Skip to content

Block users from viewing their BitLocker keys

This post is mainly focused on a new tenant setting, where you can prevent your end-users from viewing their Bitlocker keys. By design, your users can see Bitlocker keys from devices they own from the MyAccount portal. My Account (microsoft.com) For some (large) enterprise organizations, this is an unwanted feature. Changing the setting Using PowerShell or Graph API, you can now disable this feature. This will apply to the entire tenant so that users without proper permissions will no longer… 

How to set up Evilginx to phish Office 365 credentials

Update: Evilginx 3 is here! This post is based on Evilginx 2 and still works, as I forked the old repository to my personal Github, and did some tweaks to make it work. I recently created a newer version of the phishlet that only works for Evilginx 3. Read all about it here: Running Evilginx 3.0 on Windows – JanBakker.tech If you are a red-teamer, I really recommend checking out the new Evilginx 3 framework, and learn how it works… 

How to deal with orphaned objects in Azure AD (Connect)

We have done hybrid identity for a couple of years now, and it looks like the vast majority is not going to change that soon. Over the past years, we had different tools to facilitate hybrid identity. When we started this journey, there was no Azure AD Connect. We used tools like Dirsync or FIM/MIM, and that was not always easy. Still today, proper management of Azure AD Connect can be quite complex. What’s the issue? Today we are going… 

Use a FIDO2 security key as Azure MFA verification method

This news seems to be kept under the radar a little bit, but I wanted to point out a new feature in Azure AD that might help out some organizations with their Azure MFA implementations. Take a look at this list of supported authentication methods, and notice that passwordless methods can also be used as a form of verification for Azure AD Multi-Factor Authentication: Microsoft Authenticator app Windows Hello for Business FIDO2 security key OATH hardware token (preview) OATH software… 

Get alerts on Azure resource assignments made outside PIM

Microsoft released a new public preview where admins can be alerted when assignments to Azure resources are made outside of Privileged Identity Management. This was already possible in combination with Azure AD roles, but the new preview now applies to Azure resources as well. Where alerts on Azure AD roles are enabled by default, alerts for Azure resources need to be enabled by an administrator first. This feature is extremely valuable when you want to govern your Privileged Access implementation,… 

Dynamic Administrative Units using on-prem Organizational Units

  • Entra
  • 4 min read

Gone are the days that I could start a workshop, session, or training with: “Do you know the big difference between Active Directory and Azure Active Directory? Azure AD is flat, where AD is not.” Well…… If there is one thing I’ve learned over the last years: it’s hard to do Zero Trust in a flat landscape. Lucky for us, we have Administrative Units nowadays. I really love Administrative Units (AUs) as they bring scoping to Azure AD. Until recently,… 

Get started with Azure AD B2B direct connect

We all love seamless collaboration, right? Well, here’s a new feature that might improve that experience. Today, we will talk about Azure AD’s cross-tenant access settings, and in particular, about Azure AD B2B direct connect. What is B2B direct connect? B2B direct connect is part of the cross-tenant access settings in Azure AD. These settings will give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD… 

KB – Reset cross-tenant access policies back to the system default.

  • Entra
  • 2 min read

This is a knowledgebase item. Hope it helps you out someday. The issue Changes have been made to the default settings in the Azure AD cross-tenant policies. You want to revert them, but there is no button in the Azure portal UI to do that (at the moment of writing this article) Solution This can be done using the Graph API. The easiest way is using Graph Explorer. So, how does that work? Browse to https://aka.ms/ge, and make sure that… 

Multi-stage approval for privileged roles using Azure AD Identity Governance

Privileged Identity Management is a great feature within Azure AD to provide just-in-time access to your admin roles and Azure resources. But some roles may require an extra level of security, for the simple fact the role is highly privileged, and (hopefully) rarely used. With the current capabilities, you are able to activate an approval step, but that is only limited to one approver. In this article, I will show you how you can use Azure AD Identity Governance to create… 

KB – mobile phone number not in sync Azure AD Connect

This is a knowledgebase item. Hope it helps you out someday. The issue Some users reported that the mobile phone number in Azure Active Directory / Office 365 was different from the number in on-prem Active Directory. Even though these users were synced with Azure AD Connect, the mobile phone attribute was no longer in sync. Cause After some investigation, it seemed that the affected accounts were previously edited with the Set-MsolUser cmdlet from the MSOnline PowerShell module. To make…