Recent Discussions
Microsoft Security Fun Friday Week 4! This week's game- FACT OR FICTION
Hey there Security Tech Community! We're back with Week 4 of our Security Fun Fridays. This week's game will be Fact or Fiction! Below are FIVE statements related to cybersecurity and it is up to YOU to determine whether the statements are Facts (true) or Fiction (false). The first THREE people to respond below in the comments with all five correct answers will earn our new "Microsoft Security Star" Badge to add to their profile. I will give everyone until TUESDAY 2/25 before I post the answer key and award the badges (so even if 3 people answer before you, they may not be correct). Good luck!

Note: This badge is only given out during Fun Friday games or by being an outstanding member of the community, so it is very exclusive!

STATEMENTS:
1. An organization has deployed Microsoft 365 applications to all employees. Per the shared responsibility model, Microsoft is responsible for the accounts and identities relating to these employees.
2. Data sovereignty is the concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed.
3. Multifactor authentication works by requiring a user to provide multiple forms of identification to verify that they are who they claim to be.
4. The Zero Trust model operates on the principle of “constantly be collecting information about your systems, vulnerabilities, and attacks.”
5. Wardriving is the name of a common network attack where the cybercriminal compromises a router in the network to eavesdrop on, or alter, data.

Solved | 168 Views | 0 likes | 6 Comments

Microsoft Security Fun Friday Week 2! This week's game- Security Crossword.
Hey Tech Community! We're back with Week 2 of our Security Fun Friday. The first to complete and post a screenshot in the comments of today's Security-themed Crossword Puzzle will earn our new "Microsoft Security Star" Badge to add to their profile! This badge will only be given out during these Fun Friday games or by being an outstanding member of the community, so it will be very exclusive! Also just like last week, if you have any ideas of other fun games that you would like to see in the future, please comment below. Good luck and happy solving!

Solved | 91 Views | 0 likes | 3 Comments

Easiest way to view remediated risk detections?
I'm looking in Lighthouse at a series of risky logins that are remediated. The thing is, this tenant previously experienced a breach that got remediated, so I'm trying to be extra cautious. When I click "View in Entra", it brings up no risk detections. If I navigate to Protection > Risky Activities > Risky Sign-Ins I get nothing. Switching to all statuses, I still get nothing. Same thing happens if I go to Risk Detections, nothing. Short of bringing up each user, and checking every single login to try to find what was risky, is there a way I can see these once the statuses are remediated? It seems like I SHOULD be able to... But here are the different ways I've tried filtering Risk detections: Risky Sign-Ins Trying to understand the users popping in Lighthouse, but they don't appear with any of these filters (or the defaults).... Anyone able to advise? Thanks

Solved | 59 Views | 0 likes | 2 Comments

DLP Policy Tip Stopped Working in SharePoint/OneDrive
Greetings, I created a DLP policy in Microsoft Purview several years ago to display a policy tip to users and it has been working until recently. No changes have been made to the policy. Now, when I go to a SharePoint document library, whether I hover on a sensitive document to see the "View policy tip" or select on the details pane, I no longer see the policy tip information. If I try to share the sensitive document, I also see the "View policy tip". However, this time it shows a Policy tip details dialog box "Policy tip couldn't be displayed. Please try again." Has anyone seen this? Could you share the solution to fix it? Thanks!

Solved | 80 Views | 0 likes | 1 Comment

Rollout Windows hello for Business
Hello, I would like to roll out Windows Hello for Business (cloud trust). The configuration with Endpoint Manager is complete. Everything works very well for new installations. There are problems with clients with activated Windows Hello (without Business). The only option here is to delete the Windows Hello configuration and then log on to the client with TPA. Windows Hello for Business can then be configured. Is there a better way to configure it for existing clients with active Windows Hello (without Business)? If the user first logs in with a password, the PIN creation runs into a timeout with the information that it needs more secure information. The user has no MFA configured.

Thanks for your help
Stefan

Solved | 499 Views | 0 likes | 5 Comments

Sensitivity Labels & External Sharing
Can anyone help, please? We've rolled out sensitivity labels for emails and we're experiencing an issue with external recipients accessing downloaded attachments. In particular, when an encrypted email is sent externally (using a label which allows external access and giving Owner rights on the file), recipients can view the email body and open attachments but as soon as they download the attachment the downloaded file converts into an .xml file. We don't have this issue with PDF files.

Solved | 579 Views | 0 likes | 8 Comments

Unable to access Update 3 for Microsoft Advanced Threat Analytics 1.9
Hi, Microsoft Tech Community and Ricky Simpson from Microsoft, I cannot download Update 3 for Microsoft Advanced Threat Analytics 1.9. Whenever I tried to access the download update from this article, it seemed the ID number 56725 was missing, and an error code of 404 was returned.

Tried URL: https://www.microsoft.com/download/details.aspx?id=56725

Hope you can fix this problem as soon as possible, because Microsoft ATA still plays an important role in most of the enterprise network, including my company's network. Best regards for all people in the community

Solved | 326 Views | 0 likes | 3 Comments

Missing remediation actions
Hi everyone, Remediation actions such as Disable/Enable user in AD, Force password reset are currently not available through the Defender portal (user page, advanced hunting). Anyone aware of this change? https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions#supported-actions

Solved | 535 Views | 1 like | 1 Comment

Azure Lighthouse: Updated Entra ID Group used for Authorization with new Users
With Azure Lighthouse and the managed tenant, when applying additional users to a related Entra ID group used for authorization, how do you identify the issues when those users show they do not have access to valid customer tenants and their resources, such as Log Analytics Workspaces?

Solved | 280 Views | 0 likes | 2 Comments

MailTips for Exchange
We would like to implement a warning message that alerts users when they are sending an email to an external recipient. We initially tried using DLP policies to achieve this, but it seems that DLP only allows control over emails sent outside the organization when they contain attachments. We tried using MailTips as a potential solution, but it appears that Microsoft may have changed the functionality of MailTips. As far as I can tell, they no longer offer the capability we need for this scenario. Can somebody determine how we can configure a system that notifies end users when they are sending emails to external recipients? We’re looking for a solution that either prompts the user or provides some form of notification.

Solved | 437 Views | 0 likes | 3 Comments

Training Campaigns: not all members invited AND newly created only in Scheduled State
We have started last week a training campaign (12 modules) and imported the targets via TXT-File ~ 4.200 Users via Email Address. The Preview showed the correct user-amount, but once the campaign was "running", the users were reduced to 3.462. Some people, who are not shown in the campaign nor received the mail with the trainings, are able to login via the generic link (https://security.microsoft.com/trainingassignments) and can see / run the assigned modules, but some get an empty list.

To cover the "lost" accounts, we created a second training campaign with the same targets yesterday (repeated over is configured to 365 days), but the campaign won't leave the "scheduling" state. For testing purpose, we created a training with "fresh" modules (never used) and assigned only 2-3 users, but campaigns still won't change from "scheduled" to "running" or whatever status it should be.

We faced an issue with one training module (phish by phone): in German, it only shows a grey-window, but no player starts. Debugger shows some 404 / 403 errors when loading the module. When we try the same module in EN, we get some error messages, but the course starts properly and people are able to "complete" it. For this specific issue, we already opened a ticket, but it would be interesting, if the "campaign state = scheduled" is a "global issue" or an undocumented limitation. As far as we see, we should not reach any limitation.

michael

Solved | 529 Views | 0 likes | 3 Comments

MDI & gMSA config
Hi, We have followed the MDI Deployment guide from Microsoft: https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity

We have also cross referenced this guide: https://jeffreyappel.nl/how-to-implement-defender-for-identity-and-configure-all-prerequisites/

The MDI Portal shows the gMSA account. The MDI agents are running fine and reporting to the MDI Portal. However, when we look at Services.msc on the Domain Controllers, the MDI agent runs under the security context of "Local Service" and not the gMSA account. Can anyone advise us on whether this is correct? Or should we see the gMSA account in Service.msc console? And what other config may be required to make it run under the gMSA account?

Thank you
SK
(screenshot below)

Solved | 673 Views | 0 likes | 2 Comments

Clarify the purpose of labelling features in Microsoft Defender for Cloud Apps and Purview
I find the lineup of Microsoft's products, bundles and licenses confusing. The names seem to change regularly and it is difficult to know whether documentation is referring to old or new features. I'm looking into sensitivity labels and what features are available for different license levels. The main features are provided in the Purview portal but there are other sensitivity label features in Microsoft Defender for Cloud Apps.

From my understanding, a user with an Office 365 E3 license will be licensed for the entry level Purview components (Information Protection, Data Loss Prevention, Data lifecycle management, eDiscovery and auditing, insider risk management). You need to step up to Office 365 E5 to get auto-labeling features. Microsoft Defender for Cloud Apps also has some sensitivity labeling features. I believe this requires a Microsoft 365 E5 or a (Office 365 E5 + Enterprise Mobility + Security E5). Which means you would also have access to most of the Purview features.

What is the difference between the Microsoft Defender for Cloud Apps sensitivity label features compared to the Purview features for Microsoft 365 content? Is it just for labeling content in other cloud services like Box and Dropbox? I saw one article that says the Cloud Apps feature can only label 100 (SharePoint?) items per day.

Solved | 547 Views | 0 likes | 1 Comment

MDI Sensor Windows-Service issue Version 2.235.17900.47908
Hello all, We have successfully installed the MDI sensor with version 2.235.17900.47908 on a Windows Server 2022. After installation, the MDI sensor does not start. According to the readiness tool, everything is in place. We also added the MDI service account to the Logon as service group. The MDI sensor then tries to start the sensor-service over and over again, but without success. We receive the following errors:

Microsoft.Tri.Sensor-Errors.log
2024-05-23 13:40:20.4944 Error HttpResponseMessageExtension Microsoft.Tri.Infrastructure.ExtendedHttpRequestException: Response status code does not indicate success: 400 (Bad Request). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).

Microsoft.Tri.Sensor.Updater-Errors.logs
2024-05-23 13:41:02.8043 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]

I can't find anything about this behaviour in any other discussion. That's why I started this one. Thanks for all the inputs.

Solved | 719 Views | 0 likes | 1 Comment

Block File Sharing to a Network Subnet
Hey - I have a use case to detect and block files being saved to storage devices / file shares on a subnet 192.168.0.0/16 (to prevent users connected over VPN copying data to their home LAN). Is that possible using Microsoft Endpoint DLP or MDE? thanks

Solved | 868 Views | 0 likes | 3 Comments

Lateral Movement Alert Documentation
On the page Lateral movement security alerts - Microsoft Defender for Identity | Microsoft Learn, in the Suspected identity theft (pass-the-ticket) section (Lateral movement security alerts - Microsoft Defender for Identity | Microsoft Learn), the MITRE sub-technique points to the wrong technique: it points to Pass-the-Hash, not Pass-the-Ticket. As GitHub documentation is no longer used, not sure if this is the right place to be raising this.

Solved | 596 Views | 0 likes | 1 Comment

Sensitivity label works in Outlooks web app but not desktop app
We are currently using M365 Business Premium licence and hence are using Azure Information Protection Premium Plan 1. We created an 'Internal' sensitivity label on compliance.microsoft.com, with "assign permissions now" configuration granting co-author access to all users and groups within the organisation. The label is working in the user's Outlook web app. However, when drafting a new email in Outlook desktop app, the option to select the label is there, but when I click on the label itself it reverts back to "no label". All the users to which label policy is scoped can see the label but can't apply it.

Some insights:
1. If I create a label with "Let users assign permission" configuration and then select the "Encrypt-Only" or "Do-Not-Forward" options, then users can see that label and apply it in the Outlook desktop app and web.
2. If I create labels with "Assign Permission now" configuration, scope it to both file and email, grant co-author access to 'Authenticated Users', or 'all users and groups within the organisation', then users can select the label in Word/Excel etc, but not Outlook Desktop app. They can assign the same label in Outlook Web though.

We are on the latest - Microsoft® Outlook® for Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176) 64-bit. We use built-in labels by Office apps and never used AIP unified labelling client or the classic client.

Solved

leverage the memberof in Dynamic Groups
I am wondering if it is possible to exclude membership to a dynamic group, when the user is member of a group. Adding a member is following syntax:

user.memberof -any "$Groupid"

I tried -not, notcontains and notin. Example:

and (user.memberof -notcontains "123d12e3-123d-1234-ad56-782b901cff23")

Solved | 534 Views | 0 likes | 1 Comment

What are the disadvantages with encrypting all files?
We are working with a client that has Office 365 E3 licenses. They want to protect their files from being accessed by external parties or ex-employees. We are planning to implement Information Protection sensitivity labels. Since they only have E3, they won't be able to auto-apply sensitivity labels. Any label will need to be applied manually. One approach we are considering is setting the default file label to encrypt the document and grant permissions to all staff. If a document is copied outside the network it will only be accessible to staff with an active account. Is there any disadvantage with this approach?

Solved | 582 Views | 1 like | 1 Comment

Event based retention and event types
When you want to create some event based retention, Microsoft offers 3 event types:
- Employee activity
- Expiration or termination of contracts and agreements
- Product lifetime

I know that a label is associated with 1 event type. And when you create an event, you have to choose:
- 1 event type
- in the query, you select the asset ID
- 1 date

Arrival and departure of an employee are two typical events for employee activity. Can I use the same event type 'Employee activity' for those 2 events? Or do I have to create two additional event types 'Employee arrival' and 'Employee departure'?

Solved | 709 Views | 0 likes | 1 Comment
Events
Recent Blogs
- Part 1: What Is Cyber Resiliency and How Do I Get It? Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when ... (Mar 10, 2025 | 216 Views | 2 likes | 0 Comments)
- When managing identities across multiple tenants, organizations often face a crucial decision: should they choose ADSS (Active Directory Synchronization Service) Tenant Sync or Entra Native Cross-Ten... (Mar 06, 2025 | 416 Views | 0 likes | 0 Comments)