Recent Discussions
Exclude Devices from Secure Score
I have a scenario where DevOps devices are spun up in the environment and onboarded to Defender then after very short periods of time never used again. Leaving thousands of devices onboarded which are not in use/live anymore. With the devices being onboarded to DFE this affects the Secure Score significantly, the hosts use a specific host name prefix and we were looking to see if there was a way to have Secure Score exclude these devices as they greatly impact the overall %.
ADR: Audited detections not showing in Microsoft Defender
Hi all, I am trying to figure out why the Attack surface reduction rules report does not show me any audited detections. Specifically, I am testing out the rule Block process creations originating from PSExec and WMI commands in Audit mode. A test was run on the endpoint by starting a WMI process and an event was logged to Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational. Any ideas?
Defender tagging based on Intune App policy
Will the issue about tagging devices in the security centre with MDE-management ever be resolved? this has been ongoing for over 10 months and will allow us to smoothly tag and group items in the defender section a whole lot easier. For some of our clients we NEED this as the current abilities are so basic and useless considering defenders awful naming method. "Use of dynamic device tagging capabilities in Defender for Endpoint to tag devices with MDE-Management isn't currently supported with security settings management. Devices tagged through this capability don't successfully enroll. This is currently under investigation." https://learn.microsoft.com/en-us/defender-xdr/configure-asset-rulesLittle warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.
How to practice SC-200 content on an empty tenant
Hello, I am following the SC 200 course on Microsoft Learn. It is great and everything but my m365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL and microsoft provides some datasets for practice. Are there any such data I can load on my tenant for threat hunting and other SC-200 related practices or is there an isolated simulation environment I can use for learning?Share your experience with Microsoft Security Products on Gartner Peer Insights
At Microsoft, we believe the most valuable insights come from those who use our products every day. Your feedback helps other organizations make informed decisions and guides us in delivering solutions that truly meet your needs. We invite you to share your experiences with Microsoft Security products on Gartner Peer Insights. By leaving a review, you’ll help your peers confidently choose the right solutions and contribute to the ongoing improvement of our products and services. Why your review matters Empower others Your honest feedback helps fellow decision-makers understand how Microsoft Security products perform in real-world scenarios. Build community Sharing your experience fosters a community of practitioners who learn from each other’s successes and challenges. Drive innovation Your insights directly influence future product enhancements and features. How to participate Click on the Microsoft Security Product You would be prompted to log in or sign in to the site. Select the Microsoft Security product you know well. Share your experience, highlighting the features and outcomes that mattered most to you. It would take a few minutes to complete the survey. Rules and Guidelines Only Microsoft customers are eligible to submit reviews; partners and MVPs are not. Please refer to the Microsoft Privacy Statement and Gartner’s Community Guidelines and Gartner Peer Insights Review Guide for more information.
Authenticating using ConfidentialClient
Hello, Some of our customers are unable to send out automated emails because support for basic authentication with SMTP is being removed. I am looking at finding a solution and it seems the Graph API is the recommended approach. I have manage to create a working example using `PublicClientApplicationBuilder` however, this class displays a pop-up requiring the user to sign in, since we have automated services with no user interaction, this is not a good solution. I have seen some examples using `ConfidentialClientApplicationBuilder` and this seems idea. However, I have reached multiple dead-ends and everytime receive the error: > Confidential Client flows are not available on mobile platforms or on Mac.See https://aka.ms/msal-net-confidential-availability for details. Please would someone be able to help me. Why do I recieve this error? Whatever I do, whatever project I use, WinForm, Console app and Service I always get this error. I am storing my Client, Tenant and Secret in a database table and here is my code: ``` vb Private Async Function GetAppAuthentication() As Task(Of AuthenticationResult) Dim folderAccess = BLL.L2S.SystemApplicationGateway.GetFolderAccess(mBLL_SY.ReadonlyDbContext) If folderAccess Is Nothing Then Return Nothing End If Dim app = ConfidentialClientApplicationBuilder.Create(folderAccess.Client) _ .WithClientSecret(folderAccess.Secret) _ .WithTenantId(folderAccess.Tenant) _ .Build() Dim scopes As String() = {"https://outlook.office365.com/.default"} Dim result As AuthenticationResult = Await app.AcquireTokenForClient(scopes).ExecuteAsync() Return result End Function ``` I am using .Net Framework 4.7.2, we have Windows Services and WinForms apps and both need to send out emails. The error message is very confusing to me because of course it is not a mobile app, and I have even created a UnitTest that seemingly works fine which again is very confusing to me. This is urgent as this is already causing issues for our customers. Thanks in advanc
Quarantine emails marked as High Confidence Phish are being system released
I have a group of about 20 emails that were in quarantine, and within moments they were released by 'System release' There are multiple different domains being released, and all of them have a High Confidence Phish level. Since it is a system release, I cannot submit anything to Microsoft other than it appears clean. Is anyone else experiencing this?Alert Not Found
We are receiving the following the follow alert from Defender; 2025-08-15T09:26:42-07:00 {SERVERNAME} CEF[6208]0|Microsoft|Azure ATP|##########|AccountEnumerationSecurityAlert|Account enumeration reconnaissance|5|start=2025-08-15T16:23:14.5550516Z app=Ntlm shost=NULL shostfqdn= msg=An actor on NULL performed suspicious account enumeration, exposing 6 existing account names. externalId=2003 cs1Label=url cs1=https://security.microsoft.com/alerts/xx###xxxx-#xx#-####-#x##-##x##x#x#x#x cs2Label=trigger cs2=update But when we go to the URL listed, we get an error that it can't be found. We are able to see other alerts that come in. How do I go about finding the details on this error?
Microsoft Defender Value Report does not have data
Hi, I was to report for the Month end of July 2025. I usually source data from the Monthly Security Report from the Microsoft Defender Reports. But since Aug 1 this has been the result. Any insight on this? I already have made changes to the monthly report, but this helps us greatly since this is a one stop shop for data we use. Thanks in advance.Low success rate of active name resolution NetBIOS (failed rates 80%) andRdpTls (failed rate 90%).
Low success rate of active name resolution Three Domain controllers are failing name resolution using NetBIOS (failed rates 80%), NetworkNameResolverMethod RdpTls (failed rate 90%) however RPC over NTLM and reverse DNS working confirmed by Microsoft support.The three domain controllers are runing windows server 2016 with the installed Azure ATP Sensor on the DCs is version is 2.243 I need assistance how to get this issue resoves on the failing three dc please.Getting Contextual Summary from SIT(Sensitive info types) via PowerShell cmd
Hi, I am using a PowerShell command(Export-ContentExplorerData) to extract data from an SIT. In the response, I am getting most of the data but I am interested in getting the matching primary element from Contextual summary(Content explorer) https://learn.microsoft.com/en-us/powershell/module/exchange/export-contentexplorerdataScheduling attack simulations
I'm starting to use the Defender attack simulation feature. I have approx. 3000 users to target. Leadership don't want to send 3000 tests every month rather divide the people up across 12 months sending smaller monthly batches. The issue of not being enough tests for each individual is there a way to automate the sending of these to even batches of people across 12 months rather than having to set these up manually?Sensor install failing, error log indicates proxy issue
Hi Everyone, I was re-installing a sensor that was stuck on updates and I get an error in the logs - failed connecting to service. The issue can be caused by a transparent proxy configuration From what I can find that's related to either missing certificates or SSL inspection. The proxy works fine for other sensors and I know it's not inspecting this traffic anyway. I found a troubleshooting page that calls out the specific Root CA - "DigiCert Global Root G2" which exists on this machine. https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#proxy-authentication-problem-presents-as-a-connection-error I believe this sChannel error is related The remote server has requested SSL client authentication, but no suitable client certificate could be found. I am stumped at this point, any help is appreciated.Agent install error
Hi Everyone, One of the servers running the agent was failing to update so I attempted a reinstall. During install it fails / rollsback with an error in the log stating "failed connecting to service. The issue can be caused by a transparent proxy configuration". The device does use a proxy set via netsh, and I've tried specifying it on the command line of the install. I have read elsewhere that this can be related to SSL inspection or an issue with Root CAs on the device. I know there is no inspection going on in this case. I have compared the Root CA list on this device to working devices and don't see anything related to Microsoft that is different. Any ideas?Help! Sensitivity label applied to whole tenant mistakenly with Watermark
We create a sensitivity label to have a watermark to be applied on the files on where it assigned but accidentally or due to misconfiguration, the watermark applied to whole tenant and the files, need a solution to automatically removed these watermarks from the files wherever it is applied. Please assist, TIA... .
Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra, my objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You! //Advanced Hunting query to parse modified: //StrongAuthenticationUserDetails (SAUD) //StrongAuthenticationMethod (SAM) let SearchWindow = 1h; let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]); let AuthenticationMethodChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationMethod" | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId; let OldValues = AuthenticationMethodChanges | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue)) | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType); let NewValues = AuthenticationMethodChanges | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue)) | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType); let RemovedMethods = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.") | extend ChangedValue = "Method Removed"; let AddedMethods = AuthenticationMethodChanges | join kind=inner NewValues on ReportId | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.") | extend ChangedValue = "Method Added"; let DefaultMethodChanges = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=inner NewValues on ReportId | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true" | join kind=inner OldValues on ReportId | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType | extend Old_MethodType = Old_MethodType1 | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").") | extend ChangedValue = "Default Method"; let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges | project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty( New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)])); let AuthenticationDetailsChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | extend ReportId= tostring(RawEventData.ReportId) | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationUserDetails" | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]","")) | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]","")) | mv-expand NewValue | mv-expand OldValue | where (tostring( bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null") | extend ChangedValue = tostring(bag_keys(NewValue)[0]) | extend OldValue = tostring(parse_json(OldValue)[ChangedValue]) | extend NewValue = tostring(parse_json(NewValue)[ChangedValue]) | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue ) | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue ) | where tostring(OldValue) != tostring(NewValue) | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication.")); union AuthenticationMethodReport, AuthenticationDetailsChanges | extend AccountUpn = Target | where Timestamp > ago(SearchWindow) //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | summarize arg_max(Timestamp, *) by Action | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | sort by Timestamp desc
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
The second webinar bridges theory to practice. Now that you know why unification matters, it’s time to learn how to get started. In this foundations panel session hosted by Identity Expert, Merill Fe...
Online
Recent Blogs
- 4 MIN READAs organizations navigate the complexities of modern cloud environments, embedding security early in the architecture lifecycle proves invaluable. For privacy and compliance requirements I will p...Sep 24, 2025
- 7 MIN READIn today’s rapidly evolving threat landscape, cybersecurity demands more than just great technology—it requires great teamwork. That’s the story behind the collaboration between Microsoft Defender Ex...Sep 18, 2025
