You Should Know:
Implementing a custom claims provider in Entra ID (formerly Azure AD) allows organizations to extend authentication workflows with custom attributes and authorization logic. Below are key steps and commands to achieve this:
Prerequisites
- Azure AD Premium P1/P2 license
- Microsoft Graph API permissions
- PowerShell modules: `AzureAD` or `Microsoft.Graph`
Step 1: Register an Application in Entra ID
# Policy.ReadWrite.ApplicationConfiguration is needed for the claims mapping policy created in Step 2
Connect-MgGraph -Scopes "Application.ReadWrite.All","Policy.ReadWrite.ApplicationConfiguration"
New-MgApplication -DisplayName "CustomClaimsProvider" -SignInAudience "AzureADMyOrg"
Step 2: Define Claims Mapping Policy
Use Microsoft Graph to create a claims mapping policy:
$policyParams = @{
    # Definition is an array of JSON strings; piping it through ConvertTo-Json would double-encode it
    Definition  = @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true"}}')
    DisplayName = "CustomClaimsPolicy"
}
New-MgPolicyClaimMappingPolicy -BodyParameter $policyParams
Step 3: Assign Policy to Service Principal
$app = Get-MgApplication -Filter "displayName eq 'CustomClaimsProvider'"
# The policy is assigned to the service principal, not the application object, so look it up
# by appId (the application's object id is a different identifier); create it if it does not exist
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-MgServicePrincipal -AppId $app.AppId }
$policy = Get-MgPolicyClaimMappingPolicy -Filter "displayName eq 'CustomClaimsPolicy'"
New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $sp.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/$($policy.Id)"
}
Step 4: Validate Claims in Tokens
Use tools like jwt.io to decode tokens and verify custom claims. An access token is a live credential, so decode production tokens locally rather than pasting them into a third-party site.
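The policy above only includes the basic claim set and emits nothing new. The following is an added example, not code from the original post, that goes one step further: it maps a user attribute into a JWT claim, opts the application into mapped claims, and checks the result by decoding a token locally. It assumes a Microsoft.Graph session with Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All, that the 'CustomClaimsProvider' service principal already has the policy assigned as in Step 3, and that a token issued for it is in `$token`; the claim and policy names are assumptions.

```powershell
# Added example, not from the original post. Assumes a Graph session with the scopes
# named above, a 'CustomClaimsProvider' app with a service principal, and a token in $token.
# Claim and policy names are assumptions.

# 1) A policy that emits something: map the user's extensionAttribute1 to a JWT claim
#    "employeeType" (Definition is an array of JSON strings, not a JSON document).
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(@{
            Source        = "user"
            ID            = "extensionattribute1"
            JwtClaimType  = "employeeType"
            SamlClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeetype"
        })
    }
} | ConvertTo-Json -Depth 10 -Compress
$policy = New-MgPolicyClaimMappingPolicy -BodyParameter @{
    Definition  = @($definition)
    DisplayName = "EmployeeTypeClaimPolicy"
}

# 2) Entra refuses to issue mapped claims unless the app opts in (error AADSTS50146);
#    the alternative is an app-specific signing key.
$app = Get-MgApplication -Filter "displayName eq 'CustomClaimsProvider'"
Update-MgApplication -ApplicationId $app.Id -Api @{ AcceptMappedClaims = $true }

# 3) Decode the token locally instead of pasting a live credential into a web site.
#    This only reads the payload; signature validation stays with the resource's library.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS (expected header.payload.signature)" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Token $token
if ($claims.employeeType) {
    "employeeType = $($claims.employeeType) issued by tenant $($claims.tid) for audience $($claims.aud)"
} else {
    Write-Warning "employeeType missing: check the policy assignment, acceptMappedClaims, and that the user has extensionAttribute1 set"
}
```

Attach the new policy with the Step 3 `...ByRef` call before testing; a service principal can carry only one claims mapping policy at a time.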
Windows Hello for macOS: Secure Access Without Passwords
You Should Know:
Windows Hello for macOS enables passwordless authentication via biometrics or PIN. Here's how to configure it:
Step 1: Enable Device Registration
sudo /usr/bin/dsconfigad -enableSSO
Step 2: Configure Azure AD Join
Register-AzureADJoinDevice -DeviceName "MacBook-Pro" -DeviceType "Mac"
Step 3: Enforce Conditional Access
In Azure Portal:
- Navigate to Azure AD > Security > Conditional Access
- Create a policy requiring Windows Hello for macOS devices.
Active Directory Hardening
You Should Know:
Critical Hardening Commands
1. Enforce Password Complexity and Account Lockout:
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -ComplexityEnabled $true -LockoutThreshold 5
2. Enable LDAP Signing:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "LDAPServerIntegrity" /t REG_DWORD /d 2 /f
3. Audit Sensitive Groups:
# -Recursive expands nested groups so indirect members are audited too
Get-ADGroupMember "Domain Admins" -Recursive | Export-Csv "DomainAdmins_Audit.csv" -NoTypeInformation
What Undercode Say
Custom claims providers and passwordless auth are critical for modern IAM. Always:
– Monitor token claims via `auditLogs` in Azure AD.
– Use `Invoke-RestMethod` in PowerShell to simulate claims issuance.
– Harden AD with `Secedit /configure /db secedit.sdb /cfg baseline.inf`.
References:
- Entra ID Claims Provider: https://lnkd.in/gA64bGYZ
- Windows Hello for Mac: https://lnkd.in/gzvCn32c
- AD Hardening: https://lnkd.in/gNWNFy3a
Reported By: Briandesmond Theres – Hackers Feeds