Comprehensive Guide to Configuring Advanced Auditing
This post provides everything you need to ensure Advanced Auditing is fully configured and auditing everything we possibly can for both existing and new users. I recently shared guidance for this via social media (see below), and it felt like a perfect time to revisit my previous posts and combine everything into one comprehensive guide :)
You likely aren't collecting all available events to the Unified Audit Log
First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything). Retention is based on license...
Managing Restricted Groups with Access Packages
👮 Restricted Management Admin Units (RMAU) in #EntraID
Hackers HATE This Hidden Entra ID Feature Most Admins Never Use
@NathanMcNulty breaks it down for us 👇
🎧 Get the full podcast episode at https://t.co/gnvH23WorW
— Merill Fernando (@merill) March 29, 2025
I recently had a chance to discuss Restricted Management Administrative Units (RMAUs) with Merill, and one of my favorite uses for these is to protect groups that are used in Conditional Access policies so they aren’t accidentally modified or deleted. I’m also a big fan of using Access Packages to control membership of these groups for things like exclusions from geofencing policies, user action policies, blocking policies, etc.
Entra Chat with Merill Fernando
It was such an honor to join Merill Fernando on Entra Chat, and I hope to join him again in the future. Be sure to check out Entra Chat: https://entra.news/p/operational-groups-in-entra-with
Operational Collections 2.0
Automate security group membership based on device hardware, software, vulnerabilities, and other inventory data
Getting more data from the CA Insights and Reporting Workbook
Quick tip on using workbooks to create KQL queries and get more data than provided by the workbook
Super Advanced Auditing
Ensure all available audit records are collected to Unified Audit Log
Defender AutoConfig
A tool to assess and automate configuration in the Defender portal
One Full Scan
Improve Defender performance by performing one full scan
CAPremortem
A tool to assess historical impact of report-only policies
MDE Analyzer²
Automate analysis of MDE Client Analyzer output for common issues
Device cleanup
Comprehensive automation for device cleanup
Enable all auditable events
The defaults are better than they used to be, but you can still do better.
Trimarc Happy Hour
I had a great time hanging out and talking about a little bit of everything with some of the Trimarc folks. Thanks to Brandon for inviting me on! :)
Lab - Certificate Authority Setup
This step-by-step tutorial is ideal for those looking to experiment with Certificate Authority setups in a lab environment. Learn how to configure an offline CA using OpenSSL, use it to sign an Enterprise ADCS Intermediate CA, and publish CRLs in an Azure Static Web App.
Intune - Microsoft Tunnel VPN Gateway
Note: This article was last updated on 01/30/2025 for readability and updated URLs. I am working on updating this for the UI changes that have been made to Intune :)
Azure Automation - Device Cleanup v2
Note: This article was last updated on 01/30/2025 for readability and updated URLs. We no longer need to manually load modules as shown, and this article will be completely overhauled to include backup of LAPS passwords and BitLocker keys to Azure Key Vault as well :)
Intune - Discover Defender AV exclusions using Proactive Remediation
Note: This article was last updated on 01/30/2025 for readability and updated URLs. I am working on updating this for the UI changes that have been made to Intune :)
Intune - Block mounting of ISO files
Note: This article was last updated on 01/30/2025 for readability and updated URLs.
AWS - Integrating PIM with Azure AD SSO for AWS Single-Account Access
Note: This article was last updated on 01/30/2025 for readability and updated URLs.
AWS - Integrating PIM with Azure AD SSO for AWS IAM Identity Center
Note: This article was last updated on 01/30/2025 for readability and updated URLs.
Azure - Securing Subscriptions
Note: This article was last updated on 01/30/2025 for readability and updated URLs.
Azure Arc - Onboarding Servers with Group Policy
Note: This article was last updated on 01/30/2025 for readability and updated URLs.
Azure Automation - Advanced Auditing
Note: This article was last updated on 01/27/2025 for readability and updated URLs, and the content itself will be updated in the near future :)
Lab - Server Build
Back in May of last year, I started building a new server and had planned to fully share the process of putting it together, setting up the OS, templates, etc. Instead, we had a baby, remodeled and sold our home, moved over 1500 miles, and had job constraints that forced me to rush putting it together :(
New home server :D
Dell R630 with 2x 14 core E5-2680 v4 CPUs
Already ordered 1.2TB SAS drives (best bang for buck currently at $20 each). Working on 32GB sticks as I can find them around $60.
Goal is 8x 1.2TB drives, 2x 1TB NVMe via PCI-Express adapters, and 16x 32GB sticks :p
Using transport rules as a security tool
Note: Unfortunately, the images from this article were never able to be recovered, and it is unlikely I will be able to recreate them. Email security has come a long way, but there is still a lot of value in using this method if you don’t have access to better tools :)
Intune - Using Access Packages to Enable User Device Enrollment
Note: This article was last updated on 01/27/2025 for readability and updated URLs, but content review and image updates are in process :)
Defender for Endpoint - Implementing ASR Rules
Note: This article was last updated on 01/27/2025 for readability and updated URLs, but content review is in process. New guidance is to enable the credential theft rule out of the box, and there are new rules to put in audit mode and add to the queries.
Intune - Edge in iOS Kiosk Mode
Getting a web app to run in Edge in Kiosk mode on iOS has been a journey, so here's a guide on how I did it :)
Azure AD - Integrating Azure AD logs with Azure Monitor
Note: This article was last updated on 01/26/2025 for readability and updated URLs.
MyStaff - Simplified Administrative Password Reset
Note: This article was last updated on 01/26/2025 for readability and updated URLs. Unfortunately, images were not able to be restored from a previous hosting provider :(