admin

39 Topics
"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/OverflowNav\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/OverflowNav-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageView/MessageViewInline\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageView/MessageViewInline-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/Pager/PagerLoadMore\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMore-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1744658874334"}],"cachedText({\"lastModifi
ed\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageUnreadCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageUnreadCount-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageViewCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageViewCount-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/kudos/KudosCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/kudos/KudosCount-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRepliesCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRepliesCount-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1744658874334"}],"cachedText({\"lastModified\":\"1744658874334\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1744658874334"}]},"CachedAsset:pages-1744407424976":{"__typename":"CachedAsset","id":"pages-1744407424976","value":[{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},
"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescript
or"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"UserBadgesPage","type":"C
OMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:bef
ore)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogBoa
rdPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":17444
07424976,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1730819800000,"localOverride":null,"page":{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notification
s","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOver
ride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1744407424976,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Deleted","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd 
yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":"en","possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"CachedAsset:theme:customTheme1-1744407424407":{"__typename":"CachedAsset","id":"theme:customTheme1-1744407424407","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_BROWSER","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px 
solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 
0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 
0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tk
bMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#D13A1F","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessa
ption":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STR
ING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"}},"localOverride":false},"CachedAsset:component:custom.widget.MicrosoftFooter-en-1744407457870":{"__typename":"CachedAsset","id":"component:custom.widget.Micro
softFooter-en-1744407457870","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\n min-width: 280px;\n font-size: 15px;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.c-uhff-link {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.c-uhff {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.c-uhff-nav {\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n .c-heading-4 {\n color: #616161;\n word-break: break-word;\n font-size: 15px;\n line-height: 20px;\n padding: 36px 0 4px;\n font-weight: 600;\n }\n .c-uhff-nav-row {\n .c-uhff-nav-group {\n display: block;\n float: left;\n min-height: 1px;\n vertical-align: text-top;\n padding: 0 12px;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.c-list.f-bare {\n font-size: 11px;\n line-height: 16px;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 8px 0;\n margin: 0;\n }\n }\n }\n }\n}\n.c-uhff-base {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 30px 5% 16px;\n &:before,\n &:after {\n content: ' ';\n 
display: table;\n }\n &:after {\n clear: both;\n }\n a.c-uhff-ccpa {\n font-size: 11px;\n line-height: 16px;\n float: left;\n margin: 3px 0;\n }\n a.c-uhff-ccpa:hover {\n text-decoration: underline;\n }\n ul.c-list {\n font-size: 11px;\n line-height: 16px;\n float: right;\n margin: 3px 0;\n color: #616161;\n li {\n padding: 0 24px 4px 0;\n display: inline-block;\n }\n }\n .c-list.f-bare {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 30px 24px 16px;\n }\n}\n\n.social-share {\n position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n\n.sharing-options {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 43px;\n border-radius: 0px 7px 7px 0px;\n}\n.linkedin-icon {\n border-top-right-radius: 7px;\n}\n.linkedin-icon:hover {\n border-radius: 0;\n}\n.social-share-rss-image {\n border-bottom-right-radius: 7px;\n}\n.social-share-rss-image:hover {\n border-radius: 0;\n}\n\n.social-link-footer {\n position: relative;\n display: block;\n margin: -2px 0;\n transition: all 0.2s ease;\n}\n.social-link-footer:hover .linkedin-icon {\n border-radius: 0;\n}\n.social-link-footer:hover .social-share-rss-image {\n border-radius: 0;\n}\n\n.social-link-footer img {\n width: 40px;\n height: auto;\n transition: filter 0.3s ease;\n}\n\n.social-share-list {\n width: 40px;\n}\n.social-share-rss-image {\n width: 40px;\n}\n\n.share-icon {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n\n.share-icon:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n\n.share-icon:hover .label {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: none;\n}\n\n.label {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n 
color: white;\n border-radius: 0 10 0 10px;\n top: 50%;\n transform: translateY(-50%);\n height: 40px;\n border-radius: 0 6px 6px 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px 5px 20px 8px;\n margin-left: -1px;\n}\n.linkedin {\n background-color: #0474b4;\n}\n.facebook {\n background-color: #3c5c9c;\n}\n.twitter {\n background-color: white;\n color: black;\n}\n.reddit {\n background-color: #fc4404;\n}\n.mail {\n background-color: #848484;\n}\n.bluesky {\n background-color: white;\n color: black;\n}\n.rss {\n background-color: #ec7b1c;\n}\n#RSS {\n width: 40px;\n height: 40px;\n}\n\n@media (max-width: 991px) {\n .social-share {\n display: none;\n }\n}\n","texts":{"New tab":"What's New","New 1":"Surface Laptop Studio 2","New 2":"Surface Laptop Go 3","New 3":"Surface Pro 9","New 4":"Surface Laptop 5","New 5":"Surface Studio 2+","New 6":"Copilot in Windows","New 7":"Microsoft 365","New 8":"Windows 11 apps","Store tab":"Microsoft Store","Store 1":"Account Profile","Store 2":"Download Center","Store 3":"Microsoft Store Support","Store 4":"Returns","Store 5":"Order tracking","Store 6":"Certified Refurbished","Store 7":"Microsoft Store Promise","Store 8":"Flexible Payments","Education tab":"Education","Edu 1":"Microsoft in education","Edu 2":"Devices for education","Edu 3":"Microsoft Teams for Education","Edu 4":"Microsoft 365 Education","Edu 5":"How to buy for your school","Edu 6":"Educator Training and development","Edu 7":"Deals for students and parents","Edu 8":"Azure for students","Business tab":"Business","Bus 1":"Microsoft Cloud","Bus 2":"Microsoft Security","Bus 3":"Dynamics 365","Bus 4":"Microsoft 365","Bus 5":"Microsoft Power Platform","Bus 6":"Microsoft Teams","Bus 7":"Microsoft Industry","Bus 8":"Small Business","Developer tab":"Developer & IT","Dev 1":"Azure","Dev 2":"Developer Center","Dev 3":"Documentation","Dev 4":"Microsoft Learn","Dev 5":"Microsoft Tech Community","Dev 6":"Azure Marketplace","Dev 7":"AppSource","Dev 
8":"Visual Studio","Company tab":"Company","Com 1":"Careers","Com 2":"About Microsoft","Com 3":"Company News","Com 4":"Privacy at Microsoft","Com 5":"Investors","Com 6":"Diversity and inclusion","Com 7":"Accessiblity","Com 8":"Sustainibility"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_MicrosoftFooter_context-uhf_105bp_1 {\n min-width: 17.5rem;\n font-size: 0.9375rem;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-link_105bp_12 {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff_105bp_12 {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35 {\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n .custom_widget_MicrosoftFooter_c-heading-4_105bp_49 {\n color: #616161;\n word-break: break-word;\n 
font-size: 0.9375rem;\n line-height: 1.25rem;\n padding: 2.25rem 0 0.25rem;\n font-weight: 600;\n }\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57 {\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58 {\n display: block;\n float: left;\n min-height: 0.0625rem;\n vertical-align: text-top;\n padding: 0 0.75rem;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 0.5rem 0;\n margin: 0;\n }\n }\n }\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff-base_105bp_94 {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 1.875rem 5% 1rem;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: left;\n margin: 0.1875rem 0;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107:hover {\n text-decoration: underline;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: right;\n margin: 0.1875rem 0;\n color: #616161;\n li {\n padding: 0 1.5rem 0.25rem 0;\n display: inline-block;\n }\n }\n .custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 1.875rem 1.5rem 1rem;\n }\n}\n.custom_widget_MicrosoftFooter_social-share_105bp_138 {\n 
position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n.custom_widget_MicrosoftFooter_sharing-options_105bp_146 {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 2.6875rem;\n border-radius: 0 0.4375rem 0.4375rem 0;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-top-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-bottom-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 {\n position: relative;\n display: block;\n margin: -0.125rem 0;\n transition: all 0.2s ease;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 img {\n width: 2.5rem;\n height: auto;\n transition: filter 0.3s ease;\n}\n.custom_widget_MicrosoftFooter_social-share-list_105bp_188 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195 {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover .custom_widget_MicrosoftFooter_label_105bp_207 {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: 
none;\n}\n.custom_widget_MicrosoftFooter_label_105bp_207 {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n color: white;\n border-radius: 0 10 0 0.625rem;\n top: 50%;\n transform: translateY(-50%);\n height: 2.5rem;\n border-radius: 0 0.375rem 0.375rem 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 1.25rem 0.3125rem 1.25rem 0.5rem;\n margin-left: -0.0625rem;\n}\n.custom_widget_MicrosoftFooter_linkedin_105bp_156 {\n background-color: #0474b4;\n}\n.custom_widget_MicrosoftFooter_facebook_105bp_237 {\n background-color: #3c5c9c;\n}\n.custom_widget_MicrosoftFooter_twitter_105bp_240 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_reddit_105bp_244 {\n background-color: #fc4404;\n}\n.custom_widget_MicrosoftFooter_mail_105bp_247 {\n background-color: #848484;\n}\n.custom_widget_MicrosoftFooter_bluesky_105bp_250 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_rss_105bp_254 {\n background-color: #ec7b1c;\n}\n#custom_widget_MicrosoftFooter_RSS_105bp_1 {\n width: 2.5rem;\n height: 2.5rem;\n}\n@media (max-width: 991px) {\n .custom_widget_MicrosoftFooter_social-share_105bp_138 {\n display: none;\n 
}\n}\n","tokens":{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_105bp_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_105bp_12","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_105bp_12","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_105bp_49","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58","c-list":"custom_widget_MicrosoftFooter_c-list_105bp_78","f-bare":"custom_widget_MicrosoftFooter_f-bare_105bp_78","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_105bp_94","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107","social-share":"custom_widget_MicrosoftFooter_social-share_105bp_138","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_105bp_146","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_105bp_156","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_105bp_169","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_105bp_188","share-icon":"custom_widget_MicrosoftFooter_share-icon_105bp_195","label":"custom_widget_MicrosoftFooter_label_105bp_207","linkedin":"custom_widget_MicrosoftFooter_linkedin_105bp_156","facebook":"custom_widget_MicrosoftFooter_facebook_105bp_237","twitter":"custom_widget_MicrosoftFooter_twitter_105bp_240","reddit":"custom_widget_MicrosoftFooter_reddit_105bp_244","mail":"custom_widget_MicrosoftFooter_mail_105bp_247","bluesky":"custom_widget_MicrosoftFooter_bluesky_105bp_250","rss":"custom_widget_MicrosoftFooter_rss_105bp_254","RSS":"custom_widget_MicrosoftFooter_RSS_105bp_1"}},"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1744658874334":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1744658874334","value":{"
navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagsHeaderWidget-1744658874334":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagsHeaderWidget-1744658874334","value":{"tag":"{tagName}","topicsCount":"{count} {count, plural, one {Topic} other {Topics}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1744658874334":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1744658874334","value":{"title@userScope:other":"Recent Content","title@userScope:self":"Contributions","title@board:FORUM@userScope:other":"Recent Discussions","title@board:BLOG@userScope:other":"Recent Blogs","emptyDescription":"No content to show","MessageListForNodeByRecentActivityWidgetEditor.nodeScope.label":"Scope","title@instance:1722894000155":"Recent Discussions","title@instance:1727367112619":"Recent Blog Articles","title@instance:1727367069748":"Recent Discussions","title@instance:1727366213114":"Latest Discussions","title@instance:1727899609720":"","title@instance:1727363308925":"Latest Discussions","title@instance:1737115580352":"Latest Articles","title@instance:1720453418992":"Recent Discssions","title@instance:1727365950181":"Latest Blog Articles","title@instance:bmDPnI":"Latest Blog Articles","title@instance:IiDDJZ":"Latest Blog Articles","title@instance:1721244347979":"Latest blog posts","title@instance:1728383752171":"Related Content","title@instance:1722893956545":"Latest Skilling Resources","title@instance:dhcgCU":"Latest 
Discussions"},"localOverride":false},"Category:category:Exchange":{"__typename":"Category","id":"category:Exchange","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Planner":{"__typename":"Category","id":"category:Planner","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":{"__typename":"Category","id":"category:EducationSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SQL-Server":{"__typename":"Category","id":"category:SQL-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":{"__typenam
e":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":{"__typename":"Category","id":"category:PublicSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":{"__typename":"Category","id":"category:microsoft365","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:SMB":{"__typename":"Category","id":"category:SMB","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-endpoint-manager":{"__typename":"Category","id":"category:microsoft-endpoint-manager","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftLearn":{"__typename":"Category","id":"category:MicrosoftLearn","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftLearnBlog":{"__typename":"Blog","id":"board:MicrosoftLearnBlog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canRe
adNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Conversation:conversation:3947126":{"__typename":"Conversation","id":"conversation:3947126","topic":{"__typename":"BlogTopicMessage","uid":3947126},"lastPostingActivityTime":"2025-03-05T14:16:11.146-08:00","solved":false},"User:user:1526674":{"__typename":"User","uid":1526674,"login":"sbhat2022","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-8.svg?time=0"},"id":"user:1526674"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zOTQ3MTI2LTUyMDA2OGkzREQ3NTM3NThFMjJDQTVD?revision=29\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zOTQ3MTI2LTUyMDA2OGkzREQ3NTM3NThFMjJDQTVD?revision=29","title":"AdminAccessCSP.png","associationType":"TEASER","
width":1097,"height":617,"altText":null},"BlogTopicMessage:message:3947126":{"__typename":"BlogTopicMessage","subject":"Admin access management in Azure Cloud Solution Provider (CSP) subscriptions","conversation":{"__ref":"Conversation:conversation:3947126"},"id":"message:3947126","revisionNum":29,"uid":3947126,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:1526674"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Understand security recommendations specific to admin access management of Azure in CSP, which align with Least privileged access principle of Zero trust framework. \n \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":7243},"postTime":"2023-11-21T08:44:53.105-08:00","lastPublishTime":"2023-11-21T08:44:53.105-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" This blog outlines security recommendations for Azure Cloud Solution Provider (CSP) environments specific to admin access management, aligning with the least privileged access principle of Zero trust framework. \n   \n What is Azure Cloud Solution Provider (CSP)? \n Azure Cloud Solution Provider (CSP) offers industry-specific solutions bundled with Microsoft products and provides managed services. CSP program enables partners to provision, manage Azure resources for customers, and provide technical and billing support. \n   \n Why is it critical to safeguard Azure CSP admin access? \n Considering the threats are targeting technology service providers, which are privileged in their downstream customer tenants, as a method to gain access to their downstream customers (Microsoft blog post), it is important for both Customers and Partners to ensure the right level of access to required resources are granted only for the duration needed. 
This enables partners to reduce the likelihood and impact of security breaches and protect their customers' data and services in the cloud. \n   \n Admin privileges for Azure in the CSP program \n The following diagram includes two levels of admin privileges for Azure in CSP.  \n   \n \n   \n DAP and AOBO admin privileges highlighted in yellow are granted when a partner establishes a reseller relationship with a customer and creates a CSP subscription.  \n   \n In the following sections, we will focus specifically on the standing privileged admin access that is granted implicitly, understand the risks associated with these, and give the recommended solutions. \n   \n 1. Tenant-level admin privileges \n This grants partner access to customers' tenants. Based on type and access granted, delegated access allows a partner to perform administrative functions, such as adding and managing users, resetting passwords, and managing user licenses. \n   \n Delegated Admin Privileges - DAP \n This access is granted when customers accept partner center invite for reseller relationship where 'Include delegated administration privileges for Azure Active Directory and Office 365' is enabled. When a customer grants a delegated administration privilege to a partner: \n \n The Admin Agent group is assigned to the Global administrator role in the customer's Azure AD tenant. \n The Helpdesk Agent group is assigned to the Helpdesk administrator role in the customer's Azure AD tenant. \n \n As DAP results in the standing assignment of privileged Global administrator role of customer tenant to Admin Agent group of partner, the recommendation is to migrate to Granular Delegated Admin Privileges - GDAP. \n   \n What is GDAP - Granular Delegated Admin Privileges? \n GDAP is a security feature that allows granting partners with the least privileged access following the Zero Trust principles. It lets partners configure granular and time-bound access to their customers' workloads. 
The GDAP relationship request specifies: \n • The CSP partner tenant \n • The roles to delegate  \n • Duration in days \n Refer to the \"Recommendation\" section for additional information on DAP to GDAP transition. \n   \n 2. Subscription-level admin privileges \n This grants partner access to customers' Azure CSP subscriptions. This access allows a partner to provision and manage their Azure resources. \n   \n Admin On Behalf Of - AOBO \n Granted when CSP partner provisions a new Azure subscription for the customer. Admin Agents group under the CSP partner tenant is automatically assigned AOBO access granting Owner role under the subscription. \n   \n AOBO does not allow flexibility to create distinct groups that work with different customers. \n As AOBO results in permanent assignment of privileged Owner role of CSP subscription to members of partner Admin Agents group, this access should be made available to only required users and used with caution. For regular operations which may not require partner users to have the owner role of subscription, granular timebound access must be granted for example using Azure Lighthouse. \n   \n What is Azure Lighthouse? \n With Azure Lighthouse, Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken for what duration. \n Using Azure Lighthouse, you can assign distinct groups to different customers to have the appropriate level of access and improve security by limiting privileged access to customers' resources only to required members. To further minimize standing assignments for privileged roles, eligible authorizations can be used to grant additional roles only on a just-in-time basis. \n Guidelines to ensure the least privileged access assignment: \n \n Identify and review if Delegated Admin Privilege (DAP) is in use. This information can be extracted with the help of one of the following approaches. 
 \n \n Through the Partner Center portal \n https://learn.microsoft.com/en-us/partner-center/customers-revoke-admin-privileges#customers-can-find-which-partners-have-delegated-admin-privileges \n https://learn.microsoft.com/en-us/partner-center/dap-faq#what-is-dap-monitoring-the-administrative-relationships-dashboard \n Through the Partner Center API \n List the delegated admin customers of a partner - Partner app developer | Microsoft Learn \n Get delegated admin relationship statistics - Partner app developer | Microsoft Learn \n \n Identify and review AOBO access granted to foreign principals. This information can be extracted with the help of one of the following approaches. \n \n Azure portal \n https://learn.microsoft.com/en-us/partner-center/partner-earned-credit-troubleshoot#how-to-verify-aobo-permissions \n Sample PowerShell script \n https://learn.microsoft.com/en-us/partner-center/partner-earned-credit-troubleshoot#sample-scripts \n \n Plan to transition to the least privileged approach to manage customer tenants where possible. \n \n DAP to GDAP \n Granular delegated admin privileges (GDAP) \n Microsoft-led transition from DAP to GDAP - Partner Center | Microsoft Learn \n AOBO to Azure Lighthouse \n Azure Lighthouse and the Cloud Solution Provider program \n \n Consider minimizing the number of permanent assignments by using just-in-time access through Azure AD Privileged Identity Management wherever possible, for example eligible authorizations in Azure Lighthouse or just-in-time access for GDAP security group memberships. \n \n Create eligible authorizations - Azure Lighthouse | Microsoft Learn \n https://learn.microsoft.com/en-us/partner-center/gdap-faq#how-will-gdap-work-with-privileged-identity-management-in-microsoft-entra \n \n Consider creating an alert for privileged Azure role assignments to monitor any unexpected access assignments. 
\n \n Alert on privileged Azure role assignments | Microsoft Learn \n Configure security alerts for Azure roles in Privileged Identity Management | Microsoft Learn \n \n Recommended to implement SIEM solution such as Microsoft Sentinel that can correlate and monitor logs such as Azure AD admin audit logs and sign-in logs, Azure Activity logs, Office 365 unified audit log etc. to identify potential suspicious activities of tactics like Privilege Escalation, Credential Access, Persistence or Impact. \n \n   \n Additional References: \n \n Customer security best practices: \n \n Customer security best practices - Partner Center | Microsoft Learn \n \n Partner security best practices: \n \n Cloud Solution Provider security best practices - Partner Center | Microsoft Learn \n Partner security requirements - Partner Center | Microsoft Learn \n Partner security requirements FAQ - Partner Center | Microsoft Learn \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"7707","kudosSumWeight":1,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zOTQ3MTI2LTUyMDA2OGkzREQ3NTM3NThFMjJDQTVD?revision=29\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zOTQ3MTI2LTUyMDA2OGkzREQ3NTM3NThFMjJDQTVD?revision=29\"}"}}],"totalCount":2,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":n
ull,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4370453":{"__typename":"Conversation","id":"conversation:4370453","topic":{"__typename":"BlogTopicMessage","uid":4370453},"lastPostingActivityTime":"2025-02-03T14:31:11.705-08:00","solved":false},"User:user:2053691":{"__typename":"User","uid":2053691,"login":"spoofy","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yMDUzNjkxLTUxMzAyOGlGNkIwNzUzOEMwMUVCODM4"},"id":"user:2053691"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWdFczRlTA?revision=6\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWdFczRlTA?revision=6","title":"url_upload.jpg","associationType":"COVER","width":4928,"height":3264,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLVVHWXpZRA?revision=6\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLVVHWXpZRA?revision=6","title":"clipboard_image-1-1737752828400.png","associationType":"BODY","width":444,"height":282,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWpnYlF6RQ?revision=6\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWpnYlF6RQ?revision=6","title":"clipboard_image-2-1737752828407.png","associationType":"BODY","width":785,"height":553,"altText":""},"BlogTopicMessage:message:4370453":{"__typename":"BlogTopicMessage","subject":"Evolving the Windows User Model – Introducing Administrator 
Protection","conversation":{"__ref":"Conversation:conversation:4370453"},"id":"message:4370453","revisionNum":6,"uid":4370453,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:2053691"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":4037},"postTime":"2025-01-28T09:58:40.959-08:00","lastPublishTime":"2025-02-03T14:31:11.705-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Previously, in part one, we outlined the history of the multi-user model in Windows, how Microsoft introduced features to secure it, and in what ways we got it right (and wrong). In the final part of this series, we will describe how Microsoft intends to raise the security bar via its new Administrator protection (AP) feature. \n Core Principles for Administrator Protection \n As the main priority, Administrator protection aims to provide a strong security boundary between elevated and non-elevated user contexts. There are several additional usability goals that we will cover later, but for security, Administrator protection can be summarized by the following five principles: \n \n Users operate within the Principle of Least Privilege \n Administrator privileges only persist for the duration of the task for which they were invoked \n Strong separation between elevated and non-elevated user accounts, except for paths of intentional access \n Elevation actions must be explicit (e.g. 
no silent elevations) \n Allowing a more granular use of elevated privileges by applications, rather than the “up-front” elevation practice common in User Account Control (UAC) \n \n Specifically, principles two and three represent major changes to the existing design of the Windows user model, while principles one and four are intended, respectively, to fulfill the promises of previous features (standard user and, to a lesser extent, UAC) and to roll back changes which degraded security (auto-elevation). \n What Does Administrator Protection Fix and How? \n Administrator protection is nearly as much about what it removes as about what it adds. Recall that, beginning with Windows Vista, the split-token administrator user type was added to allow a user to run as both standard user and administrator depending on the level of privilege required for a specific task. It was originally seen as a way to make standard user more viable for wide-spread adoption and to enforce the Principle of Least Privilege. However, the feature did not fully live up to expectations, as UAC bypasses were numerous following the release of Windows 7. \n As a refresher, when a user was configured as a split-token admin, they would receive two access tokens upon logon – a full privilege, “elevated” administrator token with admin group policy set to “Enabled” and a restricted, “unelevated” access token with admin group policy set to “DenyOnly”. Depending on the required run level of an application, one token or the other would be used to create the process. \n Administrator protection changes the paradigm via System Managed Administrator Accounts (SMAA) – a local administrator account which is linked to a specific standard user account. Upon elevation, if an SMAA does not already exist, it is created. Each SMAA is a separate user profile and member of the Administrators group. 
It is a local account named via the following scheme, using extra digits in the unlikely event of a collision: \n \n Local Account: WIN-ABC123\\BobFoo \n SMAA: WIN-ABC123\\admin_BobFoo \n \n Or on collision: \n \n Local Account: WIN-ABC123\\BobFoo (the account to be SMAA-linked) \n Local Account: WIN-ABC123\\admin_BobFoo (another standard user account, oddly named) \n SMAA: WIN-ABC123\\admin1_BobFoo \n \n Similarly, for domain accounts, the scheme remains the same, except the SMAA will still be a local account: \n \n Domain Account: Redmond\\BobFoo \n SMAA: WIN-ABC123\\admin_BobFoo \n \n To ensure these accounts can’t be abused, they are created as password-less accounts with additional logon restrictions to ensure only specific SYSTEM processes are permitted to log on as the SMAA. Specifically, following an elevation request, a logon request is made via the Local Security Authority (LSA), and the following conditions are checked: \n \n Access Check. Call NtAccessCheck, including both an ACE for the SYSTEM account and a SYSTEM IL mandatory ACE with no read up, no write up, and no execute up. The access check must pass.   \n \n \n Process Path. Call NtOpenProcess with the caller’s PID to obtain a process handle, then check the process image path via QueryFullProcessImageName. Compare the path to the hardcoded allow-list of binaries that are allowed to log on SMAA accounts.   \n \n The astute reader may notice that process path checks are not enforceable security boundaries in Windows; rather, the check is a defense-in-depth measure to prevent SYSTEM processes such as WinLogon or RDP from exposing SMAA logon surface to the user. In fact, Process Environment Block (PEB) spoofing was a class of UAC bypass in which a trusted image path was faked by a malicious process. However, in this case the PEB, which lives in the process's own user-mode memory, is not queried; instead, the image path is read from the kernel EPROCESS object. 
As such, the process path check will be used alongside an allowlist to prevent current and future system components from misusing SMAA. \n Splitting the Hive \n A major design compromise made with the split-token administrator model was that both “halves” of the user shared a common profile. Despite each token being appropriately restricted in its use, both restricted and admin-level processes could access shared resources such as the user file system and the registry. As such, improper access restrictions on a given file or registry key would give a restricted user the ability to influence a privileged process. In fact, improper access controls on shared resources were the source of many classic UAC bypasses. \n As an example, when the Event Viewer application, “eventvwr.exe”, attempts to launch “mmc.exe” as a High Integrity Level (IL) process, it searches two registry locations to find the executable path (1): \n \n HKCU\\Software\\Classes\\mscfile\\shell\\open\\command \n HKCR\\mscfile\\shell\\open\\command \n \n In most circumstances, the first registry location does not exist, so the second is used to launch the process. However, an unprivileged process running within the restricted user context can create the missing key; this would then allow the attacker to run any executable they wished at High IL. As a bonus for the attacker, this attack was silent, as Event Viewer is a trusted Windows application and allows for “auto-elevation”, meaning no UAC prompt would be displayed. 
\n $registryPath = \"HKCU:\\Software\\Classes\\mscfile\\shell\\open\\command\"\n\n$newValue = \"C:\\Windows\\System32\\cmd.exe\"\n\n\n\n# Check if the registry key exists\n\nif (-not (Test-Path $registryPath)) {\n\n # Create the registry key if it doesn't exist\n\n New-Item -Path \"HKCU:\\Software\\Classes\\mscfile\\shell\\open\" -Name \"command\" -Force | Out-Null\n\n`}`\n\n# Set the registry value\n\nSet-ItemProperty -Path $registryPath -Name \"(default)\" -Value $newValue\n\n# Run mmc.exe to auto-elevate cmd.exe\n\nStart-Process “mmc.exe” \n   \n Similarly, the Windows Task Scheduler – which configures processes to run periodically – could be exploited to run arbitrary commands or executables in an elevated context. These attacks worked similarly in that they used writable local environment variables to overload system variables such as %WINDIR% to allow an attack to execute arbitrary applications with elevated privileges – with SilentCleanup being a particular favorite (2). Such attacks were attractive as an unprivileged process could also trigger the scheduled task to run at any time. \n New-ItemProperty -Path \"HKCU:\\Environment\" -Name \"windir\" -Value \"cmd.exe /k whoami & \" -PropertyType ExpandString; schtasks.exe /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I \n   \n As separate-but-linked accounts, each with its own profile, registry hives are no longer shared. Thus, classic UAC bypasses, such as the registry key manipulation and environment variable (like many things in Windows, environment variables are backed in the registry) overloading attacks are mitigated. As an added benefit administrator tokens can now be created on-demand and discarded just as quickly, thus limiting exposure of the privileged token to the lifetime of the requesting process. \n Rolling Back Auto-Elevations \n When auto-elevation was added in Windows 7, it was primarily done so to improve the user experience and allow simpler administration of a Windows machine. 
Unfortunately, despite several restrictions placed on applications allowed to auto-elevate, the feature introduced a huge hole in the Windows security model and opened a number of new avenues for UAC bypass. \n Most prevalent of these bypasses were those which exploited the auto-elevating COM interface IFileOperation. Attackers would leverage this interface to write malicious DLLs to secure locations – a so-called “DLL Hijacking” attack. The attack would work whenever a process met all of the conditions for auto-elevation but ran at the Medium Integrity Level (IL). The malicious process would inject code into the target process and request the DLL payload be written to a secure path via IFileOperation. Whenever the DLL was loaded by an elevated process, the malicious code would be run, giving the attacker full privileges on the system. \n With Administrator protection, auto-elevation is removed. Users will notice an increase in consent prompts, though many fewer than the Vista days as much work has been done to clean up elevation points in most workflows. Additionally, users and administrators will have the option to configure elevation prompts as “credentialed” (biometric/password/PIN) via Windows Hello or simply confirmation prompts.  This simple change trades some user convenience for a reduction in attack surface of roughly 92 auto-elevating COM interfaces, 11 DLL Hijacks, and 23 auto-elevating apps. Of the 79 known UAC bypasses tested, all but one are now fully or partially mitigated. The remaining open issue around token manipulation attacks has been assigned MSRC cases and will be addressed. \n It should be noted that not all auto-elevations have been removed. Namely, the Run and RunOnce registry keys found in the HKEY_LOCAL_MACHINE hive will still auto-elevate as needed. Appropriately, these keys are ACL’d such that only an administrator can modify them. 
 \n Improving Usability \n Administrator protection is not limited to security-focused changes only – improved usability is also a major focal point of the feature. Chief amongst the areas targeted for improvement is the removal of unnecessary elevations and “dead-ends”. Specifically, dead-ends occur when a functional pathway which requires administrator privileges does not account for a user operating as a standard user and thus presents no elevation path at all, resulting in the user interface either displaying the setting as disabled or not at all. In such cases, a so-called “over-the-shoulder” elevation is required – the same underlying mechanism used when elevating to the SMAA user in AP. Such scenarios represent a huge inconvenience for non-Administrator accounts in both AP and non-AP enabled configurations. \n One example of this scenario was the group policy editor (gpedit.exe). When launching as a standard user, an error prompt would be displayed, and the app would be launched in an unusable state. \n \n   \n \n More Work To Be Done \n Administrator protection represents a huge jump in the security of the Windows OS. However, as always, there is more work to be done. While AP has mitigated large classes of vulnerabilities, some remain, albeit in a diminished state. \n DLL hijacking attacks prior to AP primarily relied on abusing the auto-elevating IFileOperation COM interface to write a malicious DLL to a secure path. As auto-elevation has been removed, this path no longer exists. However, situations where an unsigned DLL is loaded from an insecure path still represent a potential AP bypass. Note that the user will still be prompted for elevation in such a scenario but may not be aware that a malicious DLL is being included in the process. \n Token manipulation bypasses, such as those shown by James Forshaw and splinter_code, remain a class of potential exploitation. Elevation prompts are shown only before the creation of an elevated token, not before its use. 
Therefore, should additional pathways be discovered where an elevated token can be obtained by a malicious process, AP would not be positioned to stop it from silently elevating. However, MSRC cases for known variants of token manipulation/reuse attack have been filed and fixes are currently in development. \n Lastly, attacks which rely on obtaining a UIAccess capability from another running process are partially mitigated by AP. Previously, UAC bypass attacks would launch an auto-elevating app, such as mmc.exe, and then obtain a UIAccess-enabled token — a token which gives a lower-privileged process the ability to manipulate the UI of a higher-privileged process, typically used for accessibility features. With AP enabled, all attempts to launch an elevated process would be met with a consent prompt which an attacker would be unable to manipulate with a UIAccess token alone. However, in situations where a user has previously elevated a running process, an attacker would be able to obtain a UIAccess token and manipulate the UI with no additional consent prompts. \n This list is not exhaustive; it is likely that edge cases will pop up which will require attention. Fortunately, Administrator protection is covered by the Windows Insider Bug Bounty Program, and internal efforts by MORSE and others will continue to identify remaining issues.   \n A Welcome Security Boundary \n We in MORSE review quite a few features in Windows and are big fans of Administrator protection. It addresses many gaps left by UAC today and adds protections which for all intents and purposes simply did not exist before. The feature is far from complete, usability improvements are needed, and there are some remaining bugs which will take time to resolve. However, the short-term inconvenience is worth the long-term security benefit to users. While Administrator protection will certainly experience some growing pains, even in its current state, it’s a leap forward for user security. 
\n Going forward, we encourage those users who prioritize strong security to give Administrator protection a try. If you encounter an issue, send us feedback using the feedback tool. Lastly, for app developers, we ask they update their applications to support Administrator protection, as it will eventually become the default option in Windows. \n References \n \n UAC Bypass – Event Viewer – Penetration Testing Lab \n Tyranid's Lair: Exploiting Environment Variables in Scheduled Tasks for UAC Bypass \n Tyranid's Lair: Bypassing UAC in the most Complex Way Possible! \n Bypassing UAC with SSPI Datagram Contexts \n Administrator protection on Windows 11 | Microsoft Community Hub \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"14721","kudosSumWeight":6,"repliesCount":0,"readOnly":true,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWdFczRlTA?revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLVVHWXpZRA?revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWpnYlF6RQ?revision=6\"}"}}],"totalCount":3,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microso
ft.com/t5/s/gxcuf89792/images/bS00MzcwNDUzLWdFczRlTA?revision=6"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4369642":{"__typename":"Conversation","id":"conversation:4369642","topic":{"__typename":"BlogTopicMessage","uid":4369642},"lastPostingActivityTime":"2025-01-23T15:06:36.945-08:00","solved":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLXM5M09BUg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLXM5M09BUg?revision=7","title":"Seurity-Texture-TechScan-Orange-04.jpg","associationType":"COVER","width":4096,"height":2304,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLUlLMFUzQg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLUlLMFUzQg?revision=7","title":"Designer.jpg","associationType":"TEASER","width":1024,"height":1024,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLWo3Ylp1RA?revision=7\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLWo3Ylp1RA?revision=7","title":"clipboard_image-1-1737588907957.png","associationType":"BODY","width":249,"height":208,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLVZQc1Zjdg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLVZQc1Zjdg?revision=7","title":"image.png","associationType":"BODY","width":602,"height":394,"altText":""},"BlogTopicMessage:message:4369642":{"__typename":"BlogTopicMessage","subject":"Evolving the Windows User Model – A Look to the 
Past","conversation":{"__ref":"Conversation:conversation:4369642"},"id":"message:4369642","revisionNum":7,"uid":4369642,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:2053691"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":2317},"postTime":"2025-01-23T13:41:33.079-08:00","lastPublishTime":"2025-01-23T15:06:36.945-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Early in 2024, the MORSE team investigated the new Administrator protection (AP) feature in Windows. Believing context is important to understand the decisions that shape the Windows security model, MORSE committed to sharing our thoughts on this new and compelling feature. \n From its earliest days, Windows was designed around the concept that a computer and its user were indistinguishable entities, freely sharing all resources within the system and its configuration. On single-user systems such as this, the user was free to manipulate the system in any way they saw fit. In other words, the machine, its primary user, and its administrator were one and the same – a paradigm common to other operating systems at that time. Features seen commonly today such as user accounts and file access privileges simply did not exist in 16-bit Windows. In fact, these features would not be seen until over fifteen years following the release of Windows 1.0. In the first of this two-part series, we will revisit the history of Windows and its user model to better understand how the OS evolved and to contextualize the decisions made by Microsoft from the mid-80s to today. \n Even someone with a basic knowledge of computer security can see the issues inherent in running a system with full administrator privileges and no user isolation. 
Yet, even with the eventual introduction of features such as user account types, discretionary access controls (DAC), and User Account Control (UAC), decisions made in the interest of application compatibility and user experience would have long-lasting, negative impacts on the security of Windows. In the second part, we will introduce how Microsoft addresses the limitations of past designs, by diving into some of the technical details of Windows’ new Administrator protection feature, how it differs from UAC, and how AP paves the way forward to a more secure future. \n Early History of Windows \n Windows 1.0 was the first major release of the operating system, designed as a graphical shell over MS-DOS, becoming available in 1985. Designed as a 16-bit, single-user operating system and somewhat rudimentary in its design, the user was often required to tinker with system files manually to configure their system. Microsoft would continue Windows development upon this same model, through Windows 3.11 in 1993, until the release of its new 32-bit operating system – the eponymous Windows 95. \n While Windows 95 would prove to be a major commercial success, it did not deviate much from its single-user origins, despite added support for “user profiles”, which contained desktop layouts, Start menu shortcuts and other personalized settings. Yet, no isolation mechanisms existed to prevent users from accessing each other’s files and settings. Microsoft would continue to iterate across major releases, mostly focused on the user experience, from Windows 95 to Windows 98 and finally to Windows ME. In parallel, however, Microsoft was developing its first true multi-user operating system. \n A New Multi-User Model \n Windows NT versions, later rebranded as Windows 2000, were targeted as an enterprise-level operating system and included isolated user accounts by design. 
In addition, it offered a “standard user” type account, which limited the actions available to the user such as the inability to install software or modify system files, to complement the omnipotent “Administrator” account, which behaved much more like the traditional Windows single-user systems. Standard user accounts also allowed for administration via immutable system policies. All such isolation mechanisms were made possible by the adoption of the NTFS file system which provided access control lists (ACL) on files and directories. NTFS ACLs allowed system and configuration files to only be writable to an Administrator and for standard users to protect their files from other non-Administrator accounts. However, it would still be a couple of years before these changes found their way into a consumer-facing Windows product. \n In 2001, Microsoft released Windows XP to much critical acclaim. As a product, it unified enterprise and consumer Windows to a single NT kernel-based platform. This unification brought strict user accounts to the consumer Windows experience for the first time, including the ability to run without administrator privileges. The transition was not without challenges, however, as the Windows application ecosystem was largely designed around the old single-user model. Attempts to run or even install the average Windows 9x application on XP as a standard user would often prove to be a difficult endeavor. Given users would rightly expect their software to work seamlessly from Windows 9x to XP, Microsoft made the decision to default all user accounts to Administrator – a decision that would have major security ramifications over the following decades. \n Administrator Everywhere \n As the vast majority of consumer desktops ran with most or all users as administrator accounts, third party developers were not incentivized to migrate their legacy applications to standard user accounts. 
Further, with the near-immediate commercial success of Windows XP, new software products, from both third parties and Microsoft themselves, defaulted to the full-administrator status quo. For enterprise users, the story was much the same: employees running as standard user were often unable to operate their PC. Simple operations, such as opening the system clock, required a superfluous, upfront administrator check, normally only required when changing the time. The challenges of running as a standard user resulted in many IT teams allowing exceptions for employees to run completely unmanaged as full Administrators. \n In the rare case malware could not gain system-wide control via exploitation of network-facing applications such as browsers, instant messengers, or email clients, it could leverage the large local attack surface for privilege escalation within the many processes running within the Administrator context of a user. In fact, third-party application developers often took advantage of this paradigm by having their software surreptitiously download and install additional, unrelated programs. This environment led to a proliferation of adware, bloatware, and root-kit-level malware. \n Microsoft would eventually release Service Pack 2 to address many of the security issues plaguing the OS. However, despite introducing security features that would have made Windows XP the most secure consumer operating system available, with nearly all users still running as Administrator, many of the benefits of the updated security model were negligible in practice. \n UAC and Other Improvements \n Windows Vista arrived in the various customer segments over a two-month period beginning in late 2006, releasing with a major focus on security. 
While the public reception was mixed, primarily due to user experience concerns, it introduced several impactful security features including user account control (UAC), user interface privilege isolation (UIPI), and mandatory integrity controls (MIC). Vista truly represented the security leap forward that Windows XP Service Pack 2 was intended to be. \n Mandatory Integrity Controls \n Prior to Vista, there was no concept of trust levels among applications running under the same user account; if an account was an Administrator, then all processes running within the context of that user also had Administrator privileges. “Integrity levels (IL)” were introduced to processes (and other securable objects) to define a minimum level of trust a user must have to access the process (or, again, other securable objects). Windows defined five integrity levels as seen in Figure 1. \n \n Examples of how a Vista system ran under MIC were system and service accounts such as Local System, Local Service, and Network Service running applications at System level integrity; Administrators and Backup Operators running at High IL; and authenticated standard users running at Medium IL. Low and Untrusted IL were reserved for Everyone (World) and Anonymous user accounts, respectively. \n While MIC didn’t directly address the widespread use of overpowered user accounts, it did provide a necessary tool for making the standard user account useable – enter UAC. \n User Account Control \n User Account Control is a feature all Windows users have interacted with at one point or another – the ubiquitous consent prompt that appears when an administrator-level action is requested. 
Intended as a feature to prevent the installation of unwanted software and changes to critical system settings that plagued XP, UAC allowed users to operate as standard users during normal usage, selectively “elevating” to an administrator context when required and without the need to switch to another account. \n \n Split-User Tokens \n Under the hood, UAC worked by providing a user with two access tokens: a low-privilege, restricted token and a full-privilege, administrator token. When a process was created by a user, the user’s token was provided to define the security context within which the process would run. When the process attempted to access a securable object, such as a file, a registry key, or even another process, the access token would be compared to the “security descriptor” of the securable object to determine if access is granted or denied. \n Since split-token users were granted two tokens, they could choose which context they wished to run a given process. Most applications would run under the restricted token, defaulting to a Medium IL, and denying any access that required administrator privileges. However, two paths existed for an application to run within an administrator context or “elevated”: 1) the application would request an elevated context upon startup via its process manifest or 2) the user would explicitly choose to “Run as Administrator”. Such elevated processes would run as High IL, which, due to security boundaries implemented by MIC, guaranteed they could not be tampered with by less-than-High IL processes, even when running under the same user context. \n The UAC Consent Dialog \n As mentioned, the UAC consent dialog is how most users experience the feature. When an application requested an elevated context, again, either via the application manifest or explicitly by the user, a dialog would be shown. 
The dialog would show information about which application was requesting the elevation along with the publisher, file location, and a colored banner that indicated the signature type for a binary: blue for OS-signed, green for trusted publishers, yellow for unknown or unsigned binaries, and red for known bad publishers (along with a “block” dialog). By default, all UAC consent dialogs were displayed on the secure desktop, a separate desktop from the user’s interactive desktop, and accessible only to SYSTEM processes, thus preventing Medium IL malware from spoofing the prompt. Lastly, users could opt via policy to “Always Notify” and to “Never Notify” upon elevation request – a de facto on/off switch for the feature. \n Criticisms \n Overall, critical reception to UAC was mixed. While UAC proved to be extremely successful in moving the Windows application ecosystem towards running as standard user, some consumers criticized the high number of consent prompts which resulted from the feature. Often, users would be confronted with multiple prompts for seemingly mundane tasks such as changing the time. Yet, UAC, combined with several other security features of Vista, led to a drastic reduction in the volume of malware compared to Windows XP. \n Alongside the user experience issues, there were concerns that the feature itself was not sufficiently robust. Following its public release, security researchers debated the utility of UAC, with some even questioning the necessity of UAC's existence altogether. Microsoft’s stance was more explicit: UAC was a security feature but not a security boundary. In fact, the company would publicly remind users on multiple occasions that UAC was never intended to be more than a convenience feature to allow more users to run as standard user [i] [ii]. Given it was not a hard boundary, reported UAC bypasses to MSRC would not receive fixes or be factored into bug case severity judgements. 
\n Two Steps Forward, One Step Back \n By the time Windows 7 had rolled around, Microsoft had determined it needed to address perceived usability issues around UAC by eliminating unnecessary elevation prompts and fixing paths that generated multiple prompts. Microsoft implemented these changes in three ways: 1) auto-elevation, 2) expanded notification levels, and 3) refactoring high-volume prompts. However, the first two would result in a greatly expanded universe of UAC bypasses, eroding whatever unofficial security gains were made previously by the introduction of UAC. \n Auto-Elevation \n In Windows Vista any application which requested elevation would display a UAC prompt, even for built-in applications like Control Panel and Explorer. Administrator users who wanted to change system settings or move files around in protected directories would often see multiple consecutive UAC prompts while doing so. Windows 7 introduced the concept of “auto-elevation” for trusted applications, allowing them to start fully elevated without a UAC prompt.  \n Windows would consider an application “trusted” if it met the following criteria:  \n \n Signed by a certificate authority in the Trusted Publisher certificate store \n An application manifest which declared the “autoElevate” attribute set to “true” \n An executable located in a trusted directory, writable only by an Administrator, such as Windows\\System32 or Program Files. Not all directories under Windows\\System32 are considered secure, for example System32\\Spool and System32\\Tasks are explicitly denied \n \n Importantly, auto-elevation would also work for applications trying to activate high privilege COM classes. If the COM class was marked for auto-elevation, and the above criteria were met, the application would be allowed to activate the COM class as fully elevated. 
\n Notification Levels \n Windows 7 would also add two additional notification levels to work alongside auto-elevation, giving users more options for how often UAC prompts are displayed:  \n \n Notify me only when programs try to make changes to my computer  \n Notify me only when programs try to make changes to my computer, without using the Secure Desktop  \n \n The two options skip UAC prompts for applications approved for auto-elevation. The latter option would also change any prompts that were displayed to be on the user’s interactive desktop instead of the secure desktop. Windows 7 retained the “Always notify” level, which would continue to show UAC prompts for elevation requests even if the application was allowed to auto-elevate. However, the default notification level would change from “Always notify” to “Notify me only when programs try to make changes to my computer”.  \n UAC Exploitation \n While auto-elevation was intended to provide a middle ground for users who wanted more control over the frequency of UAC notifications, it also had the side effect of creating holes in the elevation design. Attackers would find numerous ways to abuse the auto-elevation paths to elevate their privileges without showing a UAC prompt to the user. \n Attack methods varied, but most malware relied on the use of unprivileged, Medium IL processes to trick an auto-elevating COM interface into performing some privileged operation on its behalf. In particular, the IFileOperation COM interface was highly abused. As a result of compatibility and user experience choices made in Vista for MIC, a process could interact with any other process of the same or lower integrity level within the same user context. Consequently, trusted applications like \"explorer.exe\" ran at Medium Integrity Level (IL) but could auto-elevate through IFileOperation COM activation. This resulted in these applications becoming prime targets for malware. 
In such attacks, the trusted process would be attacked from Medium IL via a code injection attack such as process hollowing to run malicious code which abused the silently elevated IFileOperation interface to drop additional malicious files across a user’s system in order to further escalate or gain persistence, often via “DLL hijacking” attacks. From the COM broker’s perspective, the tampered process would appear as “explorer.exe” or whatever trusted application was targeted, which fulfils all auto-elevation requirements despite the fact the actual in-memory code has been modified. Additional variations of this attack would evolve over time such that anti-virus detection was much more difficult. \n New attacks would continue to be uncovered through Windows 8 and up to the current Windows 11. While auto-elevated COM interfaces remained a highly abused target, other attacks such as registry key manipulation, environment variable expansion, and token manipulation would be discovered and refined to the point that UAC bypasses became unremarkable – and with them, UAC became highly ineffective at delivering whatever incremental security gains it had introduced. In fact, the UACME GitHub repo contains some 79 examples of UAC bypass affecting one or more versions from Windows 7 to current. According to MITRE data, at least seven identified and one unidentified threat groups have been observed using UAC bypasses during in-the-wild exploitation. MITRE also identifies over 40 specific malware variants utilizing such bypasses. \n In our next blog post, we will discuss how Administrator protection aims to provide a strong security boundary between elevated and non-elevated user contexts and dig into some of the technical specifics regarding how the feature works. \n   \n [i] Security Features vs. 
Convenience - Windows Vista Team Blog - The Windows Blog \n [ii] User Account Control: Inside Windows 7 User Account Control | Microsoft Learn ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"18260","kudosSumWeight":4,"repliesCount":0,"readOnly":true,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLXM5M09BUg?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLUlLMFUzQg?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLWo3Ylp1RA?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLVZQc1Zjdg?revision=7\"}"}}],"totalCount":4,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MzY5NjQyLXM5M09BUg?revision=7"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4298277":{"__typename":"Conversation","id":"conversation:4298277","topic":{"__typename":"BlogTopicMessage","uid":4
298277},"lastPostingActivityTime":"2024-11-22T09:21:55.704-08:00","solved":false},"User:user:425859":{"__typename":"User","uid":425859,"login":"TalhahMir","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS00MjU4NTktMTM4MDYxaTI3M0U1M0JEREIwNEI1MzI"},"id":"user:425859"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LWJWUE1oeg?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LWJWUE1oeg?revision=11","title":"Screenshot 2024-11-18 030742.png","associationType":"COVER","width":1346,"height":906,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUlqSHIxOA?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUlqSHIxOA?revision=11","title":"clipboard_image-1-1731927342254.png","associationType":"BODY","width":1933,"height":1086,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUN0V216Uw?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUN0V216Uw?revision=11","title":"clipboard_image-2-1731927342276.png","associationType":"BODY","width":1689,"height":949,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LXdENDhMcA?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LXdENDhMcA?revision=11","title":"clipboard_image-3-1731927342286.png","associationType":"BODY","width":1728,"height":973,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTI0ZVQwYg?r
evision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTI0ZVQwYg?revision=11","title":"image.png","associationType":"BODY","width":1744,"height":984,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTE0UFVwSw?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTE0UFVwSw?revision=11","title":"clipboard_image-5-1731927342320.png","associationType":"BODY","width":1134,"height":640,"altText":""},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTdCbkNxTw?revision=11\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTdCbkNxTw?revision=11","title":"clipboard_image-6-1731927342338.png","associationType":"BODY","width":1413,"height":742,"altText":""},"BlogTopicMessage:message:4298277":{"__typename":"BlogTopicMessage","subject":"Strengthen your data security posture in the era of AI with Microsoft Purview","conversation":{"__ref":"Conversation:conversation:4298277"},"id":"message:4298277","revisionNum":11,"uid":4298277,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:425859"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Organizations face challenges with fragmented data security solutions and the amplified risks due to generative AI. We are now introducing Microsoft Purview Data Security Posture Management (DSPM) in public preview, which provides comprehensive visibility into sensitive data, contextual insights, and continuous risk assessment. 
DSPM is integrated with Microsoft 365 and Windows devices, leveraging generative AI through Security Copilot for deeper investigations and efficient risk management, and provides several capabilities across centralized visibility, actionable policy recommendations, and continuous risk assessment to enhance data security. ","introduction":"Explore how the new Microsoft Purview Data Security Posture Management can help you take your data security program to the next level","metrics":{"__typename":"MessageMetrics","views":17684},"postTime":"2024-11-19T05:47:09.394-08:00","lastPublishTime":"2024-11-22T09:21:55.704-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" In today's complex digital landscape, organizations are often challenged with fragmented solutions, where visibility into sensitive data and its use may be siloed across different systems. Recent studies show that 21% of decision-makers cite the lack of consolidated and comprehensive visibility caused by disparate tools as their biggest challenge to an effective security posture[1]. This results in a lack of centralized understanding of risks, which, when combined with an overwhelming volume of alerts, creates gaps in protective controls and inefficiencies in mitigating data security incidents. Ultimately, this hinders the organization’s ability to strengthen its data security posture. \n Moreover, these challenges are only getting amplified with the rapid adoption of generative AI (GenAI) as organizations are racing to address data risks such as data leaks, data theft, data oversharing, and data compliance for GenAI use. 84% of organizations agree they need to do more to protect against the risky use of AI tools[2], making data security top of mind. \n A key component of a strong data security posture is comprehensive and correlated visibility into type, location, and volume of sensitive data and user activities around the data. 
“By 2026, more than 20% of organizations will deploy DSPM technology, due to the urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks”.[3] Without this level of visibility and continuous risk assessment, businesses remain vulnerable to undetected data misuse, operational inefficiencies, and alert fatigue. \n To meet this customer need, today we are excited to announce the public preview of Microsoft Purview Data Security Posture Management (DSPM) to provide visibility into data security risks and recommend controls to protect data. DSPM offers contextual insights into data, its usage, and continuous risk assessment of your evolving data landscape, helping to mitigate data risks and strengthen your data security posture. \n DSPM is natively integrated with Microsoft 365 and Windows devices and does not require any additional agents or plugins, making it very easy to get started for both existing and new Purview customers. With DSPM, customers can discover risks, apply protections, as well as investigate and mitigate data security risks all within an integrated and seamlessly connected experience without having to stitch together multiple different products. And finally, DSPM leverages the power of generative AI through its deep integration with Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations - all in natural language. Data security admins can leverage DSPM as a starting point for a better understanding of their data security risks through: \n \n Centralized visibility: DSPM correlates signals from Information Protection (MIP), Insider Risk Management (IRM), and Data Loss Prevention (DLP) to provide top data security insights. 
Without DSPM, data security teams would have to spend time correlating insights across data and user context, which can lead to blind spots, inaccurate assessments, or different interpretations and prioritization of risks. With DSPM, your teams have a shared understanding of key risks provided through a series of analytics reports providing insights across location and type of sensitive data, risky user activities, and common exfiltration channels, as well as sensitive data detected in GenAI interactions.  \n \n \n \n Policy recommendations: In addition to providing insights, DSPM also provides actionable recommendations on policies that can make your data security program more effective. DSPM will provide scenario-based policy recommendations for Insider Risk Management and DLP, enabling teams to create integrated DLP and IRM policies with just a few clicks. For example,  DSPM can help you create an IRM policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a DLP policy to block that exfiltration at the same time. You can further fine-tune these policies through the existing policy experience in DLP and IRM. \n \n \n \n Continuous risk assessment and trends: DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users. This supports the scale and continuous improvement of your data security program by helping your teams discover new data risks and understand if existing strategies and policies are being effective. \n \n   \n \n Supercharge DSPM with Security Copilot \n With Security Copilot embedded in DSPM, organizations can gain more out of DSPM by accessing GenAI-powered insights in natural language. Data Security teams can conduct deeper investigations to better understand potential risks to their data. 
DSPM can help teams get started and prioritize their efforts through: \n \n Starting suggested prompts: These are contextually relevant insights for the top data risks in your organization such as ‘Which sensitive files were shared outside the org from SharePoint last week?’. Right in the DSPM experience, your teams can see five categories such as ‘alerts to prioritize’, ‘sensitive data leaks detected’, ‘devices at risk’, and ‘risky sequenced activity’. \n Follow-up prompts: Building on the response to these starting prompts or a user-entered open prompt, Copilot provides suggested prompts to guide you through a recommended path of investigation. \n Open prompts: You can further customize your analysis by using open prompts allowing you to explore investigations in many directions across data sets, alerts, users, and activities. \n \n Security Copilot in DSPM enables teams to discover previously unseen risks and accelerate data security by suggesting scenarios and prompts that can help triage and prioritize risks. Through these guided investigations, Copilot makes it easy to onboard newer team members and drive greater efficiency for experienced team members. \n \n Let’s walk through a scenario to make DSPM real. We know that a data security admin receives around 60 alerts per day and can address only 50% of those alerts the same day. With so much to do, admins often don’t have time to assess which alerts to prioritize or to proactively identify improvements that would strengthen the organization’s data security posture. In this scenario, Anna is a data security admin in an organization working on the very confidential project Obsidian, and she is focused on checking if there are data exfiltration risks to that project’s sensitive information. \n \n On the DSPM reports, she can verify locations with unprotected files classified as ‘Project Obsidian,’ as well as the top risky user activities involving this project. 
These insights will help Anna fine-tune policies and identify abnormal behavior, such as departing users performing exfiltration activities with Project Obsidian data that exceed the organization’s average. \n To go deeper into the risks she identified, she can ask Security Copilot ‘Which sensitive files were shared outside the org last week classified as Project Obsidian?’ to understand what specific data was impacted, and she can continue the investigation with suggested or open prompts. \n And to then take quick actions to improve protections on Project Obsidian, Anna will find at the top of the DSPM overview page an integrated recommendation for IRM and DLP policies to prevent sequential activities that might leak sensitive data, triggered by risks on this project. \n \n \n This is just the start! Currently, DSPM provides insights across your Microsoft 365 workloads and Windows devices. In the future, you will see us continue to add additional value to help you better understand and strengthen your data security posture across your data estate. Learn more about DSPM in our documentation and deep dive video. This capability will be available in public preview within the coming weeks. \n \n Enhancing data security posture for Generative AI usage \n As the adoption of GenAI grows, so does the need and urgency to protect data in GenAI. To do so,  organizations can use DSPM for AI (previously known as Microsoft Purview AI Hub), now in general availability. DSPM for AI is designed to help organizations secure, govern, and identify risks in the use of AI applications, including Microsoft's Copilot and other third-party AI tools. DSPM for AI offers ready-to-use policies to prevent data loss in AI prompts and it integrates with Microsoft's broader Purview features like sensitivity labeling, auditing, and data classification. 
\n Today, we are also announcing the public preview of the new oversharing assessment for Microsoft 365 Copilot in DSPM for AI, to help customers discover sensitive information and locations with potential oversharing risk based on existing patterns. This report will also provide recommendations on how to protect sensitive data with labeling or permissions, and actionable alerts to monitor drift away from these policies and permissions, and it will reflect the new risky GenAI usage detection from IRM and Communication Compliance. Learn about our announcement for IRM in this blog. \n \n This view leverages new Purview capabilities that aim to enable better data permission and protection configurations that will strongly impact data security around GenAI usage. Today we are announcing Purview DLP for Microsoft 365 Copilot, a new capability that provides data security admins with enhanced control over sensitive information shared with and by M365 Copilot, preventing it from processing files based on their sensitivity label and reducing risk of accidental oversharing of sensitive information. Learn more about this capability and our other DLP announcements in this blog. \n Streamlining data security across solutions   \n Protecting your organization’s crucial data and ensuring stronger data security is a practice that permeates other focus areas of your organization’s cybersecurity, such as cloud-native application protection. Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP) that leverages sensitive data insights from Microsoft Purview to provide capabilities that help you reduce risks for moving and interacting with sensitive data across hybrid and multi-cloud applications, improving threat detection and accelerating incident response. 
These capabilities include risk-based recommendations to strengthen data workload configurations, as well as identification and remediation of data risks in cloud environments with attack path analysis, allowing businesses to better prioritize vulnerabilities on their cloud applications and minimize operational inefficiencies. \n In conclusion, DSPM and the other capabilities discussed in this blog represent a step forward in empowering organizations to securely unlock the potential of their data and make it easier than ever to navigate the complexities of data protection with confidence. Stay tuned for more updates, and don’t hesitate to explore these new features to see how they can enhance your organization’s data security posture. \n Getting Started \n You can get started with DSPM by visiting the Microsoft Purview portal. Microsoft 365 E5 customers will see DSPM in the tenants in the next couple of weeks. If you don’t have Microsoft 365 E5 subscription, you can activate your free trial, Microsoft 365 E3 subscription is required.   \n To leverage the Security Copilot capabilities, contact your sales team to purchase SCUs (Security Copilot Units) and start exploring them in DSPM. \n Additional Resources: \n \n Stay up to date on our Microsoft Purview features through the Microsoft 365 Roadmap for Microsoft Purview. To learn more about Microsoft Purview, visit the product page or technical documentation. \n To learn more about Microsoft Defender for Cloud, visit the product page or technical documentation. \n \n   \n [1] Microsoft Data Security Index annual report highlights evolving generative AI security needs | Microsoft Security Blog [2] Data security as a foundation for secure AI adoption – Microsoft Security (August 2024) [3] Gartner®, Innovation Insight: Data Security Posture Management (March 2023). GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. 
All rights reserved. ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"12644","kudosSumWeight":3,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LWJWUE1oeg?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUlqSHIxOA?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LUN0V216Uw?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LXdENDhMcA?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTI0ZVQwYg?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTE0UFVwSw?revision=11\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LTdCbkNxTw?revision=11\"}"}}],"totalCount":7,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[
{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXhyNURHekFzNG5vLzE3MzIyOTYwOTYzNDZ8MHwyNTsyNXx8","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://www.youtube.com/watch?v=xr5DGzAs4no/1732296096346","thumbnail":"https://i.ytimg.com/vi/xr5DGzAs4no/hqdefault.jpg","uploading":false,"height":240,"width":320,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk4Mjc3LWJWUE1oeg?revision=11"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4172019":{"__typename":"Conversation","id":"conversation:4172019","topic":{"__typename":"BlogTopicMessage","uid":4172019},"lastPostingActivityTime":"2024-09-24T17:14:54.699-07:00","solved":false},"User:user:188612":{"__typename":"User","uid":188612,"login":"acondeMSFT","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xODg2MTItNTkzNDM3aTVCQTg3N0JBMkJBRjVEOTc"},"id":"user:188612"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTcyMDE5LTU5MzY5M2kxNTE5RkEyRDU2MDk1MDlD?revision=4\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTcyMDE5LTU5MzY5M2kxNTE5RkEyRDU2MDk1MDlD?revision=4","title":"MSFT_SCI_EndtoEnd_Security_Visibility_03.jpg","associationType":"TEASER","width":539,"height":301,"altText":null},"BlogTopicMessage:message:4172019":{"__typename":"BlogTopicMessage","subject":"Update on the Deprecation of Admin Audit Log 
Cmdlets","conversation":{"__ref":"Conversation:conversation:4172019"},"id":"message:4172019","revisionNum":4,"uid":4172019,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:188612"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" We would like to inform you that the Admin Audit Log cmdlets will now be deprecated separately from the Mailbox Audit Log cmdlets, with the final date set for September 15, 2024. \n ","introduction":"","metrics":{"__typename":"MessageMetrics","views":15461},"postTime":"2024-06-20T09:30:54.562-07:00","lastPublishTime":"2024-06-20T09:30:54.562-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" We wanted to provide you with an important update to the deprecation schedule for the two Admin Audit Log cmdlets, as part of our ongoing commitment to improve security and compliance capabilities within our services. The two Admin Audit Log cmdlets are: \n \n Search-AdminAuditLog \n New-AdminAuditLogSearch \n \n As communicated in a previous blog post, the deprecation of Admin Audit Log (AAL) and Mailbox Audit Log (MAL) cmdlets was initially planned to occur simultaneously on April 30th, 2024. However, to ensure a smooth transition and to accommodate the feedback from our community, we have revised the deprecation timeline. \n We would like to inform you that the Admin Audit Log cmdlets will now be deprecated separately from the Mailbox Audit Log cmdlets, with the final date set for September 15, 2024. \n This change allows for a more phased approach, giving you additional time to adapt your processes to the new Unified Audit Log (UAL) cmdlets, which offer enhanced functionality and a more unified experience. \n What This Means for You \n \n The Admin Audit Log cmdlets will be deprecated on September 15, 2024. 
\n The Mailbox Audit Log cmdlets will have a separate deprecation date, which will be announced early next year. \n We encourage customers to begin transitioning to the Unified Audit Log (UAL) cmdlet i.e. Search-UnifiedAuditLog as soon as possible.  Alternatively, you can explore using the Audit Search Graph API, which is currently in Public Preview and is expected to become Generally Available by early July 2024. \n \n Next Steps \n If you are currently using any one or both of the above-mentioned Admin Audit Log cmdlets, you will need to take the following actions before September 15, 2024:  \n   \n \n For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command: \n \n Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) \n   \n \n For New-AdminAuditLogSearch, you will need to use the Microsoft Purview Compliance Portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Home Microsoft Purview. More details on using the Compliance portal for audit log searching can be found here. \n \n   \n   \n Differences between UAL and AAL cmdlets \n As you move from AAL to UAL cmdlets, you may notice some minor changes between them. In this section, we will show you some important differences in the Input and Output of the UAL cmdlet from the AAL cmdlets. \n Input Parameter Differences \n Admin Audit Log (AAL) cmdlets include certain parameters that are not directly available in the Unified Audit Log (UAL) cmdlets. 
However, we have identified suitable alternatives for most of them within the UAL that will allow you to achieve similar functionality.   \n Below are the 4 parameters that are supported in the AAL and their alternatives in UAL (if present). \n   \n \n \n \n \n AAL Parameter \n \n \n Current AAL use example \n \n \n New UAL equivalent example \n \n \n Note \n \n \n \n \n Cmdlets \n \n \n Search-AdminAuditLog  -StartDate 05/20/2024 -EndDate 05/28/2024 -Cmdlets Set-Mailbox   \n \n \n Search-UnifiedAuditLog  -StartDate 05/20/2024 -EndDate 05/28/2024  \n -Operations Set-Mailbox \n   \n \n \n The “Cmdlets” parameter in AAL can be substituted with the “Operations” parameter in UAL. This will allow you to filter audit records based on the operations performed. \n   \n \n \n \n \n ExternalAccess \n \n \n Search-AdminAuditLog -StartDate 05/20/2024 -EndDate  05/28/2024 -ExternalAccess $false \n \n \n Search-UnifiedAuditLog  -RecordType ExchangeAdmin -StartDate 05/20/2024 -EndDate 05/28/2024 \n -FreeText “ExternalAccess-false” \n \n \n While UAL does not have a direct “ExternalAccess” parameter, you can use the “FreeText” parameter to filter for external access by including relevant keywords and terms associated with external user activities \n \n \n \n \n IsSuccess \n \n \n Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters MaxSendSize,MaxReceiveSize \n -StartDate 01/24/2024 -EndDate 02/12/2024 -IsSuccess $true \n \n \n Not Supported \n \n \n This property was always True in AAL because only the logs that succeeded were returned. Hence using or not using this parameter made no difference in the returned result set. Therefore, this property is not supported anymore in the Search-UnifiedAuditLog cmdlet. \n \n \n \n \n StartIndex \n \n \n Search-AdminAuditLog -StartDate 05/20/2024 -EndDate 05/28/2024 -Resultsize 100 -StartIndex 99 \n \n \n Not Supported \n \n \n In AAL, you can use the \"StartIndex\" parameter to pick the starting index for the results. 
UAL doesn't support this parameter. Instead, you can use the pagination feature of Search-UnifiedAuditLog cmdlet to get a specific number of objects with the SessionId, SessionCommand and  ResultSize parameters. \n \n \n \n \n   \n Please Note: The SessionId that is returned in the output of Search-AdminAuditLog is a system-set value and the SessionId that is passed as an input along with the Search-UnifiedAuditLog cmdlet is a user-set value. This parameter may have the same name but it performs different functions for each cmdlet. \n   \n Output Differences \n There are differences in how the Audit Log output is displayed in AAL vs UAL cmdlets. UAL has an enhanced set of results with enhanced properties in JSON format. In this section we point out a few major differences that should ease your migration journey. \n \n \n \n \n Property in AAL \n \n \n Equivalent Property in UAL \n \n \n \n \n CmdletName \n \n \n Operations \n \n \n \n \n ObjectModified \n \n \n Object Id \n \n \n \n \n Caller \n \n \n UserId \n \n \n \n \n Parameters \n \n \n AuditData > Parameters \n NOTE: All the parameters and the values passed will be present as JSON \n \n \n \n \n ModifiedProperties \n \n \n AuditData > ModifiedProperties \n NOTE: Modified values will only be present in case the verbose mode is enabled using Set-AdminAuditLogConfig cmdlet. \n \n \n \n \n ExternalAccess \n \n \n AuditData > ExternalAccess \n \n \n \n \n RunDate \n \n \n CreationDate \n \n \n \n \n   \n We are here to help We are committed to providing you with the best tools and services to manage your Exchange Online environment and welcome your questions or feedback about this change. Please feel free to contact us through a comment on this blog post or reaching out by email at AdminAuditLogDeprecation[at]service.microsoft.com. We are always happy to hear from you and assist in any way we can. 
\n The Exchange Online Team ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"7005","kudosSumWeight":3,"repliesCount":6,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTcyMDE5LTU5MzY5M2kxNTE5RkEyRDU2MDk1MDlD?revision=4\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4114267":{"__typename":"Conversation","id":"conversation:4114267","topic":{"__typename":"BlogTopicMessage","uid":4114267},"lastPostingActivityTime":"2024-09-08T22:42:50.929-07:00","solved":false},"User:user:1808473":{"__typename":"User","uid":1808473,"login":"Simone_Oor","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-11.svg?time=0"},"id":"user:1808473"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEyMGkyQUE1RTM4MkIwQjJCOUM0?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEyMGkyQUE1RTM4MkIwQjJCOUM0?revision=16","title":"CLO22_RemoteHome_028.jpg","associationType":"TEASER","width":7603,"height":5069,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.
com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTY5OWlEMzZFNUM2MENENjAzQjJF?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTY5OWlEMzZFNUM2MENENjAzQjJF?revision=16","title":"Simone_Oor_0-1713289525668.png","associationType":"BODY","width":1665,"height":122,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwNmk3REExRTAwMDI5NjU2N0RD?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwNmk3REExRTAwMDI5NjU2N0RD?revision=16","title":"Simone_Oor_1-1713168835585.png","associationType":"BODY","width":1378,"height":754,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwN2lBQzVBNkREOEM2ODg0RDlC?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwN2lBQzVBNkREOEM2ODg0RDlC?revision=16","title":"Simone_Oor_2-1713168835600.png","associationType":"BODY","width":1379,"height":638,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOGlEREVENkQwMThBOUYwNjNC?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOGlEREVENkQwMThBOUYwNjNC?revision=16","title":"Simone_Oor_3-1713168835611.png","associationType":"BODY","width":1379,"height":269,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOWlFRDRERDcwMkUwQjM4M0U1?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOWlFRDRERDcwMkUwQjM4M0U1?revision=16","title":"Simone_Oor_4-1713168835622.png","associationType":"BODY","width":1379,"height":353,"altText":null},
"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTcwMGkwQjMxQ0E0NTI1NDlGQjU0?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTcwMGkwQjMxQ0E0NTI1NDlGQjU0?revision=16","title":"Simone_Oor_0-1713289779888.png","associationType":"BODY","width":1998,"height":1225,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExMWk5QUUwMDQ4MDY0MTIzQkM5?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExMWk5QUUwMDQ4MDY0MTIzQkM5?revision=16","title":"Simone_Oor_6-1713168835637.png","associationType":"BODY","width":857,"height":335,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExNGlDQzk2MzM3NjEyMDhFN0Q5?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExNGlDQzk2MzM3NjEyMDhFN0Q5?revision=16","title":"Simone_Oor_7-1713168835642.png","associationType":"BODY","width":1723,"height":730,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExM2lFNjhDMUFFQjMwQjVDNTA3?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExM2lFNjhDMUFFQjMwQjVDNTA3?revision=16","title":"Simone_Oor_8-1713168835649.png","associationType":"BODY","width":1181,"height":798,"altText":null},"BlogTopicMessage:message:4114267":{"__typename":"BlogTopicMessage","subject":"Onboard to Azure Arc with Security in 
Mind","conversation":{"__ref":"Conversation:conversation:4114267"},"id":"message:4114267","revisionNum":16,"uid":4114267,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:1808473"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n Azure Arc allows you to manage on-premises resources like servers from Azure. This is a powerful feature that can help streamline the management process of hybrid environments, but it also further blurs the security boundary between your on-premises landscape and Azure.  \n   \n In this article we discuss some tips for ensuring that the onboarding to Azure Arc is done with security in mind. \n   \n   \n   \n   \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":9304},"postTime":"2024-04-17T09:00:00.032-07:00","lastPublishTime":"2024-04-17T09:00:00.032-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Introduction \n Azure Arc allows certain on-premises resources, typically servers, to be managed from Azure, depending on the configuration mode selected and currently available features. \n   \n While this allows for a more integrated approach to hybrid environments, it also further blurs the administrative boundary between on-premises and cloud. \n   \n This increases the risk that a vulnerability on either side lowers the level of security across the entire plane. This article contains tips for managing this risk and approaching Arc Onboarding with security in mind. \n   \n It focuses only on servers. The link below contains information about the full range of Azure Arc: \n Azure Arc overview - Azure Arc | Microsoft Learn. \n   \n Azure Arc and its service principal \n Onboarding to Azure Arc can be done using a service principal in Entra ID for authentication. \n   \n Service principals can be thought of as “service accounts” in Azure. 
 \n   \n One way of generating this service principal is from the Azure Arc blade in the Azure portal. Navigate to Azure Arc / Management / Service principals. Below is one such entry: \n   \n \n Here the scope of the service principal (for example the resource group “RG-ARC”) and the Arc-specific roles can be assigned.  Most common is the “Azure Connected Machine Onboarding” role, as shown above.  \n   \n These options ensure that the powers of this service principal are restricted. It is critical that the service principal does not get any other privileges, because this principal will be exposed across all machines that will be onboarded. Local administrators of those machines, and any threat actor that compromises the machines, can access the secret, even if it is encrypted as suggested below.  \n   \n By constraining the service principal using the “scope” and the “role”,  we avoid accidental administrative exposure of the Azure environment. \n   \n But what about the secret? \n Creating a service principal within the Azure Arc blade generates a text file with the value of its “secret”.  Think of this as the password of the service principal. By default, it will have a very short lifetime, although a longer lifetime can be configured during creation of the service principal (the service principal is only needed at the time of onboarding to Azure Arc, not for subsequent communications). \n   \n Note that it is also possible to upload a (public key) certificate as an alternative authentication mechanism, but here we focus on the secret. \n   \n Onboarding a machine to Azure Arc requires download and installation of the Azure Arc agent installer (AzureConnectedMachineAgent.msi). 
Once this has run, we can use the azcmagent.exe utility to onboard the machine: \n   \n CD 'C:\\Program Files\\AzureConnectedMachineAgent' \n   \n .\\azcmagent.exe connect ` \n --resource-name <My Computer Name> ` \n --service-principal-id <the client id of the service principal>` \n  --service-principal-secret <the secret of the service principal>` \n  --resource-group <the resource group we scoped for the service pr> ` \n  --tenant-id <the tenant id>  ` \n  --location  <the region> ` \n   --subscription-id <the subscription id> ` \n   --cloud AzureCloud  \n   \n The above is a simple example, suitable for one machine. \n   \n For bigger deployments, this public Microsoft document explains how to deploy at scale using Group Policies: \n Connect machines at scale using Group Policy with a PowerShell script - Azure Arc | Microsoft Learn \n   \n And: \n GitHub - Azure/ArcEnabledServersGroupPolicy: Guidance and sample code to perform at-scale onboarding of servers to Arc via Group Policy \n   \n At a high-level, this solution comprises the components shown here: \n   \n \n The script DeployGPO.ps1 is only run once. It creates the Group Policy Object (GPO) and populates the share with the artifacts used by the GPO, for example- the script EnableAzureArc.ps1 (that will be executing on each machine that digests the GPO). \n   \n What about the secret? Will it be hardcoded in plain text in the script on the share and therefore be readable by anyone with access to the share? \n   \n This is where it gets interesting. \n   \n Amongst the items provided by Microsoft in the above link is a PowerShell module named AzureArcDeployment.psm1. The makers of this module have done something very cool here, and created a custom type that can be called from any PowerShell session that loads the module. 
 \n Here is a partial screenshot (the full module is amongst the artifacts downloadable from the links above): \n   \n \n Notice the class “DpapiNgUtil” and its methods “ProtectBase64” and “UnprotectBase64”. \n The DeployGPO.ps1 script uses this class (or “type”) to take the plain text secret and convert it into an encrypted blob on the share (partial screenshot): \n   \n \n The script that runs on all endpoints that get the GPO, EnableAzureArc.ps1, will decrypt, “unprotect”, the secret, as long as these machines’ accounts in AD are members of the groups used to encrypt the secret. \n   \n \n This magic is possible thanks to “DPAPI NG” or Data Protection API Next Gen, which has been around since Windows 8 (what can we say, the name stuck).  To cut a long story short, this allows DPAPI to be a joint effort between your local machine and the domain controller, which is why we can use the AD group memberships as a factor. \n   \n Why this is interesting \n The objective is to avoid any “uninvited guests” to the Azure Arc party in the form of machines that are not supposed to be there, for example to avoid any unintended data- or code sharing. \n   \n DeployGPO.ps1 as it is downloaded from the links above, allows all members of  “Domain Controllers” and “Domain Computers” to decrypt the secret by adding the SIDs of these groups to the “descriptor” fed into [DpapiNgUtil]::ProtectBase64. \n This means that only domain-joined machines can be onboarded to Azure Arc, as they are the only ones that can get to the secret of the service principal. \n   \n However, we can imagine creating our own version of DeployGPO.ps1 and instead use our own custom AD group’s SID, say “Allowed to Arc”, and place only specific machine accounts into that group. \n   \n This can then serve as a double protection layer for ensuring systems go to the right resource group or subscription in Azure. 
To clarify this, in the Cloud Adoption Framework shown below, DC’s may only go into the Identity subscription, as administrative access to this area is strictly limited. Accidentally onboarding them to any other landing zone may cause lower-level Azure administrators to gain access to them. \n   \n The DPAPI technique described can be used in conjunction with correct GPO linking to ensure systems are properly directed into the right area in Azure. \n \n What is an Azure landing zone? - Cloud Adoption Framework | Microsoft Learn \n   \n Azure Arc Modes \n To further protect machines onboarded to Azure Arc, the configuration of the agent should be considered. \n   \n The Azure Arc agent has different modes (config.mode). The mode on each machine can be checked using the azcmagent.exe utility, as shown here: \n   \n \n The command above is: C:\\Program Files\\AzureConnectedMachineAgent> azcmagent config list  \n   \n The default is full mode, and this may be what is required in order to manage on-premises machines from Azure, for example for running custom extensions and other code on these machines from Azure. \n   \n For example, full mode also allows anyone with the right RBAC role in Azure to execute Azure Automation Runbooks against on-premises Azure Arc enabled machines (by including them in a Hybrid Worker Group). These Runbooks can launch scripts that run in System context. This merits repeating, especially for domain controllers: System context. This means full control of the system, and in the case of a domain controller, Active Directory itself and with it the rest of the environment. \n   \n Also deserving attention is the Run Command capability, described here: \n How to remotely and securely configure servers using Run command (Preview) - Azure Arc | Microsoft Learn. 
\n   \n This screenshot shows the output of “whoami” run against an Azure Arc-enabled DC: \n   \n \n All that said, today we still see many customers onboard machines to Azure Arc for the sole purpose of monitoring (the Azure Monitor Agent for on-premises machines requires that these are Azure Arc-enabled). In that case, the more secure option is to change the mode to monitor only: \n   \n \n The command above is: C:\\Program Files\\AzureConnectedMachineAgent> azcmagent config set config.mode monitor \n   \n As can be seen above, this white-lists only certain extensions. When configured like this, script executions such as those with Azure Automation Runbooks can no longer be run on this Arc-enabled on-premises machine. \n   \n A useful reference can be found here: Security overview - Azure Arc | Microsoft Learn. \n   \n Conclusion \n The tips in this article can help you correctly scope, configure, and direct systems into the right areas, so that they are not unnecessarily exposed as part of the Azure Arc onboarding. 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"9498","kudosSumWeight":11,"repliesCount":13,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEyMGkyQUE1RTM4MkIwQjJCOUM0?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTY5OWlEMzZFNUM2MENENjAzQjJF?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwNmk3REExRTAwMDI5NjU2N0RD?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwN2lBQzVBNkREOEM2ODg0RDlC?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOGlEREVENkQwMThBOUYwNjNC?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTEwOWlFRDRERDcwMkUwQjM4M0U1?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTcwMGkwQjMxQ0E0NTI1NDlGQjU0?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUu
MXwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExMWk5QUUwMDQ4MDY0MTIzQkM5?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExNGlDQzk2MzM3NjEyMDhFN0Q5?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTE0MjY3LTU3MTExM2lFNjhDMUFFQjMwQjVDNTA3?revision=16\"}"}}],"totalCount":10,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4036537":{"__typename":"Conversation","id":"conversation:4036537","topic":{"__typename":"BlogTopicMessage","uid":4036537},"lastPostingActivityTime":"2024-06-26T11:03:13.092-07:00","solved":false},"User:user:2266152":{"__typename":"User","uid":2266152,"login":"ColbyBoone","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0yMjY2MTUyLTU0NDQyNWk4QzA4RDEwRjA5NzVCOUU2"},"id":"user:2266152"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM2NTM3LTU0NDYzOGlBMTE1NTFCRTQzRDNGNDhB?revision=8\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM2NTM3LTU0NDYzOGlBMTE1NTFCRTQzRDNGNDhB?revision=8","title":"MSFT_S
CI_EndtoEnd_Security_Visibility_02.jpg","associationType":"TEASER","width":539,"height":301,"altText":null},"BlogTopicMessage:message:4036537":{"__typename":"BlogTopicMessage","subject":"Important Announcement: Deprecation of AdminAuditLog and MailboxAuditLog Cmdlets","conversation":{"__ref":"Conversation:conversation:4036537"},"id":"message:4036537","revisionNum":8,"uid":4036537,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:2266152"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" We are working towards streamlining the audit log search experience of our customers by deprecating four older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. \n ","introduction":"","metrics":{"__typename":"MessageMetrics","views":39573},"postTime":"2024-01-26T09:00:00.032-08:00","lastPublishTime":"2024-06-26T11:03:13.092-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" [UPDATE 4/18: We are writing to inform you that the AdminAuditLog & MailboxAuditLog changes that were scheduled for April 30th have been postponed until further notice. We apologize for any inconvenience this may cause you and we appreciate your patience and understanding] \n   \n [ Update 6/26] \n Further details related to Admin Audit log Cmdlets can be found here: \n  https://aka.ms/AdminAuditCmdletBlog  \n   \n Dear customers,  \n   \n We are writing to inform you about an upcoming change that will affect the way you access and manage your Exchange Online audit logs. 
Starting from April 30, 2024, we will be deprecating the following four cmdlets in the Exchange Online V3 module:  \n \n Search-AdminAuditLog  \n Search-MailboxAuditLog  \n New-AdminAuditLogSearch  \n New-MailboxAuditLogSearch  \n \n These cmdlets will no longer be available for use after this date, and you will need to switch to the Search-UnifiedAuditLog cmdlet or the Microsoft Purview portal to access your audit logs.  \n   \n Why are we deprecating these cmdlets?  \n We are working towards streamlining the audit log search experience of our customers by deprecating four older cmdlets in favor of a single, more powerful cmdlet: Search-UnifiedAuditLog. This cmdlet has been in use for a long time and offers several advantages, including:  \n \n Support for a wider variety of record types.  \n More filtering options to refine your search.  \n A range of output formats to suit your needs.  \n \n To make things simpler and more efficient, it’s recommended to use Search-UnifiedAuditLog from now on. You can learn more about this cmdlet and its usage here: Search-UnifiedAuditLog (ExchangePowerShell) | Microsoft Learn  \n   \n What do you need to do if you are using the deprecated cmdlets?  \n If you are currently using any or all of the above-mentioned cmdlets, you will need to take the following actions before April 30, 2024:  \n   \n For Search-AdminAuditLog, you will need to replace it with Search-UnifiedAuditLog in your scripts or commands. To get the same results as Search-AdminAuditLog, you will need to set the RecordType parameter to ExchangeAdmin. For example, if you want to search for all Exchange admin actions in the last 30 days, you can use the following command:  \n Search-UnifiedAuditLog -RecordType ExchangeAdmin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)  \n   \n For Search-MailboxAuditLog, you may also replace it with Search-UnifiedAuditLog. 
You can use the Exchange Online PowerShell V2 module to query the unified audit log for Exchange-related events. The cmdlet allows you to filter the results by record type, date range, user, and operation. For example, if you want to search for all Exchange mailbox actions in the last 30 days, you can use the following command:   Search-UnifiedAuditLog -RecordType ExchangeItem -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)  \n   \n You can also export the results to a CSV file for further analysis. To use the cmdlet, you need to have the View-Only Audit Logs or Audit Logs role assigned. You can learn more about the cmdlet here: Search-UnifiedAuditLog.   \n   \n For New-MailboxAuditLogSearch and New-AdminAuditLogSearch you will need to use the Microsoft Purview portal to download your audit log report. The portal allows you to specify the criteria for your audit log search, such as date range, record type, user, and action. You can also choose to receive the report by email or download it directly from the portal. You can access the portal here: Microsoft Purview  \n   \n We are also working on a new Audit Search API using Microsoft Graph which is expected to become available in Public Preview by February 2024. This will allow our customers to programmatically access the new async Audit Search experience, which also provides improved reliability and search completeness.  \n   \n Note on default enablement of Auditing based on SKU: \n \n To use the Search-UnifiedAuditLog command, auditing needs to be enabled for your tenant. Auditing is by default only enabled for the following SKUs:  \n \n A1/A3/A5/Edu  \n O365E1/E3/E5  \n Defender  \n \n If you are using any different SKU, you will need to enable the Auditing manually by following the steps as mentioned here: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable. 
Please note: to ensure you have access to the last 90 days of logs once the cmdlets are deprecated, it’s crucial to enable auditing before January 31st. If you enable auditing after this date, you’ll only have access to logs from the day you activate it and onwards.      \n   \n We are here to help  \n We understand that this change may cause some inconvenience or disruption to your workflows, and we apologize for any inconvenience this may cause. We are committed to providing you with the best tools and services to manage your Exchange Online environment, and we appreciate your understanding and cooperation.  \n   \n If you have any questions or feedback about this change, please feel free to contact us through our support channels or post a comment on this blog post. We are always happy to hear from you and assist you in any way we can.  \n   \n Sincerely,  \n The Exchange Online Team  ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"5448","kudosSumWeight":1,"repliesCount":39,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM2NTM3LTU0NDYzOGlBMTE1NTFCRTQzRDNGNDhB?revision=8\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4067207":{"__typename":"Conversation","id":"conversation:4067207","topic":{"__typename":"BlogTopicMessage","uid":40
67207},"lastPostingActivityTime":"2024-05-08T08:55:28.837-07:00","solved":false},"User:user:195196":{"__typename":"User","uid":195196,"login":"Sascha Windrath","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xOTUxOTYtNTUzMzkyaUVGQkQ4MzY0MDhBOEQ4Njk"},"id":"user:195196"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzM2kzMTFBMDU3QUI1QTRFREJG?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzM2kzMTFBMDU3QUI1QTRFREJG?revision=15","title":"image002.png","associationType":"TEASER","width":1203,"height":659,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMWlEQzdFQkM2NDREQUM1ODYy?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMWlEQzdFQkM2NDREQUM1ODYy?revision=15","title":"image002.png","associationType":"BODY","width":1203,"height":659,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg2MGk2OUZEMjQ2NEU5NjU2NzEx?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg2MGk2OUZEMjQ2NEU5NjU2NzEx?revision=15","title":"Blog2a.png","associationType":"BODY","width":1147,"height":317,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg0MGlBNTAzOTkwRTIxN0MwNTA3?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg0MGlBNTAzOTkwRTIxN0MwNTA3?revision=15","title":"Blog2b.png","associationType":"BODY","width":1285,"height":585,"altText":null},"AssociatedImag
e:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4M2lEMDk3RjZBNDE0RjQzN0U4?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4M2lEMDk3RjZBNDE0RjQzN0U4?revision=15","title":"image004.png","associationType":"BODY","width":881,"height":206,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4NGlCMDA3MTQwMDg5M0QwODFD?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4NGlCMDA3MTQwMDg5M0QwODFD?revision=15","title":"image006.png","associationType":"BODY","width":962,"height":496,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ5Mmk4QjA0QzdDQkEwMTNCRDdD?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ5Mmk4QjA0QzdDQkEwMTNCRDdD?revision=15","title":"image007.png","associationType":"BODY","width":1518,"height":403,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUwM2k2ODAxOTg3QzkwODlCOUQ0?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUwM2k2ODAxOTg3QzkwODlCOUQ0?revision=15","title":"image010.png","associationType":"BODY","width":573,"height":784,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxN2kxOEExNzE0QkJBNzM3MjZG?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxN2kxOEExNzE0QkJBNzM3MjZG?revision=15","title":"image011.png","associationType":"BODY","width":1576,"height":378,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunit
y.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOGlBQzRFOEI0MTg0OENBNUM5?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOGlBQzRFOEI0MTg0OENBNUM5?revision=15","title":"image013.png","associationType":"BODY","width":812,"height":314,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOWlGRTlGMzBEMzc1RDc1NEI5?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOWlGRTlGMzBEMzc1RDc1NEI5?revision=15","title":"image015.png","associationType":"BODY","width":861,"height":999,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMGlEN0FDNjBFMjY3NTI1NUI2?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMGlEN0FDNjBFMjY3NTI1NUI2?revision=15","title":"image017.png","associationType":"BODY","width":1490,"height":270,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU3MGlBQ0YxQzNDRkIzOUQ2MzU4?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU3MGlBQ0YxQzNDRkIzOUQ2MzU4?revision=15","title":"image022.png","associationType":"BODY","width":416,"height":556,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzOWkwQkE0NDkwOEQ0REJCRUVE?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzOWkwQkE0NDkwOEQ0REJCRUVE?revision=15","title":"image024.png","associationType":"BODY","width":449,"height":447,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/im
ages/bS00MDY3MjA3LTU3MTU0Mmk1RTFFNjZDNzQxQUEwMEMy?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0Mmk1RTFFNjZDNzQxQUEwMEMy?revision=15","title":"image026.png","associationType":"BODY","width":471,"height":648,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0M2lGNEIzM0U4ODFFNjBENjkw?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0M2lGNEIzM0U4ODFFNjBENjkw?revision=15","title":"image028.png","associationType":"BODY","width":421,"height":223,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NGkxQzczRDRGN0YyOEEzRkJG?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NGkxQzczRDRGN0YyOEEzRkJG?revision=15","title":"image030.png","associationType":"BODY","width":802,"height":378,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NWlCNjExNTBERDRENzM3MTUz?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NWlCNjExNTBERDRENzM3MTUz?revision=15","title":"image032.png","associationType":"BODY","width":636,"height":1420,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1N2lCODhCRUZGQzZGMkEyMDZE?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1N2lCODhCRUZGQzZGMkEyMDZE?revision=15","title":"image035.png","associationType":"BODY","width":411,"height":476,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1OGkzMzQ3R
TRDRTg5QjIyMTQy?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1OGkzMzQ3RTRDRTg5QjIyMTQy?revision=15","title":"image038.png","associationType":"BODY","width":730,"height":821,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MGk4MUQ4QzdCNjFFOTE2QjM5?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MGk4MUQ4QzdCNjFFOTE2QjM5?revision=15","title":"image037.png","associationType":"BODY","width":953,"height":240,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MWkyQkQ0QkNGM0YyRDBFODMy?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MWkyQkQ0QkNGM0YyRDBFODMy?revision=15","title":"image040.png","associationType":"BODY","width":1208,"height":963,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2M2kxODNEOEYzMUMwN0Q5M0Ew?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2M2kxODNEOEYzMUMwN0Q5M0Ew?revision=15","title":"image042.png","associationType":"BODY","width":933,"height":853,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2NWkyQUJEOUE3MjA3MUM3OTJD?revision=15\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2NWkyQUJEOUE3MjA3MUM3OTJD?revision=15","title":"image044.png","associationType":"BODY","width":1207,"height":396,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2Nmk1Q0M3QzFDN0UzRTZBOTA1?revision=15\"}":{
"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2Nmk1Q0M3QzFDN0UzRTZBOTA1?revision=15","title":"image046.png","associationType":"BODY","width":799,"height":992,"altText":null},"BlogTopicMessage:message:4067207":{"__typename":"BlogTopicMessage","subject":"How to enforce usage of Privileged Access Workstations for Admins","conversation":{"__ref":"Conversation:conversation:4067207"},"id":"message:4067207","revisionNum":15,"uid":4067207,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:195196"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" You probably already came across the challenge to enforce the use of a dedicated administrative workstation. Here is what you can do.  \n ","introduction":"","metrics":{"__typename":"MessageMetrics","views":19084},"postTime":"2024-05-03T14:23:26.448-07:00","lastPublishTime":"2024-05-08T08:55:28.837-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Intro \n   \n You probably already came across the challenge to make sure that administrators using a highly privileged administrative role in Entra ID or an Azure RBAC role which allows control over sensitive resources should be only allowed if administrators use a dedicated administrative workstation. At Microsoft we call those devices Privileged Access Workstations (PAW). PAWs are highly restricted and protected devices with the single purpose to secure and protect the admin’s credentials following Zero Trust and Clean Source Principle. Now, the issue is that Admins could either employ that device or simply ignore it and use their office computers instead, which seems to be much more convenient. The same applies  for the attackers, because admins not using a PAW makes their life much easier as they would have a direct attack path at hand. This is not what you want! 
(This article assumes you already have implemented a PAW for cloud services management.) \n   \n \n   \n   \n So, how do you make sure that highly privileged users must use their PAWs for working with highly privileged roles in Azure? \n Let me show you some cool things to get there, as there are several technologies involved like Conditional Access, Microsoft Graph and some others like Microsoft Graph Explorer, PowerShell and a bit of Kusto for monitoring queries to give you a more complete picture. Let’s get started. \n   \n Solution Summary \n   \n What we do here is use Conditional Access with a block rule to deny all logons from non-PAW devices, targeting all members of a certain Entra ID security group. The policy tells a PAW apart from other devices by a tag stored in the device’s ExtensionAttribute1. Since there is no way at this time to set the ExtensionAttribute1 via the Entra ID Portal, we explore two options to set this attribute. One is using Graph Explorer, and the other one is using PowerShell. \n Interested? Let’s get started. \n   \n Mission \n   \n First of all, we set the stage for our main actors. \n \n PAWDevice1 – Privileged Administrative Workstation (PAW) Entra ID device. \n Admin1 – Privileged administrative Entra ID account. \n PAW-Users – Entra ID security group having Admin1 as member. \n \n Mission: We want to make sure that Admin1 can only log in using their PAW. \n   \n Scenario 1: This is what we are going to do in this article. Starting with a very small scope (the user) to verify how this is working. \n \n   \n Scenario 2: Targeting roles would set the scope to all activated roles. In the picture below the user has no role enabled. By using PIM to enable a privileged role the user would be in scope for the Conditional Access policy where the activated role of the user would be in the targeted roles list. Then, when the user tries to access a resource which is in the list of target resources, Conditional Access would kick in. \n \n   \n Surely, you could combine both scenarios. 
Again: Before widening the scope of a very restrictive Conditional Access policy, do some monitoring first using the Report-Only mode and always make sure you have working Break-Glass Accounts. \n   \n Now, how do we enable Conditional Access to distinguish between a PAW and an Office device to enforce PAW usage and how do we target the right users or roles? \n   \n First goal – ‘Tagging’ the PAW device \n   \n First task is setting the ExtensionAttribute1 for the PAW device object in Entra ID. We are going to use Microsoft Graph Explorer and PowerShell for this task. \n A brief explanation of the ExtensionAttribute1 attribute: Microsoft Entra ID offers a set of 15 extension attributes with predefined names on the user and device resources. These properties were initially custom attributes provided in on-premises Active Directory (AD) and Microsoft Exchange. However, they can now be used for more than syncing on-premises AD and Microsoft Exchange data to Microsoft Entra ID through Microsoft Graph. \n   \n Getting started with Microsoft Graph Explorer \n   \n Let’s start using Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer). It is a great tool to dig deeper into all the information Microsoft Graph can provide you with. Besides, and this is very helpful, you can exactly determine the Microsoft Graph permissions needed for certain Microsoft Graph related operations via the tab “Modify permissions”. \n Speaking of “permissions for Microsoft Graph Explorer”. You might have to set permissions for the tasks you want to perform within the app, because it performs tasks on your behalf. We deal with this just a little bit further down the line. \n Now, let’s first find our device using Microsoft Graph Explorer. \n The first thing we need to do when starting to use Microsoft Graph Explorer is to log on using credentials for the tenant in which the device is managed, because if not logged on you only would see the “Sample Tenant”! 
And yes, it is highly recommended that we use a PAW for the tasks below. \n In Microsoft Graph Explorer make sure you are using the latest features by selecting “Beta”. \n   \n \n Then we change the address line to: \n https://graph.microsoft.com/beta/devices \n This should give you a list of all devices from Entra ID. \n Important: If you have never used Microsoft Graph Explorer before, it might throw an error when running this query for devices, because that app is not automatically allowed to perform tasks on your behalf. \n The error looks like this: \n   \n \n   \n As you can see it says that this app does not have sufficient privileges. \n In this case you would need to consent for the permissions you need. \n   \n Consent to delegated permissions for Microsoft Graph Explorer \n To be allowed to consent to permissions needed by this application within Entra ID you have to elevate to either Global Administrator or Security Administrator Entra ID role. \n Entra ID Account (your account) permission needed for consenting: microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin \n   \n How to consent \n Click on the tab “Modify permissions”. \n It will show you exactly which permissions are needed to query for devices or even do more. \n   \n \n   \n It is always highly recommended to use least privilege. For reading device information we must consent to “Device.Read.All”. The button “Consent” is in the same line at the right-hand side and you will be prompted to consent as shown below. \n   \n \n   \n Tick the box “Consent on behalf of your organization” and then click on the button “Accept”. \n Now “Modify permission” should look like this: \n   \n \n   \n Now re-run the query. You should get a list of all devices in the “Response preview” \n   \n Find PAWDevice1 \n   \n Now, we want to query for PAWDevice1. \n For that we change the address to include a filter. 
\n ================================================================================= \n Tip: as soon as you enter a ? at the end of the web address it will show you a list of available commands to use. \n https://graph.microsoft.com/beta/devices?$filter=displayName eq 'PAWDevice1' \n   \n \n   \n ================================================================================= \n After running the query filtering for the display name of the device we get a single device entry with all its attributes as a result. Here we can also verify that none of the extension attributes has a value set. \n   \n \n   \n What we need now is the value for “id”, which is the ObjectID of this device. Don’t confuse the value “id” with the value “deviceId” which is also in the list of values. \n We copy the Object ID into VS Code (or any other editor), because we need it for setting the ExtensionAttribute1 for this device. \n   \n Set ExtensionAttribute1 for PAWDevice1 \n   \n Open Microsoft Graph Explorer in your web browser and log on with your Entra ID account of your tenant. Make sure that you have the Entra ID role “Intune Administrator” activated to perform the task of setting the device’s ExtensionAttribute1. \n Entra ID Account (your account) permission needed for this task: microsoft.directory/devices/extensionAttributeSet1/update \n (see reference for role permissions here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json#intune-administrator) \n The next operation we perform is a PATCH operation. Remember we had to consent to certain permissions for the GET operation. Now we need to consent for permissions for the PATCH operation (if not already done). \n The URL needed for the next step is built of two parts: \n \n https://graph.microsoft.com/beta/devices \n The unique device ID GUID. Remember: That ID should have been copied into the editor VS Code (or any other editor you like). 
\n \n After we enter the URL including the device id like this (mind that each device ID is unique), switch to PATCH on the left-hand side and select the “Modify permissions” tab, you’ll likely see the below: \n   \n \n   \n Here we need to consent to “Directory.AccessAsUser.All” permissions. \n What does that mean in terms of permissions? \n The description says “Allows the app to have the same access to information in your work or school directory as you do.” We ask the app to do something for us. And it does it for us with the same permissions we have at that moment. \n   \n After consenting, click on the tab “Request body” and enter the following JSON code to update the value for ExtensionAttribute1. \n   \n {\n \"extensionAttributes\": {\n \"extensionAttribute1\": \"PAW\"\n }\n} \n   \n After entering the JSON code click on the blue button (upper right-hand side) “Run query”. \n   \n It should show this if successful: \n   \n \n   \n If we change from PATCH back to GET we can just click on Run query and it will show us  the device entry again. \n Now we scroll down to look for the value of ExtensionAttribute1. \n Now it has the value “PAW”. \n   \n \n Wasn’t that fun! This was an exercise to give you some hands-on experience with Microsoft Graph Explorer. This tool is especially helpful when trying to get the right information for automating such tasks via PowerShell. \n   \n Setting ExtensionAttribute1 with PowerShell \n   \n When using PowerShell to access Microsoft Graph it is a similar process when it comes to consenting to permissions needed for an application which will then act on behalf of the user. In this case it is another application than for Graph Explorer. Its name is Microsoft Graph Command Line Tools. The former name was Microsoft Graph PowerShell and it was changed to the new name in May 2023. 
\n With this script and the correct activated role (same as for Graph Explorer) we can easily set a device’s ExtensionAttribute1 value or instead we could even do it as bulk for an Entra ID device group. \n To be able to run the script we want to make sure we have the following PowerShell modules installed on our device. \n \n Microsoft.Graph.Authentication \n Microsoft.Graph.Identity.DirectoryManagement \n Microsoft.Graph.Groups \n \n More information on how to install the modules: https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0 \n   \n PowerShell Code for Set-DeviceExtensionAttribute.ps1 \n   \n <#\n.SYNOPSIS\n Sets the ExtensionAttribute1 on devices.\n\n.DESCRIPTION\n \n.PARAMETER TargetGroup\n Assign the ExtensionAttribute1 to all devices in a group\n\n.PARAMETER DeviceName\n Assign the ExtensionAttribute1 to a specific device\n\n.PARAMETER ExtensionAttributeValue\n The string value of the extension attribute. Default in this script is \"PAW\"\n\n.EXAMPLE\n Set-DeviceExtensionAttribute -DeviceName mydevice -ExtensionAttributeValue \"PAW\"\n Set-DeviceExtensionAttribute -TargetGroup DeviceGroupName -ExtensionAttributeValue \"PAW\"\n\n.NOTES\n\nDisclaimer\n The sample scripts provided here are not supported under any Microsoft\n standard support program or service. All scripts are provided AS IS without\n warranty of any kind. Microsoft further disclaims all implied warranties\n including, without limitation, any implied warranties of merchantability or\n of fitness for a particular purpose. The entire risk arising out of the use\n or performance of the sample scripts and documentation remains with you. 
In\n no event shall Microsoft, its authors, or anyone else involved in the\n creation, production, or delivery of the scripts be liable for any damages\n whatsoever (including, without limitation, damages for loss of business\n profits, business interruption, loss of business information, or other\n pecuniary loss) arising out of the use of or inability to use the sample\n scripts or documentation, even if Microsoft has been advised of the\n possibility of such damages.\n#>\n\n[CmdletBinding()]\nparam (\n [Parameter(ParameterSetName = 'GroupAssign', Mandatory = $True)]\n [String]\n $TargetGroup,\n [Parameter(ParameterSetName = 'DeviceAssign', Mandatory = $True)]\n [String]\n $DeviceName, #not case-sensitive\n [Parameter()]\n [String]\n $ExtensionAttributeValue = \"PAW\"\n)\n\n# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n#region Functions\n# ////////////////////////////////////////////////////////////////////\n\nfunction Connect-ToGraph {\n\n $Parameter = @{\n 'Scopes' = \"Device.ReadWrite.All\"\n }\n \n try {\n Connect-MgGraph @Parameter \n }\n \n catch {\n Write-Error -Exception $_.Exception\n break\n \n }\n\n}\n\nFunction Set-DeviceExtensionAttribute {\n\n [cmdletbinding(DefaultParameterSetName = 'All')]\n param (\n [Parameter(Mandatory, ParameterSetName = 'DeviceId')]\n [String]\n $DeviceId, \n [Parameter(Mandatory = $true)]\n [String]\n $ExtensionAttributeValue\n )\n\n $graphApiVersion = \"Beta\"\n $Resource = \"devices/$DeviceId\" \n $Uri = \"https://graph.microsoft.com/$graphApiVersion/$($Resource)\"\n\n $JSON = @\"\n {\n \"extensionAttributes\": {\n \"extensionAttribute1\": \"$ExtensionAttributeValue\"\n }\n}\n\"@\n # Important. The last curly bracket in the above JSON must be without any space before it! 
\n\n try {\n \n Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $JSON -ContentType 'application/json'\n\n Write-Host\n Write-Host \"Success - Wait a moment until changes have been synced to the tenant.\" -ForegroundColor Green\n }\n catch {\n Write-Host \"PATCH operation failed with error.\"\n Write-Host \"Error: \" $Error\n Write-Host \"=============================================\"\n Write-Host \"JSON BODY: $JSON\"\n Write-Host \"URI: $uri\"\n }\n}\n\nFunction Get-Devices {\n param(\n [Parameter(Mandatory, ParameterSetName = 'GroupName')]\n [string] $GroupName\n\n )\n\n try {\n Write-Host \"Getting Group '$GroupName'.\"\n $Group = Get-MgGroup -Filter \"displayName eq '$GroupName'\" -ErrorAction SilentlyContinue\n if ($Group) {\n $GroupMembers = Get-MgGroupMember -GroupId $Group.Id\n return $GroupMembers\n }\n else {\n Write-Host \"Group '$GroupName' NOT FOUND in tenant!\" -ForegroundColor Red\n return $false\n }\n }\n catch {\n return $false\n }\n\n}\n\n#endregion Functions\n\n# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n#region MAIN\n# ////////////////////////////////////////////////////////////////////\n\n\nConnect-ToGraph\n\n# Setting the value for a single device\nif ($DeviceName) {\n Write-Host \"Getting Device '$DeviceName'.\"\n $Device = Get-MgDevice -Filter \"DisplayName eq '$DeviceName'\" -ErrorAction SilentlyContinue\n if ($Device.Id) {\n Set-DeviceExtensionAttribute -DeviceId $Device.id -ExtensionAttributeValue $ExtensionAttributeValue\n }\n else {\n Write-Host \"Device '$DeviceName' does not exist.\" -ForegroundColor Red\n }\n}\n\n# Setting the value for all member devices of an Entra ID security group\nIf ($TargetGroup) {\n $Devices = Get-Devices -GroupName $TargetGroup\n\n foreach ($Device in $Devices) {\n\n Set-DeviceExtensionAttribute -DeviceId $Device.id -ExtensionAttributeValue $ExtensionAttributeValue\n\n }\n}\n#endregion MAIN \n   \n When 
running the script for the first time and if we did not consent for any permission for Microsoft Graph Command Line Tools the following consent prompt will appear. \n Again, here you tick the box “Consent on behalf of your organization” and click the button “Accept”. \n   \n \n   \n The scope for the permissions is defined in the script function “Connect-ToGraph”. \n   \n $Parameter = @{\n 'Scopes' = \"Device.ReadWrite.All\"\n } \n   \n Overview of Function Set-DeviceExtensionAttribute \n The main function in this script is “Set-DeviceExtensionAttribute”. \n It performs what we did using Graph Explorer. \n   \n It builds up the URI: \n   \n $graphApiVersion = \"Beta\"\n $Resource = \"devices/$DeviceId\"\n $Uri = \"https://graph.microsoft.com/$graphApiVersion/$($Resource)\" \n   \n   \n It creates the JSON: \n   \n $JSON = @\"\n {\n \"extensionAttributes\": {\n \"extensionAttribute1\": \"$ExtensionAttributeValue\"\n }\n}\n\"@@ \n   \n   \n It runs the PATCH operation: \n   \n Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $JSON -ContentType 'application/json' \n   \n Conditional Access \n Brief overview \n   \n First a brief overview of the elements of Conditional Access policies we use for our POC. \n We have four main sections to be considered for our policy: \n \n Assignment to Users, groups or directory roles \n Target resources we want to protect ( in our case this will be applications) \n The condition under which the policy is applied \n The grant control will be set to BLOCK \n \n Important: You want to move slowly and carefully because you don’t want to lock yourself and everyone else out. \n   \n Prerequisites \n   \n First we must make sure that you have the appropriate permissions to create Conditional Access policies. 
\n To create a device-based Conditional Access policy our account must have one of the following permissions in Microsoft Entra: \n \n Global administrator \n Security administrator \n Conditional Access administrator \n \n Create Policy \n   \n Let’s move on to create the device-based Conditional Access policy. \n Open the Microsoft Entra Admin Center and browse to \n Protection > Conditional Access \n   \n \n   \n Link: https://entra.microsoft.com/#blade/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/fromNav/ \n Under ConditionalAccess click on “Policies” and then on “New policy” \n   \n \n   \n Policy Name \n   \n First we give it a name and call it “PAW-Block-Device-Filter” \n   \n \n   \n Assignments \n   \n Let’s first decide who will be excluded from this Conditional Access Policy. \n \n Break Glass Accounts (validated emergency accounts if everyone is locked out – those accounts must be excluded from all CA policies) \n Entra ID Connect Account(s) – (Accounts for AD user synchronization) \n Your account – During testing phase \n \n Who to include in this Conditional Access Policy: \n We only target the group “PAW-Users”. \n   \n Important note: We do not want to include any roles in this example/demo configuration, because targeting a role could have an instant, tenant-wide impact on all members of that role. Example: If you targeted the role Global Administrators, the Conditional Access policy would be effective for all user accounts that currently have the role active (except the ones in the list of excluded users/groups). For a start we only want to target our Admin1 account, which is a member of PAW-Users. Remember this is for demonstrating how the approach works. \n   \n Target resources \n   \n We want to enforce usage of a PAW device for Microsoft admin portals in Entra targeting PAW-Users. There is a handy way to do this. 
\n (see also the related Microsoft Learn article for more information: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals ) \n Under Target resources we select “Cloud apps” from the pull-down menu. Then we select the radio button “Select apps” and under “Select” we click on the link with the name “None”. (That is because at this point in time no app had been selected.) \n   \n   \n \n   \n Should look like this now: \n   \n \n   \n Conditions \n   \n The condition we define tells Conditional Access when the policy is to be applied. Keep in mind that we only target the members of the group PAW-Users. No Entra ID roles. \n Condition: The condition defines the rules under which the Conditional Access policy engine applies what is configured under “Grant”. \n To configure the condition click on “0 conditions selected” in the category “Conditions”. \n   \n \n   \n The condition uses a device filter. To configure the device filter first click on “Yes” under “Configure”. Then select the radio button “Exclude filtered devices from policy”. \n Now we configure the filter. Under “Property” select the pull-down menu and select ExtensionAttribute1 as value. Operator must be set to “Equals” and the value must be “PAW”. \n To finish the configuration, click on the button “Done”. \n   \n \n   \n Grant control \n   \n To configure the Grant control to block access we select the radio button “Block access” and then click on the button “Select”. \n   \n \n   \n The whole policy would read: \n When members of the group PAW-Users log on to one of the Microsoft admin portals and their logon is coming from a device that does not have ExtensionAttribute1 set to “PAW” the logon will be denied. If they log on from a device with ExtensionAttribute1 set to “PAW” then the logon will be allowed. Because the policy trusts this attribute, the ability to change ExtensionAttribute1 on devices must be tightly restricted and monitored, since any device tagged “PAW” is exempt from the block. \n Important: For the start we only set this Conditional Access policy to Report-only. 
\n That mode doesn’t block anything but allows for monitoring before introducing a restrictive policy like this. \n   \n Monitoring Conditional Access policies in Report-only mode \n   \n To be able to use Kusto (Link: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query) queries on Entra ID Sign-In logs you must configure Entra ID to store Sign-In logs in a Log Analytics workspace. When done you can easily query for Sign-In events where the new policy would have blocked a logon attempt for the targeted users. \n Here is an example of a short Kusto query to find all cases where a Conditional Access policy which is set to Report-only would have blocked a logon attempt. \n   \n SigninLogs\n| extend CAP = parse_json(ConditionalAccessPolicies)\n| mv-expand CAP\n| extend DeviceName = parse_json(DeviceDetail)\n| where CAP.result contains \"reportOnlyFailure\"\n| project TimeGenerated, UserDisplayName, ConditionalAccessPolicyName=CAP.displayName, DeviceDisplayName=DeviceName.displayName, ResultDescription, Location, IPAddress, NetworkLocationDetails, ResourceDisplayName\n| sort by TimeGenerated desc\n \n   \n Now we could test the new created Conditional Access policy with the test user Admin1. \n Testing it out \n   \n Let's try to logon with user Admin1 to a Microsoft admin portal of your choice. Say, we would try the Azure Portal. Let’s also assume that this user account has already gone through the process of registering for MFA. \n In the browser type in “portal.azure.com”. Logon will be allowed as long as the Conditional Access policy is set to Report-only. \n In Log Analytics you could see the following when using the Kusto query from above: \n   \n \n   \n If we enable the Conditional Access policy (set it from “Report-Only” to “ON”), Admin1 would not be allowed to log on from a device that has not set ExtensionAttribute1. 
In that case the account Admin1 would see the following: \n   \n \n   \n I hope this blog was helpful and it could give you some insights and ideas on how to make your environment more secure. Thanks for reading. \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"24019","kudosSumWeight":7,"repliesCount":5,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzM2kzMTFBMDU3QUI1QTRFREJG?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMWlEQzdFQkM2NDREQUM1ODYy?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg2MGk2OUZEMjQ2NEU5NjU2NzEx?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3Nzg0MGlBNTAzOTkwRTIxN0MwNTA3?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4M2lEMDk3RjZBNDE0RjQzN0U4?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ4NGlCMDA3MTQwMDg5M0QwODFD?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDc"
,"node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTQ5Mmk4QjA0QzdDQkEwMTNCRDdD?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUwM2k2ODAxOTg3QzkwODlCOUQ0?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxN2kxOEExNzE0QkJBNzM3MjZG?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOGlBQzRFOEI0MTg0OENBNUM5?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUxOWlGRTlGMzBEMzc1RDc1NEI5?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUyMGlEN0FDNjBFMjY3NTI1NUI2?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU3MGlBQ0YxQzNDRkIzOUQ2MzU4?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTUzOWkwQkE0NDkwOEQ0REJCRUVE?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity
.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0Mmk1RTFFNjZDNzQxQUEwMEMy?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE2","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0M2lGNEIzM0U4ODFFNjBENjkw?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE3","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NGkxQzczRDRGN0YyOEEzRkJG?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE4","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU0NWlCNjExNTBERDRENzM3MTUz?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE5","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1N2lCODhCRUZGQzZGMkEyMDZE?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDIw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU1OGkzMzQ3RTRDRTg5QjIyMTQy?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDIx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MGk4MUQ4QzdCNjFFOTE2QjM5?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDIy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2MWkyQkQ0QkNGM0YyRDBFODMy?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDIz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2M2kxOD
NEOEYzMUMwN0Q5M0Ew?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2NWkyQUJEOUE3MjA3MUM3OTJD?revision=15\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDY3MjA3LTU3MTU2Nmk1Q0M3QzFDN0UzRTZBOTA1?revision=15\"}"}}],"totalCount":25,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:3610727":{"__typename":"Conversation","id":"conversation:3610727","topic":{"__typename":"BlogTopicMessage","uid":3610727},"lastPostingActivityTime":"2024-01-25T15:34:57.146-08:00","solved":false},"User:user:1413305":{"__typename":"User","uid":1413305,"login":"yangchen","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xNDEzMzA1LTUwNzMxOGk3QUVBN0M2NjFDREJBNUFG"},"id":"user:1413305"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zNjEwNzI3LTM5OTMzN2k5QTVDQUI5RjA4MDMzMzEx?revision=6\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zNjEwNzI3LTM5OTMzN2k5QTVDQUI5RjA4MDMzMzEx?revision=6","title":"yangchen_0-1661544832158.png","associationType":"BODY","width":1725,"height":898,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/
t5/s/gxcuf89792/images/bS0zNjEwNzI3LTQ1ODA1NGk1M0ExNUE3N0MzQ0EwNUM4?revision=6\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zNjEwNzI3LTQ1ODA1NGk1M0ExNUE3N0MzQ0EwNUM4?revision=6","title":"yangchen_1-1680728303166.png","associationType":"BODY","width":2770,"height":1221,"altText":null},"BlogTopicMessage:message:3610727":{"__typename":"BlogTopicMessage","subject":"Admin guide to auditing and reporting for the AIP Unified Labeling client","conversation":{"__ref":"Conversation:conversation:3610727"},"id":"message:3610727","revisionNum":6,"uid":3610727,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:1413305"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Learn about how to implement the auditing solution from Microsoft Purview for Azure Information Protection Unified Labeling client users. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":12268},"postTime":"2022-09-01T09:00:00.039-07:00","lastPublishTime":"2024-01-25T15:34:57.146-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n Auditing and reporting play important roles in the security and compliance strategy for many organizations. With the continued expansion of the technology landscape that has an ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place. \n   \n For customers of the Azure Information Protection (AIP) Unified Labeling client, the experience is fully integrated with the auditing solution from Microsoft Purview. Audit events generated from the unified labeling client are included within the Office 365 activity log and the Microsoft 365 unified audit log for your organization. These events can be exported to a reporting solution or SIEM. 
Additionally, the information in the Microsoft 365 unified audit logs is available in the Activity explorer, showing reports with up to 30 days of data. \n   \n In this blog post, we address: \n \n The various AIP events in the Office 365 activity log \n The labeling events in the unified audit log, and how to work with the Activity explorer to get a granular view of AIP events in the unified audit log \n How to continuously export data from the unified audit log to Azure Log Analytics \n How to set up a customizable dashboard to make sense of the AIP events, built as a workbook on top of Azure Log Analytics \n \n Customers transitioning from the AIP Analytics solution [which will be fully retired by September 30, 2022] to Microsoft Purview will find this blog post helpful. \n   \n 1. Audit events from the AIP Unified Labeling client \n The AIP Unified Labeling client includes the Add-in for Office, the Scanner, the Viewer for Windows, the client PowerShell, and the Classify-and-Protect shell extension for Windows. All these components generate audit events that show up in the Office 365 activity logs and can be queried using the Office 365 Management Activity API. \n   \n The five events (also called “AuditLogRecordType”) specific to AIP listed below, and more details about each can be found within the API reference. \n   \n \n \n \n \n Value \n \n \n Member name \n \n \n Description \n \n \n \n \n 93 \n \n \n AipDiscover \n \n \n Azure Information Protection (AIP) scanner events. \n \n \n \n \n 94 \n \n \n AipSensitivityLabelAction \n \n \n AIP sensitivity label events. \n \n \n \n \n 95 \n \n \n AipProtectionAction \n \n \n AIP protection events. \n \n \n \n \n 96 \n \n \n AipFileDeleted \n \n \n AIP file deletion events. \n \n \n \n \n 97 \n \n \n AipHeartBeat \n \n \n AIP heartbeat events. 
\n \n \n \n \n   \n The raw events are useful during a deep investigation but are too complex for an administrator trying to explore AIP activity or search for specific events; the unified audit log and the Activity explorer are better suited for this purpose. The AIP Unified Labeling client activities in the Office 365 activity log are parsed and standardized into the unified audit log. The AipSensitivityLabelAction in the Office 365 activity log is further split and mapped to standardized labeling events in the unified audit log and Activity explorer: \n \n Sensitivity label applied \n Sensitivity label changed \n Sensitivity label removed \n Sensitivity label file read \n \n This standardization also provides consistency to queries and reporting as your organization makes the transition from the AIP Add-in to Office built-in labels. \n   \n 2. View, query and detect audit events in Activity explorer \n \n   \n The Activity explorer in the compliance portal provides a graphical interface to view events in the unified audit log. As the administrator of your tenant, you can use the Activity explorer queries to determine whether the policies and controls implemented in your organization are effective. The Activity explorer allows you to detect actions being taken for up to 30 days and clearly see when and how sensitive data is being handled within your organization. \n   \n There are more than 30 filters in the Activity explorer to help refine the data you see. 
To see AIP-specific activity, set the following filters: \n \n Activity type: \n \n Label applied \n Label changed \n Label removed \n Label file read \n \n \n Application: \n \n Microsoft Azure Information Protection Word Add-In \n Microsoft Azure Information Protection Excel Add-in \n Microsoft Azure Information Protection PowerPoint Add-In \n Microsoft Azure Information Protection Outlook Add-in \n \n \n \n You might not see all the options in the filter, or you might see more; the filter values depend on what activities are captured for your tenant. For more information about the Activity explorer, read the get started guide. \n   \n 3. Continuously export data from the unified audit log to Azure Log Analytics \n The Activity explorer provides an out-of-the-box solution within the Microsoft Purview portal to help customers understand the sensitivity of their data estate. However, customers looking for more query flexibility, longer retention, and the ability to create custom dashboards will need to export the data out of Microsoft Purview. The recommended storage solution is Azure Log Analytics. \n   \n Azure Log Analytics is an interactive workspace that enables ingestion and storage of massive amounts of data, indexes the data, and allows complex querying through an interface or API using the Kusto Query Language. \n   \n The Microsoft Purview Information Protection connector was introduced into Sentinel on January 9, 2023. The Microsoft Purview Information Protection connector streams data to a log analytics table (MicrosoftPurviewInformationProtection) and contains events related to Azure Information Protection. These events are similar to what used to show up within the Azure Information Protection log analytics table (InformationProtectionLogs_CL) and can be stored in the same log analytics workspace. The Microsoft Purview Information Protection connector must be enabled within Microsoft Sentinel to see events populate in log analytics going forward. 
Guidance on how to adjust transition queries to the new connector within log analytics can be found here: Migrate analytics from Azure Information Protection to Microsoft Purview Information Protection.  \n   \n \n \n \n \n NOTE 1: Rights Management Service (RMS) events that were previously available in AIP Analytics will not be accessible from the unified audit log. These events will be added back later and enriched with more relevant information to make these events complete and useful.  \n \n \n \n \n   \n 4. Set up a customizable dashboard with a workbook in Azure Log Analytics \n \n   \n Once the data is available within Azure Log Analytics, you can create your own custom dashboard using Azure workbooks. Use the template and guide we have provided on GitHub as a start point; the template provides the same charts and datapoints that are in the AIP Analytics experience.  \n   \n You’re all set! Explore the tools and the out-of-the-box solutions and give us your feedback. \n   \n \n \n \n \n NOTE 2: The workbook queries can be edited and additional queries can be added to meet the needs of the organization. Sample PowerShell queries are shared on Github to help your organization get started. \n Microsoft Purview Information Protection connector is the only supported pathway to continuously export audit data into Azure Log Analytics. \n \n \n \n \n   \n References: \n \n Microsoft Purview auditing solutions \n Search the audit log in the Microsoft Purview compliance portal \n Use a PowerShell script to search the Microsoft Purview unified audit log \n Labeling actions reported in Activity explorer \n What are the Office 365 Management APIs? 
\n Office 365 Management Activity API reference \n \n Additional resources \n \n MIP & Compliance One Stop Shop Resource Page: https://aka.ms/mipc/OSS \n Read all the latest MIP updates and blogs at: https://aka.ms/MIPblog \n Join MIP & Compliance preview programs at: https://aka.ms/MIPC/Previews \n \n   \n   \n   \n   \n   \n   \n   \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8113","kudosSumWeight":4,"repliesCount":3,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zNjEwNzI3LTM5OTMzN2k5QTVDQUI5RjA4MDMzMzEx?revision=6\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0zNjEwNzI3LTQ1ODA1NGk1M0ExNUE3N0MzQ0EwNUM4?revision=6\"}"}}],"totalCount":2,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4035789":{"__typename":"Conversation","id":"conversation:4035789","topic":{"__typename":"BlogTopicMessage","uid":4035789},"lastPostingActivityTime":"2024-01-24T13:24:32.981-08:00","solved":false},"User:user:2132411":{"__typename":"User","uid":2132411,"login":"adahmedmsft","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft
.com/t5/s/gxcuf89792/images/dS0yMTMyNDExLTUyNTI1NGk0QTQ2NUE1NTBGQzhENjZE"},"id":"user:2132411"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM1Nzg5LTU0NTM0OWk3NUJGQTI4RjM4MEM0QUYx?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM1Nzg5LTU0NTM0OWk3NUJGQTI4RjM4MEM0QUYx?revision=12","title":"MSFT_SCI_Threat_Protection_02.jpg","associationType":"TEASER","width":539,"height":301,"altText":null},"BlogTopicMessage:message:4035789":{"__typename":"BlogTopicMessage","subject":"Navigating the New Frontier: Information Security in the Era of M365 Copilot","conversation":{"__ref":"Conversation:conversation:4035789"},"id":"message:4035789","revisionNum":12,"uid":4035789,"depth":0,"board":{"__ref":"Blog:board:microsoft-security-blog"},"author":{"__ref":"User:user:2132411"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Explore the intersection of AI and security in our latest feature, where Microsoft Purview meets M365 Copilot. Dive into the critical role of sensitivity labels, advanced data classification, and encryption in shaping a secure digital workspace. Gain expert insights from industry professionals and discover practical strategies for balancing innovative AI tools with rigorous security protocols. \n ","introduction":"","metrics":{"__typename":"MessageMetrics","views":7021},"postTime":"2024-01-24T09:00:00.026-08:00","lastPublishTime":"2024-01-24T13:24:32.981-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Microsoft Purview with M365 Copilot integration marks a critical juncture in the journey of AI-enhanced productivity tools. As businesses increasingly rely on these technologies, understanding and implementing robust security measures becomes paramount. 
\n   \n Microsoft Purview enhances Copilot's capabilities and offers a multi-faceted approach to security that cannot be overstated.  \n   \n Some of these core capabilities include: \n \n Sensitivity labels: that ensure data categorization aligns with organizational security policies. This plays a crucial role in preventing unintended disclosures. \n Advanced data classification: that aids in the identification and protection of sensitive information. \n Encryption in transit and at rest: this ensures that data, whether stored or in transit, remains secure from unauthorized access. \n Comprehensive auditing: auditing capabilities in Microsoft Purview play a critical role in enhancing security. They provide detailed logs and reports on data access and activities, allowing organizations to track, review, and analyze how their data is being handled. This not only aids in identifying potential security breaches but also ensures compliance with regulatory standards by maintaining a transparent record of data usage. \n \n To learn more about Microsoft Purview and the extensive list of capabilities please go here. \n   \n Insights from the field \n With customer interactions on a near daily basis between myself and my Microsoft security colleagues @Melissaabd and @SanchuSankar, we have identified some insights that are relevant and important to mention here. \n   \n A fundamental recommendation is using Sensitivity labels in Purview. Sensitivity labels are pivotal for maintaining data security and compliance, especially when using AI tools like M365 Copilot. Sensitivity labels enable organizations to classify and protect data based on its sensitivity. By applying them, businesses can control who has access to different types of information, which can reduce the risk of accidental or unauthorized data exposure. 
This system of categorization aligns seamlessly with organizational security policies and ensures that data is handled appropriately and in compliance with regulatory requirements. Sensitivity labels thus form a fundamental part of a data security strategy, safeguarding sensitive information while facilitating its efficient use. \n   \n Another key insight concerns a question we are often asked: how to balance the innovative features of Copilot with the need for stringent security protocols. Microsoft Purview provides that balance, offering peace of mind through:  \n \n Continuous monitoring, which provides the ability to track how, when, and by whom data is accessed, and offers invaluable insights into potential security threats.  \n Ease of compliance management, which Microsoft Purview provides by simplifying compliance and adapting to each of the various standards and requirements you need to meet. \n \n   \n To effectively leverage Purview and Microsoft 365 Copilot, businesses should: \n \n Conduct Regular Security Audits: Regular audits of how Copilot and Purview are used can identify potential security gaps. \n Employee Training: Ensure staff are well-versed in Microsoft 365 Copilot and Purview capabilities. This is crucial for both maximizing productivity and maintaining security. \n Adapt and Evolve: As AI and security landscapes evolve, so should the strategies to manage them. \n \n   \n Used together, Microsoft Purview and M365 Copilot represent a significant advancement: AI-driven productivity tools paired with robust security measures. As businesses navigate this landscape, staying informed, vigilant, and proactive is key to reaping the benefits of AI while safeguarding invaluable data resources. \n   \n For more detailed information and insights, see Microsoft's website here. 
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"3988","kudosSumWeight":12,"repliesCount":1,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMXwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDM1Nzg5LTU0NTM0OWk3NUJGQTI4RjM4MEM0QUYx?revision=12\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"CachedAsset:text:en_US-components/community/Navbar-1744658874334":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1744658874334","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Small and Medium Businesses","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","s-q-l-server":"SQL Server","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Planner","external-4":"Microsoft 365","external-3":"Dynamics 