Thomas Naunheim
@naunheim.cloud
#Microsoft MVP | #CloudSecurity Architect ☁️ | #Entra #AzureAD 🔑 + #AzureSecurity 🛡️ | #CommunityRocks | #Schaengel
Had the great privilege and a lot of fun joining 🎙️#EntraChat together with my friend and MVP fellow @samilamppu.bsky.social!
🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
Thomas Naunheim and Sami Lamppu quietly built one of the most useful open projects for Entra ID defenders.
The Entra ID Attack & Defense Playbook
It’s free, community-driven, and packed with real detection logic and KQL queries.
🧵👇
The Entra ID Attack & Defense Playbook
It’s free, community-driven, and packed with real detection logic and KQL queries.
🧵👇
November 2, 2025 at 10:15 AM
Had the great privilege and a lot of fun joining 🎙️#EntraChat together with my friend and MVP fellow @samilamppu.bsky.social!
🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
The availability of GraphApiAuditEvents in #MicrosoftDefender brings significant value to every environment, enhancing capabilities for detecting and hunting #MicrosoftGraph API calls. In my recent research, I’ve created a few resources that I’m happy to share with the community.
July 30, 2025 at 6:47 AM
The availability of GraphApiAuditEvents in #MicrosoftDefender brings significant value to every environment, enhancing capabilities for detecting and hunting #MicrosoftGraph API calls. In my recent research, I’ve created a few resources that I’m happy to share with the community.
🚀🔎 Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
July 17, 2025 at 6:43 AM
🚀🔎 Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
My session, “Defending Tier 0: Taking Control of Your Cloud’s Control Plane,” from last year’s #HIPConf is now available on YouTube. The session focused on securing privileged access and implementing a tiered administration model in #MicrosoftEntra.
youtu.be/pVPEieHtOVM
youtu.be/pVPEieHtOVM
Defending Tier 0: Taking Control of Your Cloud's Control Plane
YouTube video by Semperis
youtu.be
May 17, 2025 at 7:48 AM
My session, “Defending Tier 0: Taking Control of Your Cloud’s Control Plane,” from last year’s #HIPConf is now available on YouTube. The session focused on securing privileged access and implementing a tiered administration model in #MicrosoftEntra.
youtu.be/pVPEieHtOVM
youtu.be/pVPEieHtOVM
I've published a #KQL function ("WorkloadIdentityInfoXDR") for #MicrosoftDefender to enhance details of #MicrosoftEntra #WorkloadID from various sources, incl. the new table "OAuthAppInfo" but also IdentityInfo table and #ExposureManagement. (1/2)
🔗 github.com/Cloud-Archit...
🔗 github.com/Cloud-Archit...
April 9, 2025 at 11:51 AM
I've published a #KQL function ("WorkloadIdentityInfoXDR") for #MicrosoftDefender to enhance details of #MicrosoftEntra #WorkloadID from various sources, incl. the new table "OAuthAppInfo" but also IdentityInfo table and #ExposureManagement. (1/2)
🔗 github.com/Cloud-Archit...
🔗 github.com/Cloud-Archit...
Cloud #IdentitySummit 2025 is back!
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
April 8, 2025 at 5:23 AM
Cloud #IdentitySummit 2025 is back!
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
IdentityInfo table in #MicrosoftDefender has been expanded to include eligible roles from #MicrosoftEntra. I’ve developed a #KQL function to get a summarized overview of all directory role assignments, enriched with details from my #EntraOps classification:
github.com/Cloud-Archit...
github.com/Cloud-Archit...
March 17, 2025 at 6:12 AM
IdentityInfo table in #MicrosoftDefender has been expanded to include eligible roles from #MicrosoftEntra. I’ve developed a #KQL function to get a summarized overview of all directory role assignments, enriched with details from my #EntraOps classification:
github.com/Cloud-Archit...
github.com/Cloud-Archit...
I had the great pleasure of speaking about #MicrosoftEntra Token Hunting 🍪🔎 at #YellowHat 🚧👷♂️. You can find the slides from my session here:
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
March 8, 2025 at 9:31 AM
I had the great pleasure of speaking about #MicrosoftEntra Token Hunting 🍪🔎 at #YellowHat 🚧👷♂️. You can find the slides from my session here:
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
I have the great pleasure of joining a shared session with @samilamppu.bsky.social at the M365 Security & Compliance User Group tonight. Last preparations are now in full swing... You can find more details about the meetup and register for this free online event here:
www.meetup.com/m365sandcug/...
www.meetup.com/m365sandcug/...
February 26, 2025 at 12:51 PM
I have the great pleasure of joining a shared session with @samilamppu.bsky.social at the M365 Security & Compliance User Group tonight. Last preparations are now in full swing... You can find more details about the meetup and register for this free online event here:
www.meetup.com/m365sandcug/...
www.meetup.com/m365sandcug/...
Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)
February 11, 2025 at 5:31 PM
Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)
Reposted by Thomas Naunheim
I'm building a new home for IntuneBrew and would like to share my progress so far.
IntuneBrew.com will serve as the project's landing page, featuring a Quick Start Guide and an overview of key features.
IntuneBrew.com will serve as the project's landing page, featuring a Quick Start Guide and an overview of key features.
January 29, 2025 at 4:37 PM
I'm building a new home for IntuneBrew and would like to share my progress so far.
IntuneBrew.com will serve as the project's landing page, featuring a Quick Start Guide and an overview of key features.
IntuneBrew.com will serve as the project's landing page, featuring a Quick Start Guide and an overview of key features.
Do you like to know if ownership of privileged objects in #MicrosoftEntra has been delegated to lower privileged users? Graph semantics in KQL and XSPM allow building powerful queries and analyzing data as graphs. I've started to include data from #EntraOps to analyze delegated ownership. (1/3)
January 29, 2025 at 6:47 AM
Do you like to know if ownership of privileged objects in #MicrosoftEntra has been delegated to lower privileged users? Graph semantics in KQL and XSPM allow building powerful queries and analyzing data as graphs. I've started to include data from #EntraOps to analyze delegated ownership. (1/3)
Final touches and rehearsal for my #TECTalk on #TokenSecurity in #MicrosoftEntra tonight. I'll be discussing attack scenarios on various token types and how TPM, Token Protection, CAE & Global Secure Access can help prevent token theft. Register for the free webinar:
www.quest.com/event/the-ex...
www.quest.com/event/the-ex...
January 23, 2025 at 8:23 AM
Final touches and rehearsal for my #TECTalk on #TokenSecurity in #MicrosoftEntra tonight. I'll be discussing attack scenarios on various token types and how TPM, Token Protection, CAE & Global Secure Access can help prevent token theft. Register for the free webinar:
www.quest.com/event/the-ex...
www.quest.com/event/the-ex...
How can you detect and mitigate #MicrosoftEntra Compliant Device Bypass in the #MicrosoftIntune Company Portal? What are the potential attack paths? @fabian.bader.cloud, @cbrhh.bsky.social and I had additional research and summarized our results in this blog post:
www.glueckkanja.com/blog/securit...
www.glueckkanja.com/blog/securit...
Compliant Device Bypass in Microsoft Intune – Detection, Response & Mitigation
In this blog post, glueckkanja's MVP Fabian Bader, Chris Brumm and Thomas Naunheim gather details about the Compliant Device Bypass in Microsoft Intune Company Portal. After additional research, they ...
www.glueckkanja.com
January 17, 2025 at 6:19 AM
How can you detect and mitigate #MicrosoftEntra Compliant Device Bypass in the #MicrosoftIntune Company Portal? What are the potential attack paths? @fabian.bader.cloud, @cbrhh.bsky.social and I had additional research and summarized our results in this blog post:
www.glueckkanja.com/blog/securit...
www.glueckkanja.com/blog/securit...
#MicrosoftEntra Attack & Defense Playbook Update:
@samilamppu.bsky.social and I have updated some content:
🔃 #EntraConnect: New capabilities by MDI sensor & XSPM
🎯 #AiTM: Attack scenarios on MDA sessions
🛡️ #MITRE: Updated TTP coverage & map
Check out the latest version:
github.com/Cloud-Archit...
@samilamppu.bsky.social and I have updated some content:
🔃 #EntraConnect: New capabilities by MDI sensor & XSPM
🎯 #AiTM: Attack scenarios on MDA sessions
🛡️ #MITRE: Updated TTP coverage & map
Check out the latest version:
github.com/Cloud-Archit...
GitHub - Cloud-Architekt/AzureAD-Attack-Defense: This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can b...
This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected. - Cloud-Architekt/Azu...
github.com
January 9, 2025 at 8:00 AM
#MicrosoftEntra Attack & Defense Playbook Update:
@samilamppu.bsky.social and I have updated some content:
🔃 #EntraConnect: New capabilities by MDI sensor & XSPM
🎯 #AiTM: Attack scenarios on MDA sessions
🛡️ #MITRE: Updated TTP coverage & map
Check out the latest version:
github.com/Cloud-Archit...
@samilamppu.bsky.social and I have updated some content:
🔃 #EntraConnect: New capabilities by MDI sensor & XSPM
🎯 #AiTM: Attack scenarios on MDA sessions
🛡️ #MITRE: Updated TTP coverage & map
Check out the latest version:
github.com/Cloud-Archit...
Reposted by Thomas Naunheim
We’re excited to announce the next speakers for MC2MC Connect: @naunheim.cloud and @ugurkoc.de 🚀
In their session, they’ll show how to configure Platform SSO in Intune and highlight its benefits for user experience and security.
🎟️ tinyurl.com/5dxvnsn4
#MC2MC #ConnectMC2MC
In their session, they’ll show how to configure Platform SSO in Intune and highlight its benefits for user experience and security.
🎟️ tinyurl.com/5dxvnsn4
#MC2MC #ConnectMC2MC
December 20, 2024 at 2:31 PM
We’re excited to announce the next speakers for MC2MC Connect: @naunheim.cloud and @ugurkoc.de 🚀
In their session, they’ll show how to configure Platform SSO in Intune and highlight its benefits for user experience and security.
🎟️ tinyurl.com/5dxvnsn4
#MC2MC #ConnectMC2MC
In their session, they’ll show how to configure Platform SSO in Intune and highlight its benefits for user experience and security.
🎟️ tinyurl.com/5dxvnsn4
#MC2MC #ConnectMC2MC
Am 11.04.2025 findet die #ExpertsLiveDE in Leipzig statt, mit vielen spannenden Vorträgen zu Cloud, Workplace, AI und Security. Ich freue mich sehr, dieses Jahr dabei sein zu dürfen und über #TokenTheft in #MicrosoftEntra sprechen zu dürfen. Weitere Infos sowie Tickets: www.expertslive.de
December 17, 2024 at 6:07 AM
Am 11.04.2025 findet die #ExpertsLiveDE in Leipzig statt, mit vielen spannenden Vorträgen zu Cloud, Workplace, AI und Security. Ich freue mich sehr, dieses Jahr dabei sein zu dürfen und über #TokenTheft in #MicrosoftEntra sprechen zu dürfen. Weitere Infos sowie Tickets: www.expertslive.de
Reposted by Thomas Naunheim
Do you like to learn more about tokens and ways to protect them in #MicrosoftEntra? Join my #TECTalk on January 23rd to explore the various kind of token artifacts, post authentication attacks and mitigations to prevent #TokenTheft. Register for free at www.quest.com/event/the-ex...
November 27, 2024 at 6:55 PM
Do you like to learn more about tokens and ways to protect them in #MicrosoftEntra? Join my #TECTalk on January 23rd to explore the various kind of token artifacts, post authentication attacks and mitigations to prevent #TokenTheft. Register for free at www.quest.com/event/the-ex...
Reposted by Thomas Naunheim
So who wants a verified 'Microsoft' and 'Microsoft MVP' label on their profile and all the posts?
I just finished setting up @bluesky.ms as a labelling service.
Go subscribe to the label to start seeing labels on verified MVPs and Microsofties.
🧵👇
I just finished setting up @bluesky.ms as a labelling service.
Go subscribe to the label to start seeing labels on verified MVPs and Microsofties.
🧵👇
November 26, 2024 at 2:35 PM
So who wants a verified 'Microsoft' and 'Microsoft MVP' label on their profile and all the posts?
I just finished setting up @bluesky.ms as a labelling service.
Go subscribe to the label to start seeing labels on verified MVPs and Microsofties.
🧵👇
I just finished setting up @bluesky.ms as a labelling service.
Go subscribe to the label to start seeing labels on verified MVPs and Microsofties.
🧵👇
New Release: #EntraOps 0.3.3! 🚀 This update includes bug fixes and enhancements to #MicrosoftSentinel workbooks and nested #MicrosoftEntra PIM for Groups. Get the latest version from the GitHub repository: github.com/Cloud-Archit...
November 27, 2024 at 6:06 AM
New Release: #EntraOps 0.3.3! 🚀 This update includes bug fixes and enhancements to #MicrosoftSentinel workbooks and nested #MicrosoftEntra PIM for Groups. Get the latest version from the GitHub repository: github.com/Cloud-Archit...
Celebrating 4 years of the "#MicrosoftEntra Attack & Defense Playbook" 🔐 ☁️ community project! Last week, @samilamppu.bsky.social and I took the opportunity to record a video about the journey of this project, from research to writing process. #MVPBuzz #TechCommunity
www.youtube.com/watch?v=fBD1...
www.youtube.com/watch?v=fBD1...
Microsoft Entra ID Attack & Defense Playbook with Sami Lamppu
YouTube video by Thomas Naunheim
www.youtube.com
November 26, 2024 at 7:52 AM
Celebrating 4 years of the "#MicrosoftEntra Attack & Defense Playbook" 🔐 ☁️ community project! Last week, @samilamppu.bsky.social and I took the opportunity to record a video about the journey of this project, from research to writing process. #MVPBuzz #TechCommunity
www.youtube.com/watch?v=fBD1...
www.youtube.com/watch?v=fBD1...
Next week, I have the great pleasure to speak together with @gregorreimling.bsky.social at APE XXL in Apenheul, NL. We'll be sharing best practices in various design areas of #Azure #EnterpriseScale. Get your tickets for a day full of #Azure breakout sessions and workshops: xxl.azure-ape.nl
November 25, 2024 at 12:52 PM
Next week, I have the great pleasure to speak together with @gregorreimling.bsky.social at APE XXL in Apenheul, NL. We'll be sharing best practices in various design areas of #Azure #EnterpriseScale. Get your tickets for a day full of #Azure breakout sessions and workshops: xxl.azure-ape.nl
November 23, 2024 at 1:41 AM
Just wrapped up day 3 of #MSIgnite with @adrianritter.bsky.social, @okieselb.bsky.social and @ugurkoc.de. Our latest video covers all the recent announcements and sessions about SSE, Data Governance, Intune's AI management on macOS, and #Copilot. Tune in!
youtu.be/wjri-1EvPSw?...
youtu.be/wjri-1EvPSw?...
Microsoft Ignite 2024 - Day 3 Recap
YouTube video by Thomas Naunheim
youtu.be
November 22, 2024 at 5:11 PM
Just wrapped up day 3 of #MSIgnite with @adrianritter.bsky.social, @okieselb.bsky.social and @ugurkoc.de. Our latest video covers all the recent announcements and sessions about SSE, Data Governance, Intune's AI management on macOS, and #Copilot. Tune in!
youtu.be/wjri-1EvPSw?...
youtu.be/wjri-1EvPSw?...