{
	"id": "1e9d2cad-bf94-4da5-b2fa-28388e89167d",
	"created_at": "2026-04-06T00:20:06.474548Z",
	"updated_at": "2026-04-10T03:20:06.961902Z",
	"deleted_at": null,
	"sha1_hash": "63090645c6506ad931d30f4c7d5e486f52f9b5a4",
	"title": "Secure your Microsoft Entra identity infrastructure - Microsoft Entra ID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1168838,
	"plain_text": "Secure your Microsoft Entra identity infrastructure - Microsoft\r\nEntra ID\r\nBy martincoetzer\r\nArchived: 2026-04-05 15:07:01 UTC\r\nIf you're reading this document, you're aware of the significance of security. You likely already carry the\r\nresponsibility for securing your organization. If you need to convince others of the importance of security, send\r\nthem to read the latest Microsoft Digital Defense Report.\r\nThis document helps you get a more secure posture using the capabilities of Microsoft Entra ID by using a five-step checklist to improve your organization's protection against cyber-attacks.\r\nThis checklist helps you quickly deploy critical recommended actions to protect your organization immediately by\r\nexplaining how to:\r\nStrengthen your credentials\r\nReduce your attack surface area\r\nAutomate threat response\r\nUtilize cloud intelligence\r\nEnable end-user self-service\r\nNote\r\nMany of the recommendations in this document apply only to applications that are configured to use Microsoft\r\nEntra ID as their identity provider. Configuring apps for Single Sign-On assures the benefits of credential policies,\r\nthreat detection, auditing, logging, and other features add to those applications. Microsoft Entra Application\r\nManagement is the foundation on which all these recommendations are based.\r\nThe recommendations in this document are aligned with the Identity Secure Score, an automated assessment of\r\nyour Microsoft Entra tenant’s identity security configuration. Organizations can use the Identity Secure Score\r\npage in the Microsoft Entra admin center to find gaps in their current security configuration to ensure they follow\r\ncurrent Microsoft best practices for security. 
Implementing each recommendation in the Secure Score page\r\nincreases your score and allows you to track your progress, and helps you compare your implementation against\r\nother similar-size organizations.\r\nhttps://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#block-end-user-consent\r\nPage 1 of 12\n\nBefore you begin: Protect privileged accounts with MFA\r\nBefore you begin this checklist, make sure you don't get compromised while you're reading this checklist. In\r\nMicrosoft Entra we observe 50 million password attacks daily, yet only a fraction of users and administrators are\r\nusing strong authentication such as multifactor authentication (MFA). These statistics are based on data as of\r\nAugust 2021. In Microsoft Entra ID, users who have privileged roles, such as administrators, are the root of trust\r\nto build and manage the rest of the environment. Implement the following practices to minimize the effects of a\r\ncompromise.\r\nAttackers who get control of privileged accounts can do tremendous damage, so it's critical to protect these\r\naccounts before proceeding. Enable and require Microsoft Entra multifactor authentication (MFA) for all\r\nadministrators in your organization using Microsoft Entra Security Defaults or Conditional Access. It's critical.\r\nAll set? Let's get started on the checklist.\r\nStep 1: Strengthen your credentials\r\nAlthough other types of attacks are emerging, including consent phishing and attacks on nonhuman identities,\r\npassword-based attacks on user identities are still the most prevalent vector of identity compromise. Well-established spear phishing and password spray campaigns by adversaries continue to be successful against\r\norganizations that don't implement multifactor authentication (MFA) or other protections against this common\r\ntactic.\r\nAs an organization you need to make sure that your identities are validated and secured with MFA everywhere. 
In\r\n2020, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) Report identified phishing\r\nas the top crime type for victim complaints. The number of reports doubled compared to the previous year.\r\nPhishing poses a significant threat to both businesses and individuals, and credential phishing was used in many of\r\nthe most damaging attacks last year. Microsoft Entra multifactor authentication (MFA) helps safeguard access to\r\ndata and applications, providing another layer of security by using a second form of authentication. Organizations\r\ncan enable multifactor authentication with Conditional Access to make the solution fit their specific needs. Take a\r\nlook at this deployment guide to see how to plan, implement, and roll out Microsoft Entra multifactor\r\nauthentication.\r\nMake sure your organization uses strong authentication\r\nTo easily enable the basic level of identity security, you can use the one-select enablement with Microsoft Entra\r\nsecurity defaults. Security defaults enforce Microsoft Entra multifactor authentication for all users in a tenant and\r\nblock sign-ins from legacy protocols tenant-wide.\r\nIf your organization has Microsoft Entra ID P1 or P2 licenses, then you can also use the Conditional Access\r\ninsights and reporting workbook to help you discover gaps in your configuration and coverage. From these\r\nrecommendations, you can easily close this gap by creating a policy using the new Conditional Access templates\r\nexperience. 
Conditional Access templates are designed to provide an easy method to deploy new policies that\r\nalign with Microsoft recommended best practices, making it easy to deploy common policies to protect your\r\nidentities and devices.\r\nStart banning commonly attacked passwords and turn off traditional complexity and expiration\r\nrules.\r\nMany organizations use traditional complexity and password expiration rules. Microsoft's research shows, and\r\nNational Institute of Standards and Technology (NIST) Special Publication 800-63B Digital Identity Guidelines\r\nstate, that these policies cause users to choose passwords that are easier to guess. We recommend you use\r\nMicrosoft Entra password protection, a dynamic banned password feature that uses current attacker behavior to\r\nprevent users from setting passwords that can easily be guessed. This capability is always on when users are\r\ncreated in the cloud, but is now also available for hybrid organizations when they deploy Microsoft Entra\r\npassword protection for Windows Server Active Directory. In addition, we recommend you remove expiration\r\npolicies. Password change offers no containment benefits as cyber criminals almost always use credentials as soon\r\nas they compromise them. Refer to the following article to Set the password expiration policy for your\r\norganization.\r\nProtect against leaked credentials and add resilience against outages\r\nThe simplest and recommended method for enabling cloud authentication for on-premises directory objects in\r\nMicrosoft Entra ID is to enable password hash synchronization (PHS). If your organization uses a hybrid identity\r\nsolution with pass-through authentication or federation, then you should enable password hash sync for the\r\nfollowing two reasons:\r\nThe Users with leaked credentials report in Microsoft Entra ID warns of publicly exposed username and\r\npassword pairs. 
An incredible volume of passwords is leaked via phishing, malware, and password reuse\r\non third-party sites that are later breached. Microsoft finds many of these leaked credentials and tells you,\r\nin this report, if they match credentials in your organization – but only if you enable password hash sync or\r\nhave cloud-only identities.\r\nIf an on-premises outage happens, like a ransomware attack, you can switch over to using cloud\r\nauthentication using password hash sync. This backup authentication method allows you to continue\r\naccessing apps configured for authentication with Microsoft Entra ID, including Microsoft 365. In this\r\ncase, IT staff doesn't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.\r\nPasswords are never stored in clear text or encrypted with a reversible algorithm in Microsoft Entra ID. For more\r\ninformation on the actual process of password hash synchronization, see Detailed description of how password\r\nhash synchronization works.\r\nSmart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get\r\nin. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of\r\nattackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts\r\nand be productive. Organizations that configure applications to authenticate directly to Microsoft Entra ID\r\nbenefit from Microsoft Entra smart lockout. 
Federated deployments that use AD FS 2016 and AD FS 2019 can\r\nenable similar benefits using AD FS Extranet Lockout and Extranet Smart Lockout.\r\nStep 2: Reduce your attack surface area\r\nGiven the pervasiveness of password compromise, minimizing the attack surface in your organization is critical.\r\nDisable the use of older, less secure protocols, limit access entry points, move to cloud authentication, exercise\r\nmore significant control of administrative access to resources, and embrace Zero Trust security principles.\r\nUse Cloud Authentication\r\nCredentials are a primary attack vector. The practices in this blog can reduce the attack surface by using cloud\r\nauthentication, deploying MFA, and using passwordless authentication methods. You can deploy passwordless methods\r\nsuch as Windows Hello for Business, Phone Sign-in with the Microsoft Authenticator App or FIDO.\r\nBlock legacy authentication\r\nApps using their own legacy methods to authenticate with Microsoft Entra ID and access company data pose\r\nanother risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients.\r\nLegacy authentication apps authenticate on behalf of the user and prevent Microsoft Entra ID from doing\r\nadvanced security evaluations. The alternative, modern authentication, reduces your security risk, because it\r\nsupports multifactor authentication and Conditional Access.\r\nWe recommend the following actions:\r\n1. Discover legacy authentication in your organization with Microsoft Entra sign-in logs and Log Analytics\r\nworkbooks.\r\n2. Set up SharePoint Online and Exchange Online to use modern authentication.\r\n3. If you have Microsoft Entra ID P1 or P2 licenses, use Conditional Access policies to block legacy\r\nauthentication. For Microsoft Entra ID Free tier, use Microsoft Entra Security Defaults.\r\n4. 
Block legacy authentication if you use AD FS.\r\n5. Block Legacy Authentication with Exchange Server 2019.\r\n6. Disable legacy authentication in Exchange Online.\r\nFor more information, see the article Blocking legacy authentication protocols in Microsoft Entra ID.\r\nBlock invalid authentication entry points\r\nUsing the verify explicitly principle, you should reduce the impact of compromised user credentials when they\r\nhappen. For each app in your environment, consider the valid use cases: which groups, which networks, which\r\ndevices and other elements are authorized – then block the rest. With Microsoft Entra Conditional Access, you can\r\ncontrol how authorized users access their apps and resources based on specific conditions you define.\r\nFor more information on how to use Conditional Access for your Cloud Apps and user actions, see Conditional\r\nAccess Cloud apps, actions, and authentication context.\r\nReview and govern admin roles\r\nAnother Zero Trust pillar is the need to minimize the likelihood a compromised account can operate with a\r\nprivileged role. This control can be accomplished by assigning the least amount of privilege to an identity. If\r\nyou’re new to Microsoft Entra roles, this article helps you understand Microsoft Entra roles.\r\nPrivileged roles in Microsoft Entra ID should be cloud-only accounts in order to isolate them from any on-premises environments. Don’t use on-premises password vaults to store the credentials.\r\nImplement Privilege Access Management\r\nPrivileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the\r\nrisks of excessive, unnecessary, or misused access permissions to important resources. 
These resources include\r\nresources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft\r\nIntune.\r\nMicrosoft Entra Privileged Identity Management (PIM) helps you minimize account privileges by helping you:\r\nIdentify and manage users assigned to administrative roles.\r\nUnderstand unused or excessive privilege roles you should remove.\r\nEstablish rules to make sure privileged roles are protected by multifactor authentication.\r\nEstablish rules to make sure privileged roles are granted only long enough to accomplish the privileged\r\ntask.\r\nEnable Microsoft Entra PIM, then view the users who are assigned administrative roles and remove unnecessary\r\naccounts in those roles. For remaining privileged users, move them from permanent to eligible. Finally, establish\r\nappropriate policies to make sure when they need to gain access to those privileged roles, they can do so securely,\r\nwith the necessary change control.\r\nMicrosoft Entra built-in and custom roles operate on concepts similar to roles found in the role-based access\r\ncontrol system for Azure resources (Azure roles). The difference between these two role-based access control\r\nsystems is:\r\nMicrosoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications\r\nusing the Microsoft Graph API\r\nAzure roles control access to Azure resources such as virtual machines or storage using Azure Resource\r\nManagement\r\nBoth systems contain similarly used role definitions and role assignments. However, Microsoft Entra role\r\npermissions can't be used in Azure custom roles and vice versa. 
As part of deploying your privileged account\r\nprocess, follow the best practice to create at least two emergency accounts to make sure you still have access to\r\nMicrosoft Entra ID if you lock yourself out.\r\nFor more information, see the article Plan a Privileged Identity Management deployment and securing privileged\r\naccess.\r\nRestrict user consent operations\r\nIt’s important to understand the various Microsoft Entra application consent experiences, the types of permissions\r\nand consent, and their implications on your organization’s security posture. While allowing users to consent by\r\nthemselves does allow users to easily acquire useful applications that integrate with Microsoft 365, Azure, and\r\nother services, it can represent a risk if not used and monitored carefully.\r\nMicrosoft recommends restricting user consent to allow end-user consent only for apps from verified publishers\r\nand only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored\r\nbut all future consent operations must be performed by an administrator. For restricted cases, users can request admin\r\nconsent through an integrated admin consent request workflow or through your own support processes. Before\r\nrestricting end-user consent, use our recommendations to plan this change in your organization. For applications\r\nyou wish to allow all users to access, consider granting consent on behalf of all users, making sure users who\r\ndidn't yet individually consent can access the app. If you don’t want these applications to be available to all users\r\nin all scenarios, use application assignment and Conditional Access to restrict user access to specific apps.\r\nMake sure users can request admin approval for new applications to reduce user friction, minimize support\r\nvolume, and prevent users from signing up for applications using non-Microsoft Entra credentials. 
Once you\r\nregulate your consent operations, administrators should audit app and consent permissions regularly.\r\nFor more information, see the article Microsoft Entra consent framework.\r\nStep 3: Automate threat response\r\nMicrosoft Entra ID has many capabilities that automatically intercept attacks, to remove the latency between\r\ndetection and response. You can reduce the costs and risks when you reduce the time criminals use to embed\r\nthemselves into your environment. Here are the concrete steps you can take.\r\nFor more information, see the article How To: Configure and enable risk policies.\r\nImplement sign-in risk policy\r\nA sign-in risk represents the probability that the identity owner didn't authorize a given authentication\r\nrequest. A sign-in risk-based policy can be implemented through adding a sign-in risk condition to your\r\nConditional Access policies that evaluates the risk level to a specific user or group. Based on the risk level\r\n(high/medium/low), a policy can be configured to block access or force multifactor authentication. We\r\nrecommend that you force multifactor authentication on Medium or above risky sign-ins.\r\nImplement user risk security policy\r\nUser risk indicates the likelihood of user identity compromise and is calculated based on the user risk detections\r\nthat are associated with a user's identity. A user risk-based policy can be implemented through adding a user risk\r\ncondition to your Conditional Access policies that evaluates the risk level to a specific user. Based on Low,\r\nMedium, High risk-level, a policy can be configured to block access or require a secure password change using\r\nmultifactor authentication. 
Microsoft's recommendation is to require a secure password change for users on high\r\nrisk.\r\nIncluded in the user risk detection is a check whether the user's credentials match credentials leaked by\r\ncybercriminals. To function optimally, it’s important to implement password hash synchronization with Microsoft\r\nEntra Connect Sync.\r\nIntegrate Microsoft Defender XDR with Microsoft Entra ID Protection\r\nFor Identity Protection to be able to perform the best risk detection possible, it needs to get as many signals as\r\npossible. It’s therefore important to integrate the complete suite of Microsoft Defender XDR services:\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Office 365\r\nMicrosoft Defender for Identity\r\nMicrosoft Defender for Cloud Apps\r\nLearn more about Microsoft Threat Protection and the importance of integrating different domains, in the\r\nfollowing short video.\r\nSet up monitoring and alerting\r\nMonitoring and auditing your logs is important to detect suspicious behavior. The Azure portal has several ways to\r\nintegrate Microsoft Entra logs with other tools, like Microsoft Sentinel, Azure Monitor, and other SIEM tools. For\r\nmore information, see the Microsoft Entra security operations guide.\r\nStep 4: Utilize cloud intelligence\r\nAuditing and logging of security-related events and related alerts are essential components of an efficient\r\nprotection strategy. Security logs and reports provide you with an electronic record of suspicious activities and\r\nhelp you detect patterns that might indicate attempted or successful external penetration of the network, and\r\ninternal attacks. 
You can use auditing to monitor user activity, document regulatory compliance, do forensic\r\nanalysis, and more. Alerts provide notifications of security events. Make sure you have a log retention policy in\r\nplace for both your sign-in logs and audit logs for Microsoft Entra ID by exporting into Azure Monitor or a SIEM\r\ntool.\r\nMonitor Microsoft Entra ID\r\nMicrosoft Azure services and features provide you with configurable security auditing and logging options to help\r\nyou identify gaps in your security policies and mechanisms and address those gaps to help prevent breaches. You\r\ncan use Azure Logging and Auditing and use Audit activity reports in the Microsoft Entra admin center. See the\r\nMicrosoft Entra Security Operations guide for more details on monitoring user accounts, Privileged accounts,\r\napps, and devices.\r\nMonitor Microsoft Entra Connect Health in hybrid environments\r\nMonitoring AD FS with Microsoft Entra Connect Health provides you with greater insight into potential issues\r\nand visibility of attacks on your AD FS infrastructure. You can now view ADFS sign-ins to give greater depth for\r\nyour monitoring. Microsoft Entra Connect Health delivers alerts with details, resolution steps, and links to related\r\ndocumentation; usage analytics for several metrics related to authentication traffic; performance monitoring and\r\nreports. Utilize the Risky IP WorkBook for ADFS that can help identify the norm for your environment and alert\r\nwhen there’s a change. All Hybrid Infrastructure should be monitored as a Tier 0 asset. Detailed monitoring\r\nguidance for these assets can be found in the Security Operations guide for Infrastructure.\r\nMonitor Microsoft Entra ID Protection events\r\nMicrosoft Entra ID Protection provides two important reports you should monitor daily:\r\n1. 
Risky sign-in reports surface user sign-in activities you should investigate to determine whether the legitimate owner\r\nperformed the sign-in.\r\n2. Risky user reports surface user accounts that might be compromised, such as a leaked credential that was\r\ndetected or the user signed in from different locations, causing an impossible travel event.\r\nAudit apps and consented permissions\r\nUsers can be tricked into navigating to a compromised web site or apps that gain access to their profile\r\ninformation and user data, such as their email. A malicious actor can use the consented permissions it received to\r\nencrypt their mailbox content and demand a ransom to regain your mailbox data. Administrators should review\r\nand audit the permissions given by users. In addition to auditing the permissions given by users, you can locate\r\nrisky or unwanted OAuth applications in premium environments.\r\nStep 5: Enable end-user self-service\r\nAs much as possible you want to balance security with productivity. Approaching your journey with the mindset\r\nthat you're setting a foundation for security, you can remove friction from your organization by empowering your\r\nusers while remaining vigilant and reducing your operational overheads.\r\nImplement self-service password reset\r\nMicrosoft Entra ID's self-service password reset (SSPR) offers a simple means for IT administrators to allow users\r\nto reset or unlock their passwords or accounts without helpdesk or administrator intervention. 
The system includes\r\ndetailed reporting that tracks when users reset their passwords, along with notifications to alert you to misuse or\r\nabuse.\r\nImplement self-service group and application access\r\nMicrosoft Entra ID can allow nonadministrators to manage access to resources, using security groups, Microsoft\r\n365 groups, application roles, and access package catalogs. Self-service group management enables group owners\r\nto manage their own groups, without needing to be assigned an administrative role. Users can also create and\r\nmanage Microsoft 365 groups without relying on administrators to handle their requests, and unused groups\r\nexpire automatically. Microsoft Entra entitlement management further enables delegation and visibility, with\r\ncomprehensive access request workflows and automatic expiration. You can delegate to nonadministrators the\r\nability to configure their own access packages for groups, Teams, applications, and SharePoint Online sites they\r\nown, with custom policies for who is required to approve access, including configuring employee's managers and\r\nbusiness partner sponsors as approvers.\r\nImplement Microsoft Entra access reviews\r\nWith Microsoft Entra access reviews, you can manage access package and group memberships, access to\r\nenterprise applications, and privileged role assignments to make sure you maintain a security standard. Regular\r\noversight by the users themselves, resource owners, and other reviewers ensures that users don't retain access for\r\nextended periods of time when they no longer need it.\r\nImplement automatic user provisioning\r\nProvisioning and deprovisioning are the processes that ensure consistency of digital identities across multiple\r\nsystems. 
These processes are typically applied as part of identity lifecycle management.\r\nProvisioning is the process of creating an identity in a target system based on certain conditions. Deprovisioning\r\nis the process of removing the identity from the target system, when conditions are no longer met.\r\nSynchronization is the process of keeping the provisioned object up to date so that the source object and target\r\nobject are similar.\r\nMicrosoft Entra ID currently provides three areas of automated provisioning. They are:\r\nProvisioning from an external nondirectory authoritative system of record to Microsoft Entra ID, via HR-driven provisioning\r\nProvisioning from Microsoft Entra ID to applications, via App provisioning\r\nProvisioning between Microsoft Entra ID and Active Directory Domain Services, via inter-directory\r\nprovisioning\r\nFind out more here: What is provisioning with Microsoft Entra ID?\r\nSummary\r\nThere are many aspects to a secure Identity infrastructure, but this five-step checklist helps you to quickly\r\naccomplish a safer and secure identity infrastructure:\r\nStrengthen your credentials\r\nReduce your attack surface area\r\nAutomate threat response\r\nUtilize cloud intelligence\r\nEnable end-user self-service\r\nWe appreciate how seriously you take security and hope this document is a useful roadmap to a more secure\r\nposture for your organization.\r\nNext steps\r\nIf you need assistance to plan and deploy the recommendations, refer to the Microsoft Entra ID project\r\ndeployment plans for help.\r\nIf you're confident all these steps are complete, use Microsoft’s Identity Secure Score, which keeps you up to date\r\nwith the latest best practices and security threats.\r\nSource: 
https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#block-end-user-consent",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity#block-end-user-consent"
	],
	"report_names": [
		"steps-secure-identity#block-end-user-consent"
	],
	"threat_actors": [],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63090645c6506ad931d30f4c7d5e486f52f9b5a4.pdf",
		"text": "https://archive.orkl.eu/63090645c6506ad931d30f4c7d5e486f52f9b5a4.txt",
		"img": "https://archive.orkl.eu/63090645c6506ad931d30f4c7d5e486f52f9b5a4.jpg"
	}
}