M365 Show Podcast

Mirko Peters

Welcome to the M365 Show — your essential podcast for everything Microsoft 365, Azure, and beyond. Join us as we explore the latest developments across Power BI, Power Platform, Microsoft Teams, Viva, Fabric, Purview, Security, and the entire Microsoft ecosystem. Each episode delivers expert insights, real-world use cases, best practices, and interviews with industry leaders to help you stay ahead in the fast-moving world of cloud, collaboration, and data innovation. Whether you're an IT professional, business leader, developer, or data enthusiast, the M365 Show brings the knowledge, trends, and strategies you need to thrive in the modern digital workplace. Tune in, level up, and make the most of everything Microsoft has to offer. Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.

  1. MCP & Semantic Kernel: Building AI Agents That Take Action, Not Just Chat

    5 HOURS AGO

    MCP & Semantic Kernel: Building AI Agents That Take Action, Not Just Chat

    Ah! You’re wasting AI on small talk. Pure power trapped in chit-chat. In this episode, we break open the containment field and show you how to turn AI from a polite conversationalist into a fully-acting IT Operations agent—one that plans, executes, verifies, and stays inside governance at all times. You’ll learn exactly how modern enterprise teams are using Semantic Kernel, MCP, and Azure OpenAI tool-calling with Managed Identity to auto-remediate incidents, reduce MTTR, eliminate hundreds of service desk tickets, and create predictable, auditable workflows. This isn’t theory—it’s the blueprint.

    🎯 Episode Focus — From Answering to Acting

    Traditional chatbots whisper advice. Acting agents do the work. We explore the shift from static Q&A loops to a closed-loop cycle:

    Intention → Plan → Tool Use → Result → Self-Check → Next Step

    Learn why this pattern unlocks automation in Microsoft environments without sacrificing safety, compliance, or observability.

    Micro-Story: A real SRE team wired an agent to monitor high CPU alerts, correlate with deployments, drain faulty nodes, roll back the slot, and post an incident summary—all before the human even rolled out of bed. Not magic. Orchestration.

    🔌 Why Microsoft Shops Win Big: MCP + SK + Managed Identity

    Three components snap together and give you enterprise-grade capability:

    🔧 MCP (Model Context Protocol): The Wiring
    - Tools describe themselves with standards and schemas
    - Microsoft Graph, Intune, Service Health, internal APIs become discoverable
    - No brittle plugins or secret adapters
    - Add new capabilities without redeploying anything
    MCP makes your tools visible.

    🧠 Semantic Kernel: The Orchestration Layer
    - Turns MCP tools into callable kernel functions
    - Handles planning: sequential, parallel, or graph-shaped tasks
    - Auto-builds JSON schemas models expect
    - Removes the need for hand-crafted payloads
    SK shapes the plan and the calls.

    🔐 Azure OpenAI + Managed Identity: The Containment Field
    - Model decides what, identity decides what’s allowed
    - Tokens are never exposed
    - Each action is access-controlled at the tool boundary
    - High-risk actions require approval tokens
    Identity contains the blast radius.

    🧬 The Six-Part Agent Molecule: Build Stable, Reliable Agents

    A high-functioning IT Ops agent is built from a six-part molecule:
    - Persona — SRE temperament encoded (cautious, concise, safety-first).
    - Memory — Short-term context + durable environmental facts.
    - Planner — Decomposes tasks into safe, verifiable steps.
    - Tools — MCP-exposed actuators and sensors.
    - Policy — Identity controls, approvals, guardrails.
    - Verifier — Post-action checks: metrics, probes, risk state.
    Miss one of these parts and your agent becomes unpredictable.

    ⚙ Blueprint 1 — SK Planner + Graph via MCP (IT Ops)

    We walk through a concrete pattern for post-deployment error spikes:

    Goal: Recover from elevated 5xx while minimizing blast radius.

    Tools (via MCP):
    - AppInsightsQuery
    - GraphServiceHealth
    - GraphChangeLog
    - DrainSubsetByBuild
    - RollbackSlot
    - PostIncidentNote

    Plan:
    - Assess: Query metrics, deployments, health advisories (parallel).
    - Decide: Pick the narrowest safe fix—e.g., drain a bad build subset.
    - Act: Perform drainage or rollback with identity-scoped tools.
    - Verify: Require P95 + 5xx improvement before declaring success.
    - Report: Summaries, graphs, dashboards, change IDs.
    Key win: Narrow-first fixes prevent unnecessary rollbacks.

    🔧 Blueprint 2 — Azure OpenAI Tool-Calling with Managed Identity

    This blueprint shows how to let the model act without ever handing out credentials.

    Example: Password Reset Automation
    - Agent validates user status via Graph
    - Checks MFA, riskState, and role assignments
    - Performs compliant reset (MI scopes enforce safety)
    - Notifies user and closes ITSM ticket
    - Verifies sign-in status or risk flag after reset
    Policy encoded in tools ensures governance is non-negotiable.

    🛠 Blueprint 3 — Closed-Loop Auto-Remediation

    The crown jewel: a fully contained remediation loop.

    Flow:
    - Triggered by telemetry or incident
    - Multi-branch assessment for root-cause hints
    - Narrow corrective action first (drain, isolate, scale)
    - Approval-gated high-risk actions (rollback, redeploy)
    - Continuous verification with App Insights
    - Auto-reporting with evidence
    Closed-loop means no guessing—an agent proves the outcome.

    📈 Business Outcomes: Why This Actually Matters

    Beyond the tech, we break down real business impacts:
    - 40–70% reduction in MTTR for repeatable failure modes
    - 60–90% ticket deflection for onboarding and identity issues
    - 50% faster change cycles with Parallel Assess → Safe Action
    - Lower burnout and attrition in SRE/on-call teams
    - Audit-ready logs for every action—no mystery behavior
    - Risk compression thanks to identity-scoped tools and approvals
    Automation stops being magic—it becomes measurable.

    🛡 Guardrails & Responsibility: Safety as Physics

    We detail the guardrails that prevent chaos:
    - Split Managed Identities (read vs. write vs. high-risk)
    - Hard-coded schema constraints for dangerous operations
    - Approval tokens enforced by the tool, not the prompt
    - Immutable audit envelopes for every tool call
    - Red-team testing for bypass attempts and prompt injections
    - Scope-drift monitoring on tools and identities
    - Privacy guarantees for sensitive data
    - Failure choreography: safe fallback → escalate → contextual summary
    - Model rotation behind stable tool contracts
    Governance isn’t vibes—it’s encoded in the tool boundary.

    🏁 Conclusion — The Agent Era Starts Now

    If you remember nothing else: SK orchestrates. MCP connects. Foundry governs. Managed Identity contains. Verification proves. Start with one narrow flow—like drain-then-verify for post-deploy spikes—and scale safely outward.

    Subscribe for next week’s episode: The Minimal Viable RAG Pipeline for Enterprise Truth: Chunking, Guardrails, Evaluations, and Cost Control. Delicious security awaits.

    Follow us on: LinkedIn, Substack

    42 min
  2. RAG vs Copilot: When You Need Your Own AI — and When You Don’t

    17 HOURS AGO

    RAG vs Copilot: When You Need Your Own AI — and When You Don’t

    Your tenant is humming. Your files are stacked like rusted steel. You need answers — fast. But not guesses. This episode tears into one of the most misunderstood decisions in modern enterprise AI: Should you rely on Microsoft Copilot, or build a Retrieval-Augmented Generation (RAG) pipeline that cites from your own knowledge?

    Most teams get this wrong. They assume Copilot “knows everything.” They assume RAG is “too hard.” They assume accuracy magically appears on its own. And then they pay for it — in rework, bad decisions, broken trust, and a service desk drowning under repeat questions. We’re here to stop that.

    What You’ll Learn in This Deep-Dive Episode

    🚀 Copilot: Powerful, Fast… and Bounded

    We break down how Copilot actually works — an M365-native assistant that walks Outlook alleys, Teams threads, SharePoint sites, and OneDrive folders you already have rights to. Perfect for:
    - Drafting emails, briefs, and meeting notes
    - Summaries and rewrites in your voice
    - Surfacing documents inside your permissions
    - Fast context on work already in your lane
    Copilot saves minutes per move — but we expose the moment it falls apart: when the truth you need lives outside the M365 glow.

    🛑 Where Copilot Quietly Fails (and Why It’s Not Its Fault)

    Organizations destroy their own trust when they ask Copilot questions it was never designed to answer:
    - Outdated PDFs on a file share
    - Device baselines split across three contradictory versions
    - SOPs buried across wikis, Word docs, and tribal knowledge
    - ERP/CRM fields living in systems Copilot can’t see
    When Copilot can’t reach the right source, it doesn’t tell you it’s blind — it gives its best guess. Good tone. Bad facts. Big risk.

    📚 RAG: Your AI Librarian With Receipts

    The RAG Breakdown (No Hype, Just Reality):
    - Retrieval: Clean, chunk, tag, and index your docs with metadata and vector embeddings
    - Augmentation: Find only the most relevant chunks at query time
    - Generation: Have the model answer only from those cites, with “don’t know” when blind
    It’s not a model trick. It’s a discipline — an information supply chain built for accuracy.

    With RAG:
    - Every answer is grounded in your sources
    - Citations are mandatory
    - Contradictions surface instead of hiding
    - Policies and SOPs are always up-to-date after reindexing
    - Trust skyrockets because nothing is invented
    If Copilot is speed, RAG is truth.

    🏭 Case Study: The Global Manufacturer That Turned Chaos Into Clarity

    We walk through a real (anonymized) transformation:

    Before RAG:
    - 4,800+ policy files scattered everywhere
    - Conflicting versions, duplicated PDFs, outdated baselines
    - 12–15 repeat questions hitting the service desk daily
    - Copilot helping only on shallow tasks
    - Employees guessing because finding the right doc was too slow

    After RAG on Azure:
    - Unified index across SharePoint + file servers
    - Every clause chunked, dated, tagged, owned
    - Hybrid semantic search for precision
    - Teams agent returning answers with citations in seconds
    - Service desk load dropped by a third
    - Contradictions surfaced and fixed in days, not months
    - Leadership finally trusted the documentation again
    Not because the model was smarter — but because the library was.

    💡 Credibility Boosters: Why RAG Wins Enterprise Trust

    You’ll hear the key lines from real teams:
    - “The biggest win wasn’t speed — it was accuracy.”
    - “Users trusted the answers because citations were mandatory.”
    - “We didn’t retrain anything. We just fixed our data.”

    RAG is the only approach where:
    - Every answer is auditable
    - Every source is traceable
    - Every contradiction is fixable
    - Every update is immediate after reindexing
    In enterprise, this isn’t optional — it’s survival.

    🧭 How to Actually Choose Between Copilot and RAG

    We give you the simple, crystal-clear filter:

    Use Copilot when:
    ✔ You’re working inside M365
    ✔ You need a draft, summary, rewrite, or quick info
    ✔ Governance + simplicity outweigh precision
    ✔ You don’t need strict citations or cross-system truth

    Use RAG when:
    ✔ Correctness beats speed
    ✔ Answers must cite specific clauses
    ✔ Knowledge lives outside M365
    ✔ Policies, SOPs, or baselines shift often
    ✔ You depend on ERP/CRM/LOB data
    ✔ Repeatability matters — same question, same answer, same source

    Copilot is your runner. RAG is your librarian. Know which city you’re operating in.

    🔥 Up Next: The RAG Blueprint Episode

    Subscribe now — the next episode breaks down the minimal viable RAG pipeline, costs, architecture, chunking strategy, evaluation techniques, and guardrails you must implement to avoid hallucinations and blowback. Make the call. Pick the lane. Build the truth.

    26 min
  3. Why Your Intune Deployment Is A Security Risk

    1 DAY AGO

    Why Your Intune Deployment Is A Security Risk

    In this episode, we walk into the Intune habitat and zoom in on five subtle misconfigurations that quietly invite attackers into your Microsoft 365 ecosystem. Your deployment might look calm. Policies are assigned. Devices report in. Compliance dashboards show a reassuring shade of green. And yet:
    - A single weak Conditional Access policy
    - A missing baseline on just one device group
    - A standing admin role that never sleeps
    - A fleet of unmanaged BYOD devices at the edge
    - Or reckless policy and update rings
    …is all it takes to turn a fleeting misstep into a costly breach.

    This episode breaks down what’s dangerous, why it fails, and exactly how to fix it — in the Intune admin center and via Graph/PowerShell — plus a short field audit ritual you can run every week. One small adjustment in Intune can prevent a minor oversight from becoming your next incident report.

    🧨 What You’ll Learn

    By the end of this episode, you’ll know how to:
    - Recognize the five most damaging Intune misconfigurations in modern cloud environments
    - Connect device compliance, Conditional Access, PIM, and BYOD into one coherent Zero Trust story
    - Use report-only, rings, and baselines to change posture safely without breaking half your users
    - Turn intuitive hunches (“this feels unsafe”) into hard evidence you can show leadership
    - Run a practical Intune + Entra + PowerShell field audit that validates reality instead of assumptions

    🌍 The Threat Landscape Shaping Intune Risk

    We start with the environment your Intune instance actually lives in:
    - Attackers hunt identities, not just unpatched software
    - Password spraying leads to token theft and OAuth abuse
    - A single over-privileged app with offline_access converts one bad sign-in into broad, quiet access
    - Misconfigurations don’t just add risk — they multiply it

    You’ll hear how:
    - Device compliance, Conditional Access, and privileged access must work together
    - A compliant device signal with weak policies is a timid bird — decorative, not protective
    - Privileged roles left “always on” act like apex predators, reshaping the environment with a single mistake
    - Unmanaged BYOD and chaotic update rings create shadow corridors and shockwaves that attackers exploit
    The takeaway: Intune is not the fortress — it’s the field instrument that measures device health and feeds identity the posture it needs to enforce Zero Trust.

    ⚠️ Misconfiguration #1: Weak Conditional Access — Identity Gates Left Ajar

    We zoom in on the first failure pattern: Conditional Access policies that exist, but don’t bite. You’ll learn:
    - How over-broad exclusions, “trusted” executive groups, and named locations become private tunnels for attackers
    - Why basic/legacy authentication silently bypasses MFA and still lands tokens
    - What a resilient Conditional Access design actually looks like:
      - One policy enforcing MFA for all cloud apps
      - A second requiring compliant devices for Exchange, SharePoint, admin portals
      - A third reacting to risk (medium = step-up, high = block)

    We walk through:
    - Building policies in report-only mode
    - Using Insights and reporting to see who would break, and which flows use legacy auth
    - Designing two break-glass accounts and nothing else exempt
    - Using Graph/PowerShell to export all CA policies, states, assignments, and old report-only rules that never got enforced

    You get a concrete quick win: Create a pilot CA policy in report-only that requires MFA + compliant device for Exchange/SharePoint, and a second that blocks legacy auth. After 7 days of telemetry, enforce in rings.
    🛡 Misconfiguration #2: Missing or Divergent Security Baselines — Posture Drift

    Next, we watch posture drift creep in:
    - Browsers quietly drop protections
    - Defender rules loosen “just for a test”
    - Unsigned code runs because of one old exception no one remembers

    You’ll learn:
    - Why security baselines are your gravity: Windows, Defender, Edge
    - How building everything from scratch without baselines guarantees inconsistency and unintended gaps
    - How to use:
      - Intune Security baselines for Windows/Defender/Edge
      - The baseline comparison view to see where your environment drifts
      - A structured exception model: reason, owner, expiry

    We cover:
    - Aligning compliance policies to baselines so “compliant device” actually means “meets our baseline”
    - Resolving conflicts with Group Policy and overlapping MDM profiles
    - Reporting on per-setting success/conflict and mapping drift back to ring groups with Graph/PowerShell

    Quick win: Assign the Windows security baseline to a pilot ring today, clean conflicts, then tie a compliance policy + Conditional Access to those settings for your high-value apps.
    👑 Misconfiguration #3: PIM Gaps and Standing Admin Access — Privileges That Never Sleep

    Here we meet the apex roles:
    - Global Admin
    - Privileged Role Admin
    - Intune Service Administrator

    You’ll see why always-on admin rights are a standing invitation:
    - One stolen session = full control
    - One hasty approval = tenant-wide blast radius

    We dive into:
    - Moving from standing access to just-in-time (JIT) with Privileged Identity Management (PIM)
    - Making admin roles eligible, not permanent
    - Requiring:
      - MFA on every activation
      - Justification
      - Approvals for high-impact roles
      - Short activation windows (2–4 hours)

    You also learn how to:
    - Bind PIM activations to Conditional Access so they only happen from compliant devices
    - Design and monitor break-glass accounts properly
    - Use PIM audit history and Graph/PowerShell to report:
      - Who activates most
      - When
      - For how long
      - Where standing access still exists

    Quick win: Pick one high-impact role (e.g., Intune Service Administrator), convert all active assignments to eligible, enforce MFA + justification, and add an approver. Then expand to other apex roles.

    🕶 Misconfiguration #4: Unmanaged BYOD & Compliance Gaps — Shadow Creatures at the Perimeter

    We move to the edges of the habitat: personal devices and half-managed endpoints. You’ll see:
    - How unmanaged BYOD silently carries valid tokens and corporate data off your estate
    - How old mail clients and basic auth on personal laptops undo your entire MFA story
    - Why attackers love the “trusted” contractor laptop and ungoverned mobile access

    We walk through a balanced model:
    - Corporate devices → full Intune enrollment + compliance + Conditional Access (require compliant device)
    - Personal devices → app protection (MAM) with approved apps (Outlook, Teams, OneDrive) + Conditional Access (require approved client app)
    - Tenant-wide →

    30 min
  4. Why Your Threat Analytics Is Useless (The Report You Missed)

    1 DAY AGO

    Why Your Threat Analytics Is Useless (The Report You Missed)

    In this episode, we break open one of the most misunderstood security capabilities in Microsoft 365: Threat Analytics. Not the dashboard you scroll past. Not the report you skim. The living, breathing intelligence engine that can slash dwell time, expose hidden attack paths, and transform your SOC from reactive to relentless.

    Most organizations never use Threat Analytics the way it was designed. They read the headline but skip the MITRE mapping. They see recommendations but never bind them to Secure Score actions or owners. They ignore the tenant-specific exposure panel that quietly says, “This is happening here.” Today, we fix that.

    🔥 What This Episode Delivers

    The hard truth (and the promise)

    We begin with a call to awareness: Threat Analytics isn’t useless — it’s unused. Attackers walk through doors we should have closed. This episode teaches a single pattern that saves you from that: read → test → act → verify. Not someday. Today.

    1. What Threat Analytics really is — and what it’s not

    You’ll learn how Threat Analytics combines global threat intelligence, Microsoft IR experience, MITRE ATT&CK mapping, tenant-specific exposure, and actionable recommendations into one unified signal. We explore:
    - How to extract techniques and artifacts
    - How to interpret the exposure panel
    - Why recommendations are not “ideas,” but enforceable controls
    - How Threat Analytics links incidents and Secure Score into one defensive narrative
    This section gives listeners a blueprint for understanding the full value of the feature, not just what appears at the top of the page.

    2. The three oversights that make security teams blind

    We uncover the three habits that turn Threat Analytics into a passive newsletter:
    - Skipping MITRE techniques and exposure data
    - Treating recommendations as optional
    - Ignoring device and account evidence
    You’ll learn why these oversights add days to dwell time and how to flip them into strengths with simple structural fixes.

    3. The One-Hour Method — turn any report into action

    This is the heart of the episode: a 60-minute workflow your team can run every week. You’ll learn how to:
    - Select the right report
    - Extract techniques, TTPs, and artifacts
    - Build targeted hunting queries in Defender
    - Correlate findings to incidents
    - Assign Secure Score controls with owners and SLAs
    - Verify protections, rerun queries, and document outcomes
    This method reduces time-to-detect and closes attack paths with ruthless consistency.

    4. Two real detection gaps — and how to close them

    We walk through two live threat paths that regularly bypass unstructured SOCs:
    - Phishing → OAuth consent abuse → token replay
    - Living-off-the-land persistence through script interpreters and abused binaries
    You’ll hear exactly how to hunt them, which events reveal them, which policies block them, and how Threat Analytics guides the remediation.

    5. Measurement and governance that actually prove value

    Security programs fail without metrics. We show you how to measure what matters:
    - Time-to-detect (TTD)
    - Named attack paths closed by technique
    - Secure Score controls enacted from real reports
    - Exposure changes across your tenant
    You’ll walk away knowing how to build dashboards that make improvement visible — daily, weekly, monthly.

    ✨ Why This Episode Is a Must-Listen

    If you defend Microsoft 365, this episode teaches you how to:
    - Turn global intelligence into tenant-specific action
    - Shorten dwell time using repeatable workflows
    - Improve Secure Score based on real threats
    - Communicate risk and progress to leadership
    - Close attack paths with evidence, not hope
    It’s practical. It’s repeatable. And it’s framed in a narrative style that makes the lessons unforgettable.

    🎧 Listen Now

    If you’re responsible for M365 security, SOC operations, DFIR, governance, or cloud architecture, this is one of the most actionable episodes you’ll hear all year. Read with intent. Test with precision. Act with ownership. Verify with evidence. This is the covenant in the cloud.

    29 min
  5. The M365 Audit Logs You're Ignoring: Why Zero Trust is a Lie Without Them

    2 DAYS AGO

    The M365 Audit Logs You're Ignoring: Why Zero Trust is a Lie Without Them

    An account pulled down 12,000 SharePoint files in 20 minutes. No malware, no DLP alert, no blocked session. Zero Trust said “allowed.” In this episode, we dissect why Zero Trust without audit evidence is policy theater—and how to fix it. You’ll learn how to fuse Entra sign-in risk, the Microsoft 365 Unified Audit Log, Purview policy edits, and Copilot interactions into one coherent timeline. We finish by reconstructing a quiet exfiltration case step by step and give you concrete detection recipes, KQL ideas, and automation patterns you can deploy in your own tenant.

    Opening – The Anomaly Zero Trust Can’t Explain

    It starts with a warning and ends with silence: One account downloads 12,000 SharePoint files in under 20 minutes. No malware. No DLP alert. Conditional Access says “allowed.”

    The thesis: Zero Trust without audit evidence is policy theater. Verification isn’t a checkbox; it’s a trail.

    In this episode, we:
    - Pull from four log sources:
      - Entra ID sign-in & risk
      - Microsoft 365 Unified Audit Log (UAL)
      - Purview retention & policy changes
      - Copilot interaction logs
    - Show the one log pivot that reliably exposes data staging
    - Reconstruct a real-style exfiltration case, end to end
    - Turn it into queries, alerts, dashboards, and automation

    Section 1 – Entra ID Sign-in & Risk: Verify the Verifier

    Every breach still begins with an identity. Entra’s risk signals are your earliest warning—but only if you keep them long enough and correlate them correctly.

    Key points:
    - Entra splits visibility:
      - Risky sign-ins: ~30-day window
      - Risk detections: often ~90 days
      If you only review risky sign-ins, you lose early signals and can’t reconstruct the path later.
    - Three streams you must track together:
      - Risky sign-ins – the attempts and outcomes
      - Risk detections – patterns like anomalous token or AiTM
      - Workload identity anomalies – service principals behaving like users
    - High-priority detections:
      - Anomalous token → session theft / replay
      - Attacker-in-the-middle → sign-in through a malicious proxy
      - Unfamiliar sign-in properties → new device / client / IP combos
    - The catch: Conditional Access can “succeed” while the threat remains.
      - Medium-risk sign-in → prompt for MFA → success → session allowed.
      - Repeated medium risk over days correlates strongly with later data staging.

    What to actually do:
    - Join sign-ins with Conditional Access evaluation so every successful auth carries:
      - UserId, AppId, IP, DeviceId, derived SessionId
      - RiskDetail, RiskLevel at event time
      - Which CA policy allowed / challenged it
    - Patterns to alert on:
      - Repeated medium-risk sign-ins: 3+ in 7 days from distinct ASNs / IP ranges → investigation, not “business as usual”
      - Workload identities suddenly authenticating from public IPs or gaining new API permissions
      - If risk >= high and token anomalies present → force sign-out and require password reset
    - Retention hygiene:
      - Export risky sign-ins weekly beyond the 30-day window.
      - Keep risk detections in your SIEM for 180 days+ so you can replay the first 12 hours when it matters.

    Bottom line: verify the verifier. The sign-in narrative is the prologue. The story starts when movement begins.

    Section 2 – Unified Audit Log: Trace Lateral Movement Across Workloads

    Once the door opens, the Unified Audit Log is your ledger. It captures cross-service movement: Exchange, SharePoint, OneDrive, Teams, and admin actions in one place.

    Why it matters: Real attackers don’t stay in one workload. They:
    - Add mailbox forwarding rules
    - Change SharePoint permissions
    - Register new sync clients
    - Create sharing links that bypass normal paths

    Three lenses to apply to the UAL:
    - Identity lens – UserId, AppId, ClientIP, SessionKey
    - Privilege lens – mailbox permissions, site admin changes, role assignments
    - Data lens – FileDownloaded, FileAccessed, FileSyncAdded, SharingLinkCreated
    Core idea: Privilege change + data surge = staging, not collaboration.

    Better than raw “mass download”: Build per-user baselines and look for change from baseline:
    - User normally touches ~20 files per day
    - Suddenly touches 800 unique items across two sites in 30 minutes
    - Plus: new sync relationship and wider sharing links → staging, not sync

    Kill chain reconstruction uses patterns like:
    - Set-InboxRule or Set-Mailbox forwarding externally
    - Followed by a burst of SharePoint FileDownloaded in that same session
    - Plus SharingLinkCreated with “Anyone” or “Organization” scope

    Practical moves:
    - Stream UAL via the Management Activity API into Sentinel/Log Analytics
    - Normalize by: UserId, ClientIP, Operation, ObjectId, RecordType, Timestamp
    - Build session keys (User + IP + App + 30–45 min bin) and aggregate: UniqueFiles, UniqueSites, privilege-change flags, sharing-scope changes

    41 min
  6. Why Your M365 Security Fails Against Social Engineering

    2 DAYS AGO

    Why Your M365 Security Fails Against Social Engineering

    Attention, valued knowledge workers. By order of the Productivity Council, your Microsoft 365 defenses are failing precisely where human judgment collides with ambiguous policy. Many assume MFA, EDR, and secure score form an adequate perimeter. They do not. They do not arrest consent exploitation, device-code laundering, or Teams pretexting executed under your own brand. Here is the operational truth: adversaries enter through official channels and harvest trust at line speed. The Council will present five incident case files and the corrective doctrine—policies, detections, user protocols, and tooling. One misconfiguration currently nullifies your MFA entirely. Remember it. Its name will be issued shortly.

    Citizens, this is the formal record of Authority Theater. The adversary enters not through malware nor brute force, but through Teams external federation—the front door you assumed was screened. A profile appears: “IT Support – Priority”. Microsoft-colored avatar. Crisp timing. The message asserts a routine authentication irregularity and promises expedited resolution. A verification number follows. Familiar. Harmless-looking.

    The intended mechanism is approval fatigue. The victim, already conditioned by countless legitimate prompts, approves the MFA request to “resolve the issue.” In that instant, an attacker-in-the-middle relay kit captures the session token. The mailbox changes. The SharePoint site syncs. Teams threads flicker with unseen edits. Compliance evaporates silently.

    Failure Analysis

    This breach does not demonstrate adversary brilliance—it reveals policy ambiguity.
    - External access defaults remain permissive. Most tenants allow any federated domain to message any user.
    - Message hygiene is not enforced. Unsolicited DMs from new tenants are not quarantined or rate-limited.
    - Risk policies operate independently of collaboration channels. A risky session triggered from a Teams-initiated elevation looks “normal” to identity systems.
    - Verification protocol does not exist. Users cannot distinguish a sanctioned IT outreach from an adversarial pretext.
    This is not failure of technology; it is failure of ceremony.

    Corrective Doctrine

    The following orders are mandatory:

    1. Restrict External Federation
    Disable Teams external federation entirely, or narrow it to an explicit allow list of partner domains.
    - In Teams Admin Center: External access → Deny by default. Add only verified partner tenants.
    - Use shared channels for legitimate collaboration; forbid unsolicited tenant-to-tenant DMs.
    - Enable Safe Links for Teams with real-time detonation to scrub URLs before delivery.

    2. Treat Teams as an Elevation Vector
    Teams is an identity elevator and must be governed as such. Conditional Access requirements:
    - Require compliant device for any Teams-initiated access to Exchange, SharePoint, or admin portals.
    - Enforce phishing-resistant authentication strengths (FIDO2, CBA) for privileged workloads.
    - For risky sign-ins: restrict to web-only, block download, and require reauthentication before sensitive operations.
    - Shorten sign-in frequency for elevated roles—durable exposure is unacceptable.

    3. Detection: The But/Therefore Chain
    Detection must acknowledge the causal pattern: A message appears → therefore an MFA prompt follows → therefore elevation is attempted.
    Correlate:
    - Inbound external DMs from unseen tenants
    - MFA prompt clusters in five-minute windows
    - Device context mismatches (consumer IP → corporate elevation)
    - Sudden mailbox or SharePoint privilege activity
    SIEM must ingest these as a single incident chain, not discrete noise.

    4. User Protocol: Verification Rituals
    Training is procedural, not optional.
    - Verification Phrase Protocol: All legitimate IT outreach includes a rotating phrase listed on the intranet. No phrase, no action.
    - Code-over-Voice Prohibition: Citizens are forbidden to read codes, numbers, device codes, or MFA digits into chat, SMS, or voicemail. Ever.
    - Mandatory Pause Rule: Stop. Verify using the Service Desk number printed on the badge—not the number in the message. Proceed only upon confirmation.

    5. Instructional Micro-Story
    08:12. A finance analyst receives a DM titled “Payroll Lock.” A prompt appears. They decline. They invoke the pause rule. The Service Desk confirms no ticket exists. Security correlates the DM with deviceAuth endpoint hits, blocks access, and revokes tokens. A breach evaporates because a protocol, not improvisation, controlled the moment.

    6. Tooling Enforcement
    Activate:
    - Defender for Office Safe Links in Teams
    - Defender for Cloud Apps policies for mass external messaging, anomalous OAuth consent seeded from Teams
    - UEBA baselines for chat frequency, external-tenant ratios, and time-of-day anomalies
    - SOAR responses that isolate sessions and enforce FIDO2 reauthentication when Teams-to-MFA patterns appear

    Closing Directive

    Teams is not a chat room. It is an identity surface. Therefore, supervision is compulsory. If external messaging is not business-critical, disable it. If it is, confine it under governance. When chat pretext fails under verification friction, adversaries pivot. They reach for device code flows, capturing cooperation without asking for a password. Case File II will document that pivot. Mandatory compliance is appreciated.

    44 min
  7. Teams Channels Are Not Secure By Default: The Admin Lie

    3 days ago

    Teams Channels Are Not Secure By Default: The Admin Lie

    Teams is not secure by default—especially in hybrid environments full of guests, private channels, and synced libraries. In this episode, we walk through two real-world style incidents where “set and forget” Teams defaults quietly exposed data, then build a five-layer hardening plan: Conditional Access that actually bites, Purview DLP on chat and channels, Entra ID guest governance, audit & forensics you can prove in court, and retention that survives scrutiny. You’ll leave with exact policy patterns you can copy, test, and measure in your own tenant.

    Opening – The Hook & Value Promise
    The night’s loud with static. Teams channels hum like open vents. Guests linger. Files sync to places no one watches. One careless paste away from a bleed you can’t stop. This episode gives you a concrete Teams security blueprint:
    - Enforce MFA for everyone, including guests
    - Kill legacy authentication
    - Require compliant or protected devices for Teams / SharePoint / Exchange
    - Wire Purview DLP into chat and channels
    - Govern guests with expirations, reviews, and access packages
    - Prove it all in logs, holds, and audits
    You’ll see two incidents that show how defaults burn tenants—and then we’ll build the five layers that would have stopped them.

    Segment 1 – Incident Proof: How Defaults Burned Two Tenants
    We open with two Teams failure stories.

    Incident 1 – The Guest That Never Left
    A project ends. Champagne’s gone. One guest remains in the team.
    - Private channel = separate SharePoint site; the guest’s sync client still points to that library.
    - Weeks later, the guest opens their laptop → the private channel library syncs fresh sensitive files down automatically.
    What failed:
    - No guest expiration
    - No Entra ID access reviews for the team
    - External sharing too loose for private-channel SharePoint sites
    - Owners assumed “project over” = “access over.” It wasn’t.
    Blast radius:
    - Sensitive docs in the private channel site
    - Meeting recordings, Loop components, and thread-linked files
    - All delivered via SharePoint sync—no need to open Teams at all

    Incident 2 – PII Paste and the Data Fork
    - A tired internal user pastes SSNs and bank details into a Teams channel.
    - Someone copies it to email for a vendor. Another exports the thread.
    - PII now lives in Teams, Exchange, local drives, and third-party systems. Cleanup becomes a scavenger hunt.
    What failed:
    - No Purview DLP for Teams chat & channels
    - No policy tips, no block-with-override, no compliance alert
    - Teams treated like a front-end; core controls (Purview, Entra, SharePoint) were never tuned
    Key takeaway: Teams isn’t the vault. It’s the lobby. The vault lives in Conditional Access, Purview DLP, Entra ID Governance, and SharePoint sharing policies. From here, we build the five layers that would have shut both incidents down.

    Layer 1 – Conditional Access Baseline That Actually Bites
    Goal: Identity is the lock. Make it hurt to be misconfigured. You’ll hear a complete Conditional Access baseline:

    MFA for Everyone (Including Guests)
    - Entra policy: All users (including Guests and external) → All cloud apps.
    - Grant: Require MFA.
    - Exclude only two break-glass accounts with long random passwords, monitored and stored offline.

    Kill Legacy Authentication
    - New policy targeting Exchange ActiveSync and Other clients.
    - Grant: Block access.
    - Starves phish and breaks old clients that can’t do MFA.

    Require Device Compliance for Crown Apps
    - Scope: internal users (and guests where feasible).
    - Apps: Teams, SharePoint Online, Exchange Online.
    - Grant: Require compliant device (Intune).
    - For BYOD/mobile: cloned policy using “approved client app” + app protection instead.

    Session Controls & Risk-Based Policies
    - Short sign-in frequency (e.g., 8 hours) and weekly reauth for sensitive apps.
    - Enable Continuous Access Evaluation (CAE) so password changes and account disables kill live sessions.
    - Extra policies for high-risk sign-ins/users → block or force password change and investigation.

    Guest & Service Account Edge Cases
    - Ensure guests hit MFA at first sign-in.
    - Disable interactive sign-in for service accounts; move to workload or managed identities.
    - Regularly test break-glass accounts and CAE behavior.
    The point: MFA enforced, legacy auth dead, only trusted devices, short sessions, and real risk-based gates.

    Layer 2 – Purview DLP for Teams Chat & Channels
    Goal: Sensitive data should trip a wire the second it hits chat. Configuration you’ll walk through:
    - Purview DLP policy targeted specifically to Teams chat and Teams channel messages.
    - Sensitive Info Types: SSNs, credit cards, bank accounts, health data, and custom IDs (employee/customer IDs, etc.).
    - Rules:
      - High-confidence block with override: Match = 1 for crown jewels (SSN, PAN with Luhn, etc.). Block message; allow override with typed justification. Real-time policy tip to user + high-severity alert to compliance.
      - Medium-confidence educate & alert: Allow message but warn user and notify compliance for tuning and behavior change.
    Extras:
    - Mirror policies to SharePoint/OneDrive so files + links are both covered.
    - Tune confidence and match counts to kill noise.
    - Use policy tips that explain in plain language, not legalese.
    - Pilot, tune, then roll out by department → finally org-wide.

    26 min
  8. Your "Hybrid Security" Is A Lie: Why Defender XDR Is Mandatory

    3 days ago

    Your "Hybrid Security" Is A Lie: Why Defender XDR Is Mandatory

    You’ve got six dashboards and three vendors, but attackers still stroll through the gaps between email, identity, endpoints, and cloud apps. In this episode, we break down why siloed tools fail in hybrid environments and how Defender XDR fuses Microsoft 365, Entra ID, endpoints, and cloud apps into one incident story with one timeline. You’ll see how attackers live in your blind spots—and how XDR uses cross-domain correlation, auto-response, and unified incidents to flip Microsoft security from “expense” to “savings.”

    Opening – The Illusion of “Hybrid Security” Control
    You’ve got dashboards, vendors, and a color-coded incident spreadsheet. It looks like control—but it’s really a Rube Goldberg machine that alerts loudly and catches little. Hybrid security isn’t “more tools”; it’s two overlapping attack surfaces pretending to be one. This episode exposes the four blind spots your silos hide:
    - Microsoft 365 (email & collaboration)
    - Identities (on-prem AD + Entra / Azure AD)
    - Endpoints (EDR, laptops, servers)
    - Cloud apps (SaaS, OAuth, shadow IT)
    Then we show how Defender XDR pulls them into one incident, one timeline, one response—and the one capability that turns XDR from a cost center into an actual savings engine.

    Segment 1 – Why Siloed Security Fails in Hybrid Environments
    We start with the foundation: why your current hybrid stack keeps burning you.
    - Hybrid reality: on-prem AD limping along, Entra ID doing the real work, roaming laptops, and SaaS your team “definitely ran by security.”
    - Every separate tool creates context debt: Email sees a phish. Identity sees risky sign-ins. Endpoint sees weird PowerShell. Cloud app security sees rogue OAuth consent. Individually “low”; together, a live intrusion.
    Key ideas:
    - Your SOC becomes the RAM, manually correlating alerts that should already be fused.
    - Alert fatigue is a tax, not a feeling—paid in dwell time, overtime, and missed signals.
    - Tools say “something happened.” What you need is: “what happened, in what order, across which domains.”
    Defender XDR shift: Instead of four tools and four tickets, you get one incident graph that ties mailbox rules, consent grants, tokens, endpoint processes, and cloud sessions to the same user and device. The platform does the stitching; your team does the deciding.

    Blind Spot 1 – Microsoft 365 Without Identity Fusion
    Email is still where most intrusions start—but not where they end.
    Common failure pattern:
    - Phish lands → you quarantine the email → “incident closed.”
    - Meanwhile: the user clicks “Accept” on a malicious app (“Calendar Assistant Pro”). The attacker moves from mailbox → OAuth + Graph. Mail is quiet, but tokens and consent now carry the breach.
    Why this is a blind spot:
    - M365 has rich telemetry (delivery, Safe Links, mailbox rules, Teams shares), but in an email silo it’s just noise.
    - Different teams clear their own console and declare victory; nobody sees the token, consent, and endpoint together.
    Defender XDR advantage: Builds one incident that links:
    - Phish in Outlook
    - Entra sign-ins and token issuance
    - Endpoint process chain (Office → PowerShell)
    - Cloud app and SharePoint file access
    Auto-IR can:
    - Isolate the device
    - Revoke user sessions and tokens
    - Kill malicious OAuth consent
    - Roll back mailbox rules – from one pane, not four.
    Result: fewer reinfection loops where the email is clean but the token and OAuth grant live on.

    Blind Spot 2 – Identities Without Endpoint and App Context
    Identities are the keys. Attackers don’t just steal passwords—they steal sessions, tokens, and consent.
    Identity-only failure patterns:
    - Azure AD / Entra flags risky sign-ins, impossible travel, anonymous IP.
    - The fix is: password reset, MFA enforced, risk lowered → incident closed.
    - But: refresh tokens still valid, OAuth grants still active, compromised device still leaking cookies.
    Why identity in a silo lies:
    - No view of endpoint posture (was the machine already dirty?).
    - No view of cloud apps (did a new app just start scraping SharePoint?).
    - No linkage to mailbox rules or consent events.
    Defender XDR advantage: Risky sign-ins are fused with:
    - Device health & process lineage
    - OAuth consent and Graph behavior
    - SharePoint downloads and Teams activity
    Auto-IR can:
    - Revoke refresh tokens
    - Kill active sessions
    - Mark the user risky and isolate the device
    - Surface mailbox rules and OAuth grants tied to that identity
    Identity is no longer just a risk score; it’s part of a cross-domain incident story.

    Blind Spot 3 – Endpoints Without SaaS and Identity Context
    Endpoints are where the noise is—but not always where the breach lives.
    Endpoint-only loop:
    - EDR flags Office → PowerShell → suspicious script.
    - You block, isolate, reimage.
    - But the attacker keeps a browser token and OAuth grant, and continues exfiltration from a different device or cloud host.
    Problem:
    - Processes don’t show how the attacker got there (phish, consent, token).
    - EDR can’t see Graph API exfiltration or SharePoint sessions.
    - You treat symptoms; the root cause (identity + consent) lives upstream.
    Defender XDR advantage: Endpoint alerts are tied to:
    - The specific user and sign-ins
    - The token issued in the browser
    - The app consent that followed the phish
    - The cloud sessions that moved data out
    Correct order of response: Kill token + sessions → revoke consent → then isolate/reimage. You stop “clean endpoint, dirty identity” from bouncing back every week.

    Blind Spot 4 – Cloud Apps & Shadow IT Without Identity / Device Linkage
    Cloud apps are where your data lives—and where shadow IT quietly routes exports and reports out of the tenant.
    Typical CASB-only view:
    - Sees “high-risk OAuth grant” or “unusual SharePoint downloads.”
    - Lacks: device context (was the browser compromised?), identity history (was there a phish or risky sign-in?), and unified response (can’t revoke tokens, isolate device, fix mail).
    Defender XDR advantage: Defender for Cloud Apps signals live inside the same incident graph:
    - OAuth consent
    - Session details

    26 min
