Jose Reyes

325 posts

@lfredoreyes

Joined September 2017
1.4K Following, 32 Followers
Jose Reyes@lfredoreyes·
@RealEmirHan this is the first episode from this show I actually sat and watched after the super bowl, I didn't really get it before. Still my favorite episode.
Emir Han@RealEmirHan·
The Office writers were told to open the Super Bowl episode so wild no one changes the channel. They almost went with “Jim loses Pam in a poker game.” Instead: the legendary fire drill chaos. Filming took 1.5 days. Real cast panic made it even crazier. Two trained identical cats, a $12K stuffed double backup. No animals harmed, takes were tightly controlled. It was the most-watched episode of the series
Emir Han@RealEmirHan

Most iconic moment in TV history? I’ll start:

Jose Reyes@lfredoreyes·
@IAMERICAbooted @merill It bugs me that if I disable or delete a compromised app registration/secret the malicious session remains until it expires. A lot can happen in that time. Considering workload identity premium for at least some mitigation around secret usage for critical apps with app perms.
EZ@IAMERICAbooted·
Tomorrow is an exciting day! @merill and I are going to talk about APIs! I'm betting Merill has some great stories and I will put the fear of nation states in your heart :p
Jose Reyes@lfredoreyes·
@Coach_Yac in the pregame radio for this game that the niners were leading league in takeaways up to that point. I remember thinking... wow we can probably be really good this year.
Jose Reyes@lfredoreyes·
@arpeyton @IAMERICAbooted like deploying add-ins in M365 admin console. For some reason, even though the docs say an Exchange Admin can do it, I've only been able to do so with GA. Specifically when deploying custom add-ins.
Anthony Peyton@arpeyton·
@IAMERICAbooted MS: don’t use GA Also MS: to perform this completely normal admin task you need user admin, SharePoint admin, teams admin, application admin, and Intune admin.
EZ@IAMERICAbooted·
Whoever came up with tiering for M365 roles (yes, I know many who did), don't understand how to abuse the roles they missed for privilege escalation to Global Admin. If you're trying to contain and prevent damage to the company, there are a lot more roles with privesc paths to Global Admin. Hint: that's why Microsoft calls them privileged roles. Additionally, there's SharePoint Admin. If you could only fathom what you would find and what you can do with that role.... The problem is, many people working in security don't have the experience as security engineers in the cloud. That's why they don't know.
Jose Reyes@lfredoreyes·
@Coach_Yac My mental health was not ready for this today but I watched it again for the millionth time. The loss hurts, but man that feeling when you get so close and there is hope still alive is such a thrill. Even the last play I recall feeling like "we can do this"
Jose Reyes@lfredoreyes·
@OurSf49ers 3x 1pm home games early in the season is going to be hot as heck out there for us in the sun. Usually they give us a week or two on the road then a prime time game.
OurSF49ers@OurSf49ers·
The #49ers official 2026 Schedule Leaked: What do you think their record will be 🤔
Jose Reyes@lfredoreyes·
@NathanMcNulty Thank goodness for tab complete, imagine typing that out in bash... invoke-mgsupercalifragilisticexpialidocious
Nathan McNulty@NathanMcNulty·
I love getting gaslit by Azure all the time... Automation accounts and Function apps only support PowerShell 7.4, even though 7.5 was released 1.5 years ago and 7.6 was released a few months ago "Please consider updating it soon." 😒 No Azure, you consider updating it soon...
Jose Reyes@lfredoreyes·
@NathanMcNulty Yep, I do the same. I’ve always preferred using the REST API URIs directly rather than learning get-mggrapsuperlongcommand.
Nathan McNulty@NathanMcNulty·
@lfredoreyes Runtimes are amazing, and try to pull in only Microsoft.Authentication, then only use Connect-MgGraph and Invoke-MgGraphRequest :) It's definitely a pain, but keeps the memory low and the code more auditable.
Jose Reyes@lfredoreyes·
@Drect R A Rugged Man on Uncommon Valor, Cappadonna on Winter Warz
Drect Williams@Drect·
We named some of the HARDEST VERSES in rap history: Bun B - Murder Kim - Quiet Storm Andre - Elevators Nas/AZ - Life’s a B*tch Banks/Biggie - Victory Nicki - Monster Eminem - The Way I Am Ross - Devil in a New Dress Wayne - Cannon 50 - Many Men Remy - Ante Up What did we miss?
Jose Reyes@lfredoreyes·
@merill The connect sync to cloud sync is interesting. Last I looked at it there wasn’t full parity, especially for hybrid scenarios. I have wondered if both can run in parallel while handling different things. I need to dig back into this.
Jose Reyes@lfredoreyes·
@gogogogetem @Philly19553993 @NCBubblehead @ModestTeacher Decks mostly come in the same order. Most are shuffled the same (machine or riffled). People play the same games leading to similar groupings of cards prior to shuffling. 52! but given the patterns in our games and methods it’s possible the same order has been dealt IMO.
go@gogogogetem·
@Philly19553993 @NCBubblehead @ModestTeacher Yeah but you gotta think how many times a deck has been shuffled considering casinos and commonly played house games. I'm sure the same order has happened before
Barstool Gambling@stoolgambling·
What is the only NFL logo that faces to the left?
Merill Fernando@merill·
Entra Hardening Tip #4 - Block legacy authentication

Problem: Legacy auth (SMTP/IMAP/ROPC) doesn’t support MFA, making it a prime target for password attacks and an easy entry point for attackers using stolen creds. Legacy authentication also provides attackers with a consistent method to reenter a system using compromised credentials without triggering security alerts or requiring reauthentication.

@ellishlomo shared some insights on how attackers are still targeting tenants that allow legacy protocols (see below).

Fix:
- Assignments
- All users
- Target resources > All resources
- Conditions
- Client apps, set Configure to Yes.
- Check only the boxes Exchange ActiveSync clients and Other clients.
- Access controls
- Block access
Jose Reyes@lfredoreyes·
@merill does this have to be a rule that explicitly includes the action or does an overarching MFA rule if accessing any resource suffice?
Merill Fernando@merill·
Entra Hardening Tip #2: Require MFA for device join & device registration using 'User Action'

If you don’t enforce a Conditional Access policy for “Register or join devices”, you’re leaving a gap. Attackers can take advantage of this and register new devices without MFA.

Once they’re in, they can:
🚩 Stay persistent
🚩 Bypass controls that rely on trusted devices

From there, it opens the door to:
🚩 Data exfiltration
🚩 Dropping malicious apps
🚩 Moving laterally across your environment
🚩 Recon of your device configuration and compliance policies

The fix: Create a CA policy
→ Include: All users
→ Target: User Action = Register or join devices
→ Grant access: Require authentication strength - MFA
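The two Conditional Access fixes from hardening tips #4 and #2 above, written as Microsoft Graph requests through Connect-MgGraph and Invoke-MgGraphRequest. This is an added example, not code from any of the posts; the display names are constructed, and creating both policies in report-only state is an assumption so that sign-in impact can be reviewed before enforcing.

```powershell
# Added example (not from the posts). Assumes the Microsoft.Graph.Authentication module
# and a signed-in account that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Tip #4: block legacy authentication for all users and all resources.
$blockLegacyAuth = @{
    displayName   = 'EXAMPLE - Block legacy authentication'    # constructed name
    state         = 'enabledForReportingButNotEnforced'        # report-only (assumption)
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        # "Exchange ActiveSync clients" and "Other clients" in the portal
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Tip #2: require MFA for the "Register or join devices" user action.
$mfaForDeviceJoin = @{
    displayName   = 'EXAMPLE - Require MFA to register or join devices'  # constructed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeUserActions = @('urn:user:registerdevice') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        # Built-in "Multifactor authentication" authentication strength
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000002' }
    }
}

# Skip policies that already exist under the same name (first result page only).
$existing = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
    ForEach-Object { $_['displayName'] }

foreach ($policy in $blockLegacyAuth, $mfaForDeviceJoin) {
    if ($existing -contains $policy.displayName) {
        Write-Host "Skipping existing policy: $($policy.displayName)"
        continue
    }
    $body    = $policy | ConvertTo-Json -Depth 10
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
    Write-Host "Created $($created.displayName) [$($created.id)] in state $($created.state)"
}
```

Switching `state` to `enabled` enforces a policy once the report-only results look clean.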
Jose Reyes@lfredoreyes·
@mozzeph Is detecting for this just looking for logs with "Add service principal credentials" operation? Looks like managed identities have a few events with that operation and also adding new SSO certificates triggers that log as well.
Martin H. | MVP@mozzeph·
I updated my blog about Entra ID App Registrations vs Service Principals. It was only a couple of months ago that I learned that with Graph API, it's possible to add credentials directly to service principals and that they never show up in Entra Portal except in audit log. heusser.pro/p/whats-the-di…
Jose Reyes@lfredoreyes·
@IAMERICAbooted does requiring admin consent make a difference here or since these are not application level perms the admin consent isn't usually required?
EZ@IAMERICAbooted·
Part 1 of why your delegated API permissions are not the control you think they are: Entra App Registration owners can add delegated permissions to the application manifest and create additional secrets. This allows attackers to move laterally by sending a consent to unknowing users. They WILL consent most of the time because non-technical users have no idea what's happening. Moreover, the phish can be easily masked as other things going on. For example: MyCoolApp has 10 owners who have already consented to the app permissions. Attacker pops one owner. They can now read all other owners' and consenters' files and move laterally by phishing consents and token harvesting. Delegated API permissions for internal apps added in a manifest by an app owner do not require admin consent from GA, Privileged Role Admin, Cloud Apps Admin, or App Admin. They are added immediately.