Himmelblau 2.0: Azure Entra ID for Linux, and not from Microsoft

The free software Himmelblau reaches version 2.0 and fully integrates Linux systems into Azure Entra ID, now with an offline mode and SELinux support.

heise online

Excited to be putting the finishing screenshots in my #bsidesatl presentation about some new security controls that #AzureEntraID has made available around App Consent and Workload Identity protection. #entraid #Microsoft365 #cloudsecurity @bsidesatl

https://pretalx.com/bsidesatl-2025/talk/review/DMYAZJ83ZMUH8XWWPTTSBTKUYGDUHBJL

New Locks, Old Keys: Evaluating Microsoft’s Latest Controls Against Service Principal Abuse BSides Atlanta 2025

Abuse of Service Principals in EntraID has been a longstanding favorite of APT groups. In recent years, that knowledge has trickled down to eCrime actors and is leveraged for ransomware and extortion. Microsoft has introduced two (and a half) new security controls to address this in 2025. Each has its pros and cons, but as with any security control an understanding of the risk it mitigates is crucial to balance the tradeoffs against potential business disruption. In this talk, we'll go over three scenarios in which Service Principals are abused and which controls would be relevant to address this risk. We'll also explore how to perform your own testing to evaluate whether the controls you configure are functioning as expected.

#infosec #cloudsecurity #dfir #AzureEntraID If you have a suspected Azure Service Principal compromise, say a company up the supply chain got breached and the Application Registration might be used for access via a cross-tenant consent, then you absolutely MUST search for the AppId in the body of your logs.

If you’re streaming to a SIEM or LogAnalytics workspace, it should be easy enough. If you’re pulling logs from Entra/UAL, please leverage the “free text” search capabilities to search for the AppId(s): https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps#-freetext

Once you’ve done that, grab all of the logins for the SPs and look for any non-MSFT IPs, or any unusual ones (use your investigator thinking hats). Pay particular attention to the servicePrincipalCredentialKeyId field. If it’s a value that you don’t have in your tenant for your SP, congratulations, you’re the victim of a supply-chain attack.

Then grab the SessionIDs from those logins and run them against the results of your FreeText UAL search. If you find any hits, then you’ll likely have new identities to go hunt for full UAL activity on in your environment.

Search-UnifiedAuditLog (ExchangePowerShell)

The Search-UnifiedAuditLog cmdlet presents pages of data based on repeated iterations of the same command. Use SessionId and SessionCommand to repeatedly run the cmdlet until you get zero returns, or hit the maximum number of results based on the session command. To gauge progress, look at the ResultIndex (hits in the current iteration) and ResultCount (hits for all iterations) properties of the data returned by the cmdlet.

The Search-UnifiedAuditLog cmdlet is available in Exchange Online PowerShell. You can also view events from the unified auditing log by using the Microsoft Purview compliance portal. For more information, see Audited activities.

If you want to programmatically download data from the Microsoft 365 audit log, we recommend that you use the Microsoft 365 Management Activity API instead of using the Search-UnifiedAuditLog cmdlet in a PowerShell script. The Microsoft 365 Management Activity API is a REST web service that you can use to develop operations, security, and compliance monitoring solutions for your organization. For more information, see Management Activity API reference.

This cmdlet is available in Office 365 operated by 21Vianet, but it won't return any results.

The OutVariable parameter accepts objects of type ArrayList. Here's an example of how to use it:

$start = (Get-Date).AddDays(-1)
$end = (Get-Date).AddDays(-0.5)
$auditData = New-Object System.Collections.ArrayList
Search-UnifiedAuditLog -StartDate $start -EndDate $end -OutVariable +auditData | Out-Null

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
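The triage the thread above describes (flag service-principal sign-ins with a servicePrincipalCredentialKeyId the tenant never issued or a non-Microsoft source IP, then join their session IDs against the FreeText UAL hits for the AppId), as an added Python example that is not part of the original post and runs over exported JSON records. The AppId, key IDs, IP prefix and all sample records are constructed placeholders, and the field names follow the Entra sign-in log and UAL AuditData schemas as an assumption.

```python
# Added triage helper over exported Entra sign-in and Unified Audit Log records.
# All sample values below are constructed placeholders, not from a real tenant.
APP_ID = "11111111-2222-4333-8444-555555555555"   # placeholder AppId of the suspect app
KNOWN_KEY_IDS = {"k-legit-01"}                     # keyCredential ids your tenant actually issued
TRUSTED_PREFIXES = ("20.190.",)                    # placeholder; replace with the real MSFT ranges

# Service-principal sign-ins (assumed Entra sign-in log field names).
SP_SIGNINS = [
    {"appId": APP_ID, "servicePrincipalCredentialKeyId": "k-legit-01",
     "ipAddress": "20.190.128.5", "sessionId": "s-0001"},
    {"appId": APP_ID, "servicePrincipalCredentialKeyId": "k-rogue-77",   # key we never issued
     "ipAddress": "203.0.113.9", "sessionId": "s-0002"},
    {"appId": APP_ID, "servicePrincipalCredentialKeyId": "k-legit-01",   # our key, odd source IP
     "ipAddress": "198.51.100.4", "sessionId": "s-0003"},
    {"appId": "99999999-2222-4333-8444-555555555555", "servicePrincipalCredentialKeyId": "k-rogue-77",
     "ipAddress": "203.0.113.9", "sessionId": "s-0004"},                  # different app, ignored
]

# Parsed AuditData from a Search-UnifiedAuditLog -FreeText <AppId> run (assumed UAL field names).
UAL_HITS = [
    {"UserId": "svc-app@contoso.example", "Operation": "MailItemsAccessed",
     "SessionId": "s-0002", "ClientIP": "203.0.113.9", "Workload": "Exchange"},
    {"UserId": "alice@contoso.example", "Operation": "Add member to role.",
     "SessionId": "s-0002", "ClientIP": "203.0.113.9", "Workload": "AzureActiveDirectory"},
    {"UserId": "bob@contoso.example", "Operation": "FileDownloaded",
     "SessionId": "s-0001", "ClientIP": "20.190.128.5", "Workload": "SharePoint"},
    {"UserId": "svc-app@contoso.example", "Operation": "Send",
     "SessionId": "s-0003", "ClientIP": "198.51.100.4", "Workload": "Exchange"},
]

def suspicious_signins(signins, app_id, known_key_ids, trusted_prefixes):
    """Sign-ins of app_id using a credential key we did not issue, or coming from an untrusted IP."""
    flagged = []
    for s in signins:
        if s["appId"] != app_id:
            continue
        unknown_key = s["servicePrincipalCredentialKeyId"] not in known_key_ids
        foreign_ip = not s["ipAddress"].startswith(trusted_prefixes)
        if unknown_key or foreign_ip:
            flagged.append({**s, "unknown_key": unknown_key, "foreign_ip": foreign_ip})
    return flagged

def correlate_sessions(flagged, ual_hits):
    """Join the flagged sign-ins' session ids against the FreeText hits; return hits and identities."""
    sessions = {s["sessionId"] for s in flagged}
    matched = [h for h in ual_hits if h.get("SessionId") in sessions]
    identities = sorted({h["UserId"] for h in matched})   # new identities to hunt across the UAL
    return matched, identities
```

A sign-in whose key is known but whose source IP is untrusted is still flagged, since the post asks for both checks; the returned identities are the ones to pull full UAL activity for next.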

Who knew configuring Azure Entra ID on #Keycloak was as thrilling as watching paint dry? 🎨🔧 The author bravely attempts to turn a maze of tech jargon into something understandable, but somehow manages to make watching grass grow sound more exhilarating. 🌱💤
https://blog.ght1pc9kc.fr/en/2023/configure-azure-entra-id-as-idp-on-keycloak/ #AzureEntraID #TechJargon #TechHumor #CloudComputing #ITStruggles #HackerNews #ngated
Configure Azure Entra ID as IdP on Keycloak

Learn how to configure Keycloak with Microsoft Entra ID (formerly Azure AD) as an Identity Provider in a Spring Boot WebFlux project. Avoid common pitfalls and apply best practices for seamless integration.

I bought a PC...