#conditionalaccess: Public Fediverse posts
Live and recent posts from across the Fediverse tagged #conditionalaccess, aggregated by home.social.
-
Blocking Device Code Flow in M365, full mini-toolkit now on GitHub:
1. Audit script => verify zero legitimate usage before blocking (all 4 Entra sign-in log types)
2. CA policy JSON => ready to import, just replace your break-glass group ID
https://github.com/Bluewal/m365-intune-scripts/tree/main/entra/device-code-flow
#infosec #Microsoft365 #EntraID #ConditionalAccess #BlueTeam #PowerShell
-
EvilTokens / AiTM attacks are actively abusing Device Code Flow to bypass MFA in M365 tenants.
Before blocking it via Conditional Access, verify it's actually unused in your environment.
Script queries all 4 Entra sign-in log types via Microsoft Graph:
- No results: safe to block immediately
- Results found: review before deploying
#infosec #Microsoft365 #EntraID #ConditionalAccess #BlueTeam #PowerShell
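An offline model of the audit logic in the post above, added here as an example; it is not the toolkit's own script from the linked repository. It filters sign-in records of the shape Microsoft Graph returns from /auditLogs/signIns, counts device-code usage across the four signInEventTypes, and builds the Conditional Access policy body that blocks the flow. The sample records, user names, addresses and the break-glass group ID are constructed; in a real tenant you would page through the Graph results for each of the four filters before deciding.

```python
"""Offline model of the device-code-flow pre-block audit (added example).
Field names follow the Microsoft Graph signIn resource; the records below are
constructed samples, not real tenant data."""
import json

# The four sign-in log categories Graph exposes through signInEventTypes.
SIGN_IN_EVENT_TYPES = (
    "interactiveUser",
    "nonInteractiveUser",
    "servicePrincipal",
    "managedIdentity",
)


def graph_filter(event_type: str) -> str:
    """OData $filter for GET /auditLogs/signIns, run once per event type."""
    return (
        "authenticationProtocol eq 'deviceCode' "
        f"and signInEventTypes/any(t: t eq '{event_type}')"
    )


# Constructed sample records (made-up users, apps and addresses).
SAMPLE_SIGN_INS = [
    {"id": "s1", "createdDateTime": "2026-03-02T08:11:00Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "signInEventTypes": ["interactiveUser"],
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"id": "s2", "createdDateTime": "2026-03-02T08:12:30Z",
     "userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "signInEventTypes": ["interactiveUser"],
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "s3", "createdDateTime": "2026-03-02T09:00:05Z",
     "userPrincipalName": "svc-build@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "signInEventTypes": ["nonInteractiveUser"],
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"id": "s4", "createdDateTime": "2026-03-02T09:30:00Z",
     "servicePrincipalName": "ci-runner", "appDisplayName": "ci-runner",
     "authenticationProtocol": "oAuth2", "signInEventTypes": ["servicePrincipal"],
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
]


def device_code_sign_ins(records):
    """Keep every record that used device code flow, whatever its event type."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def summarize_by_event_type(records):
    """Count device-code sign-ins per log category; categories with zero hits are omitted."""
    counts = {t: 0 for t in SIGN_IN_EVENT_TYPES}
    for r in device_code_sign_ins(records):
        for t in r.get("signInEventTypes", []):
            if t in counts:
                counts[t] += 1
    return {t: n for t, n in counts.items() if n}


def review_rows(records):
    """Who used device code flow, from which app and address, for manual review."""
    return sorted(
        (r.get("userPrincipalName") or r.get("servicePrincipalName"),
         r["appDisplayName"], r["ipAddress"], r["signInEventTypes"][0])
        for r in device_code_sign_ins(records)
    )


def safe_to_block(records) -> bool:
    """True only when no device-code sign-in exists in any of the four log types."""
    return not device_code_sign_ins(records)


def block_device_code_policy(break_glass_group_id: str, report_only: bool = True) -> dict:
    """Body for POST /identity/conditionalAccess/policies (use beta if your SDK's
    v1.0 lacks authenticationFlows). The group ID argument is a placeholder you
    must replace with your own break-glass group."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for t in SIGN_IN_EVENT_TYPES:
        print("filter:", graph_filter(t))
    print("device code usage:", summarize_by_event_type(SAMPLE_SIGN_INS))
    for row in review_rows(SAMPLE_SIGN_INS):
        print("  review:", row)
    print("safe to block:", safe_to_block(SAMPLE_SIGN_INS))
    print(json.dumps(block_device_code_policy("<break-glass-group-object-id>"), indent=2))
```

Keep the policy in report-only mode until the audit returns nothing and the report-only sign-in log shows no unexpected hits; the break-glass exclusion is what keeps you from locking yourself out if a later policy change goes wrong.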
-
Entra ID External MFA (old name was External Authentication Methods) is now Generally Available.
Custom Controls is being deprecated on 30 Sept 2026.
Here's how to check your usage.
https://thedxt.ca/2026/03/microsoft-entra-id-external-mfa/
#Entra #MFA #M365 #Microsoft #Microsoft365 #ConditionalAccess
-
How Conditional Access Policies Are Evaluated in Microsoft Entra ID
Understanding how Conditional Access policies are evaluated in Microsoft Entra ID is absolutely essential if you are involved in their creation or management.
I often encounter fundamental misunderstandings regarding how the evaluation of Conditional Access policies takes place. Many administrators are accustomed to systems like firewalls, where there is an order or priority for evaluating created rules. However, it does not work this way with Conditional Access policies in Microsoft Entra ID. Applying the same principle to Conditional Access policies will very likely lead to significant security risks.
Read my blog post below
https://www.cswrld.com/2026/02/how-conditional-access-policies-are-evaluated-in-microsoft-entra-id/
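A toy evaluator for the rules described in the post above, added as an example and not taken from the linked article. It models what Microsoft documents about Conditional Access: there is no policy order or priority, every enabled policy whose assignments and conditions match applies to the sign-in, a block in any applicable policy wins, and otherwise the grant controls of all applicable policies are combined. Policy names, user names and the break-glass group name are assumptions; within-policy "require one of the selected controls" (OR) semantics and report-only side effects are left out.

```python
"""Toy model of Conditional Access evaluation (added example). Encodes the
documented rules: all matching enabled policies apply, no ordering, block wins,
grant controls are combined. Names are made up."""
from dataclasses import dataclass, field
from typing import Optional

BREAK_GLASS = "sg-break-glass"          # assumed break-glass group name
GLOBAL_ADMIN = "Global Administrator"   # directory role name


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    platform: str                       # windows, iOS, android, macOS, linux, windowsPhone, unknown
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    include_users: set = field(default_factory=lambda: {"All"})   # "All" or user names
    include_groups: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)
    include_apps: set = field(default_factory=lambda: {"All"})
    include_platforms: Optional[set] = None   # None: platform condition not configured
    exclude_platforms: set = field(default_factory=set)
    block: bool = False
    require: frozenset = frozenset()          # controls that must all be satisfied
    state: str = "enabled"                    # "enabled", "reportOnly" or "disabled"


def applies(p: Policy, s: SignIn) -> bool:
    """Do this policy's assignments and conditions match the sign-in?"""
    in_scope = ("All" in p.include_users or s.user in p.include_users
                or bool(s.groups & p.include_groups) or bool(s.roles & p.include_roles))
    if not in_scope or s.groups & p.exclude_groups:
        return False
    if "All" not in p.include_apps and s.app not in p.include_apps:
        return False
    if p.include_platforms is not None:
        included = "All" in p.include_platforms or s.platform in p.include_platforms
        if not included or s.platform in p.exclude_platforms:
            return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine every applicable enabled policy; the order of `policies` is irrelevant."""
    matched = [p for p in policies if p.state == "enabled" and applies(p, s)]
    names = sorted(p.name for p in matched)
    if any(p.block for p in matched):
        return {"decision": "block", "policies": names}
    required = frozenset().union(*(p.require for p in matched))
    return {"decision": "grant", "required": sorted(required), "policies": names}


KNOWN_PLATFORMS = {"windows", "iOS", "android", "macOS"}

POLICIES = [
    Policy("CA01 Require MFA for all users", exclude_groups={BREAK_GLASS},
           require=frozenset({"mfa"})),
    Policy("CA02 Require compliant device for Office 365", include_apps={"Office 365"},
           exclude_groups={BREAK_GLASS}, require=frozenset({"compliantDevice"})),
    Policy("CA03 Block unknown platforms", include_platforms={"All"},
           exclude_platforms=KNOWN_PLATFORMS, exclude_groups={BREAK_GLASS}, block=True),
    Policy("CA04 Require phishing-resistant MFA for admins", include_users=set(),
           include_roles={GLOBAL_ADMIN}, require=frozenset({"phishingResistantMfa"})),
    Policy("CA05 Block legacy auth (report-only)", block=True, state="reportOnly"),
]


def demo() -> dict:
    alice = SignIn("alice", "Office 365", "windows")
    admin = SignIn("gadmin", "Azure portal", "macOS", roles=frozenset({GLOBAL_ADMIN}))
    spoofed = SignIn("alice", "Office 365", "unknown")   # unrecognised User-Agent
    return {
        "alice": evaluate(POLICIES, alice),
        "admin": evaluate(POLICIES, admin),
        "spoofed": evaluate(POLICIES, spoofed),
        "spoofed_reversed": evaluate(list(reversed(POLICIES)), spoofed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The reversed-order check is the point: reordering the list changes nothing, and a user excluded from one policy is still caught by every other policy that matches, because an exclusion only ever applies to the policy it is configured on.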
-
RE: https://infosec.exchange/@franklesniak/115572191076370399
#ActiveDirectory #EntraID #IdentityManagement #AccessManagement #IdentitySecurity #ZeroTrust #GroupPolicy #ConditionalAccess #PrivilegedIdentity #PrivilegedIdentityManagement #PrivilegedAccessManagement #MicrosoftSecurity #PingCastle #PurpleKnight #Maester #DigitalIdentity
-
Last week #Microsoft published #MC1123830 where they announced #Entra #ConditionalAccess updates indicating that #AzureDevOps (ADO) will be separated from Azure Resource Manager (ARM). This means that you might have to update your policies in order to allow access to #ADO.
-
How to block unknown platforms in Microsoft Entra ID
Under conditional access policies, it is possible to block individual device platforms. In general, it is a good idea to eliminate all ways that a potential threat actor could use to compromise the environment. In other words, block everything that is not needed.
This also applies to device platforms within Microsoft Entra ID. For example, if your organization only uses Windows, iOS, and Android, it's a good idea to disable all other platforms. If you also use macOS, you need to add macOS as well, of course.
What I would definitely recommend blocking is Windows Phone and other unknown platforms. Unrecognized / unknown platforms are usually spoofed User Agents, which are mainly used by threat actors.
Watch my YouTube video below
https://youtu.be/vFhQgwXmqTo
#cswrld #videotutorial #entraid #conditionalaccess #platforms #blocking
-
This week there are a lot of changes coming down to Windows 11 and Entra. You know, the foundation of everything.
https://link.publicate.it/pub/05c7133d58fd8d
#M365 #Entra #windows11 #conditionalaccess
-
Authentication Strengths in Microsoft Entra ID allows you to granularly define authentication requirements for different situations.
Before authentication strengths were available, authentication requirements were defined globally for the entire tenant, and then conditional access policies could just say that multi-factor authentication was required, for example. But it was not possible to define what type of multifactor authentication was required. So anything that was available globally could be used by all users in all situations.
Which was not optimal. There are situations where a less secure authentication method like SMS or TOTP might be enough. But there are situations where we only want to use very secure authentication methods like FIDO2 when someone is logging into a global admin account for example.
Such granularity was not possible before. If SMS authentication was enabled for a given tenant, even the global admin could use SMS for authentication.
Watch my YouTube video below for more details
https://youtu.be/8sIX19pbdho
#cswrld #cybersecurity #entraid #authentication #authenticationstrength #conditionalaccess
-
RECOMMENDED CONDITIONAL ACCESS POLICIES IN MICROSOFT ENTRA ID
Conditional access policies in Microsoft Entra ID allow for very granular security management. The problem is that organizations usually do not have conditional access policies properly defined. There tend to be blind spots, policies don't cover all applications, all users, and all scenarios.
Many organizations have conditional access policies defined but do not think about them properly. This is because they often target only specific applications or specific users. And when I ask them why the MFA policy only targets Office 365 for example, they tell me they don't use anything else. Or when I ask why they only target one group of users, they tell me that other users don't use cloud services.
But that's just the wrong approach. You are not primarily protecting the services from your users, but from attackers. And just because you don't use anything other than Office 365 doesn't mean an attacker will not use it. Or just because some users don't use cloud services doesn't mean those accounts can't be exploited by an attacker. If those apps or accounts exist in the cloud, they need to be protected whether regular users use them or not. Attackers are looking for the most insecure places, the weakest links.
Watch my YouTube video below where I talk about the conditional access policies that I recommend implementing
https://youtu.be/LtIgFBDJzXs
#cswrld #videotutorial #entraid #conditionalaccess #recommendation
-
#powershell #microsoftgraph #conditionalaccess Automating Sign-In Analysis with PowerShell and Microsoft Graph http://dlvr.it/TFZ30N via PlanetPowerShell
-
Conditional Access is hard - gaps can exist and you won't even know.
Never mind trying to keep on top of all the different policies and apps you have in place due to changing requirements over the years.
That's why aligning your policies to user personas is a great way to simplify your setup.
https://learn.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-architecture
-
What are your biggest Entra (AzureAD) Conditional Access questions or pain points? I'm working on a giant Conditional Access post for the #TrustedSec blog -- would welcome your inputs!
#Microsoft #Entra #AzureAD #Azure #ConditionalAccess #conditionalaccesspolicies
-
What's your biggest #conditionalaccess configuration pet peeve?
Mine is not having a policy to manage guest accounts - especially as the default in #ms365 is to allow guests to invite guests
-
Looking for this magic crowd knowledge! I seem to recall news somewhere (here, LinkedIn, newsletter, maybe?), that #EntraID would support #Passkeys during the MFA registration prompt when signing in. Like the experience to enroll your Authenticator app. Sadly, I can't rediscover this :sad_panda: Would anybody have an idea or pointer? Maybe @merill
Any pointers, boosts, etc welcome! Thanks!
Edit: OF COURSE one finds what one searches for less than an hour after asking other people. Well, thanks for reading anyways!
https://mc.merill.net/message/MC718260
(Caveat is, I'm not sure if this is really what I thought it meant originally).
-
Anybody having weird issues with Microsoft CAP policies? We have a CAP that is supposed to enforce MFA on the Admin Portals and for some reason today it's hitting all Microsoft like Office 365. We just started getting bombarded with users not being able to log in because we enforce stricter MFA for Admins. #microsoft #azure #entraID #conditionalaccess #cap
-
Authentication Strengths in Microsoft Entra ID allows you to granularly define authentication requirements for different situations.
Before authentication strengths were available, authentication requirements were defined globally for the entire tenant, and then conditional access policies could just say that multi-factor authentication was required, for example. But it was not possible to define what type of multifactor authentication was required. So anything that was available globally could be used by all users in all situations.
Which was not optimal. There are situations where a less secure authentication method like SMS or TOTP might be enough. But there are situations where we only want to use very secure authentication methods like FIDO2 when someone is logging into a global admin account for example.
Such granularity was not possible before. If SMS authentication was enabled for a given tenant, even the global admin could use SMS for authentication.
Watch the recording on my Patreon https://www.patreon.com/posts/microsoft-entra-105282804?utm_medium=clipboard_copy&utm_source=copyLink&utm_campaign=postshare_creator&utm_content=join_link
The recording is also available in Czech language on
Forendors https://www.forendors.cz/p/646afdb06ee2fa16eeabe6c7c27a8627
Herohero https://herohero.co/cswrld/post/bceroxowdykkdqmwkexieitgvtiobpq
Share, like, comment!
#entraid #authentication #authenticationstrengths #conditionalaccess #cybersecurity #recommendations #tips #videotutorial
-
One of the most popular posts on my blog is an article about recommended conditional access policies in Microsoft Entra ID https://www.cswrld.com/2024/02/recommended-conditional-access-policies-in-microsoft-entra-id/
In this article, I describe the most important conditional access policies that every organization should have implemented.
I have received a lot of positive feedback on the article, for which I am very grateful! However, people also wrote that they would like more details about the configuration of each policy if possible, and that they would like more details about the configuration of other conditional access policies as well.
So I made a very detailed video of over an hour, describing in detail a total of 28 conditional access policies that I recommend to consider deploying in all organizations, regardless of their size.
Cloud identity security is absolutely critical, and unfortunately I regularly see security gaps in conditional access policies.
๐บWatch the recording on my Patreon https://www.patreon.com/posts/recommended-in-105019232?utm_medium=clipboard_copy&utm_source=copyLink&utm_campaign=postshare_creator&utm_content=join_link
The recording is also available in Czech language on
Forendors https://www.forendors.cz/p/d4210cfb79de8b0c2cdfcfd4c3a7b5b2
Herohero https://herohero.co/cswrld/post/bceroxowdykkdsviexrujbiknuqywrxa
Share, like, comment!
#conditionalaccess #entraid #cybersecurity #recommendations #tips
-
Microsoft Entra ID Token Protection is a security feature within Microsoft Entra's Conditional Access that aims to mitigate token theft by ensuring that a token can only be used from the device it was issued to. This is achieved through a process called token binding, which creates a cryptographically secure link between the token and the device.
If a threat actor were to steal a token, without the corresponding client secret from the device, the token would be rendered useless.
This protection is particularly important because token theft, while relatively rare, can lead to significant security breaches if the threat actor impersonates the victim until the token expires or is revoked.
Do you want to learn more about token protection and how to enforce it in Microsoft Entra ID? Read my latest blog post!
https://www.cswrld.com/2024/04/microsoft-entra-id-token-protection-explained/
#entraid #authentication #tokenprotection #tokentheft #conditionalaccess #cybersecurity #tips
-
Microsoft has rolled out so-called Microsoft-managed conditional access policies in November 2023. The policies will be automatically enabled very soon. Do you know what is the impact of the policies on your tenant?
These managed policies are intended to cover the most important identity security scenarios within Microsoft Entra ID. But obviously they can negatively impact existing users and administrators if the company is not ready for the rollout.
Check my blog post from today to see the impact of the policies.
https://www.cswrld.com/2024/04/microsoft-managed-conditional-access-policies/
#conditionalaccess #entraid #microsoft #identitysecurity #tips
-
Authentication Strengths in Microsoft Entra ID allows you to granularly define authentication requirements for different situations.
It is possible to define different groups of authentication methods and then associate them with conditional access policies.
Do you want to know more about authentication strengths in Microsoft Entra ID, how to use it and what are the recommended authentication methods to allow? Read my article below
https://www.cswrld.com/2024/03/microsoft-entra-id-authentication-strengths-explained/
#entraid #conditionalaccess #policies #mfa #authenticationstrength
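How an authentication strength is satisfied, and the Conditional Access grant control that references one, as an added example for the two authentication-strength posts above (it is not the authors' material). Method names are the Graph authenticationMethodModes values; the built-in strength IDs and the Global Administrator role template ID are the documented values at the time of writing, and the MFA combination list is abridged, so confirm both against GET /policies/authenticationStrengthPolicies and your directory roles before use. The custom strength ID and the group ID are placeholders.

```python
"""Model of authentication-strength satisfaction plus the CA grant control
that requires one (added example). Built-in IDs as documented at the time of
writing; MFA combinations abridged; custom strength ID and group ID assumed."""

PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
MFA = "00000000-0000-0000-0000-000000000002"
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"

STRENGTHS = {
    MFA: {
        "displayName": "Multifactor authentication",
        "allowedCombinations": [          # abridged list of the built-in combinations
            "password,sms", "password,voice", "password,softwareOath",
            "password,hardwareOath", "password,microsoftAuthenticatorPush",
            "fido2", "windowsHelloForBusiness", "x509CertificateMultiFactor",
            "temporaryAccessPassOneTime",
        ],
    },
    PHISHING_RESISTANT_MFA: {
        "displayName": "Phishing-resistant MFA",
        "allowedCombinations": ["windowsHelloForBusiness", "fido2", "x509CertificateMultiFactor"],
    },
    # A custom strength you would create yourself (assumed ID)
    "custom-fido2-only": {"displayName": "FIDO2 only", "allowedCombinations": ["fido2"]},
}


def satisfies(strength_id: str, methods_used: set) -> bool:
    """A strength is met when at least one allowed combination is fully covered
    by the methods actually used in the sign-in."""
    for combo in STRENGTHS[strength_id]["allowedCombinations"]:
        if set(combo.split(",")) <= methods_used:
            return True
    return False


def strengths_met(methods_used: set) -> list:
    """Display names of every strength the given methods satisfy, sorted."""
    return sorted(STRENGTHS[s]["displayName"] for s in STRENGTHS if satisfies(s, methods_used))


def admin_strength_policy(strength_id: str = PHISHING_RESISTANT_MFA,
                          break_glass_group_id: str = "<break-glass-group-id>") -> dict:
    """CA policy body: Global Administrators must meet the given strength for every
    app. Keep a break-glass group excluded and pilot in report-only mode first."""
    return {
        "displayName": "Require phishing-resistant MFA for Global Administrators",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE],
                      "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": strength_id}},
    }


if __name__ == "__main__":
    for used in ({"password"}, {"password", "sms"}, {"password", "microsoftAuthenticatorPush"}, {"fido2"}):
        print(sorted(used), "->", strengths_met(used))
```

The contrast the posts describe falls out directly: a tenant-wide "require MFA" is met by password plus SMS, while the admin policy above rejects that same sign-in because no phishing-resistant combination is covered.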
-
Evaluation of Conditional Access Policies in Microsoft Entra ID is relatively simple and straightforward. But what many administrators don't realize are the background dependencies between different services, called service dependencies.
Do you know the difference between early-bound and late-bound dependencies? Read the details on my blog
https://www.cswrld.com/2024/02/service-dependencies-in-conditional-access-policies/
-
I'd like to point out this really interesting article on the topic: Token Theft Talk.
Key points and topics covered:
- Primary Refresh Tokens (PRT) on all operating system platforms have been hardened against theft from day one. The level of protection depends on operating system capabilities, with Windows offering the strongest protection.
- First line of defense against token theft is protecting your devices by deploying endpoint protections, device management, MFA (and moving towards phishing-resistant credentials), and antimalware.
You can reduce token theft by carefully orchestrating Entra ID security products:
- Addressing token theft of sign-in session artifacts: Conditional Access: Token protection policy offers cryptographic protection against replay of stolen tokens.
- Addressing token theft of app session artifacts: block usage of stolen access tokens and workload cookies outside of your corporate network by using Conditional Access.
- Detecting token theft: enable risk detections with Microsoft Entra ID Protection to elevate user risk when token theft is suspected.
#microsoft #microsoftsecurity #entraid #azuread #azure #idp #token #tokentheft #cloudsecurity #identity #prt #cookies #identityprotection #mfa #cae #conditionalaccess #refreshtoken #token
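A simplified proof-of-possession model of the token binding that the Token Protection post and the Token Theft Talk summary above describe, added here as an illustration; it is not Microsoft's implementation. Real Entra token protection binds tokens to hardware-protected device keys and signed token requests, which this toy reduces to a per-device HMAC session key established at registration. Device names, users and keys are made up.

```python
"""Toy device-bound (proof-of-possession) token versus a bearer token (added
example, not Microsoft's implementation). The session key stands in for a
hardware-protected device key; names and keys are made up."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Device:
    """Holds a session key that never leaves the device (hardware-protected in reality)."""
    def __init__(self, device_id: str):
        self.device_id = device_id
        self._session_key = secrets.token_bytes(32)

    def register_with(self, idp) -> None:
        idp.registered[self.device_id] = self._session_key

    def prove_possession(self, token: str, nonce: str) -> str:
        """Sign the token and a fresh server nonce with the device key."""
        return b64(hmac.new(self._session_key, f"{token}.{nonce}".encode(), hashlib.sha256).digest())


class IdentityProvider:
    def __init__(self):
        self._issuer_key = secrets.token_bytes(32)
        self.registered = {}        # device_id -> session key, set at device registration
        self._used_nonces = set()

    def _sign(self, body: str) -> str:
        return b64(hmac.new(self._issuer_key, body.encode(), hashlib.sha256).digest())

    def issue_token(self, user: str, device_id: str, ttl: int = 3600) -> str:
        """Token carries the ID of the device it was issued to."""
        claims = {"sub": user, "device_id": device_id, "exp": int(time.time()) + ttl}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def nonce(self) -> str:
        return b64(secrets.token_bytes(16))

    def verify_unbound(self, token: str) -> str:
        """Bearer semantics: whoever holds a valid token is accepted."""
        body, sig = token.split(".")
        return "ok" if hmac.compare_digest(sig, self._sign(body)) else "invalid_token"

    def verify_bound(self, token: str, nonce: str, pop: str) -> str:
        """Bound semantics: the request must also be signed by the issuing device's key."""
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, self._sign(body)):
            return "invalid_token"
        claims = json.loads(unb64(body))
        if claims["exp"] < time.time():
            return "expired"
        if nonce in self._used_nonces:
            return "replay"
        key = self.registered.get(claims["device_id"])
        if key is None:
            return "unknown_device"
        expected = b64(hmac.new(key, f"{token}.{nonce}".encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(pop, expected):
            return "binding_failed"
        self._used_nonces.add(nonce)
        return "ok"


def demo() -> dict:
    idp = IdentityProvider()
    laptop, attacker_box = Device("laptop-01"), Device("attacker-vm")
    laptop.register_with(idp)
    attacker_box.register_with(idp)           # the attacker may even own a registered device
    token = idp.issue_token("alice", laptop.device_id)

    n1 = idp.nonce()
    legit = idp.verify_bound(token, n1, laptop.prove_possession(token, n1))
    # A token stolen in transit (e.g. through an AiTM proxy) used without the laptop's key
    n2 = idp.nonce()
    stolen = idp.verify_bound(token, n2, attacker_box.prove_possession(token, n2))
    # A captured, correctly signed request replayed verbatim
    replayed = idp.verify_bound(token, n1, laptop.prove_possession(token, n1))
    # The same stolen token under bearer semantics
    bearer = idp.verify_unbound(token)
    return {"legit": legit, "stolen": stolen, "replayed": replayed, "bearer_stolen": bearer}


if __name__ == "__main__":
    print(demo())
```

Both failure modes a practitioner cares about show up: the stolen token signed with a different device key fails the binding check, and a captured, correctly signed request fails the nonce replay check; only under bearer semantics does the stolen token still work.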
-
Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution
Private Access in Microsoft's SSE solution offers secure, controlled access to private resources using Zero Trust principles, expanded from the existing Entra ID Application Proxy. It supports a range of protocols, authentication methods, and anomaly detection, all benefiting from Microsoft's extensive global network.
Find out more info:
Here's a summarized breakdown of the provided information:
1. Private Access in Microsoft's SSE Solution:
- Built on Zero Trust principles.
- Verifies every user and enforces least privilege.
- Grants access only to needed private applications and resources.
2. Expansion of Entra ID Application Proxy:
- Private Access extends capabilities of Entra ID Application Proxy in Microsoft Entra.
- Evolves into a comprehensive Zero Trust Network Access (ZTNA) solution.
- Shares connectors but offers expanded functionalities.
3. Access to Any Private Resource:
- Simplifies and secures access to private resources on any port and protocol.
- Policies enable secure, segmented, and granular access to corporate network apps.
- Covers on-premises, cloud-based applications, and more.
4. Granular Access Controls and Anomaly Detection:
- Conditional Access policies offer per-app, least privilege controls.
- Contextual information about users, devices, and locations enhances policies.
- Anomalies or changes trigger session termination or stronger authentication.
5. Secure Access Across Ports and Protocols:
- Private Access enables secure entry to applications, regardless of location.
- Works with various protocols, including RDP, SSH, SMB, FTP, TCP, and UDP.
6. Diverse Authentication Methods:
- Supports single sign-on (SSO) via SAML, HTTP headers, or legacy Kerberos.
- No need for application modifications.
7. Microsoft's Global Network Advantage:
- Private Access utilizes Microsoft's vast global network for delivery.
- Enhanced security and faster access compared to traditional VPNs.
- Optimized connection for hybrid and remote work scenarios.
#microsoft #entra #sse #ZTNA #ZeroTrustNetworkAccess #ZeroTrust #sso #saml #mfa #conditionalaccess #azuread #securityserviceedge #vpn #azure #cloud #cloudsecurity
-
#ConditionalAccess in #EntraID should be a core skill if you are involved in securing MS cloud environments. More and more of their technologies are using it, and it provides such an extensive set of controls.
-
How often do you audit and review if you have CA policy gaps in your organization to meet best practices?
See best practices and report here:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/workbook-conditional-access-gap-analyzer
#microsoft #security #entra #entraid #azuread #o365 #office365 #conditionalaccess #cloudsecurity #identity