Recent Blogs
In this article: Introduction; Relationships and dependencies between Entra ID, Billing Accounts and Subscriptions; Identity and Roles; Billing Account and Subscription Creation; Summary.
I...
Oct 24, 2025
This milestone streamlines the deployment of on-premises identity security by unifying our endpoint and identity protection into a single sensor, pre-installed and ready for activation on Domain Cont...
Oct 23, 2025
This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is im...
Oct 22, 2025
On certain occasions you may want to confirm the state of your devices, or a subset of them, in Entra ID and cross-reference this with the device status you see in Defender for Endpoint....
Oct 22, 2025
Recent Discussions
[DevOps] dps.sentinel.azure.com no longer responds
Hello, I've been using Repository connections in Sentinel to a central DevOps for almost two years now. Today I got my first automated email on error for a webhook related to my last commit from the central repo to my Sentinel instances. It's a webhook that is automatically created in connections that were made in the last year (the ones from 2 years ago don't have this webhook automatically created). The hook is found in DevOps -> service hooks -> webhooks "run state change" for each connected Sentinel. However, after today's run (which was successful, all content deployed) this hook generates alerts. It says it can't reach (EU in my case) eu.prod.dps.sentinel.azure.com, full URL: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED] So, what happened to this domain? Why is it no longer responding, and when did it go offline? I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. This success status in the screenshot is from 2025/02/06; no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 years old and doesn't have a hook in my DevOps, the last deployment status says "Unknown", so I'm fairly sure that's what the webhook is doing. So a second question would be: how can I set up a new webhook? (It wants the ID and password of the "Azure Sentinel Content Deployment App"; I will never know that password....) So I can't manually add one either (if the URL ever comes back online or if a new one exists?). Please let me know.
Question malwares
Are the following malware programs ones that modify, damage, corrupt, or delete various files from your PC? Do all malware types perform malicious operations on files? Trojan:Win32/Wacatac.C!ml, Trojan.DownLoader47.36298, TrojanPSW.Rhadamanthys, Trojan.Win32.Agent.xcajyl? When a free antivirus program like Kaspersky Free and Microsoft Defender Free doesn't have a malware signature database and it doesn't appear in a complete scan, is it still active and have all protection barriers been breached? Without a signature, is the antivirus dead?
Question malware detected Defender for Windows 10
Why did my Microsoft Defender detect a malicious file in AppData\Roaming\Secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml) during a full scan and the Kaspersky Free and Malwarebytes Free scans didn't detect it? Was it maliciously modifying, corrupting, or deleting various files on my PC before detection? I sent it to VirusTotal, the hash: 935cd9070679168cfcea6aea40d68294ae5f44c551cee971e69dc32f0d7ce14b Inside the same folder as this DLL, there's another folder with a suspicious file, Caller.exe. I sent it to VirusTotal, and only one detection from 72 antivirus programs was found, with the name TrojanPSW.Rhadamanthys. VT hash: d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users log in to the machine and get enriched tokens every time. This works as desired. The problem is every user gets prompted to set a PIN. These are both shared secondary/tertiary PCs; there is no point in having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no effect on reboot.
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f
The HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are Intune controls for this, but I don't really have the time to work out Windows PC enrollment profiles for 2 machines. The site has Intune, but only for iOS mobile management. Thoughts?
Ingest IOC from Google Threat Intelligence into Sentinel
Hi all, I'm trying to ingest IOCs from Google Threat Intelligence into Sentinel. I follow the guide at gtidocs.virutotal.com/docs/gti4sentinel-guide. The API KEY is correct. PS: I'm using the standard free public API (created in VirusTotal). Managed Identity has been configured using the correct role. When I run the Logic App, I receive an HTTP error 403: "code": "ForbiddenError", "message": "You are not authorized to perform the requested operation". What's the problem?? Regards, HA
Issue when ingesting Defender XDR table in Sentinel
Hello, We are migrating our on-premises SIEM solution to Microsoft Sentinel since we have E5 licences for all our users. The integration between Defender XDR and Sentinel convinced us to make the move. We have a limited budget for Sentinel, and we found out that the Auxiliary/Data Lake feature is sufficient for verbose log sources such as network logs. We would like to retain Defender XDR data for more than 30 days (the default retention period). We implemented the solution described in this blog post: https://jeffreyappel.nl/how-to-store-defender-xdr-data-for-years-in-sentinel-data-lake-without-expensive-ingestion-cost/ However, we are facing an issue with 2 tables: DeviceImageLoadEvents and DeviceFileCertificateInfo. The tables forwarded by Defender to Sentinel are empty, like this row: We created a support ticket but so far, we haven't received any solution. If anyone has experienced this issue, we would appreciate your feedback. Lucas
Updates or ETA on expanded Fabric compatibility in Purview?
My organisation has been developing a greenfields data platform in Fabric since late 2024. We had also provisionally selected Purview as our enterprise data catalogue, expecting that it would in due course be enhanced to be fully compatible with Fabric data repositories. At this point, over 12 months later, we are still unable to: Scan our warehouse (the primary repository for silver & gold in our platform) contents in order to make them discoverable as data assets, augment them with curated business metadata, automate discovery and classification of sensitive data, etc. Profile the data in our warehouse in order to set up data quality rules and scans. It seems we still cannot even do this for semantic models (?) Given warehouses are hardly new (their Synapse predecessors have been around for years), and especially given they have a SQL endpoint, we're really surprised that nearly two years since Fabric went GA, Purview still isn't compatible with what is surely one of the two fundamental Fabric repositories. We've been making enquiries with our MS contacts, and frequently checking the Purview Roadmap ('What's new in Microsoft Purview') but still haven't seen any indication of if/when warehouses will be supported. Our Head of Data is pretty much out of patience and is asking if we need to go to market for another tool... Can the MS folk on here shed any light on these compatibility/functionality gaps with Microsoft's own data platform?
My company's app incorrectly detected as a trojan
Hi Team. I am the developer of a gaming geo fence and your system has falsely detected my app as Trojan:Script/Wacatac.C!ml. I need help to remove it, as it seems like analysts are no longer checking false detections anymore? (at least to me it seems automatic now)? My app is a geo fence which creates firewall rules and uses Npcap for packet capture to display server locations, and the exe is encrypted to help fight against software pirates. Here is an example submission of my exe for my application https://www.microsoft.com/en-us/wdsi/submission/5ab00c91-ea84-4fbb-a739-613316b32dfe Please get an analyst to manually inspect the file and whitelist it, as it's a pain telling my customers to turn off their antivirus, and also it's not advice I should have to give, to be honest. My company is called sbmmoff ltd https://papagal.bg/eik/207176266/58b9 Website is bflocker.com I really would appreciate a speedy response to resolve the situation and thank you for your time.
How does the super user functionality in Azure Rights Management work?
We have recently performed labeling tests with Microsoft Purview on emails and Office documents. However, a question arises about what happens when a user encrypts a document or email and it becomes necessary to recover that information. I understand that the super user functionality must be enabled via PowerShell to access encrypted content, but how is this functionality actually used in practice? What steps should I follow to recover encrypted documents and emails using the super user?
Issues with AutoSave and Sensitivity Labels – Need Advice on Best Practices
Hello everyone, I'm currently facing an issue with implementing Sensitivity Labels in Microsoft 365, and I was hoping to get some insights from others who might have encountered similar challenges.
The Setup: We’ve implemented Sensitivity Labels with encryption in our organization to ensure external users are always authenticated when accessing our files. Our files are primarily stored on our on-premises servers. We’ve configured the labels to restrict access to authenticated users, with different permissions based on user roles (e.g., Co-Owners for internal users and restricted permissions for external users).
The Problem: While the labeling process is working as expected, one significant issue we've run into is that AutoSave no longer functions correctly after applying the labels, particularly for documents that are encrypted when using the client app. The documents are not saving automatically, which can lead to information loss and angry employees. 🥺 I can live with the limitation that the label can only be applied in the client application (i.e., not through the web interface). However, the AutoSave problem is a significant hurdle.
Questions for the Community: Has anyone else encountered issues with AutoSave after applying Sensitivity Labels with encryption? How did you work around this? Are there any best practices or configuration adjustments I should consider to resolve this issue? How have other organizations handled the authentication requirement for external users while still ensuring a smooth workflow? Looking forward to hearing your thoughts and experiences! Thanks in advance!
Windows Authentication for Entra ID for SQL MI
Hi Team, I recently came across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options. Option 1: Modern interactive flow. Option 2: Incoming trust-based flow. Proceeding with Option 2 (Incoming trust-based flow), the authentication flow works something like the following:
Step | Action | From | To | Network Connection
1 | Initiate Connection | Client (Windows Server 2016) | - | -
2 | Request Kerberos TGT | Client | Domain Controller (Windows 2012) | On-premises network
3 | Issue TGT | Domain Controller | Client | On-premises network
4 | Request Service Ticket via Kerberos Proxy | Client | Microsoft Entra ID (via proxy) | ExpressRoute (Microsoft peering)
5 | Issue Service Ticket | Microsoft Entra ID | Client | ExpressRoute (Microsoft peering)
6 | Submit Service Ticket | Client | Azure SQL Managed Instance | ExpressRoute (private peering)
7 | Validate Ticket and Exchange for Token | Azure SQL Managed Instance | Microsoft Entra ID | Azure internal network
8 | Authenticate User and Grant Access | Azure SQL Managed Instance | Client | ExpressRoute (private peering)
If the above is correct, can anyone confirm we have to synchronize service accounts and users that are used by applications to Entra ID? Does the client (running the application or SQL Management Studio) require access to Entra ID, or will it be requested by on-premises AD on behalf of the application server? Many Thanks!
Microsoft Defender on Android (MAM-WE)
We are asking our users to install Microsoft Defender on their BYO devices but are running into issues with certain (not all) Android devices; they are getting the below error. What could be wrong? Their devices are not enrolled; we do not use MDM for personal devices. They are installing the regular Defender app from the public Play Store.
Sharing Best Practices and Experiences
Hi everyone! I’m opening this space for us to discuss everything related to Microsoft Entra — implementation, management, and best practices. The goal is to create a community where we can share experiences, exchange tips, and discuss procedures that make working with Entra ID, Entra Permissions Management, Entra ID Governance, and the rest of the Entra ecosystem easier.
🔹 What challenges have you faced in identity and access management?
🔹 Any configuration, automation, or integration tips worth sharing?
🔹 How are you applying Microsoft’s recommended security practices?
If you’re just getting started, check out this Microsoft Learn article on the Microsoft Entra fundamentals. Let’s build an active and collaborative community around Microsoft Entra!
Question many malwares types and files
What are the names of the types of malware that access, modify, delete, or corrupt PC HDD and SSD files (Windows files and personal files, games, music, executables, ISO, IMG, RAR, ZIP, 7Z)? Does all malware have the potential to do this? In this case, how are the malware QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml), Caller.exe (DrWeb detects Trojan.DownLoader47.36298), and Caller.exe (VBA32 detects TrojanPSW.Rhadamanthys) classified?
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello, I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day. Here’s what I’ve observed so far: Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU. I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period. Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines. Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically.
Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window:
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state...
These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior.
Questions for the community: Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019? Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines? Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender? Any guidance or advice would be really appreciated. Thanks, Nikunj
Custom SITs fine-tuned in MIP
Hello Everyone, I am currently working on an MS Purview Solutions greenfield deployment project for one of our customers, covering on-premises data and M365 data. I created a few custom SIT classifiers with regex patterns in the MIP portal almost 3 months ago and they are classifying the data as expected, but with some false positives. All of them have been fine-tuned to prevent false positives. It's scanning and classifying the newly created M365 data as expected. However, it's not reclassifying the previously classified false positive data. How can I forcefully rescan/reclassify the false positive M365 data? I just want to reclassify the data with the fine-tuned custom SITs to correctly classify the data before labelling. One more question related to on-prem scanners. I have started the on-prem scanners to scan all the SharePoint sites and file shares for any sensitive information. Initially it ran a full scan and later it started incremental scans. The above scan started before creating the custom SITs and labels. Now I want to run a full scan just to classify the data, recommending the labels based on the sensitive data instead of enforcing and applying the label. Can someone throw some light on which options need to be selected for just recommending the label instead of applying the label? Current configuration as shown below: Any help really appreciated. Regards, Anand Sunka
Content Explorer does not show Access Controlled Encrypted files
I have started working with labels. In Data Explorer, when I select a Sensitivity Label that has access permissions (Confidential - Encrypted, in my case), I only see items with that label in Exchange, not in OneDrive or SharePoint. I know I have files with this sensitivity label saved there! What am I missing?
Secure your data—Microsoft Purview at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across data security, compliance, and AI. This year’s sessions and labs will help you prevent data exfiltration, manage insider risks, and enable responsible AI adoption across your organization.
Featured sessions:
BRK250: Preventing data exfiltration with a layered protection strategy. Learn how Microsoft Purview enables a layered approach to data protection, including AI and non-AI apps, devices, browsers, and networks.
BRK257: Drive secure Microsoft 365 Copilot adoption using Microsoft Purview. Discover built-in safeguards to prevent data loss and insider risks as you scale Copilot and agentic AI.
LAB548: Prevent data exposure in Copilot and AI apps with DLP. Configure DLP policies to protect sensitive data across Microsoft 365 services and AI scenarios.
Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions.
Why attend: Ignite is your chance to see the latest Purview features, connect with product experts, and get hands-on with new compliance and data protection tools. Microsoft will also preview future enhancements for agentic AI and unified data governance.
Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.
Connect with peers and security leaders through these signature security experiences:
Security Leaders Dinner—CISOs and VPs connect with Microsoft leaders.
CISO Roundtable—Gain practical insights on secure AI adoption.
Secure the Night Party—Network in a relaxed, fun setting.
Register for Microsoft Ignite >
Modernize security operations to secure agentic AI—Microsoft Sentinel at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across SecOps, data, cloud, and AI—and how to get more from the Microsoft capabilities you already use. This year, Microsoft Sentinel takes center stage with sessions and labs designed to help you unify data, automate response, and leverage AI-powered insights for faster, more effective threat detection.
Featured sessions:
BRK235: Power agentic defense with Microsoft Sentinel. Explore Microsoft Sentinel’s platform architecture, graph intelligence, and agentic workflows to automate, investigate, and respond with speed and precision.
BRK246: Blueprint for building the SOC of the future. Learn how to architect a modern SOC that anticipates and prevents threats using predictive shielding, agentic AI, and graph-powered reasoning.
LAB543: Perform threat hunting in Microsoft Sentinel. Dive deep into advanced threat hunting, KQL queries, and proactive investigation workflows to sharpen your security operations.
Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions.
Why attend: Ignite is your opportunity to see the latest innovations in Microsoft Sentinel, connect with experts, and gain hands-on experience. Sessions will also touch on future directions for agentic AI and unified SOC operations, as outlined in Microsoft’s broader security roadmap.
Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.
Connect with peers and security leaders through these signature security experiences:
Security Leaders Dinner—CISOs and VPs connect with Microsoft leaders.
CISO Roundtable—Gain practical insights on secure AI adoption.
Secure the Night Party—Network in a relaxed, fun setting.
Register for Microsoft Ignite >