Want to earn an Exclusive Security Tech Community Badge? Take our quick survey!
Hey there Security Tech Community! As we prepare for Microsoft Ignite, we’re building a focused, practitioner-led security roundtable and we want your input to ensure it reflects the most relevant and pressing topics in the field. We invite you to take a short survey and share the security topics, trends, and technical questions you want to see covered. Your input will directly influence the structure and substance of the Ignite Security Roundtable. The first 5 people to post a screenshot for proof of survey completion in the comments below will receive this "Microsoft Security Star" Badge to add to their Tech Community profile! TAKE THE SURVEY NOW: https://aka.ms/IgniteSecurityRoundtableSurvey2025
Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra, my objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You! //Advanced Hunting query to parse modified: //StrongAuthenticationUserDetails (SAUD) //StrongAuthenticationMethod (SAM) let SearchWindow = 1h; let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]); let AuthenticationMethodChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationMethod" | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId; let OldValues = AuthenticationMethodChanges | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue)) | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType); let NewValues = AuthenticationMethodChanges | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue)) | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType); let RemovedMethods = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.") | extend ChangedValue = "Method Removed"; let AddedMethods = AuthenticationMethodChanges | join kind=inner NewValues on ReportId | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.") | extend ChangedValue = "Method Added"; let DefaultMethodChanges = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=inner NewValues on ReportId | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true" | join kind=inner OldValues on ReportId | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType | extend Old_MethodType = Old_MethodType1 | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").") | extend ChangedValue = "Default Method"; let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges | project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty( New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)])); let AuthenticationDetailsChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | extend ReportId= tostring(RawEventData.ReportId) | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationUserDetails" | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]","")) | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]","")) | mv-expand NewValue | mv-expand OldValue | where (tostring( bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null") | extend ChangedValue = tostring(bag_keys(NewValue)[0]) | extend OldValue = tostring(parse_json(OldValue)[ChangedValue]) | extend NewValue = tostring(parse_json(NewValue)[ChangedValue]) | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue ) | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue ) | where tostring(OldValue) != tostring(NewValue) | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication.")); union AuthenticationMethodReport, AuthenticationDetailsChanges | extend AccountUpn = Target | where Timestamp > ago(SearchWindow) //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | summarize arg_max(Timestamp, *) by Action | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | sort by Timestamp desc
Getting Contextual Summary from SIT(Sensitive info types) via PowerShell cmd
Hi, I am using a PowerShell command(Export-ContentExplorerData) to extract data from an SIT. In the response, I am getting most of the data but I am interested in getting the matching primary element from Contextual summary(Content explorer) https://learn.microsoft.com/en-us/powershell/module/exchange/export-contentexplorerdata
Authenticator not displaying numbers on MacOS
I'm have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone see's the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is: Answer 'its not me' on the phone On the Mac, select 'I can't use Authenticator right now' Tell the Mac to send a new request This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
Meet Your New Cybersecurity Sidekick - Microsoft Security Copilot Agents
Imagine if your security team had a super-smart assistant that never sleeps, learns from every task, and helps stop cyber threats before they become disasters. That’s exactly what Microsoft’s new Security Copilot Agents are designed to do. Why Do We Need Them? Cyberattacks are getting sneakier and faster many now use AI to trick people or break into systems. In fact, 67% of phishing attacks in 2024 used AI. Meanwhile, security teams are drowning in alerts 66 per day on average and 73% of experts admit they’ve missed important ones. That’s where Security Copilot comes in. It’s like having an AI-powered teammate that helps you investigate threats, fix issues, and stay ahead of attackers. What Are Security Copilot Agents? Think of these agents as mini digital coworkers. They’re not just chatbots they’re smart, adaptable tools that: Learn from your feedback Work with your existing Microsoft security tools Help you make faster, better decisions Keep you in control while they handle the heavy lifting They’re built to be flexible and smart unlike traditional automation that breaks when things change. Real-World Examples of What They Do Here are a few of the agents already available: Phishing Triage Agent: Automatically checks if a suspicious email is a real threat or just spam. It explains its reasoning in plain language and learns from your feedback. Alert Triage Agents (in Microsoft Purview): Helps prioritize which security alerts matter most, so your team can focus on the big stuff first. Conditional Access Optimization Agent (in Microsoft Entra): Keeps an eye on who has access to what and flags any gaps in your security policies. Vulnerability Remediation Agent (in Microsoft Intune): Spots the most urgent software vulnerabilities and tells you what to fix first. Threat Intelligence Briefing Agent: Gives you a quick, customized report on the latest threats that could affect your organization. Even More Help from Partners Microsoft is also teaming up with other companies to build even more agents. For example: OneTrust helps with privacy breach responses. Tanium helps analysts make faster decisions on alerts. Fletch helps reduce alert fatigue by showing what’s most important. Aviatrix helps diagnose network issues like VPN or gateway failures. BlueVoyant: helps to assess your SOC and recommends improvements. Why It Matters These agents don’t just save time they help your team stay ahead of threats, reduce stress, and focus on what really matters. They’re like having a team of AI-powered interns who never get tired and are always learning. Learn More 📢 Microsoft Security Blog: Security Copilot Agents Launch 🎥 https://aka.ms/SecurityCopilotAgentsVideoDevice Stuck on Restart Screen After Update - Error Code: ATTEMPTED WRITE TO READONLY MEMORY
Hi everyone, I’m experiencing an issue with my Windows device that started after a recent update. For the past three days, my device has been stuck on a restart screen with the following error message: Your device ran into a problem and needs to restart. We'll restart for you. For more information about this issue and possible fixes, visit https://www.windows.com/stopcode If you call a support person, give them this info: Stop Code: ATTEMPTED WRITE TO READONLY MEMORY I’ve tried restarting the device multiple times, but it keeps returning to this screen. I’m unable to access my system or troubleshoot further. Has anyone else encountered this issue after an update? Any suggestions on how to resolve this would be greatly appreciated. Thank you in advance for your help!
How to: Enabling MFA for Active Directory Domain Admins with Passwordless Authentication
Administer on premise Active Directory Using Azure Passwordless Authentication removing Domain Admins passwords Hello Guys, I am here just to demonstrate that today is technically possible (Proof of Concept): Configure a modern MFA solution to access on prem Windows 10 PC Use that solution to protect privileged accounts passwords Eradicate from the domain the password presence for those privileged accounts (make impossible to use a password to log on to domain to prevent some king of password attacks) Have the ability to use multiple PAWs (privileged access workstation) with same MFA credential Have only one identity with one strong credential Same credential can be used on prem and in cloud (if needed) Connect to Domain Controller thorough RDP form the PAW using SSO (Single Sign On) Obtain above with a sort of simplicity and costs control I am not here to discuss if this document in any parts adhere to all principles and best practices of a secure administration environment, I just want to show a feature as a proof of concept. It’s up to you to integer this work into your security posture and evaluate impacts. No direct or indirect guarantee is given, and this cannot be considered official documentation. The content is provided “As Is”. Have look more deeply above points: Many customers asked me, after they have used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain/on prem resources. The solution is today present : the use a security key (FIDO2) : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises. Please have a look also at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-deployment. I wanted to demonstrate that this solution can protect also Domain Admins group to protect high privileged accounts (important notice about is present in this document : (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-faqs – “FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?”). After having substituted the password with one MFA credential (private key + primary factor) (here more information : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless) we can configure a way to make the password not necessary for domain administration, very long and complex, and disabled: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy With other MFA tool (e.g. Windows Hello for Business), if we want to use different PAWs (secured workstations from which the Administrator connects with privileged accounts https://docs.microsoft.com/en-us/security/compass/privileged-access-devices) we need to configure and enroll the solution machine per machine (create different private keys one for any windows desktop). With the described solution below the enrollment happens only once (the private key is only one per identity and is portable and only present inside the USB FIDO key) and is potentially usable on all secure desktop/PAWs in the domain. The dream is: to have one identity and one strong credential: this credential (private key installed in the FIDO physical key) is protected by a second factor (what you know (PIN) or what you are (biometric), it is portable and usable to consume services and applications on premises and in cloud To connect using RDP to another/third system after this kind of strong authentication is performed on the physical PC a password is needed (but we really want to eradicate the use of a password)….So.. We can use a Windows 10 / Windows 2016 and afterwards feature (Remote Credential Guard https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard) to remove this limitation. If you have a certain hybrid infrastructure already in place (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-hybrid-identity, https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains, etc.), the activation of this solution is simple and there are no important added costs (a FIDO key costs around 20 / 30 euros) The solution is based on 3 important features: AzureAD/Fido Keys, Remote Credential Guard and primarily Active Directory SCRIL Feature [ https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#transition-into-a-passwordless-deployment-step-3 : "...SCRIL setting for a user on Active Directory Users and Computers. When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: the do not know their password. their password is 128 random bits of data and is likely to include non-typable characters. the user is not asked to change their password domain controllers do not allow passwords for interactive authentication ...] Chapter 1 – Enable Passwordless authentication and create your key Enable the use of FIDO Keys for Passwordless authentication. In Azure AD \ Security \ Authentication methods, enable the use of a security key for a specific group and set the keys settings in accordance with the HW provider of the key (in my case Force Attestation and Key Restriction set to off). Confirm Hybrid Device Join. Confirm your Windows 10 2004+ PC are Hybrid Device Joined. Confirm users and all involved groups are hybrid Confirm all involved users or groups are correctly replicated by AD Connect, have Azure Active Directory properly configured and login in cloud works correctly Implement Kerberos Server to foster on prem SSO (Single Sign On) for on prem resources follow this guidance https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises Enroll the key. Please don’t use Incognito Web Mode (sign out already connected users and use “switch to a different account”). If during enrollment errors come up, check if any user is already signed into the browser (in the new Edge use “Browse as Guest” that is different from “Incognito Mode”). Login to Office.com with the user you want to provide the USB KEY and reach My Account page In My Account page open Security Info and initialize the USB Key. https://mysignins.microsoft.com/security-info If not completed before, enable MFA authentication by using a phone (SMS) or Authenticator App (in this case the user was not already provided of MFA , so the systems automatically make you enroll the authenticator app in your phone) Now, because you have an MFA tool, you can create/enroll a security key: add method / USB Key. The browser challenges you to insert a key.. to inject your identity into it Create a new PIN ! Confirm touching the key Name the key Done - security Key is enrolled with your identity Perform an Office365 Passwordless Authentication Verify you are able to sign on to O365 using the Key w/o the use of a password. Please use Microsoft Edge, if already logged click right corner and “browse as a guest” Please remember to click in “Sign in Options” to trigger key authentication : Well done: you are logged in the cloud Passwordless! Chapter 2 – Enable on prem multifactor login Deploy a GPO – Group Policy Object- to enable FIDO2 on prem login with Windows 10 2004+. In your on prem environment we can enable the use of USB key credential provider (Windows has multiple credential providers: password, usb key, smartcard, et.). Enable and link this setting to your Windows 10 2004+ machines. Restart involved machines. Now you will see a new icon to login to the PC. Clicking on sign in option you can use this new credential provides – FIDO security key - . Insert the Usb key, type the PIN… On some FIDO Keys you can avoid PIN with biometric (fingerprint). You can use the same identity/credential in all the PC with the FIDO credential provider enabled. Remember that currently for on prem sign on only one user per key is available (you can’t have multiple identity on the same usb key). Please note that this kind of authentication is recognized by Azure/O365 cloud as one already claimed MFA so when you open your preferred application the connection is in SSO (you don’t have to re-authenticate or perform another strong auth). Please note that with the same key you can login to the cloud applications using MFA from external computers w/o any modifications (like kiosks, byod computers, etc). Please note that you have access to all on prem services because the Kerberos server we installed above is useful to foster the obtention of Kerberos tickets for on prem AD service consumption Chapter 3 – Use FIDO KEYS to protect privileged users (Domain Admins) and De-materialize their password. Now we are going to enable a FIDO key for the Domain Admin or configure FIDO KEYS to work with privileged users. The default security policy doesn't grant Azure AD permission to sign high privilege accounts on to on-premises resources. To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (e.g. CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>). Remove all privileged groups you want to use with FIDO KEYS. Consider one user might be member of different groups, so remove all wanted user is member of. I removed all groups with the exception of Domain Controllers .. Make the test user member of Domain Admins group Wait AD Connect Sync Time (normally at least of 30 min) Now enroll the FIDO Usb Key for the privileged account following Chapter 1 of this guide Now test the Login with the Domain Admin using the FIDO KEY and check the possibility to be authenticated to onprem services (e.g. Fileshares, MMC - ADUC Consoles, etc.). Try the high privilege like creating a new user…. Now that we have one alternative way to Sign In on prem and in cloud (instead of password) we can work on password eradication. Obviously, every application we want to use must not use passwords (work in SSO with AD or Azure AD). This is not a problem for a privileged accounts because these should not have any application access nut only accesses to administrative consoles We will enable SCRIL policy (Smart Card is required for interactive logons) for the privileged user: Smart Card is required for interactive logon = the user password is reset and made random and complex, unknown by humanity, the use of password for interactive login is disabled Test you can’t access with password anymore To complete and strengthen the password eradication we want to prevent the use of the password also for network authentications using the NTLM protocol, so we are going to make the user member of “protected users” group https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group. This because if a bad guy reset that user’s password, he/she might use the NTLM protocol to log on using password, bypassing interactive log on. Protected Users disables the entire usability of NTLM protocol that is not needed to common AD administration. If you don’t want to disable NTLM protocol and If you have Domain Functional Level 2016 you can also enable NTLM rolling to make NTLM password hash to cycle every login and improve the password eradication https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection (Rolling public key only user's NTLM secrets) Probably you want to use that user to log in to privileged systems with Remote Desktop. By default, Remote Desktop Protocol requests the use of passwords … Here we don’t have a password to write because the password is unknown by humanity….. so … how to? The simplest way to solve the above problem is to use Remote Credential Guard feature if you have the needed requirements (..Windows 10, version 1607 or Windows Server 2016.. or above) https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection To enable it on the server we want to connect to, just add this registry key using the example command reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD From the client where we used the FIDO login, just run RDP with the parameter /RemoteGuard Now also the RDP remote authentication performs well without passwords!!! Now we signed in a Domain Controller using a MFA key and is no more possible to use a password for domain administration. Update1: using temporary access password might be possible to never assign even a beginning password to a Domain Admin neither need a phone authentication. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass As detailed above, create a Domain Admin on prem, immediately enable SCRIL and Protected Users, wait AD connect sync time, create a temporary password for that admin user (the temporary password can only be used to enable an MFA credential w/o using a Phone and w/o the risk of someone else accessing applications during the configuration phase). We recommend to maintain Azure Global Admins and Active Directory Domain Admins identities separately, so don't make synced Domain Admins member of Azure Global Admins role.Low reputation
I am an independent developer, and I've been unable to publish https://github.com/teamatica on the Microsoft Store for about https://teamatica.org/history-en.txt — it keeps getting rejected due to "10.2.10 Security": I realize this is because I'm not well-known, but how can I build a reputation when it’s impossible? Microsoft blocks the download: Microsoft even prevents it from being opened: Sure, I could provide a step-by-step guide on https://teamatica.org/check-digital-signature-dark-en.gif my app, but, as experience has shown, users don’t trust unfamiliar apps (and rightly so!), because Microsoft has conditioned them for years to avoid running unknown software: "Make sure you trust before you open it" and "Running this app might put your PC at risk". Don't get me wrong: as a regular user, I fully support these security measures because they truly work and help. But as an independent developer, I don’t know what to do :( My app doesn't engage in cryptojacking, doesn't initiate unauthorized network activity, and https://app.any.run/tasks/0faaf878-0f1f-49fc-a6a4-2c197bd9ac48 to users — it doesn't transmit any data to me and/or third parties, doesn't use telemetry and/or monitoring tools, doesn't track actions and/or location, doesn't have built-in diagnostics and/or analytics, doesn't request privilege escalation, doesn't collect statistics and doesn't learn from personal data. My app passes all the necessary https://www.microsoft.com/en-us/wdsi/filesubmission: And I can’t afford an https://ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/ since I’m an individual, not an organization: But my app gets blocked anyway. So... does anyone have any ideas on what I can do in my situation?
