AndrewCZ

📢 Breaking changes: Guest billing for Entra ID Governance

I haven't seen any announcements on this and guidance is extremely lacking, so Joe Stocker gave me time to create a script to help everyone assess costs early :)

I would love your feedback!
github.com/nathanmcnult...

How to use Microsoft Graph Api Batching to speed up your scripts Graph Api batching is a great way to dramatically improve the performance of your Graph API-related scripts. It enables parallel execution of up to 20 Graph API calls, which is fantastic, but there is one tiny little problem. You have to write your o...

I have rewritten Get-IntunePolicy using graph api batching (Invoke-GraphBatchRequest from my MSGraphStuff module) and now it returns all our Intune policies in just 11 seconds instead of 50! Check doitpshway.com/how-to-use-m... for more details.

#powershell #graph #MSIntune

Dll conflicts between AZ and Graph Sdk auth modules. To avoid this you need to import the modules in correct order plus have versions that can work together. It's awful.

What about Az? That's the real pain mostly.

Struggling to find a caller by object ID in AzureActivity in your directory? It may be from another directory.

Check the claims field, the tenant ID is contained within the claim and you can use something like aadinternals.com/osint/ to find out which tenant the caller is from.

Basically if I take the code it can be used to backup our sentinel settings (after some modification of course)?

GitHub - mystak23/Sentinel_DevOpsConnection: This repository contains a script for automatic MicrosoftSentinel - AzureDevOps connection. This repository contains a script for automatic MicrosoftSentinel - AzureDevOps connection. - mystak23/Sentinel_DevOpsConnection

Sentinel DevOps Connection - This script creates the new Azure DevOps repository with Microsoft Sentinel code content. github.com/mystak23/...

#MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security #DefenderXDR

Not run o lot of tests but in general batching was faster for me (probably because of parallel overhead)

I am a little bit surprised you didn't show graph batching which is much faster 🤔

Ever wonder exactly what Defender AV settings are configured and where they got those settings from?

This new feature in Defender for Endpoint shows the effective configuration and the source the settings came from

Very helpful for troubleshooting :)

learn.microsoft.com/...

Sure. It's reappearing issue that won't be solved without teams that create those modules coordination though.

Automatically deploy Windows drivers on Patch Tuesday | Peter Klapwijk - In The Cloud 24-7 Automatically deploy drivers for Windows devices on Patch Tuesday to avoid unneeded reboots.

It was Patch Tuesday this week, time to align the driver deployment with the monthly patch Tuesday!

#Windows #WindowsUpdate #MsIntune #Automation

inthecloud247.com/automaticall...

They should with every sdk release inform with what version of AZ modules this one is compatible for (doesn't have dll conflicts). Otherwise I stay on the 2.25 🙂

CI/CD Implementation for Azure Sentinel Using Terraform | Microsoft Community Hub As cyber threats become increasingly sophisticated, security teams must adopt scalable and repeatable practices to maintain a robust defense posture. Azure...

CI/CD Implementation for Azure Sentinel Using Terraform techcommunity.micros...

#MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security #DefenderXDR

One of the questions during our #MSGraph sessions at @mmsmoa.bsky.social was around filtering. Highly recommend checking out @merill.net’s blog post for a deeper dive and fantastic visuals

merill.net/2024/07/prop...

#PowerShell #MMSMOA

PowerShell 7.5 GA is now available - PowerShell Team We’re pleased to announce the release of PowerShell 7.5.0! For this release the focus has been on quality, security and stability of the platform. We greatly appreciate the enormous amount of communit...

Psh Core 7.5 has this sorted btw

devblogs.microsoft.com/powershell/a...

New version of EntraFIDOFinder is out now Now with over 15 new keys! It was a little slow last month, but this month they made up with adding 6 new Vendors too. For the module, most of the enhancements were on the backend, where I created …

NEW keys added to EntraFIDOFinder #PowerShell module - check out the blog post clatent.com/2025/05/new-...

I made an Azure version
microsoftedge.microsoft.com/addons/detai...

Introducing ActorInfoString: A New Era of Audit Log Accuracy in Exchange Online | Microsoft Community Hub How ActorInfoString Elevates Security and Transparency  We’re excited to introduce ActorInfoString, a significant new feature...

Introducing ActorInfoString: A New Era of Audit Log Accuracy in Exchange Online techcommunity.micros...

#Security #MicrosoftSecurity #Cybersecurity #SFI #SecureFutureInitiative

Not seeing out-gridview getting fixed? 🙁

Linking to page aka.ms/GetMicrosoftAuthenticator

🚨 PSA: FAKE Microsoft Authenticator apps are flooding the App Store & Play Store! ⚠️

Protect your users!

ONLY send them to the official download link 👇

Bookmark this! Update your user guides & intranet NOW. RT to spread the word!

#CyberSecurity #MFA

🧵↓

Comprehensive Guide to Configuring Advanced Auditing This post provides everything you need to ensure Advanced Auditing is fully configured and auditing everything we possibly can for both existing and new users. I recently shared guidance for this via social media (see below), and it felt like a perfect time to revisit my previous posts and combine everything into one comprehensive guide :) You likely aren't collecting all available events to the Unified Audit Log First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything). Retention is based on license... pic.twitter.com/IEKKfrkpI8

Most Microsoft tenants do not have Advanced Auditing configured correctly, and orgs only find out after it is too late :(

I tried really hard to make this as short and simple as possible. Please be nice to your IR folks and set this up, it's important ;)

nathanmcnulty.com/bl...

Microsoft Attempts to Fix Microsoft Graph PowerShell SDK V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next version.

Microsoft attempts to fix the problem with V2.26.1 of the Graph #PowerShell SDK and Azure Automation. This is the kind of issue that should never have appeared in public. Sad to see vital components abused.
office365itpros.com/2025/04/14/m...
#Microsoft365

100% true.

I would add other incompatibilities like with AZ auth module and that it requires you to authenticate in the correct order 🙂

Recover Admin Account with Entra Break Glass Access Application Learn how to configure break glass access application in Entra ID to recover admin accounts from the lockouts.

I've been mulling over this concept of a break glass application in Entra, and thought I'd share some important notes for anyone that might be considering it

For reference, here's the article:
blog.admindroid.com/...

Short thread, but my primary concern is privilege escalation

So, uhh, this seems like something that is highly abusable that I bet almost nobody is monitoring for... :-/

learn.microsoft.com/...

# Find apps missing SPs, select and register
Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'servicePrincipal') and servicePrincipalId eq '00000000-0000-0000-0000-000000000000'" | Out-GridView -PassThru | ForEach-Object {New-MgBetaServicePrincipal -AppId $_.appId}

PowerShell is fun :)Introduction to the Microsoft.OSConfig PowerShell module While at the Microsoft MVP summit, one of the MVPs mentioned the Microsoft.OSConfig module. I haven’t used it before, and I like how it works and how the product team works with the Desired S…

While at the Microsoft MVP summit, one of the MVPs mentioned the Microsoft.OSConfig module. I haven’t used it before, and I like how it works! In this blog post, I will show you how it works.

powershellisfun.com/2025/04/04/i...

#PowerShell #Security #OSConfig

Managing Restricted Groups with Access Packages 👮 Restricted Management Admin Units (RMAU) in #EntraID Hackers HATE This Hidden Entra ID Feature Most Admins Never Use@NathanMcNulty breaks it down for us 👇 🎧 Get the full podcast episode at https://t...

New website and first blog post in a couple years! :)

I got to talk with @merill.net recently about Restricted Management Admin Units, but some noted they break Access Packages and PIM making them less useful

While true by design, we can actually fix this!

nathanmcnulty.com/blog/2025/04...

Retire Service Principal-Less Authentication - Microsoft identity platform Learn about the mitigation steps tenant administrators should perform for service principal-less authentication behavior deprecation.

This is awesome! Microsoft is killing off the ability for multi-tenant applications to authenticate in directories where a service principal has not been registered.

learn.microsoft.com/...

I'd like to automate discovery and remediation for admins, but I need help testing :)