
Nathan McNulty

@nathanmcnulty.com.bsky.social

Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | Microsoft MVP | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty

5,577 Followers  |  427 Following  |  3,266 Posts  |  Joined: 27.04.2023  |  2.4348

Latest posts by nathanmcnulty.com on Bluesky

[GIF: a woman in a plaid shirt says "oops!"]
06.08.2025 01:49 | 👍 0    🔁 0    💬 0    📌 0

KQL to review #DirectSend abuse

EmailEvents
// Direct Send: mail that claims to come from one of your own domains but arrives
// without an inbound connector, i.e. not via a configured relay or partner
| where SenderMailFromDomain == RecipientDomain
| where isempty(Connectors)
// only messages that actually reached mailboxes
| where DeliveryAction !in ("Junked", "Blocked")
// AuthenticationDetails is a JSON string holding the SPF/DKIM/DMARC/CompAuth results
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
| where AuthenticationDetails.DMARC == "fail"

05.08.2025 23:47 | 👍 4    🔁 1    💬 1    📌 2
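The same Direct Send hunt run from PowerShell, as an added example that is not part of the post above: it submits the query through the Microsoft Graph advanced hunting endpoint and groups the hits by sending IP, which is the view you need to separate an attacker's relay from the on-prem printers and app servers that legitimately spoof your domain. It assumes the Microsoft.Graph.Authentication module and an identity consented to ThreatHunting.Read.All; the 30-day window and the projected columns are choices for this example. One caveat: the DMARC result is only "fail" if the domain publishes a DMARC record, so for a domain with no record also look at the SPF and DKIM values.

```powershell
# Added example, not the original post's code: run the Direct Send hunt via
# Graph advanced hunting and summarise the results per sending IP.
# Assumes Microsoft.Graph.Authentication and the ThreatHunting.Read.All scope.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

$query = @"
EmailEvents
| where Timestamp > ago(30d)
| where SenderMailFromDomain == RecipientDomain
| where isempty(Connectors)
| where DeliveryAction !in ("Junked", "Blocked")
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
| where AuthenticationDetails.DMARC == "fail"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, SenderIPv4, Subject, DeliveryAction
"@

# POST /security/runHuntingQuery returns { schema, results }
$result = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body @{ Query = $query } -OutputType PSObject

# Group by source IP so the noisy senders stand out. A legitimate relay (MFP,
# ticketing system) shows up here too, so compare each IP with what you expect
# to be sending on your behalf before treating a row as abuse.
$result.results |
    Group-Object SenderIPv4 |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='SenderIP'; e={ $_.Name }},
        @{n='Recipients'; e={ ($_.Group.RecipientEmailAddress | Sort-Object -Unique).Count }},
        @{n='SampleSubject'; e={ $_.Group[0].Subject }} |
    Format-Table -AutoSize
```

If a source turns out to be an internal system, the fix is a partner or on-premises inbound connector (so Connectors is no longer empty) rather than an allow-list entry, otherwise the hunt keeps flagging it.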

And yet... this is the only reason I know this setting exists 😂

I had to do troubleshooting, more than a few orgs have this applied to all users in an Entra environment :(

03.08.2025 17:07 | 👍 0    🔁 0    💬 0    📌 0

And they do, in several places, but it's not as comprehensive as it could be (though great for a starting point)

Microsoft has long published security benchmarks based on research/testing and customer support cases

They also do the Secure Score stuff which is much better than it used to be :p

03.08.2025 17:05 | 👍 0    🔁 0    💬 0    📌 0

Or anything else requiring device identity really... So no filter for devices, no compliance, no hybrid join grant control :-/

Sadly, I'm not a member of CIS anymore nor have the time to go through all of the settings for issues, but hopefully they are listening to feedback :)

02.08.2025 23:25 | 👍 6    🔁 0    💬 0    📌 0

While I'm on the topic of CIS Benchmarks...

If you follow this one for Edge, you won't be able to use device compliance in your Conditional Access policies :-/

02.08.2025 22:49 | 👍 17    🔁 2    💬 3    📌 0

I ended up writing a post about the new feature to change group SOA from AD to #Entra. Big big thanks to @intune.best for all of the assistance he provided and initial testing he did in #WinAdmins Discord voice yesterday!

ajf.one/group-soa

02.08.2025 17:23 | 👍 4    🔁 1    💬 0    📌 0

The S in MCP stands for security

02.08.2025 05:29 | 👍 517    🔁 92    💬 18    📌 6

Don’t blindly follow benchmarks.

They’re a great starting point, but not the finish line. Always make sure you understand what you’re configuring and why it matters in your specific environment.

02.08.2025 04:59 | 👍 10    🔁 2    💬 0    📌 0

I don't remember if it went that far back or not, but I know we had them in v2 (though there was no native way to convert them back to plain text back then, only via .NET)

02.08.2025 04:05 | 👍 1    🔁 0    💬 1    📌 0

I don't think this is really a factor, just dangerous imo

Lots of reasons, outside of not great defaults, most are total nonsense

Many just hate Microsoft, which is fine, but most don't configure it well, can't let go of AV results from a decade ago, compare to consumer experiences, etc.

02.08.2025 03:21 | 👍 0    🔁 0    💬 0    📌 0

Also fun, CIS says to enable ASR rules (which you absolutely should), but then disabling cloud delivered protection effectively disables 3 of the ASR rules they say you need to enable :P

So in the end, you can't actually get a device configured per the CIS Benchmarks, lol

01.08.2025 20:13 | 👍 3    🔁 0    💬 0    📌 0


As always, you cannot blindly trust benchmarks, you need to understand products to make the correct decisions for your environment

CIS was notorious for disabling PowerShell logging because it might capture a password... 🤦‍♂️

Here are just some of the things you will lose:

01.08.2025 20:12 | 👍 2    🔁 0    💬 3    📌 0

If you use CIS Benchmarks, I highly advise against this recommendation...

This disables cloud delivered protection which underpins a bunch of capabilities, disables roughly half of your protection

Fortunately, if you enable Tamper Protection, it is forcefully enabled for you :)

01.08.2025 20:12 | 👍 20    🔁 2    💬 2    📌 1
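A local check for the situation described in this thread, as an added example that is not part of the posts: it reads the Defender preferences on a device and reports whether cloud-delivered protection is off while ASR rules are enforced, and whether Tamper Protection is on. It assumes an elevated PowerShell session on a Windows device with the Defender module; the mapping of the CIS item to MAPSReporting = 0 follows the thread's description of the setting.

```powershell
# Added example, not from the original thread: inspect the local Defender state
# that the CIS item discussed above affects. Assumes an elevated session on
# Windows with the Defender PowerShell module (Get-MpPreference / Get-MpComputerStatus).
function Get-DefenderCloudState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced. Block-at-first-sight,
    # cloud block level and the cloud-dependent ASR rules all ride on this one value.
    [pscustomobject]@{
        CloudProtection  = ($pref.MAPSReporting -ne 0)
        MapsReporting    = $pref.MAPSReporting
        BlockAtFirstSeen = (-not $pref.DisableBlockAtFirstSeen)
        CloudBlockLevel  = $pref.CloudBlockLevel
        SampleSubmission = $pref.SubmitSamplesConsent
        TamperProtected  = $status.IsTamperProtected
        # ASR rule IDs configured in Block (1) or Warn (6) mode
        AsrRulesEnforced = @(for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            if ($pref.AttackSurfaceReductionRules_Actions[$i] -in 1, 6) {
                $pref.AttackSurfaceReductionRules_Ids[$i]
            }
        })
    }
}

$state = Get-DefenderCloudState
$state | Format-List

if (-not $state.CloudProtection -and $state.AsrRulesEnforced.Count -gt 0) {
    Write-Warning "$($state.AsrRulesEnforced.Count) ASR rule(s) are enforced while cloud-delivered protection is off; rules that rely on cloud lookups will not be effective."
}
if (-not $state.CloudProtection -and $state.TamperProtected) {
    Write-Warning "Tamper Protection is on; as the post notes, expect cloud-delivered protection to be turned back on regardless of this local setting."
}
```

Run it on a device that has the benchmark applied and on one that has not; the second warning is the one you want to see, since it means the local value is cosmetic and the device is still getting cloud protection.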

Euphoria

30.07.2025 22:01 | 👍 0    🔁 0    💬 0    📌 0

YouTube video by Get Rubix: How to Automate Intune Policy Assignments with Graph and PowerShell

Today I'll show you how to add Intune policy assignments using the Microsoft Graph and PowerShell.

youtu.be/PAlSpLl5ASA

#intune #windows #graph

30.07.2025 21:32 | 👍 7    🔁 3    💬 0    📌 0
Poor man’s IGA: Monitor and clean up stale guest accounts Today’s challenge Today, we are dealing with inactive or stale guest users in a tenant. Entra ID Governance has several ways to solve this, but if you had those licenses, you wouldn’t be here. For tod...

I'd love to know which limited features most are interested in

This is partly why I created my Entra Operational Groups project:
github.com/nathanmcnult...

@janbakker.bsky.social also has a nice series on poor man's IGA:
janbakker.tech/poor-mans-ig...

We can do a lot with a little admin effort :)

28.07.2025 23:28 | 👍 1    🔁 0    💬 0    📌 0

At least they didn't let the security copilot licensing people touch it :p

I quite prefer getting charged for real usage though rather than licensing all active users or something

They'd lose a lot of money if they did this for all licenses, lol. So many licensed accounts not being used.

28.07.2025 20:26 | 👍 2    🔁 0    💬 1    📌 0

nathanmcnulty/Entra/operational-groups/per-user-mfa.ps1 at master · nathanmcnulty/nathanmcnulty

This week I discovered we couldn't use my Entra Operational Group to create the per-user MFA groups because GCC doesn't allow Graph PowerShell to get tokens that work with this API endpoint

This technique worked around this limitation, very cool! :)

github.com/nathanmcn...

26.07.2025 03:53 | 👍 5    🔁 0    💬 0    📌 0

Pro Tip: You can borrow Bearer tokens from your browser in the various Microsoft portals and use them with Graph PowerShell/CLI

This is useful when Graph API endpoints don't allow clients like Graph PowerShell/CLI to make requests, common on new endpoints or in GCC environments

26.07.2025 03:52 | 👍 14    🔁 3    💬 1    📌 0
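The borrowing technique from the post above, as an added example that is not the author's code: copy the value of the Authorization header from a request to graph.microsoft.com in the browser's developer tools (Network tab, while signed in to the Entra or Intune portal), check the token's audience and expiry, and hand it to Graph PowerShell. It assumes Microsoft.Graph.Authentication 2.x, where Connect-MgGraph -AccessToken takes a SecureString; the JWT decoding helper is written for this example.

```powershell
# Added example, not from the original post: use a bearer token copied from the
# browser with Graph PowerShell. Assumes Microsoft.Graph.Authentication 2.x.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; each part is base64url without padding.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Prompt for the token instead of pasting it into a script: it is a live credential
# for whoever is signed in to that browser, so keep it out of history and transcripts.
$secure = Read-Host -Prompt 'Paste bearer token' -AsSecureString
$plain  = [Net.NetworkCredential]::new('', $secure).Password
$claims = Get-JwtPayload -Token $plain

# Only a token issued for Graph will work; a token for one of the portals' own
# back-end APIs has a different aud and is rejected. exp is Unix seconds.
$graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
if ($claims.aud -notin $graphAudiences) { throw "Token audience is '$($claims.aud)', not Microsoft Graph" }
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp)
if ($expires -lt [DateTimeOffset]::UtcNow) { throw "Token expired at $expires" }
Write-Host "Token for $($claims.upn) valid until $expires; scopes: $($claims.scp)"

Connect-MgGraph -AccessToken $secure -NoWelcome
# From here every Invoke-MgGraphRequest sends the borrowed token as its Authorization header.
Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me' |
    Select-Object displayName, userPrincipalName
```

The token is typically good for about an hour and cannot be refreshed from PowerShell, so long jobs need a fresh copy. For GCC High or DoD tenants add -Environment USGov or USGovDoD to Connect-MgGraph and expect a graph.microsoft.us audience instead of the two checked above.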

MDM doesn't matter BTW

The combined mobileconfig and onboarding file could even be combined, but regardless, these are deployed as custom configuration profiles, AV policy can be via Settings Catalog, Endpoint security, Jamf schema, etc., and app via Intune or PKG from portal :)

25.07.2025 01:53 | 👍 1    🔁 0    💬 0    📌 0
Intune-based deployment for Microsoft Defender for Endpoint on macOS - Microsoft Defender for Endpoint Install Microsoft Defender for Endpoint on macOS, using Microsoft Intune.

Reminder when deploying Defender for Endpoint for macOS

You *could* do this the hard way:
learn.microsoft.com/...

Or you can do it the easy way:
github.com/microsoft...

You really just need 4 policies:

1) Permissions (combined)
2) Onboarding
3) AV policy
4) App installation

25.07.2025 01:53 | 👍 11    🔁 2    💬 1    📌 0

Seeing a lot of folks frustrated with the Microsoft.Graph #PowerShell SDK...missing modules, bloat, weird errors.

If you just need to hit a few endpoints without the overhead:
Install-Module Microsoft.Graph.Authentication
Connect-MgGraph
Invoke-MgGraphRequest

#MSGraph #Intune

24.07.2025 23:49 | 👍 11    🔁 2    💬 3    📌 1
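The Authentication-module-only pattern from this post in full, as an added example that is not the author's code, and applied to the stale-guest clean-up from the poor man's IGA post further up: the one thing Invoke-MgGraphRequest does not do for you is follow @odata.nextLink, so the example wraps that in a small paging function and then lists guests with no sign-in in the last 90 days. It assumes Microsoft.Graph.Authentication only; the 90-day threshold is a choice for this example, and reading signInActivity needs the AuditLog.Read.All scope and an Entra ID P1 or P2 licence in the tenant.

```powershell
# Added example, not from the original posts: minimal Graph SDK usage with paging,
# used to find stale guest accounts. Assumes Microsoft.Graph.Authentication only,
# User.Read.All + AuditLog.Read.All, and Entra ID P1/P2 for signInActivity.
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser   # once
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

function Get-GraphPages {
    # Returns every item behind a paged Graph collection by following @odata.nextLink.
    param([Parameter(Mandatory)][string]$Uri, [hashtable]$Headers = @{})
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -Headers $Headers -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$staleAfter = (Get-Date).AddDays(-90)   # threshold chosen for this example
$uri = "https://graph.microsoft.com/v1.0/users?`$filter=userType eq 'Guest'" +
       "&`$select=id,displayName,userPrincipalName,createdDateTime,externalUserState,signInActivity"

$stale = Get-GraphPages -Uri $uri | Where-Object {
    # A guest that never signed in has no signInActivity at all. Treat those as
    # stale only when the invitation is also older than the threshold, otherwise
    # someone invited yesterday would be flagged.
    $last = $_.signInActivity.lastSignInDateTime
    if ($last) { [datetime]$last -lt $staleAfter } else { [datetime]$_.createdDateTime -lt $staleAfter }
}

$stale |
    Select-Object displayName, userPrincipalName, externalUserState, createdDateTime,
        @{n='LastSignIn'; e={ $_.signInActivity.lastSignInDateTime }} |
    Sort-Object LastSignIn | Format-Table -AutoSize

# Review the list before acting. Disabling is reversible; deleting is not beyond the
# 30-day recycle bin. To disable:
# $stale | ForEach-Object {
#     Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$($_.id)" `
#         -Body @{ accountEnabled = $false }
# }
```

lastSignInDateTime covers interactive sign-ins; a guest that only ever authenticates non-interactively (for example through a Teams client that refreshes tokens) shows up under lastNonInteractiveSignInDateTime instead, so check both before deciding an account is unused.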

Looks like the Entra QR code authentication method is going GA 🥳

They've also added some great guidance on suppressing the camera permission prompt for iOS :)

learn.microsoft.com/...

24.07.2025 23:30 | 👍 3    🔁 1    💬 0    📌 0

It all depends on the use case, imo

If you are really using it for lifecycle workflows and lots of entitlement management capabilities (especially custom extensions), then it might be worth it

To just do a few actions, quite expensive imo

24.07.2025 05:59 | 👍 1    🔁 0    💬 2    📌 0

At the speed of cloud!

(2x slower than a typical 486)

24.07.2025 00:51 | 👍 2    🔁 0    💬 1    📌 0

For very large orgs, I left a comment on line 16 where we might have to use loggedByService due to too many records. I'm testing now.

Final note - I can't find this option anywhere in Entra, and I feel like I'm pretty good at navigating the portal :p

learn.microsoft.com/en-us/entra/...

23.07.2025 23:57 | 👍 2    🔁 0    💬 0    📌 0

So now I'm stuck pulling ALL audit logs back and post processing, which brings me to my next "what the heck?" moment

This is no ordinary hashtable, they murdered this thing. It's arrays with unrelated key/value pairs inside of it, plus escaped quotes...

What a pain to work with

23.07.2025 23:56 | 👍 0    🔁 0    💬 1    📌 0
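One way to make the structure complained about above workable, as an added example that is not part of the thread: a directoryAudit record nests targetResources[].modifiedProperties[], and each oldValue/newValue is a string that itself contains JSON (hence the escaped quotes), so the example decodes those strings and flattens each record into one row per modified property. The record below is a constructed sample in that shape; its property names are illustrative and are not the ones behind the screenshot, and nothing here depends on which loggedByService you ended up filtering on.

```powershell
# Added example, not from the original thread: flatten Entra directoryAudit records.
# $sample is a constructed record in the shape returned by /auditLogs/directoryAudits;
# the property names and values are illustrative.
$sample = @'
{
  "id": "Directory_00000000-0000-0000-0000-000000000000",
  "activityDateTime": "2025-07-23T20:11:05Z",
  "activityDisplayName": "Update user",
  "loggedByService": "Core Directory",
  "initiatedBy": { "user": { "userPrincipalName": "admin@contoso.example" } },
  "targetResources": [
    {
      "type": "User",
      "userPrincipalName": "alice@contoso.example",
      "modifiedProperties": [
        { "displayName": "AccountEnabled", "oldValue": "[true]", "newValue": "[false]" },
        { "displayName": "Department", "oldValue": "[\"Sales\"]", "newValue": "[\"Finance\"]" },
        { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, Department\"" }
      ]
    }
  ]
}
'@

function ConvertFrom-AuditValue {
    # oldValue/newValue are strings holding JSON: "[true]", "[\"Sales\"]", "\"text\"".
    # Decode once, then unwrap single-element arrays so callers get the plain value.
    param($Value)
    if ($null -eq $Value) { return $null }
    $decoded = $Value | ConvertFrom-Json
    if ($decoded -is [array] -and $decoded.Count -eq 1) { $decoded[0] } else { $decoded }
}

function Expand-DirectoryAudit {
    # One row per (target, modified property): easy to group by property,
    # diff old against new, or export, unlike the nested original.
    param([Parameter(ValueFromPipeline)]$Audit)
    process {
        foreach ($target in $Audit.targetResources) {
            foreach ($prop in $target.modifiedProperties) {
                [pscustomobject]@{
                    When     = [datetime]$Audit.activityDateTime
                    Activity = $Audit.activityDisplayName
                    Service  = $Audit.loggedByService
                    Actor    = $Audit.initiatedBy.user.userPrincipalName
                    Target   = $target.userPrincipalName
                    Property = $prop.displayName
                    OldValue = ConvertFrom-AuditValue $prop.oldValue
                    NewValue = ConvertFrom-AuditValue $prop.newValue
                }
            }
        }
    }
}

$sample | ConvertFrom-Json | Expand-DirectoryAudit | Format-Table -AutoSize
```

Feed real records in by piping the value array of a /auditLogs/directoryAudits response (with -OutputType PSObject) into Expand-DirectoryAudit; the flat rows then group cleanly by Service or Property, which is the post-processing the thread says you are stuck doing.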

Many orgs have massive audit logs, so pulling them all back is not the best way to do this, except...

We can't actually filter on the things you want to for this, and the docs aren't clear which loggedByService corresponds to which API calls :-/

learn.microsoft.com/en-us/graph/...

23.07.2025 23:56 | 👍 0    🔁 0    💬 1    📌 0

My whining thread :p

I couldn't find any reports, queries, etc., to help us assess impact :(

The responsibility to discover licensing costs was left to the customer with sparse instructions to go figure it out...

"Just look at your audit logs!"

learn.microsoft.com/en-us/entra/...

23.07.2025 23:55 | 👍 1    🔁 1    💬 1    📌 0
