Forum Discussion
Victor Polovets
Mar 15, 2019, Copper Contributor
auto forwarding email removes email address of incoming email
Hello all, I created a rule for auto-forwarding all incoming messages to 2 email addresses. It works perfectly, but the Office 365 service removes the email address of the sender. E.g. the original email has "John S...
Jun 24, 2024
Hi NKC25,
Your concerns about assigning roles at the resource group level and the potential security risks are valid. Here are some recommendations to address these concerns while maintaining a secure and manageable environment.
Current Concerns
- Visibility and Access: Assigning 'Virtual Machine User Login' or 'Virtual Machine Administrator Login' roles at the resource group level allows users to see and potentially access all VMs within the resource group.
- Security Risks: Users could gain access to VMs they should not have permissions for, posing a security risk.
Recommendations
1. Fine-Grained Access Control
To mitigate the security risks associated with assigning roles at the resource group level, consider these alternatives:
A. Dynamic Groups and Azure Policies:
- Dynamic User Groups: Use dynamic groups in Entra ID to automatically add users to groups based on attributes. These groups can then be assigned the necessary roles at the individual VM level.
- Azure Policies: Implement Azure policies to enforce role assignments. For example, a policy can be created to automatically assign the 'Virtual Machine User Login' role to users for new VMs based on predefined criteria.
B. Automation with Azure Functions and Logic Apps:
- Azure Functions: Create an Azure Function that runs whenever a new VM is created. This function can automatically assign the appropriate RBAC roles to the specific VM.
- Logic Apps: Use Logic Apps to automate the process of role assignments based on triggers such as VM creation.
2. Secure Role Assignment
Ensure that only the necessary permissions are granted to users:
A. Custom Roles:
- Create Custom Roles: Define custom roles with only the required permissions. For instance, create a custom role that allows login but restricts other actions.
- Assign Custom Roles: Assign these custom roles to users at the VM level, ensuring they only have the permissions they need.
B. Conditional Access Policies:
- Conditional Access: Implement conditional access policies to restrict access based on conditions such as user location, device compliance, and risk level.
- Access Reviews: Regularly conduct access reviews to ensure that users only have the necessary permissions.
3. Monitoring and Auditing
Implement monitoring and auditing practices to track access and ensure compliance:
A. Azure Monitor and Log Analytics:
- Monitor Access: Use Azure Monitor and Log Analytics to track login attempts and access patterns.
- Alerts: Set up alerts for unusual or unauthorized access attempts.
B. Azure Security Center:
- Security Recommendations: Utilize Azure Security Center to get security recommendations and alerts.
- Compliance: Ensure compliance with your organization's security policies and regulatory requirements.
Practical Steps
Dynamic Groups:
- Configure dynamic groups in Entra ID to automatically add users to appropriate groups based on their attributes.
Automation:
- Develop Azure Functions or Logic Apps to automate role assignments for new VMs.
Custom Roles:
- Define and assign custom roles with the minimum necessary permissions.
Conditional Access:
- Implement conditional access policies to enhance security.
Monitoring and Alerts:
- Set up Azure Monitor, Log Analytics, and Security Center to track and manage access.
By implementing these recommendations, you can maintain a secure and efficient RBAC design for your Azure Virtual Desktop environment. These measures will help ensure that users have the necessary access without exposing other resources to potential risks.
I hope these suggestions help! Feel free to reach out if you have further questions or need additional assistance.
Best regards,
Daniel
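The audit below is an added example, not code from Daniel's reply or from any Microsoft tool. It puts the first recommendation (assign the login roles at VM scope rather than resource-group scope) into a check you can run against an export in the shape of `az role assignment list --all -o json`: it computes which VMs each principal can actually log in to through scope inheritance, flags login-role assignments sitting at resource-group or subscription scope, and emits the `az role assignment` commands that replace each one with per-VM assignments. The subscription ID, principal names, VM names and the `INTENDED` mapping are constructed for the example.

```python
"""Added example: find Azure VM-login role assignments scoped above a single VM.

Input mirrors `az role assignment list --all -o json` (principalName,
roleDefinitionName, scope). Subscription, principals and VM names are constructed.
"""
import json
import re

# Built-in roles carrying the Microsoft.Compute/virtualMachines/login/action data action.
VM_LOGIN_ROLES = {"Virtual Machine User Login", "Virtual Machine Administrator Login"}

_SUB = r"/subscriptions/[^/]+"
_RG = _SUB + r"/resourceGroups/[^/]+"
SCOPE_PATTERNS = [  # most specific first
    ("vm", re.compile(rf"^{_RG}/providers/Microsoft\.Compute/virtualMachines/[^/]+$", re.I)),
    ("resourceGroup", re.compile(rf"^{_RG}$", re.I)),
    ("subscription", re.compile(rf"^{_SUB}$", re.I)),
]


def scope_kind(scope):
    """Classify a scope by the level of the resource-ID hierarchy it sits at."""
    for kind, pattern in SCOPE_PATTERNS:
        if pattern.match(scope):
            return kind
    return "other"  # management group, non-VM resource, ...


def scope_contains(scope, resource_id):
    """RBAC inherits down the hierarchy: a scope covers every ID it prefixes (case-insensitive)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def effective_vm_access(assignments, vm_ids):
    """Map principal -> set of VM IDs on which a VM login role is in effect."""
    access = {}
    for a in assignments:
        if a["roleDefinitionName"] not in VM_LOGIN_ROLES:
            continue  # e.g. Contributor manages the VM but has no login data action
        for vm in vm_ids:
            if scope_contains(a["scope"], vm):
                access.setdefault(a["principalName"], set()).add(vm)
    return access


def find_overbroad(assignments, vm_ids, intended):
    """Flag login-role assignments above VM scope; `intended` maps principal -> VM IDs they should reach."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in VM_LOGIN_ROLES or scope_kind(a["scope"]) == "vm":
            continue
        reachable = {vm for vm in vm_ids if scope_contains(a["scope"], vm)}
        wanted = intended.get(a["principalName"], set())
        findings.append({
            "principal": a["principalName"], "role": a["roleDefinitionName"],
            "scope": a["scope"], "scope_kind": scope_kind(a["scope"]),
            "excess_vms": sorted(reachable - wanted),  # VMs exposed only by the broad scope
            "intended_vms": sorted(wanted),
        })
    return findings


def remediation_commands(finding):
    """az CLI steps: remove the broad assignment, then recreate it once per intended VM."""
    p, role = finding["principal"], finding["role"]
    cmds = [f'az role assignment delete --assignee "{p}" --role "{role}" --scope "{finding["scope"]}"']
    cmds += [f'az role assignment create --assignee "{p}" --role "{role}" --scope "{vm}"'
             for vm in finding["intended_vms"]]
    return cmds


# --- constructed sample data (not real resources) ---------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_AVD, RG_FIN = SUB + "/resourceGroups/rg-avd-prod", SUB + "/resourceGroups/rg-finance"
VM = "/providers/Microsoft.Compute/virtualMachines/"
VM_IDS = [RG_AVD + VM + "avd-host-01", RG_AVD + VM + "avd-host-02",
          RG_AVD + VM + "avd-host-03", RG_FIN + VM + "fin-sql-01"]
SAMPLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Virtual Machine User Login", "scope": RG_AVD},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Virtual Machine Administrator Login", "scope": VM_IDS[1]},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Virtual Machine User Login", "scope": SUB},
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Contributor", "scope": RG_AVD},
])
INTENDED = {"alice@contoso.example": {VM_IDS[0]}, "bob@contoso.example": {VM_IDS[1]},
            "carol@contoso.example": {VM_IDS[2]}}


def run_audit(assignments_json, vm_ids, intended):
    """Parse az output; return (findings, {principal: remediation commands})."""
    findings = find_overbroad(json.loads(assignments_json), vm_ids, intended)
    return findings, {f["principal"]: remediation_commands(f) for f in findings}


if __name__ == "__main__":
    findings, cmds = run_audit(SAMPLE_ASSIGNMENTS_JSON, VM_IDS, INTENDED)
    for f in findings:
        print(f'{f["principal"]}: {f["role"]} at {f["scope_kind"]} scope exposes {len(f["excess_vms"])} extra VM(s)')
        print("\n".join("  " + c for c in cmds[f["principal"]]))
```

To run it against a real tenant, replace `SAMPLE_ASSIGNMENTS_JSON` with the file written by `az role assignment list --all -o json` and `VM_IDS` with the output of `az vm list --query "[].id" -o json`. The role check matches on the two built-in role names, so a custom login-only role of the kind suggested under Custom Roles would need to be added to `VM_LOGIN_ROLES`, and assignments at management-group scope are reported as "other" without a VM list, since the VM IDs are not prefixed by the management-group ID.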
Victor_Ungureanu
Microsoft
Mar 15, 2019
You should redirect the messages instead of forwarding them.
"Redirected messages appear as though they came from the original sender. Use a redirect message rule when you want replies to redirected messages to go to the original sender."
https://support.office.com/en-us/article/use-rules-in-outlook-web-app-to-automatically-forward-messages-to-another-account-1433e3a0-7fb0-4999-b536-50e05cb67fed
Victor Polovets, Mar 15, 2019, Copper Contributor