Hi there 👋

Profile Photo My name is Nicola and I am interested in endpoint management, security, identity and automation. On this blog I like to share ideas, solutions, experiences and learning on all things related to tech.

Have you heard about passkeys and AAGuids?

With the availability of passkeys the FIDO2 standards become more accessible in the form of password managers, web-browsers and (mobile) operating systems — without the need for dedicated hardware such as FIDO2 keys. Microsoft is currently in the process of developing support for passkeys and shipping the public preview in Q1 2024: While this is a very welcome addition to make passwordless authentication easily accessible without dedicated hardware such as FIDO2 security keys this also introduces new risks, especially for high value accounts — But why’s that?...

December 1, 2023 · 5 min · 987 words · Nicola Suter

Enriching Microsoft Sentinel tables with eligible Entra directory roles

Microsoft 365 Defender and Sentinel provide an IdentityInfo table that contains various information that is helpful for threat hunting and detections. One key piece are also the assigned Entra directory roles for a specific identity. Unfortunately only permanently assigned permissions are covered and in times of Entra Privileged Identity Management (PIM) we should have standing permissions only for non-privileged roles and break-glass accounts. Within this blog post I want to share a few tips and tricks to answer the following questions with Sentinel and a little bit of scripting and KQL:...

November 17, 2023 · 5 min · 1050 words · Nicola Suter

Maintaining Microsoft Sentinel Analytic Rules in JSON and YAML with GitHub Actions

Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within… Microsoft Sentinel Analytic Rules can be shared in both the YAML and ARM format, whereas the ARM format leverages JSON as file type. Within this short post I want to demonstrate an approach that leverages a GitHub Action to automatically build and update the rules in YAML format — so you can just export and update existing rules without any manual conversion effort....

November 13, 2023 · 4 min · 707 words · Nicola Suter

Have you heard of workload identity access token replay?

Microsoft recently made the Microsoft Graph Activity Logs available as part of the Microsoft Entra ID diagnostic settings. This means we can use the MicrosoftGraphActivityLogs Table to enrich custom detections and analytic rules. Within this post I want to elaborate closer on an attack scenario for workload identities that leverage workload identity federation and don’t have any persistent credentials or long lived secrets. But one type of credential artefacts is still theft-able — the short lived access tokens....

November 8, 2023 · 6 min · 1108 words · Nicola Suter

Microsoft Entra Connect Sync Hardening

Microsoft Entra Connect Sync (aka Azure AD Connect) allows establishing hybrid identity scenarios by interconnecting on-premises Active Directory and Entra ID (aka Azure AD) and leveraging synchronisation features in both directions. As you might already know, this brings potential for abuse of the assigned permissions to the involved service accounts and permissions of this service. On the internet are already some posts with subset of this information but I wanted to provide an actionable post with individual measures to implement....

September 24, 2023 · 5 min · 1060 words · Nicola Suter

Why you should use Entra Workload Identity Federation

Microsoft Entra Workload Identity Federation is a hidden gem when dealing with app registrations and service principals because it will significantly improve the security posture of your workload identities. While I already blogged about the more technical and implementation specific details in my GitHub Actions with Entra Workload Identity Federation post, I want to highlight the benefits and scenarios where you can use Workload Identity Federation to access Entra ID protected resources....

September 7, 2023 · 5 min · 921 words · Nicola Suter

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Did you know that for the new Windows LAPS Azure AD is also maintaining the password history? The built in PowerShell commandlet relies on the Microsoft Graph PowerShell SDK and within this post I want to show you how to work with the Get-LapsAADPassword cmdlet. Kudos to Niklas Tinner as he brought this to my attention while working together. Where is this command originating from? The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows Operating system with the April 2023 quality updates....

May 10, 2023 · 2 min · 416 words · Nicola Suter

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Loooooong awaited and it’s finally here - the new Windows LAPS. With the previous announcement(s) of the integration into the native Windows operating system and support for Azure AD join this was a long-awaited feature. With the recent patch Tuesday the binaries were backed and delivered natively into the current Windows client and Server OS and today they also launched the Azure AD backend that can serve as the backup source for passwords....

April 21, 2023 · 7 min · 1291 words · Nicola Suter

Provoking Defender for Identity suspicious certificate usage alerts

Microsoft Defender for Identity (MDI) has announced a new capability back in February to detect suspicious certificate usage for Kerberos authentication. It is already well-known, that Active Directory Certificate Services (ADCS) is a lucrative target for adversaries to achieve persistence in Active Directory as ADCS can be easily misconfigured resulting in an easy way to exploit those misconfigurations. In this post I want to show you how easy those misconfigurations can be abused and how and when such an attempt is detected by Microsoft Defender for Identity new detection capabilities for suspicious certificate usage....

April 11, 2023 · 8 min · 1547 words · Nicola Suter

You must not touch my endpoint security settings!

Intune Endpoint Security Configuration Settings have become the way to go for configuring security features on various platforms. What did start with Microsoft Defender for Endpoint settings for Windows clients has evolved to settings for macOS, Windows Servers and is treated like a first class citizen. So it is important to guard those sensitive configurations as they control (and can potentially disable) vital security features on endpoints such as defender tamper protection, attack surface reduction rules, firewall and many more....

March 12, 2023 · 3 min · 634 words · Nicola Suter