Category Archives: Microsoft
Skilling snack: Managing Windows 11 updates
As part of your ongoing journey managing Windows across your organization, we’ve compiled some great tips and resources including analysis, reporting, servicing, and enriching your Windows experience. We’ve also included several links to bookmark for regular, continuous learning.
Time to learn: 138 minutes
WATCH
Did you miss this year’s Tech Community Live? Catch up on this full “Ask Microsoft Anything” recording, where viewers are treated to an in-depth discussion on the latest tools and strategies for managing Windows updates.
(60 mins)
Windows Update + Intune + WUfB + Autopatch
LEARN
Manage Windows updates in the cloud
Done learning the basics? In this intermediate learning module, you’ll take a deeper dive into how to manage your updates and control your user experience across your devices.
(41 mins)
Intune + Windows Update + Microsoft Cloud + Group Policy + MDM
READ + REGISTER
Sign up for Windows known issue email alerts
Did you know that you can sign up for email alerts designed to help you manage Windows? Read all about it in the original announcement and register to start receiving these alerts in your own inbox.
(4 mins)
Support + Windows release health + Microsoft 365 + Windows feature and quality updates
WATCH
Windows Autopatch, How it Works
Autopatch is a cloud service that supports your Windows 11 upgrades. Learn how it works, and how to make it work for you, in this introductory video.
(11 mins)
Autopatch + Microsoft Edge + Office + Microsoft 365 + Windows Enterprise
READ
Customize Windows Update settings with Autopatch
Want to run your Windows Update deployment on a customized schedule? We’ll show you how you can achieve this with Windows Autopatch.
(8 mins)
Autopatch + Windows Update + Deployment rings
READ
Manage Windows driver and firmware updates with Microsoft Intune
Intune makes it easy to keep all of your device drivers current. Learn how to create and manage your own device update policies here.
(7 mins)
Intune + Drivers + Windows Enterprise
EXPERIENCE
Prescriptive Guidance: Intune Windows Update Policy
Microsoft Intune deployment rings help protect against malicious attacks by allowing for progressive updates across your devices. In this step-by-step demo, you’ll walk through the process of setting up your own deployment rings.
(5 mins)
Intune + Windows Update + Deployment rings + Compliance + Security
REGISTER
IT pros: Join us every month for Windows Office Hours!
Tune in for this monthly live discussion, where Microsoft experts will answer your questions and guide you in your Windows management journey.
(2 mins)
Windows 365 + Intune + Configuration Manager + Security
BOOKMARK
Every month, the Windows IT Pro Blog publishes a digest of all the practical new Windows developments announced in the past month. Check out the most recent article and bookmark the page to come back for more.
Do you use Microsoft Intune? Check in on the Intune blog to stay up to date with news and developments in your favorite cloud-based management system.
Explore the latest Microsoft capabilities through interviews with the product teams building the tech and the IT professionals managing Windows in the real world. Hear about enhancements, innovations, and tools for Windows 11, Microsoft Intune, Windows 365, Windows Update for Business, and more.
(time varies)
Windows 11 + Security + Device management + Copilot + Windows Server + Intune + Configuration Manager + W365 + WUfB
Managing Windows 11 is a topic too big for a single skilling snack. If you’re interested in learning more on the topic, check out these earlier snacks:
Feature update management
Windows monthly updates
Windows information and resources for IT pros
Windows device management in the public sector
Using Windows Update for Business
Come back every two weeks for fresh servings of Windows knowledge and leave a comment below to tell us what you would like to learn next.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.
Microsoft Tech Community – Latest Blogs –Read More
Stop Worrying and Love the Outage, Vol III: Cached Logons
This is the third article in a series:
Stop Worrying and Love the Outage, Vol I: Group Policy and Sharing Violations
Stop Worrying and Love the Outage, Vol II: DCs, custom ports, and Firewalls/ACLs
Hello, Chris Cartwright here from the Directory Services support team. This is the third post in a series where I try to provide the IT community with some tools and verbiage that will hopefully save you and your business many hours, dollars, and frustrations. Occasionally, we get cases for users working remotely that are unable to log on with a message that the domain is not available. More often than not, this is caused by an overly enthusiastic Cached Logon configuration.
The setting:
The “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” policy setting controls whether cached account information can be used to sign in to a Windows domain. When a user signs in to a domain account, the sign-in information can be stored locally so that, if a domain controller is unreachable later, the user can still sign in. If a user’s credentials are not cached, you will see one of the following errors:
There are currently no logon servers available to service the logon request.
We can’t sign you in with this credential because your domain isn’t available. Make sure your device is connected to your organization’s network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
The domain specified is not available. Please try again later.
This policy setting specifies how many different users’ sign-in information can be kept locally, but it leaves out some rather important details like:
Cached logon is based on the method used for logon. Smart card (per issuer), passwords, and Windows Hello logons have their own cache entry per user.
You cannot cache a new entry without line of sight to a Domain Controller.
New smart cards require a new entry and will overwrite an existing one if from the same issuer.
Service accounts also have their own entry.
By default, the number of cached logons setting is set to a value of 10, which is generally high enough for most organizations. The security risk for this setting is based on use/abuse of the cached credentials by bad actors. Security is a balancing act.
Consider the following points as well:
“The Windows security baselines don’t recommend configuring [the number of previously cached logons].”
“…the server overwrites the oldest cached sign-in session.”
“Users can’t sign in to any devices if there’s no domain controller available to authenticate them.”
So, when your compliance team comes in and tells you to set this to lower values, especially 1 or 0, make sure you know your environment. Issues from miscalculating this cache value range from remote users being unable to log on to (worst case) data loss. After reading this, I hope in future conversations you feel better armed to respond with the potential risks associated with this setting and can avoid this kind of outage without having to learn the hard way!
References:
Cached domain logon information – Windows Server | Microsoft Learn
Sharepoint Lists “export to excel” function incorrectly exporting restricted data
Hi All,
Odd recent issue with Lists which is quite critical as it relates to sensitive data.
When clicking the “Export to Excel” button it should only export data which the user has access to. This has been the case until very recently.
It now so happens that with a recent new updated look and feel version of Lists which has been slowly rolled out at our organisation, users are now able to export ALL data from the list including data they don’t have permissions set up to see.
Has anyone else experienced this issue and is there a fix available? Really worrying
What’s the best way to document the purpose of each passage?
I want to explain why each sentence is included in the document. But I don’t want those explanations to appear in the print version.
Every sentence is included for a specific reason, usually because it is required by a law or regulation. Sometimes the structure of an entire section will appear in a certain way to conform to a regulation. Many collaborators will write this document with me, and I don’t want people to change a sentence unless they understand the regulations that required the inclusion of the sentence.
I know I can achieve this with comments. But I am wondering if there are other ways. Perhaps there is a better document writing solution than Word. The comments can become very cumbersome. And it will get messy if I have hundreds of comments and Word is tracking changes.
Any thoughts?
FYI | Some episodes of The Intrazone podcast now published to the Community News Desk
Hello Fellow SharePoint’ers! A quick note, we now publish posts for our regular episodes to the new Community News Desk blog. We will continue to publish the SharePoint roadmap pitstop episodes as posts to the SharePoint community blog.
Thanks for tuning in. And if you haven’t yet listened to The Intrazone podcast, or shared it with a fellow collaborator, well – no time like the present (and thanks in advance for doing so). Doing either of these two actions buys you 100 virtual credits to spend on hidden likes to any SharePoint tweet.
Yours podcastingly, Mark “Here and there” Kashman and Chris “There and here” McNulty
The Intrazone – A show about the Microsoft 365 intelligent intranet – with co-hosts: Chris McNulty and Mark Kashman. aka.ms/TheIntrazone
Samsung S23Ultra locked with old Android Enterprise Account
Here is a challenging situation that I put myself in!
1. The Android device was enrolled normally with Intune (Corporate Owned with Work Profile), but after the Google account was converted to a Business account, many things stopped working, as Intune currently doesn’t support Google G Suite (business).
2. So, a decision was made to remove the linked existing Android Enterprise account (from Intune) and create a new personal one.
3. Before doing so, I initiated a wipe of the existing enrolled devices, then removed them, and finally unlinked the Android Enterprise account.
4. The Android Business account was also removed from Google.
5. Phones that were active before the wipe command was initiated work OK; the problem exists with those phones that were not active, and after unlinking the Android Enterprise account they are stuck.
6. I performed a factory reset on those devices, and I am no longer able to make them work as phones. Google needs the owner account: a registered personal account or Android Enterprise doesn’t work, and Google insists on the owner’s account (which I did enter, but for some reason it doesn’t see it as the owner’s account). The Google account was even removed from one of the mobiles before initiating the factory reset.
7. Mobiles that I have not yet factory reset are stuck with the Intune app, and I cannot remove it because I restricted it myself in the configuration. I do not want to initiate a factory reset before solving this issue.
Any suggestions?
Alex
Announcing Windows Admin Center in Azure for Windows Client machines
In 2022, we introduced Windows Admin Center in Azure, making it easy for you to manage your Windows Server Azure VMs directly from the Azure Portal. Since its release, we’ve been overwhelmed by the positive response and feature requests we’ve received. Over the last 2 years, we expanded to support Azure Arc-enabled Windows Servers and Azure Stack HCI clusters, providing you access to Windows Admin Center for your on-premises machines without. We’ve heard you and added secure, password-less authentication, giving you single sign-on using your Entra ID credentials. We also increased the performance by over 50% leveraging Azure Front Door as our content delivery network. We continue to release every month, providing you with new experiences, updates, and bug fixes.
Today, we’re excited to announce that Windows Admin Center in Azure is expanding to also support Windows 10/11 machines. When you’re running Windows 10/11 as an Azure VM, you will be able to use Windows Admin Center in Azure to manage your client machines directly from the Azure Portal. By default, the Azure Portal provides a singular view for virtual machine management and the essential elements to manage your infrastructure. With the addition of Windows Admin Center, we have supplemented this great experience with additional capabilities such as an enhanced view of virtual machine usage, performance monitoring, viewing of events, and much more. We expect this to reduce the need for you to remote desktop into your virtual machine for administration, simplifying your experience as you deploy and maintain your client machines.
Get started with Windows Admin Center
Windows Admin Center in Azure is available to all Windows client customers on Azure running Windows 10/11 in the public cloud. To get started, create a new virtual machine today or deploy Windows Admin Center on your existing infrastructure. You can begin managing your virtual machines in Azure using Windows Admin Center by navigating to the Windows Admin Center blade under Connect in the Virtual Machine Azure portal UI. You can learn more here.
Thank you for using Windows Admin Center in Azure and stay tuned for more updates and features coming soon.
How to break the token theft cyber-attack chain
We’ve written a lot about how attackers try to break passwords. The solution to password attacks—still the most common attack vector for compromising identities—is to turn on multifactor authentication (MFA).
But as more customers do the right thing with MFA, actors are going beyond password-only attacks. So, we’re going to publish a series of articles on how to defeat more advanced attacks, starting with token theft. In this article, we’ll start with some basics on how tokens work, describe a token theft attack, and then explain what you can do to prevent and mitigate token theft now.
Tokens 101
Before we get too deep into the token theft conversation, let’s quickly review the mechanics of tokens.
A token is an authentication artifact that grants you access to resources. You get a token by signing into an identity provider (IDP), such as Microsoft Entra ID, using a set of credentials. The IDP responds to a successful sign-in by issuing a token that describes who you are and what you have permission to do. When you want to access an application or service (we’ll just say app from here), you get permission to talk to that resource by presenting a token that’s correctly signed by an issuer it trusts. The software on the client device you’re using takes care of all token handling behind the scenes.
The first token you get, called a session token, shows that you successfully signed into the IDP, and how you signed in. When you sign into an app, it can exchange that session token for an access token, which gives you access to a specific resource for a certain amount of time without having to reauthenticate. To use an analogy, think of an amusement park. The IDP is the ticket office, which issues a park pass that provides credits for different rides. If you want to go on the roller coaster, you go to the ticket office, show your season park pass, and receive a ticket for that ride.
Just as you might be able to buy a day pass, season pass, or lifetime pass to the park, each token has a lifetime, usually between and 24 hours. And just as a 12-month season pass may get you a one-day pass to a specific ride, session tokens can have different—and usually much longer—lifetimes than access tokens. Moreover, access token lifetimes can differ, so the roller coaster pass may last an hour while the Ferris wheel pass is good for an entire day.
Traditionally, longer lifetimes are more convenient for users and more resilient against potential IDP outages (they save round trips to the IDP and associated latency) but riskier, while shorter lifetimes are safer (the IDP checks the integrity of the request more often). Technologies such as continuous access evaluation provide continuous assessment, so a shorter token lifetime isn’t a benefit when these are in place. When a token expires or continuous access evaluation reports heightened risk, the client goes back to the IDP and requests a refresh. This process is typically invisible to users, but if a risk condition has changed, and your organization policy requires it, then you may have to reauthenticate and get a new token. One last thing to note: while it’s a bummer to lose your roller coaster ticket, it’s really bad to lose your season park pass. An attacker can use your roller coaster ticket to get on a single ride for a short while, but with your season park pass, they can get on any ride for as long as they want. It’s similar with session tokens which, if stolen, give an actor a lasting ability to get access tokens.
How token theft works
Attackers steal tokens so they can impersonate you and access your data for as long as that stolen token lives. To do this, they get access to where a token is stored (on the client, in proxy servers, or in some cases in application or network logs) to acquire it and replay it from somewhere else.
Token concept | Theme park analogy
Identity provider | Ticket office
Session token | Season park pass
Access token | Individual ride ticket
When an attacker steals your session token, it’s like picking your pocket after you’ve purchased your all-access season park pass at the fair’s ticket office. Because a token is digital, token theft is like stealing the pass from your pocket, making a photocopy, and then putting the original back in your pocket. The attacker can use their copy of your session token to get unlimited new access tokens to keep stealing your data, just as they can show a copy of a valid park pass to keep getting on rides without paying.
An attacker stealing your access token is comparable to someone stealing your ride ticket as you stand in line. They do the same copy-and-replace trick, using their copy of your token to access the resource, just as they could show a copy of a valid ticket to get on an individual ride without paying.
And because in both cases the attacker puts the original pass or ticket back in your pocket, you don’t even know an attacker is riding the rides in your name. Your token seems fine, even though an attacker is using an illegitimate copy of it, and it may take a while to determine that anything is amiss—if you ever do.
Here’s an example:
Contoso stores all their documents in a secure cloud storage service and requires all employees to verify their identity using MFA before accessing it.
One day, after starting their workday by signing into Contoso’s cloud storage service, a user inadvertently installed malware on their device by clicking on a malicious ‘phishing’ link sent to them via email. The malicious code copied the user’s session token and sent it to the attacker.
The attacker then used the stolen and MFA-validated session token, now copied to their machine, to gain access to Contoso’s environment.
The attacker then downloaded as many documents as they could access, including a bunch of confidential reports, and leaked them on the internet.
Use of malware on the client to acquire the token is one common, easy method for attackers. Other tactics used to steal tokens include:
Copying tokens from the network as they pass through a proxy or router that the attacker controls.
Extracting tokens from unsecured server logs of the relying party.
While token theft still constitutes fewer than 5% of all identity compromises, incidents are growing. alone, we detected 147,000 token replay attacks, a 111% increase year-over-year.
Protecting tokens
IDPs and clients should handle tokens as securely as possible by only transmitting them over encrypted channels and not storing them in the open. But if an attacker infiltrates the device or network channel as in the example above, they can steal tokens and use them until they expire.
Ideally, a token would only work when used from the device to which it was issued. That is, if replayed from a different device, such as one an attacker controls, the token would be rejected.
A key part of Microsoft’s protections against token theft is the use of tokens that are cryptographically tied to the device they were issued to. This is often called token binding, but may also be called sender-constrained tokens, or token proof of possession. Token protection makes it harder to execute the main types of attacks designed to steal tokens, including network-based attacks and those using malware on the device, by restricting use of a stolen token from devices it wasn’t issued to.
In Microsoft Entra, token protection binds tokens to cryptographic keys specific to the device and ties them to the device registration. Once developers enable their applications to use protected tokens, you can enforce an Entra Conditional Access policy that requires client applications to use protected tokens to access a service. This policy rejects tokens which are not cryptographically tied to the device they were issued to. In the theme park analogy, this is like the ticket office taking your picture and printing it on your ride ticket and requiring ride operators to match the picture to your face before letting you ride.
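The following is an added illustration of the proof-of-possession idea described above; it is not Microsoft’s implementation or the Entra token format. It assumes a toy design in which each registered device holds a secret that never leaves it, the IDP puts a hash of that secret in a `cnf` claim, and every request carries a signature made with the device secret; a per-device HMAC key known to the resource server stands in for the asymmetric device key pair (and public key) that real token binding uses.

```python
import hashlib
import hmac
import json
import secrets
import time

IDP_SIGNING_KEY = secrets.token_bytes(32)  # constructed: the IDP's token-signing key

# Stand-in for device registration: each registered device holds a key that
# never leaves it. Assumption of this example: a per-device HMAC secret that
# the resource server also knows replaces the asymmetric device key pair real
# token binding uses (there, the server would hold only the public key).
DEVICE_KEYS = {
    "dev-alice-laptop": secrets.token_bytes(32),
    "dev-attacker-box": secrets.token_bytes(32),
}


def _sig(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _kid(device_key):
    # The token names the device key by its hash, never by its value.
    return hashlib.sha256(device_key).hexdigest()


def issue_bound_token(subject, device_id, lifetime_s=3600, now=None):
    """IDP: issue a session token whose 'cnf' claim names the device key."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "exp": int(now + lifetime_s),
              "cnf": {"kid": _kid(DEVICE_KEYS[device_id])}}
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + _sig(IDP_SIGNING_KEY, body).encode()


def _pop_message(token, method, path, nonce):
    # The proof covers the token and the request it authorises, so a
    # captured proof cannot be reused for a different request.
    return b"|".join([token, method.encode(), path.encode(), nonce.encode()])


def prove_possession(token, device_id, method, path, nonce):
    """Client on a registered device: sign the request with that device's key."""
    return _sig(DEVICE_KEYS[device_id], _pop_message(token, method, path, nonce))


def verify_request(token, pop, method, path, nonce, now=None):
    """Resource server: accept a token only with a valid proof from its device."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(b".")
    if not hmac.compare_digest(sig.decode(), _sig(IDP_SIGNING_KEY, body)):
        return "rejected: bad issuer signature"
    claims = json.loads(body)
    if claims["exp"] < now:
        return "rejected: expired"
    device_key = next((k for k in DEVICE_KEYS.values()
                       if _kid(k) == claims["cnf"]["kid"]), None)
    if device_key is None:
        return "rejected: unknown device"
    expected = _sig(device_key, _pop_message(token, method, path, nonce))
    if not hmac.compare_digest(pop, expected):
        return "rejected: proof of possession failed"
    return f"ok: {claims['sub']}"


def demo():
    """Legitimate use, replay from another device, and reuse of a captured proof."""
    tok = issue_bound_token("alice@contoso.example", "dev-alice-laptop")
    nonce = secrets.token_hex(8)
    proof = prove_possession(tok, "dev-alice-laptop", "GET", "/files", nonce)
    good = verify_request(tok, proof, "GET", "/files", nonce)
    # Malware copied the token off Alice's device, but the attacker's own
    # device key does not match the cnf claim, so the replay is refused.
    attacker_proof = prove_possession(tok, "dev-attacker-box", "GET", "/files", nonce)
    stolen = verify_request(tok, attacker_proof, "GET", "/files", nonce)
    # Even a captured token + proof pair is useless for a different request.
    reused = verify_request(tok, proof, "GET", "/admin", nonce)
    return good, stolen, reused


if __name__ == "__main__":
    print(*demo(), sep="\n")
```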
This is a large project, spanning operating system platforms, native and web applications, all our cloud services, and the full range of different tokens in use for each case. It will be released in stages for specific scenarios. The first stage, in public preview now, protects the sign-in session tokens that native applications on Windows devices use when accessing Exchange, SharePoint and Teams services.
Token protection policy is available for Windows clients today. We’ll support Azure management scenarios and web applications that access Microsoft 365 resources and extend our cross-platform capabilities to Mac, iOS, Android, and other clients over the next year.
Practical steps for countering token theft
Token protection will offer the strongest protection against token theft; however, it will take the industry time to update all applications to use bound tokens. The good news is that Microsoft offers compelling countermeasures against attacks involving token theft that you can use today to reduce their risk and impact. We recommend a systematic defense-in-depth approach:
Reduce the risk of successful token theft.
Prevent malicious use of stolen tokens.
Be prepared to detect and investigate attacks that use stolen tokens.
Reduce the risk of successful token theft
The first line of defense is to reduce the chances of attackers stealing tokens in the first place, and below are some well-established techniques for building it. It’s the equivalent of keeping your ride tickets and park passes safe from pickpockets while you’re in the theme park.
Require managed and compliant devices. Use device management and define Conditional Access policies to require that users access resources from a compliant device. Compliance policies we recommend to reduce the risk of successful token theft from devices include:
To help prevent accidental infection with token-stealing malware, require users running on Windows to run as standard users rather than with device admin rights and require that all devices run up to date anti-malware and virus tools.
Use storage encryption to protect device content, including tokens, in case someone steals the device itself.
Enable Local Security Authority (LSA) protection to help protect Entra ID tokens in LSA memory. LSA protection is on by default for new devices and can be enabled for other devices via Intune.
Use jailbreak or rooting detection for mobile devices. Jailbroken devices are more likely to expose tokens and cryptographic secrets to potential attacks.
Turn on Credential Guard for your Windows users. If your users are running Windows 10 or later, you can prevent theft of Active Directory credentials by configuring Credential Guard, which uses virtualization-based security (VBS) to isolate local and cached credentials so that only privileged system software—and not malware—can access them. Starting in Windows 11, version 22H2, Credential Guard is on by default for devices that meet requirements. This also helps protect cloud applications and resources when hybrid-joined devices using Active Directory authentication initiate a session to access cloud applications.
Find step-by-step instructions for enabling credential guard in our documentation.
Prevent malicious use of stolen tokens
While device management and strong credentials certainly reduce the risk of token theft, not everyone has them, and they’re still not completely foolproof. The next layer of defense is to prevent attackers from using stolen tokens for ongoing access by configuring policies to reject them wherever possible, and by detecting attempted use and responding automatically.
Require token protection in Conditional Access, and where possible, choose apps and services that use token protection. Microsoft is updating our apps, identity provider, and operating systems to support token protection, so if you’re using our apps and platforms, be sure to use the latest versions. Then configure Conditional Access to require token protection for sign-in sessions, so that only applications and devices presenting bound sign-in session tokens are allowed access; such tokens can’t be used if they’ve been stolen and moved to another device.
Find step-by-step instructions for creating a Conditional Access policy that requires token binding in our documentation.
Create a risk policy to disrupt token theft in your environment automatically. When a user initiates a session or attempts to access an application, ID Protection will examine user and session risk factors to see if any have changed. Configure Conditional Access policies to protect both medium and high-risk sessions by either challenging users with MFA or by requiring reauthentication. This will make it difficult or impossible for an attacker to initiate a session using a stolen session token.
Wherever available, Continuous Access Evaluation (CAE) can automatically invalidate tokens when ID Protection raises the risk for a user or a service principal. This triggers the risk-based Conditional Access policies to mitigate in real-time, requiring re-authentication.
Find step-by-step instructions for creating risk-based Conditional Access policies in our documentation.
Reduce the risk of token reuse by restricting sessions for use within network boundaries. Most attackers use stolen tokens from untrusted IP addresses. You can establish network boundaries with policies that prevent users from accessing your resources if they’re coming from unknown locations or from known bad locations.
Restrict networks with Entra Conditional Access: Conditional Access includes controls that will block requests from outside a network compliance boundary that you define. This will prevent an attacker from refreshing a stolen Entra token, restricting its use to the lifetime of the token.
Find step-by-step instructions for defining a network compliance boundary with Conditional Access in our documentation.
Enhance network controls with Microsoft’s Security Service Edge (SSE) solution: To prevent the attacker from using a token outside of a trusted network at all, Entra Internet Access and Entra Private Access use agents installed on endpoints and a compliant network check (enforced in real-time via CAE) to verify whether a user is connecting from a trusted network. Find step-by-step instructions for enabling compliant network check with Conditional Access in our documentation.
CAE-capable applications and services such as Teams, Exchange Online, and SharePoint Online will continuously enforce the IP-based named location Conditional Access policies and compliant network policies to ensure that tokens can be used only from trusted networks to access services. CAE offers a strict location enforcement mode to maximize protection. Find the step-by-step instructions for enabling this in our documentation.
Revoke tokens using Continuous Access Evaluation
In addition to ensuring that the supported services can only be accessed from trusted locations, CAE can revoke tokens when admins (or users themselves) take action in response to detecting an account compromise or token theft. These include disabling accounts, changing passwords, and revoking refresh tokens. Learn more about Continuous Access Evaluation in our documentation.
Be prepared to detect and investigate attacks that use stolen tokens
Use Entra ID Protection and Microsoft Defender to monitor for token theft. When a threat actor replays a token, their sign-in event can trigger detections such as ‘anomalous token’ and ‘unfamiliar sign-in properties’ from both Entra ID Protection and Microsoft Defender for Cloud Apps. Premium detections recognize abnormal characteristics such as an unusual token lifetime, a token replayed from an unfamiliar location, or token attributes that are unusual or match known attacker patterns. Signals from Microsoft Defender for Endpoint (MDE) can indicate a possible attempt to access the Primary Refresh Token.
Find step-by-step instructions for investigating token theft in our documentation.
Pull all your data into one Security Information and Event Management (SIEM) system, such as Microsoft Sentinel, to investigate potential token theft. If you receive an alert for an event that may indicate token theft, you can investigate it in the Microsoft Sentinel portal or in another SIEM. Microsoft Sentinel gives you important details about a specific incident, such as its severity, when it occurred, how many entities were involved, which events triggered it, and whether it reflects any MITRE ATT&CK tactics or techniques. You can then view the investigation map to understand the scope and root cause of the potential security threat.
Find step-by-step instructions for investigating incidents using Sentinel in our documentation.
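The two ideas above, a network boundary that a stolen token cannot be used outside of, and a detection for a token replayed from an unfamiliar location, can be exercised against a handful of sign-in records. The block below is an added example, not Microsoft's code and not a Sentinel query: the records, the trusted address range and the risk labels are constructed for the illustration, and the field names only loosely mirror a few SigninLogs columns (TimeGenerated, UserPrincipalName, IPAddress, SessionId).

```python
# Added example, not Microsoft's code: token-theft triage over constructed
# sign-in records. Field names loosely mirror Microsoft Sentinel SigninLogs
# columns (TimeGenerated, UserPrincipalName, IPAddress, SessionId); the values,
# the trusted network and the risk labels are all made up for this example.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sign-ins: alice's session id reappears from a second
# country twelve minutes later carrying an ID Protection style "anomalousToken"
# label; bob's two sign-ins stay inside the trusted range.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-06-20T09:00:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "Country": "US", "SessionId": "sess-1", "RiskEventTypes": []},
    {"TimeGenerated": "2024-06-20T09:12:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "Country": "RO", "SessionId": "sess-1",
     "RiskEventTypes": ["anomalousToken"]},
    {"TimeGenerated": "2024-06-20T10:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.22", "Country": "US", "SessionId": "sess-2", "RiskEventTypes": []},
    {"TimeGenerated": "2024-06-20T10:30:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.23", "Country": "US", "SessionId": "sess-2", "RiskEventTypes": []},
]

# Constructed "named location": the address range a compliant-network or
# network-boundary policy would treat as trusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]


def _ts(record):
    """Parse the ISO-8601 timestamp (a trailing Z means UTC)."""
    return datetime.fromisoformat(record["TimeGenerated"].replace("Z", "+00:00"))


def outside_boundary(record, trusted=TRUSTED_NETWORKS):
    """True when the sign-in IP is outside every trusted network, i.e. a
    request a network-boundary Conditional Access policy would block."""
    ip = ip_address(record["IPAddress"])
    return not any(ip in net for net in trusted)


def find_session_replay(records, window=timedelta(hours=1)):
    """Return {session_id: (first_country, second_country)} for sessions whose
    id is seen from two different countries within `window`: the 'token
    replayed from an unfamiliar location' pattern described above."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["SessionId"]].append(r)
    flagged = {}
    for sid, events in by_session.items():
        events.sort(key=_ts)
        for earlier, later in zip(events, events[1:]):
            if earlier["Country"] != later["Country"] and _ts(later) - _ts(earlier) <= window:
                flagged[sid] = (earlier["Country"], later["Country"])
                break
    return flagged


def triage(records):
    """Per-sign-in findings worth an analyst's attention: outside the trusted
    boundary and/or carrying an ID Protection risk label."""
    findings = []
    for r in records:
        reasons = []
        if outside_boundary(r):
            reasons.append("outside_network_boundary")
        if r["RiskEventTypes"]:
            reasons.append("risk:" + ",".join(r["RiskEventTypes"]))
        if reasons:
            findings.append((r["UserPrincipalName"], r["IPAddress"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print("finding:", finding)
    print("sessions seen from two countries:", find_session_replay(SAMPLE_SIGNINS))
```

Run against the constructed records, only alice's second sign-in is flagged (outside the trusted range and carrying the risk label), and only session sess-1 shows the same session id from two countries within the hour; bob's two sign-ins from adjacent trusted addresses produce nothing. In a real environment the session id, IP and country would come from your SIEM's sign-in table and the trusted ranges from your named locations.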
Reduce the risk of successful token theft
- Require managed and compliant devices.
- Turn on Credential Guard for your Windows users.
- Create a risk policy to disrupt token theft in your environment automatically.
Prevent malicious use of stolen tokens
- Reduce the risk of token reuse by restricting sessions for use within network boundaries.
- Revoke tokens using Continuous Access Evaluation.
Be prepared to detect and investigate attacks that use stolen tokens
- Use Entra ID Protection and Microsoft Defender to monitor for token theft.
- Pull all your data into one SIEM, such as Microsoft Sentinel, to investigate potential token theft.
As defenders building defenses to help everyone strengthen cybersecurity, Microsoft is in a big strategic fight against token theft. We’ll keep you updated on any advancements you can use to counter attacks that use token theft. In the meantime, to help defend your environment, configure your Conditional Access policies to take advantage of token protection wherever you can and employ the countermeasures we’ve described here.
Stay safe out there,
Alex Weinert
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community
Microsoft Tech Community – Latest Blogs –Read More
“Reflecting on OneDrive and SharePoint” 🎙 – The Intrazone podcast
You might call this episode ShareDrive or OnePoint, if you dare. It blends the focus of two product managers spanning the OneDrive and SharePoint product boundaries.
In this episode, you’ll hear from Stephen Rice (Principal product manager) from our OneDrive companion pod, Sync Up … and he chats/interviews your very own Intrazone host, me, Mark Kashman. It’s a little bit of an M365 multi-verse as we interview each other – PM-to-PM, pod-to-pod, Intrazone-to-Sync Up. You’ll hear our takes on our respective products – Stephen on OneDrive and me on SharePoint. In the end, it’s a bountiful double bonus for you – the benefit of the best of both pods and a lot of updates and insights across both products.
The Intrazone, episode 110:
Subscribe to The Intrazone podcast + show links and more below.
About Sync Up
Sync Up is your opportunity to go behind the scenes of OneDrive and get the inside scoop on the latest and greatest features! Join your hosts, Stephen Rice and Arvind Mishra, as they shed light on how OneDrive connects you to all your files in Microsoft and enables you to share and work together from anywhere, and any device! Hear from experts behind the design and development of OneDrive, as well as customers and Microsoft MVPs! Each episode will give you news and announcements, tips and best practices for your OneDrive experience, and some fun and humor! Transcripts are provided for each episode.
About Stephen
Stephen Rice, Principal Product Manager for the OneDrive team, has worked at Microsoft for the past 9 years. He focuses on enabling collaboration across Microsoft 365, whether you are working with partners inside or outside of your organization. In his free time, Stephen enjoys playing games such as Magic: The Gathering and enjoys Star Wars, which he reviews on his other podcast, the Ion Cannon podcast.
Links to important on-demand recordings and articles mentioned in this episode:
Hosts, guests, and related products
Stephen Rice (Principal product manager for OneDrive at Microsoft) | LinkedIn [guest]
SharePoint | Facebook | @SharePoint | SharePoint community blog | Feedback
OneDrive | @OneDrive | OneDrive community blog | Office Hours (sign up) | Newsletter | Feedback
Mark Kashman |@mkashman [co-host]
Chris McNulty |@cmcnulty2000 [co-host]
Articles and sites
The Sync Up crew published this same interview, plus on-the-spot quick takes from M365Con – in their new episode, “Live from M365 Conference!” + Stephen’s LinkedIn post.
“Content Management and Collaboration for the AI Era” (full on-demand session)
“The intranet of tomorrow: beautiful, flexible, and AI ready” (full on-demand session)
“OneDrive: AI at your fingertips” (full on-demand session)
Microsoft Docs – The home for Microsoft documentation for end users, developers, and IT professionals.
Microsoft Tech Community Home
Stay on top of Office 365 changes
Listen to other Microsoft podcasts
Upcoming Events
Intranets and AI on Microsoft 365 | June 19-20, 2024 – Virtual
Community Days – Chicago | July 20, 2024 – Chicago, Illinois
M365 NYC (Community Days) | July 26, 2024 – New York City, NY
TechCon365 – DC | August 12-16, 2024
CollabDays Hamburg | August 31, 2024 – Hamburg, Germany
Power Platform Community Conference | Sept. 18-20, 2024 | Las Vegas
CollabDays – NE | Oct. 18, 2024 – Burlington, Massachusetts, USA
TechCon365 – Dallas | Nov. 11-15, 2024
Microsoft Ignite (+ more info) | Nov 18-22, 2024, “Save the date,” Chicago, IL
European SharePoint Conference | Dec 2-5, 2024 – Stockholm, Sweden
+ always review and share the CommunityDays.org website to find your next event.
Subscribe today!
Thanks for listening! If you like what you hear, we’d love for you to Subscribe, Rate and Review on iTunes or wherever you get your podcasts.
Be sure to visit our show page to hear all episodes, access the show notes, and get bonus content. And stay connected to the SharePoint community blog and where we’ll share more information per episode, guest insights, and take any questions or suggestions from our listeners and SharePoint users (TheIntrazone@microsoft.com).
Get The Intrazone anywhere and everywhere
Show page
Apple Podcasts
Google Play Music
Spotify
Pandora
Stitcher
Overcast
TuneIn
RadioPublic
iHeart
RSS
+ Listen to other Microsoft podcasts at aka.ms/microsoft/podcasts.
No longer have access to family organizer account
I no longer have access to my family organizer account. I’m almost certain it is under an old work email. Somehow, we got everything mixed up with my son’s Xbox account. Now, the account associated with my personal email says I’m 9 years old. As a “child” account, I’m severely limited on what I can do online. It’s quite frustrating. Can someone tell me how to change the family organizer when I can’t even access the account? Can I just delete all Microsoft accounts and start over?
Unable to create shared bookings page
Hi, I have been trying all methods to be able to create a booking page. The user is a global admin and even has a premium business account; I have assigned and reassigned their license, even turned Bookings off and on, and created a new policy, but I am still getting the same error, “Ugh-oh, there was a problem while creating your booking page”, and can’t find any solution, if someone could help out. The other user can create the booking page and is also a global admin, but I don’t know what the issue is with the user who can’t.
CoPilot is not appearing in Outlook or Teams for Mac
I applied new CoPilot licenses to three Mac users today. After several hours and restarts, CoPilot is still missing from Outlook and Teams.
In Outlook I have:
– confirmed they are using the new Outlook for Mac.
– confirmed they only have the one account in Outlook that is licensed.
– refreshed the license, and then restarted Outlook.
– opened copilot.microsoft.com in Safari and made sure they were logged in. (I saw this in another article, but not sure what it was supposed to do…)
In Teams, I:
– confirmed they were logged into the licensed account.
– tried to refresh the license, but this was not an option.
Any other ideas on how to fix?
Why is it possible to create broken 365 app config files?
I’ve been trying to configure Intune win32 deployable Office & 365 applications for my company, and it’s been driving me insane.
I used the deployment tool and the config creator to create deployments for Office, Visio, & Project.
Office worked fine, but Visio & Project have not been working at all. Just failing instantly.
I’ve just done hours of investigating and trial-and-error and have found the problem: Visio and Project are not available in en-gb language.
I tried installing through Intune (instant fail), then directly from the setup.exe with the config: instant fail. Neither gave any useful error information. I then changed the config to show the installation display (which was hidden, as it’s meant for mass deployment), which then said the language is not compatible.
I thought that had to be a mistake, why wouldn’t British English work? I then tried making it the same language as the device’s Office installation (also en-gb) using MatchInstalled, hoping it was just some bug – this seemed to work, it didn’t show the language error any more!
It was now showing a connectivity error. Ugh. I spent a while trying to diagnose this before changing the language in the config to en-us, and it worked instantly.
Why was I able to create the configs for Visio and Project using the official Microsoft tool with en-gb as the language when that was never going to work?
Prompt for credentials when different user tries to login with Microsoft Single Sign On using SAML
We have the below-mentioned requirement on our login screen.
User enters emailId in our application and selects Microsoft to login with that email Id.
User logs in to our platform with Microsoft SSO using SAML.
User then logs out from our application, not Microsoft.
User again tries to login to our application with a different Microsoft email Id.
Now here, as soon as we hit the Microsoft authentication URL, it automatically performs login with the first email Id (the account that is still active in the browser).
Is there a way that we can pass the email Id to Microsoft along with the authentication URL, or any other way, so that if the email Id is the same as the active user, it automatically signs the user in, but if the email Id passed is different from the signed-in accounts, then it will ask for authentication credentials?
Prompt Like a Pro: Transform your messages with Microsoft Copilot in Teams
Effective and efficient communication is key when it comes to managing your workday. Whether you’re collaborating with colleagues, discussing project details, or simply sharing updates in a chat, the way you convey your thoughts changes depending on who you are talking to. Microsoft Copilot in Teams’ chat and channels compose box is a powerful tool that helps take your messages to the next level. In this blog, we’ll cover what this AI-powered tool is, how to access and prompt with it, as well as an exciting new feature: Custom tone.
Rewrite your messages with Copilot in Teams chat and channels
Copilot can assist you in crafting more polished and coherent messages, straight from the text compose box in chat and channels. It goes beyond spell-checking and grammar correction; Copilot also suggests improvements, rewrites, and adjustments to enhance the clarity, tone, and impact of your messages. Whether you’re quickly responding to your coworker or sharing a detailed project update with a VP, Copilot has your back. If you have a Copilot for Microsoft 365 license, you can navigate to the message compose box anywhere in Teams and start crafting your message. To start rewriting, click on the Copilot icon in your chat box, press “Rewrite,” and watch your message instantly transform!
Get more specific rewrites with “Adjust”
With just a couple of clicks, I was able to improve my message before sending it to my team, all thanks to Copilot. But this is just the beginning. Next to the “Rewrite” button is the “Adjust” option, which lets you specify how you want your message to be altered. This allows you to adapt that message to whatever audience you are talking to, from a co-worker to a friend, your larger team, or even your manager. Simply choose from the range of options in the “Adjust” menu and change the length (concise or longer) or the tone (casual, professional, confident, or enthusiastic) of your message.
Not only is this an easy way to perfect your messages, but it does so without requiring you to type in any prompts. Just choose how you want to modify your message and Copilot does the work for you! If you need further editing, you can always refine your message by stacking different tones and lengths together. “Rewrite” is available for times when you don’t have any specific asks in mind for Copilot and want to use it more like a proofreader, and “Adjust” is there to give you specificity on what you want to change in your message. And remember, Copilot is the foundation of your message, but it is always important to proofread and confirm any generated content before you hit send.
Now available: Custom tone
While having Copilot do the work with those pre-set adjustment options is a great, no-prompt way to rewrite your messages quickly and efficiently, there is a new feature that allows you to tell Copilot exactly how you want to turn your writing into the best version of itself: Custom tone.
Custom tone takes everything touched upon with the “Adjust” feature and gives you the freedom to pick how Copilot can rewrite a message for you via an open prompt. With that comes the freedom to ask for multiple changes to be made, which Copilot will complete simultaneously in your rewrite. Do you want to add persuasive language to make your message more compelling? Or add additional context to your tone to give the right impression? Or turn a long sentence into a bulleted list before sharing it with your team? With custom tone, prompting how to change your message gives you the reins to make Copilot work exactly how you want it to.
Custom tone even allows you to bridge language barriers between global coworkers! Simply ask Copilot to translate your message to a specific language. For example, you can prompt that you want Copilot to make your message “longer and cheerful and in Spanish” and Copilot can apply those changes while translating instantly in the compose box – without you needing to leave your flow of work. Now, Copilot in Teams allows you to reach global audiences like never before, making it easier to write and receive messages adapted to you.
Teams messages – your next superpower
A lot of our workday is spent responding to messages in Teams. That may mean you are swamped with messages waiting to be responded to, some that are truly urgent and get buried by all your other unread chats and channels. With Copilot, you can respond faster and more effectively, driving collaboration forward. It helps reduce complexity for you as a writer, making it easier to land your message with each audience, faster. And you benefit as the message’s receiver, too – a message that is easier to understand allows you to act on it more deliberately. Thanks to Copilot, writing messages in Teams has never been easier, and it’s all thanks to an AI feature – powered by you.
Additional resources
For more examples of prompts that Copilot can help you with, check out Copilot Lab! Filter by specific Microsoft 365 apps to learn what prompts to use for meetings, in chats, and get tips for better optimized prompts with Copilot!
What’s coming next
If you’re already using Copilot in Teams, share your favorite prompts in the comments for the chance to get featured in a future “Prompt Like a Pro” blog spotlighting some community favorites! And be sure to follow the Teams MTC site so you never miss upcoming blogs. Before you know it, you will be prompting like a pro as well!
Copilot in Teams is constantly evolving and improving thanks to your input and feedback. If a Copilot prompt does not work the way you expect it to, let us know how by using the thumbs-down button that appears after a response.
Excel Glitch
Hi all,
Has anyone else come across these issues with Excel:
- When inserting a row, the page below the line moves but no line is inserted.
- Formulas work perfectly, then stop calculating; Calculate Now, etc. do not work, and I have to click in the cell and hit Enter to recalculate.
- Cutting: nothing seems to paste.
Thanks!
Data Hashing Issue
We are trying to insert the data from a temp table into the main table in SQL Server. We have encountered the below issue while hashing the data.
Please find below the query used for insertion and the error message we received.
INSERT INTO hash2(email) (SELECT CDWH_REP.DBO.UDF_HASHBYTES(‘SHA256’,email) as email from hash1)
USE [CD_REP]
GO
/****** Object: SqlAssembly [hashCLR] Script Date: 6/20/2024 9:12:06 AM ******/
CREATE ASSEMBLY [cryptohashCLR]
from (hashing_value)
WITH PERMISSION_SET = SAFE
GO
USE [CD_REP]
GO
/****** Object: UserDefinedFunction [dbo].[udf_hashBytes] Script Date: 6/20/2024 9:12:45 AM ******/
SET ANSI_NULLS OFF
GO
SET QUOTED_IDENTIFIER OFF
GO
CREATE FUNCTION [dbo].[udf_hash](@hashtype [nvarchar](max), @input [nvarchar](max))
RETURNS [nvarchar](max) WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [cryptohashCLR].[cryptohashCLR.SqlHash].[CLRHash]
GO
Note- We can successfully execute the same query in prod.
Msg 6522, Level 16, State 1, Line 4
A .NET Framework error occurred during execution of user-defined routine or aggregate “udf_hashBytes”:
System.Security.HostProtectionException: Attempted to perform an operation that was forbidden by the CLR host.
The protected resources (only available with full trust) were: All
The demanded resources were: MayLeakOnAbort
System.Security.HostProtectionException:
at System.RuntimeMethodHandle.PerformSecurityCheck(Object obj, RuntimeMethodHandleInternal method, RuntimeType parent, UInt32 invocationFlags)
at System.RuntimeMethodHandle.PerformSecurityCheck(Object obj, IRuntimeMethodInfo method, RuntimeType parent, UInt32 invocationFlags)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.SHA256Managed..ctor()
at cryptohashCLR.SqlHash.CLRHash(SqlString hashtype, SqlString input)
.
The statement has been terminated.
varible in link to another file or generating formula from a formula?
PC / Office 10
Excel version 2404
Likely over my head again, but …
I need to generate formulas in cells on a worksheet that look at cells on other sheets.
I need to be able to paste a list of part numbers and generate the reference in each cell.
- pasting the list in column A
All filenames/tabs/cell locations will be the pasted part number, plus the info contained in column P, labeled as suffix (the last 2 digits, ranging from 70 to 79, represent columns B-K, labeled as op 10-100).
The resulting desired formula is in column L, labeled as CONCAT results. From here, I would have to copy and paste as the results; I do not want that step either.
I’m sure there is a better way to do this …. is this even plausible?
Project for the Web – “Failed to load baseline” error on read-only records
Hello dear community,
We have deployed Project for the Web, as well as the Project Accelerator, in a dedicated Dataverse environment. We customized it for our own PPM needs. All works well except an error related to the loading of the baseline when people with a read-only security role try to open the Tasks tab of a project.
The message says “Failed to load baselines. Please try again later” with a correlation id.
It does not block other activities in the Tasks tab though.
We checked that they indeed get access through the expected security role. We then experimented changing the permissions:
Grant write permission on the 2 baseline-related tables (Project Baseline Data, Project Baseline Task Data) => No change. We reverted to read-only on those two tables.
Grant write permission on the Project table => This resolves the problem.
For information, we created that security role by copying the Project User role and granting only read permissions on all assigned tables for the “Parent: Child Business Unit”.
Though this indeed seems to resolve the problem, it does not constitute a valid solution since it grants unwanted write access.
Has any of you encountered similar issues?
Best regards,
Pascal