New video: deep dive into Defender for Endpoint/Antivirus settings.
- what every one really does
- what “good” looks like
- gotchas
- nuances
And why some of the important ones are “hidden”.
Watch: youtu.be/R8btJ_SjwVk
@campbell.scot.bsky.social
Microsoft Security MVP + Microsoft Security Practice Lead at Threatscape
Mostly: Entra, Defender, Intune, Purview, and Microsoft 365
Also: dad, metal, lifting, wrestling, cars
Mostly on Twitter rather than here: @rucam365
TIL that Purview parent sensitivity labels are being replaced by label groups (MC1111778). You can migrate using a wizard and by default it'll convert the parent label into both a group and a label within that group (to not risk removing an in-use label).
07.08.2025 12:28 — 👍 1 🔁 0 💬 0 📌 0
I don’t think that’s the incentive LinkedIn thinks it is…
06.08.2025 17:19 — 👍 0 🔁 0 💬 0 📌 0
TIL Entra ID Governance for guests is PAYG. Example: access review for inactive guests charged based on # guests in scope.
So, charged on API events that include guests separate to usual 50K allowance. Max 1 charge guest/month even if multiple events.
learn.microsoft.com/...
TIL about Purview on-demand classification for Windows to discover + classify files at rest on devices (MC1106875).
On-demand classification (PAYG) was previously limited to SPO + ODfB.
Partially addresses a gap a lot of my customers ask about... will auto labelling follow? 🤔
Most IT teams, including mature ones, aren’t gonna adopt physical dedicated PAWs and it’s not reasonable to assert they should.
What have been your most successful compromises for this?
New video: 1hr of advanced Conditional Access deep dives with @NateHutch365 at @Threatscape.
Covering nuanced scenarios like app allow listing, missing app management, and really stretching CA into some cool and uncommon uses.
WATCH: youtu.be/DkCq8wWN9Sc
New video: 5 best practices for Conditional Access. Kind of an inverse on my 5 common mistakes video. Point being: know what to avoid doing; while knowing what good looks like.
Watch: youtu.be/drO5YFxZDyU
More art than science.
22.07.2025 05:18 — 👍 5 🔁 0 💬 0 📌 1
New video: understanding Copilot Studio, MCP, and generally the state of play for securing AI in Microsoft 365 with Microsoft's Graham Hosking.
Watch: youtu.be/9JrBswGsUSw
A hidden gem in MDE’s new effective settings page is revealing which admin-set values are ignored by tamper protection's enforcement of known good ones.
For example, threat actions (quarantine, etc) are protected by TP which enforces response based on Defender definitions.
News about Microsoft Authenticator backing up MFA to iCloud hit the message centre today, but if I'm reading this correctly, it doesn't apply to Entra MFA?
>"Only account names and third-party TOTP credentials will be backed up"
Trying so hard to use new Outlook as daily driver but it's honestly just brutal with no upside except the 'Quote' format button is neat.
07.07.2025 09:59 — 👍 1 🔁 0 💬 0 📌 0
Not quick to offense, but having just seen it, if you're using the recent Microsoft redundancies to shill your product, I will immediately block and delete you.
03.07.2025 15:14 — 👍 2 🔁 0 💬 0 📌 0
The world isn’t divided by politics or class. It’s divided by whether you pronounce Entra as “Entra” or “Entra”.
02.07.2025 15:20 — 👍 0 🔁 0 💬 0 📌 0
I can not and will not be stopped.
24.06.2025 18:40 — 👍 2 🔁 0 💬 1 📌 0
Live only, no recordings, don't ask.
24.06.2025 07:51 — 👍 1 🔁 0 💬 0 📌 0
Join us 25 June 18:00 UTC+1 for two stellar sessions
REGISTER: www.meetup.com/m365s...
@Cyb3rMik3 Exposing hidden threats with Defender Vulnerability Management
@janbakker_ Passkeys: Hype vs. Reality
$150+ of prizes thanks to @AppGovScore @PacktPublishing @Threatscape
It's LLM based (Llama and OpenAI iirc) so I can't exactly recommend it for sensitive information (without learning more) but that won't stop me with today's unsolicited advice to check it out:
wisprflow.ai/r/RUAIR...
Aye, it’s a referral link. Every penny’s a prisoner :)
My process so far is dictate to get about 90% of the text down, then refine it the old fashioned way. Generally I write the way I speak, so it's not a lot of effort.
22.06.2025 05:43 — 👍 0 🔁 0 💬 1 📌 0
In the process of writing two books on Defender and using dictation via @WisprFlow has really changed everything. It's more accurate than Windows' native transcribe feature (at least with my accent) and includes smart formatting like bullets and paragraphs.
22.06.2025 05:43 — 👍 0 🔁 0 💬 1 📌 0
New video: Had a cool run through with @lukasberancz into the kind of gaps DART identify commonly in incident response, then a deeper dive on hardware based credential providers like macOS Platform SSO.
WATCH: youtu.be/qZV3IeWsRd0
Huge M365 news: “… powered by Azure Local, Microsoft 365 Local enables customers to deploy Microsoft productivity workloads like Exchange Server and SharePoint Server in their own datacenters or sovereign cloud environments…”
Full announcement: blogs.microsoft.com/...
Making sure I understand:
It used to be Device Guard Configurable Code Integrity then Windows Defender Application Control then Application Control for Business but that's only when managed using Intune otherwise it's now Application Control for Windows.
Have I got this right.
Had a great discussion with Directions on Microsoft's @maryjofoley and @getwired.com on Security Copilot - strengths, weakness, hype, and reality. Directions does incredible work on Microsoft license guidance, so check it out.
LISTEN: www.directionsonmicr...
New video: As I've learned from a few incidents, app-to-app access is an attack path few teams monitor. Keith Fleming from the Defender for Cloud Apps team joined me to break down OAuth risks, SaaS security, and how app governance helps defenders.
Watch: youtu.be/AcneWgWPp4Y
New video: deep dive with David Mallet from Microsoft into new Defender for Cloud Apps capabilities that let you hunt (KQL) then control unknown gen AI use ('shadow AI') in your org.
Watch: youtu.be/CMRmgj3o-r0
Finding a great song late is both joy and regret, and makes me wonder what else I'm missing.
15.05.2025 09:04 — 👍 0 🔁 0 💬 0 📌 0
New video: deep dive into Purview Insider Risk Management architecture (1 hour step by step guide) with @WelkasWorld
• policy design and best practices
• minimising false positives
• Adaptive Protection integration with Conditional Access
Watch: youtu.be/n1ll4UN32-s
New video: 1 hour of Conditional Access design deep dive.
I always get asked to share Conditional Access templates, so I roped @NateHutch365 into the first of a few long forms on thinking about robust, scalable, and customizable CA architecture.
Watch: www.youtube.com/watc...