Cloudbrothers

Avoid Entra Conditional Access using alternative token broker

Autor — Tue, 07 Apr 2026 00:00:00 +0000

In Entra ID, Conditional Access acts as the gatekeeper to any token material. Regardless of whether you want a bearer token or a refresh token, Entra ID will be the entity creating and signing them. But not before Conditional Access has checked your identity, device and network for different conditions. This is the reason why this security measure is the cornerstone of Microsoft’s zero trust architecture and any holes in this construct can have far reaching consequences.

Run XDRInternals as GitHub Action

Autor — Mon, 09 Feb 2026 00:48:37 +0000

When Nathan and I released XDRInternals one of the biggest shortcomings for me was the lack of workload identity support. Since we are using the native API of the Defender portal only delegated permissions are supported, which makes it very hard to automate things in a pipeline.

But the fact that it makes it very hard should not prevent you from doing it. Security considerations and common sense are the reasons you should not do it, but let’s throw them overboard for the fun of it.

Conditional Access bypasses

Autor — Sun, 30 Nov 2025 00:00:00 +0000

In Microsoft Entra, Conditional Access is, after the Authentication itself, the most crucial part of defense against attackers. It’s referenced as “zero trust policy engine” and the idea behind is, that in addition to your username and password you can also enforce additional requirements when you access a specific resource.

This could be any combination of

a second factor (2FA),
a specific authentication method (e.g. passkey)
a device that is in a “compliant” state
a trusted or compliant network

and a lot more, depending on your specific use case.

Remove old or orphaned Sentinels from the XDR Streaming API

Autor — Mon, 25 Aug 2025 10:32:57 +0000

This blog post is a sleeper. I documented it in 2023 and never came around to publish it. The post was always too short in my opinion, too niche. But today Jonathan Bourke reached out on Twitter and asked why he was getting this strange error message when trying to connect a new Sentinel workspace to his XDR instance.

Warnung

The limit of 5 diagnostic settings was reached.
To create new setting ‘SentinelExportSettings-log-sentinel’, delete an existing one.

long time now, defenders had the ability to monitor behavior of human- and workload identities in Entra tenants not only through AuditLogs but with high level of insight with the MicrosoftGraphActivityLogs logs. The last two articles of this series gave you detection ideas and hunting queries for this logs source and were meant as a kick starter for detection engineers. But in the end the high cost of this log prevented many companies from putting it into operation. This is about to change with the release of GraphAPIAuditEvents logs in the XDR portal.

Workshop: Kusto Graph Semantics Explained

Autor — Fri, 06 Dec 2024 01:08:51 +0000

Ho, ho, ho… In Germany on the 6th of December we celebrate “Nikolaus”. Kids put out one shoe the night before in the hopes that, in the morning, it is filled with nuts, mandarin oranges, chocolate or even small gifts. Lucky for you, it seems that you also put out your shoe last night, because I have a gift for you as well. But please don’t confuse me with Nikolaus ;)

EDR Silencers and Beyond: Exploring Methods to Block EDR Communication - Part 1

Autor — Sun, 01 Dec 2024 01:08:51 +0000

For red teams and adversary alike it’s important to stay hidden. As many companies nowadays have EDR agents deployed those agents are always in focus and tools like EDRSilencer or EDRSandblast use different techniques to prevent further communications of the EDR agent with the log ingestion endpoint.

A few weeks ago Mehmet Ergene and I were discussing other ways to prevent agent communications and ways to detect such tampering. The idea for a a two part blog post was born. While I cover only one “novel” way to block EDR Mehmet has released part 2 which covers other angels.

You always trust your CSP - Cross Tenant MFA and GDAP

Autor — Fri, 23 Aug 2024 11:52:55 +0000

Entra ID Multifactor Authentication is on everyone’s mind, as Microsoft will enforce the usage of MFA for most of the Admin portals starting October 2024. But many in the industry are a step ahead and had MFA enforced already and are thinking about how to make MFA more convenient for everybody involved.

Let me introduce you to cross-tenant access settings for B2B collaboration and especially inbound trust settings for MFA. With this you can configure if you trust another tenants MFA configuration and don’t require the users from this tenant to setup a second set of MFA in your tenant.

Find lateral movement paths using KQL Graph semantics

Autor — Mon, 08 Jul 2024 01:08:51 +0000

Graph databases offer great insights into existing data, that relational databases cannot or can only solve with more resources. Tools that leverage this ability to find lateral movement paths (edges) between user, computers and other entities (nodes) like Bloodhound offer an amazing data source for red teams and blue teams alike. But still the use in the defender world is yet limited. This might be because blue teams don’t like to use red teamers toolkit (really?) or companies often don’t see the immediate value of such additional data sources. But what we as defenders like to use is SIEM systems, EDR agents and other sensors that give us great, near real time insights into the companies IT landscape.

Data Protection Made a Breeze: MDA integration in Edge for Business

Autor — Wed, 19 Jun 2024 16:10:12 +0000

Microsoft Defender for Cloud Apps is one of the many puzzle pieces of the Microsoft XDR solution that helps you to secure your corporate environment. While Defender for Endpoint and Defender for Office 365 may be the more prominent names in this puzzle, Defender for Cloud Apps has a few aces up it’s sleeve that help you to protect access to corporate data on a complete other level.

Many of you might already know the cloud discovery capabilities, which help you to get a deep insight into your companies usage of Software as a Service solutions.