Recent Blogs
Integrating Microsoft Security Copilot with Azure Logic Apps enables security teams to automate investigations, orchestrate fast incident response, and unify workflows across the modern enterprise. B...
Sep 24, 2025
4 MIN READ
As organizations navigate the complexities of modern cloud environments, embedding security early in the architecture lifecycle proves invaluable. For privacy and compliance requirements I will p...
Sep 24, 2025
The internet’s transport layer is undergoing one of its most significant evolutions in decades. QUIC (Quick UDP Internet Connections) — the protocol underpinning HTTP/3 — is rapidly becoming the defa...
Sep 24, 2025
Shadow IT has always been a bit of a ghost story in cybersecurity. You know it’s there, lurking in the background, but it rarely shows itself until something goes wrong. For years, people thought it ...
Sep 23, 2025Recent Discussions
Java MIP SDK 1.17.154: commitAsync() TemplateNotFoundError (C# OK; Java fails Win & Ubuntu)
TL;DR Java SDK 1.17.154: calling setLabel() then commitAsync() fails with TemplateNotFoundError (TemplateId=2ea3c830-...). Same label/code works on Java 1.16.x and C# 1.17.154. Policy cache cleared, templates/labels verified, token/tenant checked—issue persists. Environment SDK (Java): 1.16.x (OK), 1.17.154 (FAIL) SDK (C#): 1.17.154 (OK) OS (Java): Windows 10/11 (win32 build), Ubuntu 20.04 / 22.04 / 24.04 Java: Corretto/OpenJDK 17.0.16 (x64) Service/Tenant: Microsoft Purview Information Protection Auth: (e.g., user delegated token / app-only token) Code Snippet (Java) // Label apply options LabelingOptions labelingOptions = new LabelingOptions(); labelingOptions.setAssignmentMethod(AssignmentMethod.PRIVILEGED); labelingOptions.setDowngradeJustified(true); labelingOptions.setJustificationMessage("Label Apply"); // Get label Label label = fileEngine.getLabelById(labelId); // Apply label (no explicit template handling) fileHandler.setLabel(label, labelingOptions, new ProtectionSettings()); // Commit File workFile = new File(domainFolder, UidUtil.makeUid()); CompletableFuture<Boolean> commitFuture = fileHandler.commitAsync(workFile.getAbsolutePath()); commitFuture.get(); // <-- Throws TemplateNotFoundError on 1.17.154 Stack trace excerpt: Caused by: com.microsoft.informationprotection.internal.gen.Error: TemplateNotFoundError: Could not find template with id: 2ea3c830-5a0e-4eea-b48b-c72186d453c0, BadInputError.Code=General, CorrelationId=42ffaad4-3a0f-4986-ba9d-b5a79c5fd076 (ProtectionEngine), CorrelationId=16819f70-e419-473f-9895-c756f3dd5e4b (FileHandler) at com.microsoft.informationprotection.internal.gen.SdkWrapperJNI.SwigDirector_FileHandler_Observer_OnCommitFailure(SdkWrapperJNI.java:2688) Expected Behavior setLabel() should apply the label (and its protection) and commit successfully, as it does in Java 1.16 and C# 1.17.154. Actual Behavior commitAsync() fails with TemplateNotFoundError for the GUID referenced by the label’s ApplyProtectionAction. What I’ve Tried Policy/cache refresh: Deleted %LOCALAPPDATA%\Microsoft\MSIP\ / ~/.mip/, reloaded engine. Template/label verification: Confirmed existence and publish scope in Purview portal & via PowerShell/Graph. Label actions check: policyEngine.getLabelActions(labelId) shows an ApplyProtectionAction with that GUID. Token/tenant sanity check: Correct scopes and same tenant. Rollback test: Java 1.16 works; C# 1.17.154 works. Questions Any breaking change in Java 1.17 regarding how protection templates are resolved during setLabel()? Is this a known issue specific to Java SDK 1.17.154 (win32 & Ubuntu 20/22/24 builds)? Should we now explicitly use ProtectionDescriptor / SetProtection() in Java? Can someone review the service logs using the CorrelationIds above? Happy to provide additional logs, PowerShell/Graph queries, or action dumps if needed. Thanks!Access Package Assignment Issue
Hello, We have an access package that was functioning properly in the past, but the assignment process has stopped working. The issue started on August 22; the last successful assignment was on July 29. When attempting to manually assign the access package to an external user, we receive the following error: "You don't meet policy requirements to request this entitlement." Additional details: The configuration of the policy has not been changed. Users who can request access is set to “None (administrator direct assignments only)”. Changing the “Enable new requests” setting (enabled/disabled) does not resolve the issue. Expiration is set to 90 days. This access package is intended for external users, but I tested assigning it to an internal user and it works correctly. At this point, I do not have additional information about what might be causing the issue. Could you please help us identify the root cause and suggest next steps? Thank you for your assistance. Kind regards,Managing Multi-Tenant Azure/365: Workarounds for Cross-Tenant Limitations in Purview and Fabric
I am working in a Microsoft Azure/365 multi-tenant setting due to some constraints. I am using Purview (Tenant1) and Fabric (Tenant2), M365 in (Tenant 2). I'm facing issues with various solutions due to cross tenant limitation for eg: Data Quality Connection, Metadata ingestion, lineage, etc. To overcome this I am exploring various workarounds. Key Question: 1. Are there proven workarounds or solutions to manage data estate in this scenario? (Can't merge /migrate tenants)
Inbound Screening & PCI-DSS
PCI-DSS frowns on having credit card numbers and related information in systems not otherwise in scope. Yet we sometimes have law enforcement asking for us for researching by these very terms; they send these sometimes via E-mail. I wonder therefore whether Exchange can screen using DLP policies, with the intent of adding controls, such as masking or adding "no forwarding, no printing," and so on. Possible? Advisable?
Purview Data Quality Dashboard/ Report - Refresh
Hi All, Currently I am getting all blank in Purview Data quality dashboard, before two months dashboard shows all values across each data quality dimensions and showed graph for each quadrant in a dashboard. After two months when checked the dashboard everything is blank nothing is shown in the report. (Note : I have created two governance domain and each domain has five data products assigned with data assets, implemented data quality rules on top of each data assets that time scores were reflected in the Purview data quality dashboard), but suddenly now it all went blank scores showing as 'blank' Note : None of the data quality assessment were not deleted during that two months, data quality rules are still active and its still showing scores at data asset level. But its not showing in the dashboard currently. Can you please help me to sort out, is there any refresh policy associated for Purview Data quality dashboard.
eDiscovery case (Premium) and on-premise file share content
We have E5 license and Purview eDiscovery premium. We have a need to create eDiscovery case with on-premise file share data source. As part of this configuration, we have done the following: Installed a graph connector agent on the on-premise file share with azure app registration with the appropriate permissions. In Microsoft 365 admin center, configured file share data source linking to file share graph connector above. The files on the file server were successfully indexed. No issues. However, in the next step, while creating an eDiscovery case (Premium), we don't see "Add Graph Connector as a data source within a case" to add the above graph connector. What are we missing? The user has Global Administrator permissions.Exclude Devices from Secure Score
I have a scenario where DevOps devices are spun up in the environment and onboarded to Defender then after very short periods of time never used again. Leaving thousands of devices onboarded which are not in use/live anymore. With the devices being onboarded to DFE this affects the Secure Score significantly, the hosts use a specific host name prefix and we were looking to see if there was a way to have Secure Score exclude these devices as they greatly impact the overall %.
Device Tables are not ingesting tables for an orgs workspace
Device Tables are not ingesting tables for an orgs workspace. I can confirm that all devices are enrolled and onboarded to MDE (Microsoft defender for endpoint) I had placed an EICAR file on one of the machine which bought an alert through to sentinel,however this did not invoke any of the device related tables . Workspace i am targeting Workspace from another org with tables enabled and ingesting data Microsoft Defender XDR connector shows as connected however the tables do not seem to be ingesting data; I run the following; DeviceEvents | where TimeGenerated > ago(15m) | top 20 by TimeGenerated DeviceProcessEvents | where TimeGenerated > ago(15m) | top 20 by TimeGenerated I receive no results; No results found from the specified time range Try selecting another time range Please assist As I cannot think where this is failingADR: Audited detections not showing in Microsoft Defender
Hi all, I am trying to figure out why the Attack surface reduction rules report does not show me any audited detections. Specifically, I am testing out the rule Block process creations originating from PSExec and WMI commands in Audit mode. A test was run on the endpoint by starting a WMI process and an event was logged to Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational. Any ideas?Email OTP not working for guest users
We have to enable MFA using Email for some guest users accessing some of our Entra applications. Guest users are from other Microsoft tenants, B2B collaboration users. We have it all set up in the Authentication methods and in Conditional access policies. Also excluded this user's security group from System-preferred multifactor authentication. When the guest user connects to the application or to the tenant portal, it's still prompting to register for MFA using authenticator App. how can we make it to use an email one-time code please ? Issue: Screenshots of the settings below:
Defender tagging based on Intune App policy
Will the issue about tagging devices in the security centre with MDE-management ever be resolved? this has been ongoing for over 10 months and will allow us to smoothly tag and group items in the defender section a whole lot easier. For some of our clients we NEED this as the current abilities are so basic and useless considering defenders awful naming method. "Use of dynamic device tagging capabilities in Defender for Endpoint to tag devices with MDE-Management isn't currently supported with security settings management. Devices tagged through this capability don't successfully enroll. This is currently under investigation." https://learn.microsoft.com/en-us/defender-xdr/configure-asset-rulesHow to practice SC-200 content on an empty tenant
Hello, I am following the SC 200 course on Microsoft Learn. It is great and everything but my m365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL and microsoft provides some datasets for practice. Are there any such data I can load on my tenant for threat hunting and other SC-200 related practices or is there an isolated simulation environment I can use for learning?
MFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled. How should this be handled?Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hubneed to create monitoring queries to track the health status of data connectors
I'm working with Microsoft Sentinel and need to create monitoring queries to track the health status of data connectors. Specifically, I want to: Identify unhealthy or disconnected data connectors, Determine when a data connector last lost connection Get historical connection status information What I'm looking for: A KQL query that can be run in the Sentinel workspace to check connector status OR a PowerShell script/command that can retrieve this information Ideally, something that can be automated for regular monitoring Looking at the SentinelHealth table, but unsure about the exact schema,connector, etc Checking if there are specific tables that track connector status changes Using Azure Resource Graph or management APIs Ive Tried multiple approaches (KQL, PowerShell, Resource Graph) however I somehow cannot get the information I'm looking to obtain. Please assist with this, for example i see this microsoft docs page, https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health#supported-data-connectors however I would like my query to state data such as - Last ingestion of tables? How much data has been ingested by specific tables and connectors? What connectors are currently connected? The health of my connectors? Please helpConditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. Peter
Unified SecOps XDR
Hi, I am reaching out to community to seek understanding regarding Unified SecOps XDR portal for Multi-tenant Multi-workspace. Our organization already has a Azure lighthouse setup. My question is if M365 lighthouse license also required for the Multi-tenant Multi-workspace in unified SecOps XDR portal?How to resolve "AADST55203" error: Multi-factor authentication configuration blocked
{ "error": "access_denied", "error_description": "AADSTS55203: Configuring multi-factor authentication method is blocked. Trace ID: Correlation ID: Timestamp: 2025-09-17 20:48:30Z", "error_codes": [ 55203 ], "timestamp": "2025-09-17 20:48:30Z", "trace_id": "", "correlation_id": "", "suberror": "provider_blocked_by_rep" } SMS authentication method was previously configured in our B2C Entra and was functioning correctly until last week, when it suddenly stopped working. Currently, users can only authenticate via email. Conditional Access policy is also in place that requires Multi-Factor Authentication (MFA).Secure Score - Secure Home Folders in macOS
I've performed the recommended manual remediation action (sudo chmod -R og-rw /Users/) on my Macs but Secure Score doesn't recognize it. I have noticed this occurring for a few item. We have also remediated some things through InTune but still seem to have no movement on the SecureScore. Is this a glitch within or am I missing something altogether. Thanks
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
Security Compute Units (SCUs) are the required resource units that power Microsoft Security Copilot, ensuring dependable and consistent performance across both standalone and embedded product experie...
Online