Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Speaking in Ciphers and other Enigmatic tongues fresh content update!
Source: Ask the Directory Services Team
Author: Jim Tierney
Publication Date: 4/3/24
Content excerpt:
So, your company purchases this new super awesome vulnerability and compliance management software suite, and they just ran a scan on your Windows Server 2008 domain controllers and lo! The software reports back that you have weak ciphers enabled, highlighted in RED, flashing, with that "you have failed" font, and including a link to the following Microsoft documentation…
Title: NTLM vs Kerberos
Source: Ask the Directory Services Team
Author: Josh Mora
Publication Date: 4/23/24
Content excerpt:
In this post, we will go through the basics of NTLM and Kerberos. We will explain using the three Ws, covering what the main differences between them are, how to identify when a protocol is being used over the other, and why one is safer than the other.
Title: Coming Soon: Transition to WS2012 ESUs enabled by Azure Arc
Source: Azure Arc
Author: Aurnov Chattopadhyay
Publication Date: 4/3/24
Content excerpt:
Announced during last week’s Windows Server Summit 2024, customers will be able to transition to Azure Arc for WS2012 Extended Security Updates enabled by Azure Arc for Year 2 if they had purchased Year 1 of Extended Security Updates for Volume Licensing. This experience will ask customers to supply their Invoice Id, corresponding to WS2012 ESU purchases from Volume Licensing.
With its pay as you go flexibility as an Azure billed service and inclusion of Azure management services like Azure Update Manager and Machine Configuration at no additional cost, WS2012 ESUs enabled by Azure Arc offer financial and experience benefits to customers. This is especially critical to support customers in their journey of migrating and modernizing End of Life infrastructure to Azure.
Title: Public Preview of Azure Arc Site Manager
Source: Azure Arc
Author: Nathan Parikh
Publication Date: 4/22/24
Content excerpt:
This week we are excited to announce the Public Preview of Azure Arc site manager. We designed site manager to meet the needs of customers who manage solutions on the adaptive cloud and want to view and monitor their resources according to their physical locations, such as stores, restaurants, and factories. Within site manager, customers can create Arc sites to represent their on-premises environments and see centralized monitoring information across their edge infrastructure.
Title: Cloud Governance Guidance in Microsoft's Cloud Adoption Framework
Source: Azure Architecture
Author: Stephen Sumner
Publication Date: 4/8/24
Content excerpt:
We are thrilled to announce the latest enhancement to Microsoft's Cloud Adoption Framework for Azure. We comprehensively updated our cloud governance guidance in the Govern section of the Cloud Adoption Framework (CAF). The updated governance guidance represents Microsoft's commitment to supporting your organization's cloud journey, offering a clearer, more accessible, and comprehensive path to effective cloud governance. It encompasses identity, cost, resource, data, and AI governance among other areas of governance categories.
Whether you're a startup looking to scale efficiently or a large enterprise aiming to refine your governance practices, we designed this governance guidance to meet your needs and guide you to where you need to be.
Title: On Demand Capacity Reservation is now available in Azure for US Government
Source: Azure Compute
Author: Megan Pennie
Publication Date: 4/29/24
Content excerpt:
Today, we're announcing the general availability of on demand capacity reservations for Azure Virtual Machines in Azure for US Government Cloud. You can now manage and reserve capacity with guaranteed SLA for VM sizes available on Azure for US Government Cloud.
As part of our ongoing commitment to expanding our global reach and providing On Demand Capacity Reservation benefits to our customers, we have diligently worked hard for months to bring this feature to Azure for US Government Cloud.
Title: Azure billing meters: What you need to know about the upcoming changes
Source: Azure Governance and Management
Author: Vahe Minasyan
Publication Date: 4/8/24
Content excerpt:
This article is to inform you of some important changes that we are making as part of our ongoing efforts to improve your Azure experience and increase pricing transparency. We are making changes to the billing meters that could affect some Azure services and resources that you may use, and we want to make sure you understand what the changes are, why we are doing them, and how they will impact your billing.
These updates will not impact your prices, but you may notice some changes in how your Azure consumption is shown on your invoice, price sheet, API, and other Cost Management tools.
Title: Perform bulk NSG rule rollout across multiple target NSGs
Source: Azure Infrastructure
Author: Sourav Bera
Publication Date: 4/22/24
Content excerpt:
Network Security Groups (NSGs) are a fundamental aspect of Azure networking, providing a layer of security to control traffic flow within virtual networks. However, managing NSG rules across multiple NSGs can be a daunting task, especially when done manually. This article introduces a powerful PowerShell script that allows you to perform bulk NSG rule rollouts across multiple target NSGs, saving you time and ensuring consistency across your network.
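The post above ships its own script; the block below is an added example, not Sourav Bera's code, showing the shape a safe bulk rollout takes with Az.Network: one rule definition, applied idempotently to every NSG that carries an assumed `rule-baseline` tag, with priority collisions detected before anything is written. The rule contents, tag name and value are assumptions.

```powershell
# Added example (not the article's script): push one NSG rule to many NSGs.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
$rule = @{
    Name                     = 'Deny-Inbound-RDP-From-Internet'
    Description              = 'Hypothetical org baseline: no RDP from the public Internet'
    Access                   = 'Deny'
    Protocol                 = 'Tcp'
    Direction                = 'Inbound'
    Priority                 = 150
    SourceAddressPrefix      = 'Internet'
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = '3389'
}

# Target selection by tag keeps the rollout explicit and auditable.
$targets = Get-AzNetworkSecurityGroup |
    Where-Object { $_.Tag -and $_.Tag['rule-baseline'] -eq 'standard' }

foreach ($nsg in $targets) {
    $existing  = $nsg.SecurityRules | Where-Object { $_.Name -eq $rule.Name }
    # Same priority + direction with a different name would fail on write; report instead.
    $collision = $nsg.SecurityRules | Where-Object {
        $_.Priority -eq $rule.Priority -and $_.Direction -eq $rule.Direction -and $_.Name -ne $rule.Name
    }
    if ($collision) {
        Write-Warning "$($nsg.Name): priority $($rule.Priority) already used by '$($collision.Name)'; skipped"
        continue
    }

    if ($existing) {
        # Re-apply so drifted rules are brought back to the baseline.
        $null = Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg @rule
    } else {
        $null = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg @rule
    }

    # Nothing reaches Azure until the NSG object is written back.
    $null = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
    Write-Output "$($nsg.Name): rule '$($rule.Name)' applied"
}
```

Run it once with `Set-AzNetworkSecurityGroup -WhatIf` substituted to see which NSGs would change; an NSG that is skipped for a priority collision needs a human decision, not a forced overwrite.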
Title: Enhancing Azure Connectivity: Sharing PaaS instance across customer tenants on Azure
Source: Azure Infrastructure
Author: Aquib Qureshi
Publication Date: 4/28/24
Content excerpt:
I’ve come across a scenario where one of my customers using Azure SQL DB wanted to share their database with another customer who was also hosted on Azure. They were struggling to establish site-to-site connectivity so that Customer B could access Customer A’s network, enabling them to connect to the Azure SQL DB via the site-to-site tunnel. Though this can be achieved, there are better ways to connect to Azure SQL DB, or any PaaS instance for that matter, with another customer who is using Azure. This can also be used by customers who have multiple Azure AD tenants.
Title: VMware HCX Troubleshooting with Azure VMware Solution
Source: Azure Migration and Modernization
Author: Rene van den Bedem
Publication Date: 4/8/24
Content excerpt:
VMware HCX is one of the Azure VMware Solution components that generates a large number of service requests from our customers. The Azure VMware Solution product group has worked to cover the most common troubleshooting considerations that you should know about when using VMware HCX with the Azure VMware Solution.
Title: Microsoft Azure ExpressRoute Overview Cheat Sheet
Source: Azure Networking
Author: Gene Whitaker
Publication Date: 4/9/24
Content excerpt:
Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft Cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft Cloud services, such as Microsoft Azure and Microsoft 365.
Use this ExpressRoute Overview Cheat Sheet to quickly learn and gain access to the following information:
This cheat sheet is compiled with the most important and common information for learning ExpressRoute.
Title: Network traffic observability with virtual network flow logs
Source: Azure Networking
Author: HarshaCS
Publication Date: 4/24/24
Content excerpt:
Azure Network Watcher provides network monitoring and troubleshooting capabilities to increase observability and actionable insights with out-of-box health metrics & topology visualization, connectivity monitoring, traffic monitoring and diagnostics suite. For on-premises workloads, network administrators rely on NetFlow or IPFIX to address these use cases. Virtual network flow logs are a capability of Network Watcher service to address these scenarios for Azure and hybrid networks and we are excited to announce that virtual network flow logs are now transitioning from public preview to general availability.
Title: Understanding the core concept and routing of vWAN with Example
Source: Azure Networking
Author: Sourav Das
Publication Date: 4/26/24
Content excerpt:
What is virtual WAN? Azure Virtual WAN is a NAAS (networking as a service) to enable simplified global transit networking architecture that brings many networking, security, and routing functionalities together to provide a single operational interface…
Title: New and improved network topology experience in Network Watcher and Azure Monitor Network Insights
Source: Azure Networking
Author: Sagar Gupta
Publication Date: 4/28/24
Content excerpt:
Azure Network Watcher provides network monitoring and troubleshooting capabilities to increase observability and actionable insights. Network Watcher supports four main scenarios: Connectivity Monitoring detects packet loss and latency, built-in health metrics and topology visualization help to locate issues, traffic monitoring tracks network communication patterns, and diagnostics suite enables troubleshooting.
Title: Apply critical update for Azure Stack HCI VMs to maintain Azure verification
Source: Azure Stack
Author: Kimberly Lam
Publication Date: 4/18/24
Content excerpt:
Azure verification for VMs on Azure Stack HCI makes it possible for Azure-exclusive benefits to work outside of the cloud and in on-premises and edge environments. These benefits include Azure Virtual Desktop for Azure Stack HCI, Windows Server Datacenter: Azure Edition, Extended Security Updates (ESUs) for SQL and Windows Server Virtual Machines (VMs) on Azure Stack HCI, and Azure Policy guest configuration. To keep these workloads continuing to function, periodic updates are required to maintain their security and functionality.
Title: Sneak peek at new Azure edge infrastructure at Hannover Messe 2024
Source: Azure Stack
Author: Cosmos Darwin
Publication Date: 4/22/24
Content excerpt:
This week is Hannover Messe 2024, the world’s biggest industrial trade fair. Microsoft is there, including members of the Azure Stack team, showcasing how the Microsoft Cloud enables end-to-end manufacturing solutions that help securely connect people, assets, and business processes, empowering organizations to be more resilient.
Near the center of our booth, you can watch a robotic assembly line put together battery parts. The line features standard OT assets from our partner Rockwell Automation and shows how an adaptive cloud approach together with open standards like OPC UA can accelerate industrial transformation. Azure IoT Operations enabled by Azure Arc flows data from the production line into Microsoft Fabric, enabling real-time monitoring and analysis in the cloud.
And if you look closer, you may spot an exciting new infrastructure solution hosting it all…
Title: Azure Virtual Desktop for Azure Stack HCI now has autoscale
Source: Azure Virtual Desktop
Author: Jessie Duan
Publication Date: 4/11/24
Content excerpt:
In February 2024, we announced the general availability of Azure Virtual Desktop for Azure Stack HCI, which extends the capabilities of the Microsoft Cloud to your datacenters and edge locations. Today, we’re happy to announce that autoscale support on Azure Virtual Desktop for Azure Stack HCI is now in public preview. With the Azure Virtual Desktop autoscale feature, organizations running virtualized desktops and apps on-premises, at the edge or in their datacenter, can optimize costs by turning off idle Azure Virtual Desktop session hosts running on Azure Stack HCI.
Title: Get Azure Reservations and Savings Plans Insights with the Azure Optimization Engine
Source: Core Infrastructure and Security
Author: Helder Pinto
Publication Date: 4/1/24
Content excerpt:
Azure Reservations and Savings Plans commitments have been adopted by many customers with a predictable and steady Azure consumption to achieve considerable savings over on-demand prices. Depending on your on-demand Azure Compute consumption patterns, you may choose one over the other, or even have both working in tandem…
Title: ConfigMgr: Avoiding Remote Management Point Pitfalls
Source: Core Infrastructure and Security
Author: Pavel Yurenev
Publication Date: 4/4/24
Content excerpt:
I’m Pavel Yurenev, a Support Escalation Engineer specializing in Microsoft Configuration Manager at Microsoft Customer Service & Support (CSS). As Reactive Support, we assist customers with issues arising from Microsoft software products. Unfortunately, some supported product configurations are poorly supportable.
Today, I want to discuss certain design features of Configuration Manager Management Points (MPs) and provide guidance for architects and administrators.
Title: Proxies, proxies everywhere but still no Internet. Overview of the Windows Proxies
Source: Core Infrastructure and Security
Author: Will Aftring
Publication Date: 4/8/24
Content excerpt:
Howdy everyone, a quick tangent from our regularly scheduled Introduction to Network Trace Analysis series to talk about the Windows Proxy ecosystem. A Windows Proxy configuration can be a little tricky, so I wanted to add clarity for configuration methods. Scoping things a bit here I will also only be referring to 64-bit applications.
But first, let’s explain what I mean when I say proxy…
Title: Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos
Source: Core Infrastructure and Security
Author: Jerry Devore
Publication Date: 4/15/24
Content excerpt:
Hi everyone, Jerry Devore here again with another installment in my series on Active Directory hardening. This time I want to revisit a topic I previously wrote about in September of 2020 which is enforcing AES for Kerberos. Since I wrote that blog post a few new tips have come my way. Before we dive in here is a quick re-cap of what was previously discussed…
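As an added example (not from Jerry Devore's post), the block below decodes the `msDS-SupportedEncryptionTypes` bitmask the series is about and lists the accounts that still permit RC4 or DES. The flag values are the documented Kerberos encryption-type bits; the offline loop over constructed values shows the decoding before the live ActiveDirectory query runs.

```powershell
# Added example: audit Kerberos encryption types in AD. Requires the ActiveDirectory module
# for the live query; the decoding functions run anywhere.
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC'     = 0x01
    'DES-CBC-MD5'     = 0x02
    'RC4-HMAC'        = 0x04
    'AES128-CTS-HMAC' = 0x08
    'AES256-CTS-HMAC' = 0x10
    'AES256-CTS-SK'   = 0x20   # AES session-key flag, not a ticket etype by itself
}
$LegacyMask = 0x07   # any DES or RC4 bit
$AesMask    = 0x18   # AES128 or AES256

function ConvertFrom-EncTypeMask {
    param([object]$Mask)   # [object] so a missing attribute arrives as $null, not 0
    if ($null -eq $Mask -or [int]$Mask -eq 0) {
        # Unset means the DC default applies, which still includes RC4 unless
        # DefaultDomainSupportedEncTypes has been changed on the DCs.
        return 'NOT SET (DC default, RC4 allowed)'
    }
    ($EncTypeFlags.GetEnumerator() | Where-Object { ([int]$Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name }) -join ','
}

function Test-AesOnly {
    param([object]$Mask)
    if ($null -eq $Mask) { return $false }
    return (([int]$Mask -band $AesMask) -ne 0) -and (([int]$Mask -band $LegacyMask) -eq 0)
}

# Constructed values: 0x04 = RC4 only, 0x1C = the common RC4+AES computer default, 0x18 = AES only.
foreach ($m in @($null, 0x04, 0x1C, 0x18)) {
    $label = if ($null -eq $m) { 'null' } else { '0x{0:X2}' -f $m }
    '{0,-6} {1,-42} AesOnly={2}' -f $label, (ConvertFrom-EncTypeMask $m), (Test-AesOnly $m)
}

# Live audit: computers plus SPN-bearing user accounts (service accounts) that are not AES-only.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(|(objectClass=computer)(&(objectClass=user)(servicePrincipalName=*)))' `
             -Properties 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, ObjectClass,
        @{ n = 'EncTypes'; e = { ConvertFrom-EncTypeMask $_.'msDS-SupportedEncryptionTypes' } },
        @{ n = 'AesOnly';  e = { Test-AesOnly $_.'msDS-SupportedEncryptionTypes' } } |
    Where-Object { -not $_.AesOnly } |
    Format-Table -AutoSize
```

Two caveats before acting on the output: setting the attribute to 0x18 does not create AES keys, so an account whose password predates AES support needs a password change (and the krbtgt account its own reset) before RC4 can be removed without breaking it, and trust objects carry the same attribute and are often the last thing still on RC4.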
Title: Controlling AKS egress using an HTTP Proxy
Source: Core Infrastructure and Security
Author: Houssem Dellai
Publication Date: 4/22/24
Content excerpt:
Azure Kubernetes Service (AKS) clusters, whether deployed into a managed or custom virtual network, have certain outbound dependencies necessary to function properly. Previously, in environments requiring internet access to be routed through HTTP proxies, this was a problem. Nodes had no way of bootstrapping the configuration, environment variables, and certificates necessary to access internet services.
This feature adds HTTP proxy support to AKS clusters, exposing a straightforward interface that cluster operators can use to secure AKS-required network traffic in proxy-dependent environments.
Both AKS nodes and Pods will be configured to use the HTTP proxy. Here is an architecture diagram showing the different components.
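The configuration the post describes is passed to AKS as a JSON file. The block below is an added example (not the author's code) that builds that file and creates the cluster with it; the proxy hostname, CA path and resource names are assumptions.

```powershell
# Added example: AKS HTTP proxy configuration. Assumes Azure CLI with the aks commands
# and a PEM CA certificate for a TLS-inspecting corporate proxy.
$proxyConfig = [ordered]@{
    httpProxy  = 'http://proxy.corp.example:3128'
    httpsProxy = 'http://proxy.corp.example:3128'
    # Destinations that must bypass the proxy: loopback, IMDS, and in-VNet / cluster ranges.
    # AKS appends the entries it requires for its own control-plane traffic.
    noProxy    = @('localhost', '127.0.0.1', '169.254.169.254',
                   '10.0.0.0/8', '172.16.0.0/12', '.svc', '.cluster.local')
    # Base64 of the proxy CA so nodes and pods trust certificates the proxy re-signs.
    trustedCa  = [Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\certs\corp-proxy-ca.pem'))
}
$proxyConfig | ConvertTo-Json | Set-Content -Path .\httpProxyConfig.json -Encoding ascii

# Create the cluster with the proxy settings applied to nodes and pods.
az aks create --resource-group rg-aks --name aks-proxied `
    --http-proxy-config .\httpProxyConfig.json

# Later changes (new proxy host, rotated CA) are applied the same way on an existing cluster.
az aks update --resource-group rg-aks --name aks-proxied `
    --http-proxy-config .\httpProxyConfig.json
```

The noProxy list is the part to get right: anything missing from it is sent to the proxy, so an omitted cluster or service CIDR shows up as pod-to-pod or pod-to-service traffic failing rather than as a clear proxy error.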
Title: Building Your Own Copilot for Credit Card Selection
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: 4/28/24
Content excerpt:
Have you ever found yourself lost in the maze of credit card options, navigating through countless comparison websites, unsure of the accuracy and timeliness of their information? I certainly have. Recently, I embarked on a quest to find the perfect credit card, one that rewards my spending habits with frequent flyer points. However, relying solely on popular comparison platforms left me questioning the reliability of their data, often overshadowed by biased advertisements.
But then, a beacon of hope emerged: the realization that all bank product information is accessible through a common API. With this revelation, I set out to craft my own solution – a personalized Copilot to guide me through the sea of credit card offerings.
Title: Cost allocation is imperative for cloud resource optimization
Source: FinOps
Author: Antonio Ortoll
Publication Date: 4/15/24
Content excerpt:
Like most enterprises, you are probably managing your Azure resources and services centrally and need a way to distribute and “showback” or reallocate the cost of services back to the organizational units that use those services.
Sharing cloud services provides greater flexibility and scalability when they can be dynamically allocated. But as your cloud adoption grows, the quantity of billing and usage data and the speed at which it is delivered can make allocation and reporting a challenge without a strategy and a system to efficiently assign the costs of cloud resources to their specific users.
Title: 7 steps for a successful Azure migration
Source: ITOps Talk
Author: Sonia Cuff
Publication Date: 4/9/24
Content excerpt:
Migrating an on-premises environment to Azure requires preparation, planning, and time. Join Microsoft MVP Gregor Reimling and learn seven key steps for a successful Azure migration.
In this video, you will learn…
Title: Wired for Hybrid - What's New in Azure Networking - April 2024 edition
Source: ITOps Talk
Author: Pierre Roman
Publication Date: 4/22/24
Content excerpt:
Azure Networking is the foundation of your infrastructure in Azure. Each month we bring you an update on What’s new in Azure Networking.
In this blog post, we’ll cover what's new with Azure Networking in April 2024. In this blog post, we will cover the following announcements and how they can help you.
Title: Dual-Region Azure VMware Solution design with Global Reach, using Secure Virtual WAN
Source: ITOps Talk
Author: Jason Medina
Publication Date: 4/24/24
Content excerpt:
This article describes the best practices for connectivity, traffic flows, and high availability of dual-region Azure VMware Solution when using Azure Secure Virtual WAN with Routing Intent and Global Reach. This article breaks down Virtual WAN with Routing Intent topology from the perspective of Azure VMware Solution private clouds, on-premises sites, and Azure native. The implementation and configuration of Secure Virtual WAN with Routing Intent are beyond the scope and are not discussed in this document.
Title: Important update: Deprecation of Azure AD PowerShell and MSOnline PowerShell modules
Source: Microsoft Entra (Azure AD)
Author: Kristopher Bash
Publication Date: 4/1/24
Content excerpt:
In 2021, we described our plans to invest in Microsoft Graph PowerShell SDK as the PowerShell provider for Microsoft Entra and transition away from Azure AD and MSOnline PowerShell modules. In 2023, we announced that the deprecation of Azure AD and MSOnline PowerShell modules would occur on March 30, 2024. We’ve since made substantial progress closing remaining parity gaps in Microsoft Graph PowerShell SDK, and as of March 30, 2024, these PowerShell modules are now deprecated:
You should migrate your scripts to Microsoft Graph PowerShell SDK as soon as possible. Information about the retirement of these modules can be found below.
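The post asks readers to migrate scripts; the block below is an added example (not from the Entra post) showing two common admin checks as they were written against the deprecated modules and as they look against Microsoft Graph PowerShell SDK. Tenant contents are whatever the connected tenant holds; nothing else is assumed.

```powershell
# Added example: MSOnline/AzureAD to Microsoft Graph PowerShell SDK, side by side.

# --- Before: MSOnline / AzureAD (deprecated 30 March 2024) ---
# Connect-MsolService
# Get-MsolUser -All | Where-Object { $_.IsLicensed -and $_.BlockCredential }
# Connect-AzureAD
# $ga = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
# Get-AzureADDirectoryRoleMember -ObjectId $ga.ObjectId | Select-Object UserPrincipalName

# --- After: Microsoft Graph PowerShell SDK ---
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Request only the delegated scopes these two reads need.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

# Licensed but sign-in-blocked users. Graph returns a small default property set,
# so AccountEnabled and AssignedLicenses have to be requested explicitly.
Get-MgUser -All -Filter 'accountEnabled eq false' `
           -Property UserPrincipalName, AccountEnabled, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 } |
    Select-Object UserPrincipalName

# Global Administrator members, located by the role's well-known template ID
# rather than a display name (the MSOnline name was 'Company Administrator').
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

Disconnect-MgGraph
```

The two behaviours that break ported scripts most often are the default property set (fields that `Get-MsolUser` always returned come back empty unless named in `-Property`) and paging (`-All` is needed to get past the first page).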
Title: What's new in Microsoft Entra
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: 4/1/24
Content excerpt:
With the ever-increasing sophistication of cyber-attacks, the increasing use of cloud-based services, and the proliferation of mobile devices, it’s essential that organizations secure access for both human and non-human identities to all on-premises and cloud resources, while working continuously to improve their security posture.
Today, we’re sharing feature release information for January – March 2024, and first quarter change announcements. We also communicate these via release notes, email, and the Microsoft Entra admin center.
Title: Introducing new and upcoming Entra Recommendations to enhance security and productivity
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: 4/2/24
Content excerpt:
Managing the myriad settings and resources within your tenant can be daunting. In an era of escalating security risks and an unprecedented global threat landscape, organizations seek trusted guidance to enhance their security posture. That’s why we introduced Microsoft Entra Recommendations to diligently monitor your tenant’s status, ensuring it remains secure and healthy. Moreover, they empower you to extract maximum value from the features offered by Microsoft Entra ID. Since the launch of Microsoft Entra recommendations, thousands of customers have adopted these recommendations and resolved millions of resources.
Title: Introducing "What's New" in Microsoft Entra
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: 4/15/24
Content excerpt:
Today, I’m thrilled to announce the public preview of What’s New in Microsoft Entra. This new hub in the Microsoft Entra admin center offers you a centralized view of our roadmap and change announcements across the Microsoft Entra identity and network access portfolio. In this article, I’ll show you how admins can get the most from what’s new to stay informed about Entra product updates and actionable insights.
Title: Enforce least privilege for Entra ID company branding with the new organizational branding role
Source: Microsoft Entra (Azure AD)
Author: James Mantu
Publication Date: 4/18/24
Content excerpt:
I’m pleased to announce General Availability (GA) of the organizational branding role for Microsoft Entra ID company branding.
This new role is part of our ongoing efforts to implement Zero Trust network access by enforcing the principle of least privilege for users when customizing their authentication user experience (UX) via Entra ID company branding.
Previously, users wanting to configure Entra ID company branding required the Global Admin role. This role, though, has sweeping privileges beyond what’s necessary for configuring Entra ID company branding.
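Putting the least-privilege point into practice means assigning the new role instead of Global Administrator. The block below is an added example (not from James Mantu's post) that does this with Microsoft Graph PowerShell SDK; the user principal name is an assumption, and the role is looked up by display name so no template ID is hard-coded.

```powershell
# Added example: grant Organizational Branding Administrator to one account and verify.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

$upn = 'branding.admin@contoso.example'   # hypothetical account
$principal = Get-MgUser -UserId $upn

$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Organizational Branding Administrator'"
if (-not $roleDef) { throw 'Role definition not found in this tenant.' }

# Branding is a tenant-wide setting, so the only sensible scope is the directory root.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $principal.Id -DirectoryScopeId '/'

# Verify who holds the role now.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" `
    -ExpandProperty principal |
    ForEach-Object { $_.Principal.AdditionalProperties['userPrincipalName'] }

Disconnect-MgGraph
```

Once the branding owners hold this role, the Global Administrator assignments they previously needed can be removed; if Privileged Identity Management is in use, make the new assignment eligible rather than active.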
Title: Onboard to Azure Arc with Security in Mind
Source: Security, Compliance, and Identity
Author: Simone Oor
Publication Date: 4/17/24
Content excerpt:
Azure Arc allows certain on-premises resources, typically servers, to be managed from Azure, depending on the configuration mode selected and currently available features.
While this allows for a more integrated approach to hybrid environments, it also further blurs the administrative boundary between on-premises and cloud.
This increases the risk that a vulnerability on either side lowers the level of security across the entire plane. This article contains tips for managing this risk and approaching Arc Onboarding with security in mind.
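The risk the post describes is managed from both ends: the identity that onboards servers, and the agent's own attack surface once connected. The block below is an added example (not Simone Oor's guidance) showing one way to do both. Subscription, tenant, location, resource group and the extension kept on the allowlist are assumptions.

```powershell
# Added example: scoped onboarding identity plus Connected Machine agent lockdown.
# Part 1 runs where Az.Resources is installed; part 2 runs elevated on the server.

# --- 1. Azure side: onboarding identity with only the onboarding role, RG-scoped ---
$sub = '00000000-0000-0000-0000-000000000000'   # hypothetical subscription ID
$rg  = 'rg-arc-servers'
$sp  = New-AzADServicePrincipal -DisplayName 'sp-arc-onboarding'
New-AzRoleAssignment -ApplicationId $sp.AppId `
    -RoleDefinitionName 'Azure Connected Machine Onboarding' `
    -Scope "/subscriptions/$sub/resourceGroups/$rg"
$secret = $sp.PasswordCredentials.SecretText   # handle as a credential; do not log it

# --- 2. Server side: connect, then restrict what Azure can do through the agent ---
$azcmagent = "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe"
& $azcmagent connect --resource-group $rg --subscription-id $sub --tenant-id '<tenant-id>' `
    --location 'westeurope' --service-principal-id $sp.AppId --service-principal-secret $secret

# Only extensions you actually use may be installed from Azure (publisher/type).
& $azcmagent config set extensions.allowlist 'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent'
# No inbound connections through Arc (SSH/RDP via Arc, remote sessions) unless you rely on them.
& $azcmagent config set incomingconnections.enabled false
# Machine Configuration engine off if no guest policies are assigned to this machine.
& $azcmagent config set guestconfiguration.enabled false

# Review the effective local settings.
& $azcmagent config list
```

These `azcmagent config` settings are local to the server and can be changed by any local administrator, so they complement, rather than replace, tight RBAC on the Arc resource in Azure: whoever can run an extension on the Arc-enabled server is a local administrator on it.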
Previous CTO! Guides:
Additional resources: