@NathanMcNulty Nathan McNulty

Nathan McNulty posts on X about microsoft, if you, azure, this is the most. They currently have [------] followers and [---] posts still getting attention that total [-----] engagements in the last [--] hours.

Social Influence

Social category influence: technology brands 38.26%, stocks 20%, finance 3.48%, cryptocurrencies 2.61%, social networks 1.74%

Social topic influence: microsoft 19.13%, if you 18.26%, azure #555, this is 15.65%, in the 8.7%, business 5.22%, ai 4.35%, block 4.35%, the most 4.35%, stuff 4.35%

Top accounts mentioned or mentioned by: @talarion83 @richardhicks @iamericabooted @merill @tenantiq @ainp0t @awakecoding @cyb3rmonk @imog @swiftonsecurity @rime1313 @akses0x00 @decryptedtech @lokto @ioactive @domaincom @janbakker @duosecs @icesolsts @crxaminer

Top assets mentioned: Microsoft Corp. (MSFT), Everest (ID)

Top Social Posts

Top posts by engagements in the last [--] hours

"@akses_0x00 I mean nobody is trying to kill Defender on a Kali box lol This worked back when it was Debian [--] based I'm assuming it still works with the latest on [--] but boy did the Defender XDR portal get angry :p"
X Link 2026-02-15T03:48Z 17.6K followers, [---] engagements

"Before dropping admins in PUG please do read the docs and test. No NTLM no Kerb delegation etc. may break some things - but it absolutely shouldn't. If it breaks things it probably means you are doing privileged identity handling wrong. Time to build out least privilege"
X Link 2021-04-30T02:19Z 17.6K followers, [--] engagements

"Compared to a year ago it's amazing what AI assisted development can do now Probably best to not vibe code a full CRM and try to sell it. But if you aren't experimenting because it's sucked in the past I encourage you to try it again :) Pick something fun play and learn tweeps if you ever bulk import IOCs into Defender for Endpoint please feel free to try this out: @NathanMcNulty @merill @IAMERICAbooted and gang it's just a fling but it seems like it might be useful tweeps if you ever bulk import IOCs into Defender for Endpoint please feel free to try this out: @NathanMcNulty @merill"
X Link 2026-02-05T04:31Z 17.6K followers, [----] engagements

"@DecryptedTech @lo_kto [--] tips for better success: 1) Open Dev Tools network tab check preserve log then browse through config/compliance policies to capture the calls export HAR file and tell AI to use it 2) Use the Microsoft MCP Server for Enterprise (MSGraph) https://learn.microsoft.com/en-us/graph/mcp-server/overview https://learn.microsoft.com/en-us/graph/mcp-server/overview"
X Link 2026-02-05T17:53Z 17.6K followers, [----] engagements

"Pretty cool technique hiding the passkey option instead of just selecting a weaker method for the user Also a good reminder you have to ENFORCE phishing resistant auth just having them registered is not good enough This applies to all Identity Providers like Entra Okta etc. Just published a write-up on Serverless AiTM frameworks and MFA bypass techniques (from work I did in late 2024). Hope it's useful for the Red Team community Big thanks to @IOActive for the opportunity. 🫑 Read here: https://t.co/vwx8qyrowT Just published a write-up on Serverless AiTM frameworks and MFA bypass techniques"
X Link 2026-02-06T04:13Z 17.6K followers, [----] engagements

"Passkeys stored in Key Vault is ready for testing πŸ₯³ .Initialize-PasskeyKeyVault.ps1 -PassThru .New-KeyVaultPasskey.ps1 -UserUpn "user@domain.com" -DisplayName "Automated Passkey" -PassThru .PasskeyLogin.ps1 -PassThru Details in the repo here: https://github.com/nathanmcnulty/nathanmcnulty/tree/main/Entra/passkeys/keyvault Holy crap 🀯 πŸŽ‰ Success The Key Vault-backed passkey authentication works It took me about an hour fixing up some issues Sonnet [---] had with Key Vault permissions and how to use Key Vault but it works Working on some quality of life changes will publish this soon πŸ₯³"
X Link 2026-02-07T22:45Z 17.6K followers, 12.2K engagements

"I don't think i will be able to add enough parameters to this to support everyone's use cases but I did try my best :) Ultimately this is a pretty complex setup and not something I'll be able to simplify much further I am working on a GitHub Action for this too soon-ish :)"
X Link 2026-02-07T22:53Z 17.5K followers, [---] engagements

"Ever need to find out what Entra authentication methods your users are using but don't have Log Analytics/Sentinel :) It's not as difficult as you might think To get started log into the Entra portal go to Sign-in logs set the date range to [--] month then download the JSON:"
X Link 2026-02-09T20:33Z 17.5K followers, [----] engagements

"Now go to and set up your free cluster if you've never done that before. Once you have created the cluster and database right click on the database select Get data select Local file create a table for SigninLogs select it add your JSON and import. https://dataexplorer.azure.com/ https://dataexplorer.azure.com/"
X Link 2026-02-09T20:33Z 17.5K followers, [----] engagements

"New features for my Defender Reporting solution :) [--] Azure deployment option - Automation runbook exports vulnerability data and builds the dashboard compressed data stored in blob storage - Optional Container App hosts dashboard using Entra auth https://github.com/nathanmcnulty/defender-reportingtab=readme-ov-file#azure-resource-setup https://github.com/nathanmcnulty/defender-reportingtab=readme-ov-file#azure-resource-setup"
X Link 2026-02-09T22:23Z 17.6K followers, [----] engagements

"2 New modal layout and tooltips - Reflowed the modal to group CVEs by devices - Added tooltip to contain device details - Optional enrichment with Advanced Hunting data (use -IncludeAdvancedHunting) adds EPSS scores and description tooltips to all CVE IDs"
X Link 2026-02-09T22:23Z 17.5K followers, [----] engagements

"3 Bug fixes and optimization - Now uses IndexedDB for better performance with large data sets - Changed export schedules to [--] days to reduce risk of data loss if a run fails - Fixed a few logic/timing issues [--] Documentation updates - Setup instructions for Azure and GitHub"
X Link 2026-02-09T22:23Z 17.5K followers, [----] engagements

"This includes certificate profiles for all [--] platforms in Intune no targets by default but -AssignIntunePolicies assigns to all devices Also has optional deployment of Defender for Key Vault Log Analytics and downgrade to Key Vault Standard (for testing $1/mo) Have fun :)"
X Link 2026-02-12T00:26Z 17.6K followers, [---] engagements

"@TenantIQ @merill If you know ahead of time push a policy to prevent cached credentials as soon as you know could use a scheduled task to shutdown /s /t [--] /f for the time you want Alternatively you do it all ahead of time even doWipeProtected if needed and just make them dial call in"
X Link 2026-02-12T01:07Z 17.6K followers, [----] engagements

"@richardhicks That is a great question. I don't think I included that and would need something external to handle it. I will need to play with crlDistributionPoints to see if Key Vault lets me include that. If so I would probably spin up an Azure Static Website for this before key vault"
X Link 2026-02-13T00:20Z 17.6K followers, [--] engagements

"There are a lot of mitigations for this: Enforce attestation for passkeys Use CA policies to secure registering security info (auth strengths location etc.) Require compliance device or compliant network Or always require phishing resistant auth in the first place ;)"
X Link 2026-02-13T05:26Z 17.6K followers, [----] engagements

"Unfortunately if you want to allow synced passkeys this is your attack surface At the very least you need to enforce phishing resistant auth only for those users once they have registered them - avoid the downgrade attacks ⚠ Always check for passkeys on compromised accounts"
X Link 2026-02-13T05:27Z 17.6K followers, [----] engagements

"@Cyb3rMonk @janbakker_ Not yet I just used it to capture then call the script from the same container to test it would work I think I need to rewrite this in Go to call it natively that was my next step to look at"
X Link 2026-02-13T22:42Z 17.6K followers, [--] engagements

"The script now always creates a storage account creates the CRL and stores it on an Azure Storage static website If you provide the hostname such as gsacrl.domain.com it adds that to the CDP gives you details to add the CNAME to DNS and attempts to validate DNS for you"
X Link 2026-02-14T00:14Z 17.6K followers, [---] engagements

"If you don't provide a hostname it simply adds the Azure Storage URL to the CDP nothing else you need to do This is a great option for having a dedicated PKI for GSA and even if you have existing PKI this avoids pulling out an offline root CA or chaining GSA to it :)"
X Link 2026-02-14T00:14Z 17.6K followers, [---] engagements

"This has been a decades long fight with helpful tools like @duosec's now defunct CRXcavator and @IceSolst's @CRXaminer If you aren't aware of the risks posed both Ben's blog and solst's thread below are great reads to understand the threats these pose https://x.com/IceSolst/status/2007665099754926482s=20 A year ago I released @CRXaminer a Chrome extensions security scanning tool. I wrote a blog post to reflect on the tool more: https://t.co/bqI1kd33IG https://x.com/IceSolst/status/2007665099754926482s=20 A year ago I released @CRXaminer a Chrome extensions security scanning tool. I wrote a"
X Link 2026-02-10T02:28Z 17.6K followers, [----] engagements

"If you are still using PowerShell [--] you are missing one of the greatest features In PowerShell [--] we have the option to do $something ForEach-Object -Parallel "do the thing" Read all about it here: https://devblogs.microsoft.com/powershell/powershell-foreach-object-parallel-feature/ @agowa338 With a simple PowerShell -Parallel loop where I sign the files individually it shows garbled output (not surprised) but it boosts performance by about 250%. You know only 250% faster with simple parallelism nothing Azure Trusted Signing could have foreseen: https://t.co/iKgQWyTIDC"
X Link 2024-07-31T20:09Z 17.6K followers, 41.8K engagements

"@IAMERICAbooted @ainp0t You can't use the default user risk or sign-in risk policies or CA policies hence why I said you can't use it effectively without P2 But there are some "non-premium" detectionss as referenced in the below tables included in the free tier: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#sign-in-risk-detections-mapped-to-riskeventtype https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#sign-in-risk-detections-mapped-to-riskeventtype"
X Link 2026-02-17T00:33Z 17.6K followers, [--] engagements

"Thanks to @richardhicks for pointing out the lack of CRL support on this setup If GSA services were compromised or someone issued another subordinate CA off this root CA we wouldn't be able to revoke them 😬 The script now handles CRL and publishing: https://github.com/nathanmcnulty/nathanmcnulty/blob/main/Entra/global-secure-access/README.md#custom-crl-hostname Don't have PKI but want to use TLS inspection in Global Secure Access This script sets up Azure Key Vault Premium (HSM backed keys $5/month) creates the CA certificate in Key Vault gets the CSR from GSA signs it with Key Vault and"
X Link 2026-02-14T00:14Z 17.6K followers, [----] engagements

"@IAMERICAbooted @ainp0t Premium events are still detected but if you aren't licensed they are listed under the "Additional risk detected" category. So you have to pipe in your own automation to resolve these issues. P2 enables the ability to perform authorization controls/actions based on risk"
X Link 2026-02-17T00:35Z 17.6K followers, [--] engagements

"Don't have PKI but want to use TLS inspection in Global Secure Access This script sets up Azure Key Vault Premium (HSM backed keys $5/month) creates the CA certificate in Key Vault gets the CSR from GSA signs it with Key Vault and adds it to GSA πŸ”₯ https://github.com/nathanmcnulty/nathanmcnulty/tree/main/Entra/global-secure-access#tls-inspection-automation https://github.com/nathanmcnulty/nathanmcnulty/tree/main/Entra/global-secure-access#tls-inspection-automation"
X Link 2026-02-12T00:26Z 17.6K followers, 12.8K engagements

"There are many applications in Entra that you should prevent access to by default Unfortunately most of those don't expose an option to require assignment. must use Graph API :-/ I highly recommend locking these down list of apps and directions here: https://github.com/PatriotConsultingTech/Community/blob/main/Webinars/2025/AccessManagement/examples/applications/secure-apps-require-assignment/secure-apps-require-assignment.md Thats right. how is your cloud master now. https://t.co/eLJ0M5su1Y"
X Link 2026-02-12T00:30Z 17.6K followers, 59.5K engagements

"Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46 Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2 AzureAD PowerShell: 1b730954-1685-4b74-9bfd-dac224a7b894 Exchange PowerShell: fb78d390-0c51-40cd-8e17-fdbfab77341b Graph PowerShell/CLI: 14d82eec-204b-4c2f-b7e8-296a70dab67e"
X Link 2026-02-12T00:30Z 17.6K followers, [----] engagements

"curl -o microsoft.list sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list curl -sSL gpg --dearmor sudo tee /usr/share/keyrings/microsoft-prod.gpg /dev/null sudo chmod o+r /usr/share/keyrings/microsoft-prod.gpg sudo apt update sudo apt install mdatp And it's hilarious https://packages.microsoft.com/keys/microsoft-2025.asc https://packages.microsoft.com/config/debian/13/prod.list How do I install Windows Defender on Kali Linux https://packages.microsoft.com/keys/microsoft-2025.asc https://packages.microsoft.com/config/debian/13/prod.list How do I install Windows Defender on"
X Link 2026-02-15T03:41Z 17.6K followers, [----] engagements

"@talarion83 This is similar to saying we should allow every user to run PowerShell commands on their machine even though 99% of them never will It's a standing risk that isn't necessary - just lock it down to the people who actually need / use it and you significantly reduce risks"
X Link 2026-02-15T04:44Z 17.6K followers, [--] engagements

"@talarion83 While I would prefer to have stronger gates like PIM / Access Packages even just creating an exception for a static group of users is a huge improvement Some of these can do a lot of damage especially Azure PowerShell when 99% never use or need access to it"
X Link 2026-02-15T04:45Z 17.6K followers, [--] engagements

"@talarion83 For Azure PowerShell yes requesting tokens for other endpoints is a big risk. Lots of data or configuration options are avialable to users via CLIs it's just a lot of attack surface that most users don't need access to. For those that do add them as an exception :)"
X Link 2026-02-15T08:58Z 17.6K followers, [--] engagements

"@imog @FF_Freak @DrAzureAD @fabian_bader My recommendation would be to use passkey profiles Enforce attestation for the default passkey profile and then use a second passkey profile without attestation for exceptions when truly needed"
X Link 2026-02-16T03:25Z 17.6K followers, [---] engagements

"@awakecoding @IsabelleRLabs Ahh so you are already doing what I was going to look at cool stuff I hope teams start considering how to move this direction since AI dependency is only going to increase in the future"
X Link 2026-02-16T05:55Z 17.6K followers, [--] engagements

"Muahaha interactive Live Response inside of PowerShell"
X Link 2026-02-17T07:36Z 17.6K followers, [----] engagements

"Don't have Defender for Endpoint Don't have Intune I got you fam :) You can use NRPT rules in Windows to sinkhole undesirable TLDs too ⚫ Add-DnsClientNrptRule -Namespace ".zip" -NameServers "127.0.0.1" If you would prefer to use Group Policy this should do it for you πŸ”₯ Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint πŸ’‘ This might be helpful if someone started selling TLD's you'll never do business with ;) Go to https://t.co/O1Etd1rhxw under Endpoint security - Firewall Reusable settings click Add https://t.co/7BgRNw4Roi Did you know we can block"
X Link 2023-05-17T00:13Z 17.6K followers, 110.3K engagements

"When your docs look like this it might be time to rethink defaults and the user experience. @NathanMcNulty @merill @paulsanders87 @rucam365 @d0m3l @el_nawser Love the big red box at https://t.co/qa2tJaC4Gg "You must CLEAR THE CHECKBOX Allow my organization to manage my device. Don't select No sign in to this app only." which is a clear sign the UI is absolutely terrible and part of Microsoft knows it but can't fix it. @NathanMcNulty @merill @paulsanders87 @rucam365 @d0m3l @el_nawser Love the big red box at https://t.co/qa2tJaC4Gg "You must CLEAR THE CHECKBOX Allow my organization to manage my"
X Link 2023-11-07T05:45Z 17.6K followers, 109.7K engagements

"Hi I'm Nathan McNulty πŸ‘‹ I am here because I enjoy learning and helping others. I feel like I've already accomplished more than I ever dreamed and I truly want that for everyone else. If you ever find yourself questioning my intent - start there DM me or call me out"
X Link 2024-04-22T19:24Z 17.6K followers, 65.2K engagements

"About to brief the Microsoft Executive team on changing the name back to Azure AD Wish me luck :D"
X Link 2024-04-23T19:22Z 17.6K followers, 1.2M engagements

"Oh you wanted to dump all the LAPS passwords from Entra ID for. reasons =) Here you go: Connect-MgGraph -Scopes Get-MgDevice -Filter "OperatingSystem eq 'Windows'" ForEach-Object array$b64 = (Get-MgDirectoryDeviceLocalCredential -DeviceLocalCredentialInfoId $.DeviceId -Property credentials).credentials.PasswordBase64 string$pw = if ((string::IsNullOrEmpty($b64))) Text.Encoding::UTF8.GetString(Convert::FromBase64String(($b64)0)) array$lapsReport += "$($.displayName)$pw" $lapsReport http://DeviceLocalCredential.Read http://DeviceLocalCredential.Read"
X Link 2024-04-29T20:59Z 17.6K followers, 124.5K engagements

"Reminder - Microsoft publishes some really nice communication templates for helping you roll out things like MFA SSPR passkeys Hello for Business and a lot more Check it out https://www.microsoft.com/en-us/download/details.aspxid=57600 https://www.microsoft.com/en-us/download/details.aspxid=57600"
X Link 2025-02-05T21:23Z 17.6K followers, 46.2K engagements

"@sailingbikeruk First option: Get-MgDeviceManagementManagedDevice % $id = $.azureADDeviceId $state = (Get-MgDevice -Filter "deviceId eq '$id'").accountEnabled $laps = Get-MgDirectoryDeviceLocalCredential -Filter "deviceId eq '$id'" Write-Output "$($.DisplayName)$state""
X Link 2025-04-09T22:35Z 17.6K followers, [---] engagements

"⚠ Please do not delete inetpub ⚠ This is the fastest solution they could come up with to a privilege escalation vulnerability in the update stack that results in SYSTEM privileges If you delete it at least deny write on the root of the drive https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 April update adds an empty C:Inetpub https://t.co/TbhIzAE9sj https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 April update adds an empty C:Inetpub https://t.co/TbhIzAE9sj"
X Link 2025-04-12T02:55Z 17.6K followers, 77.4K engagements

"I'd like to talk about #windows for a minute I know it's hard to do something that will last 20+ years and maybe design choices from the 90's weren't the best ideas. There are foundational issues that need to be addressed. A clean install of windows ruined by its foundation"
X Link 2021-08-15T16:58Z 17.6K followers, [---] engagements

"I'm a huge fan of Azure Automation. If you're an #AzureAD / #M365 Admin and haven't used it before then this thread is for you You will need an Azure subscription but the first [---] minutes/month are free Here's an example of how to automate Azure AD device cleanup :)"
X Link 2022-04-21T00:03Z 17.6K followers, [---] engagements

"I was today years old when I learned that Microsoft publishes their own Azure AD Assessment tool You'll notice some familiar names on the commits - I won't spoil the surprise :) https://github.com/AzureAD/AzureADAssessment https://github.com/AzureAD/AzureADAssessment"
X Link 2022-07-27T00:31Z 17.6K followers, [----] engagements

"Come on Microsoft this was totally avoidable - just stop renaming things Also Clou dAlert lolol"
X Link 2023-04-04T01:17Z 17.6K followers, 203.9K engagements

"2005: Install OS then install apps 2010: Install hypervisor deploy VMs then install apps 2015: Install hypervisor deploy VMs install Docker then pull containers 2020: Install hypervisor deploy VMs install kubectl pull k8s containers setup k8s then pull containers"
X Link 2023-05-15T21:50Z 17.6K followers, 115.1K engagements

"I was unfortunately reminded today that not everyone is using Cost anomaly alerts for their Azure subscriptions These alerts are completely free but you have to enable them. Please set this up to avoid unexpected bills due to attackers or accidents :( https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/analyze-unexpected-charges#create-an-anomaly-alert https://learn.microsoft.com/en-us/azure/cost-management-billing/understand/analyze-unexpected-charges#create-an-anomaly-alert"
X Link 2023-05-25T23:35Z 17.6K followers, 48.4K engagements

"Here's the fix :) cd (Get-ChildItem -Path "C:Program Files (x86)MicrosoftEdgeApplication*Installer")-1 cmd /c "setup.exe --uninstall --system-level --force-uninstall" Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 -Remove -Online Hey gang stop using the domain controller to access https://t.co/Y73LCit8H4. Thanks Hey gang stop using the domain controller to access https://t.co/Y73LCit8H4. Thanks"
X Link 2023-06-29T01:25Z 17.6K followers, 75.7K engagements

"In Entra ID if we grant to an application it can read ALL email in the organization by default The most common misconfigured apps I see are helpdesk SIEM and awareness training Limit scope using an Application Access Policy: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access http://Mail.Read https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access http://Mail.Read"
X Link 2023-09-14T21:57Z 17.6K followers, 53.2K engagements

"Just found out Woodgrove Bank has [--] Global Admins and there's only [--] employees in the company Whatever you do do not do banking with them 😱"
X Link 2024-04-23T21:33Z 17.6K followers, 80.1K engagements

"4 FREE solutions low complexity huge security dividends 1) Use Windows LAPS 2) Use Hello for Business 3) Use Windows Firewall default to Block all inbound (define rules) 4) Use AppLocker to restrict users from running admin tools like PowerShell WMIC MSBuild certutil etc More complex security solutions are not necessarily better.more complex = more moving parts = more changes for things to go wrong More complex security solutions are not necessarily better.more complex = more moving parts = more changes for things to go wrong"
X Link 2024-05-15T20:14Z 17.6K followers, 60.1K engagements

"@SwiftOnSecurity Nice I recently ended up with these Still haven't tried them on. Kind of worried I'll like them :p"
X Link 2024-05-31T07:03Z 17.6K followers, 74.3K engagements

"A lot of cybersecurity is doing the IT parts that IT isn't usually given time to do Most sysadmins aren't setting up centralized logging hardening credential handling creating detections/alerts proactively remediating vulnerabilities I'd love to see more shifted back into IT Cybersecurity isnt a real job. I do all the work. Cybersecurity isnt a real job. I do all the work"
X Link 2024-11-09T01:52Z 17.6K followers, 129.5K engagements

"I demand to speak to a manager"
X Link 2024-11-21T20:59Z 17.6K followers, 50.4K engagements

"I wish I would have done this sooner"
X Link 2024-11-25T03:43Z 17.6K followers, 49.7K engagements

"If you work with Entra you'll want to bookmark and monitor this page 😎 Much of this is in Identity / Secure Score but it's great to see security guidance cleanly laid out in one doc You might think this is well known stuff I assure you it is not :( https://learn.microsoft.com/en-us/entra/fundamentals/configure-security https://learn.microsoft.com/en-us/entra/fundamentals/configure-security"
X Link 2025-03-02T00:46Z 17.6K followers, 72.5K engagements

"Reminder: shutdown /r /fw You're welcome :) Enter to BIOS https://t.co/dK6Nbx8rY5 Enter to BIOS https://t.co/dK6Nbx8rY5"
X Link 2025-04-18T19:21Z 17.6K followers, 31.9K engagements

"@princessakano I can't stop laughing at "Stopped thinking" 🀣"
X Link 2025-09-22T04:51Z 17.6K followers, 44.5K engagements

"In Entra ID did you know sensitive cloud admins are enabled for Self-Service Password Reset by default even if you never turn SSPR on It also doesn't follow auth method policies so they can use email and SMS. You really should disable it https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policywt.mc_id=MVP_452337&tabs=ms-powershell#administrator-reset-policy-differences https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policywt.mc_id=MVP_452337&tabs=ms-powershell#administrator-reset-policy-differences"
X Link 2025-09-28T02:02Z 17.6K followers, 19.8K engagements

"OpenAI wants ChatGPT to be your emotional support - @mayank_jee https://t.co/PcdtclnoOU https://t.co/PcdtclnoOU OpenAI wants ChatGPT to be your emotional support - @mayank_jee https://t.co/PcdtclnoOU https://t.co/PcdtclnoOU"
X Link 2025-10-04T21:56Z 17.6K followers, 18.9K engagements

"If you are still allowing NTLM for your privileged accounts like Domain Admins you should know Microsoft introduced hardening for this. almost [--] years ago. Your privileged accounts should be in the Protected Users Group: https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group RemotePotato0 A "won't fix" exploit for Windows that allows you to escalate your privileges from a generic User to Domain Admin. https://t.co/tmod800yEA https://t.co/cwxILWfiJ5"
X Link 2021-04-30T02:12Z 17.6K followers, [---] engagements

"Someone do Office macros next Log4j 2.16.0 is out and completely disables JNDI by default. https://t.co/WbrHCpkbjd Log4j 2.16.0 is out and completely disables JNDI by default. https://t.co/WbrHCpkbjd"
X Link 2021-12-14T04:51Z 17.6K followers, [---] engagements

"Quick PSA for those responding to Azure AD / Office [---] compromises Resetting passwords is usually not enough to evict an attacker from your environment Make sure you are revoking user access correctly and take into account Azure Apps with SSO: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access"
X Link 2022-01-29T23:50Z 17.6K followers, [---] engagements

"Group Policy was years ahead of its time It was so far ahead that Intune still hasn't reached feature parity after more than a decade of development And then there's Azure Policy where we just ignore the fact that non-Infrastructure as Code people exist. :-/ But yes kill AD"
X Link 2023-03-11T06:28Z 17.6K followers, 65.5K engagements

"I feel bad for new admins - we somehow made things even less accessible than it was [--] years ago Learning PowerShell DSC JSON etc. are great skills but this sucks for small IT shops with generalists The solution should not be "just write PowerShell scripts" but here we are"
X Link 2023-03-11T06:50Z 17.6K followers, 66.6K engagements

"A few key takeaways from this tool 1) Whenever possible apply MFA to All cloud apps/platforms/locations and when adding exclusions create compensating policies to limit the gap introduced Use the Gap Analysis workbook or @SantasaloJoosua's CA Optics: https://github.com/jsa2/caOptics https://github.com/jsa2/caOptics"
X Link 2023-04-02T03:26Z 17.6K followers, 86.3K engagements

"Hey #AzureAD admins - We can now automate clean up of stale devices Microsoft updated the Delete device API endpoint to support Application permissions so I've rewritten my Azure Automation blog post Also new: Managed Identities and Graph V2 modules :) https://blog.nathanmcnulty.com/azure-automation-device-cleanup-v2/ https://blog.nathanmcnulty.com/azure-automation-device-cleanup-v2/"
X Link 2023-04-23T06:47Z 17.6K followers, 39.9K engagements

"Everyone: Microsoft needs to fix their horrible mismanagement of DNS Microsoft: OK ok we hear you check out No one: Google: Anyone want a .zip or maybe a .mov domain http://cloud.microsoft http://cloud.microsoft"
X Link 2023-05-13T06:50Z 17.6K followers, 149K engagements

"Microsoft: To install our EDR on your on-prem servers you need to install this Arc agent then enable the Defender for Servers plan in Defender for Cloud which will enable the Defender for Endpoint extension All other EDR vendors: To install our EDR run this installer"
X Link 2023-05-19T22:03Z 17.6K followers, 105.7K engagements

"They said the cloud provides unlimited resources but apparently we have run out of cloud"
X Link 2023-05-31T01:22Z 17.6K followers, 55.4K engagements

"This is utter crap for AV advice from Microsoft It's bad enough that Teams still runs in a user-writable location (AppData) but lets combine that with AV exclusions AND not specify path based vs process based exclusions I would highly advise against path based exclusions here Teams AV exclusions: updated Oct 5th [----]. This include both classic and the new Teams. https://t.co/xblL27aeRB As a friendly reminder as well #Citrix has added newer entries in https://t.co/P5WF8uBXgn #Citrix https://t.co/09ABqrbAAI Teams AV exclusions: updated Oct 5th [----]. This include both classic and the new Teams."
X Link 2023-11-10T20:01Z 17.6K followers, 228.9K engagements

"We're adding another Azure Security Architect role If you love teaching others about Defender for Cloud Arc Sentinel and other Azure technologies this is for you :) βœ… Fully remote βœ… [--] day [--] hour work week βœ… Amazing team βœ… Focus on personal growth βœ… Work with me πŸ˜†"
X Link 2023-11-14T19:33Z 17.6K followers, 126.5K engagements

"It makes me really sad when I think about how many DFIR Reports may never have been written if we would just block a few apps such as wscript/cscript and PowerShell from having unrestricted access to the Internet :( https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/ You can also use Windows Firewall to block outbound connections to non-private IP ranges from processes like rundll32 or PowerShell If you have an EDR/SIEM go hunting and see if you find anything. If you find legit use cases add them as an exception with the private ranges ;)"
X Link 2024-02-27T02:45Z 17.6K followers, 52.5K engagements

"$name = 'abc' (Get-MgDirectoryDeviceLocalCredential -deviceLocalCredentialInfoId (Get-MgDevice -Filter "DisplayName eq '$name'").DeviceId -Property credentials).credentials % $.BackupDateTimeText.Encoding::UTF8.GetString(Convert::FromBase64String($.PasswordBase64))"
X Link 2024-05-09T00:37Z 17.6K followers, 57K engagements

"I am so excited to see this announced This solution brings Conditional Access to Kerberos authentication which means we can now put MFA and other controls in place when accessing file shares printers SQL Remote Desktop PowerShell remoting etc This is going to be huge :) On-prem MFA with Microsoft Entra Private Access is coming. Read more about it in the official announcement. https://t.co/sXByIn4KbJ https://t.co/zGxmbMMLAJ On-prem MFA with Microsoft Entra Private Access is coming. Read more about it in the official announcement. https://t.co/sXByIn4KbJ https://t.co/zGxmbMMLAJ"
X Link 2024-05-16T21:57Z 17.6K followers, 85.8K engagements

"Did you know you can send a file reqest link from OneDrive so others can upload files to you Lots of places don't allow for certain file types or file sizes via email and I get a lot of comments that people didn't know this existed :) Hopefully this is helpful to someone"
X Link 2024-05-22T22:51Z 17.6K followers, 38.7K engagements

"@SwiftOnSecurity Software vendors don't profit from solving security problems"
X Link 2024-06-30T22:24Z 17.6K followers, 13.2K engagements

"In case you didn't know Microsoft actually publishes a pretty large list of event IDs you should be collecting Not all are enabled by default though. and many are overly verbose It's definitely worth parsing some of these for only what you need ;) https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor We often argue about which log source is the most important how about which events What are your top [--] and why [----] - need those logons [----] - process creation of course [----] - Defender AV detection [----] - PowerShell script block logging [----] - service"
X Link 2024-07-06T18:17Z 17.6K followers, 73.8K engagements

"@rime1313 My first thought would be consent to the scope for the application. Did you do this and consent Connect-MgGraph -Scopes Also for what you want to do I would just get a list of all Windows devices a list of LAPS credentials and compareπŸ‘‡ http://DeviceLocalCredential.Read http://DeviceLocalCredential.Read"
X Link 2024-08-08T20:07Z 17.6K followers, [---] engagements

"@rime1313 $alldevices = Get-MgDevice -Filter "OperatingSystem eq 'Windows'" $laps = Get-MgDirectoryDeviceLocalCredential Compare-Object -ReferenceObject $alldevices.DeviceId -DifferenceObject $laps.Id"
X Link 2024-08-08T20:08Z 17.6K followers, [----] engagements

"Almost embarrassed to post this but I've always used Fiddler or Burp for capturing things like this. I didn't have admin rights and was trying to capture network traffic from a pop-up so Dev Tools wasn't working Apparently this is built into Chrome/Edge edge://net-export/"
X Link 2024-11-17T06:47Z 17.6K followers, 130.5K engagements

"Torn on sharing this but I think it's important everyone be aware The Office [---] Management Activity API is awesome but it's also an incredible persistence location to monitor a victim that is almost invisible once set up Let me explain how it works and what to look for ;)"
X Link 2024-11-24T08:09Z 17.6K followers, 26.8K engagements

"Most Microsoft tenants do not have Advanced Auditing configured correctly and orgs only find out after it is too late :( I tried really hard to make this as short and simple as possible. Please be nice to your IR folks and set this up it's important ;) https://nathanmcnulty.com/blog/2025/04/comprehensive-guide-to-configuring-advanced-auditing/ https://nathanmcnulty.com/blog/2025/04/comprehensive-guide-to-configuring-advanced-auditing/"
X Link 2025-04-16T05:13Z 17.6K followers, 30K engagements

"Seamless SSO is a security risk and many orgs enabeld it without knowing and are now stuck wondering what might break if they turn it off. Since Microsoft provides no help identifying actual usage I did some research so you can safely turn it off :) https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/ https://nathanmcnulty.com/blog/2025/08/finding-seamless-sso-usage/"
X Link 2025-08-25T20:19Z 17.6K followers, 49K engagements

"I'm convinced one of the biggest wins for IT teams and overall security is to reduce the amount of technology especially overlapping solutions that a company has Yes we're here to support the business but also maybe having [--] CRMs and [--] marketing campgain tools is a bad idea brb figuring how how we can stop supporting half the useless software stacks we all have and blame it on the AI brb figuring how how we can stop supporting half the useless software stacks we all have and blame it on the AI"
X Link 2025-09-20T04:24Z 17.6K followers, 29.7K engagements

"Please stop using Private browser sessions for cloud admin accounts Look we all know we shouldn't be using admin accounts while signed into our productivity account but if you're gonna do it at least use browser profiles so you can enforce compliance https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-tokentabs=windows-prt-issued%2Cwindows-prt-used%2Cwindows-prt-renewal%2Cwindows-prt-protection%2Cwindows-apptokens%2Cwindows-browsercookies%2Cwindows-mfa#how-is-a-prt-used"
X Link 2025-09-27T21:33Z 17.6K followers, 40.7K engagements

"anyone else getting this vibe or just me Coming to a meeting near you https://t.co/WIpxu43OlO Coming to a meeting near you https://t.co/WIpxu43OlO"
X Link 2025-10-02T18:55Z 17.6K followers, 27.8K engagements

"Wow. 🀯 This is even bigger than Entra/Intune btw :( Certificates issued based on serial number GUID lots of stuff could be affected HP's script literally just searches the LocalMachineMy cert store where Subject or FriendlyName contains "1E" and deletes the cert. ⚠ Heads up Big warning for HP AI Devices ⚠ Some of HPs latest Next Gen AI PCs including the EliteBook X Flip G1i are getting the updated OneAgent 1.2.50.9581 build. That version seems to run a cleanup script removing any certificate containing 1E in its subject . https://t.co/ZMlHQMmcuv ⚠ Heads up Big warning for HP AI Devices ⚠"
X Link 2025-10-23T01:03Z 17.6K followers, 75.2K engagements

"Re: NYC blocking Zoom I like Matthew a lot but I don't feel this is a "dumb overreaction." As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students I would love to shed some light on the difficulties Zoom has created for us. This is a dumb overreaction. https://t.co/xi52o0VhgT This is a dumb overreaction. https://t.co/xi52o0VhgT"
X Link 2020-04-06T18:26Z 17.6K followers, [----] engagements

"Microsoft added a capability to Edge that could have helped warn users about risky websites Instead they use it to beg users to stick with their browser and put down others Who the hell is running this ship This is embarrassing. Microsoft's new Edge prompts also call Chrome a "so 2008" browser when you try and download it πŸ™ƒ https://t.co/EacZ76To8Q https://t.co/qd2TsDpgUp Microsoft's new Edge prompts also call Chrome a "so 2008" browser when you try and download it πŸ™ƒ https://t.co/EacZ76To8Q https://t.co/qd2TsDpgUp"
X Link 2021-12-03T04:57Z 17.6K followers, [---] engagements

"Oh hell yeah this is cool DeviceNetworkEvents where RemoteIPType == "Public" where InitiatingProcessVersionInfoOriginalFileName in (( externaldata ( Name:string ) with (format=csv ignoreFirstRecord=true) distinct Name )) #MDE https://lolbas-project.github.io/api/lolbas.csv The #LOLBAS project's website now provides automatically updated feeds containing all entries part of the project .JSON file with the project's data set as data objects .CSV file with the project's data set broken down by command Check it out πŸ‘‰ https://t.co/mDyGq8ECoJ https://t.co/cxXVMc4ckc"
X Link 2022-10-04T06:29Z 17.6K followers, [----] engagements

""In the end it cost just under $1700 for a server that has 2x 14-core [---] GHz CPUs [---] GB RAM 8x [---] TB 10K RPM drives and 3x 1TB NVMe 3500MB/S SSDs" I have a couple friends working on building home labs so I wrote a blog post on my setup to help :) https://blog.nathanmcnulty.com/lab-server-build/"
X Link 2023-01-23T06:39Z 17.6K followers, 35.7K engagements

"Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint πŸ’‘ This might be helpful if someone started selling TLD's you'll never do business with ;) Go to under Endpoint security - Firewall Reusable settings click Add http://intune.microsoft.com http://intune.microsoft.com"
X Link 2023-05-14T01:35Z 17.6K followers, 257.1K engagements

"For your copy/pasta: global.rel.tunnels.api.visualstudio.com @Code now has built-in port forwarding. This feature allows you to share locally running services over the internet to other people and devices. https://t.co/nWpKDFQQBJ @Code now has built-in port forwarding. This feature allows you to share locally running services over the internet to other people and devices. https://t.co/nWpKDFQQBJ"
X Link 2023-09-08T01:29Z 17.6K followers, 155.2K engagements

"Reminder: Add an alias to your Microsoft account then remove the ability to sign in with your email address Alternatively go passwordless ;) More info on setting up an alias: https://x.com/NathanMcNulty/status/1345197001869201409t=SyrT5o2SSJc3F6zbwZcsYw&s=19 More of you see many unsuccessful sign-ins on your personal Microsoft Accounts I extracted all the [---] failed sign-ins in the last [--] days and visualised them in ADX to get some statistics. Almost all of them originate from IPv6 addresses hosted in Europe. https://t.co/T5jGL79Ehs"
X Link 2024-02-17T18:46Z 17.6K followers, 105.9K engagements

"When people say You wont survive in Cybersecurity if you dont like to research its true. You need to read those long PDF & website documents/white papers look through those Vendor forums watch those YouTube videos and Webinars etc. The answers are right there. When people say You wont survive in Cybersecurity if you dont like to research its true. You need to read those long PDF & website documents/white papers look through those Vendor forums watch those YouTube videos and Webinars etc. The answers are right there"
X Link 2024-02-25T01:43Z 17.6K followers, 44.8K engagements

"You might need to check your Teams Admin Center. 😩 It looks like the defaults for 3rd party apps changed so users can now add over [----] apps to Teams without requiring approval To change this click Actions - Org-wide app settings turn off 3rd party apps (more in next tweet)"
X Link 2024-03-27T18:28Z 17.6K followers, 178.9K engagements

"And there it is - Passkey in Microsoft Authenticator If you'd like to set up Passkeys in Microsoft Authenticator follow along. I'll provide a script to grab all existing AAGUIDs from your environment so we can configure this for testing without breaking existing keys :) While you wait for the preview to arrive to your tenant can I interest you in some passkey documentation πŸ‘€ https://t.co/jX6UoZQvlK and for passkeys in Authenticator https://t.co/jChU0Se2Kx While you wait for the preview to arrive to your tenant can I interest you in some passkey documentation πŸ‘€ https://t.co/jX6UoZQvlK and"
X Link 2024-04-11T18:52Z 17.6K followers, 73.6K engagements

"Want to dump backup all BitLocker keys from Entra ID instead :) (Get-MgInformationProtectionBitlockerRecoveryKey -All) ForEach-Object $device = (Get-MgDevice -Filter "deviceId eq '$($.DeviceId)'").DisplayName $key = (Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $.Id -Property Key).Key array$bitlockerReport += "$device$key" $bitlockerReport @NathanMcNulty Now do Bitlocker keys. Real ask. Kid you not. @NathanMcNulty Now do Bitlocker keys. Real ask. Kid you not"
X Link 2024-04-29T23:50Z 17.6K followers, 116.8K engagements

"Did you know Entra stores LAPS password history :) The Entra/Intune portal only shows the most recent one so if you happen to do a lot of snapshots/reverts for testing like I do the below command will show you all passwords and when they changed $name is device name $name = 'abc' (Get-MgDirectoryDeviceLocalCredential -deviceLocalCredentialInfoId (Get-MgDevice -Filter "DisplayName eq '$name'").DeviceId -Property credentials).credentials % $.BackupDateTimeText.Encoding::UTF8.GetString(Convert::FromBase64String($.PasswordBase64)) $name = 'abc' (Get-MgDirectoryDeviceLocalCredential"
X Link 2024-05-09T00:40Z 17.6K followers, 53.5K engagements

"Quite possibly one of the most insane defaults in SharePoint/OneDrive: Allow guests to share items they don't own 🫠 Bonus points for hiding it under "More external sharing settings" which is not expanded by default"
X Link 2024-05-22T23:43Z 17.6K followers, 118.9K engagements

"So Microsoft has this really awesome repository with scripts we used to harden privileged workstations with It hasn't been officially updated in years and someone made a huge PR to address lots of issues Nobody has looked at it for over a year. 😭 https://github.com/Azure/securedworkstation/pull/24 https://github.com/Azure/securedworkstation/pull/24"
X Link 2024-08-13T05:47Z 17.6K followers, 98.8K engagements

"You might not like it but this is the new whoami Invoke-RestMethod -Uri "https ://portal.office.com/admin/api/users/currentUser" -Headers @ Authorization = "Bearer $token""
X Link 2024-11-24T00:00Z 17.6K followers, 55.7K engagements

"This is huge We can now see the impact a policy would have had historically without ingesting sign in logs to Azure Monitor 🀯 There's a new Preview on CA policies that provides insights on a per-policy basis and the way they implemented this is so elegant and fast. I love it :)"
X Link 2025-03-13T16:02Z 17.6K followers, 31.6K engagements

"I'm still in shock. Woke up this morning to a wonderful email letting me know I am now a Microsoft MVP in Security πŸ₯³ I know this program means different things to different people so I'd love to share my journey and thoughts but most importantly they accepted me for me ;)"
X Link 2025-05-01T23:31Z 17.6K followers, 36.8K engagements

"I'm not sure how I missed this article on Entra Kerberos but it's the most comprehensive documentation I've seen yet absolutely fantastic If this is the "Introduction to Microsoft Entra Kerberos" I'm honestly a little scared to see the deep dive πŸ«£πŸ˜… https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos https://learn.microsoft.com/en-us/entra/identity/authentication/kerberos"
X Link 2025-09-12T04:56Z 17.6K followers, 17.3K engagements

"Insane because Microsoft uses a tool like dnstwist to find lookalike domains in Defender for Office [---]. but you have to pay for it The good news is this tool is FREE so everyone can and should monitor for lookalike domains: https://github.com/elceef/dnstwist https://dnstwist.it/ Crazy stuff that I saw online πŸ˜‚ rnicrosoft πŸ”₯ https://t.co/JUhrFdN6My https://github.com/elceef/dnstwist https://dnstwist.it/ Crazy stuff that I saw online πŸ˜‚ rnicrosoft πŸ”₯ https://t.co/JUhrFdN6My"
X Link 2025-09-20T23:32Z 17.6K followers, 43.7K engagements

"Intune now has dedicated security recommendations docs just like Entra πŸ”₯ The Entra security docs are extremely popular and I love seeing other teams publishing this kind of guidance Thanks to my collegaue (@JoshuaGatewood) for pointing this out https://learn.microsoft.com/en-us/intune/intune-service/protect/zero-trust-configure-securitywt.mc_id=MVP_452337 If you work with Entra you'll want to bookmark and monitor this page 😎 Much of this is in Identity / Secure Score but it's great to see security guidance cleanly laid out in one doc You might think this is well known stuff I assure you it"
X Link 2025-10-10T04:47Z 17.6K followers, 26.3K engagements

"If security were easy there wouldn't be a multi-billion dollar industry to "certify" those who "know their stuff" SECURITY IS EASY IF YOU. ignore: business people constraints complexity reality threat but sure: sEcUrItY iS eAsY https://t.co/fcVT0poofl SECURITY IS EASY IF YOU. ignore: business people constraints complexity reality threat but sure: sEcUrItY iS eAsY https://t.co/fcVT0poofl"
X Link 2025-10-17T22:58Z 17.6K followers, 193.9K engagements

"When you registered your security keys the domain was twitter.com Authentication requests from any domain that is not twitter.com like x.com are ignored (phishing resistant) So you must register new passkeys for x.com by November 10th when twitter.com goes away By November [--] were asking all accounts that use a security key as their two factor authentication (2FA) method to re-enroll their key to continue accessing X. You can re-enroll your existing security key or enroll a new one. A reminder: if you enroll a new security key any By November [--] were asking all accounts that use a security"
X Link 2025-10-26T07:26Z 17.6K followers, 107.1K engagements
