Christopher Brumm
cbrhh.bsky.social
Take a look at the article I linked. It says: "Microsoft Entra Internet Access for Microsoft services capabilities are included in a Microsoft Entra ID P1 or Microsoft Entra ID P2 license."
March 5, 2025 at 12:17 PM

@fabian.bader.cloud, @naunheim.cloud and I have also looked into the topic of TokenSmith and are describing the Blue Team perspective (including an effective detection) in this blog:
www.glueckkanja.com/blog/securit...
Compliant Device Bypass in Microsoft Intune – Detection, Response & Mitigation
In this blog post, glueckkanja's MVP Fabian Bader, Chris Brumm and Thomas Naunheim gather details about the Compliant Device Bypass in Microsoft Intune Company Portal. After additional research, they ...
www.glueckkanja.com
January 17, 2025 at 7:21 AM
A Compliant Network behaves like a Named Location and triggers the Continuous Access Evaluation trigger.
This will force the user to reauthenticate if the token is CAE-enabled (and the service is SharePoint Online).
-> learn.microsoft.com/en-us/entra/...
-> learn.microsoft.com/en-us/entra/...

4/4
Continuous access evaluation in Microsoft Entra - Microsoft Entra ID
Responding to changes in user state faster with continuous access evaluation in Microsoft Entra
learn.microsoft.com
January 10, 2025 at 7:09 PM
Why should you do this?

You get the option to protect your resources behind the compliant network control by configuring a Conditional Access policy
-> learn.microsoft.com/en-us/entra/...

According to my tests, this policy is really powerful at protecting against replayed tokens.

3/4
Enable Compliant Network Check with Conditional Access - Global Secure Access
Learn how to require known compliant network locations in order to connect to your secured resources with Conditional Access.
learn.microsoft.com
January 10, 2025 at 7:09 PM
Means: you can install the Global Secure Access Client on all your clients and route the traffic to all the Microsoft Endpoints through GSA.
-> learn.microsoft.com/en-us/entra/...

The client is available for Windows, Mac, Android and iOS and it is really easy to deploy.

2/4
The Global Secure Access Client for Windows - Global Secure Access
The Global Secure Access client secures network traffic at the end-user device. This article describes how to download and install the Windows client.
learn.microsoft.com
January 10, 2025 at 7:09 PM
Reposted by Christopher Brumm
gist.github.com/CloudProtect...

This one does a very good job because it considers whether the device is joined/registered and only looks at the AADGraph. For this resource it's not normal that a non-registered device is accessing it.
Use Defender XDR advanced hunting query capabilities to detect possible device compliance bypass attacks for Entra ID Conditional Access according to the vulnerability disclosed by Yuya Chudo (https:/...
gist.github.com
January 9, 2025 at 7:30 AM
Any tips? That's a really strange coincidence - ours needs to be replaced too...
December 29, 2024 at 8:33 PM