Ru Campbell
campbell.scot
Microsoft Security MVP + Microsoft Security Practice Lead at Threatscape

Mostly: Entra, Defender, Intune, Purview, and Microsoft 365

Also: dad, metal, lifting, wrestling, cars

Mostly on Twitter rather than here: @rucam365
New video: 5 common Entra ID guest mistakes (Entra B2B)

• excessive directory visibility
• ignored cross-tenant defaults
• untrusted MFA & device states
• open SharePoint sharing
• no guest lifecycle

There's tons more! But here's a starter

WATCH: youtu.be/AXuj-U9p3jU
October 31, 2025 at 4:47 PM
ICYMI: Microsoft Authenticator for iOS + Android will detect, prevent, then wipe Entra creds on rooted devices (MC1179154).

• Phase 1 (warn mode) begins February '26
• followed by Phase 2 (block mode)
• then Phase 3 (wipes Entra creds)
• expected to be completed ~April '26
October 29, 2025 at 2:16 PM
The unified Defender for Identity sensor as part of Defender for Endpoint is now generally available :-)

Docs: learn.microsoft.com/...
October 23, 2025 at 6:05 PM
Next M365 S&C UG - Oct 29, 18:00 UTC

- @JoanneCKlein & Anna Bordioug: Two Sides of the Data Coin: Data Protection vs. Data Retention in Practice
- @brand_gefahr: How Much is the Phish? An End-to-End Perspective on Phishing Operation

REGISTER: www.meetup.com/m365s...
October 20, 2025 at 5:05 AM
New video: new Defender detections for jailbreaks + prompt injection in Microsoft 365 Copilot

• recap on what jailbreaks and prompt injections are (examples)
• how they show up in Defender for Cloud Apps/hunting and Purview

WATCH: youtu.be/iCRYJ32fwro
October 17, 2025 at 11:04 AM
New video: deep dive on building Intune security baselines that actually work with legend of the game @SkipToEndpoint

• why so many baselines are just plain bad
• balancing security / usability
• when to customise
• how OIB makes it practical

WATCH: youtu.be/Xe32TzHgueA
October 10, 2025 at 4:16 PM
Still time to sign up at aka.ms/EntraZeroTrust for the rest of the Entra Zero Trust Practitioner series. On 9 October, I'm joining @merill, @nathanmcnulty, and more for a live Q+A on everything Entra identity and network access.
October 8, 2025 at 10:21 AM
Among others in the Microsoft 365 stack, there is a new Defender icon!

See them all: microsoft.design/art...
October 1, 2025 at 11:36 PM
New video: deep dive into Entra ID Governance with MVP @MattChatt42.

• why identity is the front door
• sources of authority (HR vs AD)
• joiner/mover/leaver workflows
• PowerShell scripts vs governance at scale

WATCH: youtu.be/VVU2UhYaGzk
September 30, 2025 at 2:30 PM
Running in-person only (Edinburgh) ‘Mastering Microsoft Entra ID Security’ on 6 Nov.

2hr Entra security deep dive for blue teams.

Note this is exclusively for in-house security teams rather than other partners, MSSPs, etc.

REGISTER: www.eventbrite.ie/e/...
September 30, 2025 at 12:25 PM
Folks, join us TONIGHT for the M365 Security & Compliance User Group

Two killer sessions and lots of prizes:

Denis Mutlu - Optimizing Log Management for Sentinel & MDXDR
@ThomasVrhydn - Proactive Exposure Hunting with Enterprise Exposure Graph

REGISTER: www.meetup.com/m365s...
September 24, 2025 at 4:07 AM
One of the first things you realise when contending with Microsoft 365 security posture management (like @Threatscape Overwatch): you really need to fight hard the instinct to mark everything 'High Risk'. There are a lot of dominos/attack paths that even small gaps can open up!
September 22, 2025 at 10:57 AM
New video: an honour to join @HeikeRitter's Virtual Ninja Show discussing MDE policy management and deploying at scale:

• personas + policy merge
• rings and “critical time delay”
• Live Response + RBAC
• Effective settings

WATCH: youtu.be/IvLNLcXRlrY
September 4, 2025 at 6:21 AM
Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should.
August 27, 2025 at 1:21 PM
Convenient reminder to stop what you’re doing and enforce browser extension allow listing.
August 27, 2025 at 6:08 AM
With so many different ways of managing Microsoft 365 apps' updates and settings (Intune, config.office.com, third-party), what are YOU using, and what is currently the "most recommended" method?
August 21, 2025 at 10:39 AM
Heads up. Spotted by a colleague this morning: deception capabilities in MDE are not making it past public preview.
August 19, 2025 at 8:56 AM
New video: Why your Defender update settings are risky

- update types: engines, platforms, intelligence
- what is Microsoft’s 'Safe Deployment Practices' (SDP)?
- update rings in Defender (not just Windows)
- balancing rollout risk vs. protection

WATCH: youtu.be/trQv__-Z9-8
August 18, 2025 at 1:06 PM
Folks, working on two Defender books out this year and want to feature the best community tips.

Defender for Endpoint In Depth 2nd Ed (w/ @Threatzman)
Mastering Defender XDR 2nd Ed (w/ @Headburgh)

So, drop your great MDE, MDO, MDI, MDA, and XDR tips here. Best get featured.
August 14, 2025 at 9:27 AM
New video: deep dive into Defender for Endpoint/Antivirus settings.

- what every one really does
- what “good” looks like
- gotchas
- nuances

And why some of the important ones are “hidden”.

Watch: youtu.be/R8btJ_SjwVk
August 8, 2025 at 6:31 PM
TIL that Purview parent sensitivity labels are being replaced by label groups (MC1111778). You can migrate using a wizard and by default it'll convert the parent label into both a group and a label within that group (to not risk removing an in-use label).
August 7, 2025 at 12:29 PM
I don’t think that’s the incentive LinkedIn thinks it is…
August 6, 2025 at 5:19 PM
TIL Entra ID Governance for guests is PAYG. Example: access review for inactive guests charged based on # guests in scope.

So, charged on API events that include guests separate to usual 50K allowance. Max 1 charge guest/month even if multiple events.

learn.microsoft.com/...
August 6, 2025 at 7:52 AM
TIL about Purview on-demand classification for Windows to discover + classify files at rest on devices (MC1106875).

On-demand classification (PAYG) was previously limited to SPO + ODfB.

Partially addresses a gap a lot of my customers ask about... will auto labelling follow? 🤔
August 5, 2025 at 3:29 PM
Most IT teams, including mature ones, aren’t gonna adopt physical dedicated PAWs and it’s not reasonable to assert they should.

What have been your most successful compromises for this?
August 3, 2025 at 12:24 PM