Recent Discussions
Block Anonymous Access to Teams without GSA
Documentation states that anonymous access to Teams and SharePoint can be blocked on the data plane with TrV2 through GSA. Testing TrV2 with a browser extension (Modheader) to inject the TrV2 header, I found that injecting this header also to the "data plane", i.e. Teams.microsoft.com, does block anonymous access to Teams. I am wondering if this method could be safely used to block anonymous access to a specific M365 service until a potential move to GSA.

Get Custom Details from Sentinel
How do I go about getting the custom details set using https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts via the REST API? I need to do this outside of a logic app and using the REST API. The incidents API endpoint doesn't provide this detail, and I couldn't find any API endpoint listed in https://learn.microsoft.com/en-us/rest/api/securityinsights/operation-groups?view=rest-securityinsights-2024-01-01-preview that would allow me to get the custom details with their values. Is there a Sentinel or a Graph API endpoint that'll allow me to get this information?

Blocking TCP 3389 - issues?
There is a strong push here to block RDP over part of our network. MSDI uses 3389 for name resolution. What order does MSDI use the three available methods for name resolution - TCP 135 (NTLM), UDP 137 (NetBIOS) and TCP 3389 (RDP)? We are currently seeing a lot of 3389 network traffic from the MSDI sensors to clients. TIA.

Attack Simulation - Copy to SOC Mailbox
Hello Community! Currently we are using Knowbe4 to simulate phishing campaigns. We are evaluating the Microsoft E5 Attack simulation. One problem that I cannot figure out with the MSFT version is as follows: I have the SOC mailbox set up to send phishing emails to a shared mailbox for triage (I have it set up to not forward to Microsoft). When I create an attack simulation, and folks report the phish, I still get a copy of it in the phishing mailbox (I send these out monthly to thousands of people so I would prefer not to have a copy). I have looked at the email headers, and there is nothing in them that I can create a custom rule for. Has anyone been able to filter out attack simulation emails, while still receiving normal user reported emails in the SOC mailbox? Any advice appreciated.
Em

Azure Sentinel Training Lab solution is no longer on Azure Marketplace
Hi folks! It appears the Azure Sentinel Training Lab solution is no longer on Azure Marketplace. Was this removed for SFI security reasons, and if so, what are alternative deployments for this? https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Training/Azure-Sentinel-Training-Lab

Params required for Secure Score not available - AntiPhishPolicy
I have a pwsh script to configure the various threat protection policies. Has worked great. Went to run it on one tenant today, and got a number of invalid param errors. I investigated, and found that 1) The online portal doesn't list these params, they can't be set. Ex: EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction, EnableSimilarDomainsSafetyTips, etc. They have a recommendation to configure Mailbox Protection to send to the Junk Mail folder (like everyone, which is what I've been doing for everyone). But this isn't an option for this tenant. Not on the web, or via ExchangeOnlineManagement.

```
PS C:\Users\me> Set-AntiPhishPolicy -EnableMailboxIntelligenceProtection $true
Set-AntiPhishPolicy : A parameter cannot be found that matches parameter name 'EnableMailboxIntelligenceProtection'.
```

However, when I run Get-AntiPhishPolicy, those params DO return. A number of which I just can't set, but ARE Secure Score recommendations.

```
EnableMailboxIntelligenceProtection : False
EnableTargetedDomainsProtection     : True
EnableFirstContactSafetyTips        : False
EnableSimilarDomainsSafetyTips      : False
TargetedUserProtectionAction        : Quarantine
TargetedUserQuarantineTag           : DefaultFullAccessPolicy
MailboxIntelligenceProtectionAction : NoAction
MailboxIntelligenceQuarantineTag    : DefaultFullAccessPolicy
TargetedDomainProtectionAction      : NoAction
TargetedDomainQuarantineTag         : DefaultFullAccessPolicy
AuthenticationFailAction            : Quarantine
SpoofQuarantineTag                  : DefaultFullAccessPolicy
EnableSpoofIntelligence             : True
```

Furthermore, though this may be a temporary thing, I am unable to save any changes to the available params in the web console.

Microsoft Security Fun Friday Week 4! This week's game- FACT OR FICTION
Hey there Security Tech Community! We're back with Week 4 of our Security Fun Fridays. This week's game will be Fact or Fiction! Below are FIVE statements related to cybersecurity and it is up to YOU to determine whether the statements are Facts (true) or Fiction (false). The first THREE people to respond below in the comments with all five correct answers will earn our new "Microsoft Security Star" Badge to add to their profile. I will give everyone until TUESDAY 2/25 before I post the answer key and award the badges (so even if 3 people answer before you, they may not be correct). Good luck! Note: This badge is only given out during Fun Friday games or by being an outstanding member of the community, so it is very exclusive!

STATEMENTS:
1. An organization has deployed Microsoft 365 applications to all employees. Per the shared responsibility model, Microsoft is responsible for the accounts and identities relating to these employees.
2. Data sovereignty is the concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed.
3. Multifactor authentication works by requiring a user to provide multiple forms of identification to verify that they are who they claim to be.
4. The Zero Trust model operates on the principle of "constantly be collecting information about your systems, vulnerabilities, and attacks."
5. Wardriving is the name of a common network attack where the cybercriminal compromises a router in the network to eavesdrop on, or alter, data.

Microsoft Security Fun Friday Week 3! This week's game- WORDLE
Hey Tech Community! We're back with Week 3 of our Security Fun Fridays. This week's game will be much more unique and interactive than the first two! If you've ever played Wordle you'll know it usually takes a few guesses to get it right. Take turns guessing our 5 LETTER SECURITY-THEMED WORD OF THE DAY and I will be commenting the updated guessing chart below to confirm correct or incorrect letters and their placement. Anyone that helps in the final completion of the Wordle by guessing correct letters will earn our new "Microsoft Security Star" Badge to add to their profile! Note: This badge is only given out during these Fun Friday games or by being an outstanding member of the community, so it is very exclusive! Also just like previous weeks, if you have any ideas of other fun games that you would like to see in the future, please comment below. Good luck and happy solving!

Microsoft Security Fun Friday Week 2! This week's game- Security Crossword.
Hey Tech Community! We're back with Week 2 of our Security Fun Friday. The first to complete and post a screenshot in the comments of today's Security-themed Crossword Puzzle will earn our new "Microsoft Security Star" Badge to add to their profile! This badge will only be given out during these Fun Friday games or by being an outstanding member of the community, so it will be very exclusive! Also just like last week, if you have any ideas of other fun games that you would like to see in the future, please comment below. Good luck and happy solving!

Introducing Microsoft Security Fun Fridays! This week's game- Word Search.
Hey Tech Community! I want to introduce to you a fun new initiative I am starting on the Microsoft Security Community: The first to complete and post a screenshot in the comments of today's Security-themed Word Search will earn our brand new exclusive "Microsoft Security Star" Badge to add to their profile! This badge will only be given out during these fun game posts or by being an outstanding member of the community (more details to come). Also, if you have any ideas of other fun games that you would like to see, please comment below. Good luck and happy hunting!

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I go to Risk Detections, nothing. Short of bringing up each user, and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to... But here are the different ways I've tried filtering Risk detections: Risky Sign-Ins. Trying to understand the users popping up in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? Thanks
File Plan/Retention Labels cannot be deleted OR found in content explorer
When we try to delete a Purview Records Management > File Plan label (or Data Lifecycle Management > Retention label), we get the following error: "You can't delete this record label because it's currently applied to items in your organization. You can use content explorer to determine which items have this label applied." (see attached image). When we go to content explorer to find the label (in this example, Bank Reconciliations), it doesn't appear to exist (see attached image). We also reviewed our Label policies and Retention policies, and the given labels are not associated with any policy that we can see. So, as a result, we cannot clean up File Plan labels since we can't find and remove the association between them and policies / items. Has anyone encountered this error when deleting file plan retention labels, but then been unable to find anything the label is associated with?

Suspected identity theft (pass-the-ticket) when switching LAN/WiFi
Hi, I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back. The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket. How do you deal with that? Can you tune the alert somehow so that it doesn't keep alerting?

```
Jan 16, 2025 4:15 PM This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1).
Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM [Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2).
```

Thanks for your support

Global Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on administrator roles in Azure, you can end up in the situation where it is no longer possible to recover your tenant. If your only account on that tenant has the Global Administrator role and you accidentally lose your MFA, the only way is to call Microsoft support. Support on the phone is automated, where any question regarding Azure is redirected to visit the Azure portal. If your only user cannot log in, then the Azure portal is not accessible.

Attack simulation Payload editor - recently broken?
Hello, Just last Wednesday, Jan. 8th, I created a new custom payload and was happy with the testing of the email. I logged in today and noticed that a majority of the formatting had been removed. I found this post: https://answers.microsoft.com/en-us/msoffice/forum/all/phishing-attack-simulation-payload-editor-is/88232e12-9744-4d87-9566-3fd5d8c2ed3a Seems like he is having the same issue I am facing. Nothing is centering and many of the blocks I have created are gone (i.e. the External email banner). Anyone else having these issues, or has anyone found a way to "fix" it? Here is a snip of the same payload, one sent Wednesday, the other Monday:
Monday, Jan. 13th:
Any help would be appreciated.

New additions in Compliance manager
Hi everyone, I was just marveling about the addition of custom regulations in Compliance manager, but apparently very few users seem to be using this particular module in Purview; at least I can't seem to find any user forum for it. Can anyone point me in the right direction, or am I the only user of Compliance manager in the known universe 🙃 Regards, Guðjón

Authenticator not displaying numbers on MacOS
I have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is:
1. Answer 'it's not me' on the phone
2. On the Mac, select 'I can't use Authenticator right now'
3. Tell the Mac to send a new request
This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
Recent Blogs
- Part 1: What Is Cyber Resiliency and How Do I Get It? Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when ... (Mar 10, 2025)
- When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra Native Cross-Ten... (Mar 06, 2025)