William Francillette

183 posts

@WillTheFrenchie

Luton, England. Joined August 2022
138 Following, 151 Followers
Ru Campbell
Ru Campbell@rucam365·
Not a dev. but like most folks in our bubble have been using AI coding agents a ton over last 3-6mo. And I need to ask people who know better than I do: For every take about not having to look at the code anymore, I see another from someone who does look at the code and sees junk. It works, but I assume at the cost of maintainability, performance, and reliability. Is it a case of constantly refining skills, instructions, and agents to achieve code that doesn’t really need human review? Do the models get so good with the laws of scaling we no longer need skills? (every AI coding improvement being Yet Another MD File doesn’t seem right) Or: Are the folks who “just use” whatever’s generated, with no code review, the right ones? Assuming it passes UAT, vulnerability scanning, CSPM, etc. Intuitively this doesn’t seem right, but if it works…? And do you just keep prompting “review the code for inefficiencies” until it taps out? Vibe coding is addictive and I wonder if that’s for the same slot-machine reason as scrolling. Sometimes it’s incredible and nails it, other times it fails miserably so you keep trying: only one more prompt, then I’m good!
Dmitriy Kovalenko@neogoose_btw

I got 2 exact same AI generated contributions and it is intimidating how much code they are generating. The one on the left is the AI generated PR code, the one on the right is the actual fix needed. The bug is SUPER easy while the agent is likely misled by the context provided in the issue which is leading to 100x more code to fix it. My change was also AI generated, it's just the way you phrase your request. It's not a surprise Garry generates 100k LOC a week

Nathan McNulty@NathanMcNulty·
@WillTheFrenchie @DXPetti I'm working through trying to simplify the user experience right now for normal service principals, but we would just skip secret creation and add the federated credential, then use the passkeylogin script in the federated app side. I'm working on a GitHub Action for this stuff.
Nathan McNulty@NathanMcNulty·
Holy crap 🤯 🎉 Success! The Key Vault-backed passkey authentication works! It took me about an hour fixing up some issues Sonnet 4.5 had with Key Vault permissions and how to use Key Vault, but it works!!! Working on some quality of life changes, will publish this soon 🥳
William Francillette@WillTheFrenchie·
@NathanMcNulty @DXPetti That's very interesting, thanks for sharing. I can't wait for you guys to crack the federated credentials so that we can build multi-tenant apps and provide comprehensive reports for multi-app tenants. There is so much that is not exposed publicly.
Nathan McNulty@NathanMcNulty·
@DXPetti There are many things Service Principals can't touch, either due to no application permissions available or no legitimate way to obtain a token for the API. This allows us to use a service account with a key vault backed passkey to securely authenticate to touch these systems :)
William Francillette reposted
Ru Campbell@rucam365·
Speaking at #HIPConf in Frankfurt on 10 February. We've built a Microsoft 365 security posture management app and service, and one thing that's become clear: a small set of controls deliver disproportionate results at tenant hardening. This session is all about how you can get a whole lot in Entra wrong as long as you get those few things right. Register for 'Entra ID’s 80/20: Practical Lessons in High-Impact Security Controls' at: register.hipconf.com/7B9lvD
William Francillette reposted
Joe Stocker@ITguySoCal·
Even though Microsoft provided a PowerShell command in April 2025 to disable the SMTP DirectSend feature in Exchange Online, we are still seeing attackers successfully reach the inbox for organizations that do not have their DMARC DNS Record set to Reject or Quarantine. According to public DNS, 30% of the Fortune 500 are vulnerable. Small to Medium orgs are even more likely to be exposed.

It is recommended to perform threat hunting to identify these emails. Here is KQL we used to successfully detect DirectSend Phishing in Microsoft Defender XDR or Microsoft Sentinel (security.microsoft.com):

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| extend LeftPartSender = substring(SenderFromAddress, 0, indexof(SenderFromAddress, "@"))
| extend LeftPartRecipient = substring(RecipientEmailAddress, 0, indexof(RecipientEmailAddress, "@"))
| where LeftPartSender == LeftPartRecipient
| where isempty(Connectors) // not coming in on a connector
| where DeliveryLocation == "Inbox/folder"
| where parse_json(AuthenticationDetails) contains "fail"
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId, EmailDirection, Connectors, SenderIPv4

Threat hunting on the EmailEvents table requires the Microsoft Defender for Office P2 license. Otherwise, follow the MSFT reference links below for syntax on Historical Message Trace.

One of the easiest ways to detect DirectSend is when the sender and recipient are identical (which is typically unusual). We have observed cases where using an exact match of sender and recipient domain name does not detect all results. In some cases the sender domain is a MOERA domain (alias@tenant.mail.onmicrosoft.com) and they use a different alias on the same mailbox for the recipient address (such as the primary SMTP alias). We suspect this was done to evade the exact == comparison, so we updated the query above to look for the alias matching instead of domain matching (this resulted in finding additional results).

If you get too many results, try adding this where clause before the last project statement to reduce results:

| where Subject has_any (
    'Pay Raise', 'Strategic Organizational Restructuring', 'Bonus Disbursement',
    'Bonus Distribution', 'Merit-Based Pay', 'Compensation Bonus', 'Compensation Review',
    'Wage Increase', 'Wages Increase', 'Incentive')

References:
thecloudtechnologist.com/2025/08/09/an-…
techcommunity.microsoft.com/blog/exchange/…
techcommunity.microsoft.com/blog/exchange/…

If you don't have a valid use of DirectSend you can disable it with this Exchange Online PowerShell cmdlet:

Set-OrganizationConfig -RejectDirectSend $true
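
The post above ties exposure to domains whose DMARC record is not set to Reject or Quarantine. As an added example (not part of the original post), this sketch classifies the TXT answers for _dmarc.<domain> using the RFC 7489 tag syntax; the domains, records and result labels are constructed for illustration.

```python
# Added example. Tag syntax follows RFC 7489; every domain and TXT value
# below is constructed sample data, and the result labels are hypothetical.

def parse_dmarc(txt):
    """Return the tags of one TXT string, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = []
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and is matched exactly.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def classify(txt_records):
    """Classify the TXT answers returned for _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-record"
    if len(records) > 1:
        return "multiple-records"      # receivers apply no DMARC policy at all
    policy = records[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "not-enforced"          # p=none, or p missing or unrecognised
    pct = records[0].get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return f"partial-{policy}-{pct}pct"   # only a sample of mail is held
    return policy


def audit(zone):
    """Map each domain to its classification."""
    return {domain: classify(txts) for domain, txts in zone.items()}


SAMPLE_ZONE = {  # constructed
    "contoso.example": ["v=DMARC1; p=reject; rua=mailto:d@contoso.example"],
    "fabrikam.example": ["v=DMARC1; p=none; rua=mailto:d@fabrikam.example"],
    "tailspin.example": ["v=DMARC1; p=quarantine; pct=25"],
    "wingtip.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "northwind.example": ["v=spf1 -all"],
    "adatum.example": [],
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_ZONE).items():
        print(f"{domain:20} {verdict}")
```

Anything other than a plain reject or quarantine result is a domain to review first: a second record or a pct below 100 leaves mail unprotected even though an enforcing policy string is published.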
Ru Campbell@rucam365·
More art than science.
William Francillette reposted
Ewelina Paczkowska (Welka's World)
I’ll be delivering “Zero to Hero: Adaptive Protection with Insider Risk Management and Conditional Access” at 8:15 AM (GMT) on February 21st, 2025, during the Workplace Ninja User Group Denmark meeting. Register now: meetup.com/wpninjasdk/eve…
William Francillette reposted
Merill Fernando@merill·
🌱 Did you know that we have 100+ built-in roles in Microsoft Entra? Here's a free mind map of all of them 👇 BONUS → I'm giving away a free pdf of all my Entra mind maps
William Francillette@WillTheFrenchie·
To Graph gurus: do you know what the value of methodsRegistered is for passkey in userRegistrationDetails/Get-MgBetaReportAuthenticationMethodUserRegistrationDetail? @merill? @DanielatOCN? Thanks in advance!
Daniel Bradley@DanielatOCN·
@WillTheFrenchie @merill If you go to the user registration details page in Entra, you’ll be able to open developer mode (network tab) in your browser and refresh the page and see the Graph query and response in action, which should show you the info. I’d check now for you but I’m stuck on the train.
Alexander@flabbiersteam·
@DrAzureAD I find the graph sdk cmdlets also easy to use. The hard part for people averse to programming is the authorization part and that remained the same. Nice to see some movement though.
JH@jhaych1111·
@WillTheFrenchie Not sure if you still use this. Can you respond so I can direct message you, please? Thanks
William Francillette@WillTheFrenchie·
@merill Completely agree, even zooming in and out doesn't resolve the issue but makes it worse ...
Merill Fernando@merill·
I spend a lot of time on Microsoft Learn docs and this really annoys me.... Does it annoy you too?