Dustin Schutzeichel

Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog

In real-world customer engagements, Microsoft Incident Response (Microsoft IR) sees combinations of issues and misconfigurations that could lead to attacker access to customers’ Microsoft Entra ID tenants. Effective protection of a customer’s Entra ID tenant is less challenging than protecting an Active Directory deployment but does require governance and monitoring. Reducing risk and exposure of your most privileged accounts plays a critical role in preventing or detecting attempts at tenant-wide compromise.

Microsoft Security Blog

🚨📰 The 20th edition of the weekly Entra News is out!

Read the latest at https://entra.news/p/entranews-20-your-weekly-dose-of

Entra.News #20: Your weekly dose of Microsoft Entra

Microsoft named a Leader by Gartner for Access Management, Graph CLI v1 goes GA and more!

Entra.News - Your weekly dose of Microsoft Entra

📢 Use an Azure runbook to only include or exclude specific #M365 groups & teams in #EntraID access reviews, depending on:

✓ prefixes according to your group naming convention
✓ private/public visibility
✓ group age
✓ ... and other group attributes

https://cloudprotect.ninja/access-reviews-for-specific-m365-groups-and-teams/

Starting Access Reviews for specific Microsoft 365 Groups and Teams using Azure Runbooks

Use an Azure runbook to start Entra ID access reviews for a subset of Microsoft 365 groups or teams only, e.g. based on prefixes according to your group naming convention.

Cloud Protect Ninja

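Added example (not the Cloud Protect Ninja runbook itself): the selection logic the post describes, written against the Microsoft Graph PowerShell SDK. It picks Microsoft 365 groups by name prefix, visibility and age, then creates one recurring access review per selected group, reviewed by the group owners. Assumptions: the runbook's managed identity holds the Group.Read.All and AccessReview.ReadWrite.All application permissions, the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules are imported, and the prefixes, age threshold and fallback-reviewer ID are placeholders.

```powershell
# Added example: start access reviews only for a filtered subset of Microsoft 365 groups.
Connect-MgGraph -Identity -NoWelcome

# Selection criteria (placeholders; adapt to your naming convention)
$IncludePrefixes  = @('PRJ-', 'EXT-')    # e.g. project and external-collaboration groups only
$OnlyPrivate      = $true                # skip public groups
$MinAgeDays       = 30                   # ignore groups younger than this
$FallbackReviewer = '/users/00000000-0000-0000-0000-000000000000'   # placeholder admin user id

# All Microsoft 365 ("Unified") groups with the attributes we filter on
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property Id, DisplayName, Visibility, CreatedDateTime

$cutoff   = (Get-Date).AddDays(-$MinAgeDays)
$selected = $groups | Where-Object {
    $g = $_
    @($IncludePrefixes | Where-Object { $g.DisplayName.StartsWith($_) }).Count -gt 0 -and
    (-not $OnlyPrivate -or $g.Visibility -eq 'Private') -and
    $g.CreatedDateTime -lt $cutoff
}

foreach ($g in $selected) {
    # accessReviewScheduleDefinition: scope = transitive members of this group,
    # reviewers = the group's owners (resolved relative to the scoped resource)
    $body = @{
        displayName          = "Quarterly membership review - $($g.DisplayName)"
        descriptionForAdmins = 'Created by runbook (prefix/visibility/age filter)'
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/groups/$($g.Id)/transitiveMembers"
            queryType     = 'MicrosoftGraph'
        }
        reviewers         = @(@{ query = './owners';        queryType = 'MicrosoftGraph' })
        fallbackReviewers = @(@{ query = $FallbackReviewer; queryType = 'MicrosoftGraph' })
        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            defaultDecisionEnabled          = $true
            defaultDecision                 = 'Deny'     # fail closed if nobody reviews
            instanceDurationInDays          = 14
            autoApplyDecisionsEnabled       = $true
            recommendationsEnabled          = $true
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = 3 }
                range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
            }
        }
    }
    $def = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
    Write-Output "Created review '$($def.DisplayName)' ($($def.Id)) for group $($g.Id)"
}
```

Because the filter runs in the runbook rather than in the review definition, the same script can be flipped to an exclusion list by negating the prefix test; defaultDecision = 'Deny' with auto-apply is the setting that actually removes access when owners ignore the review, so test it on a pilot set of groups first.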
Migrate away from using email claims for user identification or authorization - Microsoft Entra

Learn how to migrate your application away from using insecure claims, such as email, for authorization purposes.

❗️Developers of #AzureAD multi-tenant apps with #SSO based on #OpenIDConnect should take care to use immutable claims (tid + oid) of the JWT token instead of mutable claims (email) to uniquely identify and authorize access for signed-in users. #nOAuth

https://www.descope.com/blog/post/noauth

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover

This blog will cover an authentication implementation flaw Descope discovered in Microsoft Azure AD OAuth applications that, when exploited, could lead to full account takeover.
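Added example (not from Descope or Microsoft): a small PowerShell model of the fix the post recommends, keying the app's user record on tid + oid instead of email. Two ID-token payloads are constructed inline as fixtures: the victim's real token from their home tenant, and a token minted by an attacker-controlled tenant whose user has been given the victim's address in the email claim. Signature, issuer and audience validation are assumed to have happened already (MSAL or your middleware); the unsigned fixtures exist only so the example runs offline.

```powershell
# Added example: immutable (tid:oid) vs mutable (email) user keys in a multi-tenant app.

function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload([string]$Jwt) {
    # Decodes the second JWT segment only; this is NOT a signature check.
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

function Get-UserKey {
    # Returns the value under which the app stores and looks up the signed-in user.
    param(
        [Parameter(Mandatory)]$Claims,
        [ValidateSet('Immutable', 'Email')][string]$Mode = 'Immutable'
    )
    if ($Mode -eq 'Email') { return $Claims.email }   # nOAuth-vulnerable: issuer does not verify this value
    foreach ($c in 'tid', 'oid') {                    # both are assigned by the issuer and never change
        if ([string]::IsNullOrEmpty($Claims.$c)) { throw "Token lacks required claim '$c'" }
    }
    return "$($Claims.tid):$($Claims.oid)"
}

function New-TestJwt([hashtable]$Claims) {
    # Unsigned fixture (alg=none, empty signature) for this demo only; never accept such tokens.
    $header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
    $payload = ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress)
    "$header.$payload."
}

# Constructed fixtures; tenant and object IDs are placeholders
$victimJwt = New-TestJwt @{
    iss = 'https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0'
    tid = '11111111-1111-1111-1111-111111111111'; oid = 'aaaaaaaa-0000-0000-0000-000000000001'
    email = 'alice@contoso.com'; preferred_username = 'alice@contoso.com'
}
$attackerJwt = New-TestJwt @{
    iss = 'https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0'
    tid = '22222222-2222-2222-2222-222222222222'; oid = 'bbbbbbbb-0000-0000-0000-000000000002'
    email = 'alice@contoso.com'   # attacker set the victim's address on a user in their own tenant
}

$victim   = ConvertFrom-JwtPayload $victimJwt
$attacker = ConvertFrom-JwtPayload $attackerJwt
[pscustomobject]@{
    EmailKeysCollide     = (Get-UserKey $victim -Mode Email) -eq (Get-UserKey $attacker -Mode Email)
    ImmutableKeysCollide = (Get-UserKey $victim) -eq (Get-UserKey $attacker)
}
```

The email-keyed lookup resolves both tokens to the same account, which is the account takeover; the tid:oid key keeps them apart. When migrating, also make Get-UserKey fail closed (as above) rather than falling back to email when tid or oid is missing.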

#MicrosoftGraph PowerShell SDK is on its way to reach v2 and was recently published as rc1 on GitHub. I really like the new version since it offers native managed identity support for Azure Automation runbooks as shown in my blog:

https://cloudprotect.ninja/managed-identities-to-connect-to-microsoft-365-and-azure/

https://github.com/microsoftgraph/msgraph-sdk-powershell/releases/tag/2.0.0-rc1

Using Managed Identities to Connect to Microsoft 365 & Azure

The ultimate guide how to securely connect Azure Automation runbooks to Microsoft cloud services including Exchange, SharePoint, Teams, Graph API and Azure.

Cloud Protect Ninja
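Added example (not the Cloud Protect Ninja guide): the two halves of running a Graph runbook on a managed identity. Part 1 runs once from an admin session and grants the Automation account's system-assigned managed identity only the Graph application permissions the runbook needs, via app role assignments (there is no portal consent flow for a managed identity). Part 2 is the runbook body, which authenticates with -Identity and stores no secret. Assumptions: the Automation account name and the permission list are placeholders, the admin session has Application.Read.All and AppRoleAssignment.ReadWrite.All, and the Microsoft.Graph v2 modules are imported in the Automation account.

```powershell
# Added example: least-privilege Graph access for an Azure Automation managed identity.

# ---- Part 1: one-time grant from an admin workstation (Microsoft.Graph.Applications) ----
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$AutomationAccountName = 'aa-m365-ops'                           # placeholder
$mi    = Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'"
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph

foreach ($perm in 'User.Read.All', 'Group.Read.All') {            # only what the runbook needs
    $role = $graph.AppRoles | Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph app role '$perm' not found" }
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graph.Id }
    if ($existing) { Write-Output "$perm already assigned"; continue }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
    Write-Output "Assigned $perm to $($mi.DisplayName)"
}
Disconnect-MgGraph | Out-Null

# ---- Part 2: runbook body (Azure Automation) ----
# System-assigned identity; for a user-assigned identity add -ClientId <its application ID>.
Connect-MgGraph -Identity -NoWelcome
$ctx = Get-MgContext
Write-Output "Auth type: $($ctx.AuthType); app: $($ctx.AppName)"

# Work the permissions above allow: report public Microsoft 365 groups for review
Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" -Property DisplayName, Visibility |
    Where-Object { $_.Visibility -eq 'Public' } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Visibility
```

Re-run Part 1 whenever the runbook needs a new permission; the grant is idempotent. Keeping the role list explicit in source is what makes the identity auditable later, for instance by listing its app role assignments.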

App Governance in Defender for Cloud Apps will soon be included in the #M365 E5 (Security) license and helps you to identify and clean up:

✓ Unused apps
✓ Apps with high Microsoft Graph API permissions
✓ Apps with expiring credentials

https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-secure-apps-app-hygiene-features

Secure apps with app hygiene features - Microsoft Defender for Cloud Apps

Learn how to secure apps with app hygiene features

Microsoft provides good guidance on how to implement #ZeroTrust security in your #Microsoft365 environment. I really like their posters and illustrations summarizing the key ingredients and policies necessary for a zero trust architecture.

https://learn.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust

Zero Trust deployment plan with Microsoft 365

Learn how to apply Zero Trust security principles with Microsoft 365 to defend against threats and protect sensitive data.

Did you ever wonder whether your #Sentinel data connectors, analytics and automation rules work reliably?

#Microsoft provides new SentinelHealth & SentinelAudit tables and predefined workbooks for health monitoring.

Start by checking out this article:
https://learn.microsoft.com/en-us/azure/sentinel/health-audit

Auditing and health monitoring in Microsoft Sentinel

Learn about the Microsoft Sentinel health and audit feature, which monitors service health drifts and user actions.
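Added example (not from the linked article): pulling the SentinelHealth table from PowerShell instead of a workbook, so a scheduled runbook can alert when a data connector's most recent health record is not a success. Assumptions: Az.Accounts and Az.OperationalInsights are installed, the caller has Log Analytics Reader on the workspace, the health feature is enabled for the workspace, and the workspace ID is a placeholder. The KQL uses the SentinelHealth columns documented by Microsoft (SentinelResourceType, SentinelResourceName, Status, Reason, Description).

```powershell
# Added example: find data connectors whose latest SentinelHealth record is not "Success".
Connect-AzAccount | Out-Null     # inside a runbook: Connect-AzAccount -Identity
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder Log Analytics workspace ID

$kql = @'
SentinelHealth
| where TimeGenerated > ago(1d)
| where SentinelResourceType == "Data connector"
| summarize arg_max(TimeGenerated, *) by SentinelResourceName
| where Status != "Success"
| project TimeGenerated, SentinelResourceName, SentinelResourceKind, Status, Reason, Description
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$unhealthy = @($result.Results)

if ($unhealthy.Count -eq 0) {
    Write-Output 'All data connectors reported healthy within the last 24 hours'
} else {
    $unhealthy | Format-Table TimeGenerated, SentinelResourceName, SentinelResourceKind, Status, Reason -AutoSize
    # Non-zero exit lets the Automation job show as failed so it can be alerted on
    exit 1
}
```

Using arg_max per connector matters: a connector that failed at 03:00 and recovered at 04:00 should not page anyone, and a plain filter on Status would.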

❗️ Vulnerability for #SharePoint download restrictions ❗️

#Microsoft released a #PowerShell cmdlet to activate the web-only mode for sensitive #SharePoint, #Teams or #OneDrive sites. Thus, users should not be able to download, sync or print files:
https://learn.microsoft.com/en-us/sharepoint/block-download-from-sites

But I found a little hack to bypass the download restriction: Just add a shortcut to OneDrive for the respective document library. Consequently, in the OneDrive web interface, you can download the "protected" library as .zip archive.

Until Microsoft provides a fix, you could use JSON formatting for list views and hide the "addShortcut" button (security by obscurity):
https://learn.microsoft.com/en-us/sharepoint/dev/declarative-customization/view-commandbar-formatting

Alternatively, you must globally deactivate the "Add shortcut to OneDrive" button for all sites in the tenant. You cannot scope the cmdlet to specific sites:
https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-disableaddshortcutstoonedrive

Block the download of files from a SharePoint site or OneDrive (preview) - SharePoint in Microsoft 365

Learn how administrators can block download of files from a SharePoint and OneDrive without using conditional access policies.
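Added example (not from the post or the Microsoft docs): the three settings the post discusses, applied and read back from PowerShell. Step 1 enables the web-only (block download) mode for one sensitive site; step 2 is the tenant-wide switch that actually closes the OneDrive-shortcut gap; step 3 is the per-library JSON view formatting that merely hides the button. Assumptions: the SharePoint Online Management Shell and PnP.PowerShell modules are installed, the caller is a SharePoint Administrator, and the admin URL, site URL and library/view names are placeholders.

```powershell
# Added example: web-only mode for a site plus closing the "Add shortcut to OneDrive" gap.
$AdminUrl = 'https://contoso-admin.sharepoint.com'            # placeholder
$SiteUrl  = 'https://contoso.sharepoint.com/sites/sensitive'  # placeholder
Connect-SPOService -Url $AdminUrl

# 1. Block download/sync/print for the site; optionally exempt the site owners
Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true
# Set-SPOSite -Identity $SiteUrl -ExcludeBlockDownloadPolicySiteOwners $true

# 2. The only cmdlet-scoped fix for the shortcut bypass: tenant-wide, all sites
Set-SPOTenant -DisableAddShortcutsToOneDrive $true

# 3. Verify both settings
$site   = Get-SPOSite -Identity $SiteUrl
$tenant = Get-SPOTenant
[pscustomobject]@{
    Site                           = $SiteUrl
    BlockDownloadPolicy            = $site.BlockDownloadPolicy
    DisableAddShortcutsToOneDrive  = $tenant.DisableAddShortcutsToOneDrive
} | Format-List

# Weaker, per-library alternative from the post: hide the button with view formatting.
# This is cosmetic only; the shortcut can still be created by other means.
$viewJson = @'
{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/view-formatting.schema.json",
  "commandBarProps": {
    "commands": [
      { "key": "addShortcut", "hide": true }
    ]
  }
}
'@
Connect-PnPOnline -Url $SiteUrl -Interactive
Set-PnPView -List 'Documents' -Identity 'All Documents' -Values @{ CustomFormatter = $viewJson }
```

If step 2 is not acceptable tenant-wide, treat step 3 as a usability measure only and rely on a Conditional Access app-enforced restriction (browser-only access) for the sensitive site instead of the preview block-download policy.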