🔒 Blocking Device Code Flow in M365, full mini-toolkit now on GitHub:

1๏ธโƒฃ Audit script => verify zero legitimate usage before blocking (all 4 Entra sign-in log types)
2๏ธโƒฃ CA policy JSON => ready to import, just replace your break-glass group ID

🔗 https://github.com/Bluewal/m365-intune-scripts/tree/main/entra/device-code-flow

#infosec #Microsoft365 #EntraID #ConditionalAccess #BlueTeam #PowerShell

m365-intune-scripts/entra/device-code-flow at main · Bluewal/m365-intune-scripts

PowerShell scripts, Intune configurations and security hardening resources for Microsoft 365 environments - Bluewal/m365-intune-scripts

GitHub

🚨 EvilTokens / AiTM attacks are actively abusing Device Code Flow to bypass MFA in M365 tenants.

Before blocking it via Conditional Access, verify it's actually unused in your environment.

Script queries all 4 Entra sign-in log types via Microsoft Graph:
✅ No results → safe to block immediately
⚠️ Results found → review before deploying

🔗 https://github.com/Bluewal/m365-intune-scripts/blob/main/entra/device-code-flow/Invoke-DeviceCodeFlowAudit.ps1

#infosec #Microsoft365 #EntraID #ConditionalAccess #BlueTeam #PowerShell

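The audit step the two posts above describe, written out as an added example (this is not the Bluewal Invoke-DeviceCodeFlowAudit.ps1 script). It queries each of the four Entra sign-in log types (interactiveUser, nonInteractiveUser, servicePrincipal, managedIdentity) through Microsoft Graph for sign-ins whose authentication protocol is device code, then prints a per-log-type count and the detail rows you would review before enforcing a block. Assumptions: the Microsoft.Graph.Authentication module is installed, you have run `Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'`, and the beta /auditLogs/signIns endpoint accepts the `authenticationProtocol` filter clause; the output file name is arbitrary.

```powershell
# Added example; not the Bluewal script. Count device-code sign-ins across all four
# Entra sign-in log types so a block policy is only enforced once the flow is
# known to be unused. Assumes an existing Connect-MgGraph session with
# AuditLog.Read.All and Directory.Read.All, and the beta signIns endpoint accepting
# the authenticationProtocol filter.
param(
    [int]$LookbackDays = 30   # cannot usefully exceed your tenant's sign-in log retention
)

$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')

# The four log types exposed through the signInEventTypes property.
$eventTypes = 'interactiveUser', 'nonInteractiveUser', 'servicePrincipal', 'managedIdentity'

function Get-DeviceCodeSignIns {
    param([string]$EventType, [string]$Since)
    $filter = "createdDateTime ge $Since and signInEventTypes/any(t: t eq '$EventType') and authenticationProtocol eq 'deviceCode'"
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$([uri]::EscapeDataString($filter))&`$top=999"
    $rows = @()
    while ($uri) {                      # follow @odata.nextLink until the result set is exhausted
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $rows += @($page.value)
        $uri = $page.'@odata.nextLink'
    }
    return $rows
}

$summary = @()
$detail  = @()
foreach ($type in $eventTypes) {
    $hits = @(Get-DeviceCodeSignIns -EventType $type -Since $since)
    $summary += [pscustomobject]@{ LogType = $type; DeviceCodeSignIns = $hits.Count }
    foreach ($h in $hits) {
        # Service principal / managed identity rows carry no UPN.
        $identity = if ($h.userPrincipalName) { $h.userPrincipalName } else { $h.servicePrincipalName }
        $detail += [pscustomobject]@{
            LogType   = $type
            When      = $h.createdDateTime
            Identity  = $identity
            App       = $h.appDisplayName
            Resource  = $h.resourceDisplayName
            IpAddress = $h.ipAddress
            ErrorCode = $h.status.errorCode   # 0 = success; failed attempts still show the flow is in use
        }
    }
}

$summary | Format-Table -AutoSize
if ($detail.Count -eq 0) {
    Write-Host "No device-code sign-ins in the last $LookbackDays days; the block policy can be enforced."
} else {
    Write-Warning "$($detail.Count) device-code sign-in(s) found; review them before enforcing the block."
    $detail | Sort-Object When -Descending | Format-Table -AutoSize
    $detail | Export-Csv -Path '.\devicecode-signins.csv' -NoTypeInformation
}
```

Two caveats for the result: an empty result only covers the retention window of your sign-in logs (30 days with a P1/P2 licence, less without), so a quarterly or annual process that uses device code would not show up; and if Graph rejects the filter with a 400, remove the `authenticationProtocol` clause and filter the returned rows on `$_.authenticationProtocol -eq 'deviceCode'` client-side instead.
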
Identity attacks rise; use conditional access, behavioral analytics. Infosec K2K boosts security with adaptive controls, real-time detection.

#CyberSecurity #IdentitySecurity #ConditionalAccess #BehavioralAnalytics #ZeroTrust #IAM #CyberResilience #InfosecK2K

🚨 Entra ID External MFA (old name was External Authentication Methods) is now Generally Available.

Custom Controls is being deprecated on 30 Sept 2026.

Here's how to check your usage.

https://thedxt.ca/2026/03/microsoft-entra-id-external-mfa/

#Entra #MFA #M365 #Microsoft #Microsoft365 #ConditionalAccess

Microsoft Entra ID External MFA

Microsoft recently announced that External Authentication Methods has been renamed to External MFA and is Generally Available. Microsoft also announced that Custom Controls is being deprecated, with its deprecation currently planned for September 30th, 2026. Microsoft Entra ID External MFA (formerly External Authentication Methods) replaces Custom Controls. Here is a brief timeline of Custom...

theDXT

๐‡๐จ๐ฐ ๐‚๐จ๐ง๐๐ข๐ญ๐ข๐จ๐ง๐š๐ฅ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐๐จ๐ฅ๐ข๐œ๐ข๐ž๐ฌ ๐€๐ซ๐ž ๐„๐ฏ๐š๐ฅ๐ฎ๐š๐ญ๐ž๐ ๐ข๐ง ๐Œ๐ข๐œ๐ซ๐จ๐ฌ๐จ๐Ÿ๐ญ ๐„๐ง๐ญ๐ซ๐š ๐ˆ๐ƒ

Understanding how Conditional Access policies are evaluated in Microsoft Entra ID is absolutely essential if you are involved in their creation or management.

I often encounter fundamental misunderstandings regarding how the evaluation of Conditional Access policies takes place. Many administrators are accustomed to systems like firewalls, where there is an order or priority for evaluating created rules. However, it does not work this way with Conditional Access policies in Microsoft Entra ID. Applying the same principle to Conditional Access policies will very likely lead to significant security risks.

Read my blog post below 👇 👇
https://www.cswrld.com/2026/02/how-conditional-access-policies-are-evaluated-in-microsoft-entra-id/

#cswrld #entraid #securitytips #conditionalaccess
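A small model of the evaluation rule the post above is warning about, added here as an illustration (it is not Microsoft's code and not from the linked blog). Conditional Access has no rule order: every enabled policy whose assignments match the sign-in is applied, a block in any applied policy wins, and otherwise the grant controls of all applied policies are combined and must all be satisfied. The policy shapes, the `Grant` field and the three sample sign-ins are constructed for this example; the point it makes is that a policy an admin thinks of as an "allow" rule (CA003 below) never overrides a block or a control from another policy.

```powershell
# Added illustration, not Microsoft's code: a minimal model of how Conditional Access
# combines policies. No priority order; every matching enabled policy applies,
# block wins, otherwise all matching policies' controls are required together.
function Resolve-CAOutcome {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Policies,
        [Parameter(Mandatory)] [hashtable]   $SignIn
    )
    # Phase 1: collect every enabled policy whose assignments match this sign-in.
    $applied = @(foreach ($p in $Policies) {
        if ($p.State -ne 'enabled') { continue }
        $userIn = ($p.IncludeUsers -contains 'All' -or $p.IncludeUsers -contains $SignIn.User) -and
                  ($p.ExcludeUsers -notcontains $SignIn.User)
        $appIn  = ($p.IncludeApps -contains 'All' -or $p.IncludeApps -contains $SignIn.App)
        $platIn = (-not $p.Platforms) -or ($p.Platforms -contains $SignIn.Platform)
        if ($userIn -and $appIn -and $platIn) { $p }
    })
    $names = @($applied | ForEach-Object { $_.Name })

    if ($applied.Count -eq 0) {
        return [pscustomobject]@{ SignIn = "$($SignIn.User)/$($SignIn.App)/$($SignIn.Platform)"; Result = 'Allow (no policy in scope)'; Applied = @() }
    }
    # Phase 2: a block anywhere in the applied set decides the outcome.
    if ($applied | Where-Object { $_.Grant -eq 'block' }) {
        return [pscustomobject]@{ SignIn = "$($SignIn.User)/$($SignIn.App)/$($SignIn.Platform)"; Result = 'Block'; Applied = $names }
    }
    # Otherwise the union of every applied policy's controls is required (AND, not first match).
    $controls = @($applied | ForEach-Object { $_.Grant } | Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{ SignIn = "$($SignIn.User)/$($SignIn.App)/$($SignIn.Platform)"; Result = "Grant, require: $($controls -join ' + ')"; Applied = $names }
}

# Constructed policies. Grant = $null models the "allow rule" an admin used to
# firewall-style ordering might expect to take precedence; it does not.
$policies = @(
    @{ Name = 'CA001 Require MFA for all users'; State = 'enabled'; IncludeUsers = @('All'); ExcludeUsers = @('breakglass@contoso.example'); IncludeApps = @('All'); Grant = 'mfa' }
    @{ Name = 'CA002 Block unknown platforms';   State = 'enabled'; IncludeUsers = @('All'); IncludeApps = @('All'); Platforms = @('windowsPhone', 'unknown'); Grant = 'block' }
    @{ Name = 'CA003 Allow finance app';         State = 'enabled'; IncludeUsers = @('alice@contoso.example'); IncludeApps = @('Finance'); Grant = $null }
)

# Constructed sign-ins.
$signIns = @(
    @{ User = 'alice@contoso.example';      App = 'Finance'; Platform = 'unknown' }   # CA003 matches, CA002 still blocks
    @{ User = 'alice@contoso.example';      App = 'Finance'; Platform = 'windows' }   # CA001 + CA003 apply: MFA still required
    @{ User = 'breakglass@contoso.example'; App = 'Finance'; Platform = 'windows' }   # excluded from CA001, nothing else in scope
)

foreach ($s in $signIns) { Resolve-CAOutcome -Policies $policies -SignIn $s }
```

The third row is the real-world lesson: an exclusion removes the account from the policy entirely, so the break-glass account ends up with no controls at all unless another policy covers it. Use the model to reason about gaps, not as a substitute for the What If tool or report-only mode, which evaluate the product's actual conditions.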

Microsoft is rolling out two Entra ID changes this spring that take effect automatically.

Passkey profiles move to GA in March. Tenants that do not opt in will be auto-migrated starting in April (through late May for Worldwide, late June for GCC/GCC High/DoD). If attestation is disabled, synced passkeys become allowed by default, meaning credentials can sync via iCloud Keychain and Google Password Manager without an explicit decision to allow synced passkeys.

Conditional Access is closing an enforcement gap starting March 27. Policies targeting "All resources" with resource exclusions will now enforce on sign-ins where apps request only OIDC or limited directory scopes. These flows were previously not being evaluated.

I published a breakdown covering:

• Auto-migration logic and default configuration behavior
• PowerShell scripts to audit your tenant
• A three-profile passkey architecture for role-based separation
• How to identify affected Conditional Access policies
• Key gotchas (silent campaign shifts, retroactive AAGUID removal, destructive preview opt-out)

The post includes links to MC1221452, the Microsoft Tech Community announcement, and the relevant Microsoft Learn documentation.

https://nineliveszerotrust.com/blog/entra-march-2026-passkeys-ca/

#EntraID #Identity #ZeroTrust #Passkeys #ConditionalAccess #CloudSecurity #MFA
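One way to find the policies whose scope changes on March 27, as an added example that is not from the linked post: in Graph a policy targeting "All resources" has `includeApplications` set to `All`, and a resource exclusion shows up in `excludeApplications`, so the affected set is every policy with both. Assumptions: the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Applications modules are installed and you are connected with `Connect-MgGraph -Scopes 'Policy.Read.All','Application.Read.All'`; exclusions are stored as application IDs, so the helper resolves them to display names where a service principal exists.

```powershell
# Added example: list Conditional Access policies that target All resources and carry
# resource exclusions. Assumes a Connect-MgGraph session with Policy.Read.All and
# Application.Read.All (the latter only for the name lookup).
function Resolve-AppName {
    param([string]$Id)
    # Well-known targets used by Conditional Access are stored by name, everything else by app ID.
    if ($Id -in 'All', 'Office365', 'MicrosoftAdminPortals', 'None') { return $Id }
    $sp = Get-MgServicePrincipal -Filter "appId eq '$Id'" -Property displayName -ErrorAction SilentlyContinue
    if ($sp) { return "$($sp.DisplayName) ($Id)" }
    return $Id
}

function Get-AllResourcesPolicyWithExclusions {
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    foreach ($p in $policies) {
        $apps       = $p.Conditions.Applications
        $targetsAll = $apps.IncludeApplications -contains 'All'
        $exclusions = @($apps.ExcludeApplications)
        if (-not ($targetsAll -and $exclusions.Count -gt 0)) { continue }
        [pscustomobject]@{
            DisplayName = $p.DisplayName
            State       = $p.State                               # enabled policies change behaviour on the 27th
            Exclusions  = ($exclusions | ForEach-Object { Resolve-AppName $_ }) -join '; '
            Controls    = (@($p.GrantControls.BuiltInControls) -join ', ')
        }
    }
}

# Enabled policies first: those start enforcing on the newly evaluated sign-ins without any change on your side.
Get-AllResourcesPolicyWithExclusions |
    Sort-Object @{ Expression = { $_.State -eq 'enabled' }; Descending = $true }, DisplayName |
    Format-Table -AutoSize -Wrap
```

For each enabled policy in the list, check the sign-in logs for the excluded resources' app IDs with low-scope OIDC requests before the date; those are the sign-ins that will start being evaluated, and a block or device-compliance control there can take out a legitimate integration.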

@_dirkjan and my joint talk at #TROOPERS25 is now available on YouTube.

"Finding Entra ID CA Bypasses - the structured way" @WEareTROOPERS

https://youtu.be/yYQBeDFEkps

#Entra #ConditionalAccess

Last week #Microsoft published #MC1123830 where they announced #Entra #ConditionalAccess updates indicating that #AzureDevOps (ADO) will be separated from Azure Resource Manager (ARM). This means that you might have to update your policies in order to allow access to #ADO.

๐—›๐—ผ๐˜„ ๐˜๐—ผ ๐—ฏ๐—น๐—ผ๐—ฐ๐—ธ ๐˜‚๐—ป๐—ธ๐—ป๐—ผ๐˜„๐—ป ๐—ฝ๐—น๐—ฎ๐˜๐—ณ๐—ผ๐—ฟ๐—บ๐˜€ ๐—ถ๐—ป ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—˜๐—ป๐˜๐—ฟ๐—ฎ ๐—œ๐——

Under conditional access policies, it is possible to block individual device platforms. In general, it is a good idea to eliminate all ways that a potential threat actor could use to compromise the environment. In other words, block everything that is not needed.

This also applies to device platforms within Microsoft Entra ID. For example, if your organization only uses Windows, iOS, and Android, it's a good idea to disable all other platforms. If you also use macOS, you need to add macOS as well, of course.

What I would definitely recommend blocking is Windows Phone and other unknown platforms. Unrecognized / unknown platforms are usually spoofed User Agents, which are mainly used by threat actors.

📺 Watch my YouTube video below 👇 👇
https://youtu.be/vFhQgwXmqTo

#cswrld #videotutorial #entraid #conditionalaccess #platforms #blocking
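Both block policies discussed on this page (the device code flow block from the Bluewal toolkit post and the unknown-platform block from the post above) have the same shape in Microsoft Graph: all users except a break-glass group, all resources, one extra condition, and a `block` grant control. The following added example (it is neither the Bluewal policy JSON nor the video's walkthrough) builds both through one helper and creates them in report-only state so you can read the "Report-only" sign-in log results before enforcing. Assumptions: Microsoft.Graph.Authentication is installed, you are connected with `Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All'`, the `authenticationFlows` condition is available on the v1.0 endpoint in your tenant (use beta otherwise), `$BreakGlassGroupId` is replaced with your own group's object ID (the zero GUID is a placeholder), and the `excludePlatforms` list is edited to the platforms you actually use (add `linux` if you have Linux devices).

```powershell
# Added example covering the device-code-flow post and the unknown-platforms post;
# not the Bluewal JSON nor the cswrld video. Creates both block policies through
# Microsoft Graph in report-only state, excluding a break-glass group. Assumes a
# Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and Application.Read.All.
param(
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your group object ID
)

function New-CABlockPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $ExtraConditions,   # merged into the conditions object
        [switch] $Enforce                                      # default is report-only
    )
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    $conditions = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
    } + $ExtraConditions
    $body = @{
        displayName   = $DisplayName
        state         = $state
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# 1. Device code flow: the authenticationFlows condition with transferMethods = deviceCodeFlow.
New-CABlockPolicy -DisplayName 'CA - Block device code flow' -ExtraConditions @{
    authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
}

# 2. Unknown / unused platforms: include every platform, exclude only the ones in use.
#    Windows Phone, Linux and unrecognised user agents all fall into the remaining set.
New-CABlockPolicy -DisplayName 'CA - Block unknown device platforms' -ExtraConditions @{
    platforms = @{ includePlatforms = @('all'); excludePlatforms = @('windows', 'iOS', 'android', 'macOS') }
}
```

Run the audit first (device code sign-ins for policy 1, sign-ins whose `deviceDetail.operatingSystem` is empty or unexpected for policy 2), leave both policies in report-only for a few weeks, then re-run the function with `-Enforce` or switch the state in the portal. The break-glass exclusion is there so a mistaken platform list cannot lock administrators out; keep that group to the emergency accounts only, because every member is also exempt from the device code block.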