
Disabling Entra Seamless SSO is simple – or you can get lost in the details.

https://f12.hu/2025/10/31/disabling-entra-seamless-sso-some-extra-notes/

One of my previous posts covered a “basic” way to track secure score changes using Graph API with application permissions. While I still prefer application permissions (over service accounts) for unattended access to certain resources, sometimes it is not possible – for example when you want to access resources which are behind the Defender portal’s […]
https://f12.hu/2025/05/02/powershell-with-entra-cba-unattended-access-to-defender-portal-when-graph-api-or-application-permission-does-not-fit/

Recently, I came across a post on LinkedIn which demonstrated that Passkey authentication is way faster than traditional Password+MFA notification login. It made me curious: how much time does it exactly take to do MFA? TL;DR – This report uses the SignInLogs table which needs to be configured in Diagnostic settings – Unfortunately I did not manage […]
https://f12.hu/2025/01/04/how-much-time-your-users-are-wasting-with-traditional-mfa/
Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link) Note: This post is not strictly related to fighting client secret usage for apps. However, it may provide a basis for considering the purchase of Microsoft Entra Workload Identities Premium licence for at least those apps that use client secret. In my previous […]
https://f12.hu/2023/08/12/fighting-azuread-app-registration-client-secrets-step3-using-conditional-access-for-workload-identities-custom-security-attributes/

Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link) In my previous post, I highlighted the risks of using password credentials for apps and how to spot client secret usage for service principals. This post will focus on limiting password lifetime for apps (scoped to tenant or specific application level) which can […]
https://f12.hu/2023/06/18/fighting-azuread-app-registration-client-secrets-step2-limiting-app-password-lifetime/
Scenario: the business is now convinced that computers should be managed centrally (either with Active Directory or Azure Active Directory) instead of having WORKGROUP computers. Problem: after joining to (Azure)AD, users will have a new profile created. Gone are their settings, wallpaper, pinned icons, etc. You need to note these settings, copy the files to the […]
https://f12.hu/2023/03/30/dont-do-that-series-migrate-personal-user-profile-to-azuread-user-profile-with-win32_userprofile-changeowner-method/
The story in short: one of my customers asked me if it is possible to generate a report on all content in Office365 shared externally. Doing some searches I found the following solutions: – Run the sharing reports on each site and each OneDrive (link, link) – Run reports based on audit logs (link) While these reports […]
https://f12.hu/2023/03/13/sharepoint-online-file-sharing-report-using-graph-api-and-powershell/
This will be a short post about a recent finding: AzureAD Conditional Access policies created from a template may be missing from your backups if you are not using the Graph API beta endpoint. TL;DR – When you create a Conditional Access policy using the “New policy from template (Preview)” button, the policy will not show when querying policies using the […]
https://f12.hu/2023/02/28/conditional-access-policies-do-you-backup-them-all/
There are certain scenarios where Microsoft’s OneDrive/SharePoint solution is not an option for storing data (e.g. data localization restrictions enforced by law). However, if you still want to provide your users with the file sync experience and/or other collaboration features you may have come across Owncloud or Nextcloud as an alternative. But have you considered […]
https://f12.hu/2023/02/08/nextcloud-with-azuread-application-proxy/