I generally enjoy your work Zach, but this may be my favourite comic of yours.
Should this graphic be updated given that "approved apps" is being deprecated in Conditional Access? learn.microsoft.com/en-us/entra/...
I think Cryptomator is available in the UK. If you know similar software feel free to comment.
cryptomator.org/for-individu...
A screenshot of the new profile editor in office.com
Starting today you can update your profile in #Microsoft365 using a new and modern profile editor (replacing the #Delve experience). Go to office.com, search for your name and click on it and find the "Update your profile" button. The team is eager for feedback!
XML in LDAP teaches you to see God in a new way
802.1x what are you doing step bro you shouldn't be a fucking LDAP attribute
Will there perhaps be more info available at an airlift soon?
Not as long as you might think :).
I just sent out this week's Entra newsletter
entra.news/p/entra-n...
Yes, and I wouldn't set them up any other way (SSO or bust!). But the reliance on another entire overlay network, with additional network endpoints and additional security monitoring/vulnerability management seems like an area for improvement. The Kaseya breach still haunts me...
If we have the GSA agent already on the endpoint, then why have another privileged control path? Just do RDP/VNC/SSH/Something else with the existing secure path, all secured by Entra ID Conditional Access.
If this isn't on their roadmap, along with integrating Azure Arc, then maybe it should be
I would, for example, love to have a remote support agent on endpoint PCs, and enforce access over the GSA network. Current remote support products like TeamViewer, Beyond Trust Remote Support and ScreenConnect all require a separate agent, which adds a net new security boundary to an Org.
Oh don't get me wrong, the network connector has its place, and leveraging the prior App Proxy was a good call. I think a good SASE/SSE product needs to have all three connectivity options. Agent service, Network Connector, and integration with existing networks.
I think the real endgame here is moving from having Entra Private Network Connectors, to using a local agent on the systems themselves as the connection. Then firewalling everything else. Ala Tailscale, Cloudflared, or Azure Arc Remote Access. The sooner GSA moves away from a central connector...
Back in the day, we would compose an email, put billg@microsoft.com in the To field, "Fire me, I'm irresponsible" on the subject line, and just leave it front and centre on their screen, before 3) locking it for them.
I was eventually reprimanded for starting that trend.
NTLM v1 is removed from the latest version of Windows
Oh by the way
A good write up on how Credential Guard prevented a common attack. isc.sans.edu/diary/Creden.... If you haven't looked at this in a while, now is a great time to start. learn.microsoft.com/en-us/window.... Kudos to @syfuhs.net and the team for doing all the hard work on this. #infosec
This is pretty awesome - require PIM activation before you can RDP to a server, access a credential vault, etc.
This could even be done with approval workflow and authentication contexts to enforce very strong restrictions
learn.microsoft.com/...
I'm a fan of adding "SC" and "ES". Imo it makes it more versatile if changes are being made via Graph or directly in Intune.
Okay, the self-service site to get your account verified is almost ready to go.
But it's too late over here in Australia, and I'm not brave enough to hit publish on a new site and go to bed
So the plan is to launch this tomorrow!
Stay tuned...
One of the highest importance things in Security is thinking as a Graph not a List. Owning Twitter doesn't get you Twitter. It gets you everything that trusts Twitter.
John Lambert, one of the most senior Microsoft people, who has had his hand in fighting their greatest battles.
medium.com/@johnlatwc/d...
If, like me, you're retaining your account to prevent someone else from scooping it up, you should go delete all of these. Settings and privacy > Security and account access > Apps and sessions > Connected apps
i think i may start doing 'skytalks' on how not to get fucked when starting a company, getting investment, and building a team
there's a lot of folks in infosec and adjacent industries that have stars in their eyes and brilliant ideas, but have no idea what a bad deal looks like
Platform SSO for macOS
Microsoft Intune now allows you to configure Platform SSO (Single Sign-On) for Apple macOS devices. Platform SSO is an extension to the existing Microsoft Enterprise SSO plug-in that brought single sign-on (SSO) to macOS using Microsoft Entra ID accounts.
"Management" asks for changing default fonts, or right-click menus, or moving the Start button are unsustainable.
Say "No".
Empower your users with training or KBs.
Stop assuming you know what every individual needs to be productive.
#SomeExclusionsApply
Depends on the date, is it before or after 2023-07-11?
A screenshot from a login screen with two SSO buttons, one for Azure AD, one for Entra ID
Which do I pick for SSO?!?
#EntraID vs #AzureAD
A win for repairability!
Not so much for security
If you like using #kql then this is an absolute must! Mark and Team did a great job with the book and applying that to doing the missions in #kc7 is just nerdy fun! Have you tried it yet?