THE PROMPT for Microsoft Security - Issue #64
Gone to Redmond: Where 3,000 MVPs Try Not to Blue-Screen the Campus (and I Try Not to Blue-Screen from Excitement)
Things from Me
Happy Friday everyone!
I’ll be out of the office next week as I head to Microsoft headquarters in Redmond for the Microsoft MVP Summit (March 24–26, 2026). It’s always one of the highlights of the year, and this time around, we’ve poured months of effort into making it an especially fun, engaging, and deeply technical experience for the entire MVP community.
We’re expecting over 3,000 attendees in total, with more than 1,500 joining us in person on campus—a fantastic turnout that promises incredible energy and connection.
I’m genuinely excited to reconnect with so many familiar faces, make new friends, dive into mind-expanding discussions, and—most importantly—spend time sharing our latest plans and vision with the Security MVPs. There’s nothing quite like being in the room (or on campus!) where ideas spark, collaborations form, and the future of Microsoft technologies takes shape.
I’ll be back in action the following week refreshed, recharged, and full of new insights to share.
Thanks as always for your support and for being part of this amazing community—talk to you soon!
-Rod
Things that are Related
Orchestrating Intrusion Detection and Prevention Signature overrides in Azure Firewall Premium - Azure Firewall Premium provides strong protection with a built-in Intrusion Detection and Prevention System (IDPS). It inspects inbound, outbound, and east-west traffic against Microsoft’s continuously updated signature set and can block threats before they reach your workloads.
Observability for AI Systems: Strengthening visibility for proactive risk detection - Observability is one of the foundational security and governance requirements for AI systems operating in production. Yet many organizations don’t understand the critical importance of observability for AI systems or how to implement effective AI observability. That mismatch creates potential blind spots at precisely the moment when visibility matters most.
Azure Bastion: Enterprise-grade secure access made simple - Managing secure remote access to virtual machines traditionally means juggling public IP addresses, configuring jump boxes, deploying VPN infrastructure, and managing complex firewall rules. Each layer adds cost, complexity, and potential security vulnerabilities. Azure Bastion changes everything. It’s a fully managed PaaS service that provides secure RDP/SSH connectivity to Azure VMs directly through the Azure portal, without exposing VMs to the public internet. No public IPs, no jump boxes, no VPN clients.
Aligning AI agent intent: A framework for secure and governable AI - AI agents can follow user instructions while still violating organizational or developer intent. This research report explores the layers of agent intent and how to align them for secure enterprise AI adoption.
When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures - During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different.
New tools and guidance: Announcing Zero Trust for AI - Over the past year, I have had conversations with security leaders across a variety of disciplines, and the energy around AI is undeniable. Organizations are moving fast, and security teams are rising to meet the moment. Time and again, the question comes back to the same thing: “We’re adopting AI fast, how do we make sure our security keeps pace?”
Things to Have
I'm thrilled to announce that “Into the mind of Microsoft Security - AI-Ready Security Strategy and Architectural Guidance for CISOs and Security Architects” by Sameh Younis is now officially released and available for purchase!
Get it from Amazon: https://amzn.to/4bwOciG
The book “Protect Your Microsoft 365 Data in the Age of AI” is a collection of articles that MVP Dominique Hermans published over the past year in the series of the same name.
In the book, Dominique explains how to use Microsoft 365, Microsoft Purview, and Microsoft Defender for Cloud Apps to gain visibility and control over sensitive data shared with generative AI platforms, while still enabling employees to work effectively. He focuses on a flexible, policy-driven, layered approach that aligns technology with an organization’s governance strategy.
Download the eBook: Protect_your_M365_Data_in_the_age_of_AI_dominiquehermans_com_v20260310-HQ
Dominique’s website: https://dominiquehermans.com/
Microsoft Defender Scout - Automated Security Assessment & KQL Query Generation for Microsoft Defender.
Microsoft Sentinel Things
Maximizing Microsoft Sentinel ROI With VirtualMetric DataStream – Part 2 - Microsoft Sentinel is an extremely powerful platform—but at scale, Windows telemetry (especially Security events) can quickly become one of the highest cost and noise drivers in the workspace. If you’re already centralizing Windows logs with Windows Event Forwarding (WEF) into a Windows Event Collector (WEC), you’ve already solved half the problem: you’ve reduced agent sprawl and built a clean collection pattern.
Detect, correlate, contain: New Azure Firewall IDPS detections in Microsoft Sentinel and XDR - As threat actors continue to blend reconnaissance, exploitation, and post-compromise activity, network-level signals remain critical for early detection and correlated response. To strengthen this layer, we're introducing five new Azure Firewall IDPS detections, now available out of the box in the Azure Firewall solution for Microsoft Sentinel and Microsoft Defender XDR.
What’s New in Microsoft Sentinel and XDR: AI Automation, Data Lake Innovation, and Unified SecOps - The most consequential “new” Microsoft Sentinel / Defender XDR narrative for a deeply technical Microsoft Tech Community article is the operational and engineering shift to unified security operations in the Microsoft Defender portal, including an explicit Azure portal retirement/sunset timeline and concrete migration implications (data tiering, correlation engine changes, schema differences, and automation behavior changes). Official sources now align on March 31, 2027 as the sunset date for managing Microsoft Sentinel in the Azure portal, with customers being redirected to the Defender portal after that date.
Turning historical patterns into actionable detection pipelines with Microsoft Sentinel data lake - This article is part of the Sentinel data lake practitioner series. In Part 1, we introduced the Operationalization Framework — a structured way to turn exploratory notebooks into reliable, scheduled Spark jobs within the Microsoft Sentinel data lake. Now in Part 2, we go from framework to function — showing how defenders can turn historical data into fresh, actionable insights using modular pipelines built around one of the most persistent threats today: password spray attacks.
Microsoft Entra Things
Secure access in the age of AI: Key findings from our 2026 Report - As AI moves from experimentation into everyday workflows and AI agents begin operating more autonomously across systems, access environments are changing in scale, complexity, and speed. Our latest research, Secure access in the age of AI, looks at how security leaders are navigating one of the fastest shifts in enterprise technology adoption, and where existing access models are starting to show strain. For organizations, AI brings meaningful opportunity. But every new AI tool or agent also introduces additional identities, permissions, and access paths. As a result, identity and network access are no longer just foundational controls. They are central to how organizations manage risk in the age of AI.
Defender Experts for XDR Things
Microsoft Purview Things
I Built a Tool That Uses an Agent to Write Data Quality Rules to Microsoft Purview Unified Catalog - You have data assets registered in Microsoft Purview Unified Catalog with zero data quality rules attached. Maybe they came from Microsoft Fabric. Maybe Databricks or Snowflake. It does not matter. Someone wants full dimension coverage across every column of every gold layer table you own. There is no way you are doing that by hand. I built a tool that does it for you.
AI-Powered Troubleshooting for Microsoft Purview Data Lifecycle Management - Announcing the DLM Diagnostics MCP Server! Microsoft Purview Data Lifecycle Management (DLM) policies are critical for meeting compliance and governance requirements across Microsoft 365 workloads. However, when something goes wrong – such as retention policies not applying, archive mailboxes not expanding, or inactive mailboxes not getting purged – diagnosing the issue can be challenging and time-consuming.
New Microsoft Purview innovations for Fabric to safely accelerate your AI transformation - Organizations are skeptical about AI transformation due to concerns about sensitive data oversharing and poor data quality. In fact, 86% of organizations lack visibility into AI data flows, operating in the dark about what information employees share with AI systems. Compounding this challenge, about 67% of executives are uncomfortable using data for AI due to quality concerns. The challenges of data oversharing and poor data quality require organizations to solve these issues seamlessly for the safe usage of AI. Microsoft Purview offers a modern, unified approach to help organizations secure and govern data across their entire data estate, in particular best-in-class integrations with M365, Microsoft Fabric, and Azure data estates, streamlining oversight and reducing complexity across the estate.