Recent Blogs
Plan your move to Defender today
Take advantage of the latest innovations in Microsoft Sentinel SIEM and platform by migrating from the Azure to Defender experience. Not sure where to begin? We’ve ... (Dec 11, 2025)
Picture this: You’re managing security across Azure, AWS, and GCP. Alerts are coming from every direction, dashboards are scattered and your team spends more time switching portals than mitigating th... (Dec 11, 2025)
Learn about the latest features and change announcements across Microsoft Entra. (Dec 10, 2025)
The updated CAF 4.0 raises expectations around control A2.b - Understanding Threat. Rather than focusing solely on awareness of common cyber-attacks, the framework now calls for a sector-specific, ... (Dec 10, 2025)
Recent Discussions
Azure Active Directory | Workbooks | Sign-In Analysis (Preview: AAD & AD FS)
This workbook will help you analyze your organization's sign-ins for both Azure AD and AD FS sign-ins. This workbook will show you the General Analysis and Error Analysis.
General Analysis:
- Sign-in Activity Summary
- Sign-in Analysis by Location
- Sign-in Analysis by Device
Error Analysis:
- Sign-in Activity Summary
- Top Sign-In Errors by User or IP
Test DLP Policy: On-Prem
We have DLP policies based on SITs and they are working well for various locations such as SharePoint, Exchange and endpoint devices. But the DLP policy for on-prem NAS shares is not matching when used with the Microsoft Information Protection Scanner.
DLP Rule: Conditions - Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, U.S. Driver's License Number, U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN).
The policy is visible to the Scanner and it is being logged as being executed:
MSIP.Lib MSIP.Scanner (30548) Executing policy: Data Discovery On-Prem, policyId: 85........................
and the MIP reports are listing files with these SITs. The results:
Information Type Name - Credit Card Number, U.S. Social Security Number (SSN), U.S. Bank Account Number
Action - Classified
Dlp Mode -- Test
Dlp Status -- Skipped
Dlp Comment -- No match
There is no other information in the logs. Why is the DLP policy not matching and how can I test the policy? Thanks
What are the differences between "eDiscovery Search" and "content search"
Hi, I thought if anybody is able to explain what the differences are between "eDiscovery Case Search" and "Content Search", and what the scenarios are when to choose one over the other? So far I have understood that an eDiscovery Manager can see all Content Searches from the tenant, but for eDiscovery Search a manager can see only their own cases. I also have a feeling that eDiscovery Search is very much slower. At first I'm getting zero findings, while Content Search lists all of the items. But then, after some hours, eDiscovery Search starts finding the same items. As a side note, I'm testing this to find chat messages (Teams and Skype) from an already deleted user (inactive mailbox).
Windows Hello passkeys dialog appearing and cannot remove or suppress it.
Hi everyone, I’m dealing with a persistent Windows Hello and passkey issue in Chrome and Brave, and yes, this is relevant as they're the only browsers having this issue whilst Edge, for example, is fine, and at this point I’m trying to understand whether this is expected behavior, a bug, or a design oversight. PS. Yes, I'm in contact with the related browser support teams, but since they seem utterly hopeless I'm asking here, since it's at least partially a Windows Hello issue.
Problem description
Even with:
- Password managers disabled in browser settings,
- Windows Hello disabled in Chrome/Brave settings,
- Windows Hello PIN enabled only for device login,
- Passkeys still stored under chrome://settings/passkeys (which I cannot delete since they are used for logging on to the device),
- The devices are connected to Entra ID but this is not required to reproduce the issue, although a business account configuration creates a passkey with Windows Hello AFAIK.
Observed behavior
When I attempt to sign in on office.com, Windows Hello automatically triggers a dialog offering authentication via passkeys, even though:
- I don’t want passkeys used for browser logins,
- passkeys are turned off everywhere they can be,
- Windows Hello is intended only for local device authentication.
The dialog cannot be suppressed, disabled, or hidden (trust me, I tried for weeks). It effectively forces the Windows Hello prompt as a primary option, which causes problems both personally and in business contexts (wrong credential signaling, misleading users that are supposed to use a dedicated password manager solution instead of browser password managers, enforcing an unwanted authentication flow, etc.).
What I already verified
- Many, many (too many) Windows registry workarounds that never worked.
- Dug through almost all flags on those browsers.
- Chrome/Brave → Password Manager: disabled
- Chrome/Brave → Windows Hello toggle: off
- Looked through what feels like almost every related option in Windows Settings.
- Tried gpedit.msc local rules
- System up to date
- Windows Hello configured to use PIN, but stores "passkeys used to log on to this device"
Why this is a problem
Windows Hello automatically assumes that the device-level Windows Hello credentials should always be available as a WebAuthn authenticator. This feels like a big security and UX issue due to:
- unexpected authentication dialogs,
- inability to control where and how passkey credentials are shared to applications,
- inability to turn the feature off,
- no administrative or local option to disable Hello for WebAuthn separately from device login,
- business users either having issues with keeping passwords in order (our business uses a dedicated Password Manager but this behaviour covers its dialog option) or not having a PIN for their devices (when I disable Windows Hello entirely, since when there are no passkeys the option doesn't appear).
Questions
- Is there any supported way to disable Windows Hello as a WebAuthn/passkey option in browsers, while keeping Hello enabled for local device login?
- Is this expected behavior from Windows Hello, or is it considered a bug?
- Are there registry/policy settings (documented or upcoming) that allow disabling the Windows platform authenticator specifically for browsers like Chrome and Brave?
- Is Microsoft aware of this issue? If so, is it tracked anywhere?
Additional notes
This issue replicates 100% across (as long as there are passkeys configured):
- Windows 11 devices I've managed to get my hands on,
- Chrome and Brave (latest versions),
- multiple Microsoft accounts and tenants,
- multiple clean installations.
Any guidance or clarification from the Windows security or identity teams would be greatly appreciated. And honestly, if there is any more info I could possibly provide, PLEASE ask away.
Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the SimpleMAPI flag in Outlook.
**What I know:**
**Email Characteristics:**
- All three emails contained a Word attachment.
- No body text was present.
- The subject line matched the attachment file name.
- Two of the emails were identical.
**Recipients:**
- Emails were sent to colleagues who originally created the attached documents.
**Attachment Details:**
- One attachment appeared to be a temporary file (e.g., a3e6....).
**System Behavior:**
- No suspicious logins detected before or after the event.
- Emails were sent via the Outlook.exe process on the user’s machine.
- Excel.exe was identified as the parent initiating process according to Microsoft Defender endpoint logs.
**In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails):**
- Downloaded file: `2057_5_0_word_httpsshredder-eu.osi.office.net_main.html`
- Path: `C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html`
- Downloaded file: `~$rmalEmail.dotm`
- Path: `C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm`
I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.
Remove App Connector
In testing Cloud App Security I created an app connector to one of our SaaS providers. I now need to move this from our development environment to production. I now need to delete this connect app but I can't seem to find where to do this. Am I just missing this somewhere?
Retention policy for Teams chat not working
Hello All, I have created a Teams chat retention policy under data lifecycle management; it is for 1 month retention. However, it is not working: the messages older than 1 month are still appearing in chat. Please let me know if I have missed any specific setting in the policy or any prerequisite. I have typically waited for more than 7 days after the 30 days of retention.
Data Explorer does not see Access Controlled items in SharePoint & OneDrive
I have recently started working with sensitivity labels. I have one label that is access controlled (Confidential - Encrypted) that I have published and appears to be working. My question is, when I look in Data Explorer at that label, it only shows that I have items in Exchange, no items in OneDrive where I have stored files with that label? What am I missing, why can Purview not see files with this label?
Block transfer of labelled data through CLI Apps - PowerShell
I have a ticket open with Microsoft since mid November, and to date not fixed, still chasing. So we have labelled data, using a custom label Intellectual Property. We block and alert using it, from uploads to a list of URLs, to prompt to override, etc. So the label works. Next step is to prevent exfil using CLI apps. This is where the issue is. Not working. Would you have any idea if this actually works? Has anyone set it up? In Settings and then Restricted apps and app groups I have set up the following: Then I created a policy that is applied to my machine and my user to block the move and upload of data that is labelled as Intellectual Property (Sensitivity Label). It should block when I am using WinSCP or PowerShell. It does not. I tried with the restricted app group and with access by restricted apps. None works. My machine is in sync.
MS Defender 101.25102 update error
I have been trying to update MS Defender for several days now and without luck. I am on an iMac M3 with macOS 26.1. I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine. Does anyone have a solution?
MCAS logcollector docker image: 0 logs received
I followed that documentation: https://learn.microsoft.com/en-us/defender-cloud-apps/discovery-docker-ubuntu?tabs=ubuntu My collector is displaying a connected status in the console: But as you can see, no data was received, and if I do a collector_status -P on my docker: I checked all possible log files, nothing helped me. So if someone can help about that.. Thank you!
Purview Data Map – Proposed Domain & Collection Structure
Microsoft Purview Data Map – Proposed Domain & Collection Structure
This proposed Microsoft Purview Data Map domain and collection structure ensures that users responsible for specific data assets can be granted precisely scoped permissions—particularly for updating metadata—by mapping Business Units, Departments, Teams, and environments in a clear hierarchy that allows RBAC inheritance to assign the right level of access to the right people.
Domain Name
Data Catalogue (Short, clear, governance-aligned name to avoid UI truncation and scripting issues.)
Collection Path
Data Catalogue → Business Units → Departments → Teams → [Prod | Non-Prod]
- Level 1: Business Units
- Level 2: Departments (within each Business Unit)
- Level 3: Teams (within each Department)
- Optional: Environment segregation under Teams (Prod / Non-Prod)
Reasons & Requirements
1. Domain Naming
- Short, clear name avoids UI truncation and scripting issues.
- Detailed descriptions stored in metadata; name remains simple for automation and future-proofing.
2. Structure Alignment
- Alignment with organisational charts and unified governance hierarchy: Business Units → Departments → Teams
- Provides intuitive navigation and meaningful context for users.
3. Hierarchy Depth
- Limited to 4–5 levels for usability and RBAC inheritance.
- Avoids unnecessary complexity while maintaining clarity.
4. Environment Handling
- Prod / Non-Prod split under Teams for simplicity.
- Additional environments only if governance differs significantly.
5. RBAC & Ownership
- Permissions align with organisational roles.
- Supports the principle of least privilege.
6. Scanning & Policy
- Scans assigned at Team level for precise governance.
- Policies inherit from higher levels for consistency.
- Selective scanning preferred for cost efficiency.
7. Best Practice Compliance
- Matches Microsoft guidance: short names, shallow hierarchy, environment segregation.
- Clear distinction between governance path and technical hierarchy.
Role Assignment in Collections
Data Curator Role
Designed for users who:
- Edit and update metadata.
- Manage business context for assets within the collection.
Assign to:
- Data Owners (Directorate level).
- Data Stewards (Team level).
- Data Product Owners / Asset Managers (for their own assets).
Why at Collection Level?
RBAC in Purview inherits down the collection hierarchy:
- Assign at Team collection → edit metadata for all assets in that Team.
- Assign at Group or Directorate level → edit metadata for all child collections.
- Ensures least privilege and ownership-based editing.
Best Practice
- Read-only roles (Data Reader) applied broadly for transparency.
- Data Curator scoped to the lowest level where the user has responsibility (usually Team).
- Avoid assigning Data Curator at the root unless absolutely necessary.
Custom Data Collection - Not Collect Events
Hello, has anyone tested or implemented Custom Data Collection from Defender XDR? I tried to use this function: I created a rule and attached a Sentinel workspace, but for example the "DeviceCustomProcessEvents" table remains empty. But with the command "DeviceProcessEvents" there are events that match the rule that I created. Is there anyone else who has the same issue? Many thanks, Regards, Guido
Exclude File Hashes from Data leak/Insider policy
Absolute long shot, but is there any way to exclude file hashes from the attachments part of a data leak policy? We use a service for our signatures and, due to the way it works, the images in it keep getting picked up as part of sending external with attachment; the image name changes, but the SHA-256 stays the same. Anyone have any idea if this is or ever will be possible?
KQL query to report on Audit/Block status of Network Protection
Anyone know how to run a query using KQL in the Defender portal to return the status of Network Protection - Audit or Block mode? The following query returns the results but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the context might help but for this SCID it is always empty.
```kql
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-96"
```
The information is available within the portal when you drill into the device - configuration management - effective settings - but this is not scalable when needing to check across a large estate. How could you query this via KQL or another way to generate a report on overall estate health and configuration? Long term it would be great to report on this in a Power BI dashboard. Thanks
MDE use of Certificate based IoC not working
I have been trying to use MDE IoC with certificates as per the following link: https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates#create-an-indicator-for-certificates-from-the-settings-page This is on a demo tenant with full M365 E5 licenses and the vulnerability trial enabled just in case. Test devices are:
- Windows 11 with latest updates - domain joined and managed by Intune
- MDE onboarded and active with AV
- Network protection in block mode
- Cloud delivered protection enabled
- File hash enabled
- In Defender portal - settings - endpoints advanced settings - all options enabled
I am testing with Firefox - the installer and the application .exe after installation. I have extracted the leaf certificate from both these .exe's using the helpful information in the following link: https://www.linkedin.com/pulse/microsoft-defender-missing-manual-how-actually-create-adair-collins-paiye/ Then uploaded the certs into Defender portal - settings - endpoints - IoC - certificates - set to Block and remediate.
Issue: It's been 24h and nothing happens on the client devices. In the Defender portal - assets - devices - device timeline - I can see the Firefox processes but at no point is the installer or application blocked. Have I misunderstood how the feature works? Has anyone else managed to get this to work? Advice appreciated. Thanks Warren
I'm stuck!
Logically, I'm not sure how/if I can do this. I want to monitor for Entra ID group additions - I can get this to work for a single entry using this:
```kql
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to group"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName == "NameOfGroup" // <-- This returns the single entry
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc
```
However, I have a list of 20 priv groups that I need to monitor. I can do this using:
```kql
let PrivGroups = dynamic(['name1','name2','name3']);
```
and then call that like this:
```kql
blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any (PrivGroups)
```
But that's a bit dirty to update - I wanted to call a watchlist. I've tried defining with:
```kql
let PrivGroup = (_GetWatchlist('TestList'));
```
and tried calling like:
```kql
blahblah
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any ('PrivGroup')
```
I've tried dropping the let and attempted to look up the watchlist directly:
```kql
| where GroupName has_any (_GetWatchlist('TestList'))
```
The query runs but doesn't return any results (obvs I know the result exists) - how do I look up that extracted value on a watchlist? Any ideas or pointers why I'm wrong would be appreciated! Many thanks
Issue with Microsoft Purview Governance/Business Domains invisible/not found
I was wondering if anybody has experienced such an issue? After the new Purview update and introducing governance domains instead of business domains in the data catalog, I cannot see the previously established business/governance domains but can still see the data products I had previously created under legacy business domains.
- I have Purview admin and data governance admin at tenant level as well but still the issue persists.
- I cannot create new governance domains since I get a cyclic dependency error.
- Have tried different web browsers, no luck so far!
- Any similar experience and potential tip/workaround for this issue?
#Purview #governance_domains