Security and AI Essentials
Protect your organization with AI-powered, end-to-end security.
Defend Against Threats
Get ahead of threat actors with integrated solutions.
Secure All Your Clouds
Protection from code to runtime.
Secure All Access
Secure access for any identity, anywhere, to any resource.
Protect Your Data
Comprehensive data security across your entire estate.
Recent Blogs
Security operations are undergoing significant transformation driven by the introduction of AI and a rapidly evolving threat landscape. With Microsoft Sentinel data lake now generally available, orga...
Nov 05, 2025342Views
0likes
0Comments
Introduction
Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. In our re...
Nov 05, 2025150Views
0likes
0Comments
Introduction
Azure Application Gateway Web Application Firewall (WAF) now supports custom HTTP status codes and custom response bodies for blocked requests. This Public Preview feature gives you mo...
Nov 05, 202576Views
0likes
0Comments
3 MIN READ
Simplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.
Nov 04, 2025829Views
0likes
1Comment
Recent Discussions
Do the Entra sync/connect apps ever successfully update themselves?
Last week I had to download and install version 2.5.79.0 of the Entra Connect Sync Agent app on our Entra Connect server because I discovered the installed version was 2.4.21.0 and that version reaches end of support on November 15. Today, I happened to check on the version of the Entra Private Network Connector app on the two servers where we have that installed, and both are running version 1.5.3925.0, which was the latest available version at the time I installed it back in March. That version was from July 2024, and there have been three new releases since then, two of which "may perform auto-update of your connector". One of those servers was a new install, but the other one was an upgrade of the installed version of the Azure Application Proxy client, and while I don't recall which version specifically was installed, I know it was quite out of date. I'm curious: Has anyone ever actually seen either the Entra Connect Sync Agent or Entra Private Network Connector successfully upgrade themselves automatically?Solved
My companies app incorrectly detected as a trojan
Hi Team. I am the developer of a gaming geo fence and your system had falsely detected my app as Trojan:Script/Wacatac.C!ml I need help to remove it as it seems like analysts are no longer checking false detections anymore? ( at least to me it seems automatic now )? My app is a geo fence which creates firewall rules and use npcaap for packet capture to display server locations and the exe is encrypted to help fight against software pirates. Here is an example submission of my exe for my application https://www.microsoft.com/en-us/wdsi/submission/5ab00c91-ea84-4fbb-a739-613316b32dfe Please get an analyst to manually inspect the file and whitelist it as its a pain telling my customers to turn off their anti virus and also its not advice i should have to give to be honest. My company is called sbmmoff ltd https://papagal.bg/eik/207176266/58b9 Website is bflocker.com I really would appreciate a speedy response to resolve the situation and thank you for your time.Solved
Data Explorer does not see Access Controlled items in SharePoint & OneDrive
I have recently started working with sensitivity labels. I have one label that is access controlled (Confidential - Encrypted) that I have published and appears to be working. My question is, when I look in Data Explorer, at that label, it only shows that I have items in Exchange, no items in OneDrive where I have stored files with that label? What am I missing, why can Purview not see files with this label?Solved71Views0likes2Comments
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello, I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day. Here’s what I’ve observed so far: Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU. I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period. Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines. Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically. Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window: 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state... These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior. Questions for the community: Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019? Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines? Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender? Any guidance or advice would be really appreciated. Thanks, NikunjSolved
Auto classifcation policy - Sensitivity Lables - SIT - Fabric Delta Tables
Hi Everyone, Can you please anyone confirm, Can I apply sensitivity labels (Through Auto classification Policy) on Fabric Lakehouse delta tables using Purview Data Map. Its quite urgent, could you please confirm it. Regards, BanuMuraliSolved
Customize Synchronization Rule in Entra Connect Sync
Hi Everyone, I want to create a sync rule in Entra Connect Sync client so that only users based on a specific attribute sync to Entra ID and stop all other users in AD from syncing to Entra, how can I do that? Can someone here help me out!Solved84Views0likes2Comments
ASR rules enabled after onboarding Windows server
Hello, I tested onboarding Windows Server 2019 to Defender using local script and noticed that after onboarding some ASR rules are already enabled in Block mode by default: Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block credential stealing from the Windows local security authority subsystem (lsass.exe) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block executable content from email client and webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block JavaScript or VBScript from launching downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d Block all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a I haven't applied any group policies yet to it. The server is domain joined. Could it happen that it pulls the configuration from another place? ThanksSolved
Is it possible to prevent Microsoft Purview from being applied to M365 within the tenant?
Hello. Thank you for viewing my post. I am currently considering trying out Purview to enhance data management within Microsoft Fabric. However, I am facing an issue where I cannot proceed to proof-of-concept testing because the impact on the M365 environment used within the tenant is unknown. I have reviewed Microsoft's official information and understand the following: ・Using Purview features for M365 requires an E5 license ・Using Purview for Fabric requires a pay-as-you-go Purview subscription However, I still haven't confirmed what specific impact it might have on M365. I'm looking for ways to use Purview solely for Fabric, or methods to identify specific operations/settings that could affect M365. I would greatly appreciate any insights you could share.Solved51Views0likes1CommentIncorrect Secure Score recommendation - Remove unnecessary replication permissions
Hi, In our environment, we got the "Remove unnecessary replication permissions for Entra Connect AD DS Connector Account" secure score recommendation. Based on the https://learn.microsoft.com/en-us/defender-for-identity/remove-replication-permissions-microsoft-entra-connect replication permission is needed when PHS is in use. We are using PTA, but PHS is also enabled as a fallback. On the Entra Connect server I ran the following: Import-Module ADSyncDiagnostics Invoke-ADSyncDiagnostics -PasswordSync The result is: Password Hash Synchronization cloud configuration is enabled If I remove the replication permission, we soon receive an alert that password hash sync did not occour. Is it normal? I would say that the sensor should be able to detect PHS usage hence not recommending to remove the permissions. Thank you in advance, DanielSolved
Conditional Access - Non Entra Devices - Exclude from CA
Hey, We are running CA. Everythings runs good. We have one problem. We have a RDS Terminal Server 2022. Employees log from homeoffice into this server to work with our erp or outlook. So here is the problem. Outlook doesnt have access, because this terminal server isn't hybrid joined. Any idea how i can exclude this server from CA? Only idea from me is to exclude OSVersion, but thats not so good solution for me. PeterSolved53Views0likes2Comments
Workload ID Premium, CAP policies with multitenant apps
Hi everyone This is a quote from the documentation at https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity Note Policy can be applied to single tenant service principals that are registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. My question - how is this to be understood: Is there a technical limitation that makes it impossible to protect multitenant apps (meaning service principals in all but the home tenant can not be protected by CAP, even with premium licence) Is this strictly licensing perspective - single licence cover the SP in home tenant, while a separate licence is required in each additional tenant where related Service Principal is present ThanksSolved60Views0likes3CommentsDefender is missing logs for files copied to USB device on Mac devices
Hello, I am currently facing an issue with Defender not logging files copied to USBs. Using the KQL below, I can only see .exe files copied, but nothing when it comes to .pdf, .docx. .zip and other standard file extensions. Has someone come across this issue before? Any help is greatly appreciated let UsbDriveMount = DeviceEvents | where ActionType=="UsbDriveMounted" | extend ParsedFields=parse_json(AdditionalFields) | project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated, ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer | order by DeviceId asc, MountTime desc; let FileCreation = DeviceFileEvents | where InitiatingProcessAccountName != "system" | where ActionType == "FileCreated" | where FolderPath !startswith "C:\\" | where FolderPath !startswith "\\" | project ReportId,DeviceId,InitiatingProcessAccountDomain, InitiatingProcessAccountName,InitiatingProcessAccountUpn, FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied | order by DeviceId asc, TimeGenerated desc; FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId | where FolderPath startswith DriveLetter | where TimeGenerated >= MountTime | partition hint.strategy=native by ReportId ( top 1 by MountTime ) | order by DeviceId asc, TimeGenerated desc | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "") | extend FileHashAlgorithm = 'SHA256'SolvedConditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. PeterSolved
"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on I would guess 5% - 10% of our submissions.SolvedCan't update Defender app on macOS
Hello, We started getting this situation where Defender for macOS can't be updated: Microsoft Defender 101.25072 Current Version: 101.25062 Installed: 2025-08-05 Update error: The update could not be installed at this time. Please try again later. Microsoft AutoUpdate is up to date. Operating System Version: 15.6.1 Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1) What could be causing this? And what can we do about it?Solved2.4KViews5likes7CommentsGraph API - Difference in Calendar events between users
Hi All, I have a .NET 3.1 WebApp running an Application Permission Graph API instance. I have noticed some discrepancies when using the .Calendar.CalendarView and .Events extensions. I have found that some events, that should be returned, aren't returned by the API. This is my C# code that I use: ICalendarCalendarViewCollectionPage response = await _graphClient.Users[userId].Calendar.CalendarView .Request(new List { new QueryOption("startDateTime", startDate.ToString("yyyy-MM-ddTHH:mm:ssZ")), new QueryOption("endDateTime", endDate.ToString("yyyy-MM-ddTHH:mm:ssZ")) }) .Header("Prefer", "outlook.timezone=\"Europe/London\"") .GetAsync(); Where startDate is a Monday, and endDate is a Sunday. The UserId is definitely correct as it does return some correct events. For example, I and another colleague are booked onto a Recurring Teams Meeting. Neither of us are the organiser but the organiser does exist in the tenant. When I call the code block above, the meeting IS CORRECTLY returned from that call in the response. But if I switched the UserId to my Colleague's UserId, it won't return that meeting from the API. The meeting DOES show on both of our calendars on Outlook Old & New. I use the old version of outlook, and he uses the new version of outlook. I'd also like to note that some recurring meetings do show up on the faulty user's Calendar View, just certain ones do not, so I'm pretty sure that the fact that the event is recurring doesn't matter. Does anyone have any insight into this? ThanksSolvedDefender email audit - sensitive info in subject line
We are doing security auditing of emails. I'm familiar with the Defender portal, not too in-depth though (have not had time to play around) and not so with Sentinel or KQL yet. In the course of my audits, I have been finding people may encrypt emails but still have sensitive information in the subject line. Common understanding that internal emails would not leave the org so encryption is not mandatory (though I have disagreement on that). So auditing emails going external. In M365 Defender >> Email & Collaboration >> Explorer section, I did a search: keyword: "SSN" sender domain: equals my org recipient domain: equals non of my org What are some sensitive information keywords or phrases in the subject line searches in M365 Defender (security.microsoft.com)? So far I have compiled this list to (sucks M365 Defender does not allow searching with wildcards or patterns): SSN social security TIN DOB account acct passport license DLSolved83Views0likes1Comment
