Nathan McNulty

Protecting Auth Tokens

Authenticating to websites in browsers is complicated. There are numerous different approaches: the popular “Web Forms” approach, where username and password (“credentials”)…


As promised, here is my deep dive into the Microsoft Enterprise Single Sign On (SSO) plug-in for Apple devices

This works on all Apple devices including iOS, iPadOS & macOS!

Windows users have long enjoyed SSO, now you can bring that experience to your Apple users 😍

Read on ⬇️

Pretty excited to share a new post on a lesser known Intune feature! :)

Microsoft Tunnel can do full device or per-app tunneling on iOS and Android, providing access to on-prem resources, restricted cloud resources, or ensuring access to SaaS apps comes from a known, trusted set of IPs 🔥

https://blog.nathanmcnulty.com/intune-microsoft-tunnel-vpn-gateway/

#NathansBlog

Intune - Microsoft Tunnel VPN Gateway

A really neat but lesser known feature of Intune is Microsoft's Tunnel VPN solution which can do full device or per-app VPN tunneling on iOS and Android. This allows us to provide access to on-prem resources, restricted cloud resources, or ensure access to SaaS apps is coming from a known,

Nathan McNulty

In case it's helpful for anyone else, I quickly documented how to create a CA for your lab

OpenSSL offline root CA, ADCS as Intermediate CA, and for fun, GitHub + Azure Static Website to host the CRLs :p

Microsoft Tunnel and EAP-TLS posts in the works :)

https://blog.nathanmcnulty.com/lab-certificate-authority-setup/

Lab - Certificate Authority Setup

I know there are hundreds of posts out there on how to do this, but I really documented this for my future self as something that is really fast, easy, and repeatable when I need to stand up a lab for testing with Azure AD and Intune :) 💡I am not

Nathan McNulty

Hey #AzureAD admins - We can now automate cleanup of stale devices!

Microsoft updated the Delete device API endpoint to support Application permissions, so I've rewritten my Azure Automation blog post

Also new: Managed Identities and Graph V2 modules :)
https://blog.nathanmcnulty.com/azure-automation-device-cleanup-v2/

Just published my follow-up post for setting up Azure AD SSO to AWS for Single-Account access, also using PIM for Groups :)

This one is really cool because of this regex used to create the SAML claim:
AWS-(?'accountid'[\d]{12})-(?'role'[\w])

Even if you don't use AWS, this technique can be applied to other apps that use Roles in SAML claims, like Splunk

https://blog.nathanmcnulty.com/aws-pim-single-account-access/

#NathansBlog

AWS - Integrating PIM with Azure AD SSO for AWS Single-Account Access

Previously I showed how we can configure SAML SSO with AWS IAM Identity Center which can make many things easier, especially for larger companies, but it may not be an ideal fit for smaller companies who have one or two accounts and want to manage groups, permissions, and governance in

Nathan McNulty

It works! 🥳

Last two pieces that did the trick: a HAADJ session host needs the *on-prem* user added to the Remote Desktop Users group, not the AAD user (which can be added as a SID converted from AAD Object ID but it doesn't work for this use case).

Duo's Windows application had to be removed. Otherwise the RDP session would start but not sign you in - you just connected to the session host's local console output.

Did you know the Recon SOC sends out a monthly newsletter about trending threats and mitigations?

No sales or marketing--just immediately useful information for IT teams✌️💙🤓

Interested? Sign up here: https://reconis.co/3GNvXaE


Just published a new blog post on setting up AWS SSO with Azure AD leveraging Privileged Access Groups to provide just-in-time access and approval workflows

This concept can be used for any Azure app, so it's still an interesting read even without AWS :)

https://blog.nathanmcnulty.com/aws-pim-iam-identity-center/

#NathansBlog

AWS - Integrating PIM with Azure AD SSO for AWS IAM Identity Center

I've been working in AWS a fair bit lately (Defender for Cloud posts coming soon) and thought it would be fun to set up SSO from Azure AD. But I also wanted to see if there was a way I could integrate Privileged Identity Management into it for just in

Nathan McNulty
I cannot sum this up more perfectly than @nathanmcnulty “Microsoft can't even block email from attacker infrastructure, but sure, let's block known legitimate businesses” re: https://www.bleepingcomputer.com/news/security/exchange-online-to-block-emails-from-vulnerable-on-prem-servers/
Exchange Online to block emails from vulnerable on-prem servers

Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. 

BleepingComputer