ClassyGull

10 posts

@ClassyGull

Joined May 2023
287 Following, 10 Followers
ClassyGull
ClassyGull@ClassyGull·
@IAMERICAbooted Are you aware of any solutions that help with Entra app attestation? Essentially, attest that an app is still valid or it will be disabled/deleted.
EZ
EZ@IAMERICAbooted·
How many App Registrations do you have and what do they do? Who owns them? What are the approved URIs? Who are the approved owners and why are they needed? What API permissions are assigned? Consented? Used? Which ones are federated and where are they federated with? What OAuth flows are they using? Exposed APIs? Which ones require assignment? How many have deprecated APIs? How many have Application APIs? How many can write and where can they write? Which ones require application locks? Who can alter the configuration of them? (you probably have no idea because owners can) Where are credentials/secrets/certs/keys exposed across the enterprise? Where does your regulated data aggregate? What's in what DB where? Who can tell me every device hostname in the org and who it's assigned to right now? (the answer is none of you) Who can tell me which Cloud Apps are implemented with SP-Initiated Authn and what types of data live in them? What authentication policies allow unsafe fallback methods? (the answer is most likely all of them). Which ones are integrated using SCIM? Which ones are not? How many SharePoint owners do you have? How many admin roles are assigned in each admin center and to whom? Why do they need that role? How would they use it? For high risk roles that only need seldom elevation, do you have a second approver before elevation process? (I know, people still hate me recommending this for years) Who can write to what share? Who can read what share? How many stale groups do you have? How many M365 public groups do you have? How many dynamic groups do you have and how are they configured? Just a small sample ofc. I've yet to see one organization that doesn't severely struggle with governance and asset management.
Rob Fuller@mubix

Made a thing about Mythos and what companies need to do about it (like everyone else on the planet). I think where mine sticks out is giving some practical, “you can start this tomorrow” advice: “The Day-Zero Normal” linkedin.com/posts/mubix_th…

ClassyGull
ClassyGull@ClassyGull·
Did more testing today following your blog @NathanMcNulty but wasn’t able to add an eligible member to a PIM-enabled group located in an RMAU. This test group is not enabled for role assignments. After looking over audit logs for my account (even though it proxies through a service principal) it does show the failure, but it’s not for the ms-pim identity. It’s for one called Azure AD PIM. Only the SP id is listed; the app id is not provided. Perhaps MS has changed what SP is used? Without the app id I can’t register it and hence can’t add it to a custom role. Thoughts?
Nathan McNulty
Nathan McNulty@NathanMcNulty·
I'm a huge fan of using role assignable groups and restricted management admin units - this article is great at explaining why we should :) One thing is missing though: Tier 0 assets in Arc should always be locked down to prevent this type of attack: learn.microsoft.com/en-us/azure/az… (section: disable-unnecessary-management-features)
Compass Security@compasssecurity

Unprotected groups in Entra ID can lead to privilege escalation. Part 2 of our 4-part series shows how weakly protected groups can be abused to bypass controls, gain privileged access, and lead to full compromise—and how to detect this with EntraFalcon: blog.compass-security.com/2026/03/common…

ClassyGull
ClassyGull@ClassyGull·
@1ssve True. Although it’s a lot less painful with AI now.
S.🎧
S.🎧@1ssve·
I fucking DESPISE annual corporate self-review and goal setting. My goal is to get a paycheck every couple weeks
spencer
spencer@techspence·
CISOs have more responsibility and take more of the blame now more than ever. So they should be compensated in relation to that.
ClassyGull
ClassyGull@ClassyGull·
@randomrecruiter Something is not right with tracking employees. Zero trust is bad atmosphere.
The Random Recruiter
The Random Recruiter@randomrecruiter·
I just heard of multiple companies letting go of employees for coffee badging. They have a requirement for 3 days onsite per week, or 24 hours. Some of these people have been going in and immediately going back home, leaving after lunch, or a little early at 3 or 4. In two cases I heard of the manager approving this, and even doing it themselves. But I guess from a higher level, they don't care, and they were all let go. If your company has hard RTO mandates, especially if you’re in a more “traditional” industry like banking and financial services, I’d think twice about coffee badging in this environment.
spencer
spencer@techspence·
You can have all the fancy security tools you want. If your IT/Security team don’t care, if they are just going through the motions, stuff will get by, you will have incidents because of the mistakes they make.
ClassyGull
ClassyGull@ClassyGull·
@NathanMcNulty @IAMERICAbooted I think the problem I had run into was PIM in combination with ATR flag. Thanks for that article, that’s exactly the guidance I followed.
Fabian Bader
Fabian Bader@fabian_bader·
Microsoft just announced official support to store device bound Passkeys for Entra ID in the Windows Hello container. No app, no external hardware key but built in support. Sadly no attestation while in preview. mc.merill.net/message/MC1247… #Passkey #EntraID
ClassyGull
ClassyGull@ClassyGull·
Hey @merill wondering if you have any insight on this topic. I want to leverage device-bound passkeys in MS Authenticator, however there is a known issue when also leveraging Conditional Access to require an app protection policy for all apps on mobile OS. The provided workarounds aren’t great, but there is an undocumented workaround of excluding the Azure Credential Configuration Endpoint Service app from the app protection CAP. This works, but I'm not sure if that introduces additional risk. Thoughts?