Category: Azure AD

Continuous Access Evaluation: Rise of the Claim challenge

Hi, refresh tokens. Hi, lag when terminating users or setting a new password. Welcome continuous access evaluation (CAE); bye, lag (1-hour refresh token). A claim challenge is a mechanism to indicate that the token was rejected and a new token needs to be issued. So what are the benefits? User termination or password change/reset: user session revocation will be enforced in near real time. Network location change: Conditional Access location policies will be enforced in near real time. Token export to…

Read More

The Place Beyond the Guests

Restricting guest access is very important. Normally you don’t want a guest user to see the membership of any groups. Of course, there are some situations in which you don’t want to change this setting. You can simply change this under the external collaboration settings of the user settings inside the Azure AD portal: https://aka.ms/AADRestrictedGuestAccess Or just use PowerShell. Add this setting to your enrollment template so that when enrolling a new customer, this setting will not be forgotten: Get-AzureADMSAuthorizationPolicy | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' Conclusion:…

Read More

What Happened to Monitoring External Access to Your Data?

Some time ago I wrote a blog about securing your data, in which I described that this is only the first step in making sure your data is safe. For example, whilst working with Teams, did you think about the “shadow users”? These users are not members of your Teams / Microsoft 365 groups but can still somehow access your data. It’s very easy for an employee to share the whole Teams General folder within the SharePoint site without you noticing. An employee just has to click on “Share” to begin sharing it…

Read More

Basic Authentication and the Last Crusade

In this blog I’ll show you a new option to disable basic authentication protocols. As most of you probably know, Microsoft is going to disable basic authentication for ActiveSync, PowerShell, Exchange Web Services, POP3 and IMAP4. You should especially disable POP3 and IMAP basic authentication as soon as possible. Of course, implementing Conditional Access rules is the way to go. Read my other blog to learn how to automate your Conditional Access deployment. When not having the proper licensing for…

Read More

The LAPS and the furious!

LAPS is a solution that makes sure you have a unique local administrator password on each device, which is changed automatically after a certain time period has passed. It makes sure that when one device is compromised, the attacker does not gain access to all devices in the company domain. So, life is simple. You make choices, and you’ll implement LAPS. LAPS is very easy to deploy within an existing Active Directory. When going full Microsoft 365, you still need LAPS. There…

Read More

The return of the Azure AD Portal

Looking back at my blogs, I realized I didn’t tell you the whole story concerning restricting user access to the Azure AD portal. Last night I was talking to Nicola Suter about this and he made me realize there are some additional steps you can take to further improve security. Preventing access to the Azure AD portal itself should be the first step. But there are more ways an attacker can get to the information stored here. The attacker can open…

Read More

The Azure AD portal strikes back

Reconnaissance is the first phase in hacking. It’s a systematic approach to gathering information about your target. It’s up to you to prevent access to the Azure AD administration portal. It’s very easy to implement within the GUI: search for the Azure AD user settings and you’ll find the option to restrict access. Alternatively, you could add this to your tenant enrollment scripts: When a naughty user wants to access the Azure AD portal, the setting you defined kicks in. Conclusion: It’s…

Read More

Why only an Exchange Online license does not cut it.

Everyone is currently using Microsoft Office 365 Exchange Online. With the coronavirus, surely Microsoft Teams has been added. We just assume that Microsoft has its security in place. But only an Exchange Online and a Microsoft Teams license is unfortunately not enough. Why buy a license that is almost half more expensive in addition to an Exchange Online license? You actually have to ask yourself a simple question: what is cheaper? Opening the newspaper to read that a hacker has had access…

Read More

Intune auto MDM enrollment for devices already Azure AD joined

Today I spent some time enrolling existing Azure AD joined devices into Intune. These devices were Azure AD joined without Intune enabled/configured. There are 2 ways to make sure the device will be registered in Intune:
1. Group Policy: Computer Configuration > Administrative Templates > Windows Components > MDM.
2. Registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
"UseAADCredentialType"=dword:00000001
When you apply these changes, you will notice a new task being created in the Task Scheduler. Give it some time… and…

Read More

Azure Files from anywhere!!

Normally you will put your data in OneDrive/SharePoint/Teams. But when you have a lot of data which should be archived, you can, as an example, put it on an Azure Files share. But of course SMB port 445 is blocked outbound by most ISPs. Of course you can think of solutions with VPNs. But just a thought: why not use an HTTPS connection to map a network drive to it? With this approach, you can make a…

Read More