D Lind

2.5K posts

@dnsinit

Tweets are my own. Lucky guy who works with his hobby. 👨🏼‍💻 Here for the awesome knowledge in the MSFTverse, threat intelligence and FPL tweets.

Joined December 2011
497 Following · 130 Followers
Nathan McNulty@NathanMcNulty·
I'm a huge fan of using role assignable groups and restricted management admin units - this article is great at explaining why we should :) One thing is missing though: Tier 0 assets in Arc should always be locked down to prevent this type of attack learn.microsoft.com/en-us/azure/az…#disable-unnecessary-management-features
Compass Security@compasssecurity

Unprotected groups in Entra ID can lead to privilege escalation. Part 2 of our 4-part series shows how weakly protected groups can be abused to bypass controls, gain privileged access, and lead to full compromise—and how to detect this with EntraFalcon: blog.compass-security.com/2026/03/common…

Richard Hicks@richardhicks·
Had a great time talking about #Microsoft #Entra Private Access with @merill last week. We compared Global Secure Access (GSA) with traditional VPN technologies and discussed #VPN migration strategies. Check it out! #mobility #security #DirectAccess #aovpn #ztna #identity
Merill Fernando@merill

Most VPN migrations fail before they even start. Not because of technology. Because of approach.
In our latest podcast, remote access expert @richardhicks shares something interesting: He’s helped organizations transition away from legacy VPNs multiple times and the successful migrations all follow a similar pattern.
One of the biggest secrets? 👉 Don’t rip out the VPN first. Instead:
🔹 Deploy Microsoft Entra Private Access alongside the existing VPN
🔹 Let the new client intercept traffic before the tunnel
🔹 Gradually move apps over
🔹 Then retire the VPN
This reduces risk dramatically and gives teams time to understand how identity-based access changes the model.
The shift is bigger than most teams expect:
🔰 Legacy VPN → network access
🔰 Modern Zero Trust → application access
If you're considering moving to Microsoft Entra Private Access, this episode is full of practical lessons from someone who has already done it several times.
🎧 Watch the full conversation at entra.news/p/how-to-migra…

D Lind@dnsinit·
@DanielatOCN @PyroTek3 Ah right, I only ever use the service to translate a domain name to tenant id without authenticating so didn’t think about the additional use cases 😅
Daniel Bradley@DanielatOCN·
Microsoft have finally patched another tenant domain enumeration loophole > ourcloudnetwork.com/microsoft-quie… Since Microsoft Patched the Get-FederationInformation endpoint from enumerating tenant domains, researchers and services like my TenantDomainFinder have been using a legacy ACS endpoint to enumerate all tenant domains. However, it looks like from today, Microsoft have quietly patched this exploit! #Entra #Microsoft #OSINT
D Lind@dnsinit·
@SwiftOnSecurity For that countermeasure to be somewhat effective we also need universal CAE to make sure access tokens can be revoked too… although I didn’t read up on the details in this case, perhaps CAE was in fact in play :)
D Lind@dnsinit·
@drbirrdie @SwedishPM Yes, I’m sure they’d brag about a mistake like that on social media 😂
Drbirrdie@drbirrdie·
@SwedishPM I see state sponsored pirate operations.
Ulf Kristersson@SwedishPM·
Not everyone gets such a warm welcome to Sweden. 📷: The video shows Swedish authorities decisively intervening against a suspected false-flagged oil tanker in the shadow fleet Thursday night.
D Lind retweeted
Merill Fernando@merill·
👋 If you manage Microsoft Entra, this episode is worth your time. 🎙️🎧 @NathanMcNulty and @DanielatOCN joined me for a deep dive into all the February Entra announcements. Here's a 🧵 of what we covered. Bookmark it. Full episode: entra.chat 1/12
D Lind retweeted
Sam Erde@SamErde·
It has been a long time since I started working on this side project, and DLL Pickle is finally ready for an RC! This #PowerShell module is a DLL pre-loader that helps you avoid version conflicts when connecting to Microsoft Az, Graph, EXO, Teams, and SPO! github.com/SamErde/DllPic…
D Lind retweeted
Merill Fernando@merill·
6 months ago, 4 Microsoft Security MVPs and I started building something. Last week, 120 people attended a 7-hour Entra Identity Masterclass at @ExpertsLiveDK. Nearly all of them stayed the entire time. Today, we're making the Masterclass Labs ❇️free❇️ on GitHub.
On the latest Entra Chat podcast, @JanVidarElven, @pimjacobs89, @Thomas_Live, @KlaBiers and I break down exactly what's inside the lab:
🔹 Lab 1: Entra Inbound Provisioning: Connect an HR source and push users into your tenant
🔹 Lab 2: Lifecycle Workflows: Automate joiner, mover, and leaver processes with pre-hire, new hire, and post-onboarding flows
🔹 Lab 3: Privileged Accounts: Create and secure admin accounts with FIDO2 phishing-resistant authentication
🔹 Lab 4: Access Packages & Entitlement Management: Govern access requests end-to-end
🔹 Lab 5: Conditional Access & Security Monitoring: Protect identities and monitor exposure in Entra ID
🔹 Lab 6: Entra Agents: Explore AI-powered identity management
All self-guided. All on GitHub. Fork it, contribute to it, learn from it. If you work with Microsoft Entra ID, this is for you.
🎧 Watch/listen to the full episode: entra.chat
👾 Join the community: discord.entra.news
Huge thanks to @knudsenmortendk who came up with the brilliant idea for the Identity Masterclass and for putting together this amazing team of MVPs to build and deliver it!
#MicrosoftEntra #EntraID #IdentitySecurity #MicrosoftSecurity #ZeroTrust #EntraChat #OpenSource
D Lind retweeted
Haakon Wibe@HaakonWibe·
Look.. it's a Conditional Access policy simulator built by an infra architect guy who got tired of squinting at What If results 🫠 Shiny graphs yay! 🔗ca.haakonwibe.com No sign-in needed, click Sample Data and play around. Or connect to your own data - all's in browser.
D Lind retweeted
Nathan McNulty@NathanMcNulty·
Ever need to find out what Entra authentication methods your users are using but don't have Log Analytics/Sentinel? :) It's not as difficult as you might think! To get started, log into the Entra portal, go to Sign-in logs, set the date range to 1 month, then download the JSON:
D Lind retweeted
Merill Fernando@merill·
"Your 13-year-old could set up a phishing kit in 20 minutes." That's what @ericonidentity told me about EvilGinx and modern adversary-in-the-middle attacks.
Eric is the Chief Identity Architect at Semperis and a Microsoft MVP who just led something remarkable: taking a 600-person company from scattered MFA to 100% phishing-resistant authentication in just three months. I had to get him on Entra.Chat to share how they did it.
THE PASSKEY PLAYBOOK
The technical part wasn't what kept Eric up at night. Conditional Access policies? Straightforward. Hello for Business, Platform SSO, and passkeys as the only allowed methods? Done.
What made this rollout succeed was the people strategy:
They built a self-enrollment system using Power Platform. Employees could opt-in early and become internal champions. By the time they flipped the switch for everyone, half the company was already converted.
Leadership went first. When the C-suite was using passkeys, middle management resistance evaporated overnight.
They ran office hours. Not webinars, not documentation dumps. Actual humans answering actual questions in real-time.
THE UGLY PARTS
Not everything worked smoothly. Azure VPN client doesn't support passkeys. Some legacy apps were still using old Internet Explorer DLLs. A handful of Android 13 users couldn't use device-bound passkeys at all.
Their solution? Surgical CA policy exceptions for about 5 apps, tracked in a dashboard, with vendors being "encouraged" to fix their implementations.
For the Android holdouts, synced passkeys came to the rescue. Are they as secure as device-bound? No. Are they still infinitely better than passwords and push notifications? Absolutely.
THE ATTACKS THAT STILL WORK
Here's the part that should concern everyone: Even with passkeys deployed, downgrade attacks are a real threat. The only defense? 100% phishing-resistant conditional access policies with no fallback methods.
nOAuth AND THE DEVELOPER PROBLEM
Eric's security research goes deeper. He walked me through nOAuth, a vulnerability pattern where applications use email claims instead of the subject identifier to identify users.
The problem? Email addresses in Entra ID aren't immutable. An attacker can set their email to match a victim's, and vulnerable apps will grant them full access to that account's data.
Microsoft has guidance to fix this, but developers keep building apps the wrong way. And there's no easy way for admins to detect which apps in their tenant are vulnerable.
BOTTOM LINE
Passkey rollouts are 80% organizational change management, 20% technical implementation. Your help desk needs training. Your documentation needs to be bulletproof. And you need executive air cover from day one.
The full conversation covers way more: consent phishing, clickfix attacks, reply URL hijacking, and why the Zero Trust Assessment tool takes 24+ hours on large tenants.
Listen here: entra.chat
#Passkeys #ZeroTrust #CyberSecurity #Infosec
D Lind@dnsinit·
@merill Looking forward to seeing you all! 🥳
Merill Fernando@merill·
Looking forward to my first time in Europe → 🇩🇰Denmark!
Experts Live Denmark@ExpertsLiveDK

✨ Track Speakers: Identity ✨ ✨ Ever dreamt of being a tech superhero? Cape up and dive into the Microsoft Identity cosmos with us! 🚀 Get set for the geek fest of the year at Experts Live Denmark 2026 on 24+25th February 2026! 🔗 All aboard: eldk26.expertslive.dk 🤖💡 Rub elbows with tech titans like Christopher Brumm (@cbrhh) | Fabian Bader (@fabian_bader) | Eric Woodruff (@ericonidentity) | Thomas Naunheim (@thomas_live) | Jan Vidar Elven (@JanVidarElven) | Klaus Bierschenk | Merill Fernando (@merill) | Pim Jacobs. #ELDK26 #ExpertsLiveDK #Microsoft #Community #Security #Azure #AI #ModernWorkplace #Intune #DevOps #Automation #M365 #PowerPlatform #Data #Purview #Development #OpenAI #Copilot #AVD #W365 #Identity #Entra ELDK26 Organizers: Morten Knudsen (@knudsenmortendk) Martin Byskov (@ByzzByskov) Morten Leth Hedegaard (@morten_leth) Kent Agerlund (@agerlund)

D Lind@dnsinit·
@ManUtd Did you call Alonso yet?
Manchester United@ManUtd·
Our #MUAcademy U21s start the year with a W ✔️🙌 Goals from Tyrell Malacia, Chido Obi (2) and Gabriele Biancheri ensured we go top of the #PL2 table 🔝
D Lind@dnsinit·
@johan_forslund @TinaSvensson08 @PlainviewLegacy Don't know which is dumber: travelling from a poor country where you don't have access to your own shower to Sweden with a mistaken picture, or, as a Swede with full access to all the world's information, believing that people live in the same worlds and culture here as there.. or, well, actually I do
Plainview@PlainviewLegacy·
Kenyan YouTuber tells how she came to Sweden with dreams of free education and money. However, the woman was disappointed with the system and the culture, and travelled back after a few years. One of the biggest shocks for her was that in Sweden you were forced to wash your own hair.
D Lind@dnsinit·
@TinaSvensson08 @PlainviewLegacy I'm not nitpicking words, it's about the content of the message. Great that she noticed it wasn't what she thought and talks about it. I'm not in any way left-wing but I get irritated by people who mindlessly spread propaganda and play troll on the Internet.
D Lind@dnsinit·
@TinaSvensson08 @PlainviewLegacy No, recounting one's experience is not the same thing as complaining. Nowhere does she have a whining tone. Well done of her to do it in a playful way instead.