User Profile
brlgen
Brass Contributor
Joined 5 years ago
Recent Discussions
IdentityLogonEvents stays empty after deploying MDI
I have recently deployed MDI in two different environments/tenants, one almost a month ago and the other last week; however, this table is completely empty: IdentityLogonEvents. Additionally, filtering the "Identities" page for the AD "app" shows no result. The sensor is up to date and has a healthy status. The identity posture page on the "legacy" Defender for Cloud Apps does show data concerning LDAP cleartext, RC4 usage... In fact all tables under Apps & Identities are empty except for IdentityInfo. This seems to be a very similar issue from a while ago: https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/missing-events-in-identitylogonevents-table-since-26-november-6/m-p/3687903

Re: Remote Credential Guard triggers a Pass-the-Hash alert in MDI
Hello josequintino, thanks for your answer, but this is not what I was looking for. I know how RCG works and why it would trigger an alert. But we are talking about a Microsoft security feature (RCG) to PREVENT PtH and a Microsoft security solution used to DETECT PtH. If these two don't work together then that's something Microsoft should fix. Excluding this from the alert means EVERY server where RCG is enabled must be excluded; if all servers enforce RCG, well, then you just made the alert useless. The real solution should come from the MDI team: figure out a way so that legitimate auth using RCG does not trigger an MDI PtH alert.

2.8K Views, 4 likes, 2 Comments

Remote Credential Guard triggers a Pass-the-Hash alert in MDI
Remote Credential Guard has been available since WS2016 and can be enabled as specified here: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard
It will trigger a pass-the-hash attack alert when used. This might be due to how Credential Guard works; is this a known issue?

3K Views, 2 likes, 5 Comments

Dear Microsoft, STOP removing features when pushing out "new experiences"
The new My Groups portal experience seems to be GA, as the top banner offering to go back to the "older" experience is gone. This caused a lot of issues for customers using this in their business processes, mainly when group owners would invite external guest users that didn't exist yet on the tenant. They would be offered the option to invite such users from the My Groups portal. Very simple, very useful. The owners did require the Guest Inviter role for security reasons, but that was OK. Fast forward to the current experience: when the user does not exist, well, too bad, time to call IT and tell them something is broken. However, in reality, for some mysterious reason only known to a hidden product team somewhere at Microsoft, the ability for group owners to invite a user who is not present in the tenant yet is GONE. STOP doing these annoying things, STOP removing functionality present for many years in a product without any warning or alternative, STOP frustrating your customers and users! Thank you Microsoft for improving the user experience.

Re: Access Packages requests are taking a ridiculous amount of time to complete all of a sudden
Looks like even my last post was too optimistic about it. This issue seems to be random in both grants and removals of access packages. I did removals of two access packages: one went through instantly, the other is stuck in limbo on Submitted. Here is an example of one removal stuck in Submitted and not budging: https://imgur.com/CU0fJv8
That's 20 min of nothing happening so far. Can someone at Microsoft please take this seriously without sending us on a merry-go-round through support all over the world? Our customers pay a lot of money for this and it's frankly embarrassing when you demo this and see it being stuck for the duration of the demo, sometimes without being able to give a good explanation why.

1.9K Views, 0 likes, 1 Comment

Access Packages requests are taking a ridiculous amount of time to complete all of a sudden
I noticed these past weeks intermittent delays with access package requests. These used to be granted almost instantly before this; however, lately it takes a couple of minutes at best, and at worst I had it happen that some even took more than 24 hours for the Access Packages to be granted! They are either stuck in "Submitted" or "Delivering" for a long time before they are delivered. This is starting to get really annoying honestly, as we rely heavily on them and Microsoft Support will sadly offer little help on such intermittent problems. This is in West Europe tenants. Is anyone else seeing this problem?

2K Views, 1 like, 3 Comments

Can you install a hybrid worker on an Azure VM in a different subscription?
Say you have subscription A with an automation account and other resources, and subscription B that has VMs only. Is it possible to install a hybrid runbook worker on an Azure VM in subscription B so we can run these runbooks on it using the machine context and the managed identity of the automation account of subscription A? Since you also need a Log Analytics workspace to use a Hybrid Runbook Worker, where does this Log Analytics workspace need to be created?

766 Views, 0 likes, 1 Comment

Azure AD Entitlement Management Extensions feature broken after new user experience
I noticed the user experience changed for creating an extension for an Entitlement Management catalog. It has more options now. However, trying to create a new extension/logic app fails. Looking in the Azure Monitor activity logs there is no clear error message besides the failure. It seems the updated experience has broken the deployment phase of the logic app. Anyone else noticed this? Btw, my account has both Global Administrator and Owner permissions.

865 Views, 1 like, 3 Comments

Significant delay between AAD Roles permissions and MSGraph access.
We are using AAD roles (or even feature-level permissions) to give certain service principals permissions, as they offer fewer permissions than the relevant MSGraph scopes and we would like to use least-privilege principles. However, I noticed there is a significant delay between applying an AAD role to a user and that user being able to query the MSGraph API successfully afterwards. We have a case where even 12 hours after assigning the relevant AAD roles, MSGraph is still throwing Unauthorized errors on requests. Is this due to some cached token lifetime somewhere, where MSGraph does not look at this user's AAD roles for a while until this token expires, or something like that?

1.1K Views, 0 likes, 0 Comments

Re: Entitlement management "target" info not reflecting information in Azure AD after change
Yes, I noticed EM has its own cached data. In fact they added a preview button to "refresh" some data in the catalog, because even for group name changes the data gets cached and would show the old name instead.

746 Views, 0 likes, 1 Comment

Entitlement management "target" info not reflecting information in Azure AD after change
I changed the user's displayName in AAD and then I noticed, when I extracted user info from the Entitlement Management API using:
https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}?$expand=accessPackageAssignment($expand=target)
that the target displayName there is still showing the older one. I have waited a couple of hours but nothing has changed. I'm starting to assume that Entitlement Management caches some metadata itself, but how long would it take before this change would be reflected back to EM? Does anyone know the syncing schedule on this, perhaps?

843 Views, 0 likes, 3 Comments

Re: Verify remote user identity
As Christian mentions, you can use SSPR for this. But we went a step further. We created a logic app connected to the incident management system. Whenever a user loses access to their MFA device, or in another scenario, the helpdesk can trigger this logic app by creating a ticket. This sends out a TAP to the user's SSPR email address, which is their private email address. Using the "authentication administrator" role, the logic app could only create a TAP for non-admin users, preventing privilege escalation attacks. Additionally, the helpdesk has no permissions to view or edit these emails; they can only trigger the logic app by creating an incident.

3.1K Views, 0 likes, 0 Comments

Feature Request: Link entities together.
It would be cool if we could link entities together, for instance by linking a service account to a specific server(s). In this way, if said account is used somewhere else or differently (a different protocol, for example), an alert would be generated. This would allow for much tighter control/monitoring of anomalous behaviors.

953 Views, 0 likes, 3 Comments