Recent Discussions
Little warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.Share your experience with Microsoft Security Products on Gartner Peer Insights
At Microsoft, we believe the most valuable insights come from those who use our products every day. Your feedback helps other organizations make informed decisions and guides us in delivering solutions that truly meet your needs. We invite you to share your experiences with Microsoft Security products on Gartner Peer Insights. By leaving a review, you’ll help your peers confidently choose the right solutions and contribute to the ongoing improvement of our products and services. Why your review matters Empower others Your honest feedback helps fellow decision-makers understand how Microsoft Security products perform in real-world scenarios. Build community Sharing your experience fosters a community of practitioners who learn from each other’s successes and challenges. Drive innovation Your insights directly influence future product enhancements and features. How to participate Click on the Microsoft Security Product You would be prompted to log in or sign in to the site. Select the Microsoft Security product you know well. Share your experience, highlighting the features and outcomes that mattered most to you. It would take a few minutes to complete the survey. Rules and Guidelines Only Microsoft customers are eligible to submit reviews; partners and MVPs are not. Please refer to the Microsoft Privacy Statement and Gartner’s Community Guidelines and Gartner Peer Insights Review Guide for more information.
Authenticating using ConfidentialClient
Hello, Some of our customers are unable to send out automated emails because support for basic authentication with SMTP is being removed. I am looking at finding a solution and it seems the Graph API is the recommended approach. I have manage to create a working example using `PublicClientApplicationBuilder` however, this class displays a pop-up requiring the user to sign in, since we have automated services with no user interaction, this is not a good solution. I have seen some examples using `ConfidentialClientApplicationBuilder` and this seems idea. However, I have reached multiple dead-ends and everytime receive the error: > Confidential Client flows are not available on mobile platforms or on Mac.See https://aka.ms/msal-net-confidential-availability for details. Please would someone be able to help me. Why do I recieve this error? Whatever I do, whatever project I use, WinForm, Console app and Service I always get this error. I am storing my Client, Tenant and Secret in a database table and here is my code: ``` vb Private Async Function GetAppAuthentication() As Task(Of AuthenticationResult) Dim folderAccess = BLL.L2S.SystemApplicationGateway.GetFolderAccess(mBLL_SY.ReadonlyDbContext) If folderAccess Is Nothing Then Return Nothing End If Dim app = ConfidentialClientApplicationBuilder.Create(folderAccess.Client) _ .WithClientSecret(folderAccess.Secret) _ .WithTenantId(folderAccess.Tenant) _ .Build() Dim scopes As String() = {"https://outlook.office365.com/.default"} Dim result As AuthenticationResult = Await app.AcquireTokenForClient(scopes).ExecuteAsync() Return result End Function ``` I am using .Net Framework 4.7.2, we have Windows Services and WinForms apps and both need to send out emails. The error message is very confusing to me because of course it is not a mobile app, and I have even created a UnitTest that seemingly works fine which again is very confusing to me. This is urgent as this is already causing issues for our customers. Thanks in advanc
Getting Contextual Summary from SIT(Sensitive info types) via PowerShell cmd
Hi, I am using a PowerShell command(Export-ContentExplorerData) to extract data from an SIT. In the response, I am getting most of the data but I am interested in getting the matching primary element from Contextual summary(Content explorer) https://learn.microsoft.com/en-us/powershell/module/exchange/export-contentexplorerdataSensor install failing, error log indicates proxy issue
Hi Everyone, I was re-installing a sensor that was stuck on updates and I get an error in the logs - failed connecting to service. The issue can be caused by a transparent proxy configuration From what I can find that's related to either missing certificates or SSL inspection. The proxy works fine for other sensors and I know it's not inspecting this traffic anyway. I found a troubleshooting page that calls out the specific Root CA - "DigiCert Global Root G2" which exists on this machine. https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#proxy-authentication-problem-presents-as-a-connection-error I believe this sChannel error is related The remote server has requested SSL client authentication, but no suitable client certificate could be found. I am stumped at this point, any help is appreciated.
Clarification over "dormant" account status
I was looking today at our list of "Remove dormant accounts from sensitive groups" within Microsoft Defender for Identity, and one service account has caused a bit of discussion. The account would only be used on-premise and would never be carrying out authentications out of our estate. In this case would Defender for Identity still see the account as being "dormant", or is the reason because it's not carried out any of those off-estate authentications? Apologies if this is a simple question, but it would be very helpful to know the answer.
Multiple CA on same domain
We're about to deploy a new two-tier Windows PKI in domain which already has a 1-tier Enterprise CA and wonder of possible impacts on the current configurations. Devices and Users are auto-enrolling with the current CA through GPO and what can be the impact of the new CA ? How will the users get the certificate from the old or the new CA selectively? Is it just managed by the template's security settings, which by default allow authenticated users/devices to enroll? What sort of impact can we expect ? thanksConfusing content in several training modules
I have noticed the following content present in several training modules and I can only conclude that there are errors in the example URLs in the content. This slide is from the module called "Phishing website" but I have seen the same example in other modules. Note the following: the two example URLs in the slide are identical except for bold formatting, and this is confusing. Additionally, each example is confusing. In the section below Name, what point is served by the example URL? It seems as though the author wants the reader to understand the difference between URLs with replaced, additional, or missing characters. If we assume the reader believes their bank website may be mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksites.net, because this highlights the additional letter s in the address. But why highlight the other s in the address? And why include .135 in the example? In the section below Domain, it seems as though the author wants to teach the reader about domains (important parts of which one can find on both sides of the last period in a domain). If we assume the reader believes their bank website may be at my mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksite.135.net, because this highlights that 135.net is the part of the address that should receive the reader's focus. And what is the reader supposed to conclude from these two examples being identical? If the point is that the address is suspicious in two ways, then the slide should first introduce mybanksite.net as the correct URL. Most other slides in the training modules are excellent but I cannot feel good about assigning this misleading and confusing content to my users. Am I misunderstanding something?Fetching user/riskyusers/risk_detections info in incremental approach
Hi All, Using @odata.deltaLink I am able to track changes in Microsoft Graph data for users. DeltaLink we can’t get changes related to SIGNINACTIVITY, AUTHENTICATION_METHODS_USER_REGISTRATION_DETAILS , USER_APP_ROLE_ASSIGNMENT. At present risky_users and risky_detections are not supported by delta queries. Any other approach where we can track changes apart from DeltaLink. Note: Apart from storing in DB and comparing.
Meet Your New Cybersecurity Sidekick - Microsoft Security Copilot Agents
Imagine if your security team had a super-smart assistant that never sleeps, learns from every task, and helps stop cyber threats before they become disasters. That’s exactly what Microsoft’s new Security Copilot Agents are designed to do. Why Do We Need Them? Cyberattacks are getting sneakier and faster many now use AI to trick people or break into systems. In fact, 67% of phishing attacks in 2024 used AI. Meanwhile, security teams are drowning in alerts 66 per day on average and 73% of experts admit they’ve missed important ones. That’s where Security Copilot comes in. It’s like having an AI-powered teammate that helps you investigate threats, fix issues, and stay ahead of attackers. What Are Security Copilot Agents? Think of these agents as mini digital coworkers. They’re not just chatbots they’re smart, adaptable tools that: Learn from your feedback Work with your existing Microsoft security tools Help you make faster, better decisions Keep you in control while they handle the heavy lifting They’re built to be flexible and smart unlike traditional automation that breaks when things change. Real-World Examples of What They Do Here are a few of the agents already available: Phishing Triage Agent: Automatically checks if a suspicious email is a real threat or just spam. It explains its reasoning in plain language and learns from your feedback. Alert Triage Agents (in Microsoft Purview): Helps prioritize which security alerts matter most, so your team can focus on the big stuff first. Conditional Access Optimization Agent (in Microsoft Entra): Keeps an eye on who has access to what and flags any gaps in your security policies. Vulnerability Remediation Agent (in Microsoft Intune): Spots the most urgent software vulnerabilities and tells you what to fix first. Threat Intelligence Briefing Agent: Gives you a quick, customized report on the latest threats that could affect your organization. Even More Help from Partners Microsoft is also teaming up with other companies to build even more agents. For example: OneTrust helps with privacy breach responses. Tanium helps analysts make faster decisions on alerts. Fletch helps reduce alert fatigue by showing what’s most important. Aviatrix helps diagnose network issues like VPN or gateway failures. BlueVoyant: helps to assess your SOC and recommends improvements. Why It Matters These agents don’t just save time they help your team stay ahead of threats, reduce stress, and focus on what really matters. They’re like having a team of AI-powered interns who never get tired and are always learning. Learn More 📢 Microsoft Security Blog: Security Copilot Agents Launch 🎥 https://aka.ms/SecurityCopilotAgentsVideoHow to retrieve productName for incidents using Microsoft Graph API?
When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?
EDR logs explanation
Hello, would it be possible for an expert from this forum to analyze the EDR logs? Could you also explain to me in detail what happened? Furthermore, can you tell me if it is clearly established that the deleted files were deleted by someone physically present on the machine, or if there are other possible explanations? Thanks in advance.
DLP Alerts Issue - Windows Defender
Hi, I am encountering an issue where a single file containing multiple policy matches triggers multiple DLP alerts defined for Exchange. I would prefer to receive just one alert per email, regardless of the number of files or policy/rule matches in Windows Defender. Any suggestions on how to resolve this would be greatly appreciatedNew Blog Post | Migrating from Windows Information Protection to Microsoft Purview
By Edwin Chan Introduction In July 2022 we announced the sunsetting here: Announcing the sunset of Windows Information Protection (WIP) - Microsoft Community Hub of Windows Information Protection (WIP). The last version of windows to ship with WIP will be Win11 24H2, it will be the first version to not include WIP. However, the decryption capabilities will remain. Why are we doing this? Windows Information Protection, previously known as Enterprise Data Protection (EDP), was originally released to help organizations protect enterprise apps and data against accidental data leaks without interfering with the employee experience on Windows. Over time, many of you have expressed a need for a data protection solution that works across heterogenous platforms, and that allows you to extend the same sensitive data protection controls on endpoints that you have for the various SaaS apps and services you rely upon every day. To address these needs, Microsoft has built Microsoft Purview Data Loss Prevention (DLP), which is deeply integrated with Microsoft Purview Information Protection to help your organization discover, classify, and protect sensitive information as it is used or shared. What scenarios are in scope? WIP provided customers with the following key capabilities: Extend data protection to managed and unmanaged devices Protect enterprise data at rest when it's stored on a protected device Restrict which apps, removable drives, printers, network shares, and sites are allowed or restricted from copying, accessing, and storing sensitive data Classify data based upon the app or site where it was created, copied, or downloaded. Granular controls to designate different levels of data access restrictions Remote wipe sensitive data at rest How does deprecation impact WIP users? WIP as an offering is no longer under active feature development. The sunset process will follow the standard Windows client feature lifecycle, which shows which existing features and capabilities are supported and for what timelines. This was announced in July here. Following this deprecation announcement, the Microsoft Endpoint Manager team announced ending support for WIP without enrollment scenario by EOY 2022, which only impacts unmanaged devices. The announcement by the Microsoft Endpoint Manager team is here. Please visit the Microsoft Endpoint Manager announcement for the latest on the decommissioning of MEM’s support for the ‘unenrolled’ scenario. How should you respond to the deprecation notice? If you are using WIP without enrollment, Microsoft will be communicating with you directly about the impact to your devices and the timelines for that impact. Please keep an eye on the message center for the latest updates. Microsoft Endpoint Manager will continue to support WIP with enrollment (managed devices) scenarios for the duration of the OS lifecycle (until 2026) and will continue to offer options to enroll both corporate and personal devices for management (and subsequently to receive WIP policy). How do I start planning for this change? Refer to this chart for a breakdown of WIP capabilities and how they map to Purview: Read the full post here: Migrating from Windows Information Protection to Microsoft Purview
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
The second webinar bridges theory to practice. Now that you know why unification matters, it’s time to learn how to get started. In this foundations panel session hosted by Identity Expert, Merill Fe...
Online
Recent Blogs
- 4 MIN READAs organizations navigate the complexities of modern cloud environments, embedding security early in the architecture lifecycle proves invaluable. For privacy and compliance requirements I will p...Sep 24, 2025
- 7 MIN READIn today’s rapidly evolving threat landscape, cybersecurity demands more than just great technology—it requires great teamwork. That’s the story behind the collaboration between Microsoft Defender Ex...Sep 18, 2025
