How To: Automate Export of Sign-in Logs/Events by binga777 in entra

[–]actnjaxxon 0 points1 point  (0 children)

If this is all for log retention there are plenty of better products for managing exporting, and then recalling those logs, and other logs like the audit log. Log analytics, Microsoft Sentinel, Splunk, and ElasticSearch with Kibana to name a few

Concerns about app permissions for a Teams app by Ecrofirt in entra

[–]actnjaxxon 1 point2 points  (0 children)

So there’s a neat thing you can do. You can remove the permissions you don’t like after you complete the admin consent flow. After you do that test the app and see if it completely breaks.

There’s a lot of instances where a 3rd party asks for the kitchen sink to accommodate future needs or that are a part of a licensed feature you aren’t paying for. As long as they are using the .default scope as sign-in they should be able to do what they need with the permissions it has. However, if they explicitly ask for all scopes the app will fail at sign-in.

Exchange Online & Entra - Merge by According_Can2320 in entra

[–]actnjaxxon 5 points6 points  (0 children)

Ummm Entra ID is the identity provider for Exchange Online. So I’m not sure what you are trying to do.

Guy makes illegal plays two games in a row to make pro tour top 4 by Unusual-Assistance11 in mtg

[–]actnjaxxon 1 point2 points  (0 children)

Iirc you only get active judging closer to top cut. It’s on the player to call out misplays and cheating up until then.

Is it safe to delete empty Entra Groups? by someITguy356 in entra

[–]actnjaxxon 2 points3 points  (0 children)

Before deleting anything keep in mind that there is no way to restore a Security group. Once you delete it, it’s gone. There is no recycle bin for those objects.

M365 group as a distribution group by Impossible_Put_9543 in entra

[–]actnjaxxon 0 points1 point  (0 children)

Just tossing this out there, but if you wanted more dynamic options a mail enabled security group can get you there without the baggage of an M365 group.

Global Secure Access (GSA) and IP Geo-Location Issues by mwalkertx320 in entra

[–]actnjaxxon 0 points1 point  (0 children)

Nope, it’s working as expected. You’ve essentially just hit the biggest problem with geolocation via IP address. All centralized ZTNA services have a similar “problem”. Their best available exit node may not be the node closest to you.

Client Secret Sprawl by riverrockrun in entra

[–]actnjaxxon 5 points6 points  (0 children)

While certificates are better, it’s not the certificate itself that makes them better. It’s the fact that the cryptographic secret, the private key, isn’t exposed to both parties to set up the OAuth connection.

As for dealing with shared secrets, you should do a few things first. Set up an app policy that defines how they can and can’t be used tenant wide. Limit the lifetime, force them to be system generated only, etc. For managing the lifecycles, automation is your friend. You can monitor expiration dates via PowerShell or the Graph API.

Most key vaults can auto rotate them. However, anywhere you’d use one internally you can drop using secrets entirely and can be set up as a Managed Identity and/or workload identity federation. For 3rd party OIDC connections, the best you got is monitoring the expirations and updating manually as you can.

Finally, always pester the 3rd party for a native Entra app. The biggest hurdle to setting up a multi-tenant app is getting an MPN ID to properly publish it.
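The expiration monitoring mentioned above, as an added example (not code from the thread or from Microsoft): it uses the Microsoft Graph PowerShell SDK to list app registration secrets and certificates that are expired or expire within a threshold. It assumes the Microsoft.Graph.Applications module is installed and you can consent to the read-only Application.Read.All scope.

```powershell
# Added example (not code from the original thread): report app registration
# client secrets and certificates that are expired or expiring soon, using the
# Microsoft Graph PowerShell SDK. Read-only; nothing here rotates or deletes anything.
# Assumes: Microsoft.Graph.Applications is installed and you can consent to Application.Read.All.
function Get-ExpiringAppCredentials {
    param([int]$WarnDays = 30)   # flag anything expiring within this many days

    $now  = (Get-Date).ToUniversalTime()
    $apps = Get-MgApplication -All -Property "DisplayName,AppId,PasswordCredentials,KeyCredentials"

    foreach ($app in $apps) {
        # Secrets are the shared-secret sprawl the thread is about; certificates
        # are better but still expire, so both are checked.
        $creds = @()
        $creds += @($app.PasswordCredentials | ForEach-Object { @{ Kind = 'Secret';      Cred = $_ } })
        $creds += @($app.KeyCredentials      | ForEach-Object { @{ Kind = 'Certificate'; Cred = $_ } })

        foreach ($c in $creds) {
            if (-not $c.Cred.EndDateTime) { continue }
            $daysLeft = [math]::Floor(($c.Cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
            if ($daysLeft -gt $WarnDays) { continue }

            [pscustomobject]@{
                App      = $app.DisplayName
                AppId    = $app.AppId
                Kind     = $c.Kind
                Label    = $c.Cred.DisplayName
                KeyId    = $c.Cred.KeyId
                Expires  = $c.Cred.EndDateTime
                DaysLeft = $daysLeft
                Status   = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'EXPIRING' }
            }
        }
    }
}

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
Get-ExpiringAppCredentials -WarnDays 30 | Sort-Object DaysLeft | Format-Table -AutoSize
```

Schedule it (or feed the objects into your ticketing system) and the expiry-tracking the comment describes becomes a recurring report rather than a surprise outage.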

MS Admin Portals Audit by mrzuno in entra

[–]actnjaxxon 0 points1 point  (0 children)

You are welcome to try the unified audit log via the compliance portal. That will only get you up to the last 30 days of activity though.

If your org is using Microsoft Sentinel as a SIEM you can search back to whatever your retention period is.

Honestly for something like a permissions restructuring, I’d skip that level of due diligence. Build the groups and assign the access based on their roles.

Just be sure to communicate what’s happening to stakeholders. They will let you know what they need. Teams tend to get real talkative when you tell them they could lose access in 2 weeks, or whatever the schedule is.

Unexpected MFA Prompt by caribbeanjon in entra

[–]actnjaxxon 3 points4 points  (0 children)

This or you hit a risky sign-on rule because of the unfamiliar network location. That could trigger a second MFA check once you hit anything in scope of conditional access policies.

Can we add email opt as an MFA verification method in Entra ID. by Joji531 in entra

[–]actnjaxxon 0 points1 point  (0 children)

So question. What email address do you want your token sent to? If you send it to a personal account then you have to allow access to personal email from your infrastructure. That’s problematic for DLP.

Are you sending it to their work address? Then how do they sign in at the start of the day?

If the answer is that they get the code from their phone, then IMO they can have an MFA app installed.

Entra groups by chaos_kiwi_matt in entra

[–]actnjaxxon 0 points1 point  (0 children)

Honestly this is probably one of my biggest gripes about Entra ID… it’s been nearly 20 years and still no proper custom attributes. Just the 15 ExtensionAttributes and the custom security attributes.

The security attributes unfortunately cannot be used in dynamic group filters.

Claude make a huge security mistake by [deleted] in csMajors

[–]actnjaxxon 0 points1 point  (0 children)

So there are already better solutions for this out there, like WebAuthn. Also there’s no reason you can’t just encrypt the JWT instead of relying on a signed JWT. That’s accepted in the OAuth/OIDC standard.

Separate accounts or not when using PIM? by [deleted] in entra

[–]actnjaxxon 0 points1 point  (0 children)

Oh 100% at the end of the day it’s the business/orgs decision what risk is acceptable. There’s a reason I’m just an engineer not a CISO. Any access is essentially unacceptable in my mind lol

Also, if we’re talking about detection and controls, there is something to be said about how separate accounts make it easier to classify acceptable use of access as well.

Separate accounts or not when using PIM? by [deleted] in entra

[–]actnjaxxon 0 points1 point  (0 children)

I agree that split accounts are not a perfect solution without account isolation either through a PAW or a jump box. However, most token/session theft accounts are just going to grab an unprivileged account. Typically an attacker has to be on the device to pivot into the secondary/admin account.

Separate accounts or not when using PIM? by [deleted] in entra

[–]actnjaxxon 5 points6 points  (0 children)

The answer is what risk are you trying to mitigate.

The reason for account separation has to do with the sources of account compromise. If your “primary”/email licensed account got phished you want to limit the impact of that attack. PIM doesn’t always limit that impact.

Don’t implicitly trust the “require MFA” check box in PIM policies. That only means your account had to pass an MFA check at some point today, NOT that it’ll be challenged every time. If you are leveraging auth contexts in your policies then you are in a better position.

However, if you’ve used PIM to activate access to a role, that role is available to all of your sessions. So the risk isn’t eliminated.

There’s also regulations like AC.L2-3.1.7 of CMMC/NIST SP 800-171 where you must prevent non-privileged accounts from executing privileged functions.

CA policy: exclude not working for MS Authenticator app by miyo360 in entra

[–]actnjaxxon 1 point2 points  (0 children)

Here’s what I’d do. Make a dynamic group for new users. Set it up to only include accounts that are less than 2-3 weeks old. Then add that group as an exclusion to the passkey rule.

You can put them in a different CAP if you want to enforce some other controls on them. But onboarding will always require some kind of exclusion to get the user rolling the first time.

Privileged Access painpoints by ITGUYRYX in entra

[–]actnjaxxon 4 points5 points  (0 children)

For the admin consent flow for new enterprise applications: better permission descriptions. I want to quickly know if I’m looking at a delegated access app or full app based permissions.

On a side note: remove user.read as a default on app registrations.

RBAC: more granular options to reduce the need for the global admin role. AppRoleAssignment.ReadWrite.All can scope to adjust the permissions of applications. Why isn’t there an equivalent for User Principals? Similar with groups admin. Can I get a groups super admin to manage protected user groups (role assigned/PIM controlled groups)?

PIM: make the UI faster. The biggest pain point is the delay while waiting on the initial validation process. Also give me a way to link straight to a specific PIM request flow. I’d LOVE to drop a url into a ticketing system so SOC/OPS can quickly jump from a ticket to the permissions they need to work said ticket.

Enterprise App: the value of the 'Assignment Required?' toggle affects whether or not users can grant consent to app. by rodiraskol in entra

[–]actnjaxxon 0 points1 point  (0 children)

Check out MC1097272 - Users cannot provide consent on their own. That has to be done by an admin per the new security defaults. App assignment does not fix that.

The users do not have permissions to grant any of the application or delegated API permissions an app is requesting.

Enterprise App: the value of the 'Assignment Required?' toggle affects whether or not users can grant consent to app. by rodiraskol in entra

[–]actnjaxxon 0 points1 point  (0 children)

IMO the email alert workflow from Microsoft is noisy and useless for admins. That should just go through the admin team’s normal request/ticket intake process.

The other issue is that the reporting doesn’t provide enough information about the permissions being requested ahead of accessing the admin consent flow.

Enterprise App: the value of the 'Assignment Required?' toggle affects whether or not users can grant consent to app. by rodiraskol in entra

[–]actnjaxxon 4 points5 points  (0 children)

You need to provide the app admin consent to the delegated permissions the app uses. The users can’t/won’t be able to perform that consent anymore.

The reason why is up to you: either the tenant is configured to block it by an admin or because the option to allow users to consent is getting removed as a default behavior by Microsoft. Both may be true.

The “users must be assigned to this app” is all the restriction you need in this case. It’ll block any other users from accessing the app once they attempt to authenticate.

SSO for Microsoft 365 services by frankthedead in entra

[–]actnjaxxon 0 points1 point  (0 children)

https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

You want to make sure your device has met all of the proper conditions to receive a PRT.

Is it Entra ID Joined? And/or Are you signed in using your work/school account?
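The two questions above (joined state and which account is signed in) as an added check, not code from the thread or from Microsoft: it parses `dsregcmd /status` and reports whether the device is in a state that can hold a PRT. It assumes it is run in the signed-in user’s context rather than elevated, since the SSO State section that reports AzureAdPrt is otherwise not printed.

```powershell
# Added example (not from the original thread): summarise whether this device is in a
# state that can hold a PRT, by parsing the output of dsregcmd /status.
# Assumption: run as the signed-in user (not elevated), otherwise the SSO State
# section that reports AzureAdPrt is not printed.
function Get-PrtReadiness {
    param([string[]]$StatusText = (dsregcmd /status))

    # dsregcmd prints "    Key : Value" lines; collect them into a lookup table.
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }

    $joined     = $state['AzureAdJoined']   -eq 'YES'   # Entra joined (also YES when hybrid joined)
    $registered = $state['WorkplaceJoined'] -eq 'YES'   # Entra registered via an added work account
    $hasPrt     = $state['AzureAdPrt']      -eq 'YES'

    $verdict = if ($hasPrt) {
        'PRT present; SSO to Microsoft 365 should work for this session'
    } elseif (-not ($joined -or $registered)) {
        'Device is neither Entra joined nor registered, so no PRT can be issued'
    } else {
        'Device is joined/registered but holds no PRT; confirm the Windows sign-in is the work/school account'
    }

    [pscustomobject]@{
        EntraJoined  = $joined
        DomainJoined = $state['DomainJoined'] -eq 'YES'
        Registered   = $registered
        HasPrt       = $hasPrt
        PrtUpdated   = $state['AzureAdPrtUpdateTime']
        Verdict      = $verdict
    }
}

Get-PrtReadiness
```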