Recent Blogs
Learn about the latest features and change announcements across Microsoft Entra.
Dec 10, 2025
The updated CAF 4.0 raises expectations around control A2.b - Understanding Threat.
Rather than focusing solely on awareness of common cyber-attacks, the framework now calls for a sector-specific, ...
Dec 10, 2025
Effective device management is critical for ensuring security hygiene and maintaining operational agility within enterprise environments. In Microsoft Defender for Endpoint (MDE), device tagging play...
Dec 10, 2025
Introduction
In the ever-evolving paradigm shift that is Generative AI, adoption is accelerating at an unprecedented level. Organizations find it increasingly challenging to keep up with the multip...
Dec 09, 2025
Recent Discussions
Block transfer of labelled data through CLI Apps - PowerShell
I have a ticket open with Microsoft since mid-November, and to date it is not fixed; still chasing. So we have labelled data, using a custom label "Intellectual Property". We block and alert using it, from uploads to a list of URLs, to prompt to override, etc. So the label works. Next step is to prevent exfil using CLI apps. This is where the issue is: not working. Would you have any idea if this actually works? Has anyone set it up? In Settings and then Restricted apps and app groups I have set up the following: Then I created a policy that is applied to my machine and my user to block the move and upload of data that is labelled as Intellectual Property (Sensitivity Label). It should block when I am using WinSCP or PowerShell. It does not. I tried with the restricted app group and with access by restricted apps. None works. My machine is in sync.

MCAS logcollector docker image: 0 logs received
I followed this documentation: https://learn.microsoft.com/en-us/defender-cloud-apps/discovery-docker-ubuntu?tabs=ubuntu My collector is displaying a connected status in the console: But as you can see, no data was received, and if I do a collector_status -P on my docker: I checked all possible log files, nothing helped me. So if someone can help with that... Thank you!

Purview Data Map – Proposed Domain & Collection Structure
Microsoft Purview Data Map – Proposed Domain & Collection Structure

This proposed Microsoft Purview Data Map domain and collection structure ensures that users responsible for specific data assets can be granted precisely scoped permissions, particularly for updating metadata, by mapping Business Units, Departments, Teams, and environments in a clear hierarchy that allows RBAC inheritance to assign the right level of access to the right people.

Domain Name: Data Catalogue (short, clear, governance-aligned name to avoid UI truncation and scripting issues).

Collection Path: Data Catalogue → Business Units → Departments → Teams → [Prod | Non-Prod]
Level 1: Business Units
Level 2: Departments (within each Business Unit)
Level 3: Teams (within each Department)
Optional: Environment segregation under Teams (Prod / Non-Prod)

Reasons & Requirements
1. Domain Naming: Short, clear name avoids UI truncation and scripting issues. Detailed descriptions stored in metadata; name remains simple for automation and future-proofing.
2. Structure Alignment: Alignment with organisational charts and unified governance hierarchy: Business Units → Departments → Teams. Provides intuitive navigation and meaningful context for users.
3. Hierarchy Depth: Limited to 4–5 levels for usability and RBAC inheritance. Avoids unnecessary complexity while maintaining clarity.
4. Environment Handling: Prod / Non-Prod split under Teams for simplicity. Additional environments only if governance differs significantly.
5. RBAC & Ownership: Permissions align with organisational roles. Supports the principle of least privilege.
6. Scanning & Policy: Scans assigned at Team level for precise governance. Policies inherit from higher levels for consistency. Selective scanning preferred for cost efficiency.
7. Best Practice Compliance: Matches Microsoft guidance: short names, shallow hierarchy, environment segregation. Clear distinction between governance path and technical hierarchy.

Role Assignment in Collections
Data Curator Role. Designed for users who: edit and update metadata; manage business context for assets within the collection.
Assign to: Data Owners (Directorate level); Data Stewards (Team level); Data Product Owners / Asset Managers (for their own assets).
Why at Collection Level? RBAC in Purview inherits down the collection hierarchy: assign at Team collection → edit metadata for all assets in that Team; assign at Group or Directorate level → edit metadata for all child collections. Ensures least privilege and ownership-based editing.
Best Practice: Read-only roles (Data Reader) applied broadly for transparency. Data Curator scoped to the lowest level where the user has responsibility (usually Team). Avoid assigning Data Curator at the root unless absolutely necessary.

Custom Data Collection - Not Collecting Events
Hello, has anyone tested or implemented Custom Data Collection from Defender XDR? I tried to use this function; I created a rule and attached a Sentinel workspace, but for example the "DeviceCustomProcessEvents" table remains empty. But with the command "DeviceProcessEvents" there are events that match the rule that I created. Is there anyone else that has the same issue? Many thanks, Regards, Guido

Exclude File Hashes from Data Leak/Insider Policy
Absolute long shot, but is there any way to exclude file hashes from the attachments part of a data leak policy? We use a service for our signatures and, due to the way it works, the images in it keep getting picked up as part of sending external with attachment; the image name changes, but the SHA-256 stays the same. Anyone have any idea if this is or ever will be possible?

KQL query to report on Audit/Block status of Network Protection
Anyone know how to run a query using KQL in the Defender portal to return the status of Network Protection - Audit or Block mode? The following query returns the results but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the context might help but for this SCID it is always empty.

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-96"

The information is available within the portal when you drill into the device - configuration management - effective settings - but this is not scalable when needing to check across a large estate. How could you query this via KQL, or is there another way to generate a report on overall estate health and configuration? Long term it would be great to report on this in a Power BI dashboard. Thanks

MDE use of Certificate based IoC not working
I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page This is on a demo tenant with full M365 E5 licenses and vulnerability trial enabled just in case.

Test devices are:
- Windows 11 with latest updates - domain joined and managed by Intune
- MDE onboarded and active with AV
- Network protection in block mode
- Cloud-delivered protection enabled
- File hash enabled
- In Defender portal - settings - endpoints advanced settings - all options enabled

I am testing with Firefox - the installer and the application .exe after installation. I have extracted the leaf certificate from both these .exe's using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/ Then uploaded the certs into Defender portal - settings - endpoints - IoC - certificates - set to Block and remediate.

Issue: It's been 24h and nothing happens on the client devices. In the Defender portal - assets - devices - device timeline - I can see the Firefox processes but at no point is the installer or application blocked. Have I misunderstood how the feature works? Has anyone else managed to get this to work? Advice appreciated. Thanks, Warren

Windows Hello passkeys dialog appearing and cannot remove or suppress it
Hi everyone, I'm dealing with a persistent Windows Hello and passkey issue in Chrome and Brave, and yes, this is relevant as they're the only browsers having this issue whilst Edge for example is fine, and at this point I'm trying to understand whether this is expected behavior, a bug, or a design oversight. PS. Yes, I'm in contact with the related browser support teams but since they seem utterly hopeless I'm asking here, since it's at least partially a Windows Hello issue.

Problem description
Even with:
- Password managers disabled in browser settings,
- Windows Hello disabled in Chrome/Brave settings,
- Windows Hello PIN enabled only for device login,
- Passkeys still stored under chrome://settings/passkeys (which I cannot delete since they are used for logging on to the device),
The devices are connected to Entra ID but this is not required to reproduce the issue, although a business account configuration creates a passkey with Windows Hello afaik.

Observed behavior
When I attempt to sign in on office.com, Windows Hello automatically triggers a dialog offering authentication via passkeys, even though:
- I don't want passkeys used for browser logins,
- passkeys are turned off everywhere they can be,
- Windows Hello is intended only for local device authentication.
The dialog cannot be suppressed, disabled, or hidden (trust me, I tried for weeks). It effectively forces the Windows Hello prompt as a primary option, which causes problems both personally and in business contexts (wrong credential signaling, misleading users that are supposed to use a dedicated password manager solution instead of browser password managers, enforcing an unwanted authentication flow, etc.).

What I already verified
- Many, many (too many) Windows registry workarounds that never worked.
- Dug through almost all flags on those browsers.
- Chrome/Brave → Password Manager: disabled
- Chrome/Brave → Windows Hello toggle: off
- Looked through what feels like almost every related option in Windows Settings.
- Tried gpedit.msc local rules
- System up to date
- Windows Hello configured to use PIN, but stores "passkeys used to log on to this device"

Why this is a problem
Windows Hello automatically assumes that the device-level Windows Hello credentials should always be available as a WebAuthn authenticator. This feels like a big security and UX issue due to:
- unexpected authentication dialogs,
- inability to control where and how passkey credentials are shared with applications,
- inability to turn the feature off,
- no administrative or local option to disable Hello for WebAuthn separately from device login.
- Business users either having issues with keeping passwords in order (our business uses a dedicated password manager but this behaviour covers its dialog option) or not having a PIN for their devices (when I disable Windows Hello entirely, since when there are no passkeys the option doesn't appear).

Questions
- Is there any supported way to disable Windows Hello as a WebAuthn/passkey option in browsers, while keeping Hello enabled for local device login?
- Is this expected behavior from Windows Hello, or is it considered a bug?
- Are there registry/policy settings (documented or upcoming) that allow disabling the Windows platform authenticator specifically for browsers like Chrome and Brave?
- Is Microsoft aware of this issue? If so, is it tracked anywhere?

Additional notes
This issue replicates 100% across (as long as there are passkeys configured): Windows 11 devices I've managed to get my hands on, Chrome and Brave (latest versions), multiple Microsoft accounts and tenants, multiple clean installations. Any guidance or clarification from the Windows security or identity teams would be greatly appreciated. And honestly if there is any more info I could possibly provide PLEASE ask away.

I'm stuck!
Logically, I'm not sure how/if I can do this. I want to monitor for Entra ID group additions - I can get this to work for a single entry using this:

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to group"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName == "NameOfGroup" // <-- This returns the single entry
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc

However, I have a list of 20 priv groups that I need to monitor. I can do this using:

let PrivGroups = dynamic(['name1','name2','name3']);

and then call that like this:

blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any (PrivGroups)

But that's a bit dirty to update - I wanted to call a watchlist. I've tried defining with:

let PrivGroup = (_GetWatchlist('TestList'));

and tried calling like:

blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any ('PrivGroup')

I've tried dropping the let and attempted to look up the watchlist directly:

| where GroupName has_any (_GetWatchlist('TestList'))

The query runs but doesn't return any results (obviously I know the result exists) - how do I look up that extracted value on a watchlist? Any ideas or pointers why I'm wrong would be appreciated! Many thanks

Issue with Microsoft Purview Governance/Business Domains invisible/not found
I was wondering if anybody has experienced such an issue? After the new Purview update and the introduction of governance domains instead of business domains in the data catalog, I cannot see the previously established business/governance domains but can still see the data products I had previously created under the legacy business domains.
- I have Purview admin and data governance admin at tenant level as well but still the issue persists.
- I cannot create new governance domains since I get a cyclic dependency error.
- Have tried different web browsers, no luck so far!
- Any similar experience and potential tip/workaround for this issue?
#Purview #governance_domains

MS Defender 101.25102 update error
I have been trying to update MS Defender for several days now and without luck. I am on an iMac M3 with macOS 26.1. I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine. Does anyone have a solution?

Aggregate alerts not showing up for Email DLP
Hi, I'm unable to see the "Aggregate alerts" option while configuring an Email DLP policy, although the same option is visible for Endpoint DLP. The available license is Microsoft 365 E5 Information Protection and DLP (add-on). If this is a licensing limitation, why am I still able to see the option for Endpoint DLP but not for Email DLP? Screenshot showing option for Endpoint DLP alerts:

Defender for Endpoint on Linux
I'm using the Linux version of the Defender agent on RHEL 8. The intended setup is: the agents are registered to the Defender cloud, and we have enabled the Intune to Defender connector. So when you register your endpoint, it should also create a skeleton registration in Intune so it can manage the Linux policy. I've got that set up. However, if you need to make quick, perhaps unscheduled changes to your Linux MDATP profile, how do you do it? As it seems to be based on when the endpoint checks in with Intune, which Intune does every 4-6 hours. Some of the docs I read said just make the change to the .json config on the client; then Intune will reapply the updated policy when it checks the agent in. OK, but if you have enabled the anti-tamper feature on the agents, how do you then update the .json file? It's just going to block you from doing that.

Securing Data with Microsoft Purview IRM + Defender: A Hands-On Lab
Hi everyone, I recently explored how Microsoft Purview Insider Risk Management (IRM) integrates with Microsoft Defender to secure sensitive data. This lab demonstrates how these tools work together to identify, investigate, and mitigate insider risks.

What I covered in this lab:
- Set up Insider Risk Management policies in Microsoft Purview
- Connected Microsoft Defender to monitor risky activities
- Walkthrough of alerts triggered → triaged → escalated into cases
- Key governance and compliance insights

Key learnings from the lab:
- Purview IRM policies detect both accidental risks (like data spillage) and malicious ones (IP theft, fraud, insider trading)
- IRM principles include transparency (balancing privacy vs. protection), configurable policies, integrations across Microsoft 365 apps, and actionable alerts
- IRM workflow follows: Define policies → Trigger alerts → Triage by severity → Investigate cases (dashboards, Content Explorer, Activity Explorer) → Take action (training, legal escalation, or SIEM integration)
- Defender + Purview together provide unified coverage: Defender detects and responds to threats, while Purview governs compliance and insider risk

This was part of my ongoing series of security labs. Curious to hear from others — how are you approaching Insider Risk Management in your organizations or labs?

Defender for Identity health issues - Not Closing
We have old issues and they're not being "Closed" as reported. Are we missing something or is this "Microsoft Defender for Identity" Health Issues process broken? Thanks! Closed: A health issue is automatically marked as Closed when Microsoft Defender for Identity detects that the underlying issue is resolved. If you have the Azure ATP (workspace name) Administrator role, you can also manually close a health issue.

Defender for Endpoint - macOS scan takes 1 second
Hello, we use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed that when a user runs a quick or full scan, that action takes 1 second and that is it - 0 files scanned. This used to work before; I happen to have a screenshot: Now, if I run the scan from the command line, again the same: We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles mdatp health output: Did anyone have this issue? Thanks!

Request to enable preview feature - Face Check with CAP
Dear Microsoft, I am on a Business Premium plan for my home test tenant. I cannot raise a ticket nor do I have an account manager. I know this is in private preview. I would like my tenant to be enabled to test this new Verified ID feature to have "Face Check" in CAP as one of the Grant conditions. tenant id: bc85b508-0107-4472-a49c-fc8cefd4f0d7 Thank you.

Unexpected Service Principal Additions After Purview Label Schema Migration
Hi everyone, I recently migrated our Microsoft Purview label schema in our tenant and noticed some interesting audit log entries right after the migration. Specifically, Entra ID recorded "Add service principal" actions for:
- Microsoft Edge management service
- Purview Ecosystem (https://api.purview.microsoft.com)
Both events were logged under my admin account, with the User-Agent showing kiota-dotnet/1.16.4, which suggests an automated process or Microsoft Graph SDK interaction.

Here are some details:
- Operation: Add service principal
- Result: Success
- Tags: disableLegacyUserImpersonationClient, disableLegacyUserImpersonationResource, and for Purview: GitCreatedApp
- Triggered at: The exact time I completed the label schema migration.

My questions:
- Is this expected behavior when migrating Purview label schemas?
- Are these service principals required for Purview and Edge management integration?
- Any best practices to confirm these additions are legitimate and secure?

Thanks in advance for your insights! Best regards, Stephan

Incorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi, in our environment we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" Secure Score recommendation. Based on https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect the replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback. On the Entra Connect server I ran the following:

Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync

The result is: Password Hash Synchronization cloud configuration is enabled

If I remove the replication permission, we soon receive an alert that password hash sync did not occur. Is this normal? I would say that the sensor should be able to detect PHS usage and hence not recommend removing the permissions. Thank you in advance, Daniel