Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior? The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. App event Application: Microsoft.Tri.Sensor.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult) at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) Exception Info: System.IO.IOException at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>) at System.Net.LazyAsyncResult.Complete(IntPtr) at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object) at System.Net.ContextAwareResult.Complete(IntPtr) at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr) at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for lighthouse. recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. ThanksWhat is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to it's full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan RojasHow to Solution Prevent User Downgrade Sensitivity Label is changed
Hi Everyone , Now I use Microsoft 365 E3 + Microsoft 365 E5 Information Protection and Governance. I am looking for a way to prevent User Downgrade Sensitivity Label from High to Low. I understand that before they change the label, they have to comment and they can change it. Is there any solution that can block this or notify from the log?
Risky sign-ins not showing anything
Hi, For some time already, I am not sure why but I cannot see anything in risky sign-ins in Identity Protection (MS Entra). Even when I receive a summary email (Microsoft Entra ID Protection Weekly Digest) mentioning there were risky sinn-ings detected. When I click on the risky signings directly in the email to take me to the report, I see no data there at all... When I modify filters to include all, nothing shows up either. It has been like this for few months already. Before, I could see them with no issues. Has anything changed? Or why I can't see any records?Suspected identity theft (pass-the-ticket) when switching LAN/WiFI
Hi, I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back. The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket. How do you deal with that? Can you tune the alert somehow so that doesn't keep alerting? Jan 16, 2025 4:15 PM This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1). Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM [Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2). Thanks for your support
