An MFA fatigue attack is where an attacker repeatedly attempts to log in as the user, causing an MFA request to appear on the user's device each time. If the request is a simple approve or deny prompt, then with enough requests the user eventually approves one to make these requests go away. Such an attack recently proved very successful at Uber. You can read more about that incident here:
With MFA in Microsoft 365 and the Microsoft Authenticator app you can avoid this by enabling number matching for push notifications. Here’s how to do it:
Navigate to the Azure portal as an administrator and then to Azure Active Directory. Here, select Security from the menu on the left as shown above.
Here, select Authentication methods as shown above on the left.
Now select Microsoft Authenticator on the right.
Select Configure at the top of the page and ensure all the options listed are Enabled for all users. You may want to exclude any break-glass accounts though.
Back on the Basic tab, as shown above, ensure you have Enable set to Yes and you target all the desired users with Passwordless.
Now, when users are prompted for MFA they will see the above on their devices and need to type the number that is on the screen into their device to approve the login. They will also see the geographic location the request came from and application requesting as shown above.
If you want to check your environment for MFA fatigue attacks you can use this KQL query in Sentinel:
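The same detection idea expressed outside Sentinel, as an added example that is not the query from the original post: it groups repeated MFA failures per user into bursts and flags any burst followed shortly by a successful sign-in. The records are constructed sample data using `SigninLogs` column names (`TimeGenerated`, `UserPrincipalName`, `ResultType`, `IPAddress`); the function name, thresholds and time windows are assumptions to tune for your tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = "500121"  # ResultType: strong authentication failed (includes denied or ignored prompts)
SUCCESS = "0"          # ResultType: sign-in succeeded

A, B, C = "alice@contoso.example", "bob@contoso.example", "carol@contoso.example"
# Constructed sample records (TimeGenerated, UserPrincipalName, ResultType, IPAddress); not real data.
SAMPLE = [
    ("2022-09-20T02:00:05", A, "500121", "203.0.113.7"), ("2022-09-20T02:00:40", A, "500121", "203.0.113.7"),
    ("2022-09-20T02:01:10", A, "500121", "203.0.113.7"), ("2022-09-20T02:01:55", A, "500121", "203.0.113.7"),
    ("2022-09-20T02:02:30", A, "500121", "203.0.113.7"), ("2022-09-20T02:03:00", A, "500121", "203.0.113.7"),
    ("2022-09-20T02:03:20", A, "0", "203.0.113.7"),       # prompt finally approved
    ("2022-09-20T09:00:00", B, "500121", "198.51.100.4"), ("2022-09-20T09:00:30", B, "500121", "198.51.100.4"),
    ("2022-09-20T09:01:00", B, "0", "198.51.100.4"),      # ordinary fumble, below threshold
    ("2022-09-20T14:00:00", C, "500121", "203.0.113.9"), ("2022-09-20T14:01:00", C, "500121", "203.0.113.9"),
    ("2022-09-20T14:02:00", C, "500121", "203.0.113.9"), ("2022-09-20T14:03:00", C, "500121", "203.0.113.9"),
    ("2022-09-20T14:04:00", C, "500121", "203.0.113.9"),  # burst with no approval
]

def find_fatigue(records, threshold=5, gap=timedelta(minutes=2), grace=timedelta(minutes=5)):
    """Flag users with >= threshold MFA failures spaced <= gap apart.
    approved_after is True when a success lands within grace of the burst's last failure."""
    by_user = defaultdict(list)
    for ts, upn, result, ip in records:
        by_user[upn.lower()].append((datetime.fromisoformat(ts), result, ip))
    alerts = []
    for upn, events in sorted(by_user.items()):
        events.sort()
        bursts, current = [], []
        for ev in (e for e in events if e[1] == MFA_FAILED):
            if current and ev[0] - current[-1][0] > gap:
                bursts.append(current)  # quiet period: close the running burst
                current = []
            current.append(ev)
        bursts.append(current)          # may be empty; the threshold check drops it
        for burst in bursts:
            if len(burst) < threshold:
                continue
            last = burst[-1][0]
            approved = any(r == SUCCESS and last <= t <= last + grace for t, r, _ in events)
            alerts.append({"user": upn, "prompts": len(burst), "first": burst[0][0],
                           "ips": sorted({ip for _, _, ip in burst}), "approved_after": approved})
    return alerts

if __name__ == "__main__":
    for alert in find_fatigue(SAMPLE):
        print(alert)
```

A burst with `approved_after` set to True is the case to triage first, since it suggests the user gave in to the prompts.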
Online security is something that requires constant adjustment as the bad actors adapt to the protection methods put in place. Number matching in Microsoft 365 is quick and easy to set up using the Microsoft Authenticator, and it is the recommended approach you should take to avoid MFA fatigue attacks.
Slides from this month’s webinar are at:
If you are not a CIAOPS patron and you want to view or download a full copy of the video from the session, you can do so here:
Watch out for next month’s webinar.
Microsoft has a new security portal at:
which comes from their recent RiskIQ acquisition. In essence it is a place that you can search for security intelligence and information around all sorts of indicators.
If I for example search for an IP address that showed up in my Microsoft Sentinel as a known bad IP I see the above results.
If you look closely, you’ll see the ‘good’ stuff requires a subscription. How much is a subscription I hear you ask? Well, make sure you are sitting down before you proceed because it is:
Yup, that is US$4,1667.70 per month! Wow!
That said, the free or ‘community’ version does provide a lot of valuable information and I would recommend that you add the site to your list of tools when threat hunting. Personally, I would have liked to have seen a pay as you go (PAYG) option provisioned out of Azure, like things such as Sentinel are. Hopefully, the price will come down or at least there may eventually be a tier that smaller businesses can live with. But for now, have a look and use the features provided for free as there are many. You can learn more from the documentation here:
What is Microsoft Defender Threat Intelligence (Defender TI)?
Another round of updates from the Microsoft Cloud. Also trying a video version of the podcast on YouTube (link below). Also trying an ‘editorial’ section which this month is on Secure Score. Let me know what you think.
Take a listen and let us know what you think – firstname.lastname@example.org
You can listen directly to this episode at:
Subscribe via iTunes at:
The podcast is also available on Stitcher at:
Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.
This episode was recorded using Microsoft Teams and produced with Camtasia 2022.
Brought to you by www.ciaopspatron.com
YouTube version on podcast
Join my shared channel
CIAOPS Monthly webinar
iOS Lockdown mode
Visual Studio Code on the web
Gone phishing tournament
Storyline is in public preview
Microsoft SMB study
A new security option in Microsoft Edge. You’ll find it in Settings | Privacy, search and services as shown above. Three levels are available once you enable it (it is disabled by default).
What it does according to the documentation is:
and more information is found here:
Enhance your security on the web with Microsoft Edge
There is also the option to white list certain URLs if required.
So, if you want a bit more security when using Edge, turn it on! I have.
I am happy to announce that Techwerks 17 will be held in Melbourne CBD on Thursday September 29th 2022
The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:
or by sending me an email (email@example.com) expressing your interest.
The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into the Microsoft Cloud including Microsoft 365, Azure, Intune, Defender for Endpoint, security such as Azure Sentinel and PowerShell configuration and scripts, with a focus on enabling the technology in SMB businesses.
Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters to them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.
The cost to attend in Melbourne is:
Gold Enterprise Patron = Free
Gold Patron = $33 inc GST
Silver Patron = $99 inc GST
Bronze Patron = $176 inc GST
Non Patron = $399 inc GST
I hope to see you there.
Once you have added Viva Engage to Microsoft Teams from apps, select it. In the top right corner select the ellipsis as shown above. Then from the menu that appears, select Manage storyline.
Turn on all the options you see here.
More information about Storyline can be found here:
Storyline is now open for public preview
If you search the apps available in Microsoft Teams you’ll find a new one from Microsoft called Admin as shown above.
When you add the Admin app to your Microsoft Teams environment you see a number of basic administration options you can alter as shown above.
You can, for example, set some basic meeting settings as shown above.
At this stage the app is pretty basic but it is handy to have many of the common admin settings inside Microsoft Teams overcoming the need to switch out to the admin console. Over time I’d guess that more options will be added to this app to make Microsoft 365 management easier.