I've been putting together a process for detecting breaches in Microsoft 365 and Entra ID accounts, and it's become a common topic in discussions. My approach includes checking sign-in logs, identifying hidden inbox rules, mailbox delegation issues, OAuth consent abuse, and signs of token theft using specific PowerShell commands. I'm curious, what steps do you take to detect a breach in under 10 minutes?
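The checks listed in the question (sign-in logs, hidden inbox rules, mailbox delegation, OAuth consent grants, token-theft indicators) as one PowerShell triage pass over a single account. This is an added example, not the poster's own script. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you have already run Connect-ExchangeOnline and Connect-MgGraph (with at least AuditLog.Read.All, Directory.Read.All, IdentityRiskEvent.Read.All and User.Read.All). The cmdlets are the real ones from those modules; the wrapper function Invoke-M365AccountTriage, its Add-Finding helper and the output shape are my own.

```powershell
# Added example, not part of the original post. Assumes an existing
# Connect-ExchangeOnline and Connect-MgGraph session with the scopes above.
# Invoke-M365AccountTriage and Add-Finding are hypothetical helper names.

function Invoke-M365AccountTriage {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $LookbackDays = 7
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string] $Check, [string] $Detail) {
        $findings.Add([pscustomobject]@{ User = $UserPrincipalName; Check = $Check; Detail = $Detail })
    }

    # 1. Inbox rules, including hidden ones (created over MAPI/EWS and not
    #    shown in Outlook). Forward/redirect/delete rules are the usual BEC persistence.
    Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden | ForEach-Object {
        $r = $_
        if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage) {
            Add-Finding 'InboxRule' ("'{0}' Forward={1} Redirect={2} Delete={3}" -f `
                $r.Name, ($r.ForwardTo -join ','), ($r.RedirectTo -join ','), $r.DeleteMessage)
        }
    }

    # 2. Mailbox-level forwarding set on the mailbox object itself.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Add-Finding 'MailboxForwarding' ("SmtpAddress={0} Address={1} KeepCopy={2}" -f `
            $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress, $mbx.DeliverToMailboxAndForward)
    }

    # 3. Delegation: explicit FullAccess grants to anyone other than SELF.
    Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -notmatch 'NT AUTHORITY\\SELF' } |
        ForEach-Object { Add-Finding 'Delegation' ("FullAccess granted to {0}" -f $_.User) }

    # 4. OAuth consent grants made by this user; consent phishing leaves one of these.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -Property DisplayName,AppId
        Add-Finding 'OAuthGrant' ("{0} ({1}) scope='{2}'" -f $sp.DisplayName, $sp.AppId, $_.Scope)
    }

    # 5. Sign-ins over the lookback window, grouped by IP / country / OS. A
    #    replayed token shows up as an unfamiliar combination here without a
    #    matching fresh interactive authentication.
    $since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    Get-MgAuditLogSignIn -Filter $filter -All |
        Group-Object -Property { "{0}|{1}|{2}" -f $_.IpAddress, $_.Location.CountryOrRegion, $_.DeviceDetail.OperatingSystem } |
        ForEach-Object { Add-Finding 'SignInSource' ("{0} x{1}" -f $_.Name, $_.Count) }

    # 6. Identity Protection risk detections (anonymous IP, impossible travel, etc.).
    Get-MgRiskDetection -Filter "userPrincipalName eq '$UserPrincipalName'" -All |
        ForEach-Object { Add-Finding 'RiskDetection' ("{0} level={1} at {2}" -f $_.RiskEventType, $_.RiskLevel, $_.DetectedDateTime) }

    return $findings
}

# Usage (hypothetical tenant and user):
# Invoke-M365AccountTriage -UserPrincipalName 'alice@contoso.com' -LookbackDays 7 | Format-Table -AutoSize
```

Each finding is a plain object so the output can be piped to Export-Csv or compared between runs. The sign-in grouping is deliberately coarse: the point in a ten-minute triage is to spot a source that has never appeared for this user before, then pull the individual sign-in records for that source rather than read every event.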
1 Answer
Setting up conditional access properly is a key step. If it's done right, it can help significantly reduce the number of questions you get about breaches.

Absolutely! Conditional access is essential, and while it can't cover everything, it's a strong starting point. Plus, diving into sign-in logs can reveal a lot of useful details.