Merill Fernando
Product Manager @microsoft | Tweets my own Built → https://t.co/ujxKqxXjf2 • https://t.co/f6DBmys63Y • Graph X-Ray • https://t.co/tSWrIw8Ajh Sign up to my weekly newsletter → https://t.co/tPzAEl0Zuq
Feb 28 5 tweets 3 min read
The ability to block Device Code Flow just became available in Microsoft Entra ID Conditional Access.

Here's a quick walkthrough of how attackers use device code flow to get access to your tenant and what you can do to protect yourself.

Attn M365 admins & security teams: Create this CA policy NOW and protect your users from Device Code Flow phishing & social engineering attacks!

❇️ Why does device code flow exist?

Device code flow is required when signing into devices that might lack local input, e.g. meeting room devices, or scenarios like shared devices.

Unfortunately, attackers frequently use this mechanism to target your users. The new Conditional Access feature, Authentication Flows, lets you target Device Code Flow + Authentication Transfer and BLOCK them from your tenant.
Feb 8 4 tweets 2 min read
So your Microsoft 365 tenant has been compromised by a malicious app!

Here's a step-by-step guide to block access to the app and remove it from your tenant. Bookmark this!

1️⃣ Go to Microsoft Entra → Enterprise Apps
2️⃣ Select the compromised app
3️⃣ Permissions → Review Permissions
4️⃣ Select 'This app is malicious and I'm compromised'
Oct 24, 2023 9 tweets 3 min read
Windows LAPS just went GA today!

Here's a refresher and quick walkthrough on what it is and how you can start using it.

🧵⬇️

What is Windows LAPS with Microsoft Entra ID and why is everyone so excited about today's GA announcement?

2/8 Local Administrator Password Solution

Every Windows device comes with a built-in local administrator account that you must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. LAPS is a Windows feature that automatically manages and backs up the password of the local admin account.
Oct 23, 2023 18 tweets 6 min read
What are HAR files?
A HAR file is a recording of your current session & includes all web traffic including secrets & tokens.

Admins usually share these files with customer support when troubleshooting issues.

Here's a thread on how you can handle .har files safely.

🧵⬇️
Exporting HAR files
There are a few ways to record your session to create HAR files. You might need to use different tools depending on what you are recording.

→ Browser
Every modern browser lets you export an HAR file of the current tab's session from the Network tab.
Aug 8, 2023 4 tweets 2 min read
It's 2023 and your IT team is still forcing the entire company to change their passwords every few months 🤦

PS. I work at Microsoft, and we stopped doing this nearly four years ago.

Send the link below to your IT team 👇

The recommendation now is to only force a user to change their password if a compromise has been detected.

If your org is using Microsoft 365, you can set it up to force a password change when a user's password is compromised.

If you are not licensed… https://t.co/Ipo25zfUa9 zdnet.com/article/micros…
Aug 3, 2023 5 tweets 2 min read
🎯 Tip for Microsoft 365, Microsoft Entra and infosec admins

As promised here is a quick breakdown of one way you can set up a process to either force users to change passwords or force an MFA prompt.

🔵 Need to reset user passwords after a compromise? Set up this process for one-off and bulk resets of user passwords or to force a prompt for MFA.

Step 1: Create Risky User CA Policy
Step 2: Mark user as High Risk → User prompted to change password

Start by creating a CA policy.

You can either scope it to all users or use a custom group to isolate this from your other risk-based CA policies.

For detailed steps see https://t.co/XII9cpMg2K learn.microsoft.com/en-us/azure/ac…
Jul 7, 2023 6 tweets 3 min read
Here's a quick one pager on authentication methods for all you admins!

Huge call out to the PMs building this feature 👉 @Luc_MSFT who came up with the neat idea for this illustration along with @juliapettere!

1/6 #1 Auth methods allowed for user

These three policies define the authentication options your users are allowed to register when they visit the Security info page.

→ SSPR policy
→ Authentication methods policy
→ Legacy MFA policy

Jun 15, 2023 10 tweets 4 min read
📌 Microsoft 365 and Azure AD admins!

This one is for you in case you missed the Message Center announcement.

🧵⬇️

Today users can choose their default sign-in method from aka.ms/mySecurityInfo
May 18, 2023 7 tweets 3 min read
The Australian government's Cyber Security Centre publishes an MFA maturity level, which government agencies are audited against.

This is a fantastic way to assess your own org's MFA maturity and relevant to everyone as they are based on NIST with a few variations.

⬇️

Most enterprises I work with are putting together a roadmap to get to the highest maturity level over the next few years.

Where is your org in this maturity level?

❓Do you allow SMS and Voice as MFA options?
👉 Then you are at Maturity Level 1.
Apr 13, 2023 6 tweets 3 min read
ICYMI we shared our quarterly update of Entra change announcements last week.

Here is a quick summary. 👇

I have highlighted the delta of new changes.

The first one is Microsoft Authenticator App Number matching. Switching from push notifications to number match as the default was scheduled for last month.

The change is now extended to May 8.

If you can, turn it on now. Don't wait.

learn.microsoft.com/en-au/azure/ac…
Mar 3, 2023 4 tweets 2 min read
A quick tip on setting up Graph PowerShell for least privilege access.

Create custom apps with the steps below and limit the users and permissions assigned to each app.

Your teams can then connect using their custom app. This helps reduce permission consent sprawl.

When your users connect, they will need to pass in the ClientId to use the custom app.

To learn more on how to set this up see merill.net/2023/03/azure-…
Mar 1, 2023 4 tweets 2 min read
Folks, today we are launching the 'App instance lock 🔐' public preview.

This feature will block the tampering of multi-tenant apps by attackers.

learn.microsoft.com/azure/active-d…

Remember Solorigate? This helps ISVs and customers protect themselves from the app hijack.

How? 🧵👇

With Solorigate, attackers impersonated a cloud IDP and then hid in the cloud by creating credentials against multi-tenant apps.

App devs can now lock sensitive properties such as key creds and password creds and prevent malicious attempts to add creds on their Service principals.
Feb 24, 2023 8 tweets 4 min read
Question: What's better than peanut butter and jelly for an Azure AD admin?

Answer: Our newly launched feature that adds conditional access policy support to Azure AD PIM.

Folks, this is a marriage made in heaven. Read on for a quick walkthrough. 🧵👇🏾

Let's say you want to start requiring a FIDO2 security key MFA whenever someone wants to activate the Global Administrator role.

The first step is to head to the authentication context blade in conditional access (adca.cmd.ms) and create a new auth context.
Feb 22, 2023 4 tweets 2 min read
Here's a tip for Android users. Did you know that you can read and send text (SMS) messages from ANY Mac, PC or iPad by simply browsing to messages.google.com/web/

Bonus tip: you can install the Messages for Web app on your desktop and pin it to your start menu (Windows) or the dock (Mac); heck, you can even add it to your home screen on your iPhone and iPad 🚀
Jan 31, 2023 20 tweets 10 min read
Do you work with Microsoft Graph, Graph Explorer and Graph PowerShell?

I shared some of my productivity tips at the last Microsoft Identity Platform Community Call. The recording is on YouTube.

Read on below for a quick summary 🧵👇🏾

Tip #1: Get your own free M365 tenant!
✅ Includes 25 E5 licenses
✅ Fully loaded sample data
✅ Tenant automatically renews every 90 days

These tenants never expire. My oldest tenant was created more than 5 years ago.

developer.microsoft.com/en-us/microsof…
Nov 14, 2022 10 tweets 6 min read
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's a short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇

This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some, like phone number and email, are very weak compared to others.

I shared more about this in a previous thread.
Oct 31, 2022 14 tweets 4 min read
Why is MFA over SMS/Voice not considered safe vs other MFA methods like TOTP & Authenticator apps?

I'll break down a blog post by Microsoft's VP of Identity Security @Alex_T_Weinert on why he considers SMS to be the least secure of MFA methods.

👇

Not all MFA authentication methods are equal. Some are stronger than others.

SMS and voice-based MFA mechanisms are based on public switched telephone networks (PSTN).

💡 Before we begin, a quick reminder that any MFA is better than no MFA.
Oct 26, 2022 6 tweets 4 min read
Are you tired of clicking around in Microsoft portals to get to a blade?

Introducing cmd.ms your Microsoft cloud command line for the browser!

Use the power of your keyboard and your memory to get to your favourite Microsoft portal or blade in seconds.

Try it out. Open a new tab and type {command}.cmd.ms using any of the available commands (see the full list at cmd.ms).

For those who like autocomplete from the address bar you can get the browser extensions from cmd.ms/docs/tips
Oct 26, 2022 5 tweets 3 min read
Public Preview: Conditional Access filters for apps ift.tt/Hk3WQaY

This is an exciting feature! You no longer need to keep updating your CA policy to add new apps.

Instead you can tag each app. e.g.

Sensitivity = Business Critical / Medium / Low

Then create a CA policy for each sensitivity level (e.g. Business Critical = Require security key).
Oct 25, 2022 6 tweets 2 min read
Advanced Microsoft Authenticator security features are now generally available! techcommunity.microsoft.com/t5/microsoft-e…

If your org was prevented from enabling public preview features, that goes away today.

Number matching is GA today!
Oct 24, 2022 4 tweets 2 min read
Did you know that CA policies now provide granular control over the types of external users you want to apply the policy to?

External users are categorized based on how they authenticate (internally or externally) and their relationship to your org (guest or member).

The 'B2B direct connect' checkbox now lets you target Teams Connect shared channel users even though these users don't exist in your tenant.

To learn more about what each checkbox means see learn.microsoft.com/en-us/azure/ac…