Nathan McNulty
@nathanmcnulty.com
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | Microsoft MVP | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
Fancy - looks like we'll have the ability to block Agents based on use cases and agent risk
Curious to see if this goes the way of Workload Identity Premium after Preview
Curious to see if this goes the way of Workload Identity Premium after Preview
November 18, 2025 at 9:04 PM
Fancy - looks like we'll have the ability to block Agents based on use cases and agent risk
Curious to see if this goes the way of Workload Identity Premium after Preview
Curious to see if this goes the way of Workload Identity Premium after Preview
Like MDE, I'd expect any Advanced Auditing policies defined by GPO would override these settings
Just turned it on, time to wait and see how conflicts are handled :P
Just turned it on, time to wait and see how conflicts are handled :P
November 18, 2025 at 2:10 AM
Like MDE, I'd expect any Advanced Auditing policies defined by GPO would override these settings
Just turned it on, time to wait and see how conflicts are handled :P
Just turned it on, time to wait and see how conflicts are handled :P
Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳
learn.microsoft.com/...
learn.microsoft.com/...
November 18, 2025 at 2:10 AM
Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳
learn.microsoft.com/...
learn.microsoft.com/...
We can now change Source of Authority on Contacts as well 🔥
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
November 3, 2025 at 10:24 PM
We can now change Source of Authority on Contacts as well 🔥
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
A 138 character cmdlet in a production PowerShell module 🫠
November 2, 2025 at 9:06 PM
A 138 character cmdlet in a production PowerShell module 🫠
Everybody is always worried about emergency access, but what about emergency shutdown? 😏
October 30, 2025 at 8:55 PM
Everybody is always worried about emergency access, but what about emergency shutdown? 😏
Just casually dropping nuanced licensing details on step 7 of a how to guide, as one does 🤷♂️
October 21, 2025 at 4:48 AM
Just casually dropping nuanced licensing details on step 7 of a how to guide, as one does 🤷♂️
I demand to speak to a manager! :P
October 19, 2025 at 2:46 AM
I demand to speak to a manager! :P
Ahh yes, Blizzard Antivirus, my favorite of all the Antivirus products 🤣
October 15, 2025 at 12:03 AM
Ahh yes, Blizzard Antivirus, my favorite of all the Antivirus products 🤣
I can't stop laughing 😂
October 14, 2025 at 5:02 PM
I can't stop laughing 😂
Intune now has dedicated security recommendations docs just like Entra 🔥
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
October 10, 2025 at 4:49 AM
Intune now has dedicated security recommendations docs just like Entra 🔥
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
Did you know Entra ID Protection never automatically clears Medium or High risk?
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
October 7, 2025 at 10:45 PM
Did you know Entra ID Protection never automatically clears Medium or High risk?
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
A quick glance through these docs, and like many existing migration tools - there's a lot of gotchas to be aware of. Overall, this is going to significantly improve migration and become easier over time.
Very excited to see these new capabilities :)
learn.microsoft.com/...
October 7, 2025 at 5:30 AM
A quick glance through these docs, and like many existing migration tools - there's a lot of gotchas to be aware of. Overall, this is going to significantly improve migration and become easier over time.
Very excited to see these new capabilities :)
learn.microsoft.com/...
It's happening! Converting AD resources to Entra resources is here, and even more docs just arrived 🥳
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
October 7, 2025 at 5:30 AM
It's happening! Converting AD resources to Entra resources is here, and even more docs just arrived 🥳
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
cyber awareness month is off to a great start...
October 3, 2025 at 2:12 AM
cyber awareness month is off to a great start...
Hahaha, wow... 😮
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
October 2, 2025 at 4:47 AM
Hahaha, wow... 😮
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you've been evaluating the new(ish) Defender for Identity sensor (v3.0) that's in preview, there's a new config to support advanced identity detections :)
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
October 1, 2025 at 10:09 PM
If you've been evaluating the new(ish) Defender for Identity sensor (v3.0) that's in preview, there's a new config to support advanced identity detections :)
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
I just love how predictable cloud is - you can migrate or we'll migrate it for you, but either way, you're moving to the new service that will probably cost you more
October 1, 2025 at 4:52 AM
I just love how predictable cloud is - you can migrate or we'll migrate it for you, but either way, you're moving to the new service that will probably cost you more
This was postponed, so there's still time... tomorrow is the last day before mandatory MFA for Azure CLI/PowerShell and anything else hitting Azure Resource Manager REST API
September 30, 2025 at 6:42 AM
This was postponed, so there's still time... tomorrow is the last day before mandatory MFA for Azure CLI/PowerShell and anything else hitting Azure Resource Manager REST API
Fortunately, someone recently updated the Self-Service Password Reset docs with more clear commands on how to disable SSPR for admins :P
It may look like this will turn off SSPR for the tenant, but I promise this only applies to the admin policy
learn.microsoft.com/...
It may look like this will turn off SSPR for the tenant, but I promise this only applies to the admin policy
learn.microsoft.com/...
September 28, 2025 at 2:03 AM
Fortunately, someone recently updated the Self-Service Password Reset docs with more clear commands on how to disable SSPR for admins :P
It may look like this will turn off SSPR for the tenant, but I promise this only applies to the admin policy
learn.microsoft.com/...
It may look like this will turn off SSPR for the tenant, but I promise this only applies to the admin policy
learn.microsoft.com/...
In Entra ID, did you know sensitive cloud admins are enabled for Self-Service Password Reset by default, even if you never turn SSPR on?
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
September 28, 2025 at 2:03 AM
In Entra ID, did you know sensitive cloud admins are enabled for Self-Service Password Reset by default, even if you never turn SSPR on?
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
Please stop using Private browser sessions for cloud admin accounts
Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance
learn.microsoft.com/...
Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance
learn.microsoft.com/...
September 27, 2025 at 9:33 PM
Please stop using Private browser sessions for cloud admin accounts
Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance
learn.microsoft.com/...
Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance
learn.microsoft.com/...
A 3 picture story of why you should default quarantine password protected files and enforce SmartScreen without allowing user bypass...
September 25, 2025 at 4:52 AM
A 3 picture story of why you should default quarantine password protected files and enforce SmartScreen without allowing user bypass...
This is, by far, my favorite Microsoft owned tenant 🤣
September 23, 2025 at 12:57 AM
This is, by far, my favorite Microsoft owned tenant 🤣
