Skip to content

Security

Break glass accounts and Azure AD Security Defaults

Security Defaults is the best thing since sliced bread. I mean, come on! It will enforce MFA for everybody, will block that dirty legacy authentication, and even gives you features that you normally would pay big money for (Azure AD Identity Security). Good enough for a lot of (smaller) organizations out there. Today’s post is about that feature and the use of break-glass accounts. For a lot of folks, this post might be obvious, as this is their daily job… 

Goodbye legacy SSPR and MFA settings. Hello Authentication Methods Policies!

I’ve got some exciting news to share today. Microsoft has launched a public preview called “Authentication Methods Policy Convergence.” I was part of the private preview program, and I’m very happy to see this feature going public. In this post, I will give you a brief introduction to this new feature and explain why this is such a big deal. Current situation A while back, I wrote this post where I explained that the SSPR and MFA settings are very… 

How to set up Evilginx to phish Office 365 credentials

Disclaimer Evilginx can be used for nasty stuff. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties, or for educational purposes. That being said: on with the show. Today a step-by-step tutorial on how to set up Evilginx and how to use it to phish for Office 365 or… 

Use a FIDO2 security key as Azure MFA verification method

This news seems to be kept under the radar a little bit, but I wanted to point out a new feature in Azure AD that might help out some organizations with their Azure MFA implementations. Take a look at this list of supported authentication methods, and notice that passwordless methods can also be used as a form of verification for Azure AD Multi-Factor Authentication: Microsoft Authenticator app Windows Hello for Business FIDO2 security key OATH hardware token (preview) OATH software… 

Get alerts on Azure resource assignments made outside PIM

Microsoft released a new public preview where admins can be alerted when assignments to Azure resources are made outside of Privileged Identity Management. This was already possible in combination with Azure AD roles, but the new preview now applies to Azure resources as well. Where alerts on Azure AD roles are enabled by default, alerts for Azure resources need to be enabled by an administrator first. This feature is extremely valuable when you want to govern your Privileged Access implementation,… 

Multi-stage approval for privileged roles using Azure AD Identity Governance

Privileged Identity Management is a great feature within Azure AD to provide just-in-time access to your admin roles and Azure resources. But some roles may require an extra level of security, for the simple fact the role is highly privileged, and (hopefully) rarely used. With the current capabilities, you are able to activate an approval step, but that is only limited to one approver. In this article, I will show you how you can use Azure AD Identity Governance to create… 

10 tips to secure your identities in Microsoft 365

I was recently invited by the Dutch Virtual Desktop User Group to present a session about Identity Security. Now, because this was in Dutch (my native language), I decided to do a ‘short’ write-up in English, so everybody can benefit from this. I shared 10 tips on how to secure your identities, but not before I showed how easy it is to phish Office 365 credentials, even if they are protected with MFA. You can also check the recording in… 

Access reviews for Azure AD directory roles

This blog post is for all those organizations out there with stale, overprivileged accounts having standing access to Azure AD roles, that nobody knows about, far away from the HR systems and on/offboarding processes. This is often a huge problem and the elephant in the (security) room. Now, what can we do about it? I assume you are already aware of Azure AD Privileged Identity Management, and the great features that it brings. In short: with PIM you can reduce… 

Onboard FIDO2 keys using Temporary Access Pass in Azure AD

One of the requirements to use FIDO2 security keys with your Microsoft 365 or Azure Active Directory account is multi-factor authentication. So if the user has not added an authentication method, they need to do that first, in order to add the FIDO2 security key to the account. That is sort of a chicken and egg situation. To work around that, we can use Azure Active Directory’s Temporary Access Pass (TAP) to onboard the user. Using this method, TAP will… 

Use Registration campaign to promote Microsoft Authenticator App

With all the new improvements to the Microsoft Authenticator App, this seems a good time to highlight a new capability in Azure AD: Registration Campain, also known as the nudge feature. Also, organizations should move away from phone transports for authentication. If your users use text (SMS) for second-factor authentication, they have very little context, and therefore might be confusing. On top of that, attackers use SIM jacking techniques to bypass those phone methods. By far the most secure way…