Recent Discussions
User + Server exclusions
Following a recent deployment of Advanced Threat Analytics (ATA) my client is getting "Remote execution attempt detected" alerts for their Veeam backup service account against several servers. This is a known service account and they would like to exclude the alert for this activity for just this user account. However ATA only provides an option to exclude the server. Do we know if providing the ability to exclude both a specfic user and server is on the ATA roadmap?
Block Anonymous Access to Teams without GSA
Documentation states that anonymous access to Teams and Sharepoint can be blocked on the data plane with TrV2 through GSA. Testing TrV2 with a browser extension (Modheader) to inject the TrV2 header I found that injecting this header also to "data plane", ie Teams.microsoft.com does block anonymous access to Teams. I am wondering if this method could be safely used to block anonymous access to specific M365 service until a potential move to GSA
Get Custom Details from Sentinel
How do I go about getting the custom details set using https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts using REST API? I need to do this outside of logic app and using REST API. The incidents API endpoint doesn’t provide this detail and I couldn’t find any API endpoint listed in https://learn.microsoft.com/en-us/rest/api/securityinsights/operation-groups?view=rest-securityinsights-2024-01-01-preview that would allow me get to get the custom details with the values. Is there a sentinel or a graph API endpoint that’ll allow for me to get this information?
Global Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on administrator role in Azure you can end up in the situation where it is no longer possible to recover your tenant. If your only account on that tenant is with Global Administrator role and you accidentally loose your MFA, the only way is to call Microsoft support. Support on the phone is automated where any question regarding Azure is redirected to visit Azure portal. If your only user cannot login then Azure portal is not accessible.
File Plan/Retention Labels cannot be deleted OR found in content explorer
When we try to delete a Purview Records Management > File Plan label (or Data Lifecycle Management > Retention label), we get the following error: "You can't delete this record label because it's currently applied to items in your organization. You can use content explorer to determine which items have this label applied." (see attached image). When we go to content explorer to find the label (in this example, Bank Reconciliations), it doesn't appear to exist (see attached image). We also reviewed our Label policies and Retention policies, and the given labels are not associated with any policy that we can see. So, in result, we cannot clean up File Plan labels since we can't find and remove the association between them and policies / items. Has anyone encountered this error when deleting file plan retention labels, but then unable to find anything the label is associated with?Get $25 USD for reviewing a Microsoft Security product on Gartner Peer Insights in 2025
Turn your expertise into impact—and $25—by sharing your review of Microsoft Security products on Gartner Peer Insights. Your feedback helps other decision-makers confidently choose the right solutions and provides valuable input to improve products and services. Select a product to review: Security Copilot Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Purview Microsoft Sentinel Here’s all you need to do: To submit a product review, log in to your Gartner Peer Insights account or create a free account in seconds. Once you have completed your review, Gartner Peer Insights will prompt you to choose a gift card option. Gift cards are valued at $25 USD and are available in multiple currencies worldwide. As soon as your review is approved, the gift card will be sent to you digitally via email What makes a successful review? Choose a Product You Know Well: Pick a product you’ve used extensively to provide detailed feedback. Share Your Experience: Describe your specific user experience with the product and any outcomes you realized. Highlight Features: Note any features and capabilities that made an impact. Terms & Conditions: Only Microsoft customers are eligible; partners and MVPs are not. Offer valid for reviews on Gartner Peer Insights as linked on this page. Non-deliverable gifts will not be re-sent. Microsoft may cancel, change, or suspend the offer at any time without notice. Non-transferable and cannot be combined with other offers. Offer runs through June 30, 2025, or while supplies last. Not redeemable for cash. Taxes are the recipient's responsibility. Not applicable to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China. Please see the below for more information Microsoft Privacy Statement Gartner’s Community Guidelines & Gartner Peer Insights Review GuideBlocking TCP 3389 - issues?
There is a strong push here to block RDP over part of our network. MSDI uses 3389 for name resolution. What order does MSDI use the three available methods for name resolution - TCP 135 (NTLM), UDP 137 (NetBIOS) and TCP 3389 (RDP)? We are currently seeing a lot of 3389 network traffic from the MSDI sensors to clients. TIA.Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior? The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. App event Application: Microsoft.Tri.Sensor.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult) at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) Exception Info: System.IO.IOException at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>) at System.Net.LazyAsyncResult.Complete(IntPtr) at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object) at System.Net.ContextAwareResult.Complete(IntPtr) at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr) at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)Attack Simulation - Copy to SOC Mailbox
Hello Community! Currently we are using Knowbe4 to simulate phishing campaigns. We are evaluating the Microsoft E5 Attack simulation. One problem that I cannot figure out with the MSFT version is as follows: I have the SOC mailbox setup to send phishing emails to a shared mailbox for triage (I have it setup to not forward to Microsoft) When I create an attack simulation, and folks report the phish, I still get a copy of it in the phishing mailbox (I send these out monthly to thousands of people so I would prefer not to have a copy) I have looked at the email headers, and there is nothing in them that I can create a custom rule for. Has anyone been able to filter out attack simulation emails, while still receiving normal user reported emails in the SOC mailbox? Any advice appreciated. EmMicrosoft Security Fun Friday Week 4! This week's game- FACT OR FICTION
Hey there Security Tech Community! We're back with Week 4 of our Security Fun Fridays. This week's game will be Fact or Fiction! Below are FIVE statements related to cybersecurity and it is up to YOU to determine whether the statements are Facts (true) or Fiction (false). The first THREE people to respond below in the comments with all five correct answers will earn our new "Microsoft Security Star" Badge to add to their profile. I will give everyone until TUESDAY 2/25 before I post the answer key and award the badges (so even if 3 people answer before you, they may not be correct). Good luck! Note: This badge is only given out during Fun Friday games or by being an outstanding member of the community, so it is very exclusive! STATEMENTS: An organization has deployed Microsoft 365 applications to all employees. Per the shared responsibility model, Microsoft is responsible for the accounts and identities relating to these employees. Data sovereignty is the concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed. Multifactor authentication works by requiring a user to provide multiple forms of identification to verify that they are who they claim to be. The Zero Trust model operates on the principle of “constantly be collecting information about your systems, vulnerabilities, and attacks.” Wardriving is the name of a common network attack where the cybercriminal compromises a router in the network to eavesdrop on, or alter, data.
Params required for Secure Score not available - AntiPhishPolicy
I have a pwsh script to configure the various threat protection policies. Has worked great. Went to run it on one tenant today, and got a number of invalid param errors. I investigated, and found that 1) The online portal doesn't list these params, they can't be set. Ex: EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction, EnableSimilarDomainsSafetyTips, etc They have a recommendation to configure Mailbox Protection to send to the Junk Mail folder (like everyone, which is what I've been doing for everyone). But this isn't an option for this tenant. Not on the web, or via ExchangeOnlineManagement. ``` PS C:\Users\me> Set-AntiPhishPolicy -EnableMailboxIntelligenceProtection $true Set-AntiPhishPolicy : A parameter cannot be found that matches parameter name 'EnableMailboxIntelligenceProtection'. ``` However, when I run Get-AntiPhishPolicy, those params DO return. A number of which I just can't set, but ARE Secure Score recommendations. EnableMailboxIntelligenceProtection : False EnableTargetedDomainsProtection : True EnableFirstContactSafetyTips : False EnableSimilarDomainsSafetyTips : False TargetedUserProtectionAction : Quarantine TargetedUserQuarantineTag : DefaultFullAccessPolicy MailboxIntelligenceProtectionAction : NoAction MailboxIntelligenceQuarantineTag : DefaultFullAccessPolicy TargetedDomainProtectionAction : NoAction TargetedDomainQuarantineTag : DefaultFullAccessPolicy AuthenticationFailAction : Quarantine SpoofQuarantineTag : DefaultFullAccessPolicy EnableSpoofIntelligence : True Furthermore, though this may be a temporary thing, I am unable to save any changes to the available params in the web console.Azure Sentinel Training Lab solution is no longer on Azure Marketplace
Hi folks! It appears the Azure Sentinel Training Lab solution is no longer on Azure Marketplace. Was this removed for SFI security reasons and if so what are alternative deployments for this? https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-LabAIP Scanner - Unable to authenticate and setup Microsoft Azure Information Protection
Hi All, I'm getting stuck in below issues to test AIP Scanner. Error Set-AIPAuthentication : As I worked through below the steps I had faced the following issue and cannot move forward. https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/deploy-aip-scanner-configure-install.md or https://alberthoitingh.com/2020/07/21/azure-information-protection-scanner-2/ I have done these steps Install Win Server 2019 & SQL Express on VM Workstation. Install AIP Client Install AIP Client on PowerShell and it's running in services.msc Install-AIPScanner -SqlServerInstance AIPSCANNER\SQLEXPRESS -Profile Cluster1 Create AD on premise (GG.COM) and installed AD Connect (Express Setting) to Azure AD (testing.onmicrosoft.com) Create User on premise (aipscanner) role (Administrator) and sync to Azure AD (aipscanner@testing.onmicrosoft.com) and assigned E5 license. Login with GG\aipscanner on Win Server 2019. Get APPID, App Secret, Tenant ID from Azure Portal I tried to get the token run below the command but no ok. $pscreds = Get-Credential "testingtenant101.onmicrosoft.com\aipscanner" Set-AIPAuthentication -AppId "bac7ce5e-7a0b-40da-bb89-888888888" -AppSecret "6192e5b8-afb0-49bc-9a0e-888888888" -TenantId "623c0945-6ee5-42a1-8894-888888888" -DelegatedUser aipscanner@testing.onmicrosoft.com -OnBehalfOf $pscreds I think something wrong in authentication on-premise to azure (-DelegatedUser). Please kindly help me to move forward.New Place to Chat with the Microsoft Information Protection Team
Happy Wednesday, all! We're constantly working to provide easily accessible channels for direct interaction with our product team including feedback on how to improve your experience with our products! Moving forward, you can: talk to the Microsoft Information Protection team about our product and integrations via our Yammer Channel or provide feedback via our UserVoice Forum. You can also continue to get updates in our Microsoft Information Protection blog. Finally, we have a complete list of resources available here. If you're currently engaged in a conversation, the conversation space will be moved to the Microsoft Security and Compliance conversation space on 9/2. Feel free to comment with any questions regarding channels or informational resources.Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan RojasHow to Solution Prevent User Downgrade Sensitivity Label is changed
Hi Everyone , Now I use Microsoft 365 E3 + Microsoft 365 E5 Information Protection and Governance. I am looking for a way to prevent User Downgrade Sensitivity Label from High to Low. I understand that before they change the label, they have to comment and they can change it. Is there any solution that can block this or notify from the log?Microsoft Security Fun Friday Week 3! This week's game- WORDLE
Hey Tech Community! We're back with Week 3 of our Security Fun Fridays. This week's game will be much more unique and interactive than the first two! If you've ever played Wordle you'll know it usually takes a few guesses to get it right. Take turns guessing our 5 LETTER SECURITY-THEMED WORD OF THE DAY and I will be commenting the updated guessing chart below to confirm correct or incorrect letters and their placement. Anyone that helps in the final completion of the Wordle by guessing correct letters will earn our new "Microsoft Security Star" Badge to add to their profile! Note: This badge is only given out during these Fun Friday games or by being an outstanding member of the community, so it is very exclusive! Also just like previous weeks, if you have any ideas of other fun games that you would like to see in the future, please comment below. Good luck and happy solving!All the locations where you can find Sensitivity labels
Here are the locations where you can find the sensitivity label of a document (if there are any that I've missed, please feel free to add it here) Sensitivity Label Button in the Document: In Office applications such as Word, Excel, and PowerPoint, you can find the Sensitivity label button on the Home tab. This button allows users to apply or view sensitivity labels directly within the document interface. (Sensitivity label app on the upper right) (the bottom left will show the label applied to the document) Document Properties > Advanced Properties Sensitivity labels can also be found in the document properties. To access this, go to File > Info > Properties > Advanced Properties. Here, you can see detailed metadata, including any applied sensitivity labels. Sensitivity Label Column in SharePoint: In SharePoint, sensitivity labels are displayed in a dedicated column. This allows users to quickly see the sensitivity level of documents stored within SharePoint libraries Windows File Explorer: Sensitivity labels can be extended to Windows File Explorer, allowing users to apply and view labels directly from their file management interface. Mobile Applications: Office mobile apps for iOS and Android also support sensitivity labels, enabling users to apply and view labels on the go. Microsoft Purview Compliance Portal: Administrators can manage and view sensitivity labels applied across the organization through the Microsoft Purview Compliance Portal. This portal is only accessible to IT admins who has the right Purview role.
Suspected identity theft (pass-the-ticket) on multiple endpoints krbtgt
User Kerb tkt was taken from DirectAccess always on VPN server which has local NPS then used on user computer to access multiple resources. Expected behavior observed. What conditions to use for suppressing this alert? Related account: krbtgt Suspect account: domain user Hosts related: DC, DirectAccess server with local NPS Source host: domain user machine I can use the above SID and exclude but I'm hesitant as TP alerts may automatically close. I've several alerts like these daily.Here's how I prepared for the Microsoft Security, Compliance, and Identity Fundamentals exam SC-900!
Dear Microsoft 365 / Azure Security Friends, What I always have to tell myself when I read Fundamentals, never underestimate an exam like this. Such exams are always a kilometer long but only 1 centimeter deep. That means a lot of topics are asked, but not how to install or configure it. What does that mean exactly? For example, a question might be structured like this: You need to capture signals from an on-premises Active Directory with a cloud solution, what do you use? The answer is Microsoft Defender for Identity. On the exam there are single choice questions and multiple choice questions (minimum 2 answers). No case studies or sliding scale questions. Now to my preparations for the exam: 1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Mr81 2. So that I can prepare for an exam I need a test environment (this is indispensable for me). You can sign up for a free trial here. https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products I chose the "Microsoft 365 Business Premium" plan for my testing. 3. Now it goes to the Microsoft Learn content. These learn paths (as you can see below, all 4) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment. https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-identity-access/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-security-solutions/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-compliance-solutions/ 4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 5. Thomas Maurer's exam preparation information is super helpful! https://www.thomasmaurer.ch/2021/04/sc-900-study-guide-microsoft-security-compliance-and-identity-fundamentals/ 6. What you should also definitely watch is the YouTube of John Savill, really super informative! https://youtu.be/Bz-8jM3jg-8 I know you've probably read and heard this many times: read the exam questions slowly and accurately. Well, that was the key to success for me. It's the details that make the difference between success and failure. One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube! I hope this information helps you and that you successfully pass the exam. I wish you success! Kind regards, Tom Wechsler
Events
in 15 hours
Microsoft Entra Suite helps enforce Conditional Access to cloud apps and internet resources. Watch our product expert demo how to implement secure risk-based access to all resources with Microsoft En...
Online
Recent Blogs
- Part 1: What Is Cyber Resiliency and How Do I Get It? Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when ...Mar 10, 2025
- When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra Native Cross-Ten...Mar 06, 2025
