Microsoft Azure

Frequent questions about using Conditional Access to secure remote access

Organizations asking employees to work from home to slow the spread of COVID-19 are making huge organizational and process changes in a matter of weeks, not years. For them, quickly enabling remote work while keeping company data safe presents new challenges and amplifies old ones.  To help, we’d like to share best practices and tips, aligned with the principles of Zero Trust, that we’ve assembled from working closely with customers in these trying times.

Passwordless authentication options for Azure Active Directory

Multi-factor authentication (MFA) is a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.  Each organization has different needs when it comes to authentication. Microsoft offers the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD).

Blocking legacy authentication

To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication.  Today, the majority of all compromising sign-in attempts come from legacy authentication. Legacy authentication does not support multi-factor authentication (MFA). Even if you have an MFA policy enabled on your directory, a bad actor can authenticate using a legacy protocol and bypass MFA. The best way to protect your account from malicious authentication requests made by legacy protocols is to block these attempts altogether.

Perform an internal admin takeover in Office 365

A self-service sign up for any cloud service that uses Azure AD will add the user to an unmanaged or "shadow" Azure AD directory and create an unmanaged tenant, such as PowerBI. An unmanaged tenant is a directory without a global administrator.  If you are an admin and want to take over an unmanaged tenant created by a self-service user signup, you can do this with an internal admin takeover.

Azure Monitor for virtual machines is now generally available

Azure Monitor for virtual machines (VMs), which provides an in-depth view of VM performance trends and dependencies, is now generally available. Get key monitoring data about your Windows and Linux VMs to help you discover dependencies, identify hotspots, and troubleshoot issues faster with Azure Monitor for VMs.

Azure Virtual Network now supports reverse DNS lookup

Azure Virtual Network now supports reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. Use this to quickly look up name of the VM from its IP address. Previously, using DNS queries to look up the fully qualified domain name (FQDN) for a virtual machine from its IP address would result in an NXDOMAIN response. Now, instead of getting an NXDOMAIN, you’ll receive valid FQDN of the virtual machine to which the IP address belongs.

Direct Upload of Azure Managed Disks is generally available

Direct upload of Azure Managed Disks provides a simplified workflow for uploading an on-premises VHD directly into an empty managed disk or copy a managed disk to another Azure region for regional migration or expansion.

Office 365 Groups will become Microsoft 365 Groups

Microsoft 365 is the world’s productivity cloud and it represents our vision for the future of Microsoft productivity tools—an integrated set of apps and services that puts artificial intelligence and other cutting-edge innovations to work for you. To reflect the fact that Office 365 Groups power collaboration across Microsoft 365, Office 365 Groups will become Microsoft 365 Groups. These changes will happen over time and will be reflected in all the connected endpoints over the upcoming quarters.

Start your Infrastructure as Code journey with AzStackHub

Azure Stack Hub lights up IaaS capabilities in your datacenter. These range from foundational concepts like enabling self-service, having a marketplace of items, or enabling RBAC (all of them concepts we’ve explored in the Azure Stack IaaS series) – all the way to enabling an Infrastructure as Code practice, or enabling hybrid applications.

Windows Server

Windows Admin Center update 1910.2 is now generally available!

Windows Admin Center version 1910.2, which was released to Windows Insiders last month, is now generally available. Version 1910.2 is a cumulative update to our 1910 GA release from last November that includes updates to the platform’s accessibility and numerous bug fixes.

Windows Client

Live response for earlier versions of Windows is now in public preview

Announcing that live response is now in public preview for earlier versions of Windows 10 including 1709, 1803, and 1809.  Each organization has different needs and is on a different timeline for planning, testing, and deploying Windows updates.  The ability to download files using a live response command in the background enables your Security Operations team to continue investigating an impacted device during a file download.

Azure DSC for Zero Trust Windows 10 Devices Managed by Intune

In a zero trust environment with no connectivity back to traditional on-premises or Azure hosted domain controllers, nor any way to VPN into said environment, the security gap between Intune and Group Policy could be a roadblock to more organizations leveraging the power of cloud.  Desired State Configuration (DSC) can be used to monitor and enforce the state of a company’s computer systems are in a desired configuration.

ConfigMgr Bitlocker Management

Configmgr has released BitLocker Drive Encryption (BDE) in v1910 for on-premises Windows clients running Windows 10 or Windows 8.1.

Security

Controlling access to Azure Sentinel Data: Resource RBAC

Users who have access to the Azure Sentinel workspace can typically view all the data.  However; Azure Sentinel has the tools needed to limit such access. The primary methods to enable such role-based access to control data are either to split your Azure Sentinel implementation into multiple workspaces or to use Resource RBAC.  Resource RBAC helps by enabling users who do not have access to the workspace to view telemetry collected for resources as needed.

Quick wins—single sign-on (SSO) and Multi-Factor Authentication (MFA)

With Multi-Factor Authentication (MFA) and single sign-on (SSO) being a few of the most effective countermeasures against modern threats, organizations should consider a Cloud Identity as a Service (IDaaS), and MFA solution, like Azure Active Directory (AD).

Azure Monitor Logs new create workspace experience

Collect and analyze logs from your Azure estate using the power and flexibility of Azure Monitor Logs.  The Azure Monitor Logs workspace is the most basic logical unit used to collect and manage log analytics.  The workspace creation experience has been modernized and there’s a new, full-screen create experience.

Validating Azure Key Vault Threat Detection in Azure Security Center

Azure Security Center includes advanced threat protection for Azure Key Vault. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts based on behavior analysis using machine learning. To use this threat detection capability, you need to enable the Key Vault threat bundle in Azure Security Center pricing tier

How to isolate an Azure VM using Azure Security Center’s Workflow automation

A common attack that still occurs in the cloud is brute force attacks against the Azure VMs management ports like SSH for Linux and RDP for Windows. While most organizations use Azure Security Center Just in Time access feature there are some that do not.  The workflow automation can trigger an automated security response.

Centralized Policy Management in Azure Security Center using Management Groups

Large organizations that have multiple subscriptions in a single tenant environment are probably already using Azure Management Groups to organize their subscriptions according to the business needs, by creating a hierarchy that applies a policy that reflect the needs of those subscriptions.  When these organizations need to enable Azure Security Center across different subscriptions that have different workloads and therefore different assessment needs, it is also common that they want to customize its policies and control it in the Management Group level rather than in the subscription level.

Announcing timelines for sunsetting label management in the Azure portal and AIP client (classic)

With label management in the Microsoft 365 compliance center now at parity with the AIP portal experience, we are announcing that we will sunset label management in the Azure portal as of March 31, 2021. This extended timeframe will give customers currently using the Azure portal more than twelve months to transition to MIP’s unified labeling platform where the existing AIP value will continue to be fully supported. We are also announcing that the AIP client (classic) will be sunsetting on March 31, 2021. Again, this extended timeframe allows customers currently using the classic client more than a year to transition to either built-in labeling on Office ProPlus or the new unified labeling client.

Microsoft Information Protection SDK 1.5: Now Available

We're pleased to announce that the Microsoft Information Protection SDK version 1.5 is now generally available via NuGet and Download Center.

Security baseline for Microsoft Edge v81

Version 81 of Microsoft Edge adds 15 new computer- and user-based settings.  There are now 285 enforceable Computer Configuration policy settings and 269 User Configuration policy settings.  Using our streamlined approach, our baseline remains at 12 Group Policy settings.

Introducing SDNSecurityToolkit

Every software producer has faced this challenge at some point: balancing flexibility with security. The most basic requirement of quality in any piece of software is that it will not expose the user to attackers, but in some cases the features of the software require us to allow the user to make mistakes that might expose vulnerabilities.  While there is no way that we can ensure that an SLB rule will never be misconfigured, we know how complicated SDN deployments can be and want to empower our users with tools to protect themselves.  To this end, we have created a new tool for analyzing your public VIPs. It is a simple PowerShell module called SDNSecurityToolkit, now available on the Microsoft SDN GitHub.

Updates and Support Lifecycle

Revised end of service date for Windows 10, version 1709: October 13, 2020

To ease one of the many burdens you are currently facing, and based on customer feedback, we have decided to delay the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10, version 1709. This means devices will receive monthly security updates only from May to October. The final security update for these editions of Windows 10, version 1709 will be released on October 13, 2020 instead of April 14, 2020.

Revised end of service date for Windows 10, version 1809: November 10, 2020

To help ease some of the burdens customers are facing, we are going to delay the scheduled end of service date for the Home, Pro, Pro Education, Pro for Workstations, and IoT Core editions of Windows 10, version 1809 to November 10, 2020. This means devices will receive monthly security updates only from June to November. The final security update for these editions of Windows 10, version 1809 will be released on November 10, 2020 instead of May 12, 2020. For more information, see Windows lifecycle fact sheet and Lifecycle changes to end of support and servicing dates.

Optimize Windows monthly update deployment for remote devices

Microsoft has published guidance around the solutions and opportunities IT professionals can leverage to keep remote workers safe, secure, and productive, the majority of which can be found on Microsoft's COVID-19 response page.  In this post, we will walk you through ways to optimize the delivery and deployment of Windows monthly quality updates (aka patches) to remote devices in your organization. We will offer specific recommendations on minimizing update size and bandwidth utilization, increasing update speed and consistency, and reducing the impact and dependency on end users.

Products reaching End of Support for 2020

Microsoft Premier Support News

Check out Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.