Recent Discussions
Exclude Devices from Secure Score
I have a scenario where DevOps devices are spun up in the environment and onboarded to Defender then after very short periods of time never used again. Leaving thousands of devices onboarded which are not in use/live anymore. With the devices being onboarded to DFE this affects the Secure Score significantly, the hosts use a specific host name prefix and we were looking to see if there was a way to have Secure Score exclude these devices as they greatly impact the overall %.
Defender tagging based on Intune App policy
Will the issue about tagging devices in the security centre with MDE-management ever be resolved? this has been ongoing for over 10 months and will allow us to smoothly tag and group items in the defender section a whole lot easier. For some of our clients we NEED this as the current abilities are so basic and useless considering defenders awful naming method. "Use of dynamic device tagging capabilities in Defender for Endpoint to tag devices with MDE-Management isn't currently supported with security settings management. Devices tagged through this capability don't successfully enroll. This is currently under investigation." https://learn.microsoft.com/en-us/defender-xdr/configure-asset-rules
ADR: Audited detections not showing in Microsoft Defender
Hi all, I am trying to figure out why the Attack surface reduction rules report does not show me any audited detections. Specifically, I am testing out the rule Block process creations originating from PSExec and WMI commands in Audit mode. A test was run on the endpoint by starting a WMI process and an event was logged to Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational. Any ideas?
How to practice SC-200 content on an empty tenant
Hello, I am following the SC 200 course on Microsoft Learn. It is great and everything but my m365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL and microsoft provides some datasets for practice. Are there any such data I can load on my tenant for threat hunting and other SC-200 related practices or is there an isolated simulation environment I can use for learning?Secure Score - Secure Home Folders in macOS
I've performed the recommended manual remediation action (sudo chmod -R og-rw /Users/) on my Macs but Secure Score doesn't recognize it. I have noticed this occurring for a few item. We have also remediated some things through InTune but still seem to have no movement on the SecureScore. Is this a glitch within or am I missing something altogether. ThanksNew Blog Post | How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook
How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook - Azure Cloud & AI Domain Blog (azurecloudai.blog) I’ve known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses. HaveIBeenPwned is a great resource developed and maintained by Troy. It provides the ability to query against its database to expose domains or user accounts that have been caught up in any of the number of reported industry data breaches. Wouldn’t it be nice, then, to have this data available for your Microsoft Sentinel investigations? Fortunately, Troy provides an API for his service. I’ve provided a Microsoft Sentinel Playbook that takes email addresses associated with an Incident and submits them through the API and returns a quick note to the Comments tab in the Incident as to whether or not the email address(es) has been compromised.
Little warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.Want to earn an Exclusive Security Tech Community Badge? Take our quick survey!
Hey there Security Tech Community! As we prepare for Microsoft Ignite, we’re building a focused, practitioner-led security roundtable and we want your input to ensure it reflects the most relevant and pressing topics in the field. We invite you to take a short survey and share the security topics, trends, and technical questions you want to see covered. Your input will directly influence the structure and substance of the Ignite Security Roundtable. The first 5 people to post a screenshot for proof of survey completion in the comments below will receive this "Microsoft Security Star" Badge to add to their Tech Community profile! TAKE THE SURVEY NOW: https://aka.ms/IgniteSecurityRoundtableSurvey2025Share your experience with Microsoft Security Products on Gartner Peer Insights
At Microsoft, we believe the most valuable insights come from those who use our products every day. Your feedback helps other organizations make informed decisions and guides us in delivering solutions that truly meet your needs. We invite you to share your experiences with Microsoft Security products on Gartner Peer Insights. By leaving a review, you’ll help your peers confidently choose the right solutions and contribute to the ongoing improvement of our products and services. Why your review matters Empower others Your honest feedback helps fellow decision-makers understand how Microsoft Security products perform in real-world scenarios. Build community Sharing your experience fosters a community of practitioners who learn from each other’s successes and challenges. Drive innovation Your insights directly influence future product enhancements and features. How to participate Click on the Microsoft Security Product You would be prompted to log in or sign in to the site. Select the Microsoft Security product you know well. Share your experience, highlighting the features and outcomes that mattered most to you. It would take a few minutes to complete the survey. Rules and Guidelines Only Microsoft customers are eligible to submit reviews; partners and MVPs are not. Please refer to the Microsoft Privacy Statement and Gartner’s Community Guidelines and Gartner Peer Insights Review Guide for more information.
Authenticating using ConfidentialClient
Hello, Some of our customers are unable to send out automated emails because support for basic authentication with SMTP is being removed. I am looking at finding a solution and it seems the Graph API is the recommended approach. I have manage to create a working example using `PublicClientApplicationBuilder` however, this class displays a pop-up requiring the user to sign in, since we have automated services with no user interaction, this is not a good solution. I have seen some examples using `ConfidentialClientApplicationBuilder` and this seems idea. However, I have reached multiple dead-ends and everytime receive the error: > Confidential Client flows are not available on mobile platforms or on Mac.See https://aka.ms/msal-net-confidential-availability for details. Please would someone be able to help me. Why do I recieve this error? Whatever I do, whatever project I use, WinForm, Console app and Service I always get this error. I am storing my Client, Tenant and Secret in a database table and here is my code: ``` vb Private Async Function GetAppAuthentication() As Task(Of AuthenticationResult) Dim folderAccess = BLL.L2S.SystemApplicationGateway.GetFolderAccess(mBLL_SY.ReadonlyDbContext) If folderAccess Is Nothing Then Return Nothing End If Dim app = ConfidentialClientApplicationBuilder.Create(folderAccess.Client) _ .WithClientSecret(folderAccess.Secret) _ .WithTenantId(folderAccess.Tenant) _ .Build() Dim scopes As String() = {"https://outlook.office365.com/.default"} Dim result As AuthenticationResult = Await app.AcquireTokenForClient(scopes).ExecuteAsync() Return result End Function ``` I am using .Net Framework 4.7.2, we have Windows Services and WinForms apps and both need to send out emails. The error message is very confusing to me because of course it is not a mobile app, and I have even created a UnitTest that seemingly works fine which again is very confusing to me. This is urgent as this is already causing issues for our customers. Thanks in advanc
Quarantine emails marked as High Confidence Phish are being system released
I have a group of about 20 emails that were in quarantine, and within moments they were released by 'System release' There are multiple different domains being released, and all of them have a High Confidence Phish level. Since it is a system release, I cannot submit anything to Microsoft other than it appears clean. Is anyone else experiencing this?Alert Not Found
We are receiving the following the follow alert from Defender; 2025-08-15T09:26:42-07:00 {SERVERNAME} CEF[6208]0|Microsoft|Azure ATP|##########|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2025-08-15T16:23:14.5550516Z app=Ntlm shost=NULL shostfqdn= msg=An actor on NULL performed suspicious account enumeration, exposing 6 existing account names. externalId=2003 cs1Label=url cs1=https://security.microsoft.com/alerts/xx###xxxx-#xx#-####-#x##-##x##x#x#x#x cs2Label=trigger cs2=update But when we go to the URL listed, we get an error that it can't be found. We are able to see other alerts that come in. How do I go about finding the details on this error?
Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra, my objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You! //Advanced Hunting query to parse modified: //StrongAuthenticationUserDetails (SAUD) //StrongAuthenticationMethod (SAM) let SearchWindow = 1h; let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]); let AuthenticationMethodChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationMethod" | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId; let OldValues = AuthenticationMethodChanges | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue)) | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType); let NewValues = AuthenticationMethodChanges | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue)) | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType); let RemovedMethods = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.") | extend ChangedValue = "Method Removed"; let AddedMethods = AuthenticationMethodChanges | join kind=inner NewValues on ReportId | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.") | extend ChangedValue = "Method Added"; let DefaultMethodChanges = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=inner NewValues on ReportId | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true" | join kind=inner OldValues on ReportId | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType | extend Old_MethodType = Old_MethodType1 | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").") | extend ChangedValue = "Default Method"; let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges | project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty( New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)])); let AuthenticationDetailsChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | extend ReportId= tostring(RawEventData.ReportId) | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationUserDetails" | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]","")) | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]","")) | mv-expand NewValue | mv-expand OldValue | where (tostring( bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null") | extend ChangedValue = tostring(bag_keys(NewValue)[0]) | extend OldValue = tostring(parse_json(OldValue)[ChangedValue]) | extend NewValue = tostring(parse_json(NewValue)[ChangedValue]) | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue ) | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue ) | where tostring(OldValue) != tostring(NewValue) | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication.")); union AuthenticationMethodReport, AuthenticationDetailsChanges | extend AccountUpn = Target | where Timestamp > ago(SearchWindow) //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | summarize arg_max(Timestamp, *) by Action | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | sort by Timestamp desc
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
The second webinar bridges theory to practice. Now that you know why unification matters, it’s time to learn how to get started. In this foundations panel session hosted by Identity Expert, Merill Fe...
Online
Recent Blogs
- 4 MIN READAs organizations navigate the complexities of modern cloud environments, embedding security early in the architecture lifecycle proves invaluable. For privacy and compliance requirements I will p...Sep 24, 2025
- 7 MIN READIn today’s rapidly evolving threat landscape, cybersecurity demands more than just great technology—it requires great teamwork. That’s the story behind the collaboration between Microsoft Defender Ex...Sep 18, 2025
