Lukas Beran
@lukasberan.com
Senior Security Researcher (DART) at Microsoft. Opinions are my own. #MSIncidentResponse #DART #Microsoft365 #EntraID #DefenderXDR #Sentinel
Pinned
Lukas Beran
@lukasberan.com
· Jan 29
📺 I have my own YouTube channel! 📺
I have started publishing detailed instructional videos primarily (but not exclusively) focused on cybersecurity and the Microsoft cloud.
If you don't want to miss out on interesting industry tips and tricks, be sure to subscribe. 👇 👇
www.youtube.com/@cswrldcom
Reposted by Lukas Beran
New video: 5 common Entra ID guests mistakes (Entra B2B)
• excessive directory visibility
• ignored cross-tenant defaults
• untrusted MFA & device states
• open SharePoint sharing
• no guest lifecycle
There's tons more! But here's a starter
WATCH: youtu.be/AXuj-U9p3jU
October 31, 2025 at 4:47 PM
Reposted by Lukas Beran
After yesterday's interesting #Copilot+#OneDrive event I took a much deeper look at the 'Add shortcut to OneDrive' #SharePoint feature.
Microsoft have declared this as the direction of travel.
At first it looked great. Until I dug deeper. What I found is pretty horrifying. Blog inbound...
October 9, 2025 at 8:28 PM
Chaos is exactly where our work begins. Our job is to bring clarity, calm, and momentum—fast.
Watch the video from my colleague Adrian Hill on our Microsoft Security blog.
www.microsoft.com/en-us/securi...
Calm in the Chaos | Security Insider
When threat actors strike, Microsoft’s Incident Response team steps into the chaos, not as a cyber SWAT team, but as calm, collaborative partners.
www.microsoft.com
October 9, 2025 at 7:41 PM
Reposted by Lukas Beran
Did you know Entra ID Protection never automatically clears Medium or High risk?
We either need to use Risk Based Conditional Access policies to remediate or an admin needs to manually remediate
User risk = password reset
Sign-in risk = require MFA
learn.microsoft.com/...
October 7, 2025 at 10:45 PM
Microsoft introduced a new Sentinel commitment tier for SMBs.
The 50 GB commitment tier is available in public preview, with promotional pricing starting October 1, 2025, until March 31, 2026. Customers who sign up during this period will lock in promotional pricing until March 31, 2027.
October 6, 2025 at 5:30 AM
Reposted by Lukas Beran
A 3 picture story of why you should default quarantine password protected files and enforce SmartScreen without allowing user bypass...
September 25, 2025 at 4:52 AM
Seriously, Apple?
That plastic-like white back on your silver flagship iPhone looks awful. This might be the ugliest iPhone ever, and I’m seriously thinking about returning it purely because of the design.
September 20, 2025 at 4:43 PM
Reposted by Lukas Beran
IMHO - Worry less about how long tokens are valid for, worry more about protecting the tokens, both on the client and during authentication
Obviously we need phishing resistant auth, but also focus on client hardening (app control, EDR, etc.) and VPN/ZTNA with enforced CAE
September 14, 2025 at 12:48 AM
Reposted by Lukas Beran
Wow, I totally missed this change!
Apparently since July, we've been able to use Asset rules management to use device details, like name, domain, OS, and other tags, to dynamically apply MDE-Management for MDE attach 😎
learn.microsoft.com/...
September 14, 2025 at 4:31 AM
Reposted by Lukas Beran
I love passkeys in Microsoft Authenticator, but rolling them out with Compliance and/or App Protection Policies has not been as easy as it should be...
But I have good news - we can create a better experience without introducing significant gaps :)
Improving passkey registration experiences
Let's see what we can do about minimizing passkey deployment issues with Compliance and App Protection Policy requirements :)
nathanmcnulty.com
September 10, 2025 at 2:50 AM
How to automatically update applications on computers in Microsoft Intune
Microsoft Intune does not have any built-in options for updating installed applications on Windows computers.
August 29, 2025 at 11:55 AM
Microsoft has been ranked #1 in the worldwide modern endpoint security market share for the third year in a row (IDC, 2024).
August 28, 2025 at 7:48 PM
Reposted by Lukas Beran
The financially motivated threat actor Storm-0501 has continuously evolved to achieve sharpened focus on cloud-based TTPs as their primary objective shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics. msft.it/63326sZC6E
Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog
Financially motivated threat actor Storm-0501 has continuously evolved their campaigns to achieve sharpened focus on cloud-based tactics, techniques, and procedures (TTPs). While the threat actor has been known for targeting hybrid cloud environments, their primary objective has shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.
msft.it
August 27, 2025 at 4:10 PM
For incident response to be successful, the proper tools and logging systems should be in place—but that is usually easier said than done.
August 27, 2025 at 3:20 PM
Reposted by Lukas Beran
Convenient reminder to stop what you’re doing and enforce browser extension allow listing.
August 27, 2025 at 6:08 AM
We’re excited to announce the general availability of Windows Backup for Organizations!
August 26, 2025 at 8:01 PM
Seamless SSO is a legacy setting only for very old and unsupported systems. If you have it turned on, go and turn it off. If you must keep it on, at least rotate the Kerberos decryption key every month.
Seamless SSO is a security risk, and many orgs enabled it without knowing and are now stuck wondering what might break if they turn it off...
Since Microsoft provides no help identifying actual usage, I did some research so you can safely turn it off :)
nathanmcnulty.com/bl...
August 26, 2025 at 4:34 AM
Get the latest Windows quality updates during the out-of-box experience (OOBE) by default.
This much awaited improvement is coming to your eligible Microsoft Entra joined or Microsoft Entra hybrid joined devices running Windows 11, version 22H2 and later.
August 25, 2025 at 7:51 PM
As enterprise defenses continue to mature, threat actors are shifting toward quieter, more efficient techniques. Attackers are increasingly using native tools and stealthy methods to operate under the radar.
August 25, 2025 at 7:48 PM
Reposted by Lukas Beran
One thing I always recommend when it comes to designing conditional access policies.
Never use a block policy when the same outcome can be achieved with a grant policy.
This blog post by Rakhesh is a good walkthrough why... 👇
Teams AOSP Phone; Conditional Access Blocks vs Grant
Had an interesting issue at work that we resolved today. It’s probably not relevant to most folks, but I enjoyed getting to the bottom of it with a colleague (who came up with the eventual fi…
rakhesh.com
August 23, 2025 at 7:47 PM
Reposted by Lukas Beran
I like my Lenovo hardware, and I want to keep it up to date with the latest drivers, firmware, and other software updates. In this small blog post, I will show you how you can do that using the LSUClient module from Jantari.
powershellisfun.com/2025/08/22/u...
#PowerShell #Lenovo #Update
PowerShell is fun :) Update your Lenovo using the LSUClient PowerShell module
I like my Lenovo hardware, and I want to keep it up to date with the latest drivers, firmware, and other software updates. In this small blog post, I will show you how you can do that using the LSU…
powershellisfun.com
August 22, 2025 at 9:06 PM
Reposted by Lukas Beran
Token Protection in Microsoft Entra Conditional Access for Windows is now GA! 🎉
#EntraID #Token
learn.microsoft.com/en-us/entra/...
August 22, 2025 at 4:56 PM
Reposted by Lukas Beran
New video: Why your Defender update settings are risky
- update types: engines, platforms, intelligence
- what is Microsoft’s 'Safe Deployment Practices' (SDP)?
- update rings in Defender (not just Windows)
- balancing rollout risk vs. protection
WATCH: youtu.be/trQv__-Z9-8
August 18, 2025 at 1:06 PM
Microsoft has announced the public preview of the Phishing Triage Agent in Microsoft Defender!
August 17, 2025 at 5:35 AM