Security Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi, are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, the sign-in is enabled by default, I can simply reset the password, sign in via Outlook Web and see the Microsoft Bookings calendar. Bad actors could brute force this sign-in, register the MFA authentication method of their choice and gather data of the customers that used my public bookings page. What is the recommeded way to handle these objects in Entra ID? Conditional Access settings? Azure Monitoring alerts for sign-ins? Defender alerts for when an inbox rule is created? Kind regards, Yasemin
employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Futures Initiatives and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn) as well as the Microsoft Recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having Named Attributes for such important security configurations and Entitlement Management. Thanks, B
Defender for Identity Certificate Requirements
One of the required certificates for the MDI sensor to run is this certificate: Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Issuer : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Thumbprint : D4DE20D05E66FC53FE1A50882C78DB2852CAE474 FriendlyName : DigiCert Baltimore Root NotBefore : 5/12/2000 11:46:00 AM NotAfter : 5/12/2025 4:59:00 PM Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid} It expires in a little over 2 weeks. I still see it listed as required here: https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues Does anyone know if that requirement will be going away and/or will the certificate be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches so I apologize if this has been covered already. Thanks.Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for lighthouse. recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. ThanksWarning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble. Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying "Open Teams to continue receiving notifications for <email address>", or "<email address> needs to sign in to see notifications". Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles. Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users' tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep: "When a user's role changes (either due to activation or expiration), Skype AAD[?] will revoke existing tokens of that users. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024 which is since when you are facing the issue as well." Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this.
ATP sensor fails to start since yesterday
Hi there, we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor will get stuck while starting. Funny: there are more than 40 DC's. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error. Rebooting the machines will not help. 2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True] 2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False] 2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local] 2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ] We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday. Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. I have checked that the mdiuser account is part of the GPO that allows logon as service on all machines. Now I am running out of ideas. The system tells me, it can access the gMSA password, the agent tells me it can't. Whats wrong? Best regards, Ingo
