Recent Blogs
5 MIN READ
Microsoft Defender Monthly news - March 2026 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defen...
Mar 02, 2026
Autofill behavior in modern browsers can sometimes feel confusing—especially when suggestions suddenly stop appearing even though data is still being entered correctly. In Microsoft Edge, this behavi...
Mar 01, 2026
This guide provides instructions on how to set up and run Text to Image and Text to Video generation using ComfyUI with an Nvidia H100 GPU on Azure VMs.
ComfyUI is a node-based user interface for S...
Feb 27, 2026
At RSA this year, we’re hosting Ask the Experts: Data & AI Security in the Real World a live, unscripted conversation with Microsoft Security engineers and product leaders who are actively building a...
Feb 27, 2026Recent Discussions
Priority between CIDR and FQDN rules in Microsoft Entra Private Access (GSA)
Hello Question about prioritization between CIDR and FQDN rules in Microsoft Entra Private Access (GSA) Question: Hello everyone, I have a question about how rules are prioritized in Microsoft Entra Private Access (Global Secure Access). In my environment, I configured the following: I created an Enterprise Application using a broad CIDR range (10.10.0.0/16) to represent the entire data center. Within the same environment, I created other Enterprise Applications using specific FQDNs ( app01.company.local, app02.company.local) with specific ports. All rules are in the same Forwarding Profile. I noticed that in the GSA client rules tab there is a “Priority” field, and apparently the rules are evaluated from top to bottom. My question is: When there is an overlap between a broad CIDR rule and a more specific FQDN-based rule, which one takes precedence? Is there some internal technical criterion (DNS resolution first, longest prefix match,), or is the evaluation purely based on the order displayed? Is there a risk that the CIDR rule will capture traffic before the FQDN rule and impact granular access control? I want to make sure my architecture is correct before expanding its use to production. Could someone clarify the actual technical behavior of this prioritization?
Auto-labelling does not support content marking
We’ve hit a limitation with service-side auto-labeling in Purview: when a sensitivity label is applied by an auto-labeling policy, any configured visual markings (headers, footers, watermarks) are not written into the document. A further complication is that there is a requirement which includes a custom script that applies sensitivity labels at the folder level and relies on the service-side engine to cascade those labels down to the folder's contents. This means automation isn't just a 'nice to have' for scale — it is a core dependency of our labeling architecture. The inability to also apply visual markings through this same automated path creates a direct gap in our compliance posture and the MS solution. For environments where visible classification is mandated by regulation, this effectively means we can’t rely on service-side auto-labeling alone, which is a big constraint. I’d really appreciate: Any confirmed best practices/workarounds others are using, and Input from the product team on whether server-side visual markings tied to auto-labeling are being considered / and what to consider meeting this requirement as an alternative
Issue Using Built in Trainable Classifiers in Auto Labelling Policies - Purview
Over the last few days, I have run into issue while configuring Auto labelling policies in Purview specifically when using built in classifiers for eg: Budget, Agreements These classifiers are parr of ready to use. They have been working well for us until recently but now saving an auto labelling rule that includes any of Trainable classifiers getting client side error: 'Could not find rule pack associated with sensitive information type' this is unexpected because: same classifiers eg: Budget worked perfectly just few weeks ago. No changes have made to roll, permissions on our side. Still not sure why showing issue now. Kindly request you, help me with root cause of the cause. Please feel free to post it comments if someone faced same issue in using trainable classifiers in auto labelling policies. Thanks in advance. Regards, BanuMuraliEmail to external(trusted user) not require verify user Identity(with Google or One-time passcode)
Dear Expert and Community, I am starting with MS Purview - Data Loss Prevention. I have one point to clarify and seek your advise / comment / contribute or sharing good practice regarding with below: - Firstly, we can send email to externally user contain sensitive information, it is encryption or blocked (result: worked as expected). If remail encrypt, the external receiver require verify the Identity via sign in with google acc / with a one time password. - Second: we plan sending email to external user (only trusted user / domain). Is it possible, do not require these scope user reverify their Identity again and again? If yes, how to do it? If not - why? Well appreciated for update and supporting. Thanks,Federating Two Domains to Single Google Workspace Org — IssuerUri Conflict
Problem: I'm federating two custom domains (domainA.com and domainB.com) in the same Entra tenant to Google Workspace as the IdP using New-MgDomainFederationConfiguration. Cloud-only tenant, no on-premises AD. domainA.com works perfectly. When attempting to federate domainB.com, I get: 409 Conflict — Request_MultipleObjectsWithSameKeyValue Root cause: Both domains are in the same Google Workspace org. Google always sends the same IssuerUri in every SAML response regardless of which SAML app is used. Entra's global IssuerUri uniqueness constraint blocks the second domain. Workarounds attempted: Modified IssuerUri with unique query parameter — Google's SAML assertion still contains the original IssuerUri, Entra silently rejects it Second Google SAML app — Google sends identical IdP Entity ID regardless Google Legacy SSO profile with domain-specific issuer — only affects Google authentication, not Microsoft-initiated SAML flows Beta Graph API — same constraints MSOnline module — fails with Negotiate/forbidden error Questions: Is there any supported way to federate two domains in the same tenant to the same Google Workspace org? Is there a Graph API equivalent of the legacy -SupportMultipleDomain switch? domainB.com also returns "No matching stub found. Please reset the federation" on every update attempt — is this a known backend issue? We have a support ticket open for 21 days with no engineer response. Any help appreciated!
Convert Hybrid Azure AD Join Device to Azure AD Join Only
Hi , We are in Hybrid state ( SCCM+ Intune =CoManaged ) and Hybrid Azure AD Join . Now as next step moving to cloud only , We are moving device from Hybrid to Azure only State . While testing Manually remove a device from AD domain post reboot noticed that not able to even login with Azure that means loose the complete state ( AD as well as Azure ) , Login with Local account found with DSREGCMD that device is not attached to any . If I just removed the AD domain why this has removed from Azure AD Join as well .What is best way to Remove domain join but keep Azure AD join , Loose Users settings as well. Thanks MSB
IdentityLogonEvents - IsNtlmV1
Hi, I cannot find documentation on how the IdentityLogonEvents table's AdditionalFields.IsNtlmV1 populated. In a demo environment, I intentionally "enforced" NTLMv1 and made an NTLMv1 connection to a domain controller. On the DC's Security log, event ID 4624 shows correct info: Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 On MDI side however it looks like this: (using the following KQL to display relevant info here: IdentityLogonEvents | where ReportId == @"f70dbd37-af8e-4e4e-a77d-b4250f9e0d0b" | extend todynamic(AdditionalFields) | project TimeGenerated, ActionType, Application, LogonType, Protocol,IsNtlmV1 = AdditionalFields.IsNtlmV1 ) TimeGenerated ActionType Application LogonType Protocol IsNtlmV1 Nov 28, 2025 10:43:05 PM LogonSuccess Active Directory Credentials validation Ntlm false Can someone please explain, under which circumstances will the IsNtlmV1 property become "true"? Thank you in advanceHow to add glossary term to domain
Does anyone know how to add a glossary term to a domain using the REST API? What is the correct url? None of these work: url = f"{my_purview_endpoint}/unifiedcatalog/domains/{my_glossary_guid}/glossaryTerms" url = f"{my_purview_endpoint}/datagovernance/catalog/businessdomains/{my_glossary_guid}/glossaryTerms" url = f"{my_purview_endpoint}/businessdomains/{my_glossary_guid}/terms"
PIM
Hello, everyone. I need some help. We already use PIM for Just-in-Time activation of administrative functions in Entra ID, but we would like something more granular. For example, we want certain administrative actions in Microsoft 365, such as accessing sensitive data or performing critical tasks, to only be possible upon specific request and approval, even if the user has already activated the function in PIM. Is this only possible with PIM, or is there another feature in Microsoft 365 for this type of control?PIM
Hello, everyone. I need some help. We already use PIM for Just-in-Time activation of administrative functions in Entra ID, but we would like something more granular. For example, we want certain administrative actions in Microsoft 365, such as accessing sensitive data or performing critical tasks, to only be possible upon specific request and approval, even if the user has already activated the function in PIM. Is this only possible with PIM, or is there another feature in Microsoft 365 for this type of control?Rollback Script for Purview Auto Labels Using PnP/Graph – Anyone Done This?
Hi , I have been working on a rollback script using PnP and Microsoft Graph API to remove a sensitivity label from SharePoint and OneDrive documents through an Enterprise App (service principal). The purpose of this is to avoid a common issue in Purview. When a sensitivity label is applied through auto labeling and later changed manually, Purview reclassifies it as a manual label. After that, even if you run another scan, Purview will not automatically apply an auto label again because the file is now considered to have a user applied label. To prevent this problem, the idea is to make all label changes through a service principal so that the change is not treated as a manual action. This gives us a safe way to roll back labels if something goes wrong and lets us return the files to a clean state so that Purview can apply auto labeling again when needed. This approach would be very helpful during testing or when adjusting label priorities or scopes. My question is the following: Has anyone successfully built something like this? I am looking for examples of removing labels in bulk or replacing one label with another, for example replacing Label A with Label B, using PnP or Graph through a service principal. I do have a script somewhat ready but , I am also getting an error when calling some Graph endpoints that says the operation requires a Premium Purview feature (PAYG). If anyone has found a workaround or can confirm which operations require payment, that would be extremely helpful. Thanks!Priority Handling in GSA Client Forwarding Profile Rules
Hello, I would like to provide feedback and propose a functional improvement regarding priority control for forwarding rules in Global Secure Access (GSA). In our environment, we are using Microsoft Entra Private Access with a combination of CIDR-based rules and FQDN-based rules. We understand that it is not possible to create Enterprise Applications with overlapping IP address ranges. Based on this limitation, our current operational model is as follows: Administrators create Enterprise Applications using CIDR ranges that broadly cover entire datacenter networks. Access for application owners to specific servers and ports is defined using FQDN-based rules. With this type of configuration, when reviewing the list of rules shown in the GSA Client → Forwarding Profile → Rules tab, we can see that each rule is assigned a Priority, and the rules appear to be evaluated sequentially from top to bottom. From this behavior, it is clear that: DNS rules are evaluated first Enterprise Application rules are evaluated next Quick Access rules are evaluated last However, between CIDR-based Enterprise Application rules and FQDN-based Enterprise Application rules, there does not appear to be a clear or explicit priority model. Instead, the position — and therefore the evaluation order — seems to depend on the order in which the Enterprise Applications were created. As a result, even when we intend to apply a more specific FQDN-based rule for a particular host, the broader CIDR-based administrative rule may be evaluated first. In such cases, access can be unintentionally blocked, preventing us from achieving the intended access control behavior. After understanding this mechanism, we have been working around the issue by carefully controlling the creation order of Enterprise Applications — creating host-specific FQDN-based applications first, followed by broader CIDR-based rules. While this approach avoids the issue, it significantly increases administrative complexity and makes long-term management more difficult. Based on this experience, we would strongly appreciate enhancements such as: The ability to manually control rule evaluation order in the UI, or More intelligent and predictable automatic prioritization between FQDN-based and CIDR-based rules Such improvements would greatly enhance usability, predictability, and maintainability of GSA forwarding rule configurations. Thank you for considering this feedback.
deleted sensitivity label
Hello Everyone I want to identify who deleted a sensitivity label from my information protection blade. Actual scenario is I had one label called Internal-1, it is now disappeared, However if I am trying to create label with same name it says label with same name is already available. In actual that is not showing in GUI. I want to know how to search who deleted the label in Audit. Please advice. Thank you
Onboard devices in Purview is grayed out
I’m getting started with Microsoft Purview and running into issues onboarding devices. In the Purview portal, no devices appear, and the “Onboard devices” option is grayed out. I have EMS E5 licenses assigned to all users, and I’m signed in as a Global Admin with Purview Administrator and Security Administrator roles. All devices are managed by Intune and run Windows 11 Enterprise with the latest updates. They are Microsoft Entra joined (AAD joined), show up correctly in Defender, and their Defender onboarding status is active and onboarded. What piece am I missing that would prevent these devices from showing in Purview and keep the onboarding option disabled? Any guidance would be appreciated.
CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)
API scopes created. Added to Connector however only streams observed are from Alerts and Hosts. Detections is not logging? Anyone experiencing this issue? Github has post about it apears to be escalated for feature request. CrowdStrikeDetections. not ingested Anyone have this setup and working?McasShadowItReporting / Cloud Discovery in Azure Sentinel
Hi! I´m trying to Query the McasShadowItReporting Table, for Cloud App DISCOVERYs The Table is empty at the moment, the connector is warning me that the Workspace is onboarded to Unified Security Operations Platform So I cant activate it here I cant mange it via https://security.microsoft.com/, too The Documentation ( https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentinel ) Leads me to the SIEM Integration, which is configured for (for a while) I wonder if something is misconfigured here and why there is no log ingress / how I can query themClarification on UEBA Behaviors Layer Support for Zscaler and Fortinet Logs
I would like to confirm whether the new UEBA Behaviors Layer in Microsoft Sentinel currently supports generating behavior insights for Zscaler and Fortinet log sources. Based on the documentation, the preview version of the Behaviors Layer only supports specific vendors under CommonSecurityLog (CyberArk Vault and Palo Alto Threats), AWS CloudTrail services, and GCP Audit Logs. Since Zscaler and Fortinet are not listed among the supported vendors, I want to verify: Does the UEBA Behaviors Layer generate behavior records for Zscaler and Fortinet logs, or are these vendors currently unsupported for behavior generation? As logs from Zscaler and Fortinet will also be get ingested in CommonSecurityLog table only.
Events
in 1 day
Strong access strategy isn’t about initial setup: it’s about keeping operations fast, safe, and scalable as environments constantly change. Learn how Microsoft Security Copilot agent can be used with...
Online
Start your journey to secure AI workloads in the cloud. Learn how Defender for Cloud provides foundational protection for your AI solutions and why it’s essential for modern security strategies.
Wh...
Online