Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, leading you to content of interest, and are one more way we are trying to help our readers, whether that means learning, troubleshooting, or just finding new content sources. We give you a taste of the blog content itself, provide a way to get to the source content directly, and introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, you will find this series very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: So, you think you’re ready for enforcing AES for Kerberos?
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: 6/27/2023
Content excerpt:
We have many customers asking questions about how to track down the usage of RC4 in their environment. Over the years, we’ve had tons of great articles that, when put together, provide a fairly simple solution to this problem. (These can be found in the References section at the end of this article.) However, as Windows Admins, AD Admins, Sysadmins, or whatever title is bestowed upon us, we usually like the solutions wrapped up in one package so we can move on to the next fire or project. I hope to do that here.
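As an added example (my own script, not code from Chris Cartwright's article), here is one way to do the "track down RC4" part from the evidence a domain controller already produces. It reads Kerberos Event IDs 4768 (TGT request) and 4769 (service ticket request) from a DC's Security log, keeps only tickets issued with an RC4 encryption type, and groups them by the service account involved. It assumes the two Kerberos audit subcategories are enabled so those events are logged, that the caller can read the DC's Security log remotely, and the parameter names are my own.

```powershell
# Added example: report RC4-HMAC Kerberos tickets from a DC's Security log.
# Not code from the original article. Assumes "Audit Kerberos Authentication Service"
# and "Audit Kerberos Service Ticket Operations" are enabled so 4768/4769 are logged,
# and that the current account can read the Security log on the DC.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: name of a DC
    [int]$Days = 7
)

# TicketEncryptionType values as logged:
#   0x11 AES128-CTS-HMAC-SHA1-96, 0x12 AES256-CTS-HMAC-SHA1-96,
#   0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP (the two RC4 variants are what we hunt for).
$etypeNames = @{ '0x11' = 'AES128'; '0x12' = 'AES256'; '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP' }

# XPath filter evaluated by the event log service itself, so only matching events
# cross the wire. timediff() works in milliseconds.
$ms = $Days * 24 * 60 * 60 * 1000
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4768 or EventID=4769) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and
      *[EventData[Data[@Name='TicketEncryptionType']='0x17' or Data[@Name='TicketEncryptionType']='0x18']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $DomainController -FilterXml $filterXml -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id                     # 4768 = TGT request, 4769 = service ticket request
        Account  = $data['TargetUserName']   # who asked for the ticket
        Service  = $data['ServiceName']      # krbtgt for 4768; the SPN owner for 4769
        ClientIp = $data['IpAddress']
        EncType  = $etypeNames[$data['TicketEncryptionType']]
    }
}

if (-not $rows) {
    "No RC4 tickets found on $DomainController in the last $Days day(s)."
    return
}

# The ticket etype in a 4769 is governed by the service account's keys (and what the
# client asked for), so RC4 there usually points at the SPN owner, not the requesting
# user. Group by service first so you fix the accounts that actually matter.
$rows |
    Group-Object EventId, Service |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'EventId';        e = { $_.Group[0].EventId } },
        @{ n = 'Service';        e = { $_.Group[0].Service } },
        @{ n = 'SampleAccounts'; e = { ($_.Group.Account  | Select-Object -Unique -First 3) -join ', ' } },
        @{ n = 'SampleClients';  e = { ($_.Group.ClientIp | Select-Object -Unique -First 3) -join ', ' } } |
    Format-Table -AutoSize

# Typical fix for a service account that shows up here (ActiveDirectory module):
#   Set-ADUser svc-name -KerberosEncryptionType AES128,AES256
# then reset its password so AES keys are actually generated for it.
```

Run it against each DC (tickets are logged where they are issued, not centrally), and treat a 4769 for a computer account with RC4 as a host that still needs a password rotation after AES was enabled.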
Title: Updating your Azure landing zones
Source: Azure Architecture
Author: Ariya Khamvongsa, Thomas Maurer, Jan Faurskov, Paul Grimley
Publication Date: 6/5/2023
Content excerpt:
Landing zones are really a great way to build your Azure environment using best practices and build a platform where you can deploy apps and services. Paul and Jan get asked this question a lot: “once you've deployed Azure landing zones, how do you keep them up to date?”
Title: Breaking Change for VMSS PowerShell/CLI Customers
Source: Azure Compute
Author: Hilary Wang
Publication Date: 6/7/2023
Content excerpt:
We are announcing an upcoming breaking change to the default orchestration mode for Virtual Machine Scale Sets created on Portal, PowerShell, and Azure CLI. This change will take effect over the next few months, starting with Portal in May 2023 and PowerShell, CLI clients in November 2023. Once the change is complete, any VM Scale Sets created on Portal, PowerShell, or CLI will automatically default to Flexible orchestration mode instead of Uniform.
Title: Announcing public preview of Azure Container Instances Spot containers
Source: Azure Compute
Author: Athinanthny Senthil
Publication Date: 6/9/2023
Content excerpt:
Today, we are excited to announce a preview of Azure Container Instances (ACI) Spot containers. ACI Spot containers offer an improved pricing plan for ACI by allowing you to take advantage of unused Azure compute capacity at a significantly lower cost. With ACI Spot containers, you can run interruptible, containerized workloads at up to 70% discounted prices (vs. standard containers on ACI) and are billed for per-second memory and core usage like standard ACI containers.
Title: Azure portal May 2023 updates
Source: Azure Governance and Management
Author: Allison Cordle
Publication Date: 6/28/2023
Summary:
An overview of the updates to the Azure portal introduced in May 2023
Title: Azure Front Door Migration Tool Generally Available
Source: Azure Networking
Author: Jessie Jia
Publication Date: 6/12/2023
Content excerpt:
In November of 2022, we launched the zero downtime migration tool in public preview and received a lot of feedback and interest from our users. We truly appreciate your participation and input very much. We’re happy to announce the migration capability is now generally available with improvements in reliability and stability.
We’re also happy to announce, with this release, the general availability of both Managed Identity for Azure Front Door (used to retrieve your own certificate from Azure Key Vault) and upgrading your tier from Standard to Premium. To migrate from classic to Standard/Premium, you need to enable Managed Identity as a required step if you’re using your own certificate.
Title: Announcing Azure Firewall Upgrade/Downgrade General Availability
Source: Azure Networking
Author: Eliran Azulai
Publication Date: 6/13/2023
Content excerpt:
We're excited to see Azure Firewall's growing popularity and the positive feedback we are getting from the market. That's why we're pleased to let you know that Azure Firewall Standard and Premium now support an easy upgrade and downgrade operation, which is now generally available.
Title: Announcing Azure Firewall Structured Logs General Availability
Source: Azure Networking
Author: Eliran Azulai
Publication Date: 6/13/2023
Content excerpt:
As Azure Firewall continues to strive to improve its troubleshooting capabilities, we recently announced new flow logs and latency metrics. Today, we are happy to announce the general availability of the Azure Firewall Structured Logs capability.
Title: Protect against PaperCut vulnerability with Azure Firewall Premium
Source: Azure Network Security
Author: Eliran Azulai
Publication Date: 6/29/2023
Content excerpt:
On May 16th, 2023, PaperCut, a software company known for its multi-platform print management software, released an update to their advisory, stating that the exploitation of CVE-2023-27350 had been observed in real-world attacks.
This vulnerability allows remote attackers to bypass authentication and execute arbitrary code in the context of SYSTEM. It affects PaperCut MF and NG Application and Site Servers version 8.0 and above, across all supported operating systems. A patch was made available by PaperCut in versions 20.1.7, 21.2.11, and 22.0.9, and it is recommended to apply it at the earliest on all vulnerable servers.
Although the vulnerability had already been addressed by a released patch, attackers take advantage of a vulnerability that has been patched but whose patch has not yet been applied by all users. This situation is commonly referred to as an "n-day attack”.
Title: AI-based CLI interactive mode
Source: Azure Tools
Author: Jeremy Li
Publication Date: 6/29/2023
Content excerpt:
We are excited to announce that the Azure CLI team combined AI with CLI interactive mode (az interactive) to provide users with an intelligent interactive experience. It is primarily oriented to inexperienced users in interactive mode to help reduce the learning curve, provide an intelligent interactive experience, and improve operation efficiency in complex scenarios.
Title: Azure Monitor: Gain Observability Over Guest Users
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: 6/4/2023
Content excerpt:
In this post, I would like to explore something about gaining and keeping observability over guest users. Guest users in Azure Active Directory are external users to which you can grant permission on resources in your tenant, thanks to B2B collaboration.
Adding an external user to your tenant is remarkably simple: sending an invitation to the user’s email address is more than enough. Once the invitation is accepted, the user can sign in and access the resources in your subscription(s) according to the permissions given to his/her guest account.
Title: Moving Cloud PC from One Datacenter Region to Another - Summer 2023 Edition
Source: Core Infrastructure and Security
Author: Atil Gurcan
Publication Date: 6/8/2023
Content excerpt:
As I have mentioned in an earlier post, moving a Cloud PC from one datacenter location to another was not possible. This activity was basically a deprovisioning and reprovisioning of the existing Cloud PC in the target datacenter. However, due to increasing customer demand, this behavior is being changed right now. Moving a Cloud PC from one datacenter location to another is currently in preview (June 2023) and will probably be GA in the coming fall. Let’s take a look at how it is done.
Title: Avoiding Disk Export and VHD Download in Azure
Source: Core Infrastructure and Security
Author: Werner Rall
Publication Date: 6/12/2023
Content excerpt:
In an era where cloud computing and virtualization are increasingly taking center stage, Microsoft's Azure is a dominant force. One of the vital components in Azure is the Disk Export and Virtual Hard Disk (VHD) Download functionality. While it offers a wealth of conveniences, it also opens up potential vulnerabilities in terms of data security and regulatory compliance. In addition, the process of exporting and downloading can be time-consuming and resource-intensive, sometimes resulting in performance degradation. This blog post is dedicated to exploring ways of avoiding these risks associated with Disk Export and VHD Download in Azure. Through understanding the mechanisms behind this process, you will be able to design more efficient, secure, and compliant Azure environments, saving both time and resources.
Title: Use Azure Functions to Remove Unauthorized Role Assignments
Source: Core Infrastructure and Security
Author: Bas van Bennekom
Publication Date: 6/14/2023
Content excerpt:
Recently, one of my customers faced a challenge regarding the assignment of Role Definitions to workload teams on their Subscriptions. Their current configuration uses Entitlement Management, in combination with Privileged Identity Management (PIM), to grant a set of standing and eligible Role Assignments to workload teams. In this way, individual users would be able to elevate to the Contributor Role Definition on the scope of their own Subscription.
In this blog post, I will elaborate on the solution that was built to enforce the creation of Role Assignments at the resource scope only. At the end of this article, you can also find a link to the GitHub repository containing all the artifacts that I used to build the solution.
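As an added illustration (my own code, not the solution from Bas van Bennekom's post or his repository), this is the core check such an Azure Function could run on a timer: it lists the role assignments created directly at subscription scope, keeps those whose principal is on an allow-list of platform-managed identities, and removes the rest. It assumes Az.Resources and an authenticated session (in practice the Function's managed identity with User Access Administrator on the subscription); the function name, allow-list contents and placeholder IDs are assumptions.

```powershell
# Added example, not the original post's code. Removes role assignments that were
# created directly at subscription scope unless the principal is on an allow-list.
# Assumes Az.Resources is loaded and Connect-AzAccount (or the Function's managed
# identity) has already run with User Access Administrator on the subscription.
function Remove-UnauthorizedSubscriptionRoleAssignment {
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        # Object IDs of principals allowed to hold subscription-scope assignments,
        # e.g. the groups managed by Entitlement Management / PIM (assumed values).
        [Parameter(Mandatory)] [string[]] $AllowedPrincipalIds,
        [switch] $WhatIf
    )

    $scope = "/subscriptions/$SubscriptionId"

    # Get-AzRoleAssignment -Scope also returns assignments inherited from management
    # groups; compare Scope exactly so only direct subscription-scope ones are touched.
    $direct = Get-AzRoleAssignment -Scope $scope | Where-Object { $_.Scope -eq $scope }

    $removed = @()
    foreach ($ra in $direct) {
        if ($AllowedPrincipalIds -contains $ra.ObjectId) { continue }

        # Orphaned assignments (deleted principal) have an empty DisplayName but are
        # still removed: they are not on the allow-list either.
        $desc = "{0} ({1}) -> {2} at {3}" -f $ra.DisplayName, $ra.ObjectId, $ra.RoleDefinitionName, $ra.Scope
        if ($WhatIf) {
            Write-Output "Would remove: $desc"
        } else {
            Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionId $ra.RoleDefinitionId -Scope $ra.Scope
            Write-Output "Removed: $desc"
        }
        $removed += $ra
    }
    return $removed
}

# Example invocation (both GUIDs are placeholders):
# Remove-UnauthorizedSubscriptionRoleAssignment `
#     -SubscriptionId '00000000-0000-0000-0000-000000000000' `
#     -AllowedPrincipalIds @('11111111-1111-1111-1111-111111111111') -WhatIf
```

One caveat when pairing this with PIM: an activated eligible assignment appears as an ordinary, time-bound role assignment at the scope it was activated on, so the allow-list must cover the PIM-managed principals or the cleanup will tear down legitimate elevations. Run with -WhatIf against a real subscription before letting the Function remove anything.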
Title: Unlocking Insights from Azure Activity Logs with Power BI
Source: Core Infrastructure and Security
Author: Werner Rall
Publication Date: 6/21/2023
Content excerpt:
In this article, we are going to delve into how Power BI, a powerful data visualization and business intelligence tool, can be used to query and analyze Azure Activity Logs. Born out of a request to utilize APIs for Azure usage tracking, we have sought to develop a more streamlined and accessible solution. This innovative approach leverages Power BI’s prowess to transform complex log data into meaningful, actionable insights.
Title: Exploring Configuration Manager Automation Fundamentals – SMS Provider
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 6/23/2023
Content excerpt:
My name is Herbert Fuchs, and in this blog series, I want to take you on a journey exploring automation and API capabilities within Microsoft Configuration Manager. We will cover the fundamentals, share tips and tricks, and delve into advanced content.
Title: Exploring Configuration Manager Automation Fundamentals – WMI
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 6/26/2023
Content excerpt:
Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous post, we delved into the SMS Provider, the WMI interface that enables interaction with an MECM site. In this installment, we will take a closer look at Windows Management Instrumentation (WMI) and its significance in MECM.
Title: Using Resource Locks To Prevent Accidental Changes In Azure
Source: Core Infrastructure and Security
Author: Khushbu Gandhi
Publication Date: 6/27/2023
Content excerpt:
Over the course of my learning with Azure thus far, I have realized that it’s easy to deploy resources in Azure. In fact, it is this ease of use that has largely catapulted the push towards cloud adoption. But the shortcoming here is that it is just as easy to delete resources in the cloud as it is to deploy them. This is a common concern among organizations wanting to move their infrastructure to the cloud but skeptical about the safety mechanisms in place to prevent wrongful deletion of critical infrastructure components that could bring an organization’s business to a standstill. Azure resource locks allow organizations to put safeguards in place that prevent the accidental deletion or modification of resources in Azure. These locks sit outside of the role-based access control (RBAC) hierarchy and, when applied, place restrictions on the resource for all users. They are very useful when you have an important resource in your subscription that users should not be able to delete or change, and can help prevent accidental and malicious changes or deletion.
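The following is an added example (my own, not from Khushbu Gandhi's post) of turning that idea into a repeatable check: every resource group carrying a chosen tag must have a CanNotDelete lock placed on it, and the script reports which ones drift, optionally adding the lock. It assumes Az.Resources with an existing Connect-AzAccount session; the tag name, tag value and lock name are my own choices.

```powershell
# Added example, not from the original post. Ensures every resource group tagged
# Criticality=High carries a CanNotDelete lock and reports drift.
# Assumes Az.Resources and an existing Connect-AzAccount session; the tag and lock
# names are assumptions.
function Assert-CriticalResourceGroupLocks {
    param(
        [string] $TagName  = 'Criticality',
        [string] $TagValue = 'High',
        [string] $LockName = 'protect-critical-rg',
        [switch] $Remediate
    )

    $critical = Get-AzResourceGroup | Where-Object { $_.Tags -and $_.Tags[$TagName] -eq $TagValue }

    foreach ($rg in $critical) {
        # -AtScope: only locks placed on the RG itself, not locks on child resources.
        $deleteLock = Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope |
            Where-Object { $_.Properties.level -eq 'CanNotDelete' }

        if ($deleteLock) {
            [pscustomobject]@{ ResourceGroup = $rg.ResourceGroupName; Status = 'Locked'; Lock = ($deleteLock.Name -join ',') }
            continue
        }

        if ($Remediate) {
            # A lock on the RG protects the group and every resource inside it;
            # -Force suppresses the confirmation prompt so this runs unattended.
            New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete -ResourceGroupName $rg.ResourceGroupName `
                -LockNotes "Tagged $TagName=$TagValue; remove this lock explicitly before deleting." -Force | Out-Null
            [pscustomobject]@{ ResourceGroup = $rg.ResourceGroupName; Status = 'LockAdded'; Lock = $LockName }
        } else {
            [pscustomobject]@{ ResourceGroup = $rg.ResourceGroupName; Status = 'MISSING'; Lock = '' }
        }
    }
}

# Report only:
# Assert-CriticalResourceGroupLocks | Format-Table -AutoSize
# Report and add the missing locks:
# Assert-CriticalResourceGroupLocks -Remediate | Format-Table -AutoSize
```

Two things to keep in mind: creating or removing a lock needs Microsoft.Authorization/locks/* (Owner or User Access Administrator, not Contributor), which is what makes the lock a meaningful second step rather than something a Contributor can silently undo; and locks only govern the management plane, so they do not stop someone with data-plane access from deleting the blobs inside a locked storage account.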
Title: Exploring Configuration Manager Automation Fundamentals – PowerShell Cmdlets
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 6/28/2023
Content excerpt:
Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous post, we delved into the Windows Management Instrumentation, where we learned about namespaces, classes, properties, and methods. Now, let's shift our focus to the PowerShell cmdlets. As with our previous post, we will start with the essentials and dive deeper into this topic.
Title: Exploring Configuration Manager Automation Fundamentals – Administration Service
Source: Core Infrastructure and Security
Author: Herbert Fuchs
Publication Date: 6/30/2023
Content excerpt:
Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous posts, we explored various aspects such as the SMS Provider, Windows Management Instrumentation (WMI), and PowerShell Cmdlets. Today, we'll delve into the final chapter of this series, where we'll cover the Administration Service and its crucial role in extending Configuration Manager's capabilities.
Title: Wired for Hybrid - Deep Dive 2 - Azure Front Door
Source: ITOps Talk
Author: Pierre Roman
Publication Date: 6/7/2023
Content excerpt:
As part of our Wired for Hybrid series, Michael and I have been talking with engineers and product managers about topics that are important when working with Azure networking. In this deep dive episode, we’re talking with Duong Au, senior content developer.
Title: Wired for Hybrid - Deep Dive 3 - Azure Virtual Network Manager
Source: ITOps Talk
Author: Pierre Roman
Publication Date: 6/13/2023
Content excerpt:
As part of our Wired for Hybrid series, Michael and I have been talking with engineers and product managers about topics that are important when working with Azure networking. In this deep dive episode, we’re talking with Andrea Michael, program manager in the Azure Networking team.
Title: Azure Landing Zone Accelerator for AVS - Using a Central Hub in Azure
Source: ITOps Talk
Author: Amy Colyer
Publication Date: 6/22/2023
Content excerpt:
There are many options for network connectivity when it comes to Azure VMware Solution. This post reviews utilizing a central hub network in Azure.
Title: Increasing Transparency into Azure Active Directory's Resilience Model
Source: Microsoft Entra (Azure AD)
Author: Nadim Abdo
Publication Date: 6/6/2023
Content excerpt:
Over the last two years we’ve been sharing the progress on Azure AD’s resilience investments, such as our 99.99% Service Level Agreement (SLA), our core resilience principles and architecture, and our differentiated resilience features like our automatic backup authentication service, regionally isolated authentication, and continuous access evaluation.
We appreciate your confidence in Azure AD as a mission-critical dependency for your applications and services. We also have heard how important transparency is to you in understanding how the service is built for resilience, as well as deeply understanding the actual realized resilience state of your own applications and services.
Today, we’re excited to announce two new ways that we’re enhancing our transparency into these resilience capabilities and furthering our resilience journey...
Title: Microsoft Entra ID Governance is generally available
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: 6/7/2023
Content excerpt:
Today, I’m pleased to announce the general availability of Microsoft Entra ID Governance, our complete identity governance product that ensures the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Azure Active Directory, part of Microsoft Entra, plus our most advanced tools that simplify identity, management, and governance of on-premises and cloud apps and resources.
Title: Action required: Last chance to migrate ADAL apps!
Source: Microsoft Entra (Azure AD)
Author: James Mantu
Publication Date: 6/13/2023
Content excerpt:
We are announcing a new Azure Active Directory (Azure AD) recommendation helping customers migrate apps using the legacy Azure AD Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL).
This is part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, and to end support for ADAL. The final deadline to migrate your applications to MSAL has been extended to June 30, 2023.
Title: Important: Azure AD Graph Retirement and PowerShell Module Deprecation
Source: Microsoft Entra (Azure AD)
Author: Kristopher Bash
Publication Date: 6/15/2023
Content excerpt:
In 2019, we announced deprecation of the Azure AD Graph service. One year ago we communicated that Azure AD Graph will be retired and stop functioning after June 30, 2023. We also previously communicated that three legacy PowerShell modules (Azure AD, Azure AD Preview, and MS Online) would be deprecated on June 30, 2023.
We want to provide an update on timelines for these changes and offer further clarity on what to expect going forward. No new investment is going into Azure AD Graph and the three PowerShell modules, making it very important that all customers prioritize migration to Microsoft Graph APIs and Microsoft Graph PowerShell SDK to ensure continued support and functionality.
However, we understand that many customers have not yet completed these migrations, and we confirm our continued commitment to work with our customers during this migration period to minimize and avoid impact.
Title: New App Health Recommendations in Microsoft Entra Workload Identities
Source: Microsoft Entra (Azure AD)
Author: Jeff Sakowicz
Publication Date: 6/29/2023
Content excerpt:
Easily recognizing which identities have risky configurations or should be removed altogether is becoming crucial, so we‘re excited to announce a new feature—app health recommendations—within Microsoft Entra Workload Identities.
Title: Microsoft Entra new feature and change announcements
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: 6/20/2023
Content excerpt:
Today, we’re sharing the new feature releases for the last quarter (April – June 2023) and the changes to existing features (June 2023 change management train). We also communicate these changes on release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well.
Title: What’s new in Microsoft Intune: 2306 (June) edition
Source: Microsoft Intune
Author: Ramya Chitrakar
Publication Date: 6/22/2023
Content excerpt:
In the June 2023 service release (2306), we're offering significant additions to Microsoft Intune security and productivity features. The first is the release of Mobile Application Management (MAM) for Microsoft Edge for Business on Windows! Then, about a week after the release, you'll be able to use Intune to manage Windows drivers and firmware updates. I'm looking forward to hearing how you adopt these key capabilities.
Title: SMB signing required by default in Windows Insider
Source: Storage at Microsoft
Author: Ned Pyle
Publication Date: 6/2/2023
Content excerpt:
Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25381 (Canary, zn_release) Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them.
Title: SMB Signing and Guest Authentication
Source: Storage at Microsoft
Author: Ned Pyle
Publication Date: 6/13/2023
Content excerpt:
Heya folks, Ned here again. We recently made SMB signing the default in Windows Insider Enterprise client builds. In doing so, we were quickly reminded of a consequence from an old unsafe SMB behavior that some folks still use: guest authentication. Today I'll explain all this and give you the steps to both fix and workaround the issue.
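The two SMB posts above describe a default that is changing and the guest-authentication fallback it breaks. As an added example (my own, not code from Ned Pyle's posts), the script below checks the local client and server signing settings, lists live outbound connections that are currently unsigned (the servers that will stop working once signing is required, including any reached via guest access, since a guest session has no credential from which to derive a signing key), and optionally applies the hardened settings. It uses the SmbShare cmdlets that ship with Windows and needs an elevated session; the function names are my own.

```powershell
# Added example, not from the original posts. Audits SMB signing / guest settings on
# this machine, lists live client connections that are not signed, and optionally
# enforces signing. Requires an elevated PowerShell session (SmbShare module, in-box).
function Get-SmbSigningPosture {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequiresSigning     = $client.RequireSecuritySignature
        ClientInsecureGuestLogons = $client.EnableInsecureGuestLogons   # $true = guest fallback allowed
        ServerRequiresSigning     = $server.RequireSecuritySignature
        ServerEncryptData         = $server.EncryptData
        # Active outbound sessions that are not signed. These are the servers (or
        # guest-accessed shares, which cannot sign at all) that will fail once
        # signing is required on this client.
        UnsignedConnections       = @(Get-SmbConnection | Where-Object { -not $_.Signed } |
                                       Select-Object ServerName, ShareName, UserName, Dialect)
    }
}

function Set-SmbSigningRequired {
    # Same outcome as the new Insider default: require signing in both directions
    # and refuse the insecure guest fallback that a signed session cannot use anyway.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableInsecureGuestLogons $false -Force
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Get-SmbSigningPosture
}

# Audit first. Fix anything in UnsignedConnections (give guest shares real
# credentials, update devices that cannot sign) before calling Set-SmbSigningRequired.
Get-SmbSigningPosture | Format-List
```

In a domain, the "Microsoft network client/server: Digitally sign communications (always)" Group Policy settings overwrite whatever these cmdlets set locally, so once the audit is clean, put the required-signing values in policy rather than relying on per-host changes.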
Title: Multi-app kiosk mode now available in Windows 11!
Source: Windows IT Pro
Author: Sydney Bruckmann
Publication Date: 6/12/2023
Content excerpt:
Create a customized and locked down experience for your shared devices using multi-app kiosk mode, now available in Windows 11 with the May 24, 2023 Windows Configuration Update.
Title: How Windows manages time zone changes
Source: Windows IT Pro
Author: Farhan Ali
Publication Date: 6/21/2023
Content excerpt:
When it comes to keeping the clocks in your organization running normally, you rely on our Windows engineers. We, in turn, look to governments for timely collaboration. Let's talk about the importance and complexity of time zone (TZ) changes, as well as some best practices to help your organization always be on time!
Title: Manage Windows driver and firmware updates with Microsoft Intune
Source: Windows IT Pro
Author: David Guyer
Publication Date: 6/26/2023
Content excerpt:
We're excited to announce the general availability of Windows driver and firmware update management policies and reports in Microsoft Intune!
This new functionality in Intune makes it easier to keep drivers on your Windows devices up to date in two main ways. First, you'll no longer have to do the manual work of downloading, repackaging, and deploying drivers using generic tools. Instead, you can take advantage of driver update management policies and reports built on the Windows Update for Business deployment service.