fabian.bader.cloud
#Security #Azure #EntraID #XDR #MDE #Identity #M365 #AD #PKI #KQL Microsoft MVP Tweets and opinions are my own
259 posts 2,266 followers 358 following

Tamper protection will make sure notifications are enabled.

If you work with Entra, you'll want to bookmark and monitor this page 😎 Much of this is in Identity / Secure Score, but it's great to see security guidance cleanly laid out in one doc. You might think this is well known stuff; I assure you it is not :( learn.microsoft.com/...

Today began w/an email from Microsoft that still has me pinching myself. It's an incredible privilege to join others I have looked up to for years. The imposter syndrome never goes away; I just hope to always be able to share something of value w/this amazing community! 💙🙏🥳

We did a thing! DES (not even 3DES) has been a pain in our necks for years, but we couldn't remove it for compat reasons. It required special config to use so it's not dangerous out of the box, but it's still just...ugh, DES. Anyway, we said enough is enough and now the code is getting deleted.

When you group your logs by timestamp (binning) to detect threats, you probably cause false negatives. Solve it using sliding window counts! academy.bluraven.io/blog/advance... #KQL #ThreatHunting #DetectionEngineering
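To make the binning problem concrete, here is an added KQL example (not code from the post or from the linked bluraven article). It assumes Microsoft Sentinel's SigninLogs table, treats any non-"0" ResultType as a failed sign-in, and uses an illustrative threshold of 10 failures per user within any 15-minute window. The two queries are independent; run them separately.

```kql
// Query 1: fixed bins. Six failures at 14:58-15:00 and six at 15:00-15:02 fall into
// two different 15-minute bins, so neither bin reaches 10 and nothing fires.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"                       // failed sign-ins only
| summarize Failures = count() by UserPrincipalName, bin(TimeGenerated, 15m)
| where Failures >= 10

// Query 2: sliding window. Build a 1-minute series per user and sum the trailing
// 15 points with series_fir. normalize=false keeps raw counts (otherwise the filter
// would average), center=false keeps the window trailing (causal), so the 15-minute
// window advances one minute at a time and the burst above is counted as 12.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| make-series Failures = count() default = 0
    on TimeGenerated from ago(1d) to now() step 1m
    by UserPrincipalName
| extend Window15m = series_fir(Failures, dynamic([1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]), false, false)
| mv-expand TimeGenerated to typeof(datetime), Window15m to typeof(real)
| where Window15m >= 10
| summarize FirstHit = min(TimeGenerated), PeakFailures = max(Window15m) by UserPrincipalName
```

The step size sets the slide granularity and the number of ones in the filter sets the window length (15 x 1m here); the cost is one series point per user per step over the lookback, so keep the lookback short or widen the step for busy tenants.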

Which one did you own?

It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.

I think Cryptomator is available in the UK. If you know similar software feel free to comment. cryptomator.org/for-individu...

A very common mistake I see for those newer to Azure and Arc is not understanding the risk associated with permissions in Azure and privilege escalation paths to Arc enabled servers. It's a good idea to consider locking down Arc to only what you need ;) learn.microsoft.com/...

🛡️If you work with any Microsoft Security product #YellowHat is the conference for you. Technical deep dives, no marketing, and an amazing speaker lineup. Register today to join the livestream for free on https://yellowhat.live/ #XDR #MDE #MDI #Sentinel

In our new #blog, Senior Research Analyst @codewhisperer84.bsky.social unveils his new tool DIT Explorer which he created after researching NTDS.dit files on Active Directory. Read part one of this series now to find out what this tool can do! trustedsec.com/blog/explori...

Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀

We are excited to start off our speaker announcements with this one. Rod Trent @rodtrent.bsky.social is a true #MSSecurity Ninja and will be joining us in Oslo on June 11th. Be sure to secure your spot by getting your tickets today: https://wpninjas.no #MustLearnKQL #SecurityCopilot

👋 We just sent out this week's Entra newsletter. Read at entra.news/p/entra-n...

Good to see that Microsoft is highlighting this more prominently. Don't grant tenant root access to your global admins. 1️⃣ Remove it 2️⃣ Alert on it
"Action required: 1 user has elevated access in your tenant. You should take immediate action and remove all role assignments with elevated access"

Hunt for signins using device code flow, requesting the Device Registration Service and registering a new Entra ID device as the result #DeviceCodeFlow #Entra #Security #KQL
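The hunt described in this post, written out as an added KQL example for Microsoft Sentinel (it is not the post's own query). Assumptions: SigninLogs marks device code flow with AuthenticationProtocol == "deviceCode"; the Device Registration Service appears as ResourceDisplayName "Device Registration Service"; the resulting registration is logged in AuditLogs under OperationName "Add device" or "Register device" (both names included as an assumption); and a 30-minute correlation window is an illustrative choice.

```kql
// Step 1: successful device code sign-ins whose target resource was the
// Device Registration Service (the token needed to register a device).
let DrsDeviceCodeSignins = SigninLogs
    | where TimeGenerated > ago(7d)
    | where AuthenticationProtocol == "deviceCode"
    | where ResultType == "0"
    | where ResourceDisplayName == "Device Registration Service"
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, CorrelationId;
// Step 2: device registrations by the same user within 30 minutes of that sign-in.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName in ("Add device", "Register device")   // assumption: DRS registration operation names
| where Result == "success"
| extend RegisteringUser = tostring(InitiatedBy.user.userPrincipalName)
| extend RegisteringIP = tostring(InitiatedBy.user.ipAddress)
| extend DeviceName = tostring(TargetResources[0].displayName)
| project RegistrationTime = TimeGenerated, RegisteringUser, RegisteringIP, DeviceName
| join kind=inner DrsDeviceCodeSignins on $left.RegisteringUser == $right.UserPrincipalName
| where RegistrationTime between (SigninTime .. (SigninTime + 30m))
// A registration whose IP differs from the sign-in IP is the pattern worth a closer look:
// the code was entered from one place, the device was registered from another.
| extend IpMismatch = (RegisteringIP != IPAddress)
| project SigninTime, RegistrationTime, UserPrincipalName, DeviceName, IPAddress, RegisteringIP, IpMismatch, AppDisplayName
| order by SigninTime desc
```

Legitimate enrolments of headless or shared devices also match this shape, so the IpMismatch column and the AppDisplayName are what separate noise from a sign-in phished through a device code prompt.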

A year later and still relevant. #DeviceCodeFlow cloudbrothers.info/en/protect-u...

Had this saved in the WIP folder forever: KQL for anti-forensics activities github.com/AttacktheSOC... So much can be added to this. Think 3rd party tools to aid anti-forensics, browser forensics... too much to name. OMG, look at this 😶 updates to come! github.com/MikeHorn-git...

🧰 After years as a cloud endpoint management consultant, I've built a go-to toolbox of essential resources. 🛠️ I've now shared part of it on my blog, mainly for convenience, but you might find it helpful! 👂 Please let me know of any great tools out there! 🧰 Toolbox Rundown skotheimsvik.no/toolbox-rund...

Entra Kerberos key rotation does not support phishing resistant authentication, so those who need to comply with specific requirements have limited choices... I found that we are able to use one-time Temporary Access Pass for this purpose, and this works for Entra Connect too :)

🚨 Time to check your detection queries for MDE: DLL load events are recorded in DeviceImageLoadEvents table, NOT DeviceEvents table. I keep seeing people sharing queries with the wrong table and even with the wrong ActionType filters.
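An added advanced hunting example for the point made in this post (it is not the post's own query): DLL loads are queried from DeviceImageLoadEvents with ActionType "ImageLoaded". The Office process list, the user-writable paths and the rarity threshold are illustrative assumptions for a hunt over DLLs loaded from locations a standard user can write to.

```kql
// Correct table and ActionType for DLL loads: DeviceImageLoadEvents / "ImageLoaded".
// (DeviceEvents carries other sensor events and never records image loads.)
let OfficeProcesses = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let UserWritablePaths = dynamic([@"\AppData\Local\Temp\", @"\Downloads\", @"\Users\Public\", @"\ProgramData\"]);
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where ActionType == "ImageLoaded"
| where InitiatingProcessFileName in~ (OfficeProcesses)
| where FileName endswith ".dll"
| where FolderPath has_any (UserWritablePaths)
| summarize LoadCount = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleDevice = take_any(DeviceName),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by FileName, FolderPath, SHA256, InitiatingProcessFileName
| where Devices <= 3            // rare across the fleet; tune for your environment
| order by Devices asc, LoadCount asc
```

Grouping by SHA256 rather than FileName alone keeps a renamed copy of a known DLL from hiding in a common name, and the Devices count is the first triage signal: a DLL every workstation loads from ProgramData is usually a product, one that three machines load from Downloads usually is not.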

ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀

Start your day zen #NinjaCat

Updated guidance on conditional access: Either target all resources with MFA or at least target Azure AD Graph through "Custom security attributes". #EntraID https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#protecting-directory-information

Now you can use your own company standard values for your attributes in Entra with Custom Maester Tests and #PowerShell Learn more clatent.com/2025/02/now-... @merill.net @fabian.bader.cloud @naunheim.cloud

This is a really good change. "Let's keep your account secure" is much more relatable and helps the user to understand what's happening next.

Huge congratulations to all new Microsoft MVPs in February 2025! 👏 Thank you all for the invaluable work you do on helping others to succeed within their day to day work by sharing your knowledge 🧡 We are looking forward to what we can achieve together in the future! #MVPBuzz

So downloading zip files from web[.]whatsapp[.]com on corporate devices and opening the "PDF.lnk" inside is really a thing now 😓

🚀 Join my webinar: Decrypting RDP Traffic in Wireshark! 🔍 📅 Date: February 11th ⏰ Time: 09:00 AM – 10:00 AM EST Learn how to analyze and decrypt RDP traffic like a pro. Can't make it live? No worries—register now, and you'll get the slides & recording afterward! 🔗 Register now 👇

Is anybody aware of a method to get an overview of the Microsoft Graph scopes available to a user when I'm not using the MSGraph SDK but only have the bearer token and Invoke-RestMethod / curl? #MSGraph PS: parsing the access token is no option

#Check MDE Attach TLS Inspection
$domain = 'discovery.dm.microso...'
# Open a raw TCP connection to the MDE endpoint on 443 and complete a TLS handshake on it
$req = [System.Net.Sockets.TcpClient]::new($domain, 443)
$stream = [System.Net.Security.SslStream]::new($req.GetStream())
$stream.AuthenticateAsClient($domain)
# The certificate presented to the client: if the issuer is your proxy CA rather than Microsoft's, TLS inspection is in the path
$stream.RemoteCertificate | fl *
$stream.Dispose()
$req.Dispose()

Happening tonight! I'm feeling better and incredibly excited about this session where I talk about practical #GenAI. I've learned a ton in the past few months and can't wait to share it with the #PowerShell community. Join me at 7PM Central European time for this virtual mtg w/ HHPSUG

Just a few hours until the next Hamburg PowerShell User Group with @funbucket.dev Today @ 19:00 CET virtual www.meetup.com/hamburg-powe...