Nathan McNulty
@nathanmcnulty.com
5.6K followers 430 following 3.4K posts
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | Microsoft MVP | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
nathanmcnulty.com
Intune now has dedicated security recommendations docs just like Entra 🔥

The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance

Thanks to my colleague (Josh Gatewood) for pointing this out!

learn.microsoft.com/en-us/intune...
nathanmcnulty.com
Require auth strength works too! And even with low, we can do cool things like only prompt for auth strength on low risk when outside countries we operate in and stuff like that :)
nathanmcnulty.com

It's a fairly common mistake I see to use non-remedial grant controls in risk based policies...

For example, user risk of medium = Require MFA with Sign-in Frequency of Every time or X hours

This doesn't clear the risk, it will never be cleared, omg, that poor user 😭
nathanmcnulty.com
Did you know Entra ID Protection never automatically clears Medium or High risk?

We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate

User risk = password reset
Sign-in risk = require MFA

learn.microsoft.com/...
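Added example (not from these posts, and not Microsoft's sample code) showing the two remedial policies described above, plus a check for existing risk-based policies that lack a remedial control, using the Microsoft Graph PowerShell SDK. It assumes an Entra ID P2 tenant, a session opened with Connect-MgGraph and the Policy.ReadWrite.ConditionalAccess scope, and that cmdlet and property names match the SDK version you have installed; the policy display names and the report-only state are placeholders you should adjust.

```powershell
# Added example: risk-based Conditional Access with remedial grant controls.
# Assumes Entra ID P2 and an existing Connect-MgGraph session (scope below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1) User risk: only "Require password change" (paired with MFA) clears user risk.
$userRiskPolicy = @{
    displayName = "CA - User risk medium/high - require password change"   # placeholder name
    state       = "enabledForReportingButNotEnforced"                      # report-only first
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }  # put break-glass accounts in excludeUsers
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# 2) Sign-in risk: "Require MFA" clears sign-in risk.
$signInRiskPolicy = @{
    displayName = "CA - Sign-in risk medium/high - require MFA"            # placeholder name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @() }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# 3) Check: policies that key on risk but would never remediate it.
#    A user-risk policy without passwordChange, or a sign-in-risk policy without mfa,
#    leaves the risk sitting there no matter how often the user is prompted.
Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    ($_.Conditions.UserRiskLevels   -and $_.GrantControls.BuiltInControls -notcontains "passwordChange") -or
    ($_.Conditions.SignInRiskLevels -and $_.GrantControls.BuiltInControls -notcontains "mfa")
} | Select-Object DisplayName, State,
    @{ n = "UserRisk";   e = { $_.Conditions.UserRiskLevels -join "," } },
    @{ n = "SignInRisk"; e = { $_.Conditions.SignInRiskLevels -join "," } },
    @{ n = "Grants";     e = { $_.GrantControls.BuiltInControls -join "," } }
```

Start both policies in report-only and review the sign-in logs before switching state to "enabled"; a user-risk policy that includes your break-glass accounts can lock you out of the tenant.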
nathanmcnulty.com

A quick glance through these docs, and like many existing migration tools - there's a lot of gotchas to be aware of. Overall, this is going to significantly improve migration and become easier over time.

Very excited to see these new capabilities :)

learn.microsoft.com/...
nathanmcnulty.com
It's happening! Converting AD resources to Entra resources is here, and even more docs just arrived 🥳

Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥

learn.microsoft.com/...
nathanmcnulty.com
They have increased the quality requirements of biometrics over the years, not an issue to the best of my knowledge. We can also raise the bar with ESS.

I think for most orgs that's going to be fine, but I understand why some disallow Biometrics (plus users don't understand and worry about it).
nathanmcnulty.com
🤣

That tagline gets more hilarious every time I read it 🙃
nathanmcnulty.com
cyber awareness month is off to a great start...
nathanmcnulty.com
Hahaha, wow... 😮

If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user create an app password 🤯
nathanmcnulty.com
If you've been evaluating the new(ish) Defender for Identity sensor (v3.0) that's in preview, there's a new config to support advanced identity detections :)

Just add the tag "Unified Sensor RPC Audit" to the DCs (docs recommend asset rule management)

learn.microsoft.com/...
nathanmcnulty.com
I just love how predictable cloud is - you can migrate or we'll migrate it for you, but either way, you're moving to the new service that will probably cost you more
nathanmcnulty.com
This was postponed, so there's still time... tomorrow is the last day before mandatory MFA for Azure CLI/PowerShell and anything else hitting Azure Resource Manager REST API
nathanmcnulty.com
Correct, that's what I meant by "at least user browser profiles" :)
nathanmcnulty.com
Fortunately, someone recently updated the Self-Service Password Reset docs with clearer commands on how to disable SSPR for admins :P

It may look like this will turn off SSPR for the tenant, but I promise this only applies to the admin policy

learn.microsoft.com/...

nathanmcnulty.com
In Entra ID, did you know sensitive cloud admins are enabled for Self-Service Password Reset by default, even if you never turn SSPR on?

It also doesn't follow auth method policies, so they can use email and SMS...

You really should disable it

learn.microsoft.com/...
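Added example (mine, not from these posts or the linked docs) for checking and turning off the separate admin SSPR policy with the Microsoft Graph PowerShell SDK. It assumes a session opened with Connect-MgGraph and the Policy.ReadWrite.Authorization scope, and that the cmdlet and property names below match the SDK version installed; verify against your own tenant before relying on it.

```powershell
# Added example: disable SSPR for admin accounts (the "admin policy" only).
# Assumes an existing Connect-MgGraph session with the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# The admin SSPR switch lives on the tenant authorization policy, not on the
# user-facing SSPR settings, which is why it stays on even if SSPR was never enabled.
$before = Get-MgPolicyAuthorizationPolicy
"Admin SSPR enabled before change: $($before.AllowedToUseSspr)"

# This flips only the admin SSPR policy. The tenant SSPR setting for regular users
# (Password reset > Properties in the portal) is untouched by this call.
Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false

# Re-read the policy to confirm the change took effect.
$after = Get-MgPolicyAuthorizationPolicy
"Admin SSPR enabled after change:  $($after.AllowedToUseSspr)"
```

Run the read-only part first and note the value; if it reports enabled in a tenant where you never turned SSPR on, that is exactly the default the post describes.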
nathanmcnulty.com
Please stop using Private browser sessions for cloud admin accounts

Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance

learn.microsoft.com/...
nathanmcnulty.com
A 3 picture story of why you should default quarantine password protected files and enforce SmartScreen without allowing user bypass...
nathanmcnulty.com
Yup, I'm really happy they listened to our feedback

I know the reasons for the change, and I can sympathize with them on the struggles, but this was not the right way to handle it :)
nathanmcnulty.com
This is, by far, my favorite Microsoft owned tenant 🤣
nathanmcnulty.com
You know, OSD never broke anyone's leg... just sayin :p