In this blog series, I’ll be covering Microsoft Purview, starting with an introduction and then exploring the features Microsoft Purview has to offer in further posts.
Please don’t forget to subscribe so you’re notified via email when new posts are published
Why Microsoft Purview? Microsoft Purview is a comprehensive set of tools designed to help organisations govern, protect, and manage their data across various platforms and environments. It provides a unified platform for data governance, security, and compliance, making it easier to manage data and meet regulatory requirements, wherever the data is stored.
Data often moves across boundaries and is shared with external partners or accessed on personal devices. Ensuring consistent security is key. Relying on multiple tools can lead to inefficiencies and gaps. To understand where critical data resides often requires a comprehensive review across on-premises and cloud environments.
Data is being created, stored, and shared at unprecedented rates. With increasing regulation and complexity, understanding how to secure and manage data effectively is more important than ever. One of the biggest challenges organisations face is becoming overwhelmed by the sheer volume and complexity of managing data. It can be difficult to keep track of what data is out there and ensure it’s all properly protected throughout its lifecycle.
By 2025, it’s estimated that the world will produce up to 175 zettabytes of data, a tenfold increase from 2016. This rapid growth brings new challenges for organisations trying to manage a wide range of data types, including emails, documents, instant messages, videos, and images. Generative AI adds further complexity by introducing new layers of data and risks like privacy concerns and misinformation.
As data grows, so do the demands for protecting it. The need for strong controls around sensitive data is more critical than ever. Without a robust data management strategy, organisations risk financial penalties, reputational damage, and loss of customer trust.
Managing and protecting data is a growing challenge. Research highlights that:
88% of organisations lack confidence in their ability to detect or prevent sensitive data loss.
More than 80% of corporate data remains “dark”, meaning it isn’t classified, protected, or governed.
Protecting and governing sensitive data is one of the biggest challenges for compliance with regulations.
As the environment grows more complex, so do the risks of data breaches and non-compliance.
This is where Microsoft Purview can help. This service provides organisations the ability to configure features such as, but not limited to, Data Loss Prevention (DLP), encryption of sensitive data, and insider risk management. According to research by Microsoft in 2023, 20% of data breaches were due to internal actors, costing businesses an average of $7.5 million annually.
Utilising Microsoft Purview offers a unified approach ensuring consistent classification, labeling, and protection of sensitive data, no matter where it resides. Microsoft Purview can be configured to provide a bird’s eye view of an organisation’s entire data landscape, helping them discover, classify, and manage their data with ease. This data could reside in a number of locations including Software As a Service applications (such as Dropbox, Salesforce), Azure, Microsoft 365, AWS (Amazon Web Services), Google Cloud, on-premises and more.
Another useful feature offered by Microsoft Purview is Information barriers. Information Barriers is a tool that helps you control communication and collaboration between different groups of people in Microsoft Teams, SharePoint, and OneDrive. It’s often used in industries with strict regulations to prevent conflicts of interest and to keep sensitive information secure between different departments inside an organisation.
There is more! Microsoft Purview Privileged Access Management (PAM) helps organisations control who can perform important admin tasks in Office 365. It protects your organisation from breaches by making sure only the right people have access to sensitive data or critical settings, and only when they need it. User’s must request temporary access to perform special tasks, which is approved through a specific process. This way, users get just enough access to do their job without risking the security of sensitive information.
Furthermore, Microsoft Purview can be configured to scan your data, provide a data map and identify and secure sensitive data which you may not be protecting. Microsoft Purview can provide you with the insights your organisation requires, not only helping identify and protecting your data, but providing insights on how that data is used.
Microsoft Purview can also assist your compliance and risk teams by providing tools to audit your data and whether you’re meeting compliance standards. The service also offers tools you can use in the event of a legal issue, known as eDiscovery. These useful insights are provided via an easy to understand reporting dashboard.
Microsoft Purview is structured into three pain pillars, these include Data Security, Data Governance and Risk & Compliance. These pillars combined provide organisations with a powerful platform for governing and securing data across the entire data estate. More info on the three pillars can be found at the following Microsoft Learn link, Learn about Microsoft Purview | Microsoft Learn.
I hope you have a basic understanding on what Microsoft Purview has to offer. I’ll explore the Microsoft Purview portal and features in further detail in this blog post series so stay tuned and don’t forget to subscribe, so you don’t miss the latest posts.
Microsoft have announced an all new free plan for GitHub Copilot, available for everyone today in VS Code. All you need is a GitHub account.
No trial
No subscription
No credit card required
GitHub Copilot is an AI coding assistant that helps you write code faster and with less effort, allowing you to focus more energy on problem solving and collaboration. GitHub Copilot has been proven to increase developer productivity and accelerate the pace of software development.
With GitHub Copilot FREE you get 2000 code completions/month. That’s about 80 per working day, which is a lot. You also get 50 chat requests/month, as well as access to both GPT-4o and Claude 3.5 Sonnet models.
If you hit these limits, ideally it’s because Copilot is doing its job well, which is to help you do yours! If you find you need more Copilot, the paid Pro plan for $10 per month is unlimited and provides access to additional models like o1 and Gemini (coming in the new year 2025). There are also other plans on offer, such as Business and Enterprise.
Passkeys in the Microsoft Authenticator app using an iPhone
Setting up a passkey via a physical Yubikey 5 (usb-c)
Note: This post is targeted at users who want to set up passkeys in the Microsoft Authenticator app or register a physical key. Your administrators must have enabled the capability to use passkeys before you can complete the steps below. To use passkeys via the Authenticator app, you need Android 14 or later, or iOS 17 or later (at the time of writing this post). Additionally, make sure that your Microsoft Authenticator app is updated to the latest version.
Configure Passkeys in the Microsoft Authenticator App on an iPhone
Access https://mysignins.microsoft.com and login
Click security info from the left pane
Click + Add sign-in method
4. Click the option, Passkey in Microsoft Authenticator
5. You may be prompted to go through MFA before you are able to add a new sign-in method. Please continue with this. When done, continue to step 6.
6. Read the pre-reqs and click next
7. Don’t click Next just yet. You will need to follow the instructions mentioned on your screen first.
Open the Microsoft Authenticator app on your phone. Tap on the account/email address you will be setting this passkey for. Keep the app open while you proceed with the setup.
Click Create a passkey. If this option does not appear, ensure that you have met the pre-reqs I mentioned at the beginning of this post.
8. You will be prompted to sign-in. Click the Sign-in button and login
9. If it is the first time you’re setting up a passkey via the Microsoft Authenticator app, you’ll be prompted to enable a couple of settings on your phone before you are allowed to continue.
10. We’re done with the configuration on the phone. Continue to the step 11 below.
11. Return to your laptop/desktop and click next to complete the process.
That’s it. If you’re interested in configuring a physical key, such as a YubiKey, the next section goes through the process.
Configure a passkey via a physical Yubikey 5 (usb-c)
Access https://mysignins.microsoft.com and login
Click security info from the left pane
Click + Add sign-in method
3. Click the option Security key
4. You may be prompted to go through MFA before you are able to add a new sign-in method. Please continue with this. When done, continue to step 5.
5. Select the type of security key. I select USB device
6. Have your physical key ready, after clicking next, you’ll be prompted to plug it in.
7. Click next and then select Security key (If this option does not appear, click the option other ways to sign-in and then click Security key). Click next.
8. Read and click OK
9. Read and click ok
10. You will be prompted to insert you physical key
11. You will be prompted to create a new PIN
12. Your physical YubiKey will flash and you will be prompted to place you finger on it
13. Passkey saved, click ok
14. Finally, you will be prompted to give your Physical key a name so you can easily identify it.
15. Done
I hope you found this post useful. Catch you at the one
In this blog post, I demonstrate how to use an Adversary in The Middle (AiTM) phishing attack to capture a user’s session token utilising a tool called Evilginx. There are several methods to protect against such attacks and I will be concentrating on phishing resistant MFA.
IMPORTANTDISCLAIMER: The user accounts involved are demo user’s. The information provided in this blog post is intended for educational and demonstration purposes only. Evilginx is a powerful tool that can be used to steal session tokens, which can lead to unauthorised access to user accounts. This tool should only be used for legitimate penetration testing on systems where you have explicit permission to do so. Unauthorised use of Evilginx or any similar tool is illegal and unethical, and can result in severe legal consequences. Always ensure you have proper authorisation before conducting any security testing.
What is Evilginx? Evilginx is an advanced phishing framework that provides a way to bypass multi-factor authentication (MFA) protections by capturing session tokens. It operates as an Adversary-in-The-Middle (AiTM) proxy, intercepting communication between a victim and a legitimate service to steal authentication credentials and session tokens. Unlike traditional phishing attacks that trick user’s into divulging their passwords, Evilginx focuses on obtaining credentials and session tokens, enabling attackers to login without entering user credentials. This makes it a powerful tool for penetration testers and security researchers who need to assess the resilience of their systems against such sophisticated attacks, however, it can also be used by bad actors.
Here’s how it works in few steps:
Attackers create fake login pages that look almost identical to legitimate ones, such as login pages for Microsoft, Google, Facebook and more.
When user’s enter their credentials, Evilginx captures them and forwards them to the real site, making it seem like a normal login process.
It can also intercept multi-factor authentication (MFA) codes, allowing attackers to gain unauthorised access.
This makes Evilginx particularly dangerous because of its capabilities to bypass security measures like MFA.
To protect yourself, always verify the URL of the login page, use phishing resistant MFA, and be cautious of unexpected login requests.
Let’s dig deeper and understand the process via the diagram below
How does Adversary-in-The-Middle (AiTM) take place using Evilginx
Click the image below to enlarge
Now, let’s see the process in action
Note: I’ve already installed and configured the Evilginx application.
Let’s explore how Evilginx can capture a user’s session token and gain access to data.
I launch Evilginx on my server
2. I type:
lures create microsoft365 lures get-url 0
Click image to enlarge
3. I copy the fake url as shown in the image above. A bad actor now requires a user to click on this fake url which could be via phishing email.
For the purpose of this demo, let’s assume that a user has clicked the link which was sent to them via a phishing email.
I launch a browser and type the fake login page url.
Enlarge the image below.
Question: Can you locate anything suspicious in the image below?
Incase you were not able to locate the suspicious disguise, check the website address. The letter o after micros has been replaced with a zero.
Bad actors will use such cloned login pages which sometimes look convincing and genuine. It’s important that we continue to educate and remind ourselves about phishing attacks.
WARNING:Please do not access the fake url above on your device
4. Ok, so now the user logs in. I am going to use a demo account.
My demo account is ceo@imranrashid.co.uk
The account is protected with MFA via the Microsoft Authenticator app. Not phishing resistant MFA at the moment.
I’m going to login to the fake page. The Evilginx application is listening in and recording logs.
5. I click next and I am prompted to enter my password to authenticate with Entra ID.
6. I enter my username, password, click sign in and go through MFA when prompted. I do not currently have phishing resistant MFA enabled as yet.
I am logged in and then auto signed out, but the required information has been captured by the Evilginx tool.
7. Let’s see what I get with Evilginx
8. I have the user credentials including username and password
Evilginx has captured the user’s session which includes MFA acceptance. Let’s dig a little deeper.
9. I type sessions and can see the username, password and the token has been captured.
10. I type sessions 13 and press enter
11. Here is the captured session token.
12. Next, I am going to replay this stolen token. I highlight and copy the text.
13. I have downloaded Firefox and installed a cookie editor extension.
14. I launch Firefox and access office.com
15. I click the Sign in button and I am redirected to the Microsoft login page
16. I clear all the cookie information in the cookie editor extension.
17. Inside the Cookie editor extension, I click the option to import and paste the session cookie I copied earlier. I then click import again.
I am back at the fake login page. I type my username and click next, but instead of entering a password, I select the option Use your face, fingerprint, PIN, or security key instead as shown in the image below.
2. I am being prompted for a security key for the fake url as shown in the image below. My passkey is registered to the real domain of login.microsoft.com and not login.micr0soft.com, therefore the user is unable to authenticate and provide Evilginx with the session token it is trying to capture.
No sessions saved by the Evilginx app
I hope this post was useful. Thanks for reading and see you at the next one.
In this 2 post blog series, I’ll explore emergency “break glass” account best practices, the importance of phishing resistant MFA (Multi Factor Authentication), how phishing-resistant MFA can protect against credential and session token theft via a phishing attack by a bad actor, and finally I will go through a step by step demo on configuring a physical FIDO2 (Fast Identity Online) supported passkey, specifically a YubiKey. I purchased a YubiKey for 30 euros from Yubico. Please note that Yubico offers various types of YubiKeys including different types of USB connectors and physical keys which meet different compliance standards, so it’s essential to research your options before making a purchase. Additionally, since FIDO2 is an open standard, several other vendors offer physical keys, giving you multiple options to choose from.
IMPORTANTNOTE Part 2 will provide a detailed, step by step demo on configuring a YubiKey. I recommend reading this post (Part 1) first to understand best practices and how FIDO2 works to secure your account. However, if you wish to skip to Part 2, click the following link: Part 2 – Configure a YubiKey For An Emergency Access Account In Entra ID | Cloud Build
Image of a Security Key NFC (Near Field Communication) by Yubico. This is the key I purchased.
Explanation of NFC: Near Field Communication (NFC) is a wireless technology that enables devices to communicate with each other when they are in close proximity, typically within a few centimetres. Think about when you touch your card or Apple Pay on your phone against a card reader to make a payment. If supported, you can utilise the NFC capabilities allowing you to touch they key on a NFC reader built in to your phone or a internal/external NFC reader built in to your laptop.
As mention above, part 2 covers the step by step demo, so before diving into the steps for configuring my YubiKey as a secure phishing resistant MFA method, I’d like to go through some important points, starting off with best practices you should consider when setting up an emergency access account.
Emergency Access “Break Glass” Account Best Practices
Emergency accounts also known as break glass accounts are crucial accounts that provide access to critical systems during an emergency. Microsoft recommends that organisations have two cloud only emergency access accounts permanently assigned the Global Administrator role. These accounts are highly privileged and should not be assigned to specific individuals. They are limited to emergency scenarios only and where normal accounts can’t be used or all other administrators are accidentally locked out. Here are a few points to note when creating your emergency break glass accounts:
Assign Both Emergency Accounts Permanent Global Administrator:
Having two break glass accounts ensures that if one account becomes inaccessible, you have a fallback account.
Use Non-Obvious Names:
Avoid obvious names like emergency@.onmicrosoft.com or breakglass@.onmicrosoft.com. Instead, use random human names to make the accounts obscure, making it more challenging for attackers to target them during attacks like password spraying.
Create Cloud Identities:
Create your break glass accounts using the *.onmicrosoft.com domain inside Entra ID. Avoid syncing accounts from on-premises to prevent access issues if on-premises systems fail.
Configure Complex Passwords:
Use strong passwords, ideally with a minimum of 16 characters as recommended by Microsoft at the time of writing this post. Although it is possible to create passwords up to 256 characters long, a minimum of 32 characters is common. Feel free to increase the length of the password as per your requirements. However, be aware that no matter how strong the password, bad actors can still steal user credentials via a phishing attack, therefore still a potential risk and the reason why it is recommended to use phishing resistant MFA, such as FIDO2 supported devices. More on this later.
Secure Password Storage:
If you’re using passwords, follow Microsoft’s recommendation to separate the password into two or three parts, write each part on separate pieces of paper, and store them in secure, fireproof safes in different locations. Ensure only authorised individuals have access.
Use Phishing Resistant MFA:
For multi-factor authentication (MFA), use a phishing resistant method like a FIDO2 Security Key. Again, ensure you store these physical keys in a safe location and only allow authorised individuals access.
Audit and Monitor Access:
Configure monitoring to notify you if the emergency break glass accounts are used, allowing for swift action.
Diversify MFA Methods:
Avoid using the same MFA method as your admins. For instance, if admins use passkeys via their phones or certificate based authentication (CBA), use a physical pass key for the emergency accounts to avoid issues affecting mobile devices such as a wider mobile network outage.
Avoid Assigning to Individuals:
Do not attach break glass accounts to an individual, such as an engineer’s mobile phone, to prevent issues if the person is unavailable. Just imagine if that individual is on holiday, it’s not good practice from both a convenience and security point of view.
Exclude from Conditional Access Policies:
Ensure at least one emergency access/break glass account is excluded from all Conditional Access policies.
Regular Validation and Documentation:
Validate your emergency accounts every 90 days or sooner if needed. Document a step by step process to allow authorised IT staff access to the accounts in emergencies. Training and clear documentation are crucial. The last thing you want is to discover an issue during a real emergency which could have been prevented through testing and validation.
Now that we have covered best practices for emergency break glass accounts, you may have read or heard that Microsoft announced mandatory multi factor authentication (MFA) will be enforced for Azure sign ins. This will gradually be rolled out to other portals, such as admin.microsoft.com, and more. So, what does this mean? Well, any user account logging into the admin portals will be required to enable MFA before they can log in.
Previously, it was possible to log into the Azure portal using an account without MFA enabled, but this will no longer be possible going forward. Why? Because one of the most effective security measures available to organisations is multifactor authentication (MFA). Research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks. Since emergency accounts are commonly used to log into admin portals, these accounts are not exempt from this new rule. Attackers could exploit emergency break glass accounts to access your environment with Global Administrator privileges and cause significant damage. Previously, a large number of organisations would create emergency break glass accounts without enabling MFA, which was normal. However, this recent announcement from Microsoft means that organisations will no longer be allowed to login to admin portals using any account including emergency break glass accounts with a password alone. MFA must be enabled with phishing resistant MFA being highly recommended, however, other MFA methods are allowed. In my opinion, it makes sense to secure these highly privileged accounts.
Great, we’re nearly there. What’s next? I would like to provide a quick overview of passkeys and how passkeys can protect you against a bad actor stealing user credentials and session token via a phishing attack using tools such as Evilginx. Let’s learn more.
What are passkeys? Passwords can be compromised through various methods, including phishing attacks, regardless of their complexity. FIDO2 supported passkeys enable phishing-resistant, passwordless authentication. They replace weak credentials with strong, hardware backed public/private key credentials, reducing the chances of user credentials and session token being stolen.
A common attack method involves a bad actor attempting to steal user credentials by tricking them into clicking a malicious link. Adversary in the Middle (AiTM) attack tools, such as Evilginx, can intercept communication between the user and login providers like Microsoft, Facebook, or Google, capturing the necessary information to access the user’s data. Evilginx is capable of capturing session cookies, which validate a user’s session after MFA is completed. Put simply, Evilginx can bypass non-phishing resistant MFA, making it ineffective and allowing unauthorised access to the user’s data.
When configuring a FIDO2 supported method, such as a physical YubiKey, the process involves the generation of two keys:
A private key, which remains on the physical YubiKey and never leaves the device. This is similar to how other phishing resistant methods function, such as Windows Hello For Business. This private key never leaves the physical device, so in the case of a YubiKey, the private key is stored securely on the YubiKey. With Windows Hello for Business, the private key remains on the device, such as the laptop, stored in a secure TPM (Trusted Platform Module).
A public key is provided to the relying party. In my case, the relying party is Microsoft, because I’ll be using my FIDO2 supported physical passkey to log in to admin portals such as the Azure portal.
Because passkeys are phishing resistant, they are highly recommended. Apart from physical FIDO2 security keys, there are other phishing resistant MFA methods available, including Certificate Based Authentication (CBA), passkeys via the Microsoft Authenticator app and one I mentioned earlier, Windows Hello for Business.
Why are passkeys secure? When configuring a passkey, there are a number of security features that prevent a hacker from misusing your credentials. One of the key security features is proximity, which means the user must have proximity between the authenticator and the laptop. In this case, the authenticator could be a physical FIDO2 security key or a passkey on the Authenticator app. This prevents users from being tricked by a bad actor, for example, if the bad actor attempts to steal a user’s session token via a phishing attack, it would be of no use, because the hacker is most likely sitting someplace far away from the laptop, and therefore the proximity check fails and access is denied.
Another important security feature is that the FIDO2 supported device is tied to a specific website address or relying party. This means that if a bad actor tries to fool the user by directing them to a fake URL via a phishing attack, the authentication attempt would fail when the user attempts to use their phishing resistant device, such as a YubiKey. This is because the private key stored on the device will only respond to the specific website it was originally registered with. So, even if a hacker tries to mimic the real website by creating a good looking clone pointing the user to login.micr0soft.com (disguising the o for a zero), the FIDO2 supported key won’t complete the authentication process because it was originally registered against login.microsoft.com and not the fake login.micr0soft.com.
Still confused? I demonstrate the YubiKey registration process in the diagram below.
Click the image below to enlarge.
How does a hacker steal user credentials and session token?
One of the methods I am focusing on in this post is where bad actors steal user credentials via a phishing attack, by fooling the users to click a link which directs the user to fake login page. The user assumes that they are accessing a genuine login page and upon the entering a username, password and even going through non-phishing resistant MFA, the bad actor captures the users session token and then replays it on their own device. Yes, there are tools such as Evilginx which can bypass MFA. This allows the hacker direct access to the user’s data such as email, one drive data and so on, without having to authenticate again.
In the video below, Merill Fernando (Principal Product Manager @ Microsoft Entra) demonstrates how Evilginx works and provides a couple of controls which can prevent such an attack when an Adversary in the Middle (AiTM) attack tool such as Evilginx is used.
DISCLAIMER: Evilginx has the potential for malicious use. It’s crucial for defenders to account for such attacks and devise strategies to safeguard their users from these types of phishing threats. Evilginx should only be employed in lawful penetration testing engagements with explicit written consent from the targeted entities or for educational objectives.
Note While phishing-resistant MFA provides strong protection against phishing attacks and greatly reduces the risk of credential theft, it does not completely prevent token theft, for example, if a bad actor uses malware on a user’s device. This is why it’s essential to adopt a defense in depth strategy, which includes multiple layers of security measures, including endpoint protection on your devices.
In the below video Alex Weinert (VP Identity Security at Microsoft) provides several solutions to help protect against token theft.
Passkeys Available via Phone Using the Authenticator App In the next post, I demonstrate how to set up a physical FIDO2 support passkey from Yubico. However, I wanted to mention that passkeys are also available without needing to purchase a physical key. Modern smartphones come equipped with built in FIDO2 authentication capabilities, providing you with phishing resistant protection and allowing you to use biometric features like fingerprint or face recognition as passkeys. With the Microsoft Authenticator app, you can register and use these passkeys on your iPhone or Android phone to securely log into your accounts. This provides a convenient and cost effective way to enhance your online security without having to purchase physical security keys.
I know what you’re thinking! “If passkeys are available for free using phones via the Authenticator App, why should I purchase a physical key?”
Great question! While passkeys on smartphones offer a great level of convenience and security, there are several reasons why an organisation might still opt for physical security keys. Here are a few benefits:
Device Flexibility: Physical passkeys can be used with any device, including shared workstations, without relying on employees’ personal mobile phones. If you don’t allow the use of personal mobile phones in your organisation, you could purchase physical passkeys.
Enhanced Protection: Physical keys can offer an extra layer of protection against malware and other attacks that might target vulnerabilities in mobile devices.
Compliance Requirements: In some industries, compliance requirements may mandate the use of physical keys. Therefore, while smartphone based passkeys are excellent for many users, physical keys still play a crucial role depending on your organisational requirements.
Emergency Break Glass Accounts: A physical FIDO2 key would be a better option than a mobile phone for an emergency break glass account. It ensures that access is not dependent on the availability or functionality of a specific mobile device. YubiKeys don’t contain moving parts and are designed to be simple and robust, with a solid construction that contributes to their reliability. They don’t require batteries or an external power source, as they draw power directly from the USB or NFC connection when in use, making them ideal for offline storage and offsite locations.
