Christopher Brumm

@cbrhh.bsky.social

70 Followers  |  61 Following  |  9 Posts  |  Joined: 15.11.2024  |  1.6912

Latest posts by cbrhh.bsky.social on Bluesky

Take a look at the article I linked. It says: "Microsoft Entra Internet Access for Microsoft services capabilities are included in a Microsoft Entra ID P1 or Microsoft Entra ID P2 license."

05.03.2025 12:17 — 👍 0    🔁 0    💬 0    📌 0
Compliant Device Bypass in Microsoft Intune – Detection, Response & Mitigation In this blog post, glueckkanja's MVP Fabian Bader, Chris Brumm and Thomas Naunheim gather details about the Compliant Device Bypass in Microsoft Intune Company Portal. After additional research, they ...


@fabian.bader.cloud, @naunheim.cloud and I have also looked into the topic of TokenSmith and are describing the Blue Team perspective (including an effective detection) in this blog:
www.glueckkanja.com/blog/securit...

17.01.2025 07:21 — 👍 4    🔁 0    💬 0    📌 0
TokenSmith Meets Evilginx: Token Theft Combined with Entra Conditional Access Bypass (YouTube video by SYNACK Time)

Unfortunately, that was only a matter of time!

This video combines two of the most dangerous tools at the moment associated with phishing - and it's surprisingly simple!
www.youtube.com/watch?v=Dp1z...

Do we have defense options? Read on 👇

17.01.2025 07:21 — 👍 10    🔁 4    💬 1    📌 0
Continuous access evaluation in Microsoft Entra - Microsoft Entra ID Responding to changes in user state faster with continuous access evaluation in Microsoft Entra

A Compliant Network behaves like a Named Location and triggers the Continuous Access Evaluation trigger.
This will force the user to reauthenticate if the token is CAE enabled (and the Service is SharePoint Online).
-> learn.microsoft.com/en-us/entra/...
-> learn.microsoft.com/en-us/entra/...

4/4

10.01.2025 19:09 — 👍 0    🔁 0    💬 0    📌 0
Enable Compliant Network Check with Conditional Access - Global Secure Access Learn how to require known compliant network locations in order to connect to your secured resources with Conditional Access.

Why should you do this?

You get the option to protect your resources behind the compliant network control by configuring a Conditional Access policy
-> learn.microsoft.com/en-us/entra/...

According to my tests, this policy is really powerful at protecting against replayed tokens.

3/4

10.01.2025 19:09 — 👍 1    🔁 1    💬 1    📌 0
The Global Secure Access Client for Windows - Global Secure Access The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.

Means: you can install the Global Secure Access Client on all your clients and route the traffic to all the Microsoft Endpoints through GSA.
-> learn.microsoft.com/en-us/entra/...

The client is available for Windows, Mac, Android and iOS and it is really easy to deploy.

2/4

10.01.2025 19:09 — 👍 0    🔁 0    💬 1    📌 0
What is Global Secure Access? - Global Secure Access Learn how Microsoft's Security Service Edge (SSE) solution, Global Secure Access, provides network access control and visibility to users and devices inside and outside a traditional office.

Global Secure Access and Token Replay - a thread...

Did you know that "Microsoft Entra Internet Access for Microsoft" is included in your Entra ID P1 license?
-> learn.microsoft.com/en-us/entra/...

1/4

10.01.2025 19:09 — 👍 7    🔁 1    💬 2    📌 0
Use Defender XDR advanced hunting query capabilities to detect possible device compliance bypass attacks for Entra ID Conditional Access according to the vulnerability disclosed by Yuya Chudo (https:/...

gist.github.com/CloudProtect...

This one does a very good job because it considers if the device is joined/registered and only looks at the AADGraph. For this resource it's not normal that a non-registered device is accessing it.

09.01.2025 07:30 — 👍 2    🔁 1    💬 0    📌 0

Any tips? That's a really strange coincidence - ours needs to be replaced too...

29.12.2024 20:33 — 👍 0    🔁 0    💬 1    📌 0

I hope every SOC is monitoring incoming emails for signs of anomalous incoming mail amounts to your users. If this happens, the execution of any RMM by the target user is a high alert you should follow up on.

19.12.2024 22:24 — 👍 3    🔁 1    💬 2    📌 0

🔊 @cbrhh and I will be part of this year's Experts Live DK with our session: The state of passkey in 2025

#ELDK2025

conference.expertsli...

19.12.2024 14:52 — 👍 3    🔁 1    💬 1    📌 0

Great news! 🎉

I have the opportunity to speak in March at the #eldk2025 in Copenhagen!

I will do a comparison of Entra Private Access and a classic VPN solution and show why Global Secure Access is much closer to my understanding of Zero Trust Network Access.

Hope to see you there!

19.12.2024 17:03 — 👍 6    🔁 2    💬 0    📌 0