Booting high on community energy! In this special in-person episode, recorded on-site at the Microsoft Campus during the MVP Summit 2025, Koos and Chris share behind-the-scenes insights, tech trends, and reflections on the evolving security landscape—all while dodging T-shirt printers and Summit buzz.

🏙️ MVP Summit Experience

• First time recording in person!
• Koos and Chris reflect on how special it is to collaborate live, normally split by time zones.
• Value of meeting with product teams and MVP peers from around the world.

🧩 Capture the Flag Challenge

• Microsoft’s hands-on CTF challenge provided deep XDR visibility.
• Realistic red-team simulation in Defender showed how challenging threat hunting can be.
• Koos & Chris share a new appreciation for SOC analysts sifting through complex telemetry.

🤖 Security Copilot + Agents

• Microsoft announced Security Copilot Agents at Summit.
• These “agentic AI” bots can handle tasks like phishing triage and vulnerability remediation.
• Koos went from skeptic to fan—Agents reduce the need for custom logic app workflows.
• Built-in dashboards now show time saved per task, helping justify ROI.

🕵️‍♂️ Threat Hunting with the GHOST Team

• Microsoft’s GHOST Team: Global Hunting Oversight and Strategic Triage.
• Proactive hunting using advanced logs and behavioral anomalies.
• Emphasis on graph logs and assumed breach strategies.
• Outputs include improved detection rules and real-world attacker insights.

🔐 Identity & MFA – Still the #1 Target

• Identity remains the primary attack vector.
• Stop excluding MFA for office IPs or “trusted” users.
• Embrace phishing-resistant MFA like passkeys.
• Avoid risky group-based MFA exclusions—opt for dedicated groups or per-user control.

⚙️ Conditional Access & workload Identities

• Time to revisit and enrich older CA policies.
• Add device compliance and user risk signals (especially with Entra P2).
• Use tools like risk-based CA and sign-in risk to block compromised accounts.
• Apps and service principals are still a weak link in many orgs.
• Add CA rules to Applications (Workload Identities) to further heighten security (e.g. IP filtering).
• Because App secrets often go unmanaged and unrotated.

🧭 Final Thoughts

• Many attacks still succeed due to weak fundamentals: open ports, unpatched systems, overly-permissive apps.
• Mastering the basics remains critical.
• In-person energy made this episode extra special! 🙏🏻

🛠️ Community Project

Device Offboarding Manager

Microsoft MVP Ugur Koc has created a great PowerShell GUI tool for efficiently managing and offboarding devices from Microsoft Intune, Autopilot, and Entra ID, featuring bulk operations and real-time analytics for streamlined device lifecycle management. At it’s core, the tool features:

• Multi-Service Integration: Manage devices across Intune, Autopilot, and Entra ID
• Bulk Operations: Support for bulk device imports and operations
• Real-time Dashboard: View device statistics and distribution
• Secure Authentication: Multiple authentication methods including interactive, certificate, and client secret

I really like the playbooks feature that allows automation and support for specific custom scenarios.

Check it out on Github