Entra ID

Practical Graph: Tracking Critical App Actions Through Audit Events

• Post author:By Tony Redmond

App management audit events are captured when changes are made to Entra registered and enterprise apps. Critical app management audit events should be closely monitored to ensure that permissions are used properly and attackers haven't attempted to penetrate the tenant to extract data. This article explains how to find and analyze audit data for some critical app management audit events and run the code as an Azure Automation runbook.

• Entra ID

July 8, 2025

3 Comments

Practical Graph: Finding Owners for Ownerless Apps from Audit Data

• Post author:By Tony Redmond

When administrators create new Entra ID apps, the apps don't have an owner unless an owner is explicitly assigned. The net result is that a tenant can end up with many ownerless apps. In this article, we explain how to find ownerless apps, and how to use audit data to find suitable owners for those apps. All done with PowerShell, of course.

• Entra ID

June 23, 2025

Practical Protection: Getting Started with Graph Threat Hunting

• Post author:By Paul Robichaux

In this episode of Practical Protection, we dive into the basics of Threat Hunting, tools you can use, and even some DIY hunting advice.

• Blog

June 17, 2025

Securing Microsoft 365 with Graph Activity Logs

• Post author:By Mezba Uddin

In the first installment of Securing Microsoft 365 with Graph Activity Logs, Mezba Uddin dives into the essentials of the Microsoft Graph Activity Log, what it does, its importance for visibility, and how to get it running to start seeing it's data.

• Microsoft Graph

June 10, 2025

One comment

Practical Protection: Protecting Your Tenant by Restricting Applications

• Post author:By Paul Robichaux

Any time you allow a third-party application to run in a system you own or control, you’re assuming risk. In this episode of Practical Protection, we discuss how to reduce that risk by managing app consent in Microsoft Entra ID, as well as a few other alternatives.

• Entra ID

May 6, 2025

Practical Graph: Use App Management Policies to Control App Credentials

• Post author:By Tony Redmond

App secrets are used to authenticate registered apps with Entra ID. App secrets (or passwords) are convenient and easy to use, but they're relatively insecure. The default app management policy for the tenant can block app secrets while custom app management policies can allow selective apps to use app secrets for testing or other well-defined purposes. All explained here.

• Entra ID

May 5, 2025

One comment

Controlling Access to Microsoft 365 Entra ID Apps Part #2

• Post author:By Ingo Gegenwarth

In the second part of this series on Controlling Access to Microsoft 365 Entra ID Apps, Ingo dives into the process of creating custom Role-Based Access Control (RBAC) to Improve Security in your tenant.

• PowerShell

April 29, 2025

One comment

Using Conditional Access to Combat Token Theft

• Post author:By Thijs Lecomte

With AiTM phishing attacks on the rise, it is important to have procedures in place to combat future attacks. In this article, we explore three different ways to protect against token theft using Conditional Access.

• Security

April 2, 2025

7 Comments

Controlling Access to Microsoft 365 for Entra ID Apps

• Post author:By Ingo Gegenwarth

In the first installment of this new series on Entra ID Access Control, we explore the fundamentals of granting permissions to Entra ID user accounts and applications for task automation.

• Entra ID

March 20, 2025

6 Comments

Practical PowerShell: Restore an Entra ID Deleted User Account and Update Its User Principal Name

• Post author:By Tony Redmond

The need to restore deleted user accounts sometimes arises. The process is well understood and options are available to do the job in the Entra and Microsoft 365 admin centers. But if you need to restore a deleted user account and change its user principal name, that operation can only be done with PowerShell. This article explores why updating a user principal name during a restore might be necessary and the code to restore accounts.

• Entra ID

March 4, 2025

Identifying Privileged Applications and Their Secret Passwords

• Post author:By Brandon Colley

Securing applications in an Entra tenant is crucial, especially after recent attacks like Midnight Blizzard. This article reviews how to use PowerShell to help identify privileged applications, their permissions, as well as client Secrets.

• Entra ID

January 30, 2025

Practical Graph: Combining Sign In Activity and App Detail in a User Report

• Post author:By Tony Redmond

Often tenants create user sign-in reports based on the sign-in data held in user account properties. This article explains how to supplement that information with insights about the apps users sign into using sign-in audit logs. The combined information is more valuable than simply knowing when someone last successfully signed in.

• Blog

January 7, 2025