Recent Blogs
3 MIN READ
Many people aren’t aware that Microsoft security isn't just about Microsoft, it’s also about the platforms supporting the products we build. This means our reach extends across all operating systems:...
Nov 13, 2025
8 MIN READ
In the evolving cybersecurity landscape, the choice between a unified security platform and a point solution is a strategic one with far-reaching implications. This two-part blog series examines the ...
Nov 13, 2025
In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through...
Nov 13, 2025
Background
Azure Firewall helps secure your network by filtering traffic and enforcing policies for your workloads and applications. DNS Proxy, a key capability in Azure Firewall, enables the firew...
Nov 12, 2025Recent Discussions
Purview-Retention Policy for Private channels
I have retention policy for Standard & Shared channels together with 2 Years retention period to keep posts for 2 years and remove after that period. Don’t have any policy for Private channels posts/messages, so posts will be available indefinitely . With this https://www.microsoft.com/en-in/microsoft-365/roadmap?id=500380from Microsoft my private channels will also part of the same policy which is applied for standard & Shared channels . in this case how i can retain the posts from private channels indefinitely . Please suggest
Relabeling files won't reflect the Label changes
I am running Microsoft Purview Scanner, where we scanned and applied the Default Label "Internal" to all the documents in the file share for "One Folder". After that has been applied successfully, we realized that some of the Access Controls in the Label called "Internal" need to be updated. So we enabled Access control permissions for this label to include the "Export" option. I thought changes made to a published label would reflect already labeled files. But it doesn't. Even though we opened and closed one file and didn't reflect my changes. Steps we tried: Re-ran scan with the option to re-label existing files (already labeled files) with the same label to see if it reflect new changes. But nothing. We reset the Scan service and restarted the server too. nothing worked. Do anyone know if a Label is applied already to files in file share and we update some of the settings for the same label, with the changes reflect properly? I know it reflects in cloud, but not sure why it can't reflect in file shares
sensor service fails to start
Hello, i've installed MDI on all of our domain controllers and everything went fine. I am trying to install MDI our Entra connect server and our certificate authority server (which are not domain controllers) and the service is continually failing to start. Could someone please point me in the right direction on how to rectify this? I've tried: recreating the service account (3x), checking the service account with Test-ADServiceAccount (works fine from both member servers) verified the service account is given the right to log on as service. The error log is very vague: 2025-11-13 19:05:30.0968 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__49 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName={FQDN of DC}] at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) 2025-11-13 19:05:30.1124 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers [ _domainControllerConnectionDatas={FQDN of DC}] at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDirectoryServicesDomainNetworkCredentialsManager domainNetworkCredentialsManager, IDomainTrustMappingManager domainTrustMappingManager, IRemoteImpersonationManager remoteImpersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)Disable Defender for Cloud Apps alerts
Hi all, we just enabled Defender for Cloud Apps in our environment (about 500 clients). We started with setting about 300 apps to "Unsanctioned". Now we get flooded with alerts. Mainly "Connection to a custom network indicator on one endpoint" and "Multi-stage incident on multiple endpoints" when an URL is blocked on more clients. Is there a possibility to disable the alerts for this kind of blocks? I tried creating a supression rules, but didnt manage to get it working. Dont know if it is not possible or if I made a mistake. As the Defender for Cloud Apps just creates a Indicator for every app i want to block I could click every single Indicator and disable the alert there. But thats a few hundred Indicators and we plan to extend the usage. Can I centrally disable alerts for custom indicators? Thanks & Cheers
Auto-Label Simulation does not simulate your rules exactly
When you’re building an auto-labeling rule and run a simulation, don’t expect it to fully follow your rule. Let me explain. It doesn’t evaluate everything. For example, if your rule says a document must match at least four regex patterns to count as a positive find, the simulation might treat a single match as a positive. Yeah, that’s frustrating. Here’s what works better: Build your Sensitive Information Type (SIT) and test it against individual documents first. Then create a policy that targets a small subset of data. Run the simulation, then turn on the policy. Check the results in Activity Explorer, which shows real production activity. Why can’t the simulation just run the full rule? Good question—we all wish it did.
Purview Activity Explorer - Logs on recommendation to apply Labels
Hi all, for purposes linked to generate statistics, I have the need to monitor how users exploit the feature that recommends them the application of a specific label in Office Apps (this feature is configured in the specific Sensitivity Label with the "Auto-labeling for files and emails" and recommending users to apply that label). I tried look at the logs generated and appearing in the Activity Explorer. In order to monitor what mentioned above, I used the following logic: Filter only on the "Activity" field for "Sensitivity label recommended for file" value (this to monitor instances in which the label has been recommended to users) Filter only on the "How applied" field for "Recommended" value (this to monitor instances in which users actually accepted the recommendation provided to them) then: are the filtering conditions above enough and adequate for the purposes above? are there any other filtering criteria that I should take into account in this regard? Thank you in advance! 😊
Permissions to see and manage sentinel workspace in Defender XDR
Hi Team, One of my customers recently completed their Sentinel → Defender portal migration. Initially, I didn’t have access to view the Defender portal, but after the migration I was assigned the Security Operator role in Entra (via PIM), which now allows me to access the Defender portal.However, when I navigate to: Defender portal → System → Settings → Microsoft Sentinel → Workspaces. I’m unable to view the available workspaces. The portal shows an insufficient permissions error, and I also cannot switch the primary/secondary workspace. Could you please advise on the exact permissions/roles required to: View the Sentinel workspace list in Defender, and Switch the primary workspace? Thanks in advance
How to Unassign Assets from Data Products in Microsoft Purview at Once
Hello, I’ve assigned around 100 assets to a specific data product and would now like to unassign all of them at once, rather than removing them individually. Using the Purview REST API with Python, I was able to retrieve the list of my data products and successfully identify the target data product. However, I haven’t been able to fetch the list of assets currently assigned to it, which prevents me from performing a bulk unassignment. Could anyone please advise how to retrieve and unassign all assets from a data product programmatically?
Content blocked by IT Admin
I am the IT Admin and I keep seeing this Windows Security pop up notification on my system about blocking mtalk.google.com. I do not have this installed nor can I find anything about it in the registry. How can I find and remove this completely to stop these notifications? Driving me crazy....
XDR RBAC missing Endpoint & Vulnerability Management
I've been looking at ways to provide a user with access to the Vulnerability Dashboard and associated reports without giving them access to anything else within Defender (Email, Cloud App etc) looking at the article https://learn.microsoft.com/en-us/defender-xdr/activate-defender-rbac it has a slider for Endpoint Management which I don't appear to have? I have business Premium licences which give me GA access to see the data so I know I'm licenced for it and it works but I can't figure out how to assign permissions. When looking at creating a custom permission here https://learn.microsoft.com/en-us/defender-xdr/custom-permissions-details#security-posture--posture-management it mentions Security Posture Management would give them Vulnerability Management Level Read which is what I'm after but that doesn't appear to be working. The test account i'm using to try this out just gets an error Error getting device data I'm assuming its because it doesn't have permissions of the device details?Blocking email in outlook mobile application via conditional access and Intune
Hello, all. We’re currently experiencing an issue where corporate email remains accessible in the Outlook mobile app on personally owned iOS devices, even after the device either falls out of compliance or undergoes an enterprise wipe. These devices are managed through Intune. Additionally, some users may have personal email accounts configured within the Outlook mobile app already. Below is the conditional access policy currently applied to mobile devices. Any assistance would be appreciated.Cannot update Case number in Microsoft Purview eDiscovery
I can no longer update the Case number under case settings in the new eDiscovery UI. I used to be able to update it via the externalId Graph endpoint but that appears to be deprecated. The error simply reads "update failed" - there is no additional information. Is anyone else having this problem?
Some Fabric Lakehouse tables not appearing in Microsoft Purview after scan
Hi everyone, I’m running into an issue where several tables from a Fabric Lakehouse aren’t appearing in Microsoft Purview after a workspace scan. Here’s the situation: I scanned a Fabric workspace that contains multiple Lakehouses. For most Lakehouses, the tables appear correctly in Purview after the scan. However, for one specific Lakehouse, several tables that I know exist aren’t showing up in the scanned assets — even after adding the Lakehouse as an asset to a data product in the Unified Catalog. What I’ve tried: I rescanned the workspace and the specific Lakehouses. I verified that the tables are persistent (not temporary) and appear under the Tables section in Fabric, not only as files. I confirmed permissions for the Purview connection account. Scan results and errors: After the rescan, the tables still didn’t appear. The scan logs show several ingestion errors with messages like: Failed to ingest asset with type fabric_lakehouse and qualified name [qualified name] due to invalid data payload to data map I checked the error entries to see which assets they point to, and none of them are related to the tables in the Lakehouse in question. There were four of these errors in the last run. Additional context: Some older Lakehouses that had been archived months ago in Fabric still appeared as active in Purview before the rescan, so there may be stale metadata being retained. Notes: I’m aware Fabric scanning in Purview currently has sub-item scanning limitations where item-level metadata is prioritised, and individual tables aren’t always picked up. But given that tables from other Lakehouses appear as expected, and given the ingestion errors (even though the errors do not point to the missing tables), it feels like there may be a metadata sync or processing issue rather than a simple coverage limitation. Question: Has anyone encountered this behaviour or the “invalid data payload to data map” error before? Any guidance on further troubleshooting steps would be appreciated. Thanks in advance!NPS Extension for azure MFA and multiple tenants?
Hi, is it possible to setup one NPS server with the Extension for Azure MFA to authenticate against multiple tenants? The onprem AD has azure ad connector for each domain and the users are in sync with there tenants. Its a RDS setup with one RD Gateway and one NPS server and multiple RD servers. I need email address removed for privacy reasons and email address removed for privacy reasons etc. to authenticate with MFA, but i can only get the users on the tenant thats linked in the NPS Extension for Azure MFA to work. I dont think its possible to setup more than one tenant in one NPS server (Extension for azure MFA). I get this error in the NPS log NPS Extension for Azure MFA: CID:xxxxxxxxxxxxxxx : Access Rejected for user email address removed for privacy reasons with Azure MFA response: AccessDenied and message: Caller tenant:'xxxxxxxxxxxxxxxxxxxxxxx' does not have access permissions to do authentication for the user in tenant:'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',,,xxxxxxxxxxxxxxxxxxxxxx The ID in the Caller tenant and the user tenant in the error is correct, so something have to work? I cat find a way to allow the Caller tenant to access users in the user tenant.Microsoft Compliance Assessment issues - ASD L1
Hi, We are using Microsoft Compliance Assessments in Microsoft Purview In the Microsoft Compliance Manager we have enabled the ASD Essentials Level 1 assessment Under the Microsoft Actions There are 2 actions, one is: Malicious Code Protection - Periodic and Real-Time Scans (SI-0116) The issue that currently the testing status is 'failed low risk' , but the testing status has the date tested as Monday Sep 30 2024, well before we opened the assessment, also with notes that are completely irrelevant to this client and certainly not something we have put in. The information in there is quite long, I can provide a txt file with this information I have checked the documentation and we have implemented the required security configuration With these items set the way they are we have no way to complete the assessment
