Check This Out! (CTO!) Guide (June 2023)
Published Jul 08 2023 10:37 AM
Microsoft

 

Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.

These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.

From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!

 


 

Title: So, you think you’re ready for enforcing AES for Kerberos?

Source: Ask the Directory Services Team

Author: Chris Cartwright

Publication Date: 6/27/2023

Content excerpt:

We have many customers asking questions about how to track down the usage of RC4 in their environment.  Over the years, we’ve had tons of great articles that, when put together, provide a fairly simple solution to this problem.  (These can be found in the References section at the end of this article.)  However, as Windows Admins, AD Admins, Sysadmins, or whatever title is bestowed upon us, we usually like the solutions wrapped up in one package so we can move on to the next fire or project.  I hope to do that here.

 


 

 

Title: Updating your Azure landing zones

Source: Azure Architecture

Author: Ariya Khamvongsa, Thomas Maurer, Jan Faurskov, Paul Grimley

Publication Date: 6/5/2023

Content excerpt:

Landing zones are really a great way to build your Azure environment using best practices and building a platform where you can deploy apps and services. Paul and Jan get asked this question a lot as to “once you've deployed Azure landing zones, how do you keep it up to date?”

 


 

 

Title: Breaking Change for VMSS PowerShell/CLI Customers

Source: Azure Compute

Author: Hilary Wang

Publication Date: 6/7/2023

Content excerpt:

We are announcing an upcoming breaking change to the default orchestration mode for Virtual Machine Scale Sets created on Portal, PowerShell, and Azure CLI. This change will take effect over the next few months, starting with Portal in May 2023 and PowerShell, CLI clients in November 2023. Once the change is complete, any VM Scale Sets created on Portal, PowerShell, or CLI will automatically default to Flexible orchestration mode instead of Uniform.

 


 

 

Title: Announcing public preview of Azure Container Instances Spot containers

Source: Azure Compute

Author: Athinanthny Senthil

Publication Date: 6/9/2023

Content excerpt:

Today, we are excited to announce a preview of Azure Container Instances (ACI) Spot containers. ACI Spot containers offer an improved pricing plan for ACI by allowing you to take advantage of unused Azure compute capacity at a significantly lower cost. With ACI Spot containers, you can run interruptible, containerized workloads at up-to-70% discounted prices (vs standard containers on ACI) and are billed for per-second memory and core usage like standard ACI containers.

 


 

 

Title: Azure portal May 2023 updates

Source: Azure Governance and Management

Author: Allison Cordle

Publication Date: 6/28/2023

Summary:

An overview of the updates to the Azure portal introduced in May 2023

 


 

 

Title: Azure Front Door Migration Tool General Available

Source: Azure Networking

Author: Jessie Jia

Publication Date: 6/12/2023

Content excerpt:

In November of 2022, we launched the zero downtime migration tool in public preview and received a lot of feedback and interest from our users. We truly appreciate your participation and input very much. We’re happy to announce the migration capability is now generally available with improvements in reliability and stability.

We’re also happy to announce the general availability of both Managed Identity for Azure Front Door retrieval of your own certificate from Azure Key Vault and upgrade your tier from standard to premium with this release. To migrate from classic to standard/premium, you need to enable Managed Identity as a required step if you’re using your own certification.

 


 

 

Title: Announcing Azure Firewall Upgrade/Downgrade General Availability

Source: Azure Networking

Author: Eliran Azulai

Publication Date: 6/13/2023

Content excerpt:

We're excited to see Azure Firewall's growing popularity and the positive feedback we are getting from the market. That's why we're pleased to let you know that Azure Firewall Standard and Premium now support an easy upgrade and downgrade operation, which is now generally available.

 


 

 

Title: Announcing Azure Firewall Structured Logs General Availability

Source: Azure Networking

Author: Eliran Azulai

Publication Date: 6/13/2023

Content excerpt:

As Azure Firewall continues to strive to improve its troubleshooting capabilities, we have recently announced new flow logs and latency metrics. Today, we are happy to announce the general availability of Azure Firewall Structured Logs capability.

 


 

 

Title: Protect against PaperCut vulnerability with Azure Firewall Premium

Source: Azure Network Security

Author: Eliran Azulai

Publication Date: 6/29/2023

Content excerpt:

On May 16th, 2023, PaperCut, a software company known for its multi-platform print management software, released an update to their advisory, stating that the exploitation of CVE-2023-27350 had been observed in real-world attacks.

This vulnerability allows remote attackers to bypass authentication and execute arbitrary code in the context of SYSTEM. It affects PaperCut MF and NG Application and Site Servers version 8.0 and above, across all supported operating systems. A patch was made available by PaperCut in versions 20.1.7, 21.2.11, and 22.0.9 and it is recommended to apply it at the earliest on all vulnerable servers.

Although the vulnerability had already been addressed by a released patch, attackers take advantage of a vulnerability that has been patched but not yet updated by all users. This situation is commonly referred to as an “n-day attack”.

 


 

 

Title: AI-based CLI interactive mode

Source: Azure Tools

Author: Jeremy Li

Publication Date: 6/29/2023

Content excerpt:

We are excited to announce that the Azure CLI team combined AI with CLI interactive mode (az interactive) to provide users with an intelligent interactive experience. It is primarily oriented to inexperienced users in interactive mode to help reduce the learning curve, provide an intelligent interactive experience, and improve operation efficiency in complex scenarios.

 


 

 

Title: Azure Monitor: Gain Observability Over Guest Users

Source: Core Infrastructure and Security

Author: Bruno Gabrielli

Publication Date: 6/4/2023

Content excerpt:

In this post, I would like to explore something about gaining and keeping observability over guest users. Guest users in Azure Active Directory are external users to which you can grant permission on resources in your tenant, thanks to the B2B collaboration.

Adding an external user to your tenant is remarkably simple: sending an invitation to the user’s email address is more than enough. Once the invitation is accepted, the user can sign in and access the resources in your subscription(s) according to the permissions given to his/her guest account.

 


 

 

Title: Moving Cloud PC from One Datacenter Region to Another - Summer 2023 Edition

Source: Core Infrastructure and Security

Author: Atil Gurcan

Publication Date: 6/8/2023

Content excerpt:

As I have mentioned in an earlier post, moving a Cloud PC from one datacenter location to another was not possible. This activity was basically a deprovisioning and reprovisioning of the existing Cloud PC in the target datacenter. However, due to increasing customer demand, this behavior is being changed right now. Moving a Cloud PC from one datacenter location to another is currently in preview (June 2023) and probably it will be GA in the coming fall. Let’s take a look at how it is done.

 


 

 

Title: Avoiding Disk Export and VHD Download in Azure

Source: Core Infrastructure and Security

Author: Werner Rall

Publication Date: 6/12/2023

Content excerpt:

In an era where cloud computing and virtualization are increasingly taking center stage, Microsoft's Azure is a dominant force. One of the vital components in Azure is the Disk Export and Virtual Hard Disk (VHD) Download functionality. While it offers a wealth of conveniences, it also opens up potential vulnerabilities in terms of data security and regulatory compliance. In addition, the process of exporting and downloading can be time-consuming and resource-intensive, sometimes resulting in performance degradation. This blog post is dedicated to exploring ways of avoiding these risks associated with Disk Export and VHD Download in Azure. Through understanding the mechanisms behind this process, you will be able to design more efficient, secure, and compliant Azure environments, saving both time and resources. 

 


 

 

Title: Use Azure Functions to Remove Unauthorized Role Assignments

Source: Core Infrastructure and Security

Author: Bas van Bennekom

Publication Date: 6/14/2023

Content excerpt:

Recently, one of my customers faced a challenge regarding the assignment of Role Definitions to workload teams on their Subscriptions. Their current configuration uses Entitlement Management, in combination with Privileged Identity Management (PIM), to grant a set of standing and eligible Role Assignments to workload teams. In this way, individual users would be able to elevate to the Contributor Role Definition on the scope of their own Subscription.

In this blog post, I will elaborate on the solution that was built to enforce the creation of Role Assignments at the resource scope only. At the end of this article, you can also find a link to the GitHub repository containing all the artifacts that I used to build the solution.

 


 

 

Title: Unlocking Insights from Azure Activity Logs with Power BI

Source: Core Infrastructure and Security

Author: Werner Rall

Publication Date: 6/21/2023

Content excerpt:

In this article, we are going to delve into how Power BI, a powerful data visualization and business intelligence tool, can be used to query and analyze Azure Activity Logs. Born out of a request to utilize APIs for Azure usage tracking, we have sought to develop a more streamlined and accessible solution. This innovative approach leverages Power BI’s prowess to transform complex log data into meaningful, actionable insights.

 


 

 

Title: Exploring Configuration Manager Automation Fundamentals – SMS Provider

Source: Core Infrastructure and Security

Author: Herbert Fuchs

Publication Date: 6/23/23

Content excerpt:

My name is Herbert Fuchs, and in this blog series, I want to take you on a journey exploring automation and API capabilities within Microsoft Configuration Manager. We will cover the fundamentals, share tips and tricks, and delve into advanced content.

 


 

 

Title: Exploring Configuration Manager Automation Fundamentals – WMI

Source: Core Infrastructure and Security

Author: Herbert Fuchs

Publication Date: 6/26/2023

Content excerpt:

Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous post, we delved into the SMS Provider, the WMI interface that enables interaction with an MECM site. In this installment, we will take a closer look at Windows Management Instrumentation (WMI) and its significance in MECM.

 


 

 

Title: Using Resource Locks To Prevent Accidental Changes In Azure

Source: Core Infrastructure and Security

Author: Khushbu Gandhi

Publication Date: 6/27/2023

Content excerpt:

Over the course of my learning with Azure thus far, I have realized that it’s easy to deploy resources in Azure. In fact, it is this ease of use that has largely catapulted the push towards cloud adoption. But the shortcoming here is that it is just as easy to delete resources in the cloud as it is to deploy them. This is a common concern among organizations wanting to move their infrastructure to the cloud but are skeptical about the safety mechanisms in place to prevent wrongful deletion of critical infrastructure components that could bring an organization’s business to a standstill. Azure Resource locks allow organizations to put safeguards in place that prevent the accidental deletion or modification of resources in Azure. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These are very useful when you have an important resource in your subscription that users should not be able to delete or change and can help prevent accidental and malicious changes or deletion.

 


 

 

Title: Exploring Configuration Manager Automation Fundamentals – PowerShell Cmdlets

Source: Core Infrastructure and Security

Author: Herbert Fuchs

Publication Date: 6/28/2023

Content excerpt:

Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous post, we delved into the Windows Management Instrumentation, where we learned about namespaces, classes, properties, and methods. Now, let's shift our focus to the PowerShell cmdlets. As with our previous post, we will start with the essentials and dive deeper into this topic.

 


 

 

Title: Exploring Configuration Manager Automation Fundamentals – Administration Service

Source: Core Infrastructure and Security

Author: Herbert Fuchs

Publication Date: 6/30/2023

Content excerpt:

Welcome back to our blog series on automation and API capabilities within Microsoft Configuration Manager. In our previous posts, we explored various aspects such as the SMS Provider, Windows Management Instrumentation (WMI), and PowerShell Cmdlets. Today, we'll delve into the final chapter of this series, where we'll cover the Administration Service and its crucial role in extending Configuration Manager's capabilities.

 


 

 

Title: Wired for Hybrid - Deep Dive 2 - Azure Front Door

Source: ITOps Talk

Author: Pierre Roman

Publication Date: 6/7/2023

Content excerpt:

As part of our Wired for Hybrid series, Michael and I have been talking with engineers and product managers about topics that are important when working with Azure networking. In this deep dive episode, we’re talking with Duong Au, senior content developer.

 


 

 

Title: Wired for Hybrid - Deep Dive 3 - Azure Virtual Network Manager

Source: ITOps Talk

Author: Pierre Roman

Publication Date: 6/13/2023

Content excerpt:

As part of our Wired for Hybrid series, Michael and I have been talking with engineers and product managers about topics that are important when working with Azure networking. In this deep dive episode, we’re talking with Andrea Michael, program manager in the Azure Networking team.

 


 

 

Title: Azure Landing Zone Accelerator for AVS - Using a Central Hub in Azure

Source: ITOps Talk

Author: Amy Colyer

Publication Date: 6/22/2023

Content excerpt:

There are many options for network connectivity when it comes to Azure VMware Solution.  This post reviews utilizing a central hub network in Azure.

 


 

 

Title: Increasing Transparency into Azure Active Directory's Resilience Model

Source: Microsoft Entra (Azure AD)

Author: Nadim Abdo

Publication Date: 6/6/2023

Content excerpt:

Over the last two years we’ve been sharing the progress on Azure AD’s resilience investments, such as our 99.99% Service Level Agreement (SLA), our core resilience principles and architecture, and our differentiated resilience features like our automatic backup authentication service, regionally isolated authentication, and continuous access evaluation. 

We appreciate your confidence in Azure AD as a mission-critical dependency for your applications and service. We also have heard how important transparency is to you in understanding how the service is built for resilience, as well as deeply understanding the actual realized resilience state of your own applications and services.
Today, we’re excited to announce two new ways that we’re enhancing our transparency into these resilience capabilities and furthering our resilience journey...

 


 

 

Title: Microsoft Entra ID Governance is generally available

Source: Microsoft Entra (Azure AD)

Author: Joseph Dadzie

Publication Date: 6/7/2023

Content excerpt:

Today, I’m pleased to announce the general availability of Microsoft Entra ID Governance, our complete identity governance product that ensures the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Azure Active Directory, part of Microsoft Entra, plus our most advanced tools that simplify identity, management, and governance of on-premises and cloud apps and resources. 

 


 

 

Title: Action required: Last chance to migrate ADAL apps!

Source: Microsoft Entra (Azure AD)

Author: James Mantu

Publication Date: 6/13/2023

Content excerpt:

We are announcing a new Azure Active Directory (Azure AD) recommendation helping customers migrate apps using the legacy Azure AD Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL).

This is part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications to end support for ADAL. The final deadline to migrate your applications to MSAL has been extended to June 30, 2023.

 


 

 

Title: Important: Azure AD Graph Retirement and Powershell Module Deprecation

Source: Microsoft Entra (Azure AD)

Author: Kristopher Bash

Publication Date: 6/15/2023

Content excerpt:

In 2019, we announced deprecation of the Azure AD Graph service. One year ago we communicated that Azure AD Graph will be retired and stop functioning after June 30, 2023. We also previously communicated that three legacy PowerShell modules (Azure AD, Azure AD Preview, and MS Online) would be deprecated on June 30, 2023.  

We want to provide an update on timelines for these changes and offer further clarity on what to expect going forward. No new investment is going into Azure AD Graph and the three PowerShell modules, making it very important that all customers prioritize migration to Microsoft Graph APIs and Microsoft Graph PowerShell SDK to ensure continued support and functionality.   

However, we understand that many customers are not yet complete with these migrations and we confirm our continued commitment to work with our customers during this migration period to minimize and avoid impact.  

 


 

 

Title: New App Health Recommendations in Microsoft Entra Workload Identities

Source: Microsoft Entra (Azure AD)

Author: Jeff Sakowicz

Publication Date: 6/29/2023

Content excerpt:

Easily recognizing which identities have risky configurations or should be removed altogether is becoming crucial, so we’re excited to announce a new feature—app health recommendations—within Microsoft Entra Workload Identities.

 


 

 

Title: Microsoft Entra new feature and change announcements

Source: Microsoft Entra (Azure AD)

Author: Shobhit Sahay

Publication Date: 6/20/2023

Content excerpt:

Today, we’re sharing the new feature releases for the last quarter (April – June 2023) and the changes to existing features (June 2023 change management train). We also communicate these changes on release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well.

 


 

 

Title: What’s new in Microsoft Intune: 2306 (June) edition

Source: Microsoft Intune

Author: Ramya Chitrakar

Publication Date: 6/22/2023

Content excerpt:

In the June 2023 service release (2306), we're offering significant additions to Microsoft Intune security and productivity features. The first is the release of Mobile Application Management (MAM) for Microsoft Edge for Business on Windows! Then, about a week after the release, you'll be able to use Intune to manage Windows drivers and firmware updates. I'm looking forward to hearing how you adopt these key capabilities.

 


 

 

Title: SMB signing required by default in Windows Insider

Source: Storage at Microsoft

Author: Ned Pyle

Publication Date: 6/2/2023

Content excerpt:

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25381 (Canary, zn_release) Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them.

 


 

 

Title: SMB Signing and Guest Authentication

Source: Storage at Microsoft

Author: Ned Pyle

Publication Date: 6/13/2023

Content excerpt:

Heya folks, Ned here again. We recently made SMB signing the default in Windows Insider Enterprise client builds. In doing so, we were quickly reminded of a consequence from an old unsafe SMB behavior that some folks still use: guest authentication. Today I'll explain all this and give you the steps to both fix and workaround the issue.

 


 

 

Title: Multi-app kiosk mode now available in Windows 11!

Source: Windows IT Pro

Author: Sydney Bruckmann

Publication Date: 6/12/2023

Content excerpt:

Create a customized and locked down experience for your shared devices using multi-app kiosk mode, now available in Windows 11 with the May 24, 2023 Windows Configuration Update.

 


 

 

Title: How Windows manages time zone changes

Source: Windows IT Pro

Author: Farhan Ali

Publication Date: 6/21/2023

Content excerpt:

When it comes to keeping the clocks in your organization running normally, you rely on our Windows engineers. We, in turn, look to governments for timely collaboration. Let's talk about the importance and complexity of time zone (TZ) changes, as well as some best practices to help your organization always be on time!

 


 

 

Title: Manage Windows driver and firmware updates with Microsoft Intune

Source: Windows IT Pro

Author: David Guyer

Publication Date: 6/26/2023

Content excerpt:

We're excited to announce the general availability of Windows driver and firmware update management policies and reports in Microsoft Intune!

This new functionality in Intune makes it easier to keep drivers on your Windows devices up to date in two main ways. First, you'll no longer have to do the manual work of downloading, repackaging, and deploying drivers using generic tools. Instead, you can take advantage of driver update management policies and reports built on the Windows Update for Business deployment service.

 


 

 

 

 

Previous CTO! Guides:

 

Additional resources:

 
