01x08 | copilot_reinstall.bat

In this episode Koos returns to a somewhat controversial topic - Security Copilot, but this time without the hype and of course with some practical tips. Chris introduces Microsoft Entra Suite in the first of two episodes taking a look at these capabilities.

Security Copilot

Why did I say it’s controversial?

  • It seemed to burn through SCUs like candy. And these are expensive!
  • I think there were some design flaws like lack of caching.

But there are some nice improvements!

  • Caching is here! Previously, Copilot regenerated incident summaries every time, burning SCUs with each refresh. The incident report now stays in place, as do branched-out investigations in the dedicated Security Copilot portal.
  • New “overage” SCUs make it more “pay-as-you-go”.
  • There are better visual insights into usage and costs.

Cost structure

Billing is calculated on hourly blocks based on provisioned capacity rather than by 60-minute increments and has a minimum of one hour. Any usage consumed within the same hour is billed as a full SCU for provisioned capacity, regardless of start or end times within that hour. For overage units, SCUs are billed up to one decimal increments for the exact consumed units. Consumed units are not rounded up to whole numbers. This means that you’re charged precisely based on your usage (to one decimal place). For instance, if you provision an SCU at 9:05 a.m., then deprovision it at 9:35 a.m., and then provision another SCU at 9:45 a.m., you’ll be charged for two units within the 9:00 a.m. to 10:00 a.m. hour. To maximize usage, make SCU provisioning changes at the beginning of the hour. For more information, see Manage usage.
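To make the hour-block rule concrete, here is a small PowerShell calculator (an added example, not from the episode or from Microsoft) that counts billable provisioned SCU-hours for a list of provisioning intervals and bills overage to one decimal; it reproduces the two-unit 9:05 / 9:45 case from the text and contrasts it with changing capacity on the hour. The $4 and $6 rates are the ones quoted later in this episode; treating the one-decimal overage rounding as round-half-up is an assumption.

```powershell
# Added example (not from the episode): estimate Security Copilot charges from the billing
# rules above. Rates are the $4 provisioned / $6 overage per SCU quoted in this episode;
# rounding overage to one decimal as round-half-up is an assumption.
$ProvisionedRatePerHour = 4.0
$OverageRatePerUnit     = 6.0

function Get-BillableHourBlocks {
    # Clock-hour blocks touched by [Start, End). Any usage inside a block bills a full SCU
    # for that block, whatever the start or end minute.
    param([datetime]$Start, [datetime]$End)
    $blocks = @()
    $cursor = $Start.Date.AddHours($Start.Hour)
    while ($cursor -lt $End) {
        $blocks += $cursor
        $cursor = $cursor.AddHours(1)
    }
    return $blocks
}

function Get-ScuEstimate {
    # Intervals: @{ Start = [datetime]; End = [datetime]; Units = [int] } per provisioning period.
    # OverageUnitsConsumed: exact overage usage, which is billed to one decimal, not whole units.
    param([array]$Intervals, [double]$OverageUnitsConsumed = 0)

    $scuHours = 0
    foreach ($i in $Intervals) {
        # Deprovisioning and re-provisioning inside the same clock hour bills that hour twice,
        # which is the 9:05 / 9:45 case from the text.
        $scuHours += $i.Units * @(Get-BillableHourBlocks -Start $i.Start -End $i.End).Count
    }
    $overageBilled = [math]::Round($OverageUnitsConsumed, 1, [System.MidpointRounding]::AwayFromZero)

    [pscustomobject]@{
        ProvisionedScuHours = $scuHours
        ProvisionedCostUsd  = $scuHours * $ProvisionedRatePerHour
        OverageUnitsBilled  = $overageBilled
        OverageCostUsd      = [math]::Round($overageBilled * $OverageRatePerUnit, 2)
    }
}

# The example from the text: provision 09:05, deprovision 09:35, provision again 09:45.
$day = Get-Date -Date '2025-06-01'
$sameHourTwice = @(
    @{ Start = $day.AddHours(9).AddMinutes(5);  End = $day.AddHours(9).AddMinutes(35); Units = 1 },
    @{ Start = $day.AddHours(9).AddMinutes(45); End = $day.AddHours(10);               Units = 1 }
)
Get-ScuEstimate -Intervals $sameHourTwice -OverageUnitsConsumed 3.25

# Same capacity, but changed on the hour boundary instead: a single SCU-hour.
$onTheHour = @(@{ Start = $day.AddHours(9); End = $day.AddHours(10); Units = 1 })
Get-ScuEstimate -Intervals $onTheHour

# What the "don't leave it running 24/7" warning means for one SCU over 30 days.
Get-ScuEstimate -Intervals @(@{ Start = $day; End = $day.AddDays(30); Units = 1 })
```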


Practical tips

  • You don’t have to keep it running 24/7.
  • Activate Security Copilot temporarily in your tenant and benefit from it across:
    • Microsoft Defender XDR
    • Microsoft Intune
    • Entra ID
  • Once you’ve gotten what you need—offboard it again. No shame. Smart use of your SCU.
  • Use my PowerShell script for easy on-/off-boarding. (since there are ZERO docs out there :-( ))

Real-world scenarios

  • Defender XDR

    Use Security Copilot directly inside an incident to:

    • “Show me the exact command line that was executed by this user in this incident.” Copilot pulls relevant ProcessCreationEvents, extracts the command line, and summarizes the behavior—without clicking through multiple pivots.

    • “Summarize which lateral movement techniques were observed in this incident.” Copilot parses incident evidence (like remote desktop usage, token theft, or SMB connections) and provides MITRE-aligned context.

  • Entra ID

    Use natural queries to investigate identity-based activity:

    • “Show me the 10 most recent sign-ins for this user and summarize the MFA methods used.” Copilot fetches sign-in logs, filters and aggregates sign-in frequency, location anomalies, and which MFA methods were used.

    • “Summarize all Conditional Access policies that apply to this user and describe their impact.” No more digging through the CA policy blade—Copilot gives you a readable breakdown of each rule, its scope, and enforcement logic.

  • Microsoft Intune

    Security Copilot can help surface endpoint insights fast:

    • “Which devices are non-compliant due to missing disk encryption?” Copilot summarizes compliance policies and instantly lists affected devices.

    • “Summarize app risk posture across all Android BYOD devices.” Copilot reviews app inventory and flags outdated, side-loaded, or unmanaged apps by device type.

Final Thoughts

Security Copilot has come a long way. If you were burned by it early on, or avoided it due to cost, it might be time to revisit and re-evaluate. But still be careful! SCUs still burn down quickly, and with an hourly rate of $4 ($6 for overage) this can quickly add up if you keep them running 24/7.

Microsoft Entra Suite

Microsoft Entra Suite is a comprehensive identity and network access solution designed to support a Zero Trust security model. It integrates multiple security and access management tools to ensure secure and seamless authentication across applications and networks. Key Components of Microsoft Entra Suite are:

  • Microsoft Entra Private Access – Provides secure access to private applications and corporate networks without requiring a VPN.
  • Microsoft Entra Internet Access – Protects access to internet resources, including SaaS applications and Microsoft 365.
  • Microsoft Entra ID Governance – Automates identity lifecycle management and access permissions.
  • Microsoft Entra ID Protection – Detects and mitigates identity-based security risks.
  • Microsoft Entra Verified ID Premium – Enables real-time identity verification while maintaining privacy.

More licenses?

Licensing Options for Microsoft Entra:

  • Microsoft Entra ID P1 – Required as a base subscription for Entra Suite. Available as a standalone product or included with Microsoft 365 E3 and Business Premium.
  • Microsoft Entra ID P2 – Includes advanced security features and is available as a standalone product or bundled with Microsoft 365 E5.
  • Microsoft Entra Suite – Combines multiple Entra products, including Private Access, Internet Access, ID Governance, ID Protection, and Verified ID Premium. It requires an Entra ID P1 subscription and is priced at $12 (USD) per user/month.


Real-world use cases

  • Microsoft Entra Private Access
    • VPN Replacement – Securely connect users to private applications without exposing full network access.
    • Just-in-Time Access – Grant temporary access to sensitive resources only when needed.
    • Secure Remote Work – Enable employees to access corporate apps securely from any device or location.
    • Privileged Access Protection – Enforce additional security controls for administrators accessing critical systems.
  • Microsoft Entra Internet Access
    • Web Content Filtering – Block access to malicious or inappropriate websites.
    • Secure SaaS Access – Protect access to cloud applications like Microsoft 365.
    • Conditional Access Enforcement – Apply security policies based on user identity and device compliance.
    • Threat Protection – Prevent phishing and malware attacks targeting internet traffic.
  • Microsoft Entra ID Governance
    • Identity Lifecycle Management – Automate onboarding, role transitions, and offboarding.
    • Access Reviews – Periodically review user access to ensure compliance.
    • Guest Access Management – Control access for external users like partners and vendors.
    • Privileged Identity Management – Secure high-risk accounts with additional verification.
  • Microsoft Entra ID Protection
    • Risk-Based Conditional Access – Automatically block or challenge risky sign-ins.
    • Threat Detection – Identify compromised accounts using AI-driven risk analysis.
    • Automated Remediation – Require multi-factor authentication or password resets for suspicious activity.
    • Security Information and Event Management (SIEM) Integration – Export risk data for deeper analysis.
  • Microsoft Entra Verified ID Premium
    • Identity Verification – Confirm user identities using verifiable credentials.
    • Self-Service Enrollment – Allow users to verify their identity without manual intervention.
    • Know Your Customer (KYC) Compliance – Streamline identity verification for financial transactions.
    • Face Check Authentication – Use facial matching for high-assurance identity verification.

🛠️ Community Project

PIM Role Advisor by Morten Knudsen

Morten shows us that AI doesn’t need to be expensive, and does so in a fun way: by integrating Azure AI Foundry with your PowerShell session. With the help of his script, PowerShell advises you which Entra/Azure role you need, based on a natural-language explanation of the work you want to get done.

With 77 requests in his demo he burned through 2 million tokens but paid only $0.23.

Check it out here and try it yourself. There’s also a video of his script in action.


If you’re not already following Morten, please do. He’s probably the most hard-working community member I’ve ever met. He’s cranking out different sessions at events, organizing Experts Live Denmark and still able to write blogs like these while also running a company.

TCA Podcast Episode 100: Opal AI

In this milestone 100th episode, we sit down with Daniel Brown, a Microsoft MVP based in Adelaide, to explore how AI is transforming the rugged world of opal mining. Daniel shares the fascinating story of how he developed Opal AI, a computer vision system that uses Microsoft’s Custom Vision and Azure services to identify precious opals in the harsh environment of Coober Pedy. By leveraging AI to detect opal, and safety hazards in real-time, Daniel demonstrates how edge computing can bring tangible efficiency and safety improvements to a traditionally manual industry.

The discussion delves into the practical challenges of deploying AI in the Australian outback, from using black light properties for opal detection to dealing with connectivity limitations that require robust offline edge processing. Daniel explains how he built and refined his models with over 5,000 tagged images, sharing practical advice for others looking to start their own AI projects using tools like customvision.ai with as few as 15 starter images.

Beyond the technical insights, the episode captures the intersection of ancient geology and cutting-edge technology, highlighting how AI can uncover treasures that are over 100 million years old while automating and securing mining operations.

We also celebrate our 100th episode, reflecting on nine years of community-driven conversations, learning, and evolving alongside the cloud ecosystem.

Prefer video? Check us out on YouTube.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 99: Working Smarter

In this episode we are joined by guest Kirsty McGrath, a Microsoft MVP and adoption expert, for an insightful conversation on working smarter in today’s AI-driven workplace. Kirsty shares her extensive experience leading adoption programs across Australia and consulting with top Microsoft clients, offering practical wisdom on the importance of user training and change management in maximizing the impact of tools like Microsoft Copilot.

The episode delves into the common confusion users face when navigating Microsoft 365’s vast ecosystem, especially with tools that overlap or are frequently updated. Kirsty emphasizes that adoption isn’t just about assigning licenses; it’s about helping people understand, trust, and effectively use technology. She also discusses the psychological and organizational barriers to change: how emotional comfort zones can prevent users from embracing new tools, and why strong change management can significantly reduce help desk pressure and improve employee satisfaction.

For more information on The Cloud Architects podcast, check us out on SoundCloud

01x07 | summarize harden(Tenant) | take 5

In this episode Chris shares 5 things you should configure in Microsoft 365 to make your tenant more secure and Koos introduces “Summary Rules” in Microsoft Sentinel. What are “Summary Rules”? And what new opportunities might they bring to your logging strategies?



5 ways to harden your Microsoft 365 tenant Security

There are many out-of-the-box configurations in M365 that are optimized for productivity and less than optimal from a security perspective. I thought it would be a good idea to go back to the basics today and talk about 5 things you can and should be doing to make your tenant more secure.

Disable user app registration

Setting “Users can register applications” to “No” in Microsoft 365 is a security measure to prevent users from registering their own applications within the organization’s environment. Here’s why this can be important:

  • Prevent Unauthorized Access: By default, users can register applications that use Azure AD authentication. If misconfigured, these apps could introduce security risks or allow unintended access to sensitive data.
  • Reduce Shadow IT: Without restrictions, users might create and integrate applications that bypass IT governance, potentially leading to security vulnerabilities or compliance issues.
  • Enhance Governance and Control: This setting ensures that only IT administrators or designated personnel can register applications, maintaining oversight and control over app integrations.
  • Minimize Data Exposure Risks: Some applications require extensive permissions to function, including access to organizational data. Disabling user registration prevents apps from accessing sensitive information without approval.

If your organization requires certain users to register applications, you can manage this through specific roles and policies rather than leaving it open to all users.

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
  2. Click to expand Identity > Users and select User settings.
  3. Set Users can register applications to No.
  4. Click Save.

Setting “User consent for applications” to “Do not allow user consent” in Microsoft 365 enhances security and governance by ensuring only administrators control which applications can access organizational data. Here’s why it’s a recommended practice:

  • Prevent Data Exposure: Users may unintentionally grant excessive permissions to third-party apps, risking sensitive data exposure.
  • Reduce Security Vulnerabilities: Some apps request broad access scopes, which could lead to unauthorized data leaks or malicious exploitation.
  • Maintain Compliance: Organizations handling regulated data need strict access controls to meet security and privacy standards.
  • Ensure IT Oversight: Administrators can vet applications before approving access, reducing the risk of shadow IT and unmanaged integrations.

If you need flexibility, you can configure specific consent policies, allowing only trusted applications or designated users to request access. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes.

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
  2. Click to expand Identity > Applications and select Enterprise applications.
  3. Under Security select Consent and permissions > User consent settings.
  4. Under User consent for applications select Do not allow user consent.
  5. Click the Save option at the top of the window.

Allow collaboration invitations to trusted domains only

Restricting user invitations to specified domains in Entra ID is a security best practice that ensures external collaboration remains controlled and aligned with organizational policies. Here’s why it’s a good idea:

  • Prevent Unauthorized Access: Users might unintentionally invite people from untrusted or personal domains, increasing security risks.
  • Enhance Data Protection: Limiting invitations to approved domains ensures sensitive organizational data isn’t exposed to unverified external users.
  • Maintain Compliance: Certain industries require strict access controls to meet regulatory standards like GDPR or HIPAA.
  • Reduce Risks from Shadow IT: Without restrictions, users might invite external collaborators without IT oversight, leading to unmanaged data sharing.
  • Strengthen Identity Governance: Ensuring invitations align with approved domains prevents identity management inconsistencies and helps enforce security policies.

If your organization regularly collaborates with specific external partners, this policy ensures that only trusted domains are allowed. You should ensure that you have a process users can follow to request a trusted domain.

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
  2. Click to expand Identity > External Identities and select External collaboration settings.
  3. Under Collaboration restrictions, select Allow invitations only to the specified domains (most restrictive), then specify the allowed domains under Target domains.

Manage SharePoint external sharing through domain allow lists

Setting SharePoint to limit external sharing by domain is a strategic way to maintain security, control data access, and prevent unauthorized sharing. Here’s why it’s a good practice:

  • Prevent Data Leaks: Without domain restrictions, users could accidentally share sensitive files with untrusted or personal email accounts.
  • Enhance Security: Limiting sharing to specific domains ensures external collaboration only happens with verified partners.
  • Maintain Compliance: If your organization handles regulated data, restricting external sharing helps meet privacy and security standards.
  • Reduce Insider Risks: Prevents users from sharing data with competitors or unauthorized third parties, safeguarding intellectual property.
  • Ensure IT Governance: Provides administrators visibility and control over external sharing, reducing shadow IT and unmanaged file access.

If your organization regularly collaborates with specific external entities, this policy allows seamless access while keeping security tight.

  1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
  2. Expand Policies then click Sharing.
  3. Expand More external sharing settings and check Limit external sharing by domain.
  4. Select Add domains to add a list of approved domains.
  5. Click Save at the bottom of the page.

Disable communication with unmanaged Teams users

Setting “People in my organization can communicate with unmanaged Teams accounts” to “Off” in Microsoft Teams is an important security measure to control communication and prevent unauthorized data sharing. Here’s why it matters:

  • Prevent Unverified Communication: Unmanaged accounts may belong to individuals who aren’t formally part of your organization, increasing security risks.
  • Enhance Data Protection: Prevents sensitive conversations, files, and messages from being exchanged with untrusted accounts.
  • Reduce Insider Threats: Ensures that only verified, managed accounts can interact with internal users, lowering the risk of data leaks.
  • Maintain Compliance: Certain regulations require organizations to manage and track external communications, and allowing unmanaged accounts may violate those policies.
  • Improve IT Governance: Keeps communication within approved boundaries, reducing shadow IT risks and unmanaged collaboration.

If your organization needs to collaborate externally, setting up verified guest accounts or using controlled external access policies is a safer alternative.

  1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/
  2. Click to expand Users and select External access.
  3. Select the Policies tab
  4. Click on the Global (Org-wide default) policy.
  5. Set People in my organization can communicate with unmanaged Teams accounts to Off.
  6. Click Save.
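Portal settings drift, so here is an added PowerShell audit (not from the episode) that reads back the five settings above and reports which still need a look; it can run on a schedule after the initial hardening. It assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules, a caller with Policy.Read.All plus SharePoint and Teams admin rights, and a placeholder tenant name; the B2B domain allow list itself is not exposed by these cmdlets and is left as a portal check.

```powershell
# Added audit script (not from the episode): verify the five tenant hardening settings above.
# Assumes the Microsoft.Graph, Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules
# are installed and the caller has Policy.Read.All plus SharePoint and Teams admin rights.
# "<tenant>" is a placeholder for your tenant name.
param([string]$SharePointAdminUrl = 'https://<tenant>-admin.sharepoint.com')

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Connect-SPOService -Url $SharePointAdminUrl
Connect-MicrosoftTeams | Out-Null

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Ok) { 'OK' } else { 'REVIEW' })
        Detail = $Detail
    })
}

# 1. "Users can register applications" should be No.
$authz = Get-MgPolicyAuthorizationPolicy
$allowedToCreateApps = $authz.DefaultUserRolePermissions.AllowedToCreateApps
Add-Finding -Check 'User app registration disabled' -Ok (-not $allowedToCreateApps) `
    -Detail "AllowedToCreateApps = $allowedToCreateApps"

# 2. "Do not allow user consent" shows up as no ManagePermissionGrantsForSelf.* policy assigned.
$selfConsent = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
    Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
Add-Finding -Check 'User consent for applications disabled' -Ok ($selfConsent.Count -eq 0) `
    -Detail "Assigned self-consent policies: $($selfConsent -join ', ')"

# 3. The collaboration domain allow list (External collaboration settings) is not readable
#    through these cmdlets; verify the Target domains list in the Entra admin center.

# 4. SharePoint external sharing limited by a domain allow list.
$spo = Get-SPOTenant
Add-Finding -Check 'SharePoint sharing limited to allowed domains' `
    -Ok ($spo.SharingDomainRestrictionMode -eq 'AllowList') `
    -Detail "Mode = $($spo.SharingDomainRestrictionMode); Domains = $($spo.SharingAllowedDomainList)"

# 5. Teams: communication with unmanaged (consumer) Teams accounts turned off.
$fed = Get-CsTenantFederationConfiguration
Add-Finding -Check 'Teams communication with unmanaged accounts off' -Ok (-not $fed.AllowTeamsConsumer) `
    -Detail "AllowTeamsConsumer = $($fed.AllowTeamsConsumer)"

$findings | Format-Table -AutoSize
```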

Sentinel Summary Rules

In episode 4 back in March I spoke about the different table tiers in Sentinel. The Auxiliary tier was still in preview back then; now it’s GA. But one of the downsides of these lower-tiered table plans is that you can’t use the data for real-time incident creation with your Sentinel Analytic Rules. And as I alluded to earlier, you might want to consider looking into Azure Data Explorer for this reason alone, since the costs will be even lower there.

Well, with Summary Rules I think Microsoft took a nice step in the right direction for making sure customers keep their data in Sentinel, by increasing the value of logs in Auxiliary and Basic tables.

What is a Summary Rule?

  • Aggregate large sets of data in the background
  • Sort of “Scheduled KQL queries”
  • Results are stored in separate Analytics table(s)


Example scenarios

  • Quickly find potential malicious IPs in your network as part of triage
  • Generate alerts on TI indicator matches
  • Trigger alerts on baseline anomalies (e.g. TotalBytesSent)


  • Bring down retention cost by summarizing high-volume tables (e.g. MicrosoftGraphActivityLogs)

But remember

  • Still keep an eye on query performance!
  • Enable monitoring and create an alert rule:

    LASummaryLogs
    | where Status !in("Succeeded", "Started")
    
  • Summary rule creation needs Sentinel Contributor, but table creation needs at least Log Analytics Contributor
  • SIEM-as-a-Code deployments should also take destination table creation into account
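For the SIEM-as-code point above, here is an added example (not from the episode) that deploys a summary rule for the MicrosoftGraphActivityLogs scenario, with the KQL that builds the per-caller baseline, and then runs the monitoring query. It assumes Az.Accounts and Az.OperationalInsights, a signed-in account with rights on the workspace, placeholder subscription/resource group/workspace values, and the summary-rule REST shape (ruleType, binSize, query, destinationTable; api-version 2023-01-01-preview) as documented at the time of writing; the LASummaryLogs column names beyond Status are also an assumption.

```powershell
# Added example (not from the episode): create a Sentinel summary rule as code.
# Assumes Az.Accounts + Az.OperationalInsights and that Connect-AzAccount has been run with an
# identity holding Sentinel Contributor (rule) and Log Analytics Contributor (destination table).
# The REST shape (ruleType, binSize, query, destinationTable; api-version 2023-01-01-preview)
# and the LASummaryLogs columns are assumed from the public docs; verify before use.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$Workspace      = '<workspace-name>'
$WorkspaceId    = '<workspace-customer-id-guid>'
$RuleName       = 'GraphActivityHourlyByCaller'

# Runs once per bin over MicrosoftGraphActivityLogs and keeps one row per caller and source IP.
# The small output table is what you later alert on (e.g. TotalBytes far above a caller's baseline)
# while the raw, high-volume table can live in a cheaper tier.
$Query = @'
MicrosoftGraphActivityLogs
| summarize Requests = count(),
            FailedRequests = countif(ResponseStatusCode >= 400),
            TotalBytes = sum(ResponseSizeBytes),
            DistinctUris = dcount(RequestUri)
    by UserId, ServicePrincipalId, AppId, IPAddress
'@

$body = @{
    properties = @{
        ruleType         = 'User'
        description      = 'Hourly Graph activity per caller and source IP'
        binSize          = 60                       # minutes
        query            = $Query
        destinationTable = 'GraphActivityHourly_CL'
    }
} | ConvertTo-Json -Depth 5

$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights" +
        "/workspaces/$Workspace/summaryLogs/$RuleName" + '?api-version=2023-01-01-preview'

$response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($response.StatusCode -notin @(200, 201)) {
    throw "Summary rule deployment failed: $($response.StatusCode) $($response.Content)"
}

# Monitoring, as the episode suggests: anything other than Succeeded/Started needs attention.
$Monitor = @"
LASummaryLogs
| where RuleName == "$RuleName"
| where Status !in ("Succeeded", "Started")
| project TimeGenerated, RuleName, Status
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Monitor).Results
```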


🛠️ Community Project

MDE Automator

Microsoft MVP Eric Mannon has created a very elaborate Toolkit for Defender for Endpoint! His experiences in the SecOps space led to the creation of a set of tools which can help with day-to-day incident response tasks in MDE environments.

It consists of:

  • PowerShell module MDEAutomator

    Provides cmdlets for authentication, profile management, live response, response actions, custom detections, advanced hunting and threat indicator management in MDE.

    # Install & Import from PowerShell Gallery
    Install-Module -Name MDEAutomator -AllowClobber -Force
    Import-Module -Name MDEAutomator -ErrorAction Stop -Force
    
  • Several Azure Functions (also built on PowerShell leveraging his MDEAutomator module)

    • MDEDispatcher

      Automates bulk management of response actions delivered to endpoints.

    • MDEOrchestrator

      Automates bulk management of Live Response commands.

    • MDEProfiles

      Automates bulk delivery of custom PowerShell scripts to configure policy on MDE endpoints.

    • MDETIManager

      Automates management of Threat Indicators (IOCs) in Microsoft Defender for Endpoint.

    • MDEAutoHunt

      Automates bulk threat hunting and exports output to Azure Storage.

    • MDECDManager

      Automates synchronization of Custom Detections from a blob container.

Check it out on Github

And make sure to follow Eric on LinkedIn! He not only has some useful insights for Incident Response challenges, SIEM and Microsoft Security products in general, his posts are also very enjoyable and funny to read.

TCA Podcast Episode 98: Incident Responders

In this episode we are joined by guests Ernie Anderson and Darrell Switzer from TBDCyber to discuss the critical topic of incident response (IR). Ernie and Darrell share their insights and experiences in IR. They highlight the importance of having a well-prepared incident response plan, how to effectively use EDR tools, and the value of proactive measures such as vulnerability testing and tabletop exercises. We also discuss the challenges of modern ransomware attacks, the role of cyber insurance, and the need for adaptive communication strategies during incidents. Both guests underscore the necessity of constant updating, testing, and training to ensure organizational resilience against cyber threats.

For more information on The Cloud Architects podcast, check us out on SoundCloud

01x06_ctrl_alt_disrupt.bat

In this episode we look at one of Defender XDR’s most exciting features at the moment: Attack Disruption! Why is it so exciting, and how can you start using it today?



Defender XDR Attack Disruption

Attack Disruption automatically identifies compromised assets and is able to stop attackers in their tracks in real time. So, while the attack is happening!

It’s not new. It’s been around since sometime in 2023. But new features are added constantly and I think it’s one of the most exciting features of Defender XDR!

Attack Disruption is not primarily about detection. Most security products today work like this: “we saw certain events, here’s the evidence, please investigate it and respond”. Microsoft wants to move away from this and provide actual protection, stopping the attackers while they’re active.

It combines multiple security products, bringing their signals together to dynamically and automatically detect and respond to a threat. According to Microsoft it does this “in real time” (“at machine speed” ;-) ) and “with high confidence” to contain and prevent (further) damage.

Works in several different stages

  • Detection

    Correlated signals from multiple sources are combined into a single high-confidence incident.

  • Correlation

    Classify the attack scenario and identify assets controlled by the attacker. A couple of the scenarios supported by Attack Disruption are: human-operated ransomware, business email compromise, adversary-in-the-middle and password spray attacks, among others.

  • Intent Recognition

    Understand the intent of the attacker to accurately predict their next move and identify the attack scenario. This is not pre-determined but dynamically built based on your organization’s attack paths.

  • Attack Disruption

    As the attack evolves it automatically identifies compromised assets (users, devices, mailboxes, apps, …) to determine a “blast radius” 🧨 within your network. It is then able to suspend compromised assets in real time.

  • AI-powered automation
    (Because we need some AI in our product of course 😎) Leaves the SOC in full control of investigating and remediating, but limits the impact of an attack by stopping lateral movement.

    Response actions currently supported:

    • Device contain
    • User contain
    • Disable user

      There is also the first third-party support: SAP, via Microsoft Sentinel. For example, compromised assets can be contained by locking suspicious SAP users in case of a financial process manipulation attack.

They’re not only using signals from multiple different products (Endpoint, Office, Cloud Apps, …) but also using these products to respond to and contain the attack.

For example, MDE is used to contain the device and prevent lateral movement, while Entra ID is used to contain the user AND MDI is used to contain the on-prem user, so there is no need to rely on a sync. The faster the attack is disrupted, the better.

A real-world example of Business e-mail compromise (BEC) and adversary in the middle attack (AitM)


Not only was attack disruption able to disable a compromised account. It was able to detect the AitM attack as well and invalidate the token of that compromised account.


Customer Grading

How customers respond (and other kinds of signals and behavior) determines the quality of the signal-to-noise ratio. According to Microsoft: only < 1% false positives (99%+ true positive rate).

Due to the impactful nature of the response actions, attack disruption is designed to rely on high-fidelity signals only.

Microsoft learns from customer behavior surrounding an “attack disruption” type of incident.

You can look in your security portal and search for incidents with an “attack disruption” tag to find earlier incidents where Microsoft did perform some automated response actions.

Microsoft also learns from attack disruption incidents across orgs and harvests telemetry data to intervene ever more quickly at other customers.

According to Microsoft they’re disrupting 40,000 incidents a month.

How to use

Attack Disruption is enabled by default. But there are certain configurations you should look into for optimal usage.

Defender for Endpoint

  • Attack disruption relies heavily on Defender for Endpoint’s discovery and contain capabilities. Go to Settings –> Device discovery and make sure that Discovery mode is set to “Standard” (not Basic) for “all devices”.

    You can always check if there are any discovered devices in your environment:

    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId  // Keep only the latest record per DeviceId
    | where isempty(MergedToDeviceId)              // Remove invalidated/merged devices
    | where OnboardingStatus != "Onboarded"

  • Make sure your automation is set to Full Remediation. Go into Settings –> Endpoint –> Device Groups –> Remediation level.

  • Endpoints need to run Sense agent v10.8470 or newer. Check the DeviceTvmSoftwareInventory table to verify and find outdated clients:

    DeviceTvmSoftwareInventory
    | where SoftwareVendor has "microsoft" and SoftwareName has "defender_for_endpoint"
    | extend MajorVersion = toint(split(SoftwareVersion, '.')[0])
    | extend MinorVersion = toint(split(SoftwareVersion, '.')[1])
    | where MajorVersion == 10
    | where MinorVersion < 8470

  • Perhaps needless to say, but you need to make sure that all of your devices run Defender for Endpoint. Regularly check for non-onboarded devices discovered in your environment (Devices –> Assets):

    DeviceInfo
    | where OnboardingStatus != "Onboarded"
    | summarize lastSeen = arg_max(Timestamp, *) by DeviceId
    | where isempty(MergedToDeviceId)
    | limit 100
    | invoke SeenBy()
    | project lastSeen, DeviceId, DeviceName, DeviceType, SeenBy

Defender for Identity

Within Defender for Identity you need to check your “Action Accounts”. (Settings –> Identities –> Manage action accounts)

Here you have two options:

  • Automatically use sensor’s local system account
  • Manually configure and use a Group Managed Service Account (gMSA)

MDI_ActionAccounts

If you have chosen the latter, make sure that account still exists!

Also make sure all your sensors are healthy. Because MDI relies heavily on proper setup of auditing policies.

Defender for Cloud Apps

Defender for Office 365

  • Mailboxes are required to be hosted in Exchange Online
  • The following mailbox events need to be audited by minimum:
    • MailItemsAccessed
    • UpdateInboxRules
    • MoveToDeletedItems
    • SoftDelete
    • HardDelete
  • A Safe Links policy needs to be present
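An added PowerShell check (not from the episode) for the Defender for Office 365 prerequisites above: it confirms tenant-level auditing is on, lists Exchange Online user mailboxes whose owner/delegate/admin audit sets miss any of the five required events, and counts Safe Links policies and enabled rules. It assumes the ExchangeOnlineManagement module and a role that can read mailbox and Safe Links configuration.

```powershell
# Added example (not from the episode): verify the Defender for Office 365 prerequisites for
# attack disruption. Assumes the ExchangeOnlineManagement module and read rights on mailbox and
# Safe Links configuration.
Connect-ExchangeOnline -ShowBanner:$false

$RequiredEvents = @('MailItemsAccessed', 'UpdateInboxRules', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete')

# Tenant-level switch first: if auditing is disabled here, per-mailbox settings do not matter.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning 'Mailbox auditing is disabled at the organization level.' }

# Only mailboxes hosted in Exchange Online qualify; check every user mailbox's audit sets.
$gaps = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $audited = @($mbx.AuditOwner) + @($mbx.AuditDelegate) + @($mbx.AuditAdmin) | ForEach-Object { "$_" }
    $missing = @($RequiredEvents | Where-Object { $_ -notin $audited })
    if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            AuditEnabled = $mbx.AuditEnabled
            Missing      = ($missing -join ', ')
        }
    }
}

# Safe Links: at least one policy should exist and be attached to an enabled rule.
$safeLinksPolicies = @(Get-SafeLinksPolicy)
$safeLinksRules    = @(Get-SafeLinksRule | Where-Object { $_.State -eq 'Enabled' })

[pscustomobject]@{
    OrgAuditDisabled       = $org.AuditDisabled
    MailboxesWithAuditGaps = @($gaps).Count
    SafeLinksPolicies      = $safeLinksPolicies.Count
    EnabledSafeLinksRules  = $safeLinksRules.Count
}
$gaps | Format-Table -AutoSize
```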

SAP

Notifications

I think it’s good practice to enable some form of notification for certain actions (e.g. disable user, contain device). For example, a user gets disabled, and within a short while somebody else tries to resolve an issue by enabling this user again.

It’s useful to notify stakeholders about the fact that someone (including Microsoft’s attack disruption) took this action.

Exclusions

You can also exclude certain device groups/entities from Attack Disruption. It’s not recommended! But sometimes necessary.

Settings –> Defender XDR –> Automated Response –> Identities/Devices

The incident will still be created, but with a “failed” action status.


🛠️ Community Project

Microsoft 365 Security Incident Investigation Tool (for Exchange Online)

Microsoft MVP Mezba Uddin has created a PowerShell script to help administrators investigate and respond to potential security incidents in Exchange Online. The script can perform six specific investigation actions in Exchange Online. Each action targets a common post-incident scenario using either audit log searches or Graph API queries, depending on what’s most effective for the individual scenario:

  • Malicious Inbox Rules Detection
  • Unusual Email Volume Detection
  • Mailbox Permission Changes Monitoring
  • Critical Email Deletion Detection
  • Mailbox Export Monitoring

Check it out on Github

01x05_DEVICEHIGH=MVPSUMMIT.SYS

Booting high on community energy! In this special in-person episode, recorded on-site at the Microsoft Campus during the MVP Summit 2025, Koos and Chris share behind-the-scenes insights, tech trends, and reflections on the evolving security landscape—all while dodging T-shirt printers and Summit buzz.



🏙️ MVP Summit Experience

  • First time recording in person!
  • Koos and Chris reflect on how special it is to collaborate live, normally split by time zones.
  • Value of meeting with product teams and MVP peers from around the world.

🧩 Capture the Flag Challenge

  • Microsoft’s hands-on CTF challenge provided deep XDR visibility.
  • Realistic red-team simulation in Defender showed how challenging threat hunting can be.
  • Koos & Chris share a new appreciation for SOC analysts sifting through complex telemetry.

🤖 Security Copilot + Agents

  • Microsoft announced Security Copilot Agents at Summit.
  • These “agentic AI” bots can handle tasks like phishing triage and vulnerability remediation.
  • Koos went from skeptic to fan—Agents reduce the need for custom logic app workflows.
  • Built-in dashboards now show time saved per task, helping justify ROI.

🕵️‍♂️ Threat Hunting with the GHOST Team

  • Microsoft’s GHOST Team: Global Hunting Oversight and Strategic Triage.
  • Proactive hunting using advanced logs and behavioral anomalies.
  • Emphasis on graph logs and assumed breach strategies.
  • Outputs include improved detection rules and real-world attacker insights.

🔐 Identity & MFA – Still the #1 Target

  • Identity remains the primary attack vector.
  • Stop excluding MFA for office IPs or “trusted” users.
  • Embrace phishing-resistant MFA like passkeys.
  • Avoid risky group-based MFA exclusions—opt for dedicated groups or per-user control.

⚙️ Conditional Access & Workload Identities

  • Time to revisit and enrich older CA policies.
  • Add device compliance and user risk signals (especially with Entra P2).
  • Use tools like risk-based CA and sign-in risk to block compromised accounts.
  • Apps and service principals are still a weak link in many orgs.
  • Add CA rules to Applications (Workload Identities) to further heighten security (e.g. IP filtering), because app secrets often go unmanaged and unrotated.

🧭 Final Thoughts

  • Many attacks still succeed due to weak fundamentals: open ports, unpatched systems, overly permissive apps.
  • Mastering the basics remains critical.
  • In-person energy made this episode extra special! 🙏🏻

🛠️ Community Project

Device Offboarding Manager

Microsoft MVP Ugur Koc has created a great PowerShell GUI tool for efficiently managing and offboarding devices from Microsoft Intune, Autopilot, and Entra ID, featuring bulk operations and real-time analytics for streamlined device lifecycle management. At its core, the tool features:

  • Multi-Service Integration: Manage devices across Intune, Autopilot, and Entra ID
  • Bulk Operations: Support for bulk device imports and operations
  • Real-time Dashboard: View device statistics and distribution
  • Secure Authentication: Multiple authentication methods including interactive, certificate, and client secret

I really like the playbooks feature that allows automation and support for specific custom scenarios.

Check it out on Github

TCA Podcast Episode 97: Reinvent

At Microsoft Ignite 2024, we sat down with our old friend Anthony Bartolo to discuss the industry’s shift from traditional infrastructure roles to development, a transition heavily influenced by AI and automation.

As companies increasingly adopt “vibe coding” — the trend where developers focus on rapid prototyping and intuition-driven coding rather than rigid syntax — Anthony’s journey is a perfect example of how infrastructure professionals are embracing this new paradigm. He shared his experience moving from network engineering to full-stack development, and how AI tools helped bridge knowledge gaps. This aligns with vibe coding’s emphasis on leveraging AI-assisted development to lower entry barriers, allowing generalists to build functional applications without deep technical expertise. The discussion highlighted how AI is democratizing software creation, empowering both infrastructure specialists and non-traditional coders to build solutions quickly. While AI lowers the barrier to entry, it also raises questions about shallow expertise and long-term sustainability. Are we building real solutions or just stitching together AI-generated snippets with no real understanding?

Be sure to check out the AI Tour

A special thanks to the folks from ENow Software for helping us out with a location to record this episode.

For more information on The Cloud Architects podcast, check us out on SoundCloud

01x04_RE:authmail.eml-and-siem.kql

In this episode…

  • Chris revisits his e-mail authentication and security from last time to dig a little deeper.
  • Koos recently did some talks about SIEM migrations to Sentinel and keeping things as cost-efficient as possible. He also believes a company shouldn’t focus solely on Microsoft Sentinel, and should consider looking into alternatives alongside it like Azure Data Explorer. And why are companies so focused on collecting all those logs in a “legacy” manner?



E-mail Security - Part II

Sequels aren’t always better, but this is an exception. ;)

In this episode, I’ll dive a little deeper into SPF clean-up and flattening and spend some time looking at some newer email security protocols:

  • Authenticated Received Chain (ARC)
  • MTA-STS (Mail Transfer Agent Strict Transport Security)

To follow on from our previous discussion on SPF: in an SPF record there isn’t a strict limit on the number of IPv4/IPv6 blocks (ip4:/ip6: mechanisms) you can include. However, there are practical constraints:

  • DNS Lookup Limit – SPF allows a maximum of 10 DNS lookups (e.g., include, a, mx, ptr, exists) per evaluation. ip4 and ip6 do not count towards this limit because they are directly included in the record.
  • DNS TXT Record Length – A single TXT record (which SPF uses) is limited to 255 characters per segment, but multiple segments can be concatenated. The practical SPF record size limit is about 450–512 characters to avoid truncation issues. If the SPF record exceeds 512 bytes, some email servers may reject it.

If you have too many DNS lookups, an “SPF PermError: too many DNS lookups” is returned during the SPF check, and DMARC treats that as a fail because it’s a permanent error. There is one solution to this problem that is recommended all over the interwebs, called “flattening” an SPF record. Using this method, each of the DNS-querying mechanisms/modifiers is resolved to its IP addresses, which then replace the original mechanism/modifier, thus reducing the number of DNS lookups. This is great, right?

Danger, Will Robinson!

I don’t personally recommend using SPF flattening unless absolutely necessary; with regular audit and clean-up you may not need it. It is also important to consider that:

  • IP addresses do change and can break email delivery
  • Flattening requires more administrative overhead to manage IP changes.

There are ‘dynamic SPF’ services available that market themselves as a solution to this - I haven’t got any personal experience with these so YMMV. Please reach out if you have any good or bad experience you’d like to share.
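An added example (my own, not the podcast’s code or any vendor tool) that performs the checks above offline in Python: it counts lookup-causing terms (transitively through include:/redirect= when given a zone map), checks the 255-character string and 512-byte record limits quoted above, and then flattens a record into literal ip4:/ip6: terms. The ZONE map and every domain and IP range in it are constructed stand-ins for DNS; a real tool would resolve them live. The flattener refuses the cases where a naive rewrite would silently change the policy (non-default qualifiers inside an include, CIDR masks on a/mx, ptr/exists), which is part of the administrative overhead described above.

```python
"""SPF record linting and flattening against a constructed, offline zone map.

Added example for these show notes; not the podcast's own code. ZONE is a
constructed stand-in for DNS so everything runs offline.
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_MODIFIERS = {"redirect"}        # RFC 7208 section 4.6.4: redirect= counts as well
MAX_LOOKUPS = 10
TXT_STRING_MAX = 255                   # one TXT string
PRACTICAL_RECORD_MAX = 512             # the practical ceiling quoted in the show notes

# Constructed zone: TXT records plus the A/MX answers the flattener would otherwise resolve.
ZONE = {
    "txt": {
        "example.com": "v=spf1 mx include:_spf.mailprovider.example include:_spf.crm.example ip4:203.0.113.10 -all",
        "_spf.mailprovider.example": "v=spf1 include:_netblocks.mailprovider.example ip6:2001:db8:1::/48 ~all",
        "_netblocks.mailprovider.example": "v=spf1 ip4:198.51.100.0/25 ip4:198.51.100.128/25 -all",
        "_spf.crm.example": "v=spf1 a mx -all",
    },
    "a": {"_spf.crm.example": ["192.0.2.50"]},
    "mx": {"example.com": ["192.0.2.25"], "_spf.crm.example": ["192.0.2.26"]},  # MX hosts already resolved to IPs
}
# Constructed record with eleven includes: one over the limit.
OVER_LIMIT_RECORD = "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"


def parse_terms(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    return terms[1:]


def split_term(term):
    """Return (qualifier, name, argument, kind) for one SPF term."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    if "=" in term:                               # modifier, e.g. redirect=_spf.example
        name, arg = term.split("=", 1)
        return qualifier, name.lower(), arg, "modifier"
    name, _, arg = term.partition(":")            # mechanism, e.g. ip4:203.0.113.0/24
    name = name.partition("/")[0]                 # a/24 or mx/24: drop the mask from the name
    return qualifier, name.lower(), arg, "mechanism"


def count_dns_lookups(record, zone=None):
    """Count lookup-causing terms; with a zone map, include:/redirect= are followed transitively."""
    lookups = 0
    for term in parse_terms(record):
        _, name, arg, kind = split_term(term)
        if (kind == "mechanism" and name in LOOKUP_MECHANISMS) or (kind == "modifier" and name in LOOKUP_MODIFIERS):
            lookups += 1
            if zone is not None and name in ("include", "redirect"):
                lookups += count_dns_lookups(zone["txt"][arg], zone)
    return lookups


def txt_strings(record):
    """Split a record into the <=255-character strings a TXT RR is published as."""
    return [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]


def lint(record, zone=None):
    """Return the problems a receiver would run into when evaluating this record."""
    issues = []
    lookups = count_dns_lookups(record, zone)
    if lookups > MAX_LOOKUPS:
        issues.append(f"PermError: too many DNS lookups ({lookups} > {MAX_LOOKUPS}); DMARC treats this as fail")
    if len(record) > PRACTICAL_RECORD_MAX:
        issues.append(f"record is {len(record)} bytes; some receivers reject records over {PRACTICAL_RECORD_MAX}")
    if len(txt_strings(record)) > 1:
        issues.append(f"record must be published as {len(txt_strings(record))} TXT strings of <= {TXT_STRING_MAX} chars")
    return issues


def flatten(domain, zone, _nested=False):
    """Rewrite the record for `domain` with include:/redirect=/a/mx replaced by literal ip4:/ip6: terms.

    Refuses anything it cannot translate faithfully instead of silently changing the policy.
    """
    out = []
    for term in parse_terms(zone["txt"][domain]):
        qualifier, name, arg, kind = split_term(term)
        if name == "all":
            if not _nested:            # an 'all' inside an include never matches for the outer record
                out.append(term)
            continue
        if qualifier != "+" and (_nested or name == "include"):
            raise ValueError(f"{term} in {domain}: a non-default qualifier cannot be flattened safely")
        if name in ("ip4", "ip6"):
            out.append(term)
        elif name in ("a", "mx"):
            if "/" in term:
                raise ValueError(f"{term} in {domain}: CIDR mask on a/mx is not supported here")
            host = arg or domain       # bare 'a'/'mx' refers to the current domain
            for ip in zone[name][host]:
                out.append(("ip6:" if ":" in ip else "ip4:") + ip)
        elif name in ("include", "redirect"):
            out.extend(parse_terms(flatten(arg, zone, _nested or name == "include")))
        else:
            raise ValueError(f"{term} in {domain}: ptr/exists/exp are left for the operator to review")
    return "v=spf1 " + " ".join(out)


if __name__ == "__main__":
    rec = ZONE["txt"]["example.com"]
    print("direct lookups:", count_dns_lookups(rec), "| transitive:", count_dns_lookups(rec, ZONE))
    print("flattened:", flatten("example.com", ZONE))
    print("over-limit record:", lint(OVER_LIMIT_RECORD))
```

Note that the direct count of the constructed example.com record (3) understates the transitive count (6), which is what receivers actually enforce; after flattening the count drops to 0, at which point the record is only as fresh as the last time someone re-ran the flattener against live DNS.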

Authenticated Received Chain (ARC)

ARC is an email security mechanism that preserves authentication results (SPF, DKIM, and DMARC) when an email passes through forwarders, mailing lists, or intermediaries.

How ARC Works:

  • The original sender sends an email → SPF, DKIM, and DMARC checks are performed.
  • A forwarder (e.g., a mailing list, forwarding service) receives the email.
  • The forwarder signs the email with ARC headers before sending it to the final recipient.
    • These headers include:
      • ARC-Authentication-Results → Records SPF/DKIM/DMARC results before forwarding.
      • ARC-Seal → Cryptographically signs the ARC chain to prevent tampering.
      • ARC-Message-Signature → Ensures integrity of the forwarded message.
  • The recipient verifies the ARC chain to decide if it should trust the forwarded email.

Microsoft 365 already supports ARC, but if you run into issues with email delivery from a particular service, you can add that service’s domain to the ARC trusted sealers list in the Microsoft 365 Defender portal.

Microsoft Docs Configure trusted ARC sealers
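To make the “recipient verifies the ARC chain” step concrete, here is an added example (mine, not the podcast’s or Microsoft’s code) that checks the structure of an ARC chain the way RFC 8617 describes the non-cryptographic part of verification: instances must run contiguously from i=1, every instance needs all three headers, the i=1 ARC-Seal must carry cv=none and every later seal cv=pass. Verifying the seals’ and message signatures’ b= values needs the sealers’ public keys from DNS and is deliberately out of scope; the message, domains, timestamps and signature values below are all constructed placeholders.

```python
"""ARC chain structure check on a constructed message.

Added example, not the podcast's code. Signature verification (the b= tags of
ARC-Seal and ARC-Message-Signature) is out of scope; this checks only the chain
shape and the cv= sequence that RFC 8617 requires.
"""
import email

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
MAX_INSTANCE = 50   # RFC 8617: a chain with more than 50 instances is invalid

# Constructed: a forwarder (i=1) sealed the original pass results, a mailing list (i=2)
# re-sealed after rewriting the message, so SPF/DKIM/DMARC now fail at the list's hop.
CONSTRUCTED_MESSAGE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1700000200; cv=pass; d=list.example; s=arc;
 b=SEAL-SIGNATURE-PLACEHOLDER-2
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=arc;
 h=from:to:subject:date; bh=BODY-HASH-PLACEHOLDER; b=AMS-SIGNATURE-PLACEHOLDER-2
ARC-Authentication-Results: i=2; mx.list.example; spf=fail smtp.mailfrom=sender.example;
 dkim=fail header.d=sender.example; dmarc=fail header.from=sender.example
ARC-Seal: i=1; a=rsa-sha256; t=1700000100; cv=none; d=forwarder.example; s=arc;
 b=SEAL-SIGNATURE-PLACEHOLDER-1
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; s=arc;
 h=from:to:subject:date; bh=BODY-HASH-PLACEHOLDER; b=AMS-SIGNATURE-PLACEHOLDER-1
ARC-Authentication-Results: i=1; mx.forwarder.example; spf=pass smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
To: list@list.example
Subject: constructed ARC example
Date: Tue, 14 Nov 2023 22:13:20 +0000

Constructed body; the signature values above are placeholders, not real signatures.
"""


def parse_tags(value):
    """'i=1; a=rsa-sha256; cv=none' -> {'i': '1', 'a': 'rsa-sha256', 'cv': 'none'}; tolerant of header folding."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = " ".join(val.split())
    return tags


def validate_arc_chain(raw_message):
    """Return {'status': 'pass'|'fail'|'none', ...} for the ARC headers of a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    chain = {}
    for header in ARC_HEADERS:
        for value in msg.get_all(header, []):
            tags = parse_tags(value)
            try:
                inst = int(tags.get("i", ""))
            except ValueError:
                return {"status": "fail", "reason": f"{header} without a valid i= tag"}
            if not 1 <= inst <= MAX_INSTANCE:
                return {"status": "fail", "reason": f"instance {inst} out of range 1..{MAX_INSTANCE}"}
            entry = chain.setdefault(inst, {})
            if header in entry:
                return {"status": "fail", "reason": f"duplicate {header} for i={inst}"}
            entry[header] = tags
            if header == "ARC-Authentication-Results":
                # everything after the 'i=N;' prefix is the authserv-id plus the recorded results
                entry["results"] = " ".join(value.partition(";")[2].split())
    if not chain:
        return {"status": "none", "instances": 0, "reason": "no ARC headers present"}
    newest = max(chain)
    if sorted(chain) != list(range(1, newest + 1)):
        return {"status": "fail", "reason": "instances are not contiguous from i=1"}
    for i in range(1, newest + 1):
        if any(h not in chain[i] for h in ARC_HEADERS):
            return {"status": "fail", "reason": f"i={i} is missing one of the three ARC headers"}
        cv = chain[i]["ARC-Seal"].get("cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return {"status": "fail", "reason": f"i={i} ARC-Seal has cv={cv}, expected cv={expected}"}
    return {"status": "pass", "instances": newest, "oldest_results": chain[1]["results"]}


if __name__ == "__main__":
    print(validate_arc_chain(CONSTRUCTED_MESSAGE))
    print(validate_arc_chain(CONSTRUCTED_MESSAGE.replace("cv=pass", "cv=fail")))
```

The value for the final receiver is in `oldest_results`: the i=1 results show that SPF, DKIM and DMARC passed before the forwarder and the list touched the message, which is what lets a receiver override the DMARC failure it sees at its own hop, provided it trusts the domains that sealed the chain (hence the trusted sealers list mentioned above).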

MTA-STS (Mail Transfer Agent Strict Transport Security)

One of the problems with SMTP is that encryption is entirely optional. When support for upgrading from plaintext to encryption in the form of the STARTTLS command was added to SMTP, the specification explicitly required that SMTP servers still accept plaintext connections. MTA-STS is a newer standard that aims to improve the security of SMTP by letting a domain opt into a strict transport security mode that requires authenticated TLS. MTA-STS is supported in Exchange Online.

MTA-STS requires two things to implement:

Dutch MVP Michel de Rooij has a great post on how to host your MTA-STS policy file using Github pages

Side note: You may have heard of DANE (DNS-Based Authentication of Named Entities). DANE requires DNSSEC, which many domains do not implement, and that hampers adoption. MTA-STS is easier to deploy and works with standard DNS.

Check out the Microsoft Docs Enhancing mail flow with MTA-STS
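As an added example (mine, not the podcast’s or Microsoft’s code) of what a sending MTA does with MTA-STS: it parses the two published artifacts, the `_mta-sts.<domain>` TXT record that announces the policy id and the policy text served at `https://mta-sts.<domain>/.well-known/mta-sts.txt`, and then applies the policy to an MX host and a TLS result. Nothing is fetched here; the TXT record and policy file are constructed inline, and the MX names are placeholders.

```python
"""MTA-STS policy parsing and the sender-side delivery decision.

Added example, not the podcast's code. Both inputs are constructed; a real
sender fetches the TXT record via DNS and the policy over HTTPS, and caches the
policy for max_age seconds.
"""

STS_MODES = {"enforce", "testing", "none"}
MAX_AGE_LIMIT = 31557600  # RFC 8461: max_age is a non-negative integer of at most one year in seconds

# Constructed inputs.
CONSTRUCTED_TXT = "v=STSv1; id=20250101T000000Z"
CONSTRUCTED_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.net
max_age: 604800
"""


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record; the id changes whenever the policy file changes."""
    fields = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid _mta-sts TXT record")
    return fields


def parse_policy(text):
    """Parse the key: value policy file and enforce the constraints a sender checks before use."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in STS_MODES:
        raise ValueError(f"mode must be one of {sorted(STS_MODES)}")
    if "max_age" not in policy or not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError(f"max_age is required and must be 0..{MAX_AGE_LIMIT}")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required unless mode is none")
    return policy


def mx_matches(pattern, host):
    """An mx pattern matches exactly, or, with a leading '*.', matches exactly one extra label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # '.mail.example.net'
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern


def delivery_decision(policy, mx_host, tls_validated):
    """Apply the policy the way a sending MTA does; returns (deliver, reason)."""
    mx_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    if mx_ok and tls_validated:
        return True, "MX matches policy and certificate-validated TLS was established"
    reason = "MX host not listed in policy" if not mx_ok else "TLS missing or certificate did not validate"
    if policy["mode"] == "enforce":
        return False, reason + "; enforce mode, so not delivered to this host"
    return True, reason + f"; mode={policy['mode']}, delivered anyway and reported via TLSRPT"


if __name__ == "__main__":
    policy = parse_policy(CONSTRUCTED_POLICY)
    print("policy id:", parse_sts_txt(CONSTRUCTED_TXT)["id"], "| mode:", policy["mode"])
    for host, tls in [("mail.example.com", True), ("mx2.mail.example.net", True),
                      ("a.b.mail.example.net", True), ("mail.example.com", False)]:
        print(host, tls, "->", delivery_decision(policy, host, tls))
```

The `testing` mode is the sensible first step when rolling this out for your own domain: the same parser and matching logic run, but a mismatch only produces a report instead of blocking mail, so you find out about an MX you forgot to list before `enforce` makes that mistake expensive.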

Microsoft Sentinel as a SIEM and how to re-think logging strategies

Microsoft Sentinel already celebrated its fifth anniversary last September. But a lot has changed since:

  • Sentinel’s role as an orchestrator between all the different security products (“all your Defenders are belong to us”)
  • New log tiers, each with its own pros and cons
    • Auxiliary
  • Sentinel is now also part of the “Unified Security Operation Platform”, but it’s still an Azure resource?

During SIEM migrations, Sentinel cost is a big topic. A cloud-native SIEM works a bit differently compared to a (dare I say) “legacy” SIEM solution. “Sentinel is expensive”, people might say, but you might be using it wrong.

  • Consider a multi-tiered log strategy:
    • Real-time analytics
    • Triage & Hunting
    • Compliance & Forensics
  • Consider NOT ingesting those logs any longer ;)
    • Please hear me out….
    • Be critical during SIEM migrations
      • Decide per log source what to move or what to drop

Azure Data Explorer

  • Very cost effective companion in my opinion to use alongside Sentinel.
  • Very scalable and offers UNLIMITED data retention
  • Query logs with KQL

Community Project

Yellowhat

We already have Blackhat and Bluehat, but now there’s Yellowhat! 👷🏻‍♂️

A couple of Security MVPs came together to organize a 100% Microsoft Security conference on March 6th 2025. Only deep-dive sessions (Level 400+) led by world-class experts, including Raviv Tamir (Microsoft ILDC), Roberto Rodriguez (Microsoft Redmond), Dirk-jan Mollema, and more announcements soon. All sessions will be broadcast live between 3pm and 9pm CET.

But there are also a few last VIP tickets for an in-person visit. Hosted at Microsoft HQ @ Amsterdam and made possible with some great sponsors!

Register your (livestream) ticket now at yellowhat.live

Bluesky.ms

Another great project by Merill Fernando. Bluesky.ms is the authoritative source for Microsoft community-related activity on Bluesky. It’s a crowdsourced database of anyone and everyone in the Microsoft community on Bluesky, where you can connect with the Microsoft community and get your account verified. Here you can find users categorized as:

  • Microsoft Community Users
  • Microsoft FTEs
  • MVPs
  • RDs

Check it out and join the community at bluesky.ms

TCA Podcast Episode 96: Copilot in the real world

In this episode we sit down with our old friend Antonio Maio. We recorded this episode at Microsoft Ignite 2024 in Chicago, and as always it was an enjoyable conversation with actionable insights. Antonio shares some tips from his Ignite talk to help you:

  • Assess your environment at scale
  • Protect your information
  • Educate your users

Antonio gives us some great information about preparing for Copilot, why it helps to encourage everyone to build their own relationship with Copilot and how to find the balance between data protection and productivity.

For more information on The Cloud Architects podcast, check us out on SoundCloud