Nathan McNulty
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
Aug 8 6 tweets 2 min read
In this thread, I will provide Graph PowerShell commands to find synced users with admin privileges

Microsoft has been very vocal about not granting privileges to synced accounts for about 4 years now

Read this post by @Alex_T_Weinert:


Then check below techcommunity.microsoft.com/t5/microsoft-e…
For those with PIM, these two scopes will help us get what we need:

Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory','RoleEligibilitySchedule.Read.Directory'

If you don't use PIM, I believe you only need: RoleManagement.Read.Directory
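The thread above gives the scopes but not the query. The script below is an added example, not the commands from the original thread: it pulls every directory role grant from direct assignments plus PIM eligible and active schedules, resolves the principals, and keeps only users that are synced from on-premises AD. It assumes the Microsoft.Graph PowerShell SDK (Authentication, Identity.Governance and Users modules) and a reader who can consent to the listed scopes; the PIM calls are wrapped so tenants without P2 still get the direct assignments.

```powershell
# Added example (not from the original thread): synced users holding Entra directory roles,
# from direct assignments and from PIM eligible/active schedules.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                         'RoleAssignmentSchedule.Read.Directory',
                         'RoleEligibilitySchedule.Read.Directory',
                         'User.Read.All' -NoWelcome

# Role definition id -> display name, so the report is readable
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Collect (principalId, roleDefinitionId, source) from the three places a role can come from
$grants = [System.Collections.Generic.List[object]]::new()
Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    $grants.Add([pscustomobject]@{ PrincipalId = $_.PrincipalId; RoleId = $_.RoleDefinitionId; Source = 'Assignment' })
}
# PIM schedules need P2 and the two schedule scopes; keep going without them if they fail
try {
    Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ErrorAction Stop | ForEach-Object {
        $grants.Add([pscustomobject]@{ PrincipalId = $_.PrincipalId; RoleId = $_.RoleDefinitionId; Source = 'PIM eligible' })
    }
    Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ErrorAction Stop | ForEach-Object {
        $grants.Add([pscustomobject]@{ PrincipalId = $_.PrincipalId; RoleId = $_.RoleDefinitionId; Source = 'PIM active' })
    }
} catch { Write-Warning "PIM schedules not readable (no P2 or missing scope): $_" }

# Resolve each distinct principal once. Groups and service principals are not users and make
# Get-MgUser return 404; those are skipped here (group-based assignments need their members expanded).
$users = @{}
foreach ($id in ($grants.PrincipalId | Sort-Object -Unique)) {
    try {
        $users[$id] = Get-MgUser -UserId $id -Property Id,UserPrincipalName,OnPremisesSyncEnabled -ErrorAction Stop
    } catch { }
}

# OnPremisesSyncEnabled is $true for hybrid identities and $null/$false for cloud-only accounts
$grants |
    Where-Object { $users.ContainsKey($_.PrincipalId) -and $users[$_.PrincipalId].OnPremisesSyncEnabled -eq $true } |
    ForEach-Object {
        [pscustomobject]@{
            User   = $users[$_.PrincipalId].UserPrincipalName
            Role   = $roleNames[$_.RoleId]
            Source = $_.Source
        }
    } | Sort-Object User, Role | Format-Table -AutoSize
```

A permanent assignment shows up under both 'Assignment' and 'PIM active' in tenants with PIM; that duplication is deliberate so you can see which grants PIM is aware of. Anything that appears here is a synced identity with directory privileges, which is exactly what the linked post says not to have.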
Jul 31 5 tweets 2 min read
How non-privileged users can make themselves admin of your SaaS apps - a short story :)

Let's say your company uses Salesforce and has configured SAML for SSO with your Identity Provider

Salesforce's SAML implementation lets us pass identity and roles (permissions) on the token

So we create a security group named "Salesforce Admins" and add our admins to the group

Then we configure the claims rule in our Identity Provider to send the role value of System Administrator for members of a group with the display name of "Salesforce Admin" 🚩
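Two checks for the display-name claims rule in the story, as an added example that is not from the original thread: whether ordinary users are allowed to create security groups at all (if they are, anyone can create a look-alike group and add themselves), and whether more than one group already carries the name the rule matches. It assumes the Microsoft.Graph SDK; the rule name 'Salesforce Admin' is the one from the story.

```powershell
# Added example (not from the original thread): checks for role-by-group-display-name claims rules.
Connect-MgGraph -Scopes 'Group.Read.All','Policy.Read.All' -NoWelcome

# 1) Tenant-wide switch: can non-admins create security groups?
$perms = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
"Users can create security groups: $($perms.AllowedToCreateSecurityGroups)"

# 2) Display names are not unique in Entra ID, so look for every group the rule's name would match
$ruleName = 'Salesforce Admin'
$candidates = Get-MgGroup -All -Filter "startswith(displayName,'$ruleName')" `
                  -Property Id,DisplayName,SecurityEnabled,CreatedDateTime | Sort-Object CreatedDateTime
$candidates | Format-Table DisplayName, Id, SecurityEnabled, CreatedDateTime -AutoSize

$exact = @($candidates | Where-Object DisplayName -eq $ruleName)
if ($exact.Count -gt 1) {
    Write-Warning "More than one group is named '$ruleName'; a display-name rule cannot tell them apart"
}

# The durable fix: point the claims rule at the object id of the one intended group, which cannot be forged
$intended = $candidates | Where-Object DisplayName -eq 'Salesforce Admins' | Select-Object -First 1
"Use this object id in the claims rule instead of the name: $($intended.Id)"
```

The newest group with a matching name (last in the CreatedDateTime sort) is the one to look at first; a freshly created duplicate next to a long-standing admin group is the pattern the story describes.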
Jun 15 4 tweets 3 min read
The OP is about excluding networks from MFA requirements (I'm not a fan)

But I want to focus on why we should set up Named/Trusted Locations and use them in a CA policy

Primarily, this enables Continuous Access Evaluation and tunes Identity Protection

learn.microsoft.com/en-us/entra/id…

That doc is a long but valuable read, especially since CAE affects things you probably don't realize

To start, CAE aware tokens are only supported for Exchange, SharePoint, Teams, and Graph

While any 3rd party can integrate and use CAE, I am not aware of any vendor who did so
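Before relying on named locations for CAE and Identity Protection, it helps to see which locations exist, which are marked trusted, and which CA policies actually reference them. The script below is an added example, not part of the original thread; it assumes the Microsoft.Graph SDK and the Policy.Read.All scope.

```powershell
# Added example (not from the original thread): named locations, trust flag, and the CA policies using them.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$locations = Get-MgIdentityConditionalAccessNamedLocation -All
$policies  = Get-MgIdentityConditionalAccessPolicy -All

foreach ($loc in $locations) {
    # IP-based locations expose isTrusted and ipRanges through AdditionalProperties;
    # country/region locations have neither, so those fields come back empty for them
    $isTrusted = $loc.AdditionalProperties['isTrusted']
    $ranges    = ($loc.AdditionalProperties['ipRanges'] | ForEach-Object { $_['cidrAddress'] }) -join ', '

    $usedBy = $policies | Where-Object {
        $_.Conditions.Locations.IncludeLocations -contains $loc.Id -or
        $_.Conditions.Locations.ExcludeLocations -contains $loc.Id
    } | ForEach-Object { "$($_.DisplayName) [$($_.State)]" }

    [pscustomobject]@{
        Location = $loc.DisplayName
        Trusted  = [bool]$isTrusted
        Ranges   = $ranges
        UsedBy   = if ($usedBy) { $usedBy -join '; ' } else { '(none)' }
    }
}

# Policies that use the 'AllTrusted' keyword apply to every trusted location, not to a specific id
$policies | Where-Object { $_.Conditions.Locations.IncludeLocations -contains 'AllTrusted' -or
                           $_.Conditions.Locations.ExcludeLocations -contains 'AllTrusted' } |
    Select-Object DisplayName, State
```

A trusted location with no policy referencing it still matters, because the trusted flag feeds Identity Protection's risk scoring and CAE's location enforcement independently of the policies that list it by id.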
Jun 7 8 tweets 2 min read
Managing policies for Defender AV on Servers is a big pain point

We have like 6 ways to do it, and for many orgs, there is no single option that covers everything you want.. 😩

Join me on this thread where I'll discuss the options, limitations, and design considerations

Group Policy - well known, easy to evaluate against benchmarks

Downsides:

Must be bound to AD (Azure VMs, backup systems, etc. often are not)

Need line of sight to a DC (usually not an issue for servers)

No additional Tamper Protection like we get from Intune sources
May 22 5 tweets 2 min read
I'm so excited to see these new records available to everyone :)

But also, please make sure you enable all of the audit records that you want to collect

Below, you will see the default records as compared to everything you could collect, and this is just for Owner events..

🧵
First, if auditing isn't enabled, you aren't getting anything...

# Users w/o auditing
Get-Mailbox -Filter "AuditEnabled -eq 'False' -and RecipientTypeDetails -eq 'UserMailbox'"

To enable, add:

| ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true }
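Turning auditing on only gets you the default record set the thread warns about. The script below is an added example, not from the original thread: it enables auditing where it is off and widens the owner, delegate and admin action lists on every user mailbox, then reports anything that still does not match. It assumes the ExchangeOnlineManagement module; the action lists are the ones I would set and are an assumption on your side of licensing, so compare them with the Set-Mailbox reference for the actions your licence supports (for example MailItemsAccessed and Send need Audit (Premium)).

```powershell
# Added example (not from the original thread): enable auditing and widen the audited actions.
Connect-ExchangeOnline -ShowBanner:$false

# Assumption: these are the action sets to enforce; adjust to what the Set-Mailbox reference lists for your licence
$ownerActions    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update',
                   'UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules'
$delegateActions = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf',
                   'SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules'
$adminActions    = 'Copy','Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf',
                   'SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules'

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
foreach ($mbx in $mailboxes) {
    $params = @{
        Identity      = $mbx.PrimarySmtpAddress
        AuditOwner    = $ownerActions
        AuditDelegate = $delegateActions
        AuditAdmin    = $adminActions
    }
    if (-not $mbx.AuditEnabled) { $params.AuditEnabled = $true }   # only flip the switch where it is off
    Set-Mailbox @params
}

# Verify: mailboxes still disabled or still missing any of the owner actions we asked for
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled -or (Compare-Object $_.AuditOwner $ownerActions) } |
    Select-Object PrimarySmtpAddress, AuditEnabled, AuditOwner
```

Compare-Object returns nothing when the two lists match, so the final pipeline is empty on a clean tenant; any row it prints is a mailbox whose owner audit set is still narrower than intended.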
Apr 11 11 tweets 7 min read
And there it is - Passkey in Microsoft Authenticator!

If you'd like to set up Passkeys in Microsoft Authenticator, follow along. I'll provide a script to grab all existing AAGUIDs from your environment so we can configure this for testing without breaking existing keys :)
Before we begin, it's very important to call out that the Preview requires we set "Enforce attestation" to No, and for this reason, we NEED to restrict use to specific keys

In this case, we want to use the Allow option so that only those explicitly on the list can be registered
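The script below is an added example and not the one promised in the thread: it inventories the AAGUIDs of every FIDO2 key already registered in the tenant, then writes the FIDO2 authentication method configuration with attestation off and an Allow key restriction built from that inventory. It assumes the Microsoft.Graph SDK and the scopes listed; $authenticatorAaguids is a placeholder you fill from Microsoft's published AAGUIDs for the Authenticator passkey, since the values are not in the thread.

```powershell
# Added example (not the original thread's script): AAGUID inventory + FIDO2 allow-list configuration.
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All',
                         'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# One Graph call per user; slow on large tenants but it is the only way to see per-key AAGUIDs
$keys = foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    Get-MgUserAuthenticationFido2Method -UserId $user.Id -All | ForEach-Object {
        [pscustomobject]@{ User = $user.UserPrincipalName; Model = $_.Model; AaGuid = $_.AaGuid }
    }
}
$keys | Group-Object AaGuid |
    Select-Object Count, @{n='AaGuid';e={$_.Name}}, @{n='Model';e={$_.Group[0].Model}} | Format-Table -AutoSize

$existingAaguids      = @($keys.AaGuid | Sort-Object -Unique)
$authenticatorAaguids = @()   # placeholder/assumption: Authenticator passkey AAGUIDs from Microsoft's docs

$body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false   # required for the preview; this is why the allow-list matters
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'              # only the listed AAGUIDs can be registered
        aaGuids         = @($existingAaguids + $authenticatorAaguids)
    }
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'fido2' -BodyParameter $body

# Read back what was written
$cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'fido2'
$cfg.AdditionalProperties['keyRestrictions']
```

Keep the inventory output: if a key type shows up with zero registrations after the change, it was left off the list and those users will be unable to register new keys of that model.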
Mar 27 5 tweets 2 min read
You might need to check your Teams Admin Center.. 😩

It looks like the defaults for 3rd party apps changed so users can now add over 2300 apps to Teams without requiring approval

To change this, click Actions - Org-wide app settings, turn off 3rd party apps (more in next tweet)

After changing "Let users install and use available apps by default" to Off, we'll see Assignments change from Everyone to Not Assigned
Dec 6, 2023 6 tweets 3 min read
This is a great graphic, but hopefully after reading this thread, it will tell an incomplete story

Too many orgs provide directory wide permissions allowing admins to have control over all users and all supported admins

It doesn't have to be this way, Entra ID supports scoping

9 years ago (!), Microsoft released a feature called Administrative Units

These were kind of like OUs, but also kind of like groups because you could be in more than one

These were designed to scope permissions like helpdesk admin to a subset of users

learn.microsoft.com/en-us/entra/id…
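What a scoped assignment looks like end to end, as an added example that is not from the original thread: create an administrative unit, fill it with one department's users, assign Helpdesk Administrator to a helpdesk account scoped to that unit only, and list every assignment of the role so tenant-wide ones stand out. It assumes the Microsoft.Graph SDK; the department value 'Sales' and the helpdesk UPN are placeholders.

```powershell
# Added example (not from the original thread): scope Helpdesk Administrator with an administrative unit.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All','RoleManagement.ReadWrite.Directory','User.Read.All' -NoWelcome

$au = New-MgDirectoryAdministrativeUnit -DisplayName 'Sales users' -Description 'Scope for the Sales helpdesk'

# Members are added by reference; here every user whose department attribute is Sales (placeholder value)
Get-MgUser -All -Filter "department eq 'Sales'" -Property Id | ForEach-Object {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($_.Id)" }
}

# Look the role up by name rather than hard-coding its template id
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$helpdesk = Get-MgUser -UserId 'helpdesk.sales@contoso.com' -Property Id   # placeholder account

# DirectoryScopeId of '/' would be the whole tenant; the AU path limits the role to the unit's members
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $role.Id -PrincipalId $helpdesk.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"

# Verify: every holder of the role and the scope they hold it at
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    Select-Object PrincipalId, DirectoryScopeId
```

Any row in the final output whose DirectoryScopeId is '/' is the directory-wide grant the thread is arguing against; the scoped one shows the AU path instead.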
Nov 20, 2023 9 tweets 5 min read
Someone asked about recreating Security Defaults in Conditional Access so similar policies still apply but with more flexibility

This short thread is my best attempt based on the information available here:


Note: Entra ID P2 required for full replacement

learn.microsoft.com/en-us/microsof…

1) "Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP"

For this, we need to combine the "Require multifactor authentication for all users" template with limiting use of Authentication methods
Nov 4, 2023 5 tweets 2 min read
This is a *very* nuanced statement, and Brian offers some good clarifications in the thread

But I would also say Conditional Access is the only way to meaningfully improve security when ideal scenarios cannot be applied across the board

The real issue with CA is weak policies🧵

First, it's important to note that CA (authorization) comes AFTER authentication

You want significant security improvements? Require phishing resistant authentication - period

Can't do that in all cases? CA is your best tool to gradually improve and handle exceptions well
Oct 27, 2023 10 tweets 4 min read
I saw a guide on this a while back but can't find it anymore... :(

I don't have Windows 365 to test right now, but this is what *should* work and best of what I can remember from the thread/blog that I read some time last year...

Quick 🧵on Conditional Access filter for apps

Filter for apps was introduced late last year that allows us to leverage custom security attributes within Conditional Access policies

Very helpful for microservices architectures with constantly changing appIds, but also, apps not shown in the picker 💡

learn.microsoft.com/en-us/entra/id…
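The filter-for-apps flow from the thread, as an added example that is not from the original post: tag a service principal with a custom security attribute and create a CA policy whose application condition is an attribute rule rather than a list of appIds, so new or picker-hidden apps carrying the tag are covered automatically. It assumes the Microsoft.Graph SDK, that an attribute set named ConditionalAccess with a string attribute AppTier already exists, that the caller holds the Attribute Assignment Administrator role, and that the app name is a placeholder.

```powershell
# Added example (not from the original thread): custom security attribute + CA applicationFilter.
Connect-MgGraph -Scopes 'CustomSecAttributeAssignment.ReadWrite.All','Application.ReadWrite.All',
                         'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Tag the app. Assumption: attribute set 'ConditionalAccess' with string attribute 'AppTier' exists.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Payroll API'"   # placeholder app
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{
    customSecurityAttributes = @{
        ConditionalAccess = @{
            '@odata.type' = '#microsoft.graph.customSecurityAttributeValue'
            AppTier       = 'Tier0'
        }
    }
}

# Policy: no appIds listed at all; the rule selects every app whose attribute matches
$policy = @{
    displayName = 'CA010 - Tier0 apps require compliant device'
    state       = 'enabledForReportingButNotEnforced'   # report-only first, check sign-in logs, then enable
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{
            applicationFilter = @{
                mode = 'include'
                rule = 'CustomSecurityAttribute.ConditionalAccess_AppTier -eq "Tier0"'
            }
        }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the tag landed (the attribute shows under the set name)
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property customSecurityAttributes).CustomSecurityAttributes.AdditionalProperties
```

Because the policy never names an appId, a microservice that is re-registered under a new id stays in scope as long as whoever registers it applies the attribute; that is the workflow to lock down, since the attribute is now the control.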
Oct 6, 2023 9 tweets 3 min read
Looks like a good time for a thread on token theft :)

Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks

That doesn't mean it's useless, but it's becoming less useful

Ideally, we want to move to phishing resistant authentication

In this category, Entra ID supports FIDO2 Security keys, Hello for Business, and Certificate Based Authentication. Microsoft Authenticator and passkeys are coming soon.

Let's start with Hello for Business!
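This added example serves two threads above, the Security Defaults replacement one (a tenant-wide MFA policy) and this one (phishing-resistant authentication for the accounts that matter most); it is not code from either thread. It creates both policies in report-only mode with a break-glass group excluded, using the built-in phishing-resistant authentication strength looked up by name and the role list derived from the IsPrivileged flag on role definitions. It assumes the Microsoft.Graph SDK, P1 licensing for Conditional Access, and that $breakGlassGroupId is replaced with your own group's object id.

```powershell
# Added example (not from either thread): MFA for all users + phishing-resistant MFA for privileged roles.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','RoleManagement.Read.Directory' -NoWelcome
$breakGlassGroupId = '<object id of your break-glass group>'   # placeholder, exclude it from every policy

# 1) Security Defaults equivalent: MFA for everyone, report-only so sign-in logs show impact before enforcing
$mfaAll = @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaAll

# 2) Admins: require the built-in 'Phishing-resistant MFA' strength (FIDO2, WHfB, CBA) instead of plain MFA
$strength = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
# includeRoles takes role template ids; IsPrivileged marks the roles Microsoft considers privileged
$adminRoleIds = @(Get-MgRoleManagementDirectoryRoleDefinition -All | Where-Object IsPrivileged | ForEach-Object TemplateId)

$phrAdmins = @{
    displayName = 'CA002 - Phishing-resistant MFA for privileged roles'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $adminRoleIds; excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $phrAdmins

# Verify both landed and are still report-only
Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -like 'CA00*' | Select-Object DisplayName, State
```

Flip each policy's state to 'enabled' only after the report-only results show the break-glass exclusion and the admins' registered methods behave as expected; the second policy will lock out any admin who still only has push or OTP registered.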
May 14, 2023 7 tweets 3 min read
Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint? 💡

This might be helpful if someone started selling TLD's you'll never do business with ;)

Go to intune.microsoft.com under Endpoint security - Firewall, Reusable settings, click Add

Reusable settings can be used in multiple firewall policies, and updates to these settings apply across all policies automatically

Let's give this a memorable name, then click Next
Apr 25, 2023 7 tweets 3 min read
I have a more comprehensive blog article I'm working on, but a few folks have asked about examples, so until then!

This will be KQL heavy because it's what I have and use, but this thread will have examples for both process execution as well as network telemetry for FW rules :)

// PowerShell execution (including renamed binaries) excluding SYSTEM, UPN per device
DeviceProcessEvents
| where InitiatingProcessAccountSid != @"S-1-5-18"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| summarize count() by InitiatingProcessAccountUpn, DeviceName
Feb 26, 2023 8 tweets 5 min read
What are some of the first things you do when setting up Azure subscriptions?

Here's some of my favorites, and I'd love to hear from others too :)

First, I always start by setting up billing anomaly alerts (and budgets/budget alerts)

learn.microsoft.com/en-us/azure/co…

While I'm at it, I always double check to see who can transfer subscriptions in and out of my tenant

Attackers can transfer subscriptions to their own tenant but leave you with the billing, so you won't see resources until it's too late

Disable and exempt users only when needed
Sep 16, 2022 4 tweets 2 min read
If you have secrets in PowerShell scripts, at the very least, log in with the account that will be running the script and do the following:

Get-Credential | Export-CliXml -Path $env:USERPROFILE\creds.xml

In your script:

$creds = Import-CliXml -Path $env:USERPROFILE\creds.xml

What happens here is that Export-CliXml sees the credential object and uses DPAPI to encrypt the output

This is why you must run the command as the account that will run the script. It's also why this is Windows only.

For scripts run with a gMSA, use PSExec to run PS as gMSA
Aug 13, 2022 5 tweets 2 min read
You can easily block these attacks by enforcing Code Integrity Guard for teams.exe and onedrive.exe using Defender Exploit Protection

This mitigation won't work for everyone, especially if you rely on 3rd party plugins, but you should at least put it in audit mode

Here's how :)

First, open Windows Security, go under App & browser control, then click Exploit protection settings

Now click Program settings in the top right, then click Add program to customize, and click Add program to customize

Add an entry for teams.exe and onedrive.exe and enable CIG
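The same Exploit Protection setting applied from an elevated PowerShell, as an added example that is not from the original thread: audit first, read what audit mode logged, then enforce Code Integrity Guard (Microsoft-signed-only image loads) for the two processes, and export the configuration so it can be pushed through Intune or Group Policy. It assumes the built-in ProcessMitigations module on Windows 10/11 and that the mitigation audit events land in the Microsoft-Windows-Security-Mitigations/UserMode channel.

```powershell
# Added example (not from the original thread): CIG for teams.exe and onedrive.exe via Set-ProcessMitigation.
$targets = 'teams.exe', 'onedrive.exe'

# Audit only: loads of non-Microsoft-signed images are logged, not blocked
foreach ($exe in $targets) { Set-ProcessMitigation -Name $exe -Enable AuditMicrosoftSigned }

# After a few days of normal use, see what would have been blocked (plugins, injected DLLs, ...)
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match ($targets -join '|') } |
    Select-Object TimeCreated, Id, Message -First 20

# Enforce: swap audit for block
foreach ($exe in $targets) {
    Set-ProcessMitigation -Name $exe -Disable AuditMicrosoftSigned -Enable MicrosoftSignedOnly
}

# Verify the per-process state, then export everything for deployment to other machines
foreach ($exe in $targets) { Get-ProcessMitigation -Name $exe }
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\ExploitProtection.xml"
```

The exported XML is what the Intune Exploit Protection profile and the "Use a common set of exploit protection settings" GPO consume, so the audit-then-enforce cycle only has to be run on a pilot machine.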
Aug 12, 2022 5 tweets 2 min read
You can also use Windows Firewall to block outbound connections to non-private IP ranges from processes like rundll32 or PowerShell

If you have an EDR/SIEM, go hunting and see if you find anything. If you find legit use cases, add them as an exception with the private ranges ;)

You might think this is pointless since an attacker can just disable the local firewall or modify the rules

There's actually a feature for both Defender exclusions and Firewall rules called Disable local admin merge

It does exactly what it sounds like
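The rule set described above, as an added example that is not from the original thread: outbound block rules for rundll32 and both PowerShell hosts whose remote address list is every range outside RFC 1918 and loopback. Windows Firewall evaluates block rules before allow rules, so the private-range exception has to be expressed inside the block rule's address list rather than as a separate allow rule. It assumes the NetSecurity module on a supported Windows build and an elevated session; the program paths are the defaults.

```powershell
# Added example (not from the original thread): block public egress for common LOLBins, keep private ranges open.
$programs = @{
    'rundll32'       = "$env:SystemRoot\System32\rundll32.exe"
    'PowerShell'     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'PowerShell x86' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
}

# Everything except 10/8, 127/8, 169.254/16, 172.16/12 and 192.168/16 (multicast and above are omitted too)
$publicRanges = '1.0.0.0-9.255.255.255',
                '11.0.0.0-126.255.255.255',
                '128.0.0.0-169.253.255.255',
                '169.255.0.0-172.15.255.255',
                '172.32.0.0-192.167.255.255',
                '192.169.0.0-223.255.255.255'

foreach ($entry in $programs.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "Block public egress - $($entry.Key)" -Group 'LOLBin egress' `
        -Direction Outbound -Action Block -Program $entry.Value -RemoteAddress $publicRanges -Profile Any | Out-Null
}

# Log dropped packets so the hunt for legitimate use cases has local data even without an EDR
Set-NetFirewallProfile -All -LogBlocked True -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Verify which programs the new rules bind to
Get-NetFirewallRule -Group 'LOLBin egress' | Get-NetFirewallApplicationFilter | Select-Object Program
```

When the rules are delivered by Group Policy or Intune rather than created locally, the counterpart of the thread's "Disable local admin merge" is the profile-level AllowLocalFirewallRules setting turned off in that policy store, which makes a local admin's added or edited rules ignored.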

Apr 21, 2022 13 tweets 10 min read
I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before, then this thread is for you

You will need an Azure subscription, but the first 500 minutes/month are free!

Here's an example of how to automate Azure AD device cleanup :)

First, we're going to log into the Azure portal: portal.azure.com

Search for Automation and click on Automation Accounts

Then we'll click Create, pick the sub and resource group (or create one), give it a descriptive name, select a location, and hit Review + Create
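A runbook body for the device cleanup the thread is building toward, as an added example that is not the thread's own script: it disables Entra devices with no sign-in activity for the configured number of days and deletes devices that have been disabled and silent for a further 30, skipping hybrid-joined devices whose source of truth is on-premises AD. It assumes the Automation account's system-assigned managed identity holds Device.ReadWrite.All and that the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules are imported into the account.

```powershell
# Added example (not the original thread's script): Azure Automation runbook for stale Entra device cleanup.
param(
    [int]$StaleDays = 90,
    [switch]$WhatIf        # pass -WhatIf on the first runs to get the report without changes
)
Connect-MgGraph -Identity -NoWelcome   # managed identity of the Automation account

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$devices = Get-MgDevice -All -Property Id,DisplayName,AccountEnabled,ApproximateLastSignInDateTime,OperatingSystem,TrustType

foreach ($d in $devices) {
    # Hybrid-joined objects are written by Entra Connect; clean those up in AD, not here
    if ($d.TrustType -eq 'ServerAd') { continue }

    # Devices that have never signed in report $null; they are skipped so new enrollments are not swept up
    $lastSeen = $d.ApproximateLastSignInDateTime
    if ($null -eq $lastSeen -or $lastSeen -gt $cutoff) { continue }

    if ($d.AccountEnabled) {
        Write-Output "Disabling $($d.DisplayName) ($($d.OperatingSystem)), last seen $lastSeen"
        if (-not $WhatIf) { Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false }
    }
    elseif ($lastSeen -lt $cutoff.AddDays(-30)) {
        Write-Output "Deleting $($d.DisplayName), disabled and last seen $lastSeen"
        if (-not $WhatIf) { Remove-MgDevice -DeviceId $d.Id }
    }
}
```

Disable before delete keeps the BitLocker keys and device record recoverable for a month in case the device was simply offline; schedule the runbook weekly and keep the -WhatIf output in the job history as the audit trail.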
Nov 10, 2021 9 tweets 3 min read
Lots of good patches today. Doing a quick thread on them as some of these have Event IDs that should be collected.

Domain controller impersonation using sAMAccountName spoofing

After applying KB5008102, collect System Log Event IDs 16990-16991 on DC's

support.microsoft.com/en-us/topic/kb…

To discover non-compliant sAMAccountName:

Get-ADComputer -LDAPFilter "(samAccountName=*)" | ? SamAccountName -NotLike "*$" | select DNSHostName, Name, SamAccountName

Non-compliant UserAccountControl:
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=512)"
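The two discovery checks combined with collection of the new audit events, as an added example that is not from the original thread. It assumes the ActiveDirectory module and a domain controller that has KB5008102 applied; the 512 versus 4096 distinction is the NORMAL_ACCOUNT versus WORKSTATION_TRUST_ACCOUNT userAccountControl flag.

```powershell
# Added example (not from the original thread): sAMAccountName / UAC hygiene checks plus the new DC events.

# 1) Computer objects whose sAMAccountName lacks the trailing '$' that the spoofing attack abuses
$badNames = @(Get-ADComputer -Filter * -Properties SamAccountName, userAccountControl |
              Where-Object { $_.SamAccountName -notlike '*$' })

# 2) Computer objects carrying NORMAL_ACCOUNT (512) instead of WORKSTATION_TRUST_ACCOUNT (4096)
$badUac = @(Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=512)' -Properties userAccountControl)

$badNames + $badUac |
    Select-Object Name, DNSHostName, SamAccountName, userAccountControl -Unique |
    Format-Table -AutoSize

# 3) After the patch, DCs write 16990/16991 to the System log when sAMAccountName validation fires
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16990, 16991; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message
```

Run the first two sections against every domain, since a forged name only needs to exist in one; forward the System log events from all DCs to the SIEM rather than querying each one by hand.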
Nov 2, 2021 4 tweets 2 min read
So you don't enforce MFA on all Azure admin roles? Not really sure where to start?

Looks like Microsoft has added a nice doc (and script in the doc) to help discover and assess your privileged users so you can minimize potential impacts ;)

docs.microsoft.com/en-us/azure/ac…

I think it's great they are pushing more and more content to make the message clear - all admins should be covered by strong authentication / conditional access policies

I am really curious about this though.. Anyone know what this refers to?