Microsoft Graph Security API
14 Topics

Microsoft Sentinel Graph with Microsoft Security Solutions
Why I Chose Sentinel Graph

Modern security operations demand speed and clarity. Attackers exploit complex relationships across identities, devices, and workloads. I needed a solution that could:
- Correlate signals across identity, endpoint and cloud workloads.
- Predict lateral movement and highlight blast radius for compromised accounts.
- Integrate seamlessly with Microsoft Defender, Entra ID and Purview.
Sentinel Graph delivered exactly that, acting as the reasoning layer for AI-driven defense.

What's New: Sentinel Graph Public Preview

Sentinel Graph introduces:
- Graph-based threat hunting: traverse relationships across millions of entities.
- Blast radius analysis: visualize the impact of compromised accounts or assets.
- AI-powered reasoning: built for integration with Security Copilot.
- Native integration with Microsoft Defender and Purview for unified security posture.

Uncover Hidden Security Risks

Sentinel Graph helps security teams:
- Expose lateral movement paths that attackers could exploit.
- Identify choke points where defenses can be strengthened.
- Reveal risky relationships between identities, devices, and resources that traditional tools miss.
- Prioritize remediation by visualizing the most critical nodes in an attack path.
This capability transforms threat hunting from reactive alert triage to proactive risk discovery, enabling defenders to harden their environment before an attack occurs.

How to Enable Defense at All Stages

Sentinel Graph strengthens defense across:
- Prevention: identify choke points and harden critical paths before attackers exploit them.
- Detection: use graph traversal to uncover hidden attack paths and suspicious relationships.
- Investigation: quickly pivot from alerts to full graph-based context for deeper analysis.
- Response: contain threats faster by visualizing blast radius and isolating impacted entities.
This end-to-end approach ensures security teams can anticipate, detect, and respond with precision.
How I Implemented It

Step 1: Enabling Sentinel Graph
If you already have the Sentinel Data Lake, the graph is auto-provisioned when you sign in to the Microsoft Defender portal. Hunting graph and blast radius experiences appear directly in Defender. New to Data Lake? Use the Sentinel Data Lake onboarding flow to enable both the data lake and graph.

Step 2: Integration with Microsoft Defender
Practical examples from my project:
- Query: "Show me all entities connected to this suspicious IP address." → Revealed lateral movement attempts across multiple endpoints.
- Query: "Map the blast radius of a compromised account." → Identified linked service principals and privileged accounts for isolation.

Step 3: Integration with Microsoft Purview
- In Purview Insider Risk Management, follow the Data Risk Graph setup instructions.
- In Purview Data Security Investigations, enable Data Risk Graph for sensitive data flow analysis.
Example:
- Query: "Highlight all paths where sensitive data intersects with external connectors." → Helped detect risky data exfiltration paths.

Step 4: AI-Powered Insights
Using Microsoft Security Copilot, I asked:
- "Predict the next hop for this attacker based on current graph state."
- "Identify choke points in this attack path."
This reduced investigation time and improved proactive defense.

If you want to experience the power of Microsoft Sentinel Graph, here's how you can get started:
1. Enable Sentinel Graph: In your Sentinel workspace, turn on the Sentinel Data Lake. The graph will be auto-provisioned when you sign in to the Microsoft Defender portal.
2. Connect Microsoft Security Solutions: Use built-in connectors to integrate Microsoft Defender, Microsoft Entra ID, and Microsoft Purview. This ensures unified visibility across identities, endpoints, and data.
3. Explore Graph Queries: Start hunting with Sentinel Notebooks or take it a step further by integrating with Microsoft Security Copilot for natural language investigations.
Example: “Show me the blast radius of a compromised account.” or “Find everything connected to this suspicious IP address.”

You can sign up here for a free preview of Sentinel Graph MCP tools, which will also roll out starting December 1, 2025.

/security/secureScoreControlProfiles with skiptoken error: "Query option 'SkipToken' is not allowed"
The Graph API call /security/secureScoreControlProfiles with skiptoken has been failing for a few days. The first request to /security/secureScoreControlProfiles works correctly, but since it has too many results, when getting the next page with the nextLink request, it fails with:

The query specified in the URI is not valid. Query option 'SkipToken' is not allowed. To allow it, set the 'AllowedQueryOptions' property on EnableQueryAttribute or QueryValidationSettings.

Enable Password Expiration - Update-MgUser -PasswordPolicies None does not work
Hello, good morning everyone! I hope all is well with everyone. Well, I need to activate the option to force passwords to expire every period. I used the Admin Center for this. However, I noticed that the accounts always remain this way:

UserPrincipalName // PasswordNeverExpires
[email address removed for privacy reasons] // False

I get the impression that the accounts will not expire the passwords as I wish. I use the command Update-MgUser -UserId <account id> -PasswordPolicies None but absolutely nothing happens. I really need to activate this. Is there an internal case that I can resolve, or does this require intervention from MS Support?

New Blog Post | Microsoft Quarterly Cyber Signals Report: Issue 5, State of Play
At Microsoft, we believe that security is a team sport and by sharing what we’re learning, we can all make the world a safer place. Cyber Signals aggregates insights we see from our research and security teams on the frontlines, leveraging trillions of daily signals to provide guidance and security insights into the threat landscape.

Opportunistic threat actors exploit target-rich environments

This edition of Cyber Signals explores how threat actors exploit high-profile events, particularly in connected environments, introducing cyber risk for organizers, facilities, and attendees. The National Cyber Security Centre (NCSC) found that sports organizations are increasingly targeted, with 70% of those experiencing at least one attack per year, higher than the United Kingdom’s business average.

Read the full blog here: Microsoft Quarterly Cyber Signals Report: Issue 5, State of Play - Microsoft Community Hub

Programmatically retrieve Secure Score Activities
Hi there, I am wondering if it is possible to retrieve a list of activities taken to increase/decrease a tenant's Secure Score. I can see that it is possible to export to CSV from the frontend, but we are looking to do this programmatically. Is there a way to export these events to another Azure service, or retrieve them from the Graph API/another service?

New Blog Post | Improving efficiency of your eDiscovery workflows with Microsoft Purview
Improving efficiency of your eDiscovery workflows with Microsoft Purview - Microsoft Community Hub

The demands of digital transformation are leading organizations to increasingly rely on collaboration platforms, resulting in a surge of Electronically Stored Information (ESI). This trend presents additional challenges for eDiscovery teams to sift through the vast amounts of data for investigations and litigations. According to Statista, the size of the digital universe is expected to reach 180 zettabytes by 2025, further compounding this challenge. Moreover, global economic headwinds are putting pressure on organizations to find ways to do more with less, causing tighter budgets and resource constraints. Today, we are excited to announce several new capabilities within Microsoft Purview eDiscovery (Premium) to help drive efficiency, improve workflows and reduce costs for litigations and investigations.

Azure Active Directory Identity Protection - QRadar Integration
Hi all, we would like to integrate our Azure Active Directory Identity Protection system with QRadar on Cloud, in order to forward alerts directly to the SIEM dashboard. In the discussion opened in 2020, they say that we can do that with the Graph API: https://www.ibm.com/docs/en/qradar-on-cloud?topic=options-microsoft-graph-security-api-protocol-configuration

Is that possible even with the current versions of both AADI and QRadar?

Apply Sensitivity Labels using Graph APIs
While using the Beta Graph API for Sensitivity Label (https://graph.microsoft.com/beta/drives/myDriveID/items/myItemID/microsoft.graph.assignSensitivityLabel), I get the below error. I am using Delegated App Permission.

{
  "error": {
    "code": "notSupported",
    "message": "AssignSensitivityLabel API is not yet available",
    "innerError": {
      "date": "2022-09-29T16:30:30",
      "request-id": "edd756cc-12f2-4781-ba07-004d601f42a0",
      "client-request-id": "edd756cc-12f2-4781-ba07-004d601f42a0"
    }
  }
}

https://graph.microsoft.com/beta/drives/DriveID/items/ItemID/microsoft.graph.extractSensitivityLabel - This works very well using the same token and other permission levels. Please help. VasilMichev