Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are intended only as a guide, to lead you to some content of interest; they are one more way we try to help our readers, whether that means learning, troubleshooting, or just finding new content sources! We give you a taste of each blog post, a way to get to the source content directly, and an introduction to some other blogs you may not be aware of that you might find helpful.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Renew Certificate Authority Certificates on Windows Server Core. No Problem!
Source: Ask the Directory Services Team
Author: Robert Greene
Publication Date: 12/18/23
Content excerpt:
Today’s blog strives to clearly elucidate an administrative procedure that comes along more frequently with PKI Hierarchies being deployed to Windows Server Core operating systems.
Title: Keep your Azure optimization on the right track with Azure patterns and practices
Source: Azure Architecture
Author: Ben Brauer
Publication Date: 12/13/23
Content excerpt:
Businesses are at a pivotal juncture in their cloud migration journeys, as the question is no longer “Should we do this?”, but “What’s the best way to do this?” With questions of cost, reliability, and security looming over any migration plans, Microsoft is driven to fortify your organization for a successful transformation to Azure. That’s why we offer two complementary frameworks that together provide a comprehensive approach to cloud adoption and optimization. With best-practice guidance and checklists to keep your cloud modernization on track, our goal is to help your organization avoid costly mistakes and save time by leveraging proven strategies. The Microsoft Cloud Adoption Framework (CAF) and Well-Architected Framework (WAF) are resources that businesses can leverage to confidently transform their operations into being cloud-centric and build/manage cloud-hosted applications securely and cost-effectively. In this blog we’ll take you through the purpose of each framework and how you can start applying them to your cloud migration today.
Title: How to use Azure Front Door with Azure Kubernetes Service (Tips and Tricks)
Source: Azure Architecture
Author: Pranab Paul
Publication Date: 12/26/23
Content excerpt:
As its definition says – “Azure Front Door is a global, scalable, and secure entry point for fast delivery of your web applications. It offers dynamic site acceleration, SSL offloading, domain and certificate management, application firewall, and URL-based routing”. We can consider this as an Application Gateway at global scale with CDN profile thrown in to spice it up. AGIC or Application Gateway as Ingress Controller is already available and widely used. I received this question recently, asking whether Azure Front Door can be used in the same way. I didn’t have to reinvent the wheel as so many blog posts and YouTube videos are already there on this topic. In this article, I will only discuss different options to implement Azure Front Door with AKS and will add some critical tips you should be aware of.
Title: Public Preview Announcement: Azure VM Regional to Zonal Move
Source: Azure Compute
Author: Kaza Sriram
Publication Date: 12/12/23
Content excerpt:
We are excited to announce the public preview of single instance VM regional to zonal move, a new feature that allows you to move an existing VM in a regional configuration (deployed without any infrastructure redundancy) to a zonal configuration (deployed into a specific Azure availability zone) within the same region. This feature announcement continues the momentum with our earlier announced VMSS Zonal expansion features and reinforces the Azure-wide zonal strategy that enables you to take advantage of higher availability with Azure availability zones and make them an integral part of your comprehensive business continuity and resiliency strategy.
This feature is intended for single instance VMs in regional configurations only and not for VMs already in availability zones, or VMs part of an availability set (AvSet) or Virtual Machine Scale Sets (VMSS).
Title: Interconnected guidance for an optimized cloud journey
Source: Azure Governance and Management
Author: Antonio Ortoll
Publication Date: 12/11/23
Content excerpt:
The cost of cloud computing can add up quickly, especially for businesses with a high volume of data, high traffic or mission-critical applications. As organizations increasingly put cloud capabilities to work, they are constantly looking for ways to trim costs and focus their cloud spend to align to the right business priorities. Cost optimization is key to making that happen. But how do you know when there are opportunities to optimize?
To make it easier for you to identify cost optimization opportunities during every step of your Azure journey, we provide resources, tools and guidance to help you evaluate your costs, identify efficiencies, and set you up for success. From building your business case to optimizing new workloads, you’ll find interconnected guidance and assessments designed to continually increase the value of your Azure investments and enable you to invest in projects that drive ongoing business growth and innovation. Whether you're migrating to the cloud for the first time or already have Azure workloads in place, these cost management, governance and monitoring tools can help you visualize your costs and gain insights.
Let’s take a closer look at each of these tools and how you can use them to understand and forecast your bill, optimize workload costs, and control your spending.
Title: Azure Firewall: New Embedded Workbooks
Source: Azure Network Security
Author: Eliran Azulai
Publication Date: 12/4/23
Content excerpt:
After our previous announcement in August 2023, we want to delve deeper into the enhanced capabilities of the new embedded workbooks. Within Azure, Workbooks serve as a versatile canvas for conducting data analysis and generating visually compelling reports directly within the Azure portal. They empower users to access diverse data sources across Azure, amalgamating them into cohesive, interactive experiences. Workbooks enable the amalgamation of various visualizations and analyses, making them ideal for unrestricted exploration.
Notably, the Azure Firewall Portal has now incorporated embedded workbooks functionality, offering customers a seamless means to analyze Azure Firewall traffic. This feature facilitates the creation of sophisticated visual reports within the Azure portal, allowing users to leverage data from multiple Firewalls deployed across Azure and unify them into interactive, cohesive experiences.
Title: Azure Firewall's Auto Learn SNAT Routes: A Guide to Dynamic Routing and SNAT Configuration
Source: Azure Network Security
Author: David Frazee
Publication Date: 12/21/23
Content excerpt:
Azure Firewall is a cloud-native network security service that protects your Azure virtual network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. However, some Azure Firewall customers may face challenges when they need to configure non-RFC-1918 address spaces to not SNAT through the Azure Firewall. This can cause issues with routing, connectivity, and performance. To address this problem, Azure Firewall has introduced a new feature that allows customers to specify which address spaces should not be SNATed by the firewall. This feature can help customers reduce the overhead of managing custom routes and NAT rules and improve the efficiency and reliability of their network traffic. In this blog, we will explain how the feature works, what Azure Route Server is, and how to enable it. We will also provide a QuickStart guide and some examples to help you get started with this feature.
Title: Securely uploading blob files to Azure Storage from API Management
Source: Azure PaaS
Author: Una Chen
Publication Date: 12/26/23
Content excerpt:
This article will provide a demonstration on how to utilize either SAS token authentication or managed identity from API Management to make requests to Azure Storage. Furthermore, it will explore and compare the differences between these two options.
Title: The Twelve Days of Blog-mas: No.4 - Sync Cloud Groups from AAD/Entra ID back to Active Directory
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/1/23
Content excerpt:
For a loooong time, you and I have been waiting for the ability to sync ‘cloud-born-and-managed’ security groups (and their memberships) back into on-premises AD. This takes us further on our journey of moving "the management plane" from on-prem AD to the cloud - and provides you the ability to create/manage groups in the cloud to manage resource access in Active Directory.
Title: The Twelve Days of Blog-mas: No.5 - The Endpoint Management Jigsaw
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/5/23
Content excerpt:
Most orgs (hopefully) have a well-developed ‘practice’ around Endpoint management, combining people, process and technology to deploy, configure, operate and support a fleet of devices that adhere to corporate policy. This has been a main-stay of endpoint IT Pros for decades.
As IT Pros, whether we like it or not, we’re continually expanding our knowledge and skills to account for the ever-growing scope that we’re accountable for and the winds of change in technology. The cloud, mobile devices, BYO, VDI and other flavors of endpoints – as well as a global pandemic - have all pushed or pulled (or dragged) us to where we are “today.”
Title: Switch to the New Defender for Resource Manager Pricing Plan
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: 12/5/23
Content excerpt:
In case you missed it, a new pricing plan has been announced for Microsoft Defender for Resource Manager.
The legacy pricing plan (per-API call) is priced at $4 per 1M API Calls, which can become a bit expensive if there is a lot going on in your subscriptions.
The new pricing plan (per-subscription) is priced at $5 per subscription per month.
We have made available a workbook which provides a cost estimation for all the Defender plans across all your subscriptions.
Title: The Twelve Days of Blog-mas: No. 6 - The Reporting Edition - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/6/23
Content excerpt:
Good morning, Internet! At first glance, this post may appear a weeee bit thin ... but sometimes, less is more. Who doesn't need/want more reporting/visualizations and tracking of what’s going on within an environment?
I think it's safe to say that when it comes to "Reporting," it often feels like less actually is 'less' (and sometimes, 'more' is even less 'less,' or 'more less?' How should one say that?). Reporting is never 'enough' or 'done' but we steadily expand and improve that aspect of our services - and we're constantly doing more.
Title: The Twelve Days of Blog-mas: No. 7 - Architecture Visuals - for Your Reference or Your Own Docs
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/7/23
Content excerpt:
A softball for #7 … enjoy!
Title: The Twelve Days of Blog-mas: No. 8 - The Evolution of Windows Server Management
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/8/23
Content excerpt:
As was discussed previously, our Endpoint Management modernization story is compelling. The server team overheard that good news and is curious - but the Server Management discipline is quite different than Endpoint management.
Server teams manage/operate systems that are usually locked away in datacenters – either their own and/or a cloud provider. They’re usually not exposed to physical loss or theft, nor people shoulder-surfing at a coffee shop. They’re usually only accessible via remote management capabilities. They usually have much more stringent change control and update processes - and often extreme business sensitivity to reboots (especially unplanned, but planned ones, too).
So, what is our Server Management story then, circa 'Holidays 2023?'
Well, I'm glad you asked - and I get this question a lot these days.
Title: Introduction to Network Trace Analysis 4: DNS (it's always DNS)
Source: Core Infrastructure and Security
Author: Will Aftring
Publication Date: 12/11/23
Content excerpt:
Howdy everyone! I'm back to talk about one of my favorite causes of heartache, the domain name system (DNS). This will be our first foray into an application layer protocol. The concept of DNS is simple enough, but it can lead to some confusing situations if you don't keep its function in mind. No time to waste, let's get going!
Title: The Twelve Days of Blog-mas: No.9 - It’s a Multi-Tenant and Cross-Platform World: Part I
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/12/23
Content excerpt:
Greetings! Before the cloud, when on-prem Active Directory was the hub of many enterprise architectures, business needs often drove the requirement to expand single-domain AD forests into multi-domain AD forests. Even in the NT days, one might have 'Account Domains' and 'Resource Domains' - connected via one-way trusts. As was often the case, multiple existing NT 4.0 domains were 'upgraded' into a single AD forest, as additional domains. These days, a single-domain AD Forest is pretty rare for main-stream use.
Title: The Twelve Days of Blog-mas: No.10 - It’s a Multi-Tenant and Cross-Platform World: Part II
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/13/23
Content excerpt:
In Part I of this mini-series, I discussed some of the new hotness around multi-tenant capabilities in our Entra ID space. In Part II, I'll cover cross-platform support across several of our cloud services. The cloud era ushered in mainstream cross-platform support from many Microsoft services. Like the title of this post says, anymore, it's a cross-platform world.
Title: The Twelve Days of Blog-mas: No.11 - The Kitchen Sink
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/14/23
Content excerpt:
I am running out of days for my “Twelve Days” timeframe, so I’m dropping a pile of topics here that I feel are important/helpful but less-known.
Apologies in advance for the brevity and link-breadcrumbs.
Title: The Twelve Days of Blog-mas: No.12 - Copilot(s) - Your AI Assistant(s)
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: 12/15/23
Content excerpt:
Now, you didn't really think I would go for 12 without one about Copilot, did you?
Our AI/ML efforts have been on-going for a long time, but very recently, they've gone mainstream - and SUCH a cool logo/icon. Be aware, though, for now, this space changes frequently, varies by region/market and software version (Windows, Office apps, Edge, etc.). Docs, product names, major and minor functionality are all moving very fast. Do your brain a favor and make some peace with that - but then, jump into the pool!
Title: Designing Cloud Architecture: Creating Professional Azure Diagrams with PowerPoint
Source: Core Infrastructure and Security
Author: Werner Rall
Publication Date: 12/17/23
Content excerpt:
In the fast-evolving landscape of cloud computing, the ability to visually represent complex architectures is not just a skill but a necessity. Among the myriad of tools and platforms, Microsoft Azure stands as a titan, offering a vast array of services that cater to diverse computing needs. However, the true challenge lies in effectively communicating the structure and functionality of Azure-based solutions. This is where the power of visualization comes into play, and surprisingly, a tool as familiar as PowerPoint emerges as an unlikely ally.
Title: Windows 365 deployment checklist
Source: FastTrack
Author: Josh Gutierrez
Publication Date: 12/22/23
Content excerpt:
We’re excited to announce that we’ve just released an updated Windows 365 deployment checklist in the Microsoft 365 admin center (MAC).
Title: Known Issue: Some management settings become permanent on Android 14
Source: Intune Customer Success
Author: Intune Support Team
Publication Date: 12/18/23
Content excerpt:
Google recently identified two issues in Android 14 that make some management policies permanent on non-Samsung devices. When a device is upgraded from Android 13 to Android 14, certain settings are made permanent on the device. Additionally, when devices that have been upgraded to Android 14 are rebooted, other settings are made permanent on the device.
Title: Transforming the iOS/iPadOS ADE experience in Microsoft Intune - Microsoft Community Hub
Source: Intune Customer Success
Author: Intune Support Team
Publication Date: 12/19/23
Content excerpt:
In July of 2021, we announced that running the Company Portal in Single App Mode until authentication is not a supported flow by Apple for iOS/iPadOS automated device enrollment (ADE). Since then, we’ve been hard at work to improve the ADE experience through the release of Setup Assistant with modern authentication, Just in Time (JIT) registration and compliance remediation, and the "Await until configuration" setting.
Title: Wired for Hybrid - What's New in Azure Networking December 2023 edition
Source: ITOps Talk
Author: Pierre Roman
Publication Date: 12/20/23
Content excerpt:
Azure Networking is the foundation of your infrastructure in Azure. Each month we bring you an update on What’s new in Azure Networking.
In this blog post, we’ll cover what's new with Azure Networking in December 2023. In this blog post, we will cover the following announcements and how they can help you.
Enjoy!
Title: Deploy secret-less Conditional Access policies with Microsoft Entra ID Workload Identity Federation
Source: Microsoft Entra (Azure AD)
Author: Claus Jespersen
Publication Date: 12/4/23
Content excerpt:
Many customers face challenges in managing their Conditional Access (CA) policies. Over time, they accumulate more and more policies that are created ad-hoc to solve specific business scenarios, resulting in a loss of overview and increased troubleshooting efforts. Microsoft has provided guidance on how to structure your Conditional Access policies in a way that follows the Zero Trust principles, using a persona-based approach. The guidance includes a set of Conditional Access policies that can serve as a starting point. These CA policies can be automated from a CI/CD pipeline using various tools. One such tool is Microsoft365DSC, an open-source tool developed by members of the Microsoft Graph Product Group, who are still actively involved in its maintenance.
Title: Enhancements to Microsoft Entra certificate-based authentication
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert; Vimala Ranganathan
Publication Date: 12/13/23
Content excerpt:
At Ignite 2022, we announced the general availability of Microsoft Entra certificate-based authentication (CBA) as part of Microsoft’s commitment to Executive Order 14028, Improving the Nation’s Cybersecurity. Based on our experience working with government customers, PIV/CAC cards are the most common authentication method used within the federal government. While valuable for all customers, the ability to use X.509 certificates for authentication directly against Entra ID is particularly critical for federal government organizations using PIV/CAC cards and looking to easily comply with the Executive Order 14028 requirements, as well as customers who want to migrate from a federated server like Active Directory Federated Server to Entra ID for CBA.
Since then, we’ve added many new features and enhancements, which made CBA available on all platforms, including mobile, with support for certificates on devices as well as external security keys like YubiKeys. Customers now have more control and flexibility to tailor authentication policies by certificate and resource type, as well as user group and select certificate strength for different users, use CBA with other methods for multi-factor or step-up authentication, and set high affinity (strong) binding for either the entire tenant or by user group.
Vimala Ranganathan, Product Manager on Microsoft Entra, will now talk about how these new features will help in your journey toward phishing-resistant MFA.
Title: Introducing New Features of Microsoft Entra Permissions Management
Source: Microsoft Entra (Azure AD)
Author: Joseph Dadzie
Publication Date: 12/14/23
Content excerpt:
Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that helps organizations manage the permissions of any identity across organizations’ multicloud infrastructure. With Permissions Management, organizations can assess, manage, and monitor identities and their permissions continuously and right-size them based on past activity.
Today, we’re thrilled to unveil the details of our Ignite announcement and introduce new features and APIs for Permissions Management, enhancing your overall permissions management experience.
Title: Advancing Cybersecurity: The Latest enhancement in Phishing-Resistant Authentication
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: 12/15/23
Content excerpt:
Today, I’m excited to share with you several new developments in the journey towards phishing-resistant authentication for all users! This isn’t just essential for compliance with Executive Order 14028 on Improving the Nation's Cybersecurity but is increasingly critical for the safety of all the orgs and users who bet on digital identity.
Title: Strengthening identity protection in the face of highly sophisticated attacks
Source: Security, Compliance, and Identity
Author: Alex Weinert
Publication Date: 12/12/23
Content excerpt:
When it comes to security at Microsoft, we’re customer zero as our Chief Security Advisor and CVP Bret Arsenault often emphasizes. That means we think a lot about how we build security into everything we do—not only for our customers—but for ourselves. We continuously work to improve the built-in security of our products and platforms. With the unparalleled breadth of our digital landscape and the integral role we play in our customers’ businesses, we feel a unique responsibility to take a leadership role in securing the future for our customers, ourselves, and our community.
To that end, on November 2nd, 2023, we launched the Secure Future Initiative (SFI). It’s a multi-year commitment to advance the way we design, build, test, and operate our technology to ensure we deliver solutions that meet the highest possible standards of security.
Title: A new, modern, and secure print experience from Windows
Source: Security, Compliance, and Identity
Author: Johnathan Norman
Publication Date: 12/13/23
Content excerpt:
Over the past year, the MORSE team has been working in collaboration with the Windows Print team to modernize the Windows Print System. This new design represents one of the largest changes to the Windows Print stack in more than 20 years. The goal was to build a more modern and secure print system that maximizes compatibility and puts users first. We are calling this new platform Windows Protected Print Mode (WPP). We believe users should be Secure-by-Default which is why WPP will eventually be on by default in Windows.
Title: Plan for Windows 10 EOS with Windows 11, Windows 365, and ESU
Source: Windows IT Pro
Author: Jason Leznek
Publication Date: 12/5/23
Content excerpt:
Windows 10 will reach end of support (EOS) on October 14, 2025. While two years may seem like a long runway, ensuring a modernized infrastructure will help keep your organization productive and its data secure. We're encouraged to see organizations realizing the benefits of Windows 11 by upgrading eligible devices to Windows 11 well ahead of the EOS date. Consider joining organizations like Westpac who recently leveraged Microsoft Intune, Windows Autopatch, and App Assure to efficiently move 40,000 employees to Windows 11, while also incorporating new Windows 11 devices as part of a regular hardware refresh cycle.
In this post, learn about the various options you have to smoothly transition to Windows 11, including extended protection for those needing more time.
Title: Upcoming changes to Windows Single Sign-On
Source: Windows IT Pro
Author: Adam Steenwyk
Publication Date: 12/14/23
Content excerpt:
Microsoft has been working to ensure compliance with the Digital Markets Act (DMA) in the European Economic Area (EEA). As part of this ongoing commitment to provide your organization with solutions that comply with global regulations like the DMA, we will be changing the ways Windows works. Signing in to apps on Windows is one area where we will be making such changes.
Title: Skilling snack: Network security basics for endpoints
Source: Windows IT Pro
Author: Clay Taylor
Publication Date: 12/14/23
Content excerpt:
Why is network security important? In the chip-to-cloud environment, every component adds a layer of protection. It's the Zero Trust approach to Windows security. We've already covered the basics of endpoint, identity, and data security in Skilling snack: Windows security fundamentals. You can also dig into another layer with Skilling snack: Windows application security. Today, let's bake in a high-level overview of network security capabilities and options.
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)