Daniel Bradley

1K posts

@DanielatOCN

Microsoft MVP, blogger and I write a little PowerShell

Joined November 2021
267 Following · 1.8K Followers

Pinned Tweet
Daniel Bradley
Daniel Bradley@DanielatOCN·
Check out EntraDocsTracker to stay always up to date with everything Microsoft Entra > entradocs.ourcloudnetwork.com This is definitely a page to bookmark. One way I stay up to date with all changes in Microsoft Entra is by monitoring updates to the Microsoft documentation, which often gets updated before official announcements of new features. Previously, I did this privately, but here I have turned it into an easy-to-use website, with a sprinkle of AI to summarise often difficult-to-read large commits. Let me know what you think! #Microsoft #Entra #EntraDocsTracker
Daniel Bradley
Daniel Bradley@DanielatOCN·
@chrispy_sec Great write up Chris! Now you just need to find the right feature flags to enable it in the UI ;)
ChrisPy
ChrisPy@chrispy_sec·
If you're curious to see how you can backdoor conditional access policies by using a legitimate hidden condition then have a gander here: labs.reversec.com/posts/2026/04/…
Daniel Bradley
Daniel Bradley@DanielatOCN·
Did you know? You can create custom Entra Roles scoped to only specific applications/principals in Microsoft Entra > ourcloudnetwork.com/how-to-assign-… It's super easy to do and extremely effective, enabling privileged users to only be able to modify specific settings on specific applications without assigning them a built-in tenant-wide role! #Microsoft #Entra
Daniel Bradley
Daniel Bradley@DanielatOCN·
@IAMERICAbooted Well, only global admins can consent to permissions. So, disable users from registering apps, remove admin consent requests and bin them global admins off :)
EZ
EZ@IAMERICAbooted·
With the explosion of citizen development occurring, I'd like to remind everyone of something I'd refer to as Shadow Admins. In M365 APIs, there are delegated permissions (actions within a user's context) and application permissions. You should be thinking about application permissions as privileged access, similar to custom roles. What governance and security measures do you currently have in place to ensure users aren't creating bots that are Shadow Admins?
Dimitri
Dimitri@Dim1tri1·
Say you didn't know about Microsoft365DSC
Daniel Bradley
Daniel Bradley@DanielatOCN·
Native multi-tenant configuration drift management is now built directly into Microsoft Entra, take a read > ourcloudnetwork.com/use-entra-tena… ❤️ With the recent release of UTCM, the engine behind the snapshots, baselines, monitors and drifts, Tenant Governance adds a framework that enables you to apply the UTCM engine, as well as management permissions across multiple Microsoft Entra tenants! Another game changer for Entra!
Joey Romaine 🇺🇸 |=★=|
Only ai slop has hashtags…
Daniel Bradley
Daniel Bradley@DanielatOCN·
Microsoft Entra Backup just dropped this morning! I talked a little about this in my previous blog > ourcloudnetwork.com/microsoft-entr… You get: • Automated backups taken once per day for the last 5 days! • Ability to revert objects to any previous state within the last 5 days! • To view the difference reports to see the state difference between backups! Yes, it is not a foolproof solution, and the retention doesn't account for the average time an attack can go unnoticed! But, it's better than nothing and a huge step forward! #Entra #Microsoft #Backup
Daniel Bradley
Daniel Bradley@DanielatOCN·
@PJ_Marcum @ncbrady Here you go entra.microsoft.com/#view/Microsoft_AAD_Devices/DeletedDevices.ReactView
Daniel Bradley
Daniel Bradley@DanielatOCN·
@PJ_Marcum @ncbrady Did you use the Entra URL? The link you used in the last message was the legacy Azure portal?
Daniel Bradley
Daniel Bradley@DanielatOCN·
Microsoft have finally started to update the Entra License Utilisation insights blade! > ourcloudnetwork.com/microsoft-upda… It's been over 6 months since I sat down with the Microsoft product owner for this feature and gave my feedback, and it's great to see some improvements appearing in the UX this morning! #Entra #Microsoft #License
mRr3b00t
mRr3b00t@UK_Daniel_Card·
@sysadafterdark ? Is this new coz they were owned the other day (week)
sysadafterdark
sysadafterdark@sysadafterdark·
Yikes man, they are IN.
Daniel Bradley
Daniel Bradley@DanielatOCN·
Microsoft have finally patched another tenant domain enumeration loophole > ourcloudnetwork.com/microsoft-quie… Since Microsoft patched the Get-FederationInformation endpoint from enumerating tenant domains, researchers and services like my TenantDomainFinder have been using a legacy ACS endpoint to enumerate all tenant domains. However, it looks like from today, Microsoft have quietly patched this exploit! #Entra #Microsoft #OSINT
Daniel Bradley
Daniel Bradley@DanielatOCN·
@egosumdns @passtheprt Probably because you are checking the same domains over and over? ACS returns all domains for some tenants, but I assume there is just some caching on Microsoft's end and it will stop soon.
Char
Char@proximityNZ·
@DanielatOCN @PyroTek3 Makes sense, it's just a partnership with Veeam behind the scenes right, so whatever comes to Veeam will slowly trickle through to m365 "*native*"
Daniel Bradley
Daniel Bradley@DanielatOCN·
It looks like there might be a native Microsoft Entra backup solution on the way... ourcloudnetwork.com/microsoft-entr… 👀 If you keep an eye on changes to the Graph APIs like me, you may have noticed that the "/roleManagement/directory/roleDefinitions" endpoint started returning two new roles: • Entra Backup Reader & • Entra Backup Administrator Although speculation right now, this could indicate a native Entra Backup solution that tightly integrates with UTCM is on the way! Very exciting! #Entra #Microsoft #Backup
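The post above spots new roles by watching the roleDefinitions endpoint over time. The script below is an added example (not the author's code) that automates that watch: it snapshots the endpoint to a local JSON file and reports role definitions that appeared or disappeared since the last run. It assumes the Microsoft.Graph PowerShell module, the RoleManagement.Read.Directory scope, and an arbitrary snapshot path chosen for this example.

```powershell
# Added example: diff Entra role definitions against a saved snapshot so newly
# published roles (built-in or custom) surface as soon as the Graph API returns them.
# Assumes the Microsoft.Graph module; the snapshot path is a placeholder for this example.

$SnapshotPath = "$HOME\entra-roleDefinitions.json"

Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Pull every role definition in the tenant (-All follows paging for us).
$current = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Select-Object Id, DisplayName, IsBuiltIn, IsEnabled

if (Test-Path $SnapshotPath) {
    $previous = Get-Content $SnapshotPath -Raw | ConvertFrom-Json

    # Compare on the immutable Id rather than DisplayName, so a renamed role does
    # not show up as an add/remove pair.
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property Id

    foreach ($entry in $diff) {
        switch ($entry.SideIndicator) {
            '=>' {
                # Present now, absent in the snapshot: a new role definition.
                $role = $current | Where-Object Id -eq $entry.Id
                Write-Host "NEW role definition: $($role.DisplayName) ($($role.Id)) builtIn=$($role.IsBuiltIn)"
            }
            '<=' {
                # Present in the snapshot, gone now: a removed (or no longer returned) role.
                $role = $previous | Where-Object Id -eq $entry.Id
                Write-Host "REMOVED role definition: $($role.DisplayName) ($($role.Id))"
            }
        }
    }
    if (-not $diff) { Write-Host "No change in role definitions since last snapshot." }
}
else {
    Write-Host "No previous snapshot; creating baseline with $($current.Count) role definitions."
}

# Persist the current state as the baseline for the next run.
$current | ConvertTo-Json -Depth 3 | Set-Content $SnapshotPath -Encoding utf8
```

Run it on a schedule and the first run only writes the baseline; every later run prints only the delta, which is also a cheap way to notice unexpected custom roles created in your own tenant.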
Daniel Bradley
Daniel Bradley@DanielatOCN·
Was a member of your IT team socially engineered? Do you not use RBAC and multi-admin approvals? Do you not limit GA? Do you review these critical lateral movement paths? Did you consent to a third-party app which was overprivileged? Was it the supply chain? There are a thousand ways someone can get the credentials to just "log in". Don't get me wrong, this is absolutely horrible, but I know for a fact that these things I mentioned above are simply not done by most organisations larger than Stryker. We wrap change control in a thousand processes, but you still don't have visibility. I hope things can be resolved promptly.
Peter Girnus 🦅
Peter Girnus 🦅@gothburz·
I am the Chief Information Officer of Stryker Corporation. I build the robots that perform your surgery. The defibrillators that restart your heart. The systems that let your nurse find your doctor at three in the morning when something goes wrong. Twenty-five billion dollars a year. Fifty-six thousand employees. Sixty-one countries. Every device in every country, managed from one console.

On March 11th, someone who was not me sat down at that console and erased everything. I should be precise. They did not hack us. They logged in.

Microsoft Intune is an endpoint management platform. I deployed it across every laptop, workstation, manufacturing terminal, and enrolled phone in my organization. From one console I could push an update to Kalamazoo, enforce a policy in Cork, wipe a compromised device in Freiburg. One console. Every device. That was the architecture. That was the selling point. That was the attack surface.

Intune can push software. It can enforce compliance. It can, if instructed by an administrator with the correct credentials, wipe any device to factory settings. These are features. I paid for them. I presented them to the board as our zero-trust posture. A group called Handala used them to erase every managed device in my organization in a single afternoon.

I will be precise about what happened next, because my lawyers are in the room and precision is the only thing that still belongs to me. No malware was deployed. No ransomware was installed. No zero-day was used. No vulnerability in any product was found. A threat actor obtained administrative credentials and issued a remote wipe command using the remote wipe feature that I chose this product for. My security tool did not fail. It performed exactly as designed. It wiped every device it was told to wipe, without error, on schedule. The architect of my destruction was my own IT budget line item.

The command went out. The devices obeyed. Laptops in Kalamazoo. Workstations in Cork. Terminals in Freiburg. Manufacturing floors in Mahwah. The screens did not go dark. They changed. Where there had been a Stryker logo, there was now a barefoot cartoon boy with his back turned to the viewer -- the Handala icon, hands clasped behind him, facing away from the audience -- on every monitor in every office in sixty-one countries. They claim fifty terabytes. I cannot confirm or deny this. I do not yet know what I still own.

Let me walk you through my first forty-eight hours.

Hour one. Our Irish operations -- fifty-five hundred employees, eight sites, our largest hub outside the United States -- went dark. Not gradually. Entirely. Security walked everyone out. The voicemail at our Michigan headquarters was changed to say "building emergency." There was no building emergency. The building was fine. Everything inside it was gone.

Hour four. Employees who had installed Microsoft Outlook on their personal phones discovered that their personal phones had been wiped. Intune does not distinguish between a corporate laptop and a personal iPhone with a company email profile. It manages endpoints. It managed them.

Hour eight. Hospitals called. Not because they had been breached. Because they could not order surgical implants. I make the hip replacements. The knee joints. The spinal hardware. The trauma fixation systems. My ordering system was down. My manufacturing was down. My shipping was down. A hospital in Baltimore could not schedule a knee replacement because a hacktivist group on another continent had pressed a single button on a console I built.

Hour twelve. Maryland Emergency Medical Services issued a memo. Hospitals were disconnecting from LIFENET -- my system that transmits your EKG from the ambulance to the emergency department while you are still in the back of the ambulance -- not because LIFENET had failed, but because they no longer trusted anything with my name on it.

Hour twenty-four. Fifty-six thousand employees coordinating on WhatsApp. Twenty-five billion dollar company. Sixty-one countries. Crisis response running on a free consumer messaging app, because every internal system I owned was now owned by someone else.

Hour thirty-six. I released my first official statement. "As a precaution, we have proactively taken all systems offline." Proactively. As though I had a choice. As though the systems I was taking offline had not already been taken. I released six statements in forty-eight hours, plus an SEC filing. Each said less than the one before it. By statement five, I was confirming that specific products still functioned. Mako surgical robots: unaffected. LIFEPAK 35 defibrillators: unaffected. Vocera badges: unaffected. When a medical device company begins listing which of its products still work, that is not reassurance. That is a casualty report delivered in reverse.

Handala says this is retaliation. For Minab. February 28th. A U.S. Tomahawk struck an IRGC naval base in southeastern Iran. The girls' school next door collapsed. One hundred and seventy-five dead. Most of them children. Handala published a statement. They called Stryker a "Zionist-rooted corporation." They said they would make us understand what it means to lose something you cannot replace. I do not make missiles. I make hip replacements. I make the robot that holds the scalpel and the defibrillator in the crash cart. But I am a defense contractor's second cousin, and in the calculus of retaliation, proximity is guilt.

I filed with the SEC on March 11th. "The full scope, nature and impacts of the incident are not yet known." That is the most honest sentence I have produced in two days. I do not know what they took. I do not know what they copied before they wiped. I cannot audit what was lost, because the tool I built to audit my systems is the tool they used to erase them. My stock dropped three and a half percent. One analyst called it "contained." A cybersecurity researcher called it "the first drop of blood in the water." I prefer the analyst. The analyst is wrong, but I prefer him.

Here is what I know. I built a console that could touch every device in sixty-one countries. I gave it the authority to wipe anything it touched. I protected it with credentials. Someone obtained those credentials. And my management tool managed. No malware. No ransomware. No exploit. No CVE. Nothing to patch. Nothing to update. Nothing broken. Just a feature, performing its documented function, at the scale I purchased it for. I make the machines that keep people alive. I was taken offline by my own architecture doing the one thing it was designed to do. The system worked. That is the problem.
Daniel Bradley
Daniel Bradley@DanielatOCN·
A game changer for multi-tenant apps just dropped: you can now limit consent and login to specific tenants > ourcloudnetwork.com/how-to-restric… 🎁 Want to limit your app to specific tenants? Whether it's for security or managing highly privileged environments, you can now control exactly which tenants are allowed to consent and log into your application. #Entra #Microsoft #Preview
Daniel Bradley
Daniel Bradley@DanielatOCN·
Microsoft just announced Entra support for device-bound Passkeys in Windows Hello for unmanaged devices! ourcloudnetwork.com/new-microsoft-… 🔑 Soon, you will be able to extend the passkey experience to Windows Hello, which is particularly useful for BYOD scenarios where staff are working on unmanaged devices. Of course, Passkeys have been available in Windows for a while on certain apps, this native support within Entra Authentication Methods policies is a massive step forward! #Entra #Passkeys #Microsoft