Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Common Network Device Enrollment Service (NDES) configuration wizard failures
Source: Ask the Directory Services Team
Author: Rob Greene
Publication Date: 7/19/2023
Content excerpt:
We see cases around Network Device Enrollment Service (NDES) failing to successfully complete.
Please keep in mind that you can get these error messages outside of NDES installation, however we are not going to be covering those errors within this blog. This blog is going to concentrate on the assumption that everything is working fine in general with regards to issuing certificates within the environment, but the NDES configuration wizard is failing.
Title: SSH for Azure Arc is now generally available!
Source: Azure Arc
Author: Danny Maertens
Publication Date: 7/18/2023
Content excerpt:
We are excited to share the general availability of SSH for Azure Arc which was released earlier this month. Remote management, and SSH specifically, is a critical tool for programmatic and interactive server administration. SSH for Azure Arc enables you to securely connect to any of your Azure Arc-enabled servers via SSH, without the need for a public IP address or additional inbound ports. This allows you to SSH into your Azure Arc-enabled servers via an Azure CLI or Azure PowerShell command.
Title: Building a Private ChatGPT Interface With Azure OpenAI
Source: Azure Architecture
Author: Shane Baldacchino
Publication Date: July 9, 2023
Content excerpt:
Chat GPT is amazing on so many levels, and it's free. But you know what they say. If something is free, then you are the product!
As part of OpenAI's T&C, your prompts (the questions you ask) will be used to further train OpenAI's LLM (Large Language Model). Are you okay with this valuable stream of data exiting your organisation? If you are reading this and are responsible for your organisaions security posture, how are you ensuring private IP is not being leaked out of your company...
Title: Azure Optimization Mindset - Drive Business Value with Optimization
Source: Azure Architecture
Author: Ariya Khamvongsa; Tanuja S
Publication Date: July 20, 2023
Content excerpt:
As part of digital transformation, an enterprise needs to align both business and technology investments in Azure Cloud services. It’s not just about saving money but to make strategic investments that drive the best return on investment. In the last 4 years, Tanuja has worked with many large organizations and observed common theme of concerns, such as "Cloud is expensive", "I am always over the budget", "I don't have an insight into the cloud spend". The concerns are mostly based on...
Title: Azure OpenAI Landing Zone reference architecture
Source: Azure Architecture
Author: Freddy Ayala
Publication Date: July 24, 2023
Content excerpt:
Azure Landing Zones provide a solid foundation for your cloud environment. When deploying complex AI services such as Azure OpenAI, using a Landing Zone approach helps you manage your resources in a structured, consistent manner, ensuring governance, compliance, and security are properly maintained.
In this article, we delve into the synergy of Azure Landing Zones and Azure OpenAI Service, building a secure and scalable AI environment. unpacking the Azure OpenAI Landing Zone architecture, which integrates numerous Azure services for optimal AI workloads. Furthermore we will also explore security measures and the significance of monitoring for operational success.
Title: ARM Deployment Stacks now Public Preview!
Source: Azure Governance and Management
Author: Angel Perez
Publication Date: July 20, 2023
Content excerpt:
TL; DR – Deployment Stacks is a new resource type for managing a collection of Azure resources as a single unit for faster update and delete (cleanup), as well as more granular capabilities for preventing unwanted changes to resources.
Title: Windows Server end-of-support (EOS): Upgrade seamlessly with Azure Migrate (Public preview)
Source: Azure Migration and Modernization
Author: Anurag Mehrotra
Publication Date: July 17, 2023
Content excerpt:
As Windows Server 2012 and Windows Server 2012 R2 approach their end of support, upgrading these legacy servers becomes a top priority for all IT admins. However, OS upgrade is often seen as risky and complex, involving compatibility issues, multiple stakeholder collaboration and comprehensive application testing. These challenges often lead to delays in OS upgrades, exposing organizations to security risks, limited access to new features, and compatibility problems for new applications impacting productivity.
Title: Announcing Azure Migrate and Modernize & Azure Innovate - offerings to accelerate your cloud journey
Source: Azure Migration and Modernization
Author: Cyril Belikoff
Publication Date: July 18, 2023
Content excerpt:
Cloud adoption has been crucial to the transformation of businesses of all sizes and industries over the past several years and continues to be a key pillar in business strategy. By adopting the cloud, customers unlock many benefits including scalability, cost savings, and flexibility. The recent advancements of AI offer organizations a further opportunity to innovate in new ways such as creating intelligent products and services, predictive & advanced data analytics, improving customer experience, and more.
Title: Azure cross-region Load Balancer is now generally available
Source: Azure Networking
Author: Mahip Deora
Publication Date: July 10, 2023
Content excerpt:
Today, we are so excited to announce the general availability of Azure cross-region Load Balancer in all Azure public and national cloud regions. Since the preview, this product has been used by so many of you, our customers, whose valuable feedback has helped further improve the product. Our Global tier of Azure Load Balancer is ready for you to use in your production workloads. It is backed by the same 99.99% availability SLA.
Title: Exploring Azure Firewall's Threat Protection
Source: Azure Network Security
Author: Eliran Azulai
Publication Date: July 10, 2023
Content excerpt:
In this blog post, I will discuss the various threat protection capabilities that customers are leveraging to safeguard their workload deployments in Azure using Azure Firewall. Azure Firewall is a cloud-native firewall-as-a-service solution that empowers customers to centrally govern and log all their traffic flows using a DevOps approach. This service offers both application and network-level filtering rules, and it seamlessly integrates with the Microsoft Threat Intelligence feed to filter known malicious IP addresses and domains. Moreover, Azure Firewall boasts high availability and comes equipped with built-in auto scaling.
Title: Protect Azure workloads with VM level consistency using Agentless Crash-Consistent Restore Points!
Source: Azure Storage
Author: Aarthi Vijayaraghavan
Publication Date: July 18, 2023
Content excerpt:
Today we are happy to announce public preview support for multi disk crash consistency mode in Virtual Machine (VM) restore points. A crash consistent VM restore point is an agentless solution that stores the VM configuration and point-in-time write-order consistent snapshots for all managed disks attached to a VM. This is same as the status of data in the VM after a power outage or a crash.
Title: Announcing General Availability of Confidential VMs in Azure Virtual Desktop
Source: Azure Virtual Desktop
Author: Derek Su
Publication Date: July 11, 2023
Content excerpt:
Today we are announcing the General Availability of several confidential VM and Trusted Launch security features via AVD Host Pool Provisioning...
Title: Announcing the General Availability of Private Link for Azure Virtual Desktop
Source: Azure Virtual Desktop
Author: Ron Coleman
Publication Date: July 14, 2023
Content excerpt:
We are excited to announce that Private Link for Azure Virtual Desktop is now generally available! With this feature, users can securely access their session hosts and workspaces using a private endpoint within their virtual network. Private Link enhances the security of your data by ensuring it stays within a trusted and secure private network environment.
Title: Announcing Public Preview of Personal Desktop Autoscale on Azure Virtual Desktop
Source: Azure Virtual Desktop
Author: Jessie Duan
Publication Date: July 18, 2023
Content excerpt:
Personal Desktop Autoscale is Azure Virtual Desktop’s native scaling solution that automatically starts session host virtual machines according to schedule or using Start VM on Connect and then deallocates session host virtual machines based on the user session state (log off/disconnect). With Personal Desktop Autoscale, you can save costs by shutting down idle session hosts while ensuring session hosts can be started by users when needed.
Title: Azure Virtual Desktop Watermarking Support
Source: Azure Virtual Desktop
Author: Ryan Clark
Publication Date: July 31, 2023
Content excerpt:
We are announcing the general availability for Watermarking support on Azure Virtual Desktop, an optional protection feature to Screen Capture that acts as a deterrent for data leakage. This watermarking capability was first introduced in Feb 2023 via Public Preview Windows Desktop clients. With General Availability, we’re introducing support for Azure Virtual Desktop web client. Available by downloading and adding administrative templates for Azure Virtual Desktop.
Title: Immutable Blobs Inside Azure Storage (WORM)
Source: Core Infrastructure and Security
Author: Khushbu Gandhi
Publication Date: July 3, 2023
Content excerpt:
The Immutable Storage for Azure Blobs feature, with the Policy Lock option, is designed to meet securities industry requirements for preserving records in a non-rewriteable and non-erasable format. In simple terms, Azure Storage is supporting WORM by default, allowing us to have data stored inside Azure Blobs that is immutable as long as we want. Even the Administrator of the Storage Account is not allowed to delete or modify the content if the WORM is active.
Title: May 2023 Cumulative Update Explained
Source: Core Infrastructure and Security
Author: Helmut Wagensonner
Publication Date: July 4, 2023
Content excerpt:
Mitigating the Secure Boot UEFI bootkit using the May 2023 cumulative update still causes misunderstandings at some of my customers. So I wrote this short article to give you an overview and illustrate how this update works, especially regarding the elemination of the BlackLotus bootkit, covered in CVE-2023-24932. A very detailed description can be found in the official KB article: KB5025885 support page.
Title: Azure Policy Exemption Validation
Source: Core Infrastructure and Security
Author: Paul Harrison
Publication Date: July 10, 2023
Content excerpt:
Q: I’m working on Azure Policy for a large environment, how do I do some basic validation that I didn’t make common mistakes?
A: There are a few ways I’ve validated my environment using PowerShell that I’ll walk through here.
Title: Azure Monitor: How To Use Managed Identity with Log Ingestion API
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: July 13, 2023
Content excerpt:
In one of my recent post, Azure Monitor: Logs Ingestion API Tips & Tricks, I discussed some Tips and Tricks to better deal with the new Logs Ingestion API.
In this new one, I would like to share an example of how to use Managed Identities as authentication method for custom log ingestion, focusing only on the System Assigned Managed Identities. The Tutorial: Send data to Azure Monitor Logs with Logs ingestion API (Azure portal) documentation includes good samples for sending data that use Azure AD application but nothing that uses the managed identity.
Title: Azure Role Assignment Hygiene
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: July 16, 2023
Content excerpt:
Hello, Azure enthusiasts! I'm back again with another insightful blog post. My name is Felipe Binotto, Cloud Solution Architect, based in Australia.
Today, we're going to delve into a topic that is often overlooked but is critical to the smooth operation of your Azure environment - Azure Role Assignment Hygiene.
Title: Customer Offerings: Continuous Collaboration for DevOps in Teams
Source: Core Infrastructure and Security
Author: Werner Rall
Publication Date: July 20, 2023
Content excerpt:
Developers who use Microsoft Teams for daily collaboration are more likely to build for Teams platform. Conversely, if developers do not enjoy using Teams, they will be less likely to want to build integrations that would result in more time being spent in Teams. Thus, winning developers over as end users is crucial to winning them as platform builders."
The "Continuous Collaboration for DevOps in Teams," provides developers, product owners, and any other team member involved in DevOps with the necessary experience to collaborate effectively using Microsoft Teams for software development.
Through a series of seven scenarios representing common job-to-be-done activities, participants will learn and apply best practices for teamwork and collaboration as a DevOps team.
Title: Azure Monitor: Gain Observability On Your DHCP Server
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: July 24, 2023
Content excerpt:
It is common that customers need to expand the observability over the entire IT infrastructure (see Azure Monitor: Expanding the Out-of-the-Box Observability for your IT Infrastructure). This includes one of the requests I got to gain observability over DHCP servers. More in details, a customer of mine wanted to have a sort of dashboard to show DHCP events with the ability to do an easy search.
After 5 minutes of brainstorming I got the solution in mind: I needed to ingest DHCP logs into Azure Monitor, storing them in a Log Analytics workspace and visualize the data through Azure Workbooks. Looks complicated? It is not, but let us go step by step...
Title: Q: My laptop stops charging sometimes, what do I do?
Source: Core Infrastructure and Security
Author: Paul Harrison
Publication Date: July 27, 2023
Content excerpt:
Old computers often work fine but they develop trouble charging. I had my laptop in a docking station today as it has been all week, but it ran out of power and turned off in the middle of a meeting. I immediately scrambled for my personal smart phone and got back into the meeting. My personal cell phone was already connected through Intune to my company and had Teams already installed and configured so it was quick and easy to recover, but hard to present what had just been lost on my laptop...
Title: Deploying Microsoft Defender for Servers in Network-Restricted Environments
Source: Core Infrastructure and Security
Author: Helder Pinto
Publication Date: July 31, 2023
Content excerpt:
Microsoft Defender for Servers (part of the Microsoft Defender for Cloud security suite), being a comprehensive solution for server protection across multi-cloud and hybrid environments, requires the deployment of several agents to achieve its multiple protection capabilities. As many of our customers run their Windows/Linux server environments without direct Internet outbound connectivity, there is the need for guidance on how to successfully deploy Defender for Servers with such restrictions. This article aims thus to bring additional clarity by summarizing all the considerations that must be taken when deploying each Defender for Servers component in network-restricted environments.
Title: How to identify a stopped service in a Windows VM using Log Analytics Workspace
Source: FastTrack for Azure
Author: Aarthi Sukumar
Publication Date: July 5, 2023
Content excerpt:
If you are a Windows user and love playing around with Windows VM on Azure, and if you would like to monitor whether a Windows service is stopped or in a running state using Log Analytics query, here is a post for you.
In order to first monitor a Windows service running on a Windows VM from Azure Portal, from the VM page, Azure Portal gives you one option, the Windows Admin Center, that you can use and leverage, without having to log onto the Azure VM running Windows every time using RDP.
Title: How to configure the RDP connection for Azure VMs via Azure Bastion
Source: ITOps Talk
Author: Vinicius Apolinario
Publication Date: July 27, 2023
Content excerpt:
When connecting to Azure VMs, there are a few ways you can establishing the connection. If using Windows VMs, most likely, you are connecting through Remote Desktop Protocol (RDP) session, so you can open a remote GUI session. However, opening the RDP port (3389) to the internet is not a secure best practice. Instead, many companies are now restricting how their users access VMs on Azure to limit it to Azure Bastion. Azure Bastion operates as a broker to VMs in a specific Azure Virtual Network, allowing secure traffic only (443 port).
When using Azure Bastion, you can either see the GUI of the VM in the browser window or use the native RDP client – and that’s when I started to notice that I could not edit some regular configs that I usually do when connecting to a remote VM.
Title: Azure AD is Becoming Microsoft Entra ID
Source: Microsoft Entra (Azure AD)
Author: Irina Nechaeva
Publication Date: July 11, 2023
Content excerpt:
Today we announced significant milestones for identity and network access, including the news that Microsoft Azure Active Directory (Azure AD) is becoming Microsoft Entra ID.
As part of our ongoing commitment to simplify secure access experiences for everyone, the rebranding of Azure AD to Microsoft Entra ID is designed to make it easier for you to use and navigate the unified and expanded Microsoft Entra portfolio...
Title: Introducing Restricted Management Administrative Units in Microsoft Entra ID
Source: Microsoft Entra (Azure AD)
Author: Stuart Kwan
Publication Date: July 12, 2023
Content excerpt:
We’re excited to share the public preview of restricted management administrative units, a new role-based access control (RBAC) feature in Microsoft Entra ID.
Title: Microsoft Entra ID Governance Introduces Two New Features in Access Reviews
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: July 17, 2023
Content excerpt:
As announced on June 7, 2023, Microsoft Entra ID Governance is now generally available, and with it a set of new capabilities to empower businesses in their pursuit of streamlined access management. This includes machine learning (ML) powered access review recommendations and user inactivity access review scoping. These additions leverage advanced technologies to enhance access reviews, granting reviewers intelligent recommendations and simplifying security management by regularly reviewing and removing inactive accounts.
Title: Microsoft Entra ID Governance Entitlement Management New Generally Available Capabilities
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: July 18, 2023
Content excerpt:
With Microsoft Entra ID Governance, you can effectively manage your organization’s security and identity governance needs and boost employee productivity by implementing appropriate processes and enhancing visibility. The Microsoft Entra platform empowers you with the ability to guarantee that the right people have the right access to the right resources.
We’re excited to announce the general availability of a set of capabilities in Entitlement Management available through Microsoft Entra ID Governance to help you strengthen your identity governance posture.
Title: New Microsoft Entra ID Governance Dashboard Experience Rolling Out Soon
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: July 19. 2023
Content excerpt:
As announced on June 7, 2023, Microsoft Entra ID Governance is now generally available, and with it a set of new capabilities to empower businesses in their pursuit of streamlined access management. If you’re running your organization’s program, your primary job responsibility is linked to the business goal of ensuring that the right people have access to the right resources for the right amount of time. If you’re running your organization’s program, then identity governance – the ability to know who has access to what, when, and why – is foundational to Zero Trust. Regardless of the business objective driving your identity governance and administration (IGA) initiative, you shared with us the importance of implementing and monitoring IGA rollout in a way that demonstrates the effectiveness of IGA controls to your business stakeholders. We heard you!
Title: Enhanced Company Branding for Sign-in Experiences Now Generally Available
Source: Microsoft Entra (Azure AD)
Author: Levent Besik
Publication Date: July 25, 2023
Content excerpt:
I’m pleased to announce the general availability of the enhanced company branding functionality that allows for customization of the Microsoft Entra ID and Microsoft 365 sign-in experience with less effort.
The experience controls apply to sign-in for users in the directory and for external users, including use cases for B2B, B2E, Customer Identity and Access Management (CIAM) and first-party applications running on Entra ID. With enhanced company branding, you’ll be able to create a custom look and feel for the default sign in pages, as well as pages targeting specific browser languages. In addition, you can now customize self-service password reset (SSPR), footer hyperlinks, and browser icon, style sign-in experiences using cascading style sheets (CSS) and enable header and footer using one of the pre-defined templates.
Title: Public Preview: Strictly Enforce Location Policies with Continuous Access Evaluation
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: July 28, 2023
Content excerpt:
Previously, in the event of an access token theft, attackers could take advantage of the refresh interval to replay the token, regardless of whether it fell outside the location range permitted by a conditional access policy. With our ability to strictly enforce location policies and CAE, CAE enabled applications like Exchange Online, SharePoint, Teams, and Microsoft Graph can now revoke tokens in near real-time in response to network change events noticed by the app – preventing stolen tokens from being replayed outside the trusted network.
Title: What’s new with Microsoft Entra ID Protection
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: July 31, 2023
Content excerpt:
Microsoft Entra ID Protection (recently renamed from Azure AD Identity Protection) helps stop attacks before they happen. ID Protection blocks identity takeovers in real-time and automates attack mitigation by providing advanced machine learning (ML)-based detections, risk-based access policies, and comprehensive risk reports and insights. To protect customers with our latest innovations, we’re excited to announce key enhancements to Microsoft Entra ID Protection: a brand-new dashboard to provide key insights, new detections to block existing attacks, a new mechanism for Microsoft to rapidly protect users from emerging threats, and the integration with Microsoft 365 Defender. Read below to learn more about these exciting new features.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)