LijuV, may I please recommend that KB5008380 be updated to indicate when HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement is to be deprecated?
Link to KB: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
It would most probably also be prudent to include a notice in the KB that Event ID notifications relating to 'login.microsoftonline.com' are to be ignored. This may, however, introduce an even bigger security problem if SIEM rules and administrators begin to blindly ignore real threats impersonating Azure AD. IMHO, the best course would be to remove false-positive alerts.
Is there information available as to when this was fixed? We experienced production interruption when first enforcing this on the 31st of January 2022 and were under the impression that Azure AD was still incompatible with us wanting to enable 'PacRequestorEnforcement' (i.e. value '2') as of 24th of August 2022 due to the Event IDs still appearing as noted above: