User Profile
bart_vermeersch
Steel Contributor
Joined 9 years ago
Recent Discussions
(non-) interactive user sign-ins are missing from Enterprise applications
For the past one or two weeks, Enterprise Applications hasn't been showing the user sign-ins anymore. According to the support ticket we opened, this was removed "by design". There used to be four tabs, but the interactive and non-interactive user sign-ins are now gone. This doesn't make a lot of sense to me: while investing in additional tools (like app governance) to better monitor the security of the applications, info on who is using the application has to be found somewhere else (e.g. filtering all user sign-ins).
4K Views, 0 likes, 3 Comments
Conditional Access Policy: Only allow access to a limited set of applications
We have a group of users for which we'd like to limit the applications they can sign in to, using conditional access. That should be easy with Conditional Access, we thought: just block access and exclude the five applications they need. But we ran into an issue with MFA... The users are unable to set/change their MFA settings because myaccounts.microsoft.com is also blocked and cannot be added as an excluded application. It is not available in the GUI, and we're unable to add it using the PS/Graph. Any suggestions on how to solve this? Thanks!
Solved, 2.7K Views, 1 like, 4 Comments
Activity details: Sign ins tab contains very old and already deleted conditional access policies??
We're a bit surprised (and worried) to see very old conditional access policies, which were deleted months ago, resurface on the Sign ins tab in the sign-in logs of AAD. By accident we stumbled upon a few user sign-in logs with references to non-existing conditional access policies. On the pane below, we see 30 policies listed for these sign-ins while we currently have fewer than 10 conditional access policies. Most sign-ins are OK and just list the existing policies. Anyone else seen this weird and worrisome behavior?
685 Views, 0 likes, 2 Comments
user consent instead of admin consent
We have enabled the "Admin consent flows" for OAuth permissions. If OAuth permissions are approved now, they get Admin consent for the entire organisation. Would it be possible (if needed by script) to approve OAuth permissions only for specific users through an admin account?
740 Views, 0 likes, 0 Comments
Domain joined & MDM managed
I find a lot of conflicting info on: Is it possible to manage (using MDM) a domain joined device without registering/joining it with Azure AD? Based on our tests, it seems possible. What is the impact on the MDM management when the device is or isn't registered/joined to Azure AD? Thanks!
Solved, 4.3K Views, 0 likes, 3 Comments
Device detail page in MCAS
On the user account detail page, you have links to the activities page of that user and to the Azure AD page. It would be such a time saver if you could provide similar links on the device detail page to the activities on that device (not only the alerts) (and if possible to the Azure AD or endpoint manager page). Looking forward to this!! Thanks Bart
Resource access activity
Where can we find more info on the following activities logged by Azure ATP? What is the difference between those two:
Resource access:devicexxxx, property xxxx/xxxx
Resource access:propertySpnsxxx/xxxx, userxxxx
What could cause a lot of these activities by one user? Can this indicate kerberoasting? https://www.eshlomo.us/kerberoasting-extracting-service-account-password/
3.5K Views, 0 likes, 0 Comments
User info for Failed log on (AccountDisabled, WrongPassword, UnknownUser)
When reviewing Failed log on events in MCAS (from Azure ATP), user info is often not visible in the list. It would be so much easier if the sourceAccountName is always displayed in the User column. Now we have to click each item to open and see the sourceAccountName in the activity object (upon hovering) when it's a computer object or an unknown user.
1.6K Views, 0 likes, 0 Comments
Recent Blog Articles
Re: Notes from the field: Using app-only authentication with customized RBAC roles in Exchange Onlin
According to the documentation, signing in with Managed Identities is also supported for Azure Automation and Azure VMs. Should this also work for Azure functions? Connect-ExchangeOnline -Mana...
0 likes, 0 Comments