microsoft 365 defender
91 Topics

Extract user access to Cloud Apps categories.
I’m having some issues with getting report data out of Defender for Cloud App. Short version is I want to get a report (or at the very least an export) of all users accessing sites in the Generative AI category. I can do this manually by following these steps:
1. Open Cloud Discovery
2. Click Discovered apps
3. Enter Generative AI in the browser by category
I now get a list of discovered sites, but to get a list of users who have accessed them I have to:
1. Click each app one at a time
2. In each click Cloud app usage
3. Click Users
4. And finally export all users
Imagine how long this would take for a category that has a high amount of usage and how inefficient this would be to provide monthly reporting. I tried to find a way to see in one step user activity for one Cloud App category, but I cannot. Any idea?
5 Views 0 likes 0 Comments

Cloud app conditional access exceptions
I have a lot of issues with attackers coming from VPN and anonymous IPs. I'm trialing a Conditional Access policy to apply Conditional Access App Control. I've created a Cloud App Access Policy that blocks using IP address, Category, equals and listing a few categories like VPN and Risky. Then another Access policy to block IP address, Tag, equals Tor, Anonymous, Random, Botnet etc. Testing shows this works. But I've been asked what if we wanted to allow a specific service like NordVPN. How can I achieve this?
43 Views 0 likes 2 Comments

SPF, DKIM and DMARC bypassed for guest users
I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetings and to access our SharePoint without using up a license. The problem: any email sent from an internal licensed user (or shared mailbox) to one of these guest users completely bypasses our domain's SPF, DKIM and DMARC configuration, resulting in bounced emails (particularly for recipients using Gmail). Mail sent from an internal licensed user to any external address NOT registered as a guest user correctly passes SPF, DKIM and DMARC checks. I gather that this is because guest users are viewed as "internal" despite having external email addresses, but it seems like a serious limitation if I cannot reliably send email to anyone who is a guest user. Is there any extra configuration I can do to enable SPF, DKIM and DMARC for email to guest users?
91 Views 0 likes 5 Comments

Microsoft Defender for Office 365, Shared Mailboxes, and Microsoft 365 Groups
Microsoft Defender for Office 365 (MDO) requires shared mailboxes to be licensed but doesn’t extend the same requirement to Microsoft 365 Groups. Given that Microsoft 365 Groups have group mailboxes and can function very much like shared mailboxes, the difference in licensing is remarkable. Why does this happen? It could be due to internal Microsoft politics, omissions, or just a preference for Groups. Who knows? https://office365itpros.com/2025/08/18/microsoft-defender-for-office-365-2/
69 Views 1 like 0 Comments

Defender vulnerability report
I've been working with Defender threat hunting to get stats on vulnerabilities in my environment. One thing I wanted to do was to track total vulnerabilities over time for specific software rather than just a total. Problem is there doesn't seem to be a field in the DeviceTvmSoftwareVulnerabilities that records date\time when this vulnerability was detected\last seen etc. Without a date when it was seen for it to get a total each day. Any ideas how I can get this? And no I don't have any other vulnerability scanning tools.
46 Views 0 likes 1 Comment

Why is WDAC blocking everything.
I have a very new Intune\Entra environment I am using for testing. I've spun up a VM of an early version of Windows 10 so I can test deploying updates from Intune. I also want to test other things but I've hit an issue. For some reason this freshly Entra joined and Intune onboarded machine is blocking every app from running. Get the error "Your organization used Windows Defender Application Control to block this app". But I haven't set up any application blocking. I haven't even applied any AV, ASR etc policies. Could it just be a default thing due to using an older version of Win10? Or something else?
101 Views 0 likes 2 Comments

M365 Architect // Job posting
Who are we? Technology is our passion, but not the only one! We support social and environmental initiatives and those that promote an active lifestyle. We have won prestigious awards and hold the Great Place to Work certificate, and we work daily with global IT leaders - VMware, Fortinet, IBM, HPE, Dell, Hitachi, Microsoft, AWS. Our team is made up of talented engineers and experienced IT architects. Join us and become part of the #ITSFteam!
Who are we looking for? An M365 Architect who will join our team and be responsible for designing, implementing and managing solutions based on Microsoft 365. The ideal candidate has experience in the architecture of Microsoft cloud solutions and the ability to comprehensively design and optimize processes across M365 applications and services such as Teams, SharePoint, Exchange Online, OneDrive, Power Platform and Microsoft 365 Copilot. It is worth noting up front that this is a hybrid 4/1 role in Warsaw.
What do we offer? Direct, long-term cooperation with us (5+ years); Opportunity to grow while working for the largest Enterprise clients across the country; Medicover medical package; Multisport card; PPK program; English lessons; An extra day of leave for your birthday; Around 8 company integration events a year :)
If the offer sounds interesting and you would like to learn more about the requirements or the scope of responsibilities, feel free to apply via the link below: https://itsf.traffit.com/public/an/0ed08bcedcd522af2936290b48d33a9e48697565
16 Views 0 likes 0 Comments

Purview and auditing file modifications
I have full M365 E5 license and use Purview auditing a lot for investigations. I noticed it reports file modified, which is great, but some of my files would get modified constantly. I'm curious if it can log and provide a report on what exactly was modified. For example:
- If text was added or deleted, can it tell me what was added or deleted, i.e. the actual text and the action (Add\Delete)?
- If an image was pasted into a Word document, can it tell me that? If possible, down to a copy of the image that was inserted?
If it can't do this level of detail anyone have suggestions of a product that can?
55 Views 0 likes 1 Comment

Defender For Endpoint let down
I've been liking the Defender for Endpoint and Cloud capabilities but recently tried to do something very basic and found it falls short. In the old days of inline or explicit proxies you would see every request for every link and every object requested on a website. Background loaded ones as well as a user intentionally clicking a link, they are all recorded, even including the referral page and the bytes transferred etc. If you wanted to know how much data a user has downloaded from a certain domain it was easy to get because the URL and the transferred bytes, time of the day etc, it's all there. Today I noticed in Cloud Apps, Cloud discovery a user was downloading a huge amount of data. Cloud apps says they downloaded 1TB from Google in a week. Well wonder what that is? Click into the user in Cloud Discovery and it's all just highly summarized. Doesn't show the specific URLs, times, bytes transferred etc. Just the total over time and the "base" cloud service. I go into threat hunting and search around, experiment a bit and eventually filter for network event to "*google*". Ok now we are getting somewhere, I can see lots of googlevideo.com requests. Hmm probably YouTube, so why call it google when it's actually YouTube? Are you just using the base domain as the way to identify what cloud service it is? That's pretty janky. I'll assume it's YouTube so how much data did they download in these requests. Was it just an image or a streamed video? Well in threat hunting there is no bytes transferred for each request. How can I tell if a request is a 10kb image or a 100GB video stream?????? Falling short in features here.
44 Views 0 likes 1 Comment

Audit booking changes
Have users reporting long-standing discrepancies on room bookings - stuff being cancelled months ago, but not showing anywhere. I remember in the past, being able to audit this. Unfortunately, we now have Purview - a tool we didn't ask for, don't want, but allegedly are forced to use. These are Resources in 365, they have Exchange Mailboxes. Exchange has a tool to search for changes, but demands the subject line. The booking has been removed by the users - and I have no idea if this wants the original 'Booking' or the 'Re: Booking' or the 'FW: booking' or which of the 120 emails were generated. So I'm looking for alternative ways. I believe in the past, I did this via Defender. There WERE activities for Mailbox changes within this audit tool. They appear to be gone - or searching for Mailbox just removes all activities labeled 'Mailbox', I'm not sure. Copilot gives me an evolving series of deprecated/possibly non-existent cmdlets for PowerShell, so that's fun. Please do not refer me to another terrible marketing 'article'. I have read so many, learned absolutely nothing useful, and I'm over it. Thank you
127 Views 0 likes 3 Comments