Client Credentials - Client Certificate

Client Credentials - Client Certificate

The process is quite similar to the client secret flow described here, so be sure to take a look! The challenge here lies in generating a JWT (JSON Web Token) based on a certificate. I will provide a detailed explanation of how the JWT is generated and exchanged for an access token below.
5 min read
Authentication Security
Client Credentials - Client Secret

Client Credentials - Client Secret

The next authentication flow in my series will be the Client Credentials Flow. Be sure to check out the first one here! We will first take a look at the client secret model. I will skip the basics in this article as this has been explained in my other article.
2 min read
Authentication Security
Bicep: Dynamic naming technique

Bicep: Dynamic naming technique

When designing IaC modules finding the correct syntax to deploy a certain resource type is often not the hardest thing to do. What I found in 3 years of writing Bicep code, is that defining a dynamic way to name your resources which is also easy to use, seems to pose quite the challenge. This article won't define the best way to get this but a way that seems to work for me and the customers I have worked with in the past.
7 min read
Bicep Azure IaC
T1556.009 - Detect and prevent suspicious conditional access policy modifications

T1556.009 - Detect and prevent suspicious conditional access policy modifications

In April 2024, MITRE came with their new V15 version of ATT&CK. In this version a new sub-technique was introduced called 'T1556.009 - Modify Authentication Process: Conditional Access Policies'. This was, in my opinion, a great addition to the framework, since it is an important technique which can be abused by adversaries. By changing a Conditional Access policy (later referred to as 'CA policy'), an adversary can establish Credential Access, Defense Evasion, and Persistence in Entra ID. Since it is such a vital component, I thought it was time to do a bit of a deep dive into how we can detect and mitigate suspicious CA policy changes.
21 min read
Entra ID Conditional Access MITRE ATT&CK Defender XDR
Authorization Code Flow

Authorization Code Flow

In the past, I was always curious about the workings of Connect-AzAccount, the authentication command from the Az.Accounts PowerShell module. This led me to delve into debugging, and the subsequent article is a product of that exploration. It's intriguing that both Az CLI and Az PowerShell are operational across all tenants, even the newly created ones. I aimed to emulate this functionality in PowerShell and utilize it in my scripts. For instance, this could be beneficial when executing commands across various tenants, a task that the Az modules are not adept at handling.
9 min read
Authentication Security
Analyzing MDE Network Inspections

Analyzing MDE Network Inspections

What is Defender for Identity NNR, why is it important, and how can you resolve issues with it?
9 min read
MDI Defender XDR Kusto Health monitoring
Using WDAC to ingest missing MDE events and detect token stealing

Using WDAC to ingest missing MDE events and detect token stealing

In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll.
7 min read
Entra ID WDAC Tokens PRT Stealing