Nathan McNulty
@nathanmcnulty.com
Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | Microsoft MVP | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty
First of three legs on my way to WPNinjas US in Dallas. Only 13 hours of travel to go... 🤪
It'll totally be worth it to see everyone, hopefully help some folks with work, career, and family :)
I'm way behind on planning, so hmu if you're going to be there!
It'll totally be worth it to see everyone, hopefully help some folks with work, career, and family :)
I'm way behind on planning, so hmu if you're going to be there!
December 8, 2025 at 12:04 AM
First of three legs on my way to WPNinjas US in Dallas. Only 13 hours of travel to go... 🤪
It'll totally be worth it to see everyone, hopefully help some folks with work, career, and family :)
I'm way behind on planning, so hmu if you're going to be there!
It'll totally be worth it to see everyone, hopefully help some folks with work, career, and family :)
I'm way behind on planning, so hmu if you're going to be there!
I often make this mistake with Filter for devices in Conditional Access... and I bet you are doing it too 🤪
To target unregistered devices, you probably want to do INCLUDE with trustType/isCompliant NotEquals
Go double check your policies ;)
learn.microsoft.com/...
To target unregistered devices, you probably want to do INCLUDE with trustType/isCompliant NotEquals
Go double check your policies ;)
learn.microsoft.com/...
December 2, 2025 at 2:37 AM
I often make this mistake with Filter for devices in Conditional Access... and I bet you are doing it too 🤪
To target unregistered devices, you probably want to do INCLUDE with trustType/isCompliant NotEquals
Go double check your policies ;)
learn.microsoft.com/...
To target unregistered devices, you probably want to do INCLUDE with trustType/isCompliant NotEquals
Go double check your policies ;)
learn.microsoft.com/...
Hey folks, just jumping on a live Entra Chat to talk about all the Ignite announcements with @merill.net, @naunheim.cloud, Martin Sandren, and Ru Campbell!
Come join us at riverside.fm/studio/entra...
Come join us at riverside.fm/studio/entra...
November 21, 2025 at 7:14 PM
Hey folks, just jumping on a live Entra Chat to talk about all the Ignite announcements with @merill.net, @naunheim.cloud, Martin Sandren, and Ru Campbell!
Come join us at riverside.fm/studio/entra...
Come join us at riverside.fm/studio/entra...
SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED 😳
November 21, 2025 at 5:51 AM
SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED 😳
Fancy - looks like we'll have the ability to block Agents based on use cases and agent risk
Curious to see if this goes the way of Workload Identity Premium after Preview
Curious to see if this goes the way of Workload Identity Premium after Preview
November 18, 2025 at 9:04 PM
Fancy - looks like we'll have the ability to block Agents based on use cases and agent risk
Curious to see if this goes the way of Workload Identity Premium after Preview
Curious to see if this goes the way of Workload Identity Premium after Preview
Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳
learn.microsoft.com/...
learn.microsoft.com/...
November 18, 2025 at 2:10 AM
Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳
learn.microsoft.com/...
learn.microsoft.com/...
We can now change Source of Authority on Contacts as well 🔥
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
November 3, 2025 at 10:24 PM
We can now change Source of Authority on Contacts as well 🔥
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
Looks like we can change contact SOA using the https://graph.microsoft.com/v1.0/contacts API endpoint too :)
A 138 character cmdlet in a production PowerShell module 🫠
November 2, 2025 at 9:06 PM
A 138 character cmdlet in a production PowerShell module 🫠
Everybody is always worried about emergency access, but what about emergency shutdown? 😏
October 30, 2025 at 8:55 PM
Everybody is always worried about emergency access, but what about emergency shutdown? 😏
Just casually dropping nuanced licensing details on step 7 of a how to guide, as one does 🤷♂️
October 21, 2025 at 4:48 AM
Just casually dropping nuanced licensing details on step 7 of a how to guide, as one does 🤷♂️
I demand to speak to a manager! :P
October 19, 2025 at 2:46 AM
I demand to speak to a manager! :P
Ahh yes, Blizzard Antivirus, my favorite of all the Antivirus products 🤣
October 15, 2025 at 12:03 AM
Ahh yes, Blizzard Antivirus, my favorite of all the Antivirus products 🤣
Reposted by Nathan McNulty
Brilliant Conditional Access masterclass at #MMSMusicCity by @nathanmcnulty.com and @conditionalaccess.uk
Your policy is as strong as its poorest exclusion
#MMSMOA
Your policy is as strong as its poorest exclusion
#MMSMOA
October 14, 2025 at 7:51 PM
Brilliant Conditional Access masterclass at #MMSMusicCity by @nathanmcnulty.com and @conditionalaccess.uk
Your policy is as strong as its poorest exclusion
#MMSMOA
Your policy is as strong as its poorest exclusion
#MMSMOA
I can't stop laughing 😂
October 14, 2025 at 5:02 PM
I can't stop laughing 😂
Reposted by Nathan McNulty
👋 Check out this new Microsoft Entra blog post 👇
Your shortcut to Microsoft Entra deployment success
techcommunity.microsoft.com/t5/microsoft...
Your shortcut to Microsoft Entra deployment success
techcommunity.microsoft.com/t5/microsoft...
Your shortcut to Microsoft Entra deployment success
FastTrack has developed created 20+ short, scenario-based videos that guide you step-by-step through Microsoft Entra deployments.
techcommunity.microsoft.com
October 10, 2025 at 5:47 PM
👋 Check out this new Microsoft Entra blog post 👇
Your shortcut to Microsoft Entra deployment success
techcommunity.microsoft.com/t5/microsoft...
Your shortcut to Microsoft Entra deployment success
techcommunity.microsoft.com/t5/microsoft...
Intune now has dedicated security recommendations docs just like Entra 🔥
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
October 10, 2025 at 4:49 AM
Intune now has dedicated security recommendations docs just like Entra 🔥
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
The Entra security docs are extremely popular, and I love seeing other teams publishing this kind of guidance
Thanks to my collegaue (Josh Gatewood) for pointing this out!
learn.microsoft.com/en-us/intune...
Did you know Entra ID Protection never automatically clears Medium or High risk?
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
October 7, 2025 at 10:45 PM
Did you know Entra ID Protection never automatically clears Medium or High risk?
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
It's happening! Converting AD resources to Entra resources is here, and even more docs just arrived 🥳
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
October 7, 2025 at 5:30 AM
It's happening! Converting AD resources to Entra resources is here, and even more docs just arrived 🥳
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
Delivered with the User SoA docs is something even bigger - architectural guidance for shifting from AD to Entra using Source of Authority conversion🔥
learn.microsoft.com/...
cyber awareness month is off to a great start...
October 3, 2025 at 2:12 AM
cyber awareness month is off to a great start...
Hahaha, wow... 😮
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
October 2, 2025 at 4:47 AM
Hahaha, wow... 😮
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you leave App passwords enabled and enforce MFA through per-user MFA, the MFA enrollment wizard actually makes the user to create an app password 🤯
If you've been evaluating the new(ish) Defender for Identity sensor (v3.0) that's in preview, there's a new config to support advanced identity detections :)
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
October 1, 2025 at 10:09 PM
If you've been evaluating the new(ish) Defender for Identity sensor (v3.0) that's in preview, there's a new config to support advanced identity detections :)
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
Just add the tag "Unified Sensor RPC Audit" to the DC's (docs recommend asset rule management)
learn.microsoft.com/...
I just love how predictable cloud is - you can migrate or we'll migrate it for you, but either way, you're moving to the new service that will probably cost you more
October 1, 2025 at 4:52 AM
I just love how predictable cloud is - you can migrate or we'll migrate it for you, but either way, you're moving to the new service that will probably cost you more
This was postponed, so there's still time... tomorrow is the last day before mandatory MFA for Azure CLI/PowerShell and anything else hitting Azure Resource Manager REST API
September 30, 2025 at 6:42 AM
This was postponed, so there's still time... tomorrow is the last day before mandatory MFA for Azure CLI/PowerShell and anything else hitting Azure Resource Manager REST API
Reposted by Nathan McNulty
That's a common and huge security risk that most admins do not know about. I wrote a blog post about it. www.cswrld.com/2024/11/how-...
How to disable Self-Service Password Reset for administrators
Self-service password reset can be a useful feature that allows users to access their account in case they forget their password. On the other hand, it is potentially risky, as...
www.cswrld.com
September 28, 2025 at 4:39 AM
That's a common and huge security risk that most admins do not know about. I wrote a blog post about it. www.cswrld.com/2024/11/how-...
In Entra ID, did you know sensitive cloud admins are enabled for Self-Service Password Reset by default, even if you never turn SSPR on?
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
September 28, 2025 at 2:03 AM
In Entra ID, did you know sensitive cloud admins are enabled for Self-Service Password Reset by default, even if you never turn SSPR on?
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...
It also doesn't follow auth method policies, so they can use email and SMS...
You really should disable it
learn.microsoft.com/...