Forum Widgets
Latest Discussions
Save the date - January 26, 2026 - AMA: Best practices for applying Zero Trust using Intune
Join us on January 26 at 10:00 AM PT, to Ask Microsoft Anything (AMA) and get the answers you need to implement the right policies, security settings, device configurations, and more. Never trust, always verify. Tune in for tips and insights to help you secure your endpoints using Microsoft Intune as part of your larger Zero Trust strategy. Find out how you can use Intune to protect both access and data on organization-owned devices and personal devices used for work. Go to aka.ms/AMA/IntuneZeroTrust and select "attend" to add this event to your calendar. Have questions? Submit them early by signing in to Tech Community and posting them on the event page!
Unusual Sign-In Activity E-mail but I cannot identify the account!
Hi, I'm experiencing something quite weird. This morning I got an alert to a personal e-mail address of mine (w********@gmail.com) that a Microsoft account of mine was accessed from an IP address in Brazil. I've attached that e-mail and it lists the account as "ja*****" with no domain name listed. I have two microsoft accounts that I know of that start with "ja". One is a hotmail account and one is registered with my university account. I figured this alert had to do with my university account because that could explain why it never listed a domain name. However, when I checked, neither account have any record of a sign in, successful or unsuccessful, from an IP address in Brazil today. Furthermore, the university account doesn't have the w*******@gmail.com listed as a primary or secondary e-mail account so even if that was the account that alert wouldn't have gone to that e-mail. I contacted Microsoft support hoping that they could try to locate the alert e-mail and confirm what account the alert was about from their end but they told me they don't have the tools for that and they have limited access to their own system. A supervisor told me that at this point my best bet is to either post on the community forums or to go to the police and ask them to track the IP address. I have a vague memory that years ago when I tried to log into my university Microsoft account, it would let me log in as a personal account and as a work account separately but now I can only use it as a work account. I'm wondering if that might be related like maybe someone was able to access my personal account of my university Microsoft account which could explain both the lack of a domain name in the e-mail and the fact that there's no history of it in my work account. This is really bugging me because someone may have accessed an account belonging to me but I'm completely unable to actually confirm that or even the account this is happening to. Thanks!
Scaling Data Governance- Does a Purview in a Day Framework Exist?
Hello Purview Community, I’ve been exploring the available acceleration resources for Microsoft Purview, and one thing I noticed is a potential gap in the "In a Day" workshop series. While we have excellent programs like Power BI in a Day or Fabric in a Day, I haven't yet seen a formalized Purview in a Day framework designed to help organizations jumpstart their governance journey in a single, cohesive session. I am reaching out because my team is currently preparing something in this area that we believe will be very useful to the community and Microsoft in the future. Rather than working in isolation, we want to ensure we are aligned with the official roadmap. I wanted to reach out to the community and the Microsoft product team to ask: Is there an official "In a Day" initiative for Purview currently in the works? If not, who would be the best point of contact to discuss alignment? Looking forward to hearing your thoughts and seeing if we can build something impactful together! #MicrosoftPurview #Purview
Cannot setup phone sign in with Microsoft Authenticator
Hi All, My new Redmi Turbo 4 was working with Microsoft authenticator, but in the past month, it started malfunctioning, so I decided to reset the authenticator app and sign back into it. Now I can't setup the app to do phone sign-in, and the sign in request notifications does not come to the new phone. (old phone is currently still operational). Is there like a shadow ban to chinese android phones?
From “No” to “Now”: A 7-Layer Strategy for Enterprise AI Safety
The “block” posture on Generative AI has failed. In a global enterprise, banning these tools doesn't stop usage; it simply pushes intellectual property into unmanaged channels and creates a massive visibility gap in corporate telemetry. The priority has now shifted from stopping AI to hardening the environment so that innovation can run at velocity without compromising data sovereignty. Traditional security perimeters are ineffective against the “slow bleed” of AI leakage - where data moves through prompts, clipboards, and autonomous agents rather than bulk file transfers. To secure this environment, a 7-layer defense-in-depth model is required to treat the conversation itself as the new perimeter. 1. Identity: The Only Verifiable Perimeter Identity is the primary control plane. Access to AI services must be treated with the same rigor as administrative access to core infrastructure. The strategy centers on enforcing device-bound Conditional Access, where access is strictly contingent on device health. To solve the "Account Leak" problem, the deployment of Tenant Restrictions v2 (TRv2) is essential to prevent users from signing into personal tenants using corporate-managed devices. For enhanced coverage, Universal Tenant Restrictions (UTR) via Global Secure Access (GSA) allows for consistent enforcement at the cloud edge. While TRv2 authentication-plane is GA, data-plane protection is GA for the Microsoft 365 admin center and remains in preview for other workloads such as SharePoint and Teams. 2. Eliminating the Visibility Gap (Shadow AI) You can’t secure what you can't see. Microsoft Defender for Cloud Apps (MDCA) serves to discover and govern the enterprise AI footprint, while Purview DSPM for AI (formerly AI Hub) monitors Copilot and third-party interactions. By categorizing tools using MDCA risk scores and compliance attributes, organizations can apply automated sanctioning decisions and enforce session controls for high-risk endpoints. 3. Data Hygiene: Hardening the “Work IQ” AI acts as a mirror of internal permissions. In a "flat" environment, AI acts like a search engine for your over-shared data. Hardening the foundation requires automated sensitivity labeling in Purview Information Protection. Identifying PII and proprietary code before assigning AI licenses ensures that labels travel with the data, preventing labeled content from being exfiltrated via prompts or unauthorized sharing. 4. Session Governance: Solving the “Clipboard Leak” The most common leak in 2025 is not a file upload; it’s a simple copy-paste action or a USB transfer. Deploying Conditional Access App Control (CAAC) via MDCA session policies allows sanctioned apps to function while specifically blocking cut/copy/paste. This is complemented by Endpoint DLP, which extends governance to the physical device level, preventing sensitive data from being moved to unmanaged USB storage or printers during an AI-assisted workflow. Purview Information Protection with IRM rounds this out by enforcing encryption and usage rights on the files themselves. When a user tries to print a "Do Not Print" document, Purview triggers an alert that flows into Microsoft Sentinel. This gives the SOC visibility into actual policy violations instead of them having to hunt through generic activity logs. 5. The “Agentic” Era: Agent 365 & Sharing Controls Now that we're moving from "Chat" to "Agents", Agent 365 and Entra Agent ID provide the necessary identity and control plane for autonomous entities. A quick tip: in large-scale tenants, default settings often present a governance risk. A critical first step is navigating to the Microsoft 365 admin center (Copilot > Agents) to disable the default “Anyone in organization” sharing option. Restricting agent creation and sharing to a validated security group is essential to prevent unvetted agent sprawl and ensure that only compliant agents are discoverable. 6. The Human Layer: “Safe Harbors” over Bans Security fails when it creates more friction than the risk it seeks to mitigate. Instead of an outright ban, investment in AI skilling-teaching users context minimization (redacting specifics before interacting with a model) - is the better path. Providing a sanctioned, enterprise-grade "Safe Harbor" like M365 Copilot offers a superior tool that naturally cuts down the use of Shadow AI. 7. Continuous Ops: Monitoring & Regulatory Audit Security is not a “set and forget” project, particularly with the EU AI Act on the horizon. Correlating AI interactions and DLP alerts in Microsoft Sentinel using Purview Audit (specifically the CopilotInteraction logs) data allows for real-time responses. Automated SOAR playbooks can then trigger protective actions - such as revoking an Agent ID - if an entity attempts to access sensitive HR or financial data. Final Thoughts Securing AI at scale is an architectural shift. By layering Identity, Session Governance, and Agentic Identity, AI moves from being a fragmented risk to a governed tool that actually works for the modern workplace.Ingesting Windows Security Events into Custom Datalake Tables Without Using Microsoft‑Prefixed Table
Hi everyone, I’m looking to see whether there is a supported method to ingest Windows Security Events into custom Microsoft Sentinel Data Lake–tiered tables (for example, SecurityEvents_CL) without writing to or modifying the Microsoft‑prefixed analytical tables. Essentially, I want to route these events directly into custom tables only, bypassing the default Microsoft‑managed tables entirely. Has anyone implemented this, or is there a recommended approach? Thanks in advance for any guidance. Best Regards, Prabhu KiranNew Blog | Vulnerability Management Dashboard: Microsoft Defender for Endpoint - Updated Release 240
By Nathan Hughes-Smith Introduction As Microsoft Cloud Solution Architects, we get asked by Businesses, IT Managers and Cybersecurity Experts to accurately report on the Vulnerabilities and CVEs in our environments. This could be as easy as just deploying Endpoint Protection updates or as advanced as deploying every category and 3rd Party Updates using Microsoft Defender for Endpoint. Vulnerability Management Dashboard: Microsoft Defender for Endpoint This Spring release involves implementing a cloud-based reporting and visualization solution that brings exposure to active threats into sharp focus. It is intended to provide value to IT Leaders, Stakeholders, Security & Compliance teams, and Operations Teams that are responsible for mitigating CVE documented risks. The reports provide rich drill throughs that enable full understanding of an organization's current data and trends. The data is sourced from Microsoft Defender for Endpoint using API calls, stored in a small serverless Azure SQL instance, and can be accessed from anywhere on any device. Outcomes Dashboard with a summary view that shows CVE vulnerability status for the current month, the previous month, and all prior. These views refresh daily on a desired scheduled time frame. Customization options to exclude specific CVEs and classes of vulnerabilities. Cloud installation that creates a small Azure serverless SQL instance, an Azure Automation Account, and an Azure Service Principal. The Report The report features 8 main pages to use as a starting point, with additional subpages and drill-ins to allow you to get the information the way you need to see it. Summary - View device compliance against CVEs, grouped by the last 3 monthly release cycles. Drill into devices with a specific status in a specific period to get a detailed list of devices and which CVEs have open vulnerabilities currently. Read the full post here: Vulnerability Management Dashboard: Microsoft Defender for Endpoint - Updated Release 2405What are the differences between "eDiscovery Search" and "content search"
Hi, I thought if anybody is able to explain what are the differences with "eDiscovery Case Search" and "Content Search"and what are scenarios when to choose one over other? So far I have understood that eDiscovery Manager can see all Content Searches from tenant, but for eDiscovery Search manager can see only own cases. I have also a feeling that eDiscovery Search is very much slower. At first I'm getting zero findings, while Content Search list all of the items. But then, after some hours eDiscovery Search start finding the same items. As a site note, I'm testing this to find chat messages (Teams and Skype) from already deleted user (inactive mailbox).
