admin.microsoft.com) and sign into the DNS for your domain :)

While doing this setup through the M365 admin center is not required, it sure makes life easier if you don't know the DNS records off the top of your head

So we go under Settings - Domains, and you should see something like the picture below

Check your domain and continue setup
Aug 15, 2021 4 tweets 2 min read
I'd like to talk about #windows for a minute

I know it's hard to do something that will last 20+ years, and maybe design choices from the 90's weren't the best ideas...

There are foundational issues that need to be addressed. A clean install of Windows ruined by its foundation. The amount of failures I'm seeing is just unacceptable. We can all agree who is mostly to blame, but that won't help fix the years of rot we're looking at.

I do believe this can be fixed, but it's going to require removing old, vulnerable crap and rebuilding with a better base
Jul 16, 2021 20 tweets 13 min read
It's finally time to learn about Groups in Azure AD :)

Groups are foundational components for granting access to resources, email delivery, and even assigning licenses within Azure AD.

But first, you need users, so if you haven't yet, go create some :)

In Azure AD, we have a few different types of groups

The main group types are security and Microsoft 365 groups, but in Exchange we also have distribution lists which are mail enabled groups with no security context

Each group also has an assigned and dynamic membership type