
alexmags.bsky.social
Techy. 🛡️blueteam🔐
twitter.com/alexmags
infosec.exchange/@Alexmags
16 posts · 34 followers · 45 following
Comment in response to post:
How much experience have you had with Entra? Assuming the attributes are set in the directory, you can do ABAC and RBAC with dynamic groups. Access reviews for recertification. Add the identity governance feature for self-service access packages. PIM for admins. Group write-back for AD. Where are you stuck?
Comment in response to post:
Nice! How does this compare to Azure Firewall Analytics? Can you do the same there? How does Sentinel help? I'm also reviewing Azure Firewall rules.
Comment in response to post:
Update: the cloud app "Windows Cloud Login" was the one I was missing. A CA SIF policy with a device filter did the trick.
Comment in response to post:
I was using an app bundle, I think called Windows 365, so I thought I was covered, but it didn't include everything. Just glad I didn't have to disable SSO.
Comment in response to post:
Update: it was the Windows Cloud Login app registration I needed in the every-time SIF policy. Device filter on device ownership so it only applies to BYOD.
Comment in response to post:
Thanks @jeftek.com. Your doc recommendation guided me to the Windows Cloud Login app. This was the one I was missing to make sure users MFA on reconnect if a Windows App session is left running. Don't need to disable SSO. 🙏
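The policy the thread converges on (sign-in frequency "every time" on the Windows Cloud Login cloud app, scoped with a device filter to non-company-owned devices) can be created with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that you hold the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and that a service principal named "Windows Cloud Login" exists in the tenant (it is looked up by display name rather than hard-coding an app ID). The display name of the policy and the choice to start in report-only mode are the author's choices here, not something the thread specifies.

```powershell
# Added example (not from the original thread): build the CA policy described
# above with Microsoft Graph PowerShell. Assumes Microsoft.Graph is installed
# and the caller can consent to the two scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the cloud app by display name so no app ID is hard-coded here.
$wcl = Get-MgServicePrincipal -Filter "displayName eq 'Windows Cloud Login'"
if (-not $wcl) { throw "Windows Cloud Login service principal not found in this tenant" }

$policy = @{
    displayName = "Windows App reconnect - MFA every time on BYOD (report-only)"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }   # add your break-glass accounts to excludeUsers
        applications   = @{ includeApplications = @($wcl.AppId) }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "include"
                # Anything not marked Company-owned is treated as BYOD.
                rule = 'device.deviceOwnership -ne "Company"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Sign-in frequency "every time" for both first and second factor,
        # which is what forces re-auth when an idle Windows App reconnects.
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two things worth checking in report-only mode before enabling it: that reconnect events actually show up in the Entra sign-in logs against the Windows Cloud Login app (the thread notes that the RDP connect step did not appear against the Windows 365 app), and how devices with no registration record are treated by the negative operator in the device filter, since a device the directory knows nothing about will typically match a `-ne` rule and therefore be treated as BYOD.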
Comment in response to post:
Workload Identity feature licences are not expensive. Limits access in case a secret gets compromised. An alternative to service accounts that bypassed MFA but were compensated for with network location CA policies.
learn.microsoft.com/en-us/entra/...
Comment in response to post:
Thanks for the link. I'll dig in further to this.
learn.microsoft.com/en-us/azure/...
Comment in response to post:
If I disconnect, leave Windows App running, and come back hours later, I can still SSO into the remote desktop without a password or MFA. Not sure how the RDP connection is authenticated. I haven't spotted any interaction with Entra in the sign-in logs when you connect. Is RDP Kerberos to the Windows desktop?
Comment in response to post:
Thanks. Signing up. I recently made a tool to set up a Tiered Admin Model if it helps you. Next: figuring out how to tier Admin Units in Entra.
github.com/alexmags/ADT...
Comment in response to post:
Hi Jef. Got idle session timeout, but missing re-auth if they or someone else tries to reconnect.
Comment in response to post:
Hi Nathan. Have a CA policy set to every time for the Win365 cloud app. If you restart Windows App or hit refresh in Windows App to get the latest list of desktops, you have to reauth. But connect (RDP) gets you in without reauth.
Comment in response to post:
Anything in the Entra sign-in logs' user agent string?
Comment in response to post:
Hi Donna. Is there a way to time out Windows App's ability to SSO without a password or MFA? If you leave Windows App running somewhere, people can get into your stuff. Looking for options, or the fun police will make me disable SSO 😭
Comment in response to post:
Service accounts were the safest way for automation scripts to authenticate because you could apply CA policies to limit their use to specific IPs or devices. But now you can buy Workload Identity licences and protect app registrations with CA policies too. Time to switch.
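The replacement pattern described in the two workload identity comments above (protecting an app registration's service principal with a location-scoped Conditional Access policy instead of a user-style service account) looks like this in Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft. It assumes Workload Identities Premium licensing is in place, that the Microsoft.Graph module is installed with the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and that a service principal named "Nightly export job" and a named location called "Automation runners" already exist; both names are placeholders. Leaving the users condition out of a workload identity policy is assumed here from the fact that such policies target service principals rather than users.

```powershell
# Added example (not from the original thread): a workload identity CA policy
# that blocks one service principal from every location except a named trusted
# one. "Nightly export job" and "Automation runners" are placeholder names.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$sp  = Get-MgServicePrincipal -Filter "displayName eq 'Nightly export job'"
$loc = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Automation runners'"
if (-not $sp -or -not $loc) { throw "service principal or named location not found" }

$policy = @{
    displayName = "Workload identity - block Nightly export job outside runners"
    # Report-only first, so a mis-scoped policy cannot break the job overnight.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Workload identity policies target service principals; the users
        # condition is intentionally omitted (assumption noted in the lead-in).
        clientApplications = @{
            includeServicePrincipals = @($sp.Id)   # service principal object ID, not the appId
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($loc.Id)
        }
    }
    # Block is the only grant control that makes sense for a non-interactive
    # client: there is no user present to satisfy an MFA prompt.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The practical difference from the old service-account approach is that a leaked client secret or certificate is only usable from the IP ranges in the named location; the secret still needs rotating, but the blast radius while you do so is bounded. Check the service principal sign-in logs in report-only mode to confirm the job's real source addresses are covered by the named location before enabling the policy.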