Recent Blogs
Member: TysonPaul | Microsoft Community Hub
Reimagining AI at scale: NVIDIA GB300 NVL72 on Azure
Team Blog: Azure Infrastructure
Author: gwaqar
Published: 10/28/2025
Summary: Microsof...
Nov 06, 2025
Introduction
As a Microsoft MVP (Most Valuable Professional) specializing in SIEM, XDR, and Cloud Security, I have witnessed the rapid evolution of cybersecurity technologies, especially those de...
Nov 06, 2025
When it comes to securing your multicloud environment, Microsoft Defender Cloud Security Posture Management offers a powerful suite of agentless capabilities. This blog post walks through a fast-star...
Nov 06, 2025
This article is part of The Sentinel data lake Practitioner Series. Part 1 of the series focuses on operationalizing the Sentinel data lake and our strategic vision for the customers. This series is ...
Nov 06, 2025
Recent Discussions
MDI AD CS sensor not switching from removed DC
We are in the process of replacing our Domain Controllers. What I found is that the MDI sensor on our PKI server is still stuck with a domain controller which has been demoted and removed from the domain. (Sensor version: 2.250.18972.18405) I guess, if I reinstall the sensor, it will find a new domain controller - but what if it finds a DC that is to be decommissioned? Should I reinstall the sensor until it chooses a "new" DC? Thank you in advance, Daniel
Some Fabric Lakehouse tables not appearing in Microsoft Purview after scan
Hi everyone, I’m running into an issue where several tables from a Fabric Lakehouse aren’t appearing in Microsoft Purview after a workspace scan.
Here’s the situation: I scanned a Fabric workspace that contains multiple Lakehouses. For most Lakehouses, the tables appear correctly in Purview after the scan. However, for one specific Lakehouse, several tables that I know exist aren’t showing up in the scanned assets — even after adding the Lakehouse as an asset to a data product in the Unified Catalog.
What I’ve tried: I rescanned the workspace and the specific Lakehouses. I verified that the tables are persistent (not temporary) and appear under the Tables section in Fabric, not only as files. I confirmed permissions for the Purview connection account.
Scan results and errors: After the rescan, the tables still didn’t appear. The scan logs show several ingestion errors with messages like: Failed to ingest asset with type fabric_lakehouse and qualified name [qualified name] due to invalid data payload to data map. I checked the error entries to see which assets they point to, and none of them are related to the tables in the Lakehouse in question. There were four of these errors in the last run.
Additional context: Some older Lakehouses that had been archived months ago in Fabric still appeared as active in Purview before the rescan, so there may be stale metadata being retained.
Notes: I’m aware Fabric scanning in Purview currently has sub-item scanning limitations where item-level metadata is prioritised, and individual tables aren’t always picked up. But given that tables from other Lakehouses appear as expected, and given the ingestion errors (even though the errors do not point to the missing tables), it feels like there may be a metadata sync or processing issue rather than a simple coverage limitation.
Question: Has anyone encountered this behaviour or the “invalid data payload to data map” error before?
Any guidance on further troubleshooting steps would be appreciated. Thanks in advance!
Unified detection rule management
Hi, I attended the webinar yesterday regarding the new unified custom detection rules in Defender XDR. I was wondering about the management of a library of rules. As with any SOC, our solution has a library of custom rules which we manage in a release cycle for a number of clients in different Tenants. To avoid having to manage rules individually we use the JSON approach, importing the library so it will update rules that we need to tune. Currently I'm not seeing an option to import unified detection rules in Defender XDR via JSON. Is that a feature that will be added? Thanks Ziv
Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppressed unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Microsoft Sentinel device log destination roadmap
I just attended the 11/5/2025 Microsoft webinar "Adopting Unified Custom Detections in Microsoft Sentinel via the Defender Portal: Now Better Than Ever" and my question posted to Q&A was not answered by the team delivering the session. The moderator told us that if our question was not answered we were to post the question in this forum. Here is the question again: "Will firewall and other device logs continue to go to Azure Log Analytics indefinitely? By Indefinitely I mean not changing in the roadmap to something else like Data Lake or Event Grid/Service Bus, etc." Thank you, John
How to offboarding endpoint from Purview
Hi I'm a fresh user of Purview and after creating policies linked to Exchange, I've enabled the onboarding of computers. Unfortunately, all Defender endpoints have been onboarded, and I've not been able to define which one was concerned. Now, I would like to offboard all those devices from Purview and only keep them in Defender without any DLP protection. I tried to remove them with the onboarding script, but my endpoints are still present in Purview. How can I completely remove them? Thanks for your help Yohann
Cannot update Case number in Microsoft Purview eDiscovery
I can no longer update the Case number under case settings in the new eDiscovery UI. I used to be able to update it via the externalId Graph endpoint but that appears to be deprecated. The error simply reads "update failed" - there is no additional information. Is anyone else having this problem?
Explorer permission to download an email
Global Admin is allegedly not sufficient access to download an email. So I have a user asking for a copy of her email, and I'm telling her 'sorry, I don't have that permission, I'm only global admin'. What? The documentation basically forces you to use the new terrible 'role group' system. I see various 'roles' that you need to add to a 'role group' in order to do this. Some mention Preview, some mention Security Administrator, some mention Security Operator. I've asked copilot 100 different times, and he keeps giving me made up roles. But then linking to the made up role. How is such a basic functionality broken? It makes 0 sense. I don't want to submit this email - it's not malware or anything. I just want to download the **bleep** thing, and I don't want to have to go through the whole poorview process. This is really basic stuff. I can do this on about 10% of my GA accounts. There's no difference in the permissions - it just seems inconsistent.
Sentinel to Defender webinar series CANCELLED, will be rescheduled at a later date.
The Sentinel to Defender webinar series has been cancelled. Please visit aka.ms/securitycommunity to sign up for upcoming Microsoft Security webinars and to join the mailing list to be notified of future sessions. We apologize for any inconvenience.
Defender for Endpoint - macOS scan takes 1 second
Hello, We use Defender for Endpoint on macOS deployed by Mosyle MDM. However, we noticed that when a user runs a quick or full scan, that action takes 1 second and that is it - 0 files scanned. This used to work before; I happen to have a screenshot: Now, if I run a scan from the command line, again the same: We use config profiles from here: https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles mdatp health output: Did anyone have this issue? Thanks!
Kql query that search reg key
Hey I created the next kql query but unfortunately I get 0 devices on the results:
// Search for creation, modification, or deletion events for the specified ESU registry key
DeviceRegistryEvents
| where RegistryKey has_any (@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU", @"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ESU")
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Am I doing something wrong? Thanks Elad.
Hundreds of DSM-Synology NAS work files are intercepted by Defender as threats!
Hi everyone. . . Sorry, long... For a couple of days now, I've been experiencing an annoying, persistent, and unresolvable problem affecting the Synology Drive Client 3.5.2 working folder D:\.SynologyWorkingDirectory. I'm running Windows 11 Pro 64-bit v25H2, and a couple of days ago, I accidentally discovered that Windows Defender has become incredibly slow when launched from its taskbar icon. Once I opened Defender, it presented a report with HUNDREDS (!) of threats, all caused by (temporary?) files in the hidden working folder "D:\.SynologyWorkingDirectory." The vast majority of the threats were eliminated. However, a few were classified as "severe" and warned that Defender may not have been able to completely eliminate the threat. I'm almost certain these aren't real threats, partly because of my extreme care with my browsing habits and behavior, but primarily because there are hundreds of them and they're constantly being created, exclusively in the D:\.SynologyWorkingDirectory folder. Defender, for its part, constantly deletes them, making it incredibly slow, and opening its history is equally slow. I ran a thorough system scan with Defender, both online and offline, but nothing was found. I also ran a scan with MalwareBytes, and nothing was found, perhaps also because the files are quickly deleted by Defender. I therefore suspect that Windows Defender has arbitrarily classified Synology's temporary files as threats. Even deleting Windows Defender's history was a painstaking task due to numerous (!) failed attempts due to the low-level and operational protections in Windows 11 Pro 64-bit v25H2. The only solution was to boot WinRE from a Windows installation USB drive, then delete the scans folder (D:\ProgramData\Microsoft\Windows Defender\Scans) from DOS. I also had to obtain the Bitlocker key, but clearing the history is pointless because it continually recreates itself with new detections! I'm forced to pause Synology Drive Client v3.5.2. 
How can I get support for this issue? Regards
Need Powershell Script for consolidated report of Active Directory users
Dear Experts, I need a consolidated report for the following instances for Active Directory users -->
1) All LIVE AD Users with “CREATED ON” header
2) Inactive Users (No Login in 90+ Days)
3) Users with “Password Never Expires” Mark
4) Users Who Never Logged In – Users never logged on
5) Users with Old Passwords (Not Changed in 90+ Days)
6) Disabled User Accounts with “Disabled ON” header
7) Inactive Computers (No Logon in 60+ Days)
8) Disabled Computer Accounts
9) Last User Logged in, on computers
10) ALL Users' with Last Password Change Date
Kindly share the powershell script for the same ASAP. ..Ajit
Duplicate file detection
Hi Community, I need to scan multiple windows file servers using Microsoft Purview and one of the asks is to detect and identify duplicate files on those. Can someone please guide how that can be accomplished. What functionality needs to be used and how to go about duplicate detection? Note that this is primarily duplicate finding assignment for files as in office documents and pdfs. Thanks.
Entra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo videos, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
MS Purview Data Map - Sensitivity Label - Atlas API
Hi Everyone, Can someone confirm if it’s possible to update the Sensitivity label column in the Microsoft Purview Unified Data Catalog using the Atlas API? Since Microsoft Fabric currently does not support the auto-labeling feature in the Data Map, can we apply sensitivity labels to Fabric assets in the catalog through the Atlas API? Regards, BanuMurali
Detecting Duplicate Documents
I am looking for an approach to identify duplicate documents within and across file servers of an organisation. What functionalities would be used for this and preferably if someone can provide a practical, step by step approach it will help. Am relatively new to Purview. Understand this should be probably possible using Information protection, but not clear exactly how. Thanks for help.