Agent ID is going to be a big part of your life if you are an IAM admin, cybersec, architect, or enterprise ai/agent dev.

There is a lot new to learn and understand. We'll be sharing more in this area over the coming months.

Tip for those attending Experts Live Denmark in Feb next year, sign up for the Identity masterclass.

We will be covering Agent ID

eldk26.expertslive.dk

https://x.com/merill/status/1991753664499982661?s=20

Get ready, folks. 🌟

You’re about to witness ONE. BIG. BEAUTIFUL. ABSURDLY. EPIC. THREAD. 🧵🔥

Some say this might be the MOST EPIC and MOST RIDICULOUSLY LONG identity thread ever written

📗 Bookmark this

Honestly… the cover image alone deserves a like + retweet

DO IT 😂 Who doesn't like Free!

If you have E5 and the required number of users you can now start running the Conditional Access Optimization Agent which only consumes one SCU per day (you can even run it weekly if you want)

Want a deep dive into the agents?

Queue up these podcast episodes I recorded with the Microsoft PMs for these agents

🎧 Conditional Access Optimization Agent → entra.news/p/jordans-visi…

🎧 Access Review Agent → entra.news/p/ai-is-coming…

This doesn't happen everyday folks!!

Entra ID application management policies no longer require a Workload ID Premium license! 👏🎁🍾🥳🎊

This change happened back in October last year and I somehow missed it.

Here's a complete walkthrough 🧵👇

✳️ Bookmark this. Threat actors love apps.

They can find long lived app secrets in text files on servers, code repos and even email archives.

Microsoft just published their SFI progress report. Here's the TLDR; version.

There is a lot that CISOs, M365/Entra admins and cybersecurity teams can learn from what Microsoft is doing and apply to their own organizations.

🧵👇 How far along is your org in this journey?

The ability to block Device Code Flow just became available in Microsoft Entra ID Conditional Access.

Here's a quick walkthrough of how attackers use device code flow to get access to your tenant and what you can do to protect yourself. ❇️ Why does device code flow exist?

Device code flow is required when signing into devices that might lack local input for eg meeting room devices or scenarios like shared devices.

Unfortunately, attackers frequently use this mechanism to target your users.

So your Microsoft 365 tenant has been compromised by a malicious app!

Here's a step by step guide to block access to the app and remove it from your tenant -Bkmk this!

1️⃣ Go to Microsoft Entra → Enterprise Apps
2️⃣ Select the compromised app
3️⃣ Permissions → Review Permissions Select 'This app is malicious and I'm compromised'

Windows LAPS just went GA today!

Here's a refresher and quick walkthrough on what it is and how you can start using it.

🧵⬇️ 2/8

What are HAR files?
A HAR file is a recording of your current session & includes all web traffic including secrets & tokens.

Admins usually share these files with customer support when troubleshooting issues.

Here's a thread on how you can handle .har files safely.

🧵⬇️
Exporting HAR files
There are a few ways to record your session to create HAR files. You might need to use different tools depending on what you are recording.

→ Browser
Every modern browser lets you export an HAR file of the current tab's session from the Network tab.

It's 2023 and your IT team is still forcing the entire company to change their passwords every few months 🤦

PS. I work at Microsoft, and we stopped doing this nearly four years ago.

Send the link below to your IT team 👇 💠

The recommendation now is to only force a user to change their password if a compromise has been detected.

If your org is using Microsoft 365, you can set it up to force a password change when a user's password is compromised.

If you are not licensed… https://t.co/Ipo25zfUa9zdnet.com/article/micros…
twitter.com/i/web/status/1…

🎯 Tip for Microsoft 365, Microsoft Entra and infosec admins

As promised here is a quick breakdown of one way you can set up a process to either force users to change passwords or force an MFA prompt.

🔵 Start by creating a CA policy.

You can either scope it to all users or use a custom group to isolate this from your other risk-based CA policies.

For detailed steps see https://t.co/XII9cpMg2Klearn.microsoft.com/en-us/azure/ac…

Here's a quick one pager on authentication methods for all you admins!

Huge call out to the PMs building this feature 👉 @Luc_MSFT who came up with the neat idea for this illustration along with @juliapettere!

1/6 #1 Auth methods allowed for user

These three policies define the authentication options your users are allowed to register when they visit the Security info page.

→ SSPR policy
→ Authentication methods policy
→ Legacy MFA policy

2/6 https://t.co/3CNA6Nf6H2twitter.com/i/web/status/1…

📌 Microsoft 365 and Azure AD admins!

This one is for you in case you missed the Message Center announcement.

🧵⬇️ Today users can choose their default sign-in method
from aka.ms/mySecurityInfo

The Australia government's Cyber Security Centre publishes an MFA maturity level, which government agencies are audited against.

This is a fantastic way to assess your own org's MFA maturity and relevant to everyone as they are based on NIST with a few variations.

⬇️ Most enterprises I work with are putting together a roadmap to get to the highest maturity level over the next few years.

Where is your org in this maturity level?

❓Do you allow SMS and Voice as MFA options?
👉 Then you are at Maturity Level 1.

ICYMI we shared our quarterly update of Entra change announcements last week.

Here is a quick summary. 👇

I have highlighted the delta of new changes. The first one is Microsoft Authenticator App Number matching. Switching from push notifications to number match as the default was scheduled for last month.

The change is now extended to May 8.

If you can turn it on now. Don't wait.

learn.microsoft.com/en-au/azure/ac…

A quick tip on setting up Graph PowerShell for least privilege access.

Create custom apps with the steps below and limit the users and permissions assigned to each app.

Your teams can then connect using their custom app. This helps reduce permission consent sprawl. When your users connect, they will need to pass in the ClientId to use the custom app.

To learn more on how to set this up see merill.net/2023/03/azure-…

Folks, today we are launching the 'App instance lock 🔐' public preview.

This feature will block the tampering of multi tenant apps by attackers.

learn.microsoft.com/azure/active-d…

Remember Solorigate? This helps ISVs and customers protect themselves from the app hijack.

How?🧵👇 With Solorigate attackers impersonated a cloud IDP and then hid in the cloud by creating credentials against multi-tenant apps.

App devs can now lock sensitive properties such as key creds, password creds and prevent malicious attempts to add creds on their Service principals.

Question: What's better than peanut butter and jelly for an Azure AD admin?

Answer: Our newly launched feature that adds conditional access policy support to Azure AD PIM.

Folks, this is a marriage made in heaven. Read on for a quick walkthrough. 🧵👇🏾 Let's say you want to start requiring a FIDO2 security key MFA whenever someone wants to activate the Global Administrator role.

The first step is to head to the authentication context blade in conditional access (adca.cmd.ms) and create a new auth context.

Here's a tip for Android users. Did you know that you can read and send text (SMS) messages from ANY Mac, PC or iPad by simply browsing to messages.google.com/web/ Bonus tip, you can install the Messages for Web app on your desktop and pin it to your start menu (Windows) or the dock (mac), heck you can even add it to your home screen on your iPhone and iPad 🚀

Do you work with Microsoft Graph, Graph Explorer and Graph PowerShell?

I shared some of my productivity tips at the last Microsoft Identity Platform Community Call. The recording is on YouTube.

Read on below for a quick summary 🧵👇🏾 Tip #1: Get your own free M365 tenant!
✅ Includes 25 E5 licenses
✅ Fully loaded sample data
✅ Tenant automatically renews every 90 days

These tenants never expire. My oldest tenant was created more than 5 years ago.

developer.microsoft.com/en-us/microsof…

Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's are short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇 This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some like Phone number and email are very weak compared to others.

I shared more about this in a previous thread

https://twitter.com/merill/status/1587216547894157312?s=20&t=AzbQLyqFTz9565eociL2nA

Why is MFA over SMS/Voice not considered safe vs other MFA methods like TOTP & Authenticator apps?

I'll break down a blog post by Microsoft's VP of Identity Security @Alex_T_Weinert on why he considers SMS to be the least secure of MFA methods.

👇 Not all MFA authentication methods are equal. Some are stronger than others.

SMS and voice based MFA mechanisms are based on publicly switched telephone networks (PSTN).

💡Before we begin a quick reminder that any MFA is better than no MFA.