Fun side note - you can't actually block device join/registration - that grant control is not supported
But you can require a method that no user could possibly have ;)
Alternatively, use Temporary Access Pass to allow scenarios you want "block by default, allow by exception"
Posts by Nathan McNulty
Do you exclude MFA on joined/registered devices? If so, do you require MFA for device join/registration?
I see this often because these controls aren't considered at the same time, and that's how we get this gap:
Attacker steals user/pass -> register device -> no MFA required
WhoAmI - Dynamics edition
Hahaha, it's not too secret. I have a lot more polish I want to do, been a busy week. Hoping for a real release this weekend, but it's open for playing with :)
Just have to import-module for now, will publish to the gallery when it's ready
github.com/MSCloudInter...
OMG, XDRInternals dumping MDE device timeline straight into Azure Data Explorer
Soon ™️
Brand new feature being developed in 2026 using secrets for authentication
Support for TAP and Phone Sign In are done! It was surprisingly harder than expected to get the phone sign-in flow to work properly :p
Working on cross-platform browser auth now, and hopefully will be able to add it to XDRInternals this weekend
"Because everyone else lowered the bar, we decided to join them" is so on-brand...
*chuckles* I'm in danger
Cut your cloud spending bills with this one weird trick!
lol, honestly, I can't believe how well this worked
Feed M365 Copilot a simple markdown file asking for a Word doc, and of course it chokes and dies... It's truly impressive just how bad this product is :-/
Final validation is done for the Defender for Endpoint device actions including Live Response and the library
I'll post an update once that is merged, but this one is so freaking cool. Both interactive and non-interactive support for Live Response, up to 10 devices per minute.
Merged some good XDRInternals updates :)
Connect-XdrBySoftwarePasskey does exactly what it says, super easy to automate AI access to the portal
Get-XdrIdentityUserTimeline lets you extract the whole 180 days of user timeline data if you need it
github.com/MSCloudIn...
Apparently OnlyCopilotFans is a thing...
Doing some napkin math, I estimate just under 3 hours (fully optimized) to wipe 200K devices via Intune API
If an attacker were unaware of API limits being per app, that bumps to ~5.5 hours under ideal conditions
What happens if all admin devices are wiped first?
When you don't require security keys and a dedicated device for your privileged admin roles
If you think Intune's multi-admin mode is going to save you from a phished Global Admin, I have bad news... GA can just create a second admin and approve their change ;)
I love how you design a harness with delays, and AI is like, no bro, that's gonna take too long, let me change that for you
They couldn't have called it biztalk?
azd + maester = π²
Soon ™️
If you have considered using my script to create software passkeys using ESTSAUTH cookies on a pentest or red team exercise, I have published a more secure option for you ;)
Create an Azure Key Vault, grant yourself Key Vault Crypto Officer, and run this:
github.com/nathanmcn...
There is absolutely no way I could have written a test harness, not to mention automated bug fix and re-test, and then left it for 4 hours
Guaranteed weeks of testing during my free time cut down to a couple of days of reviewing and approving
So freaking cool
Game changer - use caps lock for voice to speak :)
This includes certificate profiles for all 4 platforms in Intune, no targets by default, but -AssignIntunePolicies assigns to all devices
Also has optional deployment of Defender for Key Vault, Log Analytics, and downgrade to Key Vault Standard (for testing, $1/mo)
Have fun! :)
Don't have PKI but want to use TLS inspection in Global Secure Access?
This script sets up Azure Key Vault Premium (HSM backed keys, $5/month), creates the CA certificate in Key Vault, gets the CSR from GSA, signs it with Key Vault, and adds it to GSA
github.com/nathanmcn...
New features for my Defender Reporting solution :)
1️⃣ Azure deployment option
- Automation runbook exports vulnerability data and builds the dashboard, compressed data stored in blob storage
- Optional Container App hosts dashboard using Entra auth
github.com/nathanmcn...
2️⃣ New modal layout and tooltips
- Reflowed the modal to group CVEs by devices
- Added tooltip to contain device details
- Optional enrichment with Advanced Hunting data (use -IncludeAdvancedHunting), adds EPSS scores and description tooltips to all CVE IDs
3️⃣ Bug fixes and optimization
- Now uses IndexedDB for better performance with large data sets
- Changed export schedules to 7 days to reduce risk of data loss if a run fails
- Fixed a few logic/timing issues
4️⃣ Documentation updates
- Setup instructions for Azure and GitHub