Sign-In Frequency (SIF) is a commonly misunderstood control, one many orgs use to inflict unnecessary suffering on their employees 😩

It probably doesn't work the way you think it does and is often used in less than ideal ways...

So let's look at how it works and when to use it

https://twitter.com/Xenoulis1/status/1985286647840481374

To understand authorization controls (Conditional Access), we need to understand the authentication tokens it evaluates

When we log into a Hybrid or Entra joined device, we authenticate to Entra and get a Primary Refresh Token (PRT) with the time of the event in it

The "issue":

Hello for Business works great with AD integrated apps (Kerberos/NTLM), but it requires setting up a trust model

Very poorly generalized, Hello uses certificates that AD doesn't understand, so we need a way to request a Kerberos ticket with the certs

This is crazy easy now 🧵

https://twitter.com/magnus133/status/1883097307463483657

Before I share how easy it is now, I want to share why people still hate Hello because its history was way more complicated

Originally we had certificate trust which required full PKI deploying certificates to all of your devices and AD

Doing this properly was really hard...

I think the most common misunderstanding of Conditional Access is its relationship to authentication, and this results in not understanding how the rest of the controls actually work

Conditional Access performs authorization by evaluating tokens from the authentication service This provides important insights 💡

CA policies cannot block anything until AFTER authentication occurs

This means CA cannot help with password spray/credential stuffing. This is why we have Password Protection and Smart Lockout.

learn.microsoft.com/en-us/entra/id…
learn.microsoft.com/en-us/entra/id…

You likely aren't collecting all available events to the Unified Audit Log

First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything).

Retention is based on license... This policy only applies to users with the Microsoft 365 Advanced Audit SKU assigned, audit records are retained for 1 year. Audit records for users without this SKU are retained for 180 days (thanks CISA for the bump up from 90 days!)

Second, this still doesn't get everything..

A common ask I get often is:

I want to require fresh strong authenticaton from a compliant device (or specific devices) when someone activates a role via PIM

So let's walk through that scenario really quick

If anything is unclear, just try harder!

I'm kidding, ask away 😜

https://twitter.com/NathanMcNulty/status/1831864788789686540

First, if the built-in phishing resistant auth strength works for you, use it

If not, we can customize exactly what we want (avoid requiring one not allowed in another poilcy)

We can even define AAGUIDs to specify exact models of keys that must be used

learn.microsoft.com/en-us/entra/id…

In this thread, I will provide Graph PowerShell commands to find synced users with admin privileges

Microsoft has been very vocal about not granting privileges to synced accounts for about 4 years now

Read this post by @Alex_T_Weinert:


Then check below techcommunity.microsoft.com/t5/microsoft-e…

https://twitter.com/_wald0/status/1820951605333950947

@Alex_T_Weinert For those with PIM, these two scopes will help us get what we need (remove the /'s):

Connect-MgGraph -Scopes 'RoleAssignmentSchedule./Read.Directory','RoleEligibilitySchedule./Read.Directory'

If you don't use PIM, I believe you only need: RoleManagement./Read.Directory

How non-privileged users can make themselves admin of your SaaS apps - a short story :)

Let's say your company uses Salesforce and has configured SAML for SSO with your Identity Provider

Salesforce's SAML implementation lets us pass identity and roles (permissions) on the token

https://twitter.com/merill/status/1818119365646290948

So we create a security group named "Salesforce Admins" and add our admins to the group

Then we configure the claims rule in our Identity Provider to send the role value of System Administrator for members of a group with the display name of "Salesforce Admin" 🚩

The OP is about excluding networks from MFA requirements (I'm not a fan)

But I want to focus on why we should set up Named/Trusted Locations and use them in a CA policy

Primarily, this enables Continuous Access Evaluation and tunes Identify Protection

learn.microsoft.com/en-us/entra/id…

https://twitter.com/ChadWst/status/1801631429559730423

That doc is a long but valuable read, especially since CAE affects things you probably don't realize

To start, CAE aware tokens are only supported for Exchange, SharePoint, Teams, and Graph

While any 3rd party can integrate and use CAE, I am not aware of any vendor who did so

Managing policies for Defender AV on Servers is a big pain point

We have like 6 ways to do it, and for many orgs, there is no single option that covers everything you want.. 😩

Join me on this thread where I'll discuss the options, limitations, and design considerations

https://twitter.com/paulbendall/status/1798725316841783374

Group Policy - well known, easy to evaluate against benchmarks

Downsides:

Must be bound to AD (Azure VMs, backup systems, etc. often are not)

Need line of sight to a DC (usually not an issue for servers)

No additional Tamper Protection like we get from Intune sources

I'm so excited to see these new records available to everyone :)

But also, please make sure you enable all of the audit records that you want to collect

Below, you will see the default records as compared to everything you could collect, and this is just for Owner events..

🧵

https://twitter.com/reprise_99/status/1792877678649069814

First, if auditing isn't enabled, you aren't getting anything...

# Users w/o auditing
Get-Mailbox -Filter "AuditEnabled -eq 'False' -and RecipientTypeDetails -eq 'UserMailbox'"

To enable, add:

| ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true

And there it is - Passkey in Microsoft Authenticator!

If you'd like to set up Passkeys in Microsoft Authenticator, follow along. I'll provide a script to grab all existing AAGUIDs from your environment so we can configure this for testing without breaking existing keys :)

https://twitter.com/reprise_99/status/1778325781103743315

Before we being, it's very important to call out that the Preview requires we set "Enforce attestation" to No, and for this reason, we NEED to restrict use to specific keys

In this case, we want to use the Allow option so that only those explicitly on the list can be registered

You might need to check your Teams Admin Center.. 😩

It looks like the defaults for 3rd party apps changed so users can now add over 2300 apps to Teams without requiring approval

To change this, click Actions - Org-wide app settings, turn off 3rd party apps (more in next tweet) After changing "Let users install and use available apps by default" to Off, we'll see Assignments change from Everyone to Not Assigned

This is a great graphic, but hopefully after reading this thread, it will tell an incomplete story

Too many orgs provide directory wide permissions allowing admins to have control over all users and all supported admins

It doesn't have to be this way, Entra ID supports scoping

https://twitter.com/EricaZelic/status/1732119494380736724

9 years ago (!), Microsoft released a feature called Administrative Units

These were kind of like OUs, but also kind of like groups because you could be in more than one

These were designed to scope permissions like helpdesk admin to a subset of users

learn.microsoft.com/en-us/entra/id…

Someone asked about recreating Security Defaults in Conditional Access so similar policies still apply but with more flexibility

This short thread is my best attempt based on the information available here:


Note: Entra ID P2 required for full replacementlearn.microsoft.com/en-us/microsof… 1) "Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP"

For this, we need to combine the "Require multifactor authentication for all users" template with limiting use of Authentication methods

This is a *very* nuanced statement, and Brian offers some good clarifications in the thread

But I would also say Conditional Access is the only way to meaningfully improve security when ideal scenarios cannot be applied across the board

The real issue with CA is weak policies🧵

https://twitter.com/arekfurt/status/1720781454110552454

First, it's important to note that CA (authorization) comes AFTER authentication

You want significant security improvements? Require phishing resistant authentication - period

Can't do that in all cases? CA is your best tool to gradually improve and handle exceptions well

I saw a guide on this a while back but can't find it anymore... :(

I don't have Windows 365 to test right now, but this is what *should* work and best of what I can remember from the thread/blog that I read some time last year...

Quick 🧵on Conditional Access filter for apps

https://twitter.com/neutroncore/status/1717093663078289677

Filter for apps was introduced late last year that allows us to leverage custom security attributes within Conditional Access policies

Very helpful for microservices architectures with constantly changing appIds, but also, apps not shown in the picker 💡

learn.microsoft.com/en-us/entra/id…

Looks like a good time for a thread on token theft :)

Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks

That doesn't mean it's useless, but it's becoming less useful

https://twitter.com/SantasaloJoosua/status/1710163010528981132

Ideally, we want to move to phishing resistant authentication

In this category, Entra ID supports FIDO2 Security keys, Hello for Business, and Certificate Based Authentication. Microsoft Authenticator and passkeys are coming soon.

Let's start with Hello for Business!

Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint? 💡

This might be helpful if someone started selling TLD's you'll never do business with ;)

Go to intune.microsoft.com under Endpoint security - Firewall, Reusable settings, click Add Reusable settings can be used in multiple firewall policies, and updates to these settings apply across all policies automatically

Let's give this a memorable name, then click Next

I have a more comprehensive blog article I'm working on, but a few folks have asked about examples, so until then!

This will be KQL heavy because it's what I have and use, but this thread will have examples for both process execution as well as network telemetry for FW rules :)

https://twitter.com/NathanMcNulty/status/1649480551777312769

// PowerShell execution (including renamed binaries) excluding SYSTEM, UPN per device
DeviceProcessEvents
| where InitiatingProcessAccountSid != @"S-1-5-18"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| summarize count()by InitiatingProcessAccountUpn,DeviceName

What are some of the first things you do when setting up Azure subscriptions?

Here's some of my favorites, and I'd love to hear from others too :)

First, I always start by setting up billing anomaly alerts (and budgets/budget alerts)

https://t.co/qS0ply93ZBlearn.microsoft.com/en-us/azure/co…
While I'm at it, I always double check to se who can transfer subscriptions in and out of my tenant

Attackers can transfer subscriptions to their own tenant but leave you with the billing, so you won't see resources until it's too late

Disable and exempt users only when needed

If you have secrets in PowerShell scripts, at the very least, log in with the account that will be running the script and do the following:

Get-Credential | Export-CliXml -Path $env:USERPROFILE\creds.xml

In your script:

$creds = Import-CliXml -Path $env:USERPROFILE\creds.xml

https://twitter.com/Lee_Holmes/status/1570866426436788225

What happens here is that Export-CliXml sees the credential object and uses DPAPI to encrypt the output

This is why you must run the command as the account that will run the script. It's also why this is Windows only.

For scripts run with a gMSA, use PSExec to run PS as gMSA