azd + maester = 😲
Soon ⚒️
If you have considered using my script to create software passkeys using ESTSAUTH cookies on a pentest or red team exercise, I have published a more secure option for you ;)
Create an Azure Key Vault, grant yourself Key Vault Crypto Officer, and run this:
github.com/nathanmcn...
There is absolutely no way I could have written a test harness, not to mention automated bug fix and re-test, and then left it for 4 hours
Guaranteed weeks of testing during my free time cut down to a couple of days of reviewing and approving
So freaking cool
Game changer - use Caps Lock for voice to speak :)
This includes certificate profiles for all 4 platforms in Intune, no targets by default, but -AssignIntunePolicies assigns to all devices
Also has optional deployment of Defender for Key Vault, Log Analytics, and downgrade to Key Vault Standard (for testing, $1/mo)
Have fun! :)
Don't have PKI but want to use TLS inspection in Global Secure Access?
This script sets up Azure Key Vault Premium (HSM backed keys, $5/month), creates the CA certificate in Key Vault, gets the CSR from GSA, signs it with Key Vault, and adds it to GSA 🔥
github.com/nathanmcn...
New features for my Defender Reporting solution :)
1️⃣ Azure deployment option
- Automation runbook exports vulnerability data and builds the dashboard, compressed data stored in blob storage
- Optional Container App hosts dashboard using Entra auth
github.com/nathanmcn...
2️⃣ New modal layout and tooltips
- Reflowed the modal to group CVEs by devices
- Added tooltip to contain device details
- Optional enrichment with Advanced Hunting data (use -IncludeAdvancedHunting), adds EPSS scores and description tooltips to all CVE IDs
3️⃣ Bug fixes and optimization
- Now uses IndexedDB for better performance with large data sets
- Changed export schedules to 7 days to reduce risk of data loss if a run fails
- Fixed a few logic/timing issues
4️⃣ Documentation updates
- Setup instructions for Azure and GitHub
Ever need to find out what Entra authentication methods your users are using but don't have Log Analytics/Sentinel? :)
It's not as difficult as you might think! To get started, log into the Entra portal, go to Sign-in logs, set the date range to 1 month, then download the JSON:
Now go to dataexplorer.azure.com/ and set up your free cluster if you've never done that before. Once you have created the cluster and database, right click on the database, select Get data, select Local file, create a table for SigninLogs, select it, add your JSON, and import.
Now you can run queries! :)
SigninLogs
| extend AuthMethod = ['authenticationDetails'][0]['authenticationMethod']
| extend AuthMethodDetail = ['authenticationDetails'][0]['authenticationMethodDetail']
| extend MfaMethod = ['authenticationDetails'][1]['authenticationMethod']
| where ['authenticationDetails'][0]['succeeded'] == true and ['authenticationDetails'][1]['succeeded'] == true
| where AuthMethod != "Previously satisfied" or MfaMethod != "Previously satisfied"
| distinct userPrincipalName,tostring(AuthMethod),tostring(AuthMethodDetail),tostring(MfaMethod)
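The same filter the KQL query applies, run directly over the downloaded sign-in JSON in Python for anyone who would rather skip the Data Explorer cluster. This is an added example, not the author's script or query: the records are constructed sample data in the shape of the portal export and use only the fields the query references (userPrincipalName, authenticationDetails[].authenticationMethod, authenticationMethodDetail, succeeded). It also shows how the two edge cases the query handles implicitly fall out: a single-factor sign-in has no second element, and a failed second step is dropped by the succeeded check.

```python
"""Tally Entra ID authentication methods from the portal's sign-in JSON export.

Added example (not the author's code). The records below are constructed
sample data mimicking the export shape; only the fields the KQL query touches
are present. Method strings such as "Previously satisfied" are the ones that
appear in real exports, but every record here is made up.
"""
import json
from collections import Counter

_ALICE_PUSH = {
    # Password followed by an Authenticator push, both succeeded: kept.
    "userPrincipalName": "alice@contoso.example",
    "authenticationDetails": [
        {"authenticationMethod": "Password", "authenticationMethodDetail": None, "succeeded": True},
        {"authenticationMethod": "Mobile app notification", "authenticationMethodDetail": None, "succeeded": True},
    ],
}

# Constructed sample export (a JSON array, as the portal download is).
SAMPLE_EXPORT = json.dumps([
    _ALICE_PUSH,
    {   # Session reuse: both steps "Previously satisfied", filtered out by the second where.
        "userPrincipalName": "alice@contoso.example",
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "authenticationMethodDetail": None, "succeeded": True},
            {"authenticationMethod": "Previously satisfied", "authenticationMethodDetail": None, "succeeded": True},
        ],
    },
    {   # Second factor failed: dropped by the succeeded check.
        "userPrincipalName": "bob@contoso.example",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "authenticationMethodDetail": None, "succeeded": True},
            {"authenticationMethod": "Text message", "authenticationMethodDetail": "+X XXXXXXXX00", "succeeded": False},
        ],
    },
    {   # First step satisfied by an existing session, MFA step was real: kept ("or").
        "userPrincipalName": "bob@contoso.example",
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "authenticationMethodDetail": None, "succeeded": True},
            {"authenticationMethod": "Text message", "authenticationMethodDetail": "+X XXXXXXXX00", "succeeded": True},
        ],
    },
    {   # Single-factor sign-in: no [1] element, dropped just as the KQL index would be null.
        "userPrincipalName": "carol@contoso.example",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "authenticationMethodDetail": None, "succeeded": True},
        ],
    },
    _ALICE_PUSH,  # Duplicate sign-in, collapsed by distinct.
])


def _text(value):
    """KQL tostring(): null becomes the empty string."""
    return "" if value is None else str(value)


def distinct_auth_methods(export_text):
    """Mirror the KQL: keep sign-ins whose first two steps both succeeded and
    where at least one step is not 'Previously satisfied'; return the distinct
    (userPrincipalName, AuthMethod, AuthMethodDetail, MfaMethod) tuples."""
    rows = set()
    for signin in json.loads(export_text):
        details = signin.get("authenticationDetails") or []
        if len(details) < 2:
            continue
        first, second = details[0], details[1]
        if not (first.get("succeeded") is True and second.get("succeeded") is True):
            continue
        auth_method = _text(first.get("authenticationMethod"))
        mfa_method = _text(second.get("authenticationMethod"))
        if auth_method == "Previously satisfied" and mfa_method == "Previously satisfied":
            continue
        rows.add((signin.get("userPrincipalName", ""), auth_method,
                  _text(first.get("authenticationMethodDetail")), mfa_method))
    return rows


def users_per_mfa_method(rows):
    """Count distinct users per second-step method, the number an MFA rollout
    review usually wants (who is still on SMS, who is on passkeys, ...)."""
    users_by_method = {}
    for upn, _auth, _detail, mfa in rows:
        users_by_method.setdefault(mfa, set()).add(upn)
    return Counter({method: len(users) for method, users in users_by_method.items()})


if __name__ == "__main__":
    result = distinct_auth_methods(SAMPLE_EXPORT)
    for row in sorted(result):
        print(row)
    print(users_per_mfa_method(result))
```

Point the loader at the real export by replacing SAMPLE_EXPORT with the file contents; a month of sign-ins for a mid-sized tenant is a few hundred MB of JSON, which is still fine for a single json.loads on a laptop.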
So, uhh, "winget install node" might not do what you think 😬
Someone pointed this out to me thinking it might be a name squatting type attack, lol. Doesn't look like it is on the surface, but be careful out there ;)
It may not be the most comprehensive testing, but it's pretty awesome kicking off an assessment of all the cmdlets, parameters, etc. and having it verify the results are all in the correct formats, no warnings/errors, etc
About to let it run wild in a dev tenant, wish me luck
First of three legs on my way to WPNinjas US in Dallas. Only 13 hours of travel to go... 🤪
It'll totally be worth it to see everyone, hopefully help some folks with work, career, and family :)
I'm way behind on planning, so hmu if you're going to be there!
lol, sadly I think that's a whole different team, but who knows :p
Haha, I think @intunesuppteam.bsky.social would know the right folks to help fix that typo :)
I often make this mistake with Filter for devices in Conditional Access... and I bet you are doing it too 🤪
To target unregistered devices, you probably want to do INCLUDE with trustType/isCompliant NotEquals <value>
Go double check your policies ;)
learn.microsoft.com/...
Hey folks, just jumping on a live Entra Chat to talk about all the Ignite announcements with @merill.net, @naunheim.cloud, Martin Sandren, and Ru Campbell!
Come join us at riverside.fm/studio/entra...
Today's letter is brought to you by... :)
Hope whatever spurred this thought is all clear and good ❤️
SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED 😳
Nice! It's a huge upgrade, and let me know if you run into any issues - I know the team and might be able to help :)
I also have some cool stuff coming early December that you might like :p
Guess I could have included the documentation :P
learn.microsoft.com/en-us/entra/...
Fancy - looks like we'll have the ability to block Agents based on use cases and agent risk
Curious to see if this goes the way of Workload Identity Premium after Preview
Like MDE, I'd expect any Advanced Auditing policies defined by GPO would override these settings
Just turned it on, time to wait and see how conflicts are handled :P
Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳
learn.microsoft.com/...
Nice! Not dumb, just sometimes the way they store the data doesn't make any sense when viewed from outside of whatever their internal design/architecture is.
Sometimes there's a good reason for why they did things a certain way, sometimes nobody knows, lol
I'll have to look later when I can get some time on my laptop, but look for the Service Principal AppID for Entitlement management: ec245c98-4a90-40c2-955a-88b727d97151
I bet we see this in Audit Logs, but not sure about stored in Graph on the assignments...
I bet you would have to use /beta for this
There's a bunch of stuff in here where you have to use both APIs to do things...
Like expiration is only in /beta but you can't do Verified ID in /beta...... So you have to hit /v1.0/ then patch/put /beta/ :-/