Recent Blogs
In certain occasions you may want to confirm what is the state of your devices or a subset of your devices in EntraID and cross reference this with the device status you see in Defender for Endpoint....
Oct 22, 2025
Post 1: The Hidden Threats in the AI Supply Chain
Your AI Supply Chain Is Under Attack — And You Might Not Even Know It
Imagine deploying a cutting-edge AI model that delivers flawless prediction...
Oct 22, 2025
11 MIN READ
Azure Integrated HSM marks a major shift in how cryptographic keys are handled—moving from centralized clusters… to local, tamper‑resistant modules embedded directly in virtual machines. This new m...
Oct 22, 2025
This blog provides a detailed guide on securing and hardening Active Directory Certificate Services (ADCS), emphasizing best practices based on extensive Microsoft customer engagements. It covers fou...
Oct 21, 2025Recent Discussions
Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)
I'm encountering a problem when attempting to run the GWorkspace_Report workbook in Azure Sentinel. The query is throwing this error related to the union operator: 'union' operator: Failed to resolve table expression named 'GWorkspace_ReportsAPI_gcp_CL' I've double-checked, and the GoogleWorkspaceReports connector is installed and updated to version 3.0.2. Has anyone seen this or know what might be causing the table GWorkspace_ReportsAPI_gcp_CL to be unresolved? Thanks!
Microsoft Defender on Android (MAM-WE)
We are asking our users to install Microsoft Defender on their BYO devices but are running into issues with certain (not all) Android devices - they are getting the below error. What could be wrong? Their devices are not enrolled - we do not use MDM for personal devices. They are installing the regular Defender app from the public Play Store.
How does the super user functionality in Azure Rights Management?
We have recently performed labeling tests with Microsoft Purview on emails and Office documents. However, a question arises about what happens when a user encrypts a document or email and it becomes necessary to recover that information. I understand that the super user functionality must be enabled via PowerShell to access encrypted content, but how is this functionality actually used in practice? What steps should I follow to recover encrypted documents and emails using the super user?
Feature request: Get rid of "Welcome to new Microsoft Purview portal" screen
Any new user of Purview DGS will be shown this screen: I strongly believe this should be an admin led tenant-wide decision, and not an 'any new user on it's own decision'. The screen is confusing and completely unnecessary for new users with "Global Catalog Reader" permissions only. The problem with this screen is that it results in some users landing in the classic portal, while all documentation and training materials that we share are based on the new portal. My suggestions would be to move this option to 'settings'. After all, as Microsoft, you want your users to use the new portal too, right? P.S. in the meantime, please get rid of the homepage and move all that under a 'getting started' page: Catalog homepage improvements are urgently needed | Microsoft Community HubSharing Best Practices and Experiences
Hi everyone! I’m opening this space for us to discuss everything related to Microsoft Entra — implementation, management, and best practices. The goal is to create a community where we can share experiences, exchange tips, and discuss procedures that make working with Entra ID, Entra Permissions Management, Entra ID Governance, and the rest of the Entra ecosystem easier. 🔹 What challenges have you faced in identity and access management? 🔹 Any configuration, automation, or integration tips worth sharing? 🔹 How are you applying Microsoft’s recommended security practices? If you’re just getting started, check out this Microsoft Learn article on the Microsoft Entra fundamentals. Let’s build an active and collaborative community around Microsoft Entra!
MTO Portal MFA Prompt Not Loading
Hi We are using the mto portal to hunt across multiple tenants. My team get the "loading completed with errors" message and the prompt for "MFA Login Required". When they select this the window to authenticate opens and then closes instantly. When selecting the tenant name they can authenticate in a new tab directly to Defender in this tenant without any issue (but this does not carry over to the MTO portal). The old behaviour was that they selected "MFA Login Required" and they could authenticate to the tenants they needed to at that time. Is this happening to anyone else? Does anyone have any tips for managing multiple Defender instances using MTO? Thanks
Cannot delete a tag added through an Asset rule
Hello, We had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have delete the Asset rule. (it was turned off more than 2 months ago) When I go to the machine details and click on 'Manage tags', I can see a section called 'Manual tags' (there I can add remove tags from the console) and a section called 'Rule-based tags' with the description 'Rule-based tags are automatically added to devices based on rules that you create. You can add, edit or delete a rule in Manage rules.' Going through powershell and the API, it doesn't work either. Even getting the details from a machine only shows the manual tags. How do we remove then such a tag ? Thanks in advance for your help. MarcBug using streaming API related to new type of event 'CloudProcessEvents'
Hi community, recently i've been trying to send XDR events/logs to a storage account via streaming API option. The problem comes when this bad request appears: This problem is related with a new schema that have been added recently to XDR Advanced Hunting. As you can see the new type of event 'CloudProcessEvents' is not supported via API but it doesnt appear in type of event at the configuration to unselect it. Can someone help?Differentiate actual DfC/DfE license usage on Windows systems
Trying to understand on how the Windows endpoint(server/laptops) licenses are being used in my environment and for that, trying to figure out how to check the number of on-prem/azure cloud systems deployed with Microsoft Defender for Endpoint or Defender for server P2 license? Like where and how can i see which are the assets that are getting configured DfS license and which systems have been configured with MS DfE?Alert Rule Fails on Dynamic Field Parsing in DeviceTvmInfoGathering
Hi, Need Help: Alert Rule Fails but Hunting Query Works (Dynamic Fields Issue) Alert Rule Query Fails When Using parse_json on AdditionalFields — Any Workarounds? Need to get alert when avmode is disabled. KQL: DeviceTvmInfoGathering | where isnotempty(AdditionalFields) | where Timestamp > ago(1h) | extend AF = parse_json(AdditionalFields) | where AF has "AvMode" | extend AvMode = tostring(AF.AvMode) | where AvMode == "2" | extend ReportId = tolong(abs(hash(DeviceId))) | project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, AvModeBad quality of Defender / Intunesdocubannoying
Whenever i need learning.microsoft.com, i found their describing A) very often menulinks, which does not exist (guess its rearranged) B) very often mistakes happen: in this article https://learn.microsoft.com/en-us/defender-endpoint/android-configure-mam several parameters are described with an integer value and the same parameter a Seconds time at the same place as boolean. And so many mistakes morebi found. Well: some companies wanna earn money maybe doing training with their customers, which is necessary onlY, as the docu is unreadable or written so boring that you fall a sleep and understand nothing. Please do more qualityNeed report query for Vulnerable devices
Im looking for the query that generates the graph in the built in report that is found under Reports > Endpoints > Vulnerable devices The picture below is from the documentation https://learn.microsoft.com/en-us/defender-vulnerability-management/tvm-vulnerable-devices-report The issue with building the query by myself is that the table DeviceTvmSoftwareVulnerabilities does not contain Timestamp, if i join in the DeviceTvmSoftwareVulnerabilitiesKB then there is a PublishedDate atleast.
SecureScore bugs
There needs to be a way to submit feedback for SecureScore. There's so many outdated links within the 'implementation' tab, and so many quirks. For example, the 'enable safe attachments' policy will fail if you use a custom Quarantine policy, even if it IS admin-only. Feels kinda sketchy to be setting these to 'Resolved through Alternate Mitigation' when you actually haven't. Another example - the Outbound Spam filter specifies no limits for emails. However the documentation DOES. This should be part of the SecureScore recommendation, no? Not sure if this is the right hub - but this is where the doc links for feedback.Identity, access, and agent governance—Microsoft Entra at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across identity and access management to the forefront, with sessions focused on Zero Trust, agent governance, and securing AI-powered apps. Featured sessions: BRK243: Microsoft Entra: What's new in secure access on the AI frontier Strengthen your Zero Trust foundation, manage and govern the rising tide of agents, and enable AI to accelerate your success. BRK265: Secure access for AI agents with Microsoft Entra Discover, manage, govern, and protect agent identities and access—just as you do for human identities. LAB549: Strengthen your identity security posture with Conditional Access Learn safe rollout patterns and use the CA Optimization Agent (Security Copilot in Entra) to find and fix gaps with one-click and phased enforcement. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >My companies app incorrectly detected as a trojan
Hi Team. I am the developer of a gaming geo fence and your system had falsely detected my app as Trojan:Script/Wacatac.C!ml I need help to remove it as it seems like analysts are no longer checking false detections anymore? ( at least to me it seems automatic now )? My app is a geo fence which creates firewall rules and use npcaap for packet capture to display server locations and the exe is encrypted to help fight against software pirates. Here is an example submission of my exe for my application https://www.microsoft.com/en-us/wdsi/submission/5ab00c91-ea84-4fbb-a739-613316b32dfe Please get an analyst to manually inspect the file and whitelist it as its a pain telling my customers to turn off their anti virus and also its not advice i should have to give to be honest. My company is called sbmmoff ltd https://papagal.bg/eik/207176266/58b9 Website is bflocker.com I really would appreciate a speedy response to resolve the situation and thank you for your time.
Secure score not improving after implementing ASR
I need some help on the following; Improving secure score for one of our customers. For example, the secure score is improving for identity. I implemented user risk and sign in risk CA policies on the 14th and on the 18th defender is increasing the secure score However i also implemented ASR rules 23rd of september but it still says ASR are recommended actions. Etcetera. I powershelled into one of the targeted endpoints and confirmed the ASR rules are active on the machine. Connector is on The are using Crowdstrike as primary AV. Can the 2 AVs work together so the score gets updated for device? Would i need to manually create exeptions for every rule? I hope not.. Thank you in advance. Regards, AndrewDo the Entra sync/connect apps ever successfully update themselves?
Last week I had to download and install version 2.5.79.0 of the Entra Connect Sync Agent app on our Entra Connect server because I discovered the installed version was 2.4.21.0 and that version reaches end of support on November 15. Today, I happened to check on the version of the Entra Private Network Connector app on the two servers where we have that installed, and both are running version 1.5.3925.0, which was the latest available version at the time I installed it back in March. That version was from July 2024, and there have been three new releases since then, two of which "may perform auto-update of your connector". One of those servers was a new install, but the other one was an upgrade of the installed version of the Azure Application Proxy client, and while I don't recall which version specifically was installed, I know it was quite out of date. I'm curious: Has anyone ever actually seen either the Entra Connect Sync Agent or Entra Private Network Connector successfully upgrade themselves automatically?Question Malware modify, delete, corrupt files
What are the names of types of malware that acess, modify, delete, or corrupt PC hdd and ssd files (Windows files and personal files, games, music, executables, ISO, IMG, RAR, ZIP, 7Z)? Does all malware have the potential to do this? In this case, how are the malware QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml), Caller.exe (DrWeb detects Trojan.DownLoader47.36298), and Caller.exe (VBA32 detects TrojanPSW.Rhadamanthys) classified?
