This post introduces the MicrosoftCloudWorkloadActivity KQL function and shows how to hunt token-based activity of workload identities across Microsoft cloud workloads. It covers key parameters, filtering strategies, and example queries for detecting unusual usage and anomalies, especia...
Linked Identities in Microsoft Defender unlock new opportunities for visibility and management of multiple accounts, including scenarios with separated privileged users. I’ve worked on several integrations of this feature across community tools and want to highlight some use cases.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at atta...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and thre...
Collecting details of all workload identities in Microsoft Entra ID allows to build correlation and provide enrichment data for Security Operation Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to im...
Attack techniques has shown that service principals will be used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example as part of the NOBELIUM attack path. Abuse of privileged Workload identities for exfiltration and privilege esca...
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and permissions should be part of identity operations. In th...
Workload identities will be used by applications, services or cloud resources for authentication and accessing other services and resources. Especially, organizations which follows a DevOps approach and high automation principals needs to manage those identities at scale and implement p...
Restricted Management Administrative Unit (RMAU) allows to protect objects from modification by Azure AD role members on directory-level scope. Management permissions will be restricted to granted Azure AD roles on scope of the particular RMAU. In this blog post, we will have a look on ...
Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can be also abused by Security Administrators for privilege escalation, such as creating (Active Directory) Domain Admin account or “phishin...
Conditional Access and Entitlement Management plays an essential role to apply Zero Trust principles of “Verify explicitly“ and “Use least-privilege access“ to Privileged Identity and Access. In this article, I like to describe, how this features can be use to secure access to privilege...
Microsoft has been released a feature to automate on- and off-boarding tasks for Azure AD accounts. Lifecycle workflows offers built-in workflow templates but also the option to integrate Logic Apps as custom extensions. In this blog post, I would like to give an example, how to use thi...
Microsoft is using Keychain to store cached Azure AD tokens for “logged in” Edge profiles on macOS devices. Apple’s integrated password management system offers “encryption at rest” and built-in security features. Nevertheless, options to exfiltrate user’s token and abuse them for token...
AADOps is a personal study and research project which sets out to demonstrate how operationalization of Azure AD in Azure DevOps could look like. In this blog post, I’ve set the scope on the scenario to build automation and lifecycle management of Conditional Access - as Zero Trust poli...
Cloud Managed Service Providers and many other organizations are mostly interested to manage their environment(s) ‘as code’ which enables advanced automation and scaling options. For some time, there has been improvements in programmatic access but also community-driven projects for aut...
FIDO2 Security Keys are a passwordless and strong authentication method to sign-in to Windows devices and can be used for single sign-on (SSO) access to cloud and on-premises resources. This second part of my “Hybrid FIDO2” article covers the on-boarding process with “Temporary Access P...
Microsoft has announced the GA of FIDO2 support in Azure AD at Ignite Spring 2021. Previously, passwordless authentication in hybrid environments was only possible by implementing Windows Hello for Business (WHfB). The first of a two part blog post, gives you an overview about FIDO2 sec...
Recently, Microsoft added new categories for sign-in logs which finally included non-interactive, managed or service principals in Azure AD. In this blog post I will describe the configuration steps to forward the new collections to Azure Sentinel, some considerations from my first test...
Microsoft introduced Privileged Access Groups in Azure AD and PIM recently. I like to give an overview of current challenges in managing privileged access outside of Azure AD admin roles (for example in Azure DevOps, Intune or MDATP RBAC) and where PAG seems to offer new management capa...
In this blog post I will share my research results of identity security in Azure AD B2B scenarios. This includes some security considerations on missing sign-in (failure) events and enforcement of Conditional Access and risk-based policies for invited users.
Cloud Identity Summit will be take place on October 22th as global virtual event. Find out more about this free Azure community event in my latest announcement.
End-users are able to reset their passwords as part of the Azure AD „self-service password reset“ (SSPR) service. Including an option to write back passwords resets from Azure AD to on-premises AD. Consideration of security aspects and detection of any suspicious activity in the passwor...
Am 23.10.2020 wird eine ganztägige Community-Veranstaltung zu Themen rund um Azure AD in Koblenz statt finden. Der Cloud Identity Summit setzt dabei besonders den Fokus auf den Austausch unter den Teilnehmern und Vorträge für Identity Experten.
Administrative Units (AUs) allow organizations to delegate admin permission to a custom scope and segment (such as region, department, business units) within a single Azure AD tenant. In this blog post I like to share my experience including use cases, considerations and limitations of ...
Every created Azure AD tenant has default configurations by Microsoft. These settings should be reviewed and cross checked with your security requirements, strategy of self-services and governance. Using Secure Score and few settings needs particular attention.
Popular phishing attacks are using illicit consent grant to gain company or user data. In this article we will cover the detection (with Microsoft Cloud App Security and Azure Sentinel) and mitigation with the latest feature of Azure AD.
I have speaking about Azure AD B2C at the local .NET user group. You can find my slides here.
Improve security and usability of privileged access in Azure even if you don’t use (as recommended) a dedicated devices. This blog post give you some recommendations and advices to protect privileged identity, session and browser. This can be use as part of your PAW/Admin workstation im...
Microsoft strongly recommends to implement emergency access accounts. This article gives an overview and step-by-step guide to configure and monitor this type of accounts!
Microsoft is using Keychain to store cached Azure AD tokens for “logged in” Edge profiles on macOS devices. Apple’s integrated password management system offers “encryption at rest” and built-in security features. Nevertheless, options to exfiltrate user’s token and abuse them for token...
GitHub Enterprise is more than a platform to manage developer’s code in a repository. It will be also used to automate deployment of cloud resources and manage infrastructure-as-code. This blog post gives you an overview about ingest audit data, write analytics rules and automate respon...
FIDO2 Security Keys are a passwordless and strong authentication method to sign-in to Windows devices and can be used for single sign-on (SSO) access to cloud and on-premises resources. This second part of my “Hybrid FIDO2” article covers the on-boarding process with “Temporary Access P...
Microsoft has announced the GA of FIDO2 support in Azure AD at Ignite Spring 2021. Previously, passwordless authentication in hybrid environments was only possible by implementing Windows Hello for Business (WHfB). The first of a two part blog post, gives you an overview about FIDO2 sec...
Microsoft offers several solutions and services for securing (hybrid) identities and protecting access to workloads such as Azure, Office 365 or other integrated apps in Azure Active Directory. I like to give an overview about data sources or signals that should be considered for monito...
In the recent weeks, I’ve worked together with Sami Lamppu on the first section of a playbook about common attack and defense scenarios in Azure AD. In this article I would like to talk about the motivation, objective of the document and invite everyone from the community to participate...
Microsoft introduced Privileged Access Groups in Azure AD and PIM recently. I like to give an overview of current challenges in managing privileged access outside of Azure AD admin roles (for example in Azure DevOps, Intune or MDATP RBAC) and where PAG seems to offer new management capa...
In this blog post I will share my research results of identity security in Azure AD B2B scenarios. This includes some security considerations on missing sign-in (failure) events and enforcement of Conditional Access and risk-based policies for invited users.
End-users are able to reset their passwords as part of the Azure AD „self-service password reset“ (SSPR) service. Including an option to write back passwords resets from Azure AD to on-premises AD. Consideration of security aspects and detection of any suspicious activity in the passwor...
Administrative Units (AUs) allow organizations to delegate admin permission to a custom scope and segment (such as region, department, business units) within a single Azure AD tenant. In this blog post I like to share my experience including use cases, considerations and limitations of ...
Every created Azure AD tenant has default configurations by Microsoft. These settings should be reviewed and cross checked with your security requirements, strategy of self-services and governance. Using Secure Score and few settings needs particular attention.
Popular phishing attacks are using illicit consent grant to gain company or user data. In this article we will cover the detection (with Microsoft Cloud App Security and Azure Sentinel) and mitigation with the latest feature of Azure AD.
Improve security and usability of privileged access in Azure even if you don’t use (as recommended) a dedicated devices. This blog post give you some recommendations and advices to protect privileged identity, session and browser. This can be use as part of your PAW/Admin workstation im...
Do you want to know how to implement a ZeroTrust security model with Microsoft 365? Take a look on my link collection to learn more about the modern approach to cybersecurity.
Microsoft strongly recommends to implement emergency access accounts. This article gives an overview and step-by-step guide to configure and monitor this type of accounts!
This post introduces the MicrosoftCloudWorkloadActivity KQL function and shows how to hunt token-based activity of workload identities across Microsoft cloud workloads. It covers key parameters, filtering strategies, and example queries for detecting unusual usage and anomalies, especia...
Linked Identities in Microsoft Defender unlock new opportunities for visibility and management of multiple accounts, including scenarios with separated privileged users. I’ve worked on several integrations of this feature across community tools and want to highlight some use cases.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at atta...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and thre...
Collecting details of all workload identities in Microsoft Entra ID allows to build correlation and provide enrichment data for Security Operation Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to im...
Attack techniques has shown that service principals will be used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example as part of the NOBELIUM attack path. Abuse of privileged Workload identities for exfiltration and privilege esca...
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and permissions should be part of identity operations. In th...
Workload identities will be used by applications, services or cloud resources for authentication and accessing other services and resources. Especially, organizations which follows a DevOps approach and high automation principals needs to manage those identities at scale and implement p...
Restricted Management Administrative Unit (RMAU) allows to protect objects from modification by Azure AD role members on directory-level scope. Management permissions will be restricted to granted Azure AD roles on scope of the particular RMAU. In this blog post, we will have a look on ...
FIDO2 Security Keys are a passwordless and strong authentication method to sign-in to Windows devices and can be used for single sign-on (SSO) access to cloud and on-premises resources. This second part of my “Hybrid FIDO2” article covers the on-boarding process with “Temporary Access P...
Microsoft has announced the GA of FIDO2 support in Azure AD at Ignite Spring 2021. Previously, passwordless authentication in hybrid environments was only possible by implementing Windows Hello for Business (WHfB). The first of a two part blog post, gives you an overview about FIDO2 sec...
Do you want to know how to implement a ZeroTrust security model with Microsoft 365? Take a look on my link collection to learn more about the modern approach to cybersecurity.
In this article I like to give you an overview about resources that helps you to visualize and document your Azure cloud solutions and environments
Collection of various resources and study guides of Azure Architecture & Design Patterns
This post introduces the MicrosoftCloudWorkloadActivity KQL function and shows how to hunt token-based activity of workload identities across Microsoft cloud workloads. It covers key parameters, filtering strategies, and example queries for detecting unusual usage and anomalies, especia...
Linked Identities in Microsoft Defender unlock new opportunities for visibility and management of multiple accounts, including scenarios with separated privileged users. I’ve worked on several integrations of this feature across community tools and want to highlight some use cases.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at atta...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and thre...
Collecting details of all workload identities in Microsoft Entra ID allows to build correlation and provide enrichment data for Security Operation Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to im...
Attack techniques has shown that service principals will be used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example as part of the NOBELIUM attack path. Abuse of privileged Workload identities for exfiltration and privilege esca...
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and permissions should be part of identity operations. In th...
Workload identities will be used by applications, services or cloud resources for authentication and accessing other services and resources. Especially, organizations which follows a DevOps approach and high automation principals needs to manage those identities at scale and implement p...
This post introduces the MicrosoftCloudWorkloadActivity KQL function and shows how to hunt token-based activity of workload identities across Microsoft cloud workloads. It covers key parameters, filtering strategies, and example queries for detecting unusual usage and anomalies, especia...
Linked Identities in Microsoft Defender unlock new opportunities for visibility and management of multiple accounts, including scenarios with separated privileged users. I’ve worked on several integrations of this feature across community tools and want to highlight some use cases.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at atta...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and thre...
Collecting details of all workload identities in Microsoft Entra ID allows to build correlation and provide enrichment data for Security Operation Teams. In addition, it also brings new capabilities for creating custom detections. In this blog post, I will show some options on how to im...
Attack techniques has shown that service principals will be used for initial and persistent access to create a backdoor in Microsoft Entra ID. This has been used, for example as part of the NOBELIUM attack path. Abuse of privileged Workload identities for exfiltration and privilege esca...
Workload identities should be covered by lifecycle management and processes to avoid identity risks such as over-privileged permissions but also inactive (stale) accounts. Regular review of the provisioned non-human identities and permissions should be part of identity operations. In th...
Workload identities will be used by applications, services or cloud resources for authentication and accessing other services and resources. Especially, organizations which follows a DevOps approach and high automation principals needs to manage those identities at scale and implement p...
Over the past 3 months, I spoke at community events and set my focus on research work. Unfortunately, there was no time left for blogging. But I’m planning to share the results of the recent community work also on my blog. Therefore I like to start with an overview and recap of my commu...
In the recent weeks, I’ve worked together with Sami Lamppu on the first section of a playbook about common attack and defense scenarios in Azure AD. In this article I would like to talk about the motivation, objective of the document and invite everyone from the community to participate...
Thank you all for congratulations and the kind words in the recent days! On the weekend, I’ve used the opportunity to look back on my (Azure) learning journey and previous community experiences.
Cloud Identity Summit will be take place on October 22th as global virtual event. Find out more about this free Azure community event in my latest announcement.
Am 23.10.2020 wird eine ganztägige Community-Veranstaltung zu Themen rund um Azure AD in Koblenz statt finden. Der Cloud Identity Summit setzt dabei besonders den Fokus auf den Austausch unter den Teilnehmern und Vorträge für Identity Experten.
The year is nearly over… now is a great time to look back and see what’s next in the upcoming year.
I have speaking about Azure AD B2C at the local .NET user group. You can find my slides here.
Microsoft introduced Privileged Access Groups in Azure AD and PIM recently. I like to give an overview of current challenges in managing privileged access outside of Azure AD admin roles (for example in Azure DevOps, Intune or MDATP RBAC) and where PAG seems to offer new management capa...
In the recent years many organizations used the Microsoft Enterprise Agreement (EA) portal (or APIs) for creation and initial setup of their subscriptions. I like to give an overview about security considerations and preventation of (potential) privilege escalation to „takeover“ subscri...
Administrative Units (AUs) allow organizations to delegate admin permission to a custom scope and segment (such as region, department, business units) within a single Azure AD tenant. In this blog post I like to share my experience including use cases, considerations and limitations of ...
Improve security and usability of privileged access in Azure even if you don’t use (as recommended) a dedicated devices. This blog post give you some recommendations and advices to protect privileged identity, session and browser. This can be use as part of your PAW/Admin workstation im...
Microsoft strongly recommends to implement emergency access accounts. This article gives an overview and step-by-step guide to configure and monitor this type of accounts!
Restricted Management Administrative Unit (RMAU) allows to protect objects from modification by Azure AD role members on directory-level scope. Management permissions will be restricted to granted Azure AD roles on scope of the particular RMAU. In this blog post, we will have a look on ...
Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can be also abused by Security Administrators for privilege escalation, such as creating (Active Directory) Domain Admin account or “phishin...
Conditional Access and Entitlement Management plays an essential role to apply Zero Trust principles of “Verify explicitly“ and “Use least-privilege access“ to Privileged Identity and Access. In this article, I like to describe, how this features can be use to secure access to privilege...
Microsoft has been released a feature to automate on- and off-boarding tasks for Azure AD accounts. Lifecycle workflows offers built-in workflow templates but also the option to integrate Logic Apps as custom extensions. In this blog post, I would like to give an example, how to use thi...
This post introduces the MicrosoftCloudWorkloadActivity KQL function and shows how to hunt token-based activity of workload identities across Microsoft cloud workloads. It covers key parameters, filtering strategies, and example queries for detecting unusual usage and anomalies, especia...
Linked Identities in Microsoft Defender unlock new opportunities for visibility and management of multiple accounts, including scenarios with separated privileged users. I’ve worked on several integrations of this feature across community tools and want to highlight some use cases.
In this article, I would like to point out options to identify, monitor and avoid persistent access on Managed Identities privileges by adding federated credentials on User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities. We will also have a quick look at atta...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of Workload Identities in Microsoft Entra. This time, we will start to automate the incident response for tackling malicious activities and thre...
In this article I like to give you an overview about resources that helps you to visualize and document your Azure cloud solutions and environments
Collection of various resources and study guides of Azure Architecture & Design Patterns
In this blog post I will share my research results of identity security in Azure AD B2B scenarios. This includes some security considerations on missing sign-in (failure) events and enforcement of Conditional Access and risk-based policies for invited users.
I have speaking about Azure AD B2C at the local .NET user group. You can find my slides here.
AADOps is a personal study and research project which sets out to demonstrate how operationalization of Azure AD in Azure DevOps could look like. In this blog post, I’ve set the scope on the scenario to build automation and lifecycle management of Conditional Access - as Zero Trust poli...
Cloud Managed Service Providers and many other organizations are mostly interested to manage their environment(s) ‘as code’ which enables advanced automation and scaling options. For some time, there has been improvements in programmatic access but also community-driven projects for aut...
AADOps is a personal study and research project which sets out to demonstrate how operationalization of Azure AD in Azure DevOps could look like. In this blog post, I’ve set the scope on the scenario to build automation and lifecycle management of Conditional Access - as Zero Trust poli...
Cloud Managed Service Providers and many other organizations are mostly interested to manage their environment(s) ‘as code’ which enables advanced automation and scaling options. For some time, there has been improvements in programmatic access but also community-driven projects for aut...
Microsoft is using Keychain to store cached Azure AD tokens for “logged in” Edge profiles on macOS devices. Apple’s integrated password management system offers “encryption at rest” and built-in security features. Nevertheless, options to exfiltrate user’s token and abuse them for token...
GitHub Enterprise is more than a platform to manage developer’s code in a repository. It will be also used to automate deployment of cloud resources and manage infrastructure-as-code. This blog post gives you an overview about ingest audit data, write analytics rules and automate respon...
Conditional Access and Entitlement Management plays an essential role to apply Zero Trust principles of “Verify explicitly“ and “Use least-privilege access“ to Privileged Identity and Access. In this article, I like to describe, how this features can be use to secure access to privilege...
Microsoft has been released a feature to automate on- and off-boarding tasks for Azure AD accounts. Lifecycle workflows offers built-in workflow templates but also the option to integrate Logic Apps as custom extensions. In this blog post, I would like to give an example, how to use thi...
In the recent years many organizations used the Microsoft Enterprise Agreement (EA) portal (or APIs) for creation and initial setup of their subscriptions. I like to give an overview about security considerations and preventation of (potential) privilege escalation to „takeover“ subscri...
Recently, Microsoft added new categories for sign-in logs which finally included non-interactive, managed or service principals in Azure AD. In this blog post I will describe the configuration steps to forward the new collections to Azure Sentinel, some considerations from my first test...
Microsoft offers several solutions and services for securing (hybrid) identities and protecting access to workloads such as Azure, Office 365 or other integrated apps in Azure Active Directory. I like to give an overview about data sources or signals that should be considered for monito...
Microsoft offers several solutions and services for securing (hybrid) identities and protecting access to workloads such as Azure, Office 365 or other integrated apps in Azure Active Directory. I like to give an overview about data sources or signals that should be considered for monito...
Over the past 3 months, I spoke at community events and set my focus on research work. Unfortunately, there was no time left for blogging. But I’m planning to share the results of the recent community work also on my blog. Therefore I like to start with an overview and recap of my commu...
GitHub Enterprise is more than a platform to manage developer’s code in a repository. It will be also used to automate deployment of cloud resources and manage infrastructure-as-code. This blog post gives you an overview about ingest audit data, write analytics rules and automate respon...
Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can be also abused by Security Administrators for privilege escalation, such as creating (Active Directory) Domain Admin account or “phishin...
