Microsoft Government CMMC AMA
Event details
We want to hear from our customers and answer their questions about how we can help them achieve CMMC compliance with their Microsoft Azure and Microsoft 365 subscriptions. We will be hosting an "Ask Microsoft Anything" (AMA) session on Tuesday, April 12th from 10:30 AM - 11:00 AM PST here and answering questions in the comments below.
This event is open to all Tech Community members, and Microsoft product experts will be standing by to provide answers.
Feel free to post your questions about CMMC in the comments below beforehand if that fits your schedule or time zone better, though questions will not be answered until the live hour.
Please note: this AMA is only for questions about achieving CMMC compliance with Microsoft products, including Microsoft Azure and Microsoft 365.
98 Comments
- MironSeth (Copper Contributor): Will a role other than global admin ever be able to upload Oauth tokens for Azure MFA? According to best practice, tenants are to have fewer than 5 global admins. This limits us in remote offices where admins need to be able to set up Oauth tokens for new hires or as replacements.
- RichardWakeman (Microsoft): We have a new delegated admin role capability broken down into Administrative Units. You can now get very granular in role assignments. Check out https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units. What gets really interesting is layering PIM on the AUs and enforcing device authentication for the privileged access. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management
- I am wondering: how do we extract Azure resource changes and utilization for date-range reports?
- RichardWakeman (Microsoft): Azure has very extensive utilization reports built in, especially for billing resources. For monitoring and reporting on resource changes, you may leverage Azure logging to analytics workspaces and to Defender for Cloud; together with Microsoft Sentinel, you can report on resource changes and even look for resources that are out of compliance or need remediation. Check out our Sentinel CMMC 2.0 Solution for alignment with CMMC. TJ will be blogging on it next week, but I also reference it here: https://aka.ms/CMMCAccelerationProgramUpdate
- mrellis87 (Copper Contributor): What would be the recommendation for an organization that does both CMMC-required business and non-CMMC (commercial) business? Would this require one GCC-High tenant for CMMC and a second commercial tenant for the rest of the organization? Thanks!
- Smccartin (Copper Contributor): It really depends on the size of your organization. With a medium to large organization, it would be possible to create an enclave for the CUI data. But for a small organization it might just be easier to secure everything at that level regardless of whether everyone needs access to CUI.
- Justin_Orcutt (Microsoft): Hi Matthew - This is really a business decision. There are a number of factors that you need to consider as you plan for CMMC compliance. The two important factors are what types of CUI you have (and where) and who will need to gain access to that data. We see a variety of configurations across the defense industrial base, and the option you mentioned is one variation. In addition, CMMC might not be the only requirement that you have to comply with.
- mrellis87 (Copper Contributor): Thanks Justin. Follow-up question: can you elaborate on the difference between GCC and GCC-High when it comes to CUI/CMMC compliance?
- Kenskens3104 (Occasional Reader): Is this purely a "post" and "reply" style event?
- Sarah_Gilbert (Silver Contributor): Yes, this is all in text 🙂
- Joshua1984 (Copper Contributor): Does Microsoft have a Walking Deck that highlights the benefits and details of CMMC? (Like they do around other Cloud Industry Solutions)
- jolenetam (Microsoft): Hi Joshua, not a deck, but check out the Microsoft CMMC page and this CMMC overview blog.
- cschrock (Copper Contributor): I am new to CMMC. Where do I start with 365?
- WallaceChristopherJ (Copper Contributor): Two other helpful links: https://www.youtube.com/watch?v=XSlCENIB5Po https://www.cmmc-coa.com/
- Smccartin (Copper Contributor): A good place to start is reading the NIST SP 800-171 document; this is what CMMCv2 Level 2 (the CUI level) maps to, though version 1 of CMMC includes a couple of extra controls. There's a decent amount of overlap in the M365 Compliance Manager with this too, so it's a good idea to go through that compliance template before you buy the premium compliance template add-on that Microsoft has for CMMCv1 L3 (the v1 CUI level). https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- Smccartin (Copper Contributor): Adding the assessment objectives to my recommendation. It's great for writing up a document to hand off to auditors or for just doing a self-audit. https://csrc.nist.gov/publications/detail/sp/800-171a/final
- Justin_Orcutt (Microsoft): Hi Colin - You are embarking on an adventurous journey. I suggest you start with the Microsoft CMMC Acceleration Update from March 2022: https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-cmmc-acceleration-update-march-2022/ba-p/3258999. You will find a number of resources to help you along the way, including the CMMC Technical Reference Guide and the CMMC Placemat for CMMC 2.0.
- Joshua1984 (Copper Contributor): Is this going to be a live presentation or just a form to write our questions?
- jolenetam (Microsoft): This is an hour dedicated to answering your written questions! Fire away!
- Sarah_Gilbert (Silver Contributor): Welcome to the Microsoft Government CMMC Ask Microsoft Anything (AMA)! This live hour gives you the opportunity to ask questions directly to the Microsoft team. Please post any questions in a separate, new comment thread on this event. Thanks!
- andrewgsauer (Brass Contributor): Is the long-term vision for Azure AD B2B for GCC High <-> Commercial to be a fully integrated experience like we get with Commercial <-> Commercial right now? Or will there likely be features that won't ever come?
- Paul Meacham (Microsoft): Howdy Andy!
Cross-cloud B2B (CCB2B) will work the same way as in-cloud B2B works.
CCB2B is currently in a Private Preview. Currently, CCB2B allows for sharing of web documents (OneDrive/SharePoint) and authentication into web apps (apps with a web front end that authenticate to AAD). Web app authentication includes custom LoB apps and 3P SaaS apps; it does not include Teams.
We are working to release the current capabilities as a Public Preview this quarter (Q2CY22), so stay tuned! Additional capabilities such as Teams guesting and authenticated Meeting Join are still in development and will be made available in a later feature release after the initial Public Preview release.
In order to prepare for CCB2B, we recommend that customers review Cross-tenant access settings, which give tenant admins granular control over inbound and outbound sharing. Cross-tenant access settings are available in all clouds for "in-cloud" B2B and will work across CCB2B once it is available publicly. Read more here: Cross-tenant access overview - Azure AD | Microsoft Docs
I hope this helps!
- Smccartin (Copper Contributor): We have been struggling with implementing MFA for Windows login. It seems that the only way to reliably enforce requiring 2 factors is to disable all the built-in credential providers that only use one factor, notably disabling the traditional password provider, which breaks things like LAPS. That leaves only credential providers that themselves enforce the 2FA, such as smartcard/FIDO token providers, Windows Hello for Business, or third-party providers made by companies like Duo or Yubico. Further, when using WHfB there isn't a reliable way to audit which methods users configure for logging in. This is worrying since users can bypass configuring additional credential providers, or at least the fingerprint provider I was able to test with. This happens because the screen the user is confronted with appears to have been reused from the standard OOBE, which has a skip button, which when used will allow the user to bypass the requirement. On subsequent logons, only a combination of a PIN and password is needed.
- RichardWakeman (Microsoft): Howdy Seamus, for Windows login, we do recommend WHfB paired with FIDO2 for unphishable MFA. We have a great roadmap to extend to derived credentials and a managed Authenticator app. Once you establish the hybrid identity / cloud identity with Azure AD, you can support SSO into legacy authn methods like LDAP, Kerberos, NTLM, etc. via proxies. Our first-party solution includes the Azure App Proxy. Our partners also offer solutions such as F5, Cisco, etc. As for enforcing WHfB using a specific authn method, you may control that with GPOs and with MEM (Intune) with local policies. Many of our customers choose to lay down a STIG for Windows & Office to help with hardening the endpoint as well, so it may be used as a compliant device in Azure AD Conditional Access Policies. Lots to unfold here, but this should steer you in the right direction.
- Smccartin (Copper Contributor): Thank you for pointing me to the STIGs; I've been meaning to take a look in that direction. Currently we are just using the Windows 365 security baseline in Intune. SSO is also on our radar as something we want to implement, which is why we are focusing on ensuring the strong token generated by the Windows login / WHfB is actually generated from a 2FA authentication and not relying on the device's TPM as an authentication factor (we feel that MFA should authenticate the user, not the device). -- We have experimented with the GPO/Intune method. Unfortunately, this does not solve any of the problems I noted. It currently only includes PIN, fingerprints, facial recognition and trusted signals as options in the GPO. Is Microsoft planning on adding the other methods to these options, such as FIDO keys? Ideally it would be useful to split the policy into two groups: one group of providers that count as a single factor and a second group for providers like FIDO/certificate which are inherently 2FA.