
Glenn Van Rymenant
91 posts


@DebugPrivilege For backup scenarios, create BTGs in the target tenant to execute privileged actions like assigning roles and consenting to application permissions in case of a restore.

@DebugPrivilege I would personally avoid consenting such permissions, even to IAM solutions as they are absolute (cannot be scoped). Your entire Microsoft 365 (including Azure and potentially your AD) is at the mercy of your IAM solution.

@rucam365 @TechBrandon @NathanMcNulty Didn't immediately find the reference to 8 digits, what is your stance on 8 versus 6? I read a few reports that concluded that 8 doesn't offer the additional value people think it does because of human nature.

@TechBrandon @NathanMcNulty pages.nist.gov/800-63-3/sp800…
It’s compliant if you force TPM + 8 digit PIN because they explicitly recognize a TPM-bound key as a valid ‘something you have’ factor.
Here’s a first party reference I have to pull out from my bookmarks a lot for customers: techcommunity.microsoft.com/blog/publicsec…


BuT HeLLo FoR BuSiNeSs IsN't SeCurE
Brian in Pittsburgh@arekfurt
Sigh. If you care about security and your employees can remotely access sensitive info or conduct remote administration, they should be using corporate-owned & managed devices to do so. And if they are, you can implement phishing-resistant auth with no additional hardware.

@merill @TechBrandon @rucam365 Such a fantastic doc, would be neat to add to @SkipToEndpoint's OIB 💡
That 15 minute timeout on AAL3 is so brutal though :p

@merill #TeamPascal (switched to camel on multiple occasions but always returned to pascal 🤷♂️)


In PowerShell, do you use PascalCase or camelCase for your variable names?
The unofficial PowerShell style guide leans towards Pascal case. 👇
If you wish, you may use camelCase for variables within your functions (or modules) to distinguish private variables from parameters, but this is a matter of taste.
github.com/PoshCode/Power…
Which format do you prefer using?

@JefTek @lbonjean @NathanMcNulty It's early days, and things are still falling into place. Just today, my default browser Arc added native macOS passkey support.

On my way to the Microsoft campus, first time trying to use Microsoft Authenticator passkeys on an airplane...
I just learned the authenticator (phone) requires Internet access as well
This means MS Authenticator is still a no go for poor signal areas - back to security keys

Nathan McNulty@NathanMcNulty
Here we go 🛫

Sad to see the creation of new free M365 dev tenants going away.
Read this post for details: devblogs.microsoft.com/microsoft365de…
If this impacts you please join the Research panel and help shape the future of the M365 dev program.
ux.microsoft.com/Panel/M365Devs…


@merill @david_obrien @NathanMcNulty @MySnozzberries @smereczynski @JoonasWestlin if only we were able to piggyback on the auth of the SDK and expose the token 🙊😉

@david_obrien @NathanMcNulty @MySnozzberries @smereczynski @JoonasWestlin Got it. I thought you were connecting with that scope.
The Az module use case is for managing your Azure subscription.
To use APIs that are not included in the default Az scope you would need to first get an access token with all the required scopes and then use that token

Confusing. I have an Entra ID access token with "Directory.AccessAsUser.All" scope. The user can browse the Entra ID portal and see everything (Global Reader), like portal.azure.com/#view/Microsof… .
However, calling the REST endpoint for those settings using that token says "no access".

@rucam365 This really is starting to become the "gift" that keeps on giving, curious for what else will pop up... Begs the question if they wouldn't have been better off disclosing the full breadth and possible ramifications from the start...

Sounds like Midnight Blizzard dumped all the mail they had access to (scope was never confirmed, but they had full_access_as_app), are harvesting it for secrets, then spraying those.
microsoft.gcs-web.com/node/32471/html


@reprise_99 And while you're at it, if you sync users to Entra ID with Password Hash Sync (PHS) and still expire passwords (for whatever reason), make sure you enable CloudPasswordPolicyForPasswordSyncedUsersEnabled learn.microsoft.com/en-us/entra/id…
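An added example (not from the tweet above, and not Glenn's code) of checking and fixing the setting he refers to. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds a role allowed to change directory synchronization features; the Graph resource and property names are the documented ones for the onPremisesDirectorySynchronization object.

```powershell
# Check whether the cloud password policy is enforced for PHS-synced users and
# enable it if it is not. Added example; assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All' -NoWelcome

# A tenant with directory sync configured exposes one onPremisesDirectorySynchronization object
$sync = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization'

foreach ($cfg in $sync.value) {
    $enabled = $cfg.features.cloudPasswordPolicyForPasswordSyncedUsersEnabled
    Write-Host "Sync config $($cfg.id): cloudPasswordPolicyForPasswordSyncedUsersEnabled = $enabled"

    if (-not $enabled) {
        # Weak state: synced users are created with password expiration disabled in the
        # cloud, so a password that has expired on-premises keeps working against Entra ID.
        $body = @{ features = @{ cloudPasswordPolicyForPasswordSyncedUsersEnabled = $true } }
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization/$($cfg.id)" `
            -Body $body -ContentType 'application/json'
        Write-Host "Enabled the cloud password policy for synced users on $($cfg.id)"
    }
}
```

Note that flipping the feature does not retroactively rewrite the expiration flag on every existing synced user; Microsoft's documentation for this setting describes it taking effect per user as their password is next synchronized, so plan for a transition window rather than an instant cut-over.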


TL;DR: the house always wins (read: cheats) and mainstream media is not your friend 🤷
Roberto Rios@peruvian_bull
3 YEARS AGO TODAY, JAN 28th 2021: Price was going parabolic, and then Robinhood turned off the BUY BUTTON on $GME. What was revealed would shock the financial world- and the story still isn't over! A THREAD 🧵🔥👇

PSA: listing Privileged Access Groups (PAGs) a.k.a. PIM for Groups with Graph: graph.microsoft.com/beta/privilege… (spend an hour searching for it in documentation then tried some stuff based on Get-MgBetaPrivilegedAccessResource 🤦♂️)

@merill as we can now set a sponsor on a (guest) user object in EID (preview), will we soon be able to leverage that in Identity Governance (e.g.: Access Review - reviewers) as well?


@DrAzureAD @rucam365 Indicates low blinker fluid level, they don't fill it.

The car is working fine, besides that weird error light. Also keeps odd clicking noise, there wasn't anything like that on my previous Beemer. Any ideas @rucam365?


New azure-blue family member has arrived! Should I claim the price of new vanity plates from Microsoft due to #AzureAD re-branding 🤔

Glenn Van Rymenant retweeted

@mariussmellum Good thing that MS allows easy blocking from the portal (creates auth policy on EXO as well) but I would love to see a whitelist option in the portal for orgs that have a few exceptions.

@mariussmellum SMTP is used to validate passwords, even with CA blocking, response differs if the password is correct, see twitter.com/gvanrymenant/s…
Glenn Van Rymenant@gvanrymenant
Friendly reminder: EXO basic auth on SMTP is still open and can be easily used to validate passwords - CA alone is not enough due to the existence of "EXODS", use authentication policies and block where possible

Lots of organizations seeing an increased number of smtp based brute force attempts towards their 365 environments, even though CA block is in place. You should look into disabling SMTP auth: learn.microsoft.com/en-us/exchange…
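An added example covering both of Glenn's SMTP tweets above (the reminder about EXO basic auth on SMTP and the advice to disable SMTP AUTH). It is not his code; it assumes the ExchangeOnlineManagement module and uses a hypothetical mailbox name for the exception case. The cmdlets and parameters are the documented Exchange Online ones.

```powershell
# Audit and harden SMTP AUTH and Basic authentication in Exchange Online.
# Added example; assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# 1. Report the current state: org-wide default plus any mailbox that explicitly
#    allows SMTP AUTH. A blank per-mailbox value means "inherit the org setting".
$org = Get-TransportConfig
Write-Host "Org-wide SmtpClientAuthenticationDisabled = $($org.SmtpClientAuthenticationDisabled)"
Get-CasMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, SmtpClientAuthenticationDisabled

# 2. Turn SMTP AUTH off for the whole tenant. Conditional Access alone does not
#    close this door; the protocol setting does.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Keep the exception list explicit and small: only a device or service that truly
#    still submits mail with SMTP AUTH gets a per-mailbox override (hypothetical name).
Set-CasMailbox -Identity 'scanner@contoso.example' -SmtpClientAuthenticationDisabled $false

# 4. Authentication policy: a newly created policy blocks every Basic auth protocol
#    by default, so making it the org default blocks Basic auth everywhere else too.
$policy = Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue
if (-not $policy) { $policy = New-AuthenticationPolicy -Name 'Block Basic Auth' }
Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity

# 5. Policy changes can take up to 24 hours to propagate; to apply it to a specific
#    user right away, reset the user's token validity timestamp (hypothetical user).
Set-User -Identity 'alice@contoso.example' -STSRefreshTokensValidFrom (Get-Date)
```

Run step 1 on its own first and keep the output: the list of mailboxes with an explicit override is exactly the set you need to justify, and it is where a forgotten service account tends to hide. After the change, failed SMTP AUTH attempts should show up as rejected submissions rather than as password validations, which is the detection-side difference the thread is pointing at.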