Recent Blogs
14 MIN READ
Member: TysonPaul | Microsoft Community Hub
Triggering Azure Functions from Blob Storage Using Event Grid
Team Blog: Core Infrastructure and Security
Author: AndrewCoughlin
Published: 05/11...
Jun 18, 2026
At its core, Security Copilot is built to enhance every facet of security operations at machine speed. It translates a vast array of inputs (Microsoft’s cloud-scale telemetry, threat intelligence fee...
Jun 18, 2026
14 MIN READ
Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl
How analytics rules, playbooks, workbooks, and hunting evolve in Defender—and why the new toolbelt makes detection engineerin...
Jun 18, 2026
3 MIN READ
Starting today, Microsoft Defender for Office 365 Plan 1 is rolling out to customers with Microsoft 365 E3/G3 and Office 365 E3/G3 licenses, with rollout expected to complete by Fall 2026. For securi...
Jun 17, 2026Recent Discussions
Two sensitivity labels on PDF file
Hi everyone, First time poster here. We encountered an interesting issue yesterday where we had a user come to us with a PDF that had two sensitivity labels attached. In Purview activity explorer, we can see the file hit the DLP policy and the two labels, but when trying to replicate the issue cannot do it, or see how this has been done. Has anyone else encountered a similar issue? We were able to remove labels in our PDF editor but in Office suite once a label is applied, I could not see a way to remove it. We tried applying a label to a Doc file, converting to PDF and then seeing if it was there where it was being asked for another label but it was not, it just let us change the original. Many thanks in advance!
Best approach for contractor block policy
Hello there I need some assistance with your best approach for vendor block policy. I am thinking to create one policy with three rules Block all vendors with the block AD group Vendors to allow emails to approved domains only vendors to send email to external to organisation with ability to send to approve domains Do you think this is a good approach by breaking down into three different rules ? Also I am bit confused with the conditions on the rule 2 and rule 3. what would you your approach with complete breakdown ?
mysignins.microsoft.com failing to save passkeys
Morning. Trying to add passkeys to accounts via mysignins.microsoft.com, it almost universally fails. The failing step is when I go to name it - it just never completes. Same result using BitWarden, Yubikeys, etc. Doing this in Edge, because in Firefox - my existing security methods don't even show up. If I check the audit logs, it will give me two entries - one stating that I failed to register security info, and another about a group management query. NO idea what this is, the only identifier within the logs is my own object ID. Possibly it's related to the group I have assigned to the Passkeys Authentication Methods policy. (which doesn't have any restrictions, but does enforce attestation) CoPilot suggested it may be that the token is expiring, or something with my Edge profile - and to try in private browsing. No change. Doing a review of our conditional access policies to see if Registering Security info is locked down - it WAS locked down to only my region (Canada). This has since been made Report-Only, just in case. Looking at the audit log entry for the failure, there's a correlation ID 9c269291-737f-4c17-b178-b1040834fb3f and performedBy {"AppId":"19db86c3-b2b9-44cc-b339-36da233a3be2","AgentType":0,"BlueprintId":null}. If I try to filter non-int sign-ins based on that Correlation ID, I get nothing. If I use AppId as the RESOURCEId, I get a FAILURE entry with the following error - yet no conditional access policies are applied. The authentication details shows this, which is weird - per=user MFA shouldn't be applied. We don't use this. But there are sign-ins at the exact same moment to the same resource, WITH MFA successful. I can register other methods wiithout issue. I tried creating an explicit CA policy GRANTING access to register sec info, with a TAP. That is the above sign-in. TAP worked.. just NOT for passkey registration. Other weird behaviours: 1. This portal times out so quick. Like... constantly. I have not configured anything to do this, as far as I know. 2. Opening the same portal in Firefox returns no MFA methods. None. No error, of course - it's just blank.
Risky sign-ins not showing anything
Hi, For some time already, I am not sure why but I cannot see anything in risky sign-ins in Identity Protection (MS Entra). Even when I receive a summary email (Microsoft Entra ID Protection Weekly Digest) mentioning there were risky sinn-ings detected. When I click on the risky signings directly in the email to take me to the report, I see no data there at all... When I modify filters to include all, nothing shows up either. It has been like this for few months already. Before, I could see them with no issues. Has anything changed? Or why I can't see any records?
TAP requires step-up MFA when user already has a passkey registered — expected behavior?
Environment Microsoft 365 Business Premium (Entra ID P1) Cloud-only tenant Authentication methods enabled: FIDO2/Passkey only + TAP All other methods disabled (no Authenticator push, no TOTP, no SMS) CA Policy configuration CA001 — Protect Security Info Registration Target: User action — Register security information Grant: Custom authentication strength "Bootstrap and Recovery" (TAP one-time + TAP multi-use + Passkey/FIDO2 + WHfB/Platform credential) Status: On CA002 — Require Phishing-Resistant Authentication Target: All cloud apps (excluding Azure Credential Configuration Endpoint and tested also excluding Microsoft App Access Panel) Grant: Built-in Phishing-resistant MFA Status: On What was tested Scenario 1 — User with no registered methods (only with Platform credential): Admin issues TAP (multi-use, 4 hours) User navigates to aka.ms/mysecurityinfo User authenticates with TAP Result: Access granted — user can register passkey without any step-up, even in a flow authenticating directly to a resource (such as Microsoft Teams in browser) Scenario 2 — User with an existing portable passkey already registered (in MS Authenticator): Admin issues TAP (multi-use, 4 hours) User navigates to aka.ms/mysecurityinfo User authenticates with TAP Result: Entra requests a second factor — specifically the existing passkey — before allowing access to My Security Info. Seems the system enforces CA002 or a platform-level step-up requirement. The TAP is accepted as a first factor, but the platform then requires the existing passkey as a second factor before proceeding. Sign-in log analysis: The behavior does not appear in the Conditional Access tab of the sign-in logs as a CA policy failure — it appears to be enforced at the platform level, not by any configured CA policy. Questions Is it by design that when a user already has a registered MFA-capable method (passkey), the platform enforces step-up authentication before allowing access to My Security Info — even when the user authenticates with a valid TAP? If so, does the correct recovery procedure require the admin to first remove all existing authentication methods before issuing a TAP — so the user has no registered methods and the TAP is accepted without step-up? Is there any way to allow TAP to bypass this step-up requirement for recovery scenarios, without removing existing methods first? Any pointers to official documentation or confirmed behavior would be appreciated.Managed VNET Integration Runtime failing with 502 error.
Good afternoon everyone. I'm a DevOps Engineer who is new to Purview. I used Terraform to deploy a Purview account for a POC for a client, however, I'm having a real issue creating a Managed VNET IR. The private endpoints are all visible and approved and if I check in the shell I can see the IR and the Managed VNET both exist (names sanitized). { "name": "SAMPLENAME", "properties": { "managedVirtualNetwork": { "referenceName": "ManagedVnet-name" }, "typeProperties": { "computeProperties": { "location": "WestEurope" } } } } But in the Purview portal the status shows as failed and if I try update it, I get a popup notification stating that the process timed out due to a 502 error. The URL in the error is " https://api.purview-service.microsoft.com/scan/integrationRuntimes/{NAME}?api-version=2022-02-01-preview" I thought this might be an issue with permissions or that I'm not in the admin role group in my client environment so I did the same process in my local purview account (where I'm global admin and in the Purview Administrators role group) and I'm having exactly the same problem. The managed vnet and IR exist when queried in the cloud shell but the state in the portal shows as failed. I am a "Data source Admin" in both purview accounts but I'm wondering if there's some other role assignment or role group assignment that I'm missing? Thanks in advance. Devon Britton.# Seeking Feedback – Microsoft Purview Governance Domain Metamodel
I've been working on a proposed metamodel for some time to help organisations decide how to structure Governance Domains within Microsoft Purview and would appreciate feedback from others who have implemented Purview at scale. The intention is not to prescribe a single approach, but to describe several governance patterns that seem to emerge in practice. Some additional assumptions I've made: * Numeric prefixes such as `01.01.01` help maintain sort order and readability. * Standardising on three levels appears easier to manage, although Purview supports five levels. * Microsoft guidance suggests keeping Governance Domains to approximately 200. * Governance Domains themselves are relatively flexible and can be renamed or repositioned within the hierarchy. * Data Products currently appear to be bound to the Governance Domain in which they are created and cannot presently be reassigned to another Governance Domain, making early design decisions more important. I'm interested in hearing from organisations already using Governance Domains in production. A few questions for discussion: Have you adopted one of these patterns, or a hybrid approach? Are there Governance Domain types missing from this metamodel? Is the recommendation of standardising on three hierarchy levels sensible, or have you found deeper structures manageable? Are there any Microsoft best practices, roadmap items or implementation experiences that would suggest a different approach? I've attached an infographic illustrating the proposed metamodel and would welcome any thoughts, criticism or lessons learned from real-world implementations.Feature Request: Export ALL to PDF
When exporting from a Review Set, Ii would like to have an option to export ALL documents to PDF. Of most concern is exporting email (with attachments) to PDF. Attachments may have been redacted. But if the email is exported it will include the unredacted attachment. This is not acceptable. They were redacted for a reason. We can force the export to convert the email to PDF by placing a useless redaction on the email. It can be small or large. Can contain text or not. It can be 2 pixels square. It has to be there so we can force the email to convert to PDF for the export. Manually adding a fake / useless redaction to hundreds of emails is an enormous (but currently essential) waste of time. Since the system already knows how to do the conversion, it should be simple to just give us an option to convert ALL emails to PDF. Might slow down the processing, but... It protects the names / numbers / etc. being redacted.Reminder: Next Tuesday 6/23 at 9AM PST we will be hosting an 'Ask Microsoft Anything' session on Tech Community for the Sentinel SIEM Migration Experience!
Join us for a live demo and AMA on the Microsoft Sentinel SIEM migration experience. We’ll show how the experience helps teams move from legacy SIEMs like Splunk and QRadar into Microsoft Sentinel with a more guided, lower-friction path. We’ll cover what it does today, how it works, and the questions customers ask most, then open it up for live Q&A. Link here: Ask Microsoft Anything: The Microsoft Sentinel SIEM Migration Experience Hope to see you there!Terribly lost - what are the basic controlls here?
Hello all. I'm an MSP, looking at methods of securing data in the wake of AI adoption. Obviously, I'm getting pointed to Purview for this. And I've managed to make sense of SOME of it - sensitivity labels, labeling policies, and sensitive info types. The problem I have is that these 'solutions' are spread out amongst 3-4 different 'solutions' - Information Protection, DLP, DSPM (DSPM,, DSPM classic, DSPM for AI 'classic') and it's genuinely just really badly designed. It's done the classic Microsoft move of having the Marketing team build the interface, and caring more about market capture/buzzwords than usability. As is the norm, the documentation quality varies a ton. And between Intune, SharePoint, Entra, Defender, Azure, certifications - I don't actually have time to learn another market-capture tool, which I will use 2% of. We don't license Purview. And I'm not going to license Purview until some effort is put into usability, and the interface is redesigned by native, technical english speakers (no hate, but I've seen first-hand how MBAEnglish-as-a-second-language translates into this sort of opacity). But obviously, we HAVE to use it because a bunch of stuff was pushed into it. Without adding another set of half-automated Microsoft recommendations to my list, and avoiding premium 'solutions' - what are the basic 'solutions' that are required for Data controls, in the face of AI? What exactly was merged into Purview, that existed elsewhere previously? Here is what I've gotten familiar with so far: 1. DLP policies. These are pretty opaque to me, and seem to heavily rely on OTHER 365 products, like Defender for Endpoint, Edge for Business. So again, designed by the marketing team. 2. Sensitivity labels, labeling publishing policies, auto-labeling policies. What am I missing?
ssoSilent() not working across Next.js apps — timed_out or account picker on localhost
Hi everyone, I've been stuck on this for a few days and would really appreciate some guidance from anyone who has dealt with cross-app silent SSO using MSAL.js v5. Here's the setup. We have 3 separate Next.js applications all belonging to the same organisation, all registered under a single Azure Entra ID App Registration with the same clientId and tenantId. In production they all live under the same parent domain — app1.contoso.com, app2.contoso.com, app3.contoso.com — so localStorage is shared between them. On localhost we run them on ports 3000, 3001, and 3002. The goal is simple: if a user is already signed into App 1, opening App 2 in a new tab should silently authenticate them without any popup, redirect, or account picker. Just seamless SSO. Here is how I've set up the msalConfig: export const msalConfig: Configuration = { auth: { clientId: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', authority: 'https://login.microsoftonline.com/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', redirectUri: 'http://localhost:3001/', postLogoutRedirectUri: '/login', }, cache: { cacheLocation: 'localStorage', storeAuthStateInCookie: true, }, }; export const loginRequest = { scopes: ['openid', 'profile', 'email', 'User.Read'], }; Inside a component called SsoInitializer that sits inside MsalProvider, I scan localStorage for a sibling app's MSAL account on mount. I check both msal.2.account.keys (MSAL v5 format) and msal.account.keys (older format), extract the username/email as a loginHint, and then call ssoSilent(). If no loginHint is found — which is always the case on localhost since different ports are different origins — I still call ssoSilent() without a hint, expecting it to fall back to the Entra session cookie that was set when the user logged into port 3000. instance.ssoSilent({ ...loginRequest, ...(loginHint ? { loginHint } : {}), redirectUri: `${window.location.origin}/silent-callback.html`, }) The silent-callback.html in /public is just a blank HTML page with no scripts, which I believe is the correct approach based on the docs since MSAL v5 uses postMessage to communicate with the iframe. The Azure app registration has the SPA platform selected, all redirect URIs including the /silent-callback.html variants are registered for all three localhost ports, ID tokens are enabled, and User.Read has admin consent. Now here is the problem. When App 1 is logged in on localhost:3000 and I open App 2 on localhost:3001, ssoSilent() fires but one of two things happens: The first failure is a timed_out error — BrowserAuthError: timed_out from BrowserUtils.ts. The server-telemetry key in localStorage shows redirect_bridge_timeout repeated multiple times with cacheHits of 0. This started happening when I had a CDN import of MSAL inside silent-callback.html trying to call handleRedirectPromise(). The CDN download was too slow for the iframe timeout window, so I removed it. The second failure happens after switching to the blank HTML silent-callback page. The timed_out goes away but now ssoSilent() seems to fall through entirely and the Microsoft "Pick an account" full-page redirect opens — which completely defeats the purpose. I've also tried passing prompt: 'none' explicitly in the ssoSilent request. No change. One important observation from DevTools: the Entra session cookie IS present in the browser. The user is fully signed in on port 3000. Based on my understanding of the docs, ssoSilent() without a loginHint should detect this session cookie and authenticate silently. But it's either timing out or showing the account picker. I have a few specific questions I'm hoping someone can help with: First, is ssoSilent() actually supposed to work without a loginHint using only the Entra session cookie? Or does it require a hint and will always show the account picker if multiple accounts are signed in to the browser? Second, what is the correct content of silent-callback.html for MSAL v5 specifically? The blank page causes redirect_bridge_timeout, but adding MSAL scripts causes a different timeout because they load too slowly. Has the iframe handshake mechanism changed between v1/v2 and v5? Third, is there an officially recommended pattern for cross-app silent SSO when developing on localhost with different ports? In production the same-domain setup handles localStorage sharing fine, but on localhost the browser's same-origin policy makes each port completely isolated, so the sibling token scan always returns null. Fourth, does the redirectUri passed to ssoSilent() need to point to a page that actively runs MSAL code, or is a blank page genuinely sufficient for the iframe to complete its handshake in v5? Using azure/msal-browser 5.6.1, azure/msal-react 3.0.20, Next.js 14 App Router, Chrome on Windows 11, single tenant. Any help or a working example from someone who has done this in MSAL v5 would be hugely appreciated. Thanks in advance.Prompted to sign in to Microsoft Defender Platform on W11/W2025 using Entra
Hi Microsoft Defender XDR community, Since around May 18th, our users on devices that are onboarded to Microsoft Defender for Endpoint are being prompted to sign-in to the following application using Entra on login to Windows. Application Microsoft Defender Platform Application ID cab96880-db5b-4e15-90a7-f3f1d62ffe39 Is anyone aware of a change that requires user sign-in to Entra as a requirement for Microsoft Defender for Endpoint? I have tried raising a support topic on this topic. Regards Chris
Ways to fetch quarantine files
We are working with quarantine files and have a few questions: 1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint? 2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store? 3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?
Co Authoring with Sensitivity Labels
Hello, I am working with sensitivity labels with my organization. We currently have Standard, Confidential, and Highly Confidential which all are encrypted. I have Co-Authoring turned on but I have some trouble with. We a lot of documents being collaborated on. Standard: Co-Authoring functions normal and Auto-Save is toggled on. Highly Confidential: Custom Permission in Sensitivity Label (View, Edit, Reply, Forward) I asked copilot and it stated even though my permissions are selected custom I have "Edit" on their for my internal users it is reading it as Co authoring; Co-Authoring is on and functioning but internal end users Auto-Save is toggled off and they are being asked to save a copy of the document or excel sheet then upload it again to SharePoint. Why isn't "Auto-Save" toggled on for "Highly Confidential" label? Can it be adjusted so it can be on? Do I have to make adjustments to my permissions in the Sensitivity label? Any help is appreciated. Thank you!
Exempt - Azure CSPM Recommendation
We are implementing creating exemptions on policies through Terraform. Is there a way to exempt this specific Azure CSPM standard policy "Restricted network access should be configured on Internet exposed Function app" through Terraform since it does not have any policyassignmentid and policyid. I think this standard policy cannot be exempted with this code. Please confirm. My understanding is this is Assessment type and has no policy id or policy assessment id. I can exempt through Azure Portal but not from Terraform. Any guidance is greatly appreciated. resource "azurerm_subscription_policy_exemption" "this" { for_each = local.subscription_exemptions name = each.key subscription_id = each.value.resource_id policy_assignment_id = each.value.policy_assignment_id policy_definition_reference_ids = each.value.policy_definition_reference_ids exemption_category = each.value.category expires_on = each.value.expires_on description = "Ticket: ${each.value.ticket} | ${each.value.remediation_plan}" metadata = jsonencode(merge(var.tags, { owner = each.value.owner ticket = each.value.ticket risk_level = each.value.risk_level remediation_plan = each.value.remediation_plan approved_by = each.value.approved_by approval_date = each.value.approval_date environment = var.environment managed_by = "terraform" })) } Thanks, AnshuWindows 11 24H2 Sec Baseline → Broken SSO to on‑prem (Root cause: PKINIT SHA‑1 baseline)
Hi all, I ran into an issue with Entra-joined devices using Windows Hello for Business (Cloud Kerberos Trust) that might help others working with Windows 11 24H2 security baselines. Scenario Windows 11 25H2 devices Entra-joined (not hybrid) Intune-managed Windows Hello for Business (WHfB) enabled Cloud Kerberos Trust configured On-prem AD (Windows Server 2019/2022 DCs) Access to SMB shares / on-prem applications Symptoms SSO to on-prem resources fails Users get credential/PIN prompt instead of SSO Error message: “The system cannot contact a domain controller to service the authentication request” Client-side observations: klist → no tickets (initially) After enabling Cloud Kerberos Trust: klist get krbtgt → works klist get cifs/server.domain → fails Error: 0xc000a100 / 0x3bc4 Hash generation for the specified version and hash type is not enabled on server Root Cause The issue was caused by a Windows 11 24H2 security baseline setting related to Kerberos/PKINIT. The 24H2 baseline introduces a policy for configuring hash algorithms for certificate-based Kerberos authentication (PKINIT). This setting allows environments to disable SHA-1 and require SHA-2 algorithms. [applepie.se] Important detail: This configuration only works if the domain controllers fully support PKINIT with SHA-2, which effectively requires Windows Server 2025 domain controllers across the environment. If SHA-1 is disabled while running: Windows Server 2019 or 2022 DCs Mixed environments then PKINIT authentication fails, which directly impacts: Windows Hello for Business Cloud Kerberos Trust Any passwordless Kerberos-based authentication Why this is difficult to troubleshoot Cloud Kerberos Trust appears correctly configured AzureADKerberos object exists PRT is valid Network connectivity is fine However: Kerberos tickets are not issued correctly Service tickets (CIFS, HTTP, etc.) fail Errors are misleading and point to KDC/hash issues No explicit warning is provided in baseline guidance that mixed environments will break Resolution Revert the baseline change and allow SHA-1 for PKINIT again. Policy location: Computer Configuration → System → Kerberos / KDC → Configure hash algorithms for certificate logon Ensure: SHA-1 is set to Allowed/Default After reverting: Kerberos ticket issuance works SSO to on-prem resources is restored Recommendation Do not disable SHA-1 for PKINIT unless: All domain controllers are Windows Server 2025, and PKINIT SHA-2 support has been fully validated Treat this setting as future hardening, not production-safe for mixed environments today. Takeaway If you experience: WHfB + Cloud Kerberos Trust SSO failures klist get errors with hash generation issues Missing or failing Kerberos service tickets check the PKINIT hash configuration from the 24H2 security baseline first.Anthropic Claude Purview Data Connector showing all users as Guests..
It appears this connector is not mapping fields properly causing internal users to be mapped as "guests", and since prompts/data isn't maintained for guest users the connector is effectively not gathering anything but noise. Unlike the other data connectors, one cannot create field mappings. Also the app being named using the guid of Microsoft's own "dataassessments" service principal I don't think is intended either. Has anybody else experienced this? See below for an example.Microsoft Defender for Endpoint and WDAC audit logs not include kernel audit/blocks
While testing WDAC on a fully patched Win11 pro machine - I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal, only user mode audit/blocks are collected. Can anyone confirm they see this too and is this by design? My test case is to use a Strict Kernel Mode WDAC policy (as per: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) which is active, using the global secure access client as my test, when the machine boots, the below event is generated locally on the machine: This event is never shown on the MDE advanced hunting portal, though user events do show. Examples of events that are coming through: Not receiving these events centrally for auditing would make deploying a kernel mode wdac control impossible. Would be amazing if Microsoft product team could look into this and resolve as these alerts should be captured as well please to facilitate deployment of more secure controls.Microsoft 365 Developer E5 license lacking endpoints and device on defender portal
Dear Support Team, I am a microsoft certified trainer (MCT). I currently have a Microsoft 365 Developer E5 license assigned to my tenant. However, I have noticed that my Microsoft Defender portal (security.microsoft.com) is missing several critical features. For example, I cannot see the Endpoints or Devices menus, which is preventing me from implementing and testing Microsoft Defender for Endpoint. Additionally, my Azure tenant and Microsoft 365 tenant are separate. This has created challenges when configuring security services such as Microsoft Sentinel (SIEM), as certain prerequisites and integrations require configuration through the Microsoft Defender portal. Due to the missing Defender features, I am unable to complete the necessary setup. I would appreciate your assistance in understanding: Why the Endpoints and Devices sections are unavailable in my Defender portal despite having a Microsoft 365 Developer E5 license. Whether additional licensing, onboarding steps, or tenant configurations are required to enable Microsoft Defender for Endpoint features. How best to integrate or align my separate Azure and Microsoft 365 tenants to support services such as Microsoft Sentinel and Defender XDR. These issues are significantly impacting my ability to evaluate and implement Microsoft's security solutions. I would appreciate any guidance or recommendations to resolve them. Thank you for your assistance. Kind regards, [Your Name]
Events
in 2 hours
Join us for a live demo and AMA on the Microsoft Sentinel SIEM migration experience. We’ll show how the experience helps teams move from legacy SIEMs like Splunk and QRadar into Microsoft Sentinel wi...
Online
in 1 day
Learn how Microsoft Entra Conditional Access, our Microsoft Zero Trust policy engine, protects access for your workforce and for agents by enforcing real‑time adaptive access policies that continuous...
Online