Recent Blogs
March brings a set of updates to Microsoft Sentinel focused on helping your SOC automate faster, onboard data with less friction, and detect threats across more of your environment.
This month's up...
Mar 04, 2026
Working at the intersection of data security, engineering, and governance, the Microsoft Purview product team continually explores capabilities that reshape how organizations understand and manage th...
Mar 04, 2026
In cloud-native environments, malware protection is no longer traditional antivirus — it is runtime workload security, ensuring containerized applications remain safe throughout their lifecycle.
M...
Mar 04, 2026
Check out monthly news for the rest of the MTP suite here!
What's new in Defender for Cloud?
Now in public preview, Defender for Cloud provides threat protection for AI agents built with Foundr...
Mar 03, 2026Recent Discussions
deleted sensitivity label
Hello Everyone I want to identify who deleted a sensitivity label from my information protection blade. Actual scenario is I had one label called Internal-1, it is now disappeared, However if I am trying to create label with same name it says label with same name is already available. In actual that is not showing in GUI. I want to know how to search who deleted the label in Audit. Please advice. Thank you
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?
Defender for iOS: “This account has reached its devices limit” even though no devices are listed
I am using all 5 devices available (2 PC's, 1 Mac, 2 IOS devices) I was trying to install Microsoft Defender for IOS on a new iPhone created by copying from the old phone (iPhone 11) to the new phone (iPhone 17). I erased my old iPhone 11 while Defender was still installed My Microsoft account shows zero mobile devices (none were linked to my MS account) Defender on the new iPhone never completed sign‑in with my MS account “Sign out everywhere” and app removal didn’t help (also app removal, restart IOS device, reinstall Defender for IOS) You suspect a stuck Defender mobile enrollment token You need Microsoft to reset the backend mobile device slot From Office Copilot: What to tell the agent (so you don’t get bounced) Use this exact wording: “Microsoft Defender for iOS says ‘This account has reached its devices limit’ even though no devices appear in my Microsoft account. My old iPhone was erased while Defender was still signed in. I need my Defender mobile device enrollment reset.” This sends them straight to the backend reset tool. Why this works when everything else doesn’t The issue isn’t on your devices or in your account UI — it’s a server-side Defender mobile quota flag that only Microsoft support can clear. The consumer Defender team (under Microsoft 365 support) is the only group with access to that system.
Cloud Kerberos Trust with 1 AD and 6 M365 Tenants?
Hi, we would like to enable Cloud Kerberos Trust on hybrid joined devices ( via Entra connect sync) In our local AD wie have 6 OUs and users and devices from each OU have a seperate SCP to differnt M365 Tenants. I found this Article to configure the Cloud Kerberos Trust . Set-AzureADKerberosServer 1 2 The Set-AzureADKerberosServer PowerShell cmdlet is used to configure a Microsoft Entra (formerly Azure AD) Kerberos server object. This enables seamless Single Sign-On (SSO) for on-premises resources using modern authentication methods like FIDO2 security keys or Windows Hello for Business. Steps to Configure the Kerberos Server 1. Prerequisites Ensure your environment meets the following: Devices must run Windows 10 version 2004 or later. Domain Controllers must run Windows Server 2016 or later. Install the AzureADHybridAuthenticationManagement module: [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12 Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber 2. Create the Kerberos Server Object Run the following PowerShell commands to create and publish the Kerberos server object: Prompt for All Credentials: $domain = $env:USERDNSDOMAIN $cloudCred = Get-Credential -Message 'Enter Azure AD Hybrid Identity Administrator credentials' $domainCred = Get-Credential -Message 'Enter Domain Admin credentials' Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred As I understand the process, a object is created in local AD when running Set-AzureADKerberosServer What happens, if I run the command multiple times, for each OU/Tenant. Does this ovveride the object, or does it create a new objects?
Convert Hybrid Azure AD Join Device to Azure AD Join Only
Hi , We are in Hybrid state ( SCCM+ Intune =CoManaged ) and Hybrid Azure AD Join . Now as next step moving to cloud only , We are moving device from Hybrid to Azure only State . While testing Manually remove a device from AD domain post reboot noticed that not able to even login with Azure that means loose the complete state ( AD as well as Azure ) , Login with Local account found with DSREGCMD that device is not attached to any . If I just removed the AD domain why this has removed from Azure AD Join as well .What is best way to Remove domain join but keep Azure AD join , Loose Users settings as well. Thanks MSBIssues blocking DeepSeek
Hi all, I am investigating DeepSeek usage in our Microsoft security environment and have found inconsistent behaviour between Defender for Cloud Apps, Defender for Endpoint, and IOC controls. I am hoping to understand if others have seen the same. Environment Full Microsoft security and management suite What we are seeing Defender for Cloud Apps DeepSeek is classified as an Unsanctioned app Cloud Discovery shows ongoing traffic and active usage Multiple successful sessions and data activity visible Defender for Endpoint Indicators DeepSeek domains and URIs have been added as Indicators with Block action Indicators show as successfully applied Advanced Hunting and Device Timeline Multiple executable processes are initiating connections to DeepSeek domains Examples include Edge, Chrome, and other executables making outbound HTTPS connections Connection status is a mix of Successful and Unsuccessful No block events recorded Settings Network Protection enabled in block mode Web Content Filtering enabled SmartScreen enabled File Hash Computation enabled Network Protection Reputation mode set to 1 Has anyone else had similar issues when trying to block DeepSeek or other apps via Microsoft security suite? I am currently working with Microsoft support on this but wanted to ask here as well.
Email Entity - Preview Email
Hello all, I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails. Nick
How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses: Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes). Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" (which appear to be exclusively Azure Purview) connectors are importing the necessary data. Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can identify... ...which user conducted when an audit log search and with what kind of search query. Thank you!URL Hyperlinking phishing training
Mi using the Defender phishing simulations to perform testing. When creating a positive reinforcement email that goes to the person you have the option to use default text or put in your own text. When I put in my own text I have lines in the text, but when it renders the lines are not displayed so it looks like a bunch of text crammed together. Any idea how to get these lines to display?
Issue Using Built in Trainable Classifiers in Auto Labelling Policies - Purview
Over the last few days, I have run into issue while configuring Auto labelling policies in Purview specifically when using built in classifiers for eg: Budget, Agreements These classifiers are parr of ready to use. They have been working well for us until recently but now saving an auto labelling rule that includes any of Trainable classifiers getting client side error: 'Could not find rule pack associated with sensitive information type' this is unexpected because: same classifiers eg: Budget worked perfectly just few weeks ago. No changes have made to roll, permissions on our side. Still not sure why showing issue now. Kindly request you, help me with root cause of the cause. Please feel free to post it comments if someone faced same issue in using trainable classifiers in auto labelling policies. Thanks in advance. Regards, BanuMuraliEmail to external(trusted user) not require verify user Identity(with Google or One-time passcode)
Dear Expert and Community, I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and seek your advise / comment / contribute or sharing good practice regarding with below: - Firstly, we can send email to externally user contain sensitive information, it is encryption or blocked (result: worked as expected). If remail encrypt, the external receiver require verify the Identity via sign in with google acc / with a one time password. - Second: we plan sending email to external user (only trusted user / domain). Is it possible, do not require these scope user reverify their Identity again and again? If yes, how to do it? If not - why? Well appreciated for update and supporting. Thanks,Federating Two Domains to Single Google Workspace Org — IssuerUri Conflict
Problem: I'm federating two custom domains (domainA.com and domainB.com) in the same Entra tenant to Google Workspace as the IdP using New-MgDomainFederationConfiguration. Cloud-only tenant, no on-premises AD. domainA.com works perfectly. When attempting to federate domainB.com, I get: 409 Conflict — Request_MultipleObjectsWithSameKeyValue Root cause: Both domains are in the same Google Workspace org. Google always sends the same IssuerUri in every SAML response regardless of which SAML app is used. Entra's global IssuerUri uniqueness constraint blocks the second domain. Workarounds attempted: Modified IssuerUri with unique query parameter — Google's SAML assertion still contains the original IssuerUri, Entra silently rejects it Second Google SAML app — Google sends identical IdP Entity ID regardless Google Legacy SSO profile with domain-specific issuer — only affects Google authentication, not Microsoft-initiated SAML flows Beta Graph API — same constraints MSOnline module — fails with Negotiate/forbidden error Questions: Is there any supported way to federate two domains in the same tenant to the same Google Workspace org? Is there a Graph API equivalent of the legacy -SupportMultipleDomain switch? domainB.com also returns "No matching stub found. Please reset the federation" on every update attempt — is this a known backend issue? We have a support ticket open for 21 days with no engineer response. Any help appreciated!
IdentityLogonEvents - IsNtlmV1
Hi, I cannot find documentation on how the IdentityLogonEvents table's AdditionalFields.IsNtlmV1 populated. In a demo environment, I intentionally "enforced" NTLMv1 and made an NTLMv1 connection to a domain controller. On the DC's Security log, event ID 4624 shows correct info: Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 On MDI side however it looks like this: (using the following KQL to display relevant info here: IdentityLogonEvents | where ReportId == @"f70dbd37-af8e-4e4e-a77d-b4250f9e0d0b" | extend todynamic(AdditionalFields) | project TimeGenerated, ActionType, Application, LogonType, Protocol,IsNtlmV1 = AdditionalFields.IsNtlmV1 ) TimeGenerated ActionType Application LogonType Protocol IsNtlmV1 Nov 28, 2025 10:43:05 PM LogonSuccess Active Directory Credentials validation Ntlm false Can someone please explain, under which circumstances will the IsNtlmV1 property become "true"? Thank you in advanceHow to add glossary term to domain
Does anyone know how to add a glossary term to a domain using the REST API? What is the correct url? None of these work: url = f"{my_purview_endpoint}/unifiedcatalog/domains/{my_glossary_guid}/glossaryTerms" url = f"{my_purview_endpoint}/datagovernance/catalog/businessdomains/{my_glossary_guid}/glossaryTerms" url = f"{my_purview_endpoint}/businessdomains/{my_glossary_guid}/terms"
Events
Start your journey to secure AI workloads in the cloud. Learn how Defender for Cloud provides foundational protection for your AI solutions and why it’s essential for modern security strategies.
Wh...
Online
Security practitioners, bring your real questions.
Join Microsoft Security experts live at RSA Conference or online via Tech Community for a live AMA focused on data and AI security in real-world e...
Hybrid