Security and AI Essentials
Protect your organization with AI-powered, end-to-end security.
Defend Against Threats
Get ahead of threat actors with integrated solutions.
Secure All Your Clouds
Protection from code to runtime.
Secure All Access
Secure access for any identity, anywhere, to any resource.
Protect Your Data
Comprehensive data security across your entire estate.
Recent Blogs
3 MIN READ
Microsoft Defender Monthly news - January 2026 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Def...
Jan 13, 2026 | 205 Views | 1 like | 1 Comment
We are excited to announce the Public Preview of IP Network Firewalls for Azure Key Vault Managed HSM in East US, West US, West US 2, West Central US, UK South, and West Europe.
The feature allow...
Jan 13, 2026 | 75 Views | 1 like | 0 Comments
Trusted Signing is now Artifact Signing—and it’s officially Generally Available!
Artifact Signing is a fully managed, end-to-end code signing service that makes it easier than ever for Windows app...
Jan 12, 2026 | 502 Views | 6 likes | 1 Comment
6 MIN READ
Security teams today face an overwhelming challenge: every data point is now a potential security signal, and SOCs are drowning in fragmented, high-volume logs from countless sources - firewalls, clo...
Jan 12, 2026 | 1.1K Views | 6 likes | 0 Comments
Recent Discussions
Onboarding MDE with Defender for Cloud (Problem)
Hello Community, at our customer I have a strange problem. We onboarded with Azure Arc server and activated Defender for Cloud services only for Endpoint protection. Some of these devices onboarded into the Microsoft Defender portal, but do not appear as a device; in fact I don't have the opportunity to put them into a group to apply policy. I have checked the sensor of Azure Arc and all works fine (devices are in Azure Arc, are in the Defender portal and I see them in Intune (managed by MDE)).
From Intune portal
From Defender portal
But unlike other devices, in Entra ID only the enterprise application exists and not the device. I show the example of a device that works correctly (the same onboarding method). Is there anyone who has or has had this problem? Thanks and Regards, Guido
Is setting an index tag in Azure Defender for Cloud during file write an atomic operation?
Hi, when using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement? Any insights or official documentation references would be appreciated!
58 Views, 0 likes, 1 Comment
Defender for servers (P1)
Hey guys, I enabled my Defender for Cloud trial license (P1) for my Windows servers. They are onboarded and I can see them visually in the (security.microsoft.com) EDR Portal. My enforcement scope is set to Intune - so all my AV policies etc. are created there. I want to create an AV policy for my Windows servers but I can't see the objects in Entra. What is best practice: to register them in Entra manually, or should it automatically create an object in Entra during the onboarding process? Can't create & assign an AV policy etc. until I create a group and put all my servers into that group. Any ideas? Also might be worth mentioning I see that they are managed by "unknown" and not Microsoft Sense? Should I point back the scope to the Defender portal? Whilst my endpoints are managed by Intune.
Alert Tuning (formerly Alert Suppression) Issues
Hello all! I am managing a Microsoft Defender instance and I have created a Custom Detection Rule. I want to tune this Alert so it auto-resolves in ALL scenarios (any host, any user). I have tried using Alert Tuning like so: I have selected ALL service sources, scope is All organization, condition is Alert:Custom and must match Alert Title which is the title of the generated alerts as taken from Advanced Hunting to make sure it is an exact match. I have tried using wildcards in Alert title, adding severity as another indicator, tried doing it directly from a triggered alert as well as from Alert Tuning from settings. Nothing has worked so far. Any input or insights would be greatly appreciated. Cheers!
961 Views, 0 likes, 7 Comments
Change password for krbtgt account
What are the criteria that MDI uses to determine whether the https://learn.microsoft.com/en-us/defender-for-identity/security-posture-assessments/accounts#change-password-for-krbtgt-account recommendation has been completed? I'm working with an org where the passwordLastSet attribute on the krbtgt account says "never", yet this recommendation is showing "Completed".
Extract telephoneNumber/businessPhones in Graph via PowerShell
Hi all, I am trying to extract the telephoneNumber from the businessPhones attribute in Entra via a PowerShell script. I call Get-MgUser, list the properties including businessPhones. No matter what I try I either get a System.String[] or a blank. I can extract all the extensionAttribute values using the dot operator, but no luck with telephoneNumber. After much searching and reading of the Learn documentation, I am rather stumped. Any guidance will be appreciated. Bruce
Solved, 27 Views, 0 likes, 2 Comments
Data Governance... who, how, why?
In our organization, we’ve defined the teams responsible for Data Security (Cybersecurity) and Data Compliance (Records Management). However, there is still uncertainty around which department should own and manage Data Governance. How is it permissioned?
67 Views, 1 like, 5 Comments
Force user to reset password in hybrid
Hi, we work in a hybrid environment at the moment, and it has been discovered that if you are using classic AD and reset a user's password and leave the tick-box saying user must change password at next logon, the password reset works! But, if you were to select the tick-box with the intention to make the user change their password, the password does not get reset and the user never gets asked to reset their password? Also, if you try and reset the user's password on AAD, you get the following error message: Because we cannot force the user to reset their password by AD or AAD, we have to tell the user to do it themselves by the classic Ctrl-Alt-Del method or set their personal password for them over the phone. So, what my question is, is why can I not force the user to change their password from either AD or AAD?
MS Defender setting
Hello, I have a question. I'm not from an English-speaking country, so please understand any shortcomings. I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered. Is there a way to do this? Thank you in advance for your help.
Reachability of a domain across multiple tenants
I have a general question about an Entra scenario that we currently need to implement. Our company consists of 3 companies (companyA.com, companyB.com, companyC.com), each with their own MS Tenant. Here, A is the parent company and B and C are subsidiaries. Is it somehow possible, perhaps with Cross Tenant Synchronization from B, C -> A, that users from the subsidiaries can log in with the parent company's domain name in Entra, Teams & Co., and that Teams invitations can also be sent via an email address of the parent company? So I have [email address removed for privacy reasons] and I would like this user to also be known as [email address removed for privacy reasons] in the Microsoft ecosystem. From a marketing perspective, it is important that all employees log in and are reachable with the same domain. A migration into one tenant is probably not easily possible for legal reasons. Thank you in advance for your assistance. Christian
Unusual Sign-In Activity E-mail but I cannot identify the account!
Hi, I'm experiencing something quite weird. This morning I got an alert to a personal e-mail address of mine (w********@gmail.com) that a Microsoft account of mine was accessed from an IP address in Brazil. I've attached that e-mail and it lists the account as "ja*****" with no domain name listed. I have two Microsoft accounts that I know of that start with "ja". One is a hotmail account and one is registered with my university account. I figured this alert had to do with my university account because that could explain why it never listed a domain name. However, when I checked, neither account has any record of a sign in, successful or unsuccessful, from an IP address in Brazil today. Furthermore, the university account doesn't have the w*******@gmail.com listed as a primary or secondary e-mail account so even if that was the account that alert wouldn't have gone to that e-mail. I contacted Microsoft support hoping that they could try to locate the alert e-mail and confirm what account the alert was about from their end but they told me they don't have the tools for that and they have limited access to their own system. A supervisor told me that at this point my best bet is to either post on the community forums or to go to the police and ask them to track the IP address. I have a vague memory that years ago when I tried to log into my university Microsoft account, it would let me log in as a personal account and as a work account separately but now I can only use it as a work account. I'm wondering if that might be related like maybe someone was able to access my personal account of my university Microsoft account which could explain both the lack of a domain name in the e-mail and the fact that there's no history of it in my work account. This is really bugging me because someone may have accessed an account belonging to me but I'm completely unable to actually confirm that or even the account this is happening to.
Thanks!
8 Views, 0 likes, 0 Comments
Microsoft Purview Unified Catalog – Draft Data Product Visibility (RBAC)
I have three Entra ID security groups that must be able to see all data products across the estate, including Draft, Unpublished, Published, and Retired:
- Purview.Admin.Team
- Purview.Data.Governance
- Purview.Data.Architecture.Team
What I tested
I tested assigning these groups to the available Microsoft Purview Unified Catalog roles at both application and governance‑domain scope, including:
- Global Catalog Reader / domain reader roles
- Governance Domain Owner
- Data Governance Administrator
- Data Product Owner
- Data Steward
Observed results
- Reader roles and Data Governance Administrator allowed users to see the list of data products but not Draft / Unpublished items.
- Governance Domain Owner and Data Product Owner allowed draft visibility but grant ownership/control.
- Only assigning the groups as Data Steward on each governance domain consistently allowed visibility of all data product lifecycle states (Draft, Unpublished, Published, Retired) without granting ownership.
Current understanding
- Draft and Unpublished data products are only visible to users assigned domain‑level governance roles
- Data Steward is the least‑privileged role that provides draft visibility
- To achieve estate‑wide draft visibility, the groups must be assigned as Data Steward on every governance domain
- Application‑level roles alone (including Data Governance Administrator) are insufficient
Question (seeking confirmation)
Is this understanding and solution correct and aligned with Microsoft’s intended Purview Unified Catalog RBAC design, or is there an alternative supported way to provide read‑only draft data product visibility without assigning Data Steward per governance domain?
37 Views, 0 likes, 0 Comments
How to Prevent Workspace Details from Appearing in LAQueryLogs During Cross-Workspace Queries
I’ve onboarded multiple workspaces using Azure Lighthouse, and I’m running cross-workspace KQL queries using the workspace() function. However, I’ve noticed that LAQueryLogs records the query in every referenced workspace, and the RequestContext field includes details about all other workspaces involved in the query. Is there any way to run cross-workspace queries without having all workspace details logged in LAQueryLogs for each referenced workspace?
41 Views, 0 likes, 1 Comment
Microsoft Purview Client side labeling issue
Hello Everyone, I hope this message finds you well. I wanted to share some observations and seek your guidance on an issue I'm encountering with sensitivity label recommendations in Outlook. I have created a label with auto-labeling (Client side) enabled and configured it to identify sensitive information types (SITs) such as SSN and credit card details (Instance count 1- ANY). The curious part is, when I attach a Notepad file in Outlook that contains SSN and credit card information, I do not receive any sensitivity label recommendations in both Outlook desktop and web versions. However, if I paste the same content directly into the email body, I do receive the respective sensitivity label recommendation. Moreover, when I attach a Word document (not labeled) that contains SSN and credit card information, Outlook does not show any recommendation either. Interestingly, if the Word document detects the sensitive content and recommends a label, and I then save the document with the recommended label, attaching it back to Outlook does trigger the label recommendation. Could you please clarify if this behavior is by design or if there might be a missing configuration on my end? Your insights would be greatly appreciated. Thank you!
62 Views, 0 likes, 2 Comments
Microsoft Defender will not let me log in on Windows 11
I have a subscription to the Personal Microsoft 365 plan which includes Microsoft Defender. When I try logging into Microsoft Defender on my Windows PC, I receive an error message stating "Couldn't sign in to Microsoft Defender. Something went wrong-please try again later". I have been having this issue for several months now. I have recently contacted Microsoft Tech support who just directed me to this community. The tech support representative mentioned that others may have experienced similar issues as mine. I would appreciate if anyone could advise. My PC is running Windows 11 and is up to date on updates. All of my 365 applications are also up to date. I have also tried running the repair tool on Microsoft Defender in addition to uninstalling and reinstalling the application. The tech support representative mentioned something to me about the issue could be because I am using a personal email account for my login for Microsoft Defender. I did not fully understand why that would be the issue. I would like to note that I have no issue logging into Microsoft Defender on my Android phone. The problem appears to only occur on my PC and only for the Microsoft Defender app. All other apps that come with my 365 subscription use the same login and appear to be working fine.
Microsoft purview auto labeling contextual summary
Hello All, I am not able to see the Contextual summary in service side auto labeling of Microsoft Purview Information Protection. I do have "data classification content viewer role" in my ID. Please let me know if I am missing anything to see the contextual summary.
Solved, 36 Views, 0 likes, 2 Comments
Purview Unified Catalogue Gov Domains Numeric Prefixing
Has Anyone Tried Numeric Prefixing for Governance Domains in Purview?
Context: We introduced a structured numeric prefixing system for governance domains in Microsoft Purview to make hierarchical sorting more intuitive.
What we did: Parent domains use a base prefix ending in .00 (e.g., 02.00 Group). Child domains are numbered sequentially (e.g., 02.01 Directorate, 02.01.01 Team).
Why: Purview sorts domains alphabetically, which caused child domains (e.g., 02.01) to appear above their parent (02 Group). Adding .00 ensures parents always sort before children, creating a clear hierarchy.
How it works: All already have 01.00-
- Top-level groups: 02.00
- Directorates: 02.01, 02.02
- Teams/Units: 02.01.01
This approach guarantees correct sorting, clear hierarchy, and scalability for future additions?
Question for the community: Has anyone else implemented a similar numeric prefixing approach in Purview? Do you think this is a good idea for maintaining clarity and scalability? Any alternative strategies you’ve found effective?
Solved
Pre-migration queries related to data discovery and file analysis
Hi Team, a scenario involves migrating approximately 25 TB of data from on‑premises file shares to SharePoint. Before the migration, a discovery phase is required to understand the composition of the data. The goal is to identify file types (Microsoft Office documents, PDFs, images, etc.) without applying any labels at this stage. The discovery requirements include:
- Identification of file types
- Detection of duplicate or redundant files
- Identification of embedded UNC paths, macros, and document links
- Detection of applications running directly from file shares
Guidance is needed on which Microsoft Purview components—such as the on‑premises scanner or the Data Map—can support these discovery requirements. Clarification is also needed on whether Purview is capable of meeting all the above needs. Clarification is also needed on whether Purview can detect duplicate or redundant files, and if so, which module or capability enables this. Additionally, since Purview allows downloading only up to 10,000 logs at a time, what would be the best approach to obtain discovery logs for a dataset of this size (25 TB)? Thank you!
48 Views, 0 likes, 1 Comment
DSPM for AI Data Risk Assessment Question
Hello everyone, my team is creating a POC for DSPM for AI in order to be ready for actual implementations. We have encountered some unexpected issues that we have found no conclusive answers to in the official articles. Everything that follows is related to the Data Risk Assessment feature that comes with DSPM for AI and its SharePoint site scanning features.
First of all, does the assessment feature use both built-in and custom SITs? If this is the case, we need to take into account any custom data types in an actual implementation.
Secondly, we have noticed that no assessment type (including the default one) reads all the sites found in the SharePoint admin center. We have noticed that one of them is probably the root site as its format is https://<domain name>/ while every other site looks like https://<domain name>/sites/<site name>, another one was most likely created by an application and there are some that do not appear in the list but do appear in the assessment results. All of these sites except the "root" seem to be up and running, although some show the "request access" page when opening.
Third, we have not found a conclusive answer as to what is the difference between the site and item level scan. This is because item level scan finds and scans even fewer sites.
The configuration is as follows:
- Default Assessment: All users, All sites (default option) -> Finds 17/19 sites and items scanned do not match the number of items reported to be on the sites in the SharePoint admin center. The issue is that the number of reported unscanned items is 0.
- Site Level Assessment: All users, All sites (default option) -> Finds 11/19 sites and items scanned do not match the number of items reported to be on the sites in the SharePoint admin center. The issue is that the number of reported unscanned items is 0.
- Item Level Assessment: All users, No All Sites option. Finds 8/19 sites -> Scans 4/19 sites and items scanned do not match the number of items reported to be on the sites in the SharePoint admin center. The issue is that the number of reported unscanned items is 0.
To sum this up, my team's questions are the following:
- Does this solution use custom SITs in addition to built-in ones?
- What extra configuration is required to scan ALL SharePoint sites for sensitive info using the Data Risk Assessments?
- What added value does the Item Level scan provide?
- Is any extra configuration besides the enterprise app creation required for Item Level scanning on all sites?
Thank you all in advance!