Disabling Entra Seamless SSO – some extra notes

Disabling Entra Seamless SSO is simple – or you can get lost in the details.

by Daniel Kovacs on October 31, 2025 • Permalink

Posted by Daniel Kovacs on October 31, 2025

https://f12.hu/2025/10/31/disabling-entra-seamless-sso-some-extra-notes/

Quicknote: Hybrid Exchange mailbox migration account vs. modern authentication policy

Recently, I came across an uncommon issue while disabling legacy authentication in a hybrid Exchange environment. Since I did not find any exact solutions, I thought I share my story about modern authentication in on-premises Exchange server and how it affects the mailbox migration account. Spoiler: it breaks the mailbox migration TL;DR– Exchange Online uses […]

by Daniel Kovacs on September 25, 2025 • Permalink

Posted in Exchange, Exchange Online

Posted by Daniel Kovacs on September 25, 2025

https://f12.hu/2025/09/25/quicknote-hybrid-exchange-mailbox-migration-account-vs-modern-authentication-policy/

Powershell with Entra CBA – unattended access to Defender portal when Graph API or Application permission does not fit

One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]

by Daniel Kovacs on May 2, 2025 • Permalink

Posted in AzureAD, Defender, GraphAPI, PowerShell

Tagged AzureAD, Defender, EntraID, PowerShell

Posted by Daniel Kovacs on May 2, 2025

https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/

How much time your users are wasting with “traditional” MFA?

Recently, I came across a post on LinkedIn which demonstrated that Passkey authentication is way faster than traditional Password+MFA notification login. It made me curious: how much time does it exactly take to do MFA? TL;DR– This report uses the SignInLogs table which needs to be configured in Diagnostic settings– Unfortunately I did not manage […]

by Daniel Kovacs on January 4, 2025 • Permalink

Posted in AzureAD, Conditional Access, KQL

Tagged AzureAD, conditional access, EntraID, Report

Posted by Daniel Kovacs on January 4, 2025

https://f12.hu/2025/01/04/how-much-time-your-users-are-wasting-with-traditional-mfa/

Find clients authenticating from unassigned AD subnets – using Defeder for Identity

Housekeeping with Defender for Identity – finding unassinged AD subnets using the IdentityLogonEvents table

by Daniel Kovacs on October 25, 2024 • Permalink

Posted in GraphAPI, KQL, MDI, PowerShell

Posted by Daniel Kovacs on October 25, 2024

https://f12.hu/2024/10/25/find-clients-authenticating-from-unassigned-ad-subnets-using-defeder-for-identity/

Tracking Microsoft Secure Score changes

Microsoft Secure Score is a useful feature in the Defender portal, but I missed the alerting option.

No Comments

by Daniel Kovacs on May 6, 2024 • Permalink

Posted in GraphAPI, PowerShell

Posted by Daniel Kovacs on May 6, 2024

https://f12.hu/2024/05/06/tracking-microsoft-secure-score-changes/

Reporting on Entra Application Proxy published applications – Graph PowerShell

I thought it will be a quick Google search to find a PowerShell script that will give a report on applications published via Entra application proxy, but I found only scripts (link1, link2, link3) using the AzureAD PowerShell module – so I decided to write a new version using Graph PowerShell. The script: Some story […]

by Daniel Kovacs on April 4, 2024 • Permalink

Posted in AzureAD, PowerShell

Posted by Daniel Kovacs on April 4, 2024

https://f12.hu/2024/04/04/reporting-on-entra-application-proxy-published-applications-graph-powershell/

Playing with Microsoft Passport Key Storage Provider – protect user VPN certificates with Windows Hello for Business?

I’m really into this Windows Hello for Business topic… Recently, I was going through the “RDP with WHfB” guide from MS Learn (link) which gave me an idea: can this method be used to protect user VPN certificates? The short answer is: yes, but no 🙂 TL;DR– Depending on your current infrastructure, several options are […]

No Comments

by Daniel Kovacs on February 17, 2024 • Permalink

Posted in AzureAD, Conditional Access, Windows Hello for Business

Posted by Daniel Kovacs on February 17, 2024

https://f12.hu/2024/02/17/playing-with-microsoft-passport-key-storage-provider-protect-user-vpn-certificates-with-windows-hello-for-business/

Convenience PIN policy enables Windows Hello for Business enrollment in Windows Security

Windows Hello and Hello for Business are usually mutually exclusive, but the Windows Security application is not aware of this when ‘Turn on convenience PIN sign-in’ is configured.

by Daniel Kovacs on January 19, 2024 • Permalink

Posted in AzureAD, GPO, Windows Hello for Business

Posted by Daniel Kovacs on January 19, 2024

https://f12.hu/2024/01/19/convenience-pin-policy-enables-windows-hello-for-business-enrollment-in-windows-security/

Hunting for report-only (Microsoft-managed) Conditional Access impacts

Evaluating report-only Conditional Access impact is very straightforward when Entra ID logs are streamed to Log Analytics. Those who can’t have this feature enabled can still use the AADSignInEvents beta table in Defender to find some extra insights.

by Daniel Kovacs on January 17, 2024 • Permalink

Posted in AzureAD, Conditional Access, KQL

Tagged conditional access, Defender, EntraID, KQL, Report

Posted by Daniel Kovacs on January 17, 2024

https://f12.hu/2024/01/17/hunting-for-report-only-microsoft-managed-conditional-access-impacts/

Archives
Categories
- AlwaysOn VPN
- Android
- AOVPN
- App configuration policy
- AzureAD
- Bitlocker
- Conditional Access
- Defender
- Edge
- Entra Workload Identities
- Exchange
- Exchange Online
- GPO
- GraphAPI
- Intune
- KQL
- MDI
- PowerShell
- SCCM
- SharePoint Online
- Uncategorized
- Windows Hello for Business
Disclaimer

The information on this website is provided for informational purposes only and I make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user.

The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of my employer.
Social

LinkedIn

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Recent Posts

Recent Comments