Recently I tried to set up ClaimXRay NG with the guidance of DSInternals, learned things, failed here and there and stumbled upon a totally-not-helpful error message: “There was an error in the uploading the private certificate and password. Please try again or contact support.” To cut to the chase: This message appeared when I was […]
https://f12.hu/2026/01/29/entra-app-instance-property-lock-vs-saml-signing-certificate-an-uncommon-way-of-self-sabotage/
Back in the days when M365 MTO was in preview, it was possible to add group(s) to the default sync scope – today, the documentation states that if you want to sync groups, “you must configure cross-tenant synchronization directly in Microsoft Entra ID”. It doesn’t say “it is impossible to add groups to the default […]
https://f12.hu/2026/01/12/multitenant-organization-cheat-to-add-groups-to-the-default-sync-scope/
Personal Microsoft accounts registered with corporate email address can cause end-user confusion and probably some headaches for IT admins. Let’s find these users before they find you.
https://f12.hu/2025/12/16/find-personal-microsoft-accounts-with-corporate-email-address/
Disabling Entra Seamless SSO is simple – or you can get lost in the details.
https://f12.hu/2025/10/31/disabling-entra-seamless-sso-some-extra-notes/
One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]
https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/
Recently, I came across a post on LinkedIn which demonstrated that Passkey authentication is way faster than traditional Password+MFA notification login. It made me curious: how much time does it exactly take to do MFA? TL;DR– This report uses the SignInLogs table which needs to be configured in Diagnostic settings– Unfortunately I did not manage […]
https://f12.hu/2025/01/04/how-much-time-your-users-are-wasting-with-traditional-mfa/
Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link) Note: This post is not strictly related to fighting client secret usage for apps. However, it may provide a basis for considering the purchase of Microsoft Entra Workload Identities Premium licence for at least those apps that use client secret. In my previous […]
https://f12.hu/2023/08/12/fighting-azuread-app-registration-client-secrets-step3-using-conditional-access-for-workload-identities-custom-security-attributes/
Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link) In my previous post, I highlighted the risks of using password credentials for apps and how to spot client secret usage for service principals. This post will focus on limiting password lifetime for apps (scoped to tenant or specific application level) which can […]
https://f12.hu/2023/06/18/fighting-azuread-app-registration-client-secrets-step2-limiting-app-password-lifetime/
When talking about Azure AD security, we tend to put less focus on service principals/app registrations*. But when we take into consideration that these principals can have assigned API permissions and “static” credentials (certificate or password) and that these credentials in the wrong hands can cause serious damage, we may change our attitude.* While “App […]
https://f12.hu/2023/05/06/azuread-app-registrations-the-application-permission-credentials-combination-security-nightmare/
Scenario: the business is now convinced that computers should be managed centrally (either with Active Directory or Azure Active Directory) instead of having WORKGROUP computers.Problem: after joining to (Azure)AD, users will have a new profile created. Gone are their settings, wallpaper, pinned icons, etc. You need to note these settings, copy the files to the […]
https://f12.hu/2023/03/30/dont-do-that-series-migrate-personal-user-profile-to-azuread-user-profile-with-win32_userprofile-changeowner-method/