Fabian Bader

@fabian.bader.cloud

#Security #Azure #EntraID #XDR #MDE #Identity #M365 #AD #PKI #KQL Microsoft MVP Tweets and opinions are my own

2,374 Followers  |  362 Following  |  299 Posts  |  Joined: 10.05.2023  |  1.9895

Latest posts by fabian.bader.cloud on Bluesky

Microsoft Entra Conditional Access token protection explained - Microsoft Entra ID Learn how to secure your environment with token protection in Microsoft Entra Conditional Access policies.

A rare, but highly welcome change. Microsoft changed the license requirement for Token protection from Entra ID P2 to P1.

This will protect more customers in the long run and lead to a more secure ecosystem.

learn.microsoft.com/en-us/entra/...

24.07.2025 04:39 — 👍 9    🔁 3    💬 0    📌 0
Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center Customer guidance for SharePoint vulnerability CVE-2025-53770

🚨 PSA - Zero day in SharePoint on-prem is actively exploited!

◽ Have Defender AV active
◽ Don't disable AMSI integration of SharePoint
◽ Keep an eye out for the alerts outlined in the article
◽ Look for post exploitation with the hunting query

msrc.microsoft.com/blog/2025/07...

20.07.2025 04:39 — 👍 6    🔁 1    💬 0    📌 0
Overview of NTLM auditing enhancements in Windows 11, version 24H2 and Windows Server 2025 - Microsoft Support Summary of new auditing features and deployment details

Part 8053 of eleventy billion on our path to killing NTLM: way way way way way better auditing.

support.microsoft.com/en-us/topic/...

13.07.2025 16:35 — 👍 47    🔁 13    💬 3    📌 0
What r u doing while cooking?
That's my distraction ….
#PSConfEU 2915

29.06.2025 18:36 — 👍 4    🔁 2    💬 0    📌 0
Azure AD Graph retirement Migrate your applications using Azure AD Graph APIs scripts to Microsoft Graph before September 2025.

The latest on the Azure AD Graph retirement mentions two temporary outage tests and more guidance.

If something stops working it might be because of those tests.

#Entra #AADGraph

techcommunity.microsoft.com/blog/microso...

29.06.2025 08:49 — 👍 0    🔁 0    💬 0    📌 0
One of the results of the joint research with @dirkjanm.io is entrascopes.com

Basically the yellow pages for Microsoft first party apps.

#TROOPERS25

26.06.2025 09:48 — 👍 23    🔁 6    💬 2    📌 0

"One thing we have learned over years is that the world moves quickly, and building is easy but supporting is hard...."

Sydney Smith 2025

#StateOfTheShell
#PSConfEU 2025

23.06.2025 09:34 — 👍 5    🔁 2    💬 0    📌 0

Citrix Netscaler customers - keep calm and patch CVE-2025-5777 from Tuesday.

It allows unauth memory reads, has similarities to CitrixBleed (CVE-2023-4966) as it may allow session token theft.

20.06.2025 15:52 — 👍 84    🔁 36    💬 2    📌 2

Great company you have there. Enjoy Malmö

22.06.2025 21:54 — 👍 0    🔁 0    💬 0    📌 0
Rerunning my test scenarios for the #TROOPERS25 presentation...

22.06.2025 16:58 — 👍 4    🔁 1    💬 0    📌 0

Congratulations 🎉

01.06.2025 22:07 — 👍 1    🔁 0    💬 0    📌 0
A margarita pizza with mozzarella cheese

Pizza 🍕

25.05.2025 17:31 — 👍 2    🔁 0    💬 0    📌 0
Microsoft trying to be like @vxunderground, smh 😂

20.05.2025 19:17 — 👍 4    🔁 1    💬 0    📌 0
Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.

19.05.2025 13:34 — 👍 7    🔁 3    💬 1    📌 0

The unified IdentityInfo table is the most comprehensive way to identify users and their attributes in the unified SOC experience.

You have to onboard your Sentinel workspace AND enable UEBA to take advantage of this in advanced hunting.

#xdr #sentinel

14.05.2025 21:27 — 👍 3    🔁 1    💬 0    📌 0
Made it on #58 of the MSRC leaderboard Q1 2025

First time I made it on the @msftsecresponse leaderboard 🍾

msrc.microsoft.com/leaderboard

09.05.2025 22:51 — 👍 8    🔁 0    💬 2    📌 0

Experts live NL
Workplace Ninja Norway
TROOPERS (DE)
Workplace Ninja Summit (CH)

07.05.2025 19:11 — 👍 0    🔁 0    💬 0    📌 0

Not yet, but if you see me at any of the conferences starting June come over and ask me about it.

07.05.2025 18:37 — 👍 1    🔁 0    💬 1    📌 0
a card deck from the back, fanned out, reading "Family of Client IDs" with a tree in the middle

Planning for some days off from work. What to put in the duffle bag besides a good book and some sunscreen?
My new favorite card game of course.
#FOCI #FamilyOfClientID

07.05.2025 17:44 — 👍 2    🔁 0    💬 1    📌 0
Application Based Authentication on Microsoft Entra Connect Sync is near. With this change you will be able to use a TPM backed certificate in Entra Connect Sync for authentication.

This is a welcome change to prevent the compromise of this high privileged account.

#Entra #Certificate

02.05.2025 06:52 — 👍 10    🔁 2    💬 0    📌 1

Not really

28.04.2025 20:19 — 👍 0    🔁 0    💬 0    📌 0
Azure X-Ray - Microsoft Edge Addons Make Microsoft Edge your own with extensions that help you personalize the browser and be more productive.

I made an Azure version
microsoftedge.microsoft.com/addons/detai...

27.04.2025 02:35 — 👍 10    🔁 4    💬 1    📌 1

Here's (finally!) what I've found about this 😉
bsky.app/profile/cnot...

24.04.2025 13:46 — 👍 3    🔁 2    💬 1    📌 0

Is this in the Entra portal or in forwarded logs to Log Analytics

26.04.2025 19:21 — 👍 0    🔁 0    💬 1    📌 0
👀 Who is Nova?

We will find out tomorrow 😉

25.04.2025 16:00 — 👍 3    🔁 1    💬 0    📌 0
Here's another Maester v1.2 teaser.

We just added Severity for test results plus the ability to filter by Severity.

25.04.2025 16:44 — 👍 10    🔁 1    💬 0    📌 0

Great writeup

24.04.2025 21:59 — 👍 1    🔁 0    💬 0    📌 0
Looks like Lifecycle Workflows just added the ability to revoke session tokens 💪

Previously, we had to create our own custom extension (Logic App) to do this, so really nice to see it as a built-in task now :)

learn.microsoft.com/...

19.04.2025 06:02 — 👍 14    🔁 3    💬 1    📌 0
What's new in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint See what features are generally available (GA) in the latest release of Microsoft Defender for Endpoint, and security features in Windows 10 and Windows Server.

Two new ASR rules are now generally available:

◽ Block rebooting machine in Safe Mode
◽ Block use of copied or impersonated system tools

learn.microsoft.com/en-us/defend...

14.04.2025 19:01 — 👍 7    🔁 2    💬 0    📌 0
Automatic attack disruption: Enhanced containment for critical assets and shadow IT | Microsoft Community Hub Staying ahead of attackers is tough, as they constantly evolve and use advanced techniques like AI to exploit vulnerabilities. Protecting high-value assets...

Microsoft XDR Automatic attack disruption just got better. It now takes into account the device role and criticality to preserve key network functionality while protecting the assets.

Plus IP address based containment of undiscovered devices! #XDR

techcommunity.microsoft.com/blog/microso...

10.04.2025 05:09 — 👍 4    🔁 1    💬 0    📌 0