From Aman Jabbi - The 🇺🇸 data-center explosion is a Trojan horse for the United Nations Sustainability The 🇺🇸 data-center explosion is a Trojan horse for the United Nations Sustainability Agenda and its derivatives. #DigitalID #DigitalTransformation #UNSDG #ClimateLockdown #IoT #Geofencing #SmartCities #Tokenization #LandCapture #NAC #30x30 #WaterScarcity #EnergyScarcity #Biodiversity #LeastPrivilege #NIEO #Blockchain #ZeroTrust #DefaultDeny #ConditionalAccess #SmartContracts #TheGreatReset #InclusiveCapitalism #SocialImpactInvesting #Slaves4Life 👁️

Microsoft Entra ID Self-Service Password Reset is changing — and this is an important identity security update for 2026 linkedin.com/posts/eduards-g… #MicrosoftEntra #SSPR #IdentitySecurity #Microsoft365 #ZeroTrust #IAM #CyberSecurity #ConditionalAccess

Still have users without #MFA in your org? That’s like leaving your front door wide open. 😬 Discover the simple fix to ensure users complete MFA in #Microsoft365 and boost your secure score! 👉 blog.admindroid.com/ensure-m… #EntraID #ConditionalAccess #AdminDroid #AuthenticatorApp

Your M365 default settings won't pass a SOC 2 Type II audit. Conditional access? Intune? External sharing controls? Auditors check all three. Reply "M365" and I'll DM the 15-point Microsoft 365 security checklist. #ConditionalAccess #Intune

#MFA for all users is not a #ConditionalAccess strategy. It doesn't stop a valid session token from a compromised account. It doesn't block legacy auth protocols that bypass MFA entirely. Get your free Conditional Access Policy template here: hubs.li/Q04d-Mqm0

🪟 Microsoft 365 Baseline Security Mode is the “secure by default” vibe without the chaos… but it’s also Microsoft’s scoreboard for what they think you’re doing wrong. Good… until you realize it’s a roadmap, not a magic fix. windowsforum.com/threads/mic… #ConditionalAccess

Finally: see every Conditional Access policy that applies to a user, group or app in one graph. EntraBoost's new Object Explorer maps the relationships native Entra ID hides across blades. Join the beta at entraboost.com. #Entra #ConditionalAccess #Microsoft365

🔍 Hunting for #ConditionalAccess bypasses and baseline scope enforcement in #MicrosoftEntra?  ConditionalAccessAudiences  logs every resource evaluated by CAP - but only as raw GUIDs. I built a KQL query that resolves them to names adds key signals. 🔗 github.com/Cloud-Architekt/A…

Think all your admin portals are protected by #ConditionalAccess? My Staff Portal is often left out when applying those protections. One compromised manager account—and multiple user accounts could be at risk.⚠️ Learn how to secure it: blog.admindroid.com/secure-m… #AdminDroid #M365

حتى لو كاتب أعقد كلمة مرور وتستخدم الـ MFA.. هجوم الـ Session Hijacking كفيل بتجاوز دفاعاتك بالكامل في ثوانٍ قراصنة الإنترنت اليوم صاروا يتبعوا أساليب أذكى؛ بدل ما يحاولوا يخمنوا الباسورد، بيقوموا بسرقة ملفات تعريف الارتباط (Cookies) الخاصة بالجلسة النشطة للمنتقلين داخل الشبكة. النتيجة؟ بيقدروا يتجاوزوا عملية تسجيل الدخول بالكامل ويدخلوا للنظام كأنهم أنت، دون الحاجة للمرور على صفحة التحقق أو طلب الـ MFA. عشان نحمي أصول الشركة وحساباتها من هاد الخطر، بنعتمد على استراتيجيتين هندسيتين حاسمتين: 🛡️ الوصول المشروط (Conditional Access): تقنية ذكية جداً بتحلل سياق تسجيل الدخول بالكامل (الموقع الجغرافي، نوع الجهاز المستخدم، وتوقيت المحاولة) قبل ما تعطي الإذن بالوصول. 🛡️ سياسة الحد الأدنى من الصلاحيات (Least Privilege): الموظف بيمتلك فقط الحد الأدنى من الصلاحيات اللازمة لأداء وظيفته. هاد التوجه بيقلل مساحة الهجوم ويمنع المهاجم من التحرك الجانبي (Lateral Movement) داخل الشبكة لو نجح باختراق حساب واحد. برأيك، لماذا يسهل تجاوز العامل الثاني القائم على رسائل SMS مقارنة باستخدام تطبيقات المصادقة البرمجية (مثل Authenticator Apps)؟ #SessionHijacking #ConditionalAccess #LeastPrivilege #CyberSec #NetworkSecurity #أكاديمية_اتصالاتي

#企業公式相互フォロー そのアクセス、 本当に“許可していいアクセス”ですか？ 見えない脅威は、 IDから始まる。 ✔ 不正ログイン ✔ 特権ID乱用 ✔ 権限放置 ✔ 監査不足 それらを防ぐため、 IDaaSガーディアン起動。 山崎行政書士事務所 クラウド法務 × Azure技術支援 #IDaaS #ZeroTrust #MFA #ConditionalAccess

🚀AccessLens v1.9.0 is live This release focuses on one thing: making token theft and identity abuse harder across Microsoft 365. What’s new: 🛡️ Agent Identity gap checks for Microsoft 365 Copilot Agents & autonomous workload identities 🔐 Expanded Token Protection coverage validation for Exchange, SharePoint & Teams 🎯 Authentication Context checks for PIM role activation 🌍 Continuous Access Evaluation strict location enforcement analysis 📡 Global Secure Access compliant network coverage checks ⚠️ Improved detection for adversary-in-the-middle and token theft exposure 👤 Expanded admin role detection across newer Entra roles Plus a range of analysis improvements and risk scoring updates. 🔗 accesslens.co.uk #MicrosoftEntra #ConditionalAccess #CyberSecurity #IdentitySecurity #ZeroTrust #InfoSec #M365 #EntraID

📢Blog Post: Most geo-blocked Conditional Access setups eventually turn into a mess of permanent travel exceptions. ❌ Stale named locations ❌ Bloated exclusion lists ❌ “Temporary” bypasses nobody audits Well, There is a better way: Time-bound travel exemption group with PIM. Access auto expires. No CAP edits required. New blog post 👇 accesslens.co.uk/blog/travel… #EntraID #ConditionalAccess #ZeroTrust

🚨 Your Conditional Access policies probably have blind spots. AccessLens Quick Scan is completely free and finds them in seconds. 📤 Upload your CA policy JSON 🔒 No OAuth permissions 🧠 No sign-up required ⚡ Runs entirely in your browser Detect gaps, overlaps, risky exclusions, and misconfigurations before attackers do. 🔗 accesslens.co.uk/upload #MicrosoftEntra #ConditionalAccess #ZeroTrust #InfoSec #MSP

Security Copilot agents review — starting with Microsoft Entra. linkedin.com/posts/eduards-g… #SecurityCopilot #MicrosoftEntra #IdentitySecurity #ConditionalAccess #ZeroTrust #CyberSecurity #IAM #SecOps #AI

🔒 Secure Bits 💡 𝗕𝗿𝗲𝗮𝗸-𝗴𝗹𝗮𝘀𝘀 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀: 𝗳𝘂𝗹𝗹 𝗴𝘂𝗶𝗱𝗲 (𝗣𝗗𝗙) In my last post I talked about the “worst day” scenario: CA misconfig → admins locked out. Most orgs think they’re covered… until they test it. As promised, 𝗵𝗲𝗿𝗲’𝘀 𝘁𝗵𝗲 𝗳𝘂𝗹𝗹 𝗣𝗗𝗙 𝗴𝘂𝗶𝗱𝗲 that walks you through a practical break-glass setup: ▪️ Naming ▪️ Permissions ▪️ Role-Assignable Security Group ▪️ Custom Break-glass Administrator role (Optional) ▪️ Restricted Management Administrative Unit (RMAU) ▪️ Authentication Methods ▪️ Conditional Access Configuration ▪️ Monitoring & Alerting ▪️ Operational Procedures 📎 Download the PDF here: academy.horizon-secured.com/… 𝘈𝘶𝘵𝘩𝘰𝘳: Martin Strnad 💬 When was the last time you tested your break-glass access? #EntraID #IdentitySecurity #ConditionalAccess #SecureBits #HorizonSecured

"Apply and wait" isn’t a testing strategy. But there is a better way! Entra ID’s #WhatIf tool lets you simulate how a #ConditionalAccess policy will behave for a user, app, or location, before it goes live. Try it 👇 blog.admindroid.com/what-if-… #EntraID #AdminDroid #CAPolicy

🔒 Secure Bits 💡 𝗬𝗼𝘂𝗿 𝘁𝗲𝗻𝗮𝗻𝘁 𝗵𝗮𝘀 𝗖𝗔 𝗺𝗶𝘀𝗰𝗼𝗻𝗳𝗶𝗴𝘂𝗿𝗮𝘁𝗶𝗼𝗻. 𝗘𝘃𝗲𝗿𝘆 𝗮𝗱𝗺𝗶𝗻 𝗶𝘀 𝗹𝗼𝗰𝗸𝗲𝗱 𝗼𝘂𝘁. 𝗗𝗼 𝘆𝗼𝘂 𝗵𝗮𝘃𝗲 𝗮 𝘄𝗮𝘆 𝗯𝗮𝗰𝗸 𝗶𝗻? Most organizations don’t — or think they do, until they discover their break-glass accounts are untested, unmonitored, or built on outdated guidance. You don’t want to find that out the hard way, and you definitely don’t want to go through Microsoft’s Tenant Recovery process. 🤔 𝗪𝗵𝘆 𝗰𝗮𝗿𝗲? A lockout from a bad CA policy, a compromised admin, or a personnel emergency means opening a support ticket with Microsoft and waiting. In urgent situations, you don’t have 14 days for that process. 🧠 𝗪𝗵𝗮𝘁 𝘄𝗲 𝘀𝗲𝗲 𝗶𝗻 𝘁𝗵𝗲 𝗳𝗶𝗲𝗹𝗱 •𝗕𝗿𝗲𝗮𝗸-𝗴𝗹𝗮𝘀𝘀 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 𝗮𝗿𝗲 𝗺𝗶𝘀𝘀𝗶𝗻𝗴 — Two geographically separated accounts is the baseline. •𝗚𝗲𝗻𝗲𝗿𝗶𝗰 𝗻𝗮𝗺𝗲𝘀 — admin@…, info@… are not break-glass accounts. •𝗙𝘂𝗹𝗹 𝗖𝗔 𝗲𝘅𝗰𝗹𝘂𝘀𝗶𝗼𝗻 𝗶𝘀 𝗱𝗲𝗮𝗱 — MFA is now enforced by Microsoft regardless. •𝗪𝗲𝗮𝗸 𝗮𝘂𝘁𝗵 𝗺𝗲𝘁𝗵𝗼𝗱𝘀 — Phone or certificate-based auth will fail exactly when you need it. •𝗨𝗻𝗽𝗿𝗼𝘁𝗲𝗰𝘁𝗲𝗱 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 — Any admin can edit or delete them. •𝗡𝗼 𝗺𝗼𝗻𝗶𝘁𝗼𝗿𝗶𝗻𝗴 — If someone touches these accounts, you should know immediately. 🛠️ 𝗖𝗿𝗲𝗮𝘁𝗲 𝘁𝘄𝗼 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 Use descriptive names on onmicrosoft[.]com with a random string — e.g. BreakGlass_c3287ba1@org.onmicrosoft.com. Assign 𝗚𝗹𝗼𝗯𝗮𝗹 𝗔𝗱𝗺𝗶𝗻𝗶𝘀𝘁𝗿𝗮𝘁𝗼𝗿 as a direct, permanent, active role. No eligibility. 🛠️ 𝗟𝗼𝗰𝗸 𝘁𝗵𝗲𝗺 𝗱𝗼𝘄𝗻 Place both accounts and their group inside an 𝗥𝗠𝗔𝗨 (requires Entra P1). Manage access via a custom PIM role — max 1-hour activation, approval required, auth context enforced (requires Entra P2). 🛠️ 𝗖𝗼𝗻𝗳𝗶𝗴𝘂𝗿𝗲 𝗮𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 Scope a passkey profile to the break-glass group with specific AAGUIDs for your hardware keys (YubiKey, Token2). Enforce via a custom authentication strength in a dedicated CA policy. Exclude the group from all other CA policies — run a What If to verify only your two break-glass policies apply. 🛠️ 𝗦𝗲𝘁 𝘂𝗽 𝗮𝗹𝗲𝗿𝘁𝗶𝗻𝗴 Stream AuditLogs and SignInLogs to a Log Analytics Workspace (requires Azure subscription). KQL alert rule on the break-glass Object IDs — any event fires immediately. 🛡️ 𝗦𝘁𝗼𝗿𝗲, 𝘁𝗲𝘀𝘁, 𝗱𝗼𝗰𝘂𝗺𝗲𝗻𝘁 Each passkey PIN in a separate physical location. Define who can trigger the procedure and under what circumstances. Test end-to-end at minimum every 180 days — Microsoft recommends 90. Pick your cadence, but validate. 💬 When was the last time you tested these accounts? 𝘈𝘶𝘁𝘩𝘰𝘳: Martin Strnad PS: We will soon 𝗽𝘂𝗯𝗹𝗶𝘀𝗵 𝗳𝘂𝗹𝗹 𝗴𝘂𝗶𝗱𝗲 on this topic! #EntraID #IdentitySecurity #ConditionalAccess #SecureBits #HorizonSecured

🛡️ AccessLens Baseline Builder 🔗 accesslens.co.uk Stop guessing which Conditional Access policies you need. Start building against real standards. Baseline your tenant in minutes, not weeks. 📚 Microsoft, CIS, CISA, NCSC, Maester framework ✅ Guided checklist of required CA policies 📊 See progress against each framework instantly 🔄 Update once - every framework stays aligned 🚀 Ideal for new tenants or security uplift projects 🧭 Every recommendation explained Build a compliant baseline. Without reinventing it. No uploads. No storage. No risk. #MicrosoftEntra #ConditionalAccess #ZeroTrust #InfoSec