Recently, I came across an uncommon issue while disabling legacy authentication in a hybrid Exchange environment. Since I did not find any exact solutions, I thought I share my story about modern authentication in on-premises Exchange server and how it affects the mailbox migration account. Spoiler: it breaks the mailbox migration TL;DR– Exchange Online uses […]
Quicknote: Hybrid Exchange mailbox migration account vs. modern authentication policy
Posted by Daniel Kovacs on September 25, 2025
https://f12.hu/2025/09/25/quicknote-hybrid-exchange-mailbox-migration-account-vs-modern-authentication-policy/
Powershell with Entra CBA – unattended access to Defender portal when Graph API or Application permission does not fit
One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]
Posted by Daniel Kovacs on May 2, 2025
https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/
How much time your users are wasting with “traditional” MFA?
Recently, I came across a post on LinkedIn which demonstrated that Passkey authentication is way faster than traditional Password+MFA notification login. It made me curious: how much time does it exactly take to do MFA? TL;DR– This report uses the SignInLogs table which needs to be configured in Diagnostic settings– Unfortunately I did not manage […]
Posted by Daniel Kovacs on January 4, 2025
https://f12.hu/2025/01/04/how-much-time-your-users-are-wasting-with-traditional-mfa/
Find clients authenticating from unassigned AD subnets – using Defeder for Identity
Housekeeping with Defender for Identity – finding unassinged AD subnets using the IdentityLogonEvents table
Posted by Daniel Kovacs on October 25, 2024
https://f12.hu/2024/10/25/find-clients-authenticating-from-unassigned-ad-subnets-using-defeder-for-identity/
Tracking Microsoft Secure Score changes
Microsoft Secure Score is a useful feature in the Defender portal, but I missed the alerting option.
Posted by Daniel Kovacs on May 6, 2024
https://f12.hu/2024/05/06/tracking-microsoft-secure-score-changes/
Reporting on Entra Application Proxy published applications – Graph PowerShell
I thought it will be a quick Google search to find a PowerShell script that will give a report on applications published via Entra application proxy, but I found only scripts (link1, link2, link3) using the AzureAD PowerShell module – so I decided to write a new version using Graph PowerShell. The script: Some story […]
Posted by Daniel Kovacs on April 4, 2024
https://f12.hu/2024/04/04/reporting-on-entra-application-proxy-published-applications-graph-powershell/
Playing with Microsoft Passport Key Storage Provider – protect user VPN certificates with Windows Hello for Business?
I’m really into this Windows Hello for Business topic… Recently, I was going through the “RDP with WHfB” guide from MS Learn (link) which gave me an idea: can this method be used to protect user VPN certificates? The short answer is: yes, but no 🙂 TL;DR– Depending on your current infrastructure, several options are […]
Posted by Daniel Kovacs on February 17, 2024
https://f12.hu/2024/02/17/playing-with-microsoft-passport-key-storage-provider-protect-user-vpn-certificates-with-windows-hello-for-business/
Convenience PIN policy enables Windows Hello for Business enrollment in Windows Security
Windows Hello and Hello for Business are usually mutually exclusive, but the Windows Security application is not aware of this when ‘Turn on convenience PIN sign-in’ is configured.
Posted by Daniel Kovacs on January 19, 2024
https://f12.hu/2024/01/19/convenience-pin-policy-enables-windows-hello-for-business-enrollment-in-windows-security/
Hunting for report-only (Microsoft-managed) Conditional Access impacts
Evaluating report-only Conditional Access impact is very straightforward when Entra ID logs are streamed to Log Analytics. Those who can’t have this feature enabled can still use the AADSignInEvents beta table in Defender to find some extra insights.
Posted by Daniel Kovacs on January 17, 2024
https://f12.hu/2024/01/17/hunting-for-report-only-microsoft-managed-conditional-access-impacts/
Entra Workload Identities – Trusted Certificate Authorities (public preview)
In the November 2023 – What’s New in Microsoft Entra Identity & Security w/ Microsoft Security CxE identity episode, a public preview feature of Entra Workload ID premium license was presented (link) which was actually announced on November 9th (link). I really love the idea of restricting application key credentials to a predefined list of […]
Posted by Daniel Kovacs on December 11, 2023
https://f12.hu/2023/12/11/entra-workload-identities-trusted-certificate-authorities-public-preview/