CISO Brief

All news with #azure entra id tag

32 articles

FBI alert: Kali365 OAuth phishing risks rise

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.

ROADtools misuse in cloud identity attacks

🔍 ROADtools is an open-source Python toolkit for red teams and researchers that attackers have repurposed to target Microsoft Entra ID. It enumerates tenants, registers devices, and acquires or manipulates OAuth2/OpenID Connect tokens while using legitimate Microsoft APIs and configurable request attributes to evade detection. Nation-state actors have used ROADtools for discovery, persistence and defense evasion, and Palo Alto Networks outlines detection queries, mitigation recommendations and protections available via Cortex Cloud, Cortex XDR and Unit 42 services.

Microsoft Security updates and new capabilities — May 2026

🔒 Microsoft announced a set of security enhancements designed to protect agents, data, and identities as organizations scale AI. Highlights include the general availability of Microsoft Purview DSPM, expanded investigation capabilities with OCR and custom examinations, and a new Entra ID Account recovery flow for restoring organizational access. Public preview of Windows 365 for Agents and integration with Microsoft Agent 365 aim to govern and secure agent workloads in managed Cloud PCs.

Azure Files Entra-Only Identities Advance Cloud Security

🔐 Microsoft has reached general availability for Entra-Only identities for Azure Files SMB, enabling native Microsoft Entra ID authentication for SMB file shares using cloud-only identities. This eliminates the need for on-premises Active Directory, Entra Connect, or managed domain controllers, simplifying architecture and reducing operational overhead. Entra acts as the Kerberos Key Distribution Center (KDC), issuing Kerberos tickets while preserving SMB protocol compatibility, and supports VDI scenarios with FSLogix, Managed Identities, macOS clients, and NTFS ACL editing. The capability is supported across HDD and SSD shares, available at no extra cost, and is being extended to sovereign cloud regions.

ABB OPTIMAX Azure AD SSO Authentication Bypass Vulnerability

🔒 A high-severity authentication bypass (CVE-2025-14510, CVSS 8.1) affects ABB Ability OPTIMAX systems that use Azure Active Directory Single Sign-On, potentially permitting an attacker to bypass user authentication remotely. Affected builds include all 6.1 and 6.2 releases and 6.3/6.4 builds prior to 6.3.1-251120 and 6.4.1-251120. ABB has published fixes (for example, 6.3.1-251120); administrators should follow the ABB PSIRT advisory, apply available updates, and implement network segmentation and secure remote access controls while performing impact analysis prior to changes.

Eight Best Practices for CISOs Conducting Risk Reviews

📋 This blog by Rico Mariani outlines eight practical best practices for CISOs conducting risk reviews, focusing on identifying assets, applications, and access controls to shape review scope and priorities. It emphasizes good quality authentication (tokens and issuers like Microsoft Entra), robust authorization, network isolation, detection, and auditing to enable proactive security. The post also highlights commonly overlooked areas such as backups, support, and development systems to ensure comprehensive risk coverage.

AWS Transfer Family Terraform Module Adds Okta and Entra

🔧 AWS updated the Transfer Family Terraform module to include end-to-end examples demonstrating integration with Okta and Microsoft Entra ID as custom identity providers. Built on the open-source Custom IdP solution and example repositories, the module automates deployment of Transfer Family endpoints while leveraging existing identity infrastructure. Included security controls—MFA, audit logging, and per-user IP allowlisting—help organizations meet operational and compliance requirements; consult the Terraform Registry and the Transfer Family Custom IdP user guide for implementation details and regional availability.

Access Control with IAM Identity Center Session Tags

🔐 AWS IAM Identity Center centralizes workforce access and can consume session tags from external SAML providers such as Microsoft Entra ID to enable fine‑grained, attribute‑based access control (ABAC) across multiple AWS accounts. By mapping directory group attributes to session tags, administrators can dynamically apply permissions and runtime configuration—examples include selecting an AWS Glue usage profile or configuring Systems Manager Session Manager run‑as behavior. The post walks through SAML and SCIM setup, creating a custom permission set, mapping claims (for example AccessControl:glue:UsageProfile), testing job creation in the Glue console, and validating session tags via CloudTrail AssumeRoleWithSAML events.

Microsoft Fixes Agent ID Administrator Role Privilege Flaw

🔒 Researchers at Silverfort discovered that Microsoft’s Agent ID Administrator role could modify and take ownership of unrelated service principals, allowing role holders to create credentials and authenticate as compromised applications. The flaw stemmed from scope enforcement failing in the Agent Identity Platform, where agent identities share primitives with applications. Microsoft deployed a fix by April 9, 2026; organizations should audit role assignments and service principal ownership and monitor for unexpected changes.

Microsoft to Deploy Entra Passkeys on Windows in Late April

🔐 Microsoft will roll out Entra passkey support for phishing‑resistant passwordless authentication on Windows devices starting in late April, with general availability expected by mid‑June 2026. The capability enables device‑bound FIDO2 passkeys stored in the Windows Hello container and used via face, fingerprint, or PIN on corporate, personal, and shared devices, including unmanaged Windows machines. Administrators can control rollout and access through Conditional Access and Authentication Methods policies.

Microsoft Graph API Bug Disrupts Universal Print Shares

⚠️ Microsoft has traced an ongoing Universal Print sharing failure to a code change in the Microsoft Graph API, which increased Entra ID directory replication latency and exposed a pre-existing race condition that causes intermittent “Sharing Print Failed” errors when creating certain printer shares. The issue (UP1287359) affects shares created with the "Allow all users in my organization" toggle or when specific users/groups are selected. Microsoft is deploying a corrective code change and published a 13-step workaround that involves creating the share without assigning members initially, waiting for propagation, and then adding users or security groups manually.

Critical Azure SRE Agent Flaw Allowed Silent Eavesdropping

🔒 A high-severity authentication flaw in Azure SRE Agent exposed agent activity streams to unauthorized tenants, researcher Yanir Tsarimi of Enclave AI reported. Tracked as CVE-2026-32173 with a CVSS score of 8.6, the vulnerability stemmed from an Entra ID app registration configured as multi-tenant and a WebSocket hub that accepted tokens without tenant authorization checks. The hub broadcast agent prompts, internal reasoning, commands and outputs to all connected clients. Microsoft applied a server-side fix and says no customer action is required, but organizations that ran the agent during preview should review any credentials or sensitive data that may have traversed agent interactions.

AWS Managed Microsoft AD: Kerberos Encryption Logs

🔒 AWS Managed Microsoft AD can now forward Kerberos Encryption audit event logs (Event IDs 201–209) to Amazon CloudWatch Logs. These logs provide visibility into whether clients and services negotiate RC4 or AES encryption, helping you decide whether to upgrade clients for stronger protection or retain compatibility. Enable log forwarding from the directory's Network and Security tab in the Directory Service console. This feature is available in all AWS Regions offering the service except UAE and Bahrain.

Stryker hit by widespread device wipes linked to Iran

🛡️ Stryker reported a large-scale disruption after thousands of employee devices were remotely wiped and many users were unable to log in, saying the issue appears contained to its internal Microsoft environment and that there is no indication of malware at this time. The pro-Iranian group Handala claimed responsibility and employees reported seeing its logo on affected machines. Analysts say the pattern is consistent with a compromise of Microsoft Intune and Entra-based admin controls, which would permit remote wiping without deploying traditional malware, and recommend tightened admin verification and credential protections.

Microsoft Entra Adds Phishing-Resistant Passkeys on Windows

🔐 Microsoft is introducing passkey support in Microsoft Entra for Windows, enabling phishing-resistant, passwordless sign-ins via Windows Hello. The opt-in feature enters public preview worldwide from mid‑March through late April 2026, with government clouds (GCC, GCC High, DoD) following mid‑April through mid‑May. Passkeys are device-bound, stored in the Windows Hello container, and never transmitted over the network, preventing credential theft and MFA bypass. IT administrators must enable the Passkeys (FIDO2) authentication method, create a passkey profile including the required Windows Hello AAGUIDs, and assign the profile to appropriate groups to enroll devices.

Bitwarden Enables Passkey Sign-in for Windows 11 Devices

🔐 Bitwarden now supports logging into Windows 11 using passkeys stored in the Bitwarden vault, enabling phishing‑resistant, passwordless sign-in across devices. The capability is available on all plans, including the free tier, and uses a QR scan and mobile confirmation to release a vault‑stored Entra ID passkey. Required: Entra ID–joined devices, FIDO2 sign‑in enabled, and a registered Entra ID passkey in the vault. Microsoft will roll out the Windows support this month, subject to Entra configuration.

Microsoft expands Windows restore to more enterprise devices

🔁 Microsoft now enables enterprise users to restore personal settings and Microsoft Store apps from a previous Windows 11 device using the first sign-in restore experience in Windows Backup for Organizations. The update extends support beyond Microsoft Entra-joined machines to hybrid-managed environments, multi-user devices, and Windows 365 Cloud PCs, presenting a one-time restore prompt at first login. Administrators can control and deploy the feature through existing policies via Microsoft Intune or Group Policy, with general availability for devices that installed Windows updates released Feb 24, 2026 or later.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

Protecting Microsoft 365 Tenant Configurations Now

🔐 Microsoft 365 tenant configurations are the operational blueprint for services such as Entra, Intune, Exchange, Defender, Teams and SharePoint. The piece stresses that Microsoft does not provide backups for tenant-level settings under the shared responsibility model, so restoration is the customer's duty. Lost or altered policies — from conditional access and MFA rules to DLP and retention policies — can disrupt security, compliance and business continuity. Organizations should adopt intelligent configuration backup to maintain a Zero-Trust posture and ensure recoverability.

Microsoft to Block Unauthorized Scripts in Entra ID

🔒 Microsoft will update its Content Security Policy to block unauthorized script injection during browser-based Entra ID sign-ins at login.microsoftonline.com. The policy will permit script downloads only from Microsoft-trusted CDN domains and allow inline execution solely from trusted Microsoft sources. Rolled out globally in mid-to-late October 2026 under the Secure Future Initiative, the change excludes Microsoft Entra External ID. Organizations should test sign-in flows and avoid browser extensions or tools that inject code to prevent authentication friction.