Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide. Ok ok, I’m busted...I didn’t have the opportunity to put together the February post, so in this post, I will cover highlights from both February and March.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Source: Ask the Directory Services Team
Author: Jim Tierney
Publication Date: 2/9/24
Content excerpt:
Hi! Jim Tierney here again to talk to you about Cryptographic Algorithms, SCHANNEL and other bits of crypto excitement. I have elucidated at length on this topic in this post which had been updated a few years back to the aptly titled, Speaking in Ciphers and other Enigmatic tongues…update!
I am creating this brand-new piece of content in this crypto space to further discuss different Microsoft supported methods that can be used to disable weak cipher suites and protocols.
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: 2/26/24
Content excerpt:
Hello, it's Chris Cartwright from the Directory Services support team again. This is the second entry in a series where I try to provide the IT community with some tools and verbiage that will hopefully save you and your business many hours, dollars and frustrations. Here we’re going to focus on some major direct and/or indirect changes to Active Directory that tend be pushed onto AD administrators. I want to arm you with the knowledge required for those conversations, and hopefully some successful deflection. After all, isn’t it better to learn the hard lessons from others, if you can?
Title: So, you think you’re ready for enforcing AES for Kerberos? - Microsoft Community Hub
Source: Ask the Directory Services Team
Author: Chris Cartwright
Publication Date: 3/8/24
Content excerpt:
Hello, Chris Cartwright here from the Directory Services support team. We have many customers asking questions about how to track down the usage of RC4 in their environment. Over the years, we’ve had tons of great articles that, when put together, provide a fairly simple solution to this problem. (These can be found in the References section at the end of this article.) However, as Windows Admins, AD Admins, Sysadmins, or whatever title is bestowed upon us, we usually like the solutions wrapped up in one package so we can move on to the next fire or project. I hope to do that here.
This article assumes that the reader is well versed in Kerberos Encryption Types. If not, I highly recommend scrolling down to the References sections and reading Understanding Kerberos Encryption Types.
Source: Ask the Directory Services Team
Author: Rob Greene
Publication Date: 3/14/24
Content excerpt:
Hello everyone, this is Rob Greene. I recently had a case where a customer was having trouble with the CAWE pages. I realized that we do not have much useful information on how outdated these web pages are. Customers have been using different default browsers, and while security has been evolving in the Windows environment, these CAWE pages have not adapted to those changes.
Title: THIS JUST IN!!!! High LSASS Usage After Windows Update 3B March 2024 - Microsoft Community Hub
Source: Ask the Directory Services Team
Author: Jim Tierney
Publication Date: 3/25/24
Content excerpt:
Jim and the Directory Services Team here again to alert you to an emerging issue which is an unintended consequence of a recent update released in March 2024.
Title: Change Tracking, Azure Arc, Multicloud, Windows, Enable change tracking (microsoft.com)
Source: Azure Arc
Author: Annu Priya
Publication Date: 2/20/24
Content excerpt:
Azure Arc simplifies governance and management by delivering a consistent way to manage your entire environment together by projecting your existing multicloud/non-Azure and on-premises resources into Azure Resource Manager.
Azure Arc has benefited multiple customers by simplifying governance and management by delivering a consistent multi-cloud and on-premises management platform such as patch management using Azure Update Manager, enabling Security using Defender for cloud, Standardized role-based access control (RBAC), Change tracking etc. for resource types hosted outside of Azure such as Sever, Kubernetes, SQL Server etc. Today, we will discuss and enable Change Tracking service for Arc Onboarded devices.
Source: Azure Architecture
Author: Pratima Sharma
Publication Date: 2/21/24
Content excerpt:
In this blog, we will explore how the Azure Expert Assessment offering can quickly assess and jump start remediations for customers to optimize costs, enhance security, and improve reliability based on insights from Well-Architected Framework Assessments.
Azure Expert Assessment is a cost-free service offering that provides customers with a comprehensive review of their Azure environment by a Azure Certified Expert. It is designed with automation in every step of the engagement and is open to any Azure customers worldwide, who can self-nominate. Azure Expert Assessment can expedite a customer’s unique assessment needs for optimizing their workloads for Security, Reliability, Cost Management and Fin-Ops. This assessment is conducted by a team of Azure Certified Experts who walk through the assessment with the customer, analyze their environment and provide recommendations on how to improve it.
Title: Optimize and secure your cloud with new Azure Optimization skilling events (microsoft.com)
Source: Azure Architecture
Author: Megan Pennie
Publication Date: 2/29/24
Content excerpt:
Optimizing existing cloud environments is consistently the top cloud initiative for nearly every tech company, and the benefits of skilling your organization on optimization abound. Optimizing your cloud usage means saving money, improving efficiency, security, and resiliency, as well as innovating faster, and gaining a competitive advantage in your industry. In this blog you’ll discover how the
tools and learning resources of Azure Optimization can be a value driver for your organization with comprehensive learning opportunities to put you on the right path.
Title: Demystifying Azure VM Maintenance: A Practical Guide to Minimizing Disruptions (microsoft.com)
Source: Azure Architecture
Author: David Santiago
Publication Date: 3/26/24
Content excerpt:
Azure regularly updates its platform to enhance the host infrastructure for virtual machines, focusing on reliability, performance, and security. The updates can range from operating system, hypervisor, various networking components/agents deployed on the host, to hardware decommissioning...
Source: Azure Compute
Author: Kyle Ikeda
Publication Date: 3/8/24
Content excerpt:
If you are using Azure compute services, such as virtual machines, dedicated hosts, or container instances, you may be wondering how to optimize your spending. Azure offers two pricing models that can help you get the most out of your compute investment: Azure savings plan for compute and reserved instances.
But what are the differences between these two pricing models and how do you decide which one to use for your workloads? In this blog post, we will explain the key features and benefits of Azure savings plan and reserved instances, and how to use them together to achieve the best results.
Title: Capacity Reservation for Specialty SKUs—now available - Microsoft Community Hub
Source: Azure Compute
Author: Tarannum Ferdous
Publication Date: 3/25/24
Content excerpt:
Public Preview of on demand capacity reservations for Specialty SKUs for Azure Virtual Machines is now available. On demand capacity reservation would now allow you to deploy and manage the compute capacity required to run Azure VMs on below specialty SKUs...
Title: Refreshed Identity and Access Management CAF documentation (microsoft.com)
Source: Azure Governance and Management
Author: Daniel Söderholm
Publication Date: 2/27/24
Content excerpt:
Today, we launched our refreshed guidance for identity and access management (IAM) in Azure Landing Zones. ALZ is a core part of the Cloud Adoption Framework for Azure. It is aligned to the eight CAF design areas, Identity and Access Management being one of them. You can check out the refreshed guidance over at: aka.ms/ALZ/IAM
Title: Leverage anomaly management processes with Microsoft Cost Management - Microsoft Community Hub
Source: Azure Governance and Management
Author: Antonio Ortoll
Publication Date: 2/29/24
Content excerpt:
The cloud comes with the promise of significant cost savings compared to on-premises costs. However, realizing those savings requires diligence to proactively plan, govern, and monitor your cloud solutions. Your ability to detect, analyze, and quickly resolve unexpected costs can help minimize the impact on your budget and operations. When you understand your cloud costs you can make more informed decisions on how to allocate and manage those costs. But even with proactive cost management, surprises can still happen. That’s why we developed several tools in Microsoft Cost Management to help you set up thresholds and rules so you can detect problems early and ensure the timely detection of out-of-scope changes in your cloud costs. Let’s take a closer look at some of these tools and how you can use them to discover anomalous costs and usage patterns.
Title: Announcing the Public Preview of Change Actor - Microsoft Community Hub
Source: Azure Governance and Management
Author: Ian Carter
Publication Date: 3/5/24
Content excerpt:
Identifying who made a change to your Azure resources and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions....
Source: Azure Governance and Management
Author: Antonio Ortoll
Publication Date: 3/21/24
Content excerpt:
Cloud adoption is not a one-and-done endeavor, but an iterative process. Constant innovation means there are new and better cloud-based solutions available every day. That impacts your cloud workloads and the way you manage them. And as your use of cloud grows, so does the scale of your cloud deployments. If you’re a large enterprise organization, you may have hundreds or even thousands of cloud subscriptions. To keep costs in check, you need to continuously examine your workloads or subscriptions to understand how to get the most from cloud. You need a way to cut through the noise so you can prioritize your attention and resources and focus on your desired business outcomes.
Title: Azure Monitor Availability alerts using Resource Graph Queries - Microsoft Community Hub
Source: Azure Governance and Management
Author: Shishir Garde
Publication Date: 3/25/24
Content excerpt:
We recently announced how you can use Azure Log Analytics to create alerts on Azure Resource Graph queries. Here, I wanted to discuss possible scenarios and examples on how this can be used to check the availability for services across Azure and even on Azure Arc enabled resources.
Title: Four Strategies for Cost-Effective Azure Monitoring and Log Analytics - Microsoft Community Hub
Source: Azure Governance and Management
Author: Freddy Dubon
Publication Date: 3/31/24
Content excerpt:
Effective cost management in Azure Monitor and Azure Log Analytics is essential for controlling cloud expenditures. It involves strategic measures to reduce costs while maximizing the value derived from ingested, processed, and retained data. In Azure, achieving this balance entails adopting efficient data ingestion methods, smart retention policies, and judicious use of table transformations with Kusto Query Language (KQL).
Title: Optimize GPU compute costs: Pause your VMs to save! (microsoft.com)
Source: Azure High Performance Computing (HPC)
Author: Timi Adebisi
Publication Date: 3/18/24
Content excerpt:
We're excited to announce that in April, Azure will be offering customers the ability to optimize GPU compute costs by enabling hibernation on Virtual Machines (VMs). With this feature, users can hibernate their VMs, pausing compute usage while preserving in-memory states. During hibernation, customers will only incur costs for storage and networking resources, significantly reducing compute expenses. When needed, VMs can be resumed effortlessly, allowing applications and processes to seamlessly pick up from their last state.
Title: Avoid the complexity when utilizing Entra ID multi-tenants and School or Work/Microsoft Accounts
Source: Azure Infrastructure
Author: Daichi Isami
Publication Date: 2/14/24
Content excerpt:
Ideally, it would be convenient to manage the Prod env, Test env, and Dev env within a single Entra ID tenant. However, from the perspective of governance and compliance, it is common to separate the Entra ID tenant for the Prod env from the other envs. In such cases, various complexities arise, such as guest invitations for School or Work Account, use of Microsoft Account, and individuals using multiple accounts.
Title: Azure Permissions 101: How to manage Azure access effectively (microsoft.com)
Source: Azure Infrastructure
Author: Aquib Qureshi
Publication Date: 2/26/24
Content excerpt:
While onboarding customers to Azure they ask what permissions do we need to assign to our IT Ops or to partners and I’ve seen customer gets confused when we ask them for Azure AD permission for some task and they say we’ve provided owner access on Azure Subscription why Azure AD permission is required and how this is related. So thought of writing this blog to share how many permission domains are there when you use Azure.
Title: Azure Arc, Azure Monitoring and Azure Workbooks - Microsoft Community Hub
Source: Azure Infrastructure
Author: Prachi Trivedi
Publication Date: 3/18/24
Content excerpt:
This blog discusses an overall approach for monitoring very commonly encountered uscases e.g. performance monitoring for CPU, disk, network, port connections, service status for hybrid VMs that are connected to Azure Arc.
Title: Storage Assessment Beginners Guide - Microsoft Community Hub
Source: Azure Infrastructure
Author: Prachi Trivedi
Publication Date: 3/21/24
Content excerpt:
We have come across customers who are looking for a starting point or a guideline on assessing their on-premises storage for migration or optimizations. This document has been created as a beginners guide to start the process.
Title: Azure VMware Solution Security Design Considerations - Microsoft Community Hub
Source: Azure Migration and Modernization
Author: Rene van den Bedem
Publication Date: 2/6/24
Content excerpt:
A global enterprise wants to migrate thousands of VMware vSphere virtual machines (VMs) to Microsoft Azure as part of their application modernization strategy. The first step is to exit their on-premises data centers and rapidly relocate their legacy application VMs to the Azure VMware Solution as a staging area for the first phase of their modernization strategy. What should the Azure VMware Solution look like?
Title: Azure VMware Solution Landing Zone Review Assessment - Microsoft Community Hub
Source: Azure Migration and Modernization
Author: Mahesh Kshirsagar
Publication Date: 2/22/24
Content excerpt:
Azure VMware Solution is a service provided by Microsoft that allows you to run your VMware workloads natively on Azure. It enables seamless migration of VMware-based workloads from your datacenter to Azure. You can manage your existing environments with the same VMware tools you already know, while modernizing your applications with Azure native services. The solution is verified by VMware and runs on Azure infrastructure. It offers scale, automation, and fast provisioning for your VMware workloads on global Azure infrastructure.
Title: Consistent DNS resolution in a hybrid hub spoke network topology - Microsoft Community Hub
Source: Azure Networking
Author: Sven Baeck
Publication Date: 2/14/24
Content excerpt:
DNS is one of the most essential networking services, next to IP routing. A modern hybrid cloud network may have various sources of DNS: Azure Private DNS Zones, public DNS, domain controllers, etc. Some organizations may also prefer to route their public Internet DNS queries through a specific DNS provider. Therefore, it is crucial to ensure consistent DNS resolution across the whole (hybrid) network.
This article describes how DNS Private Resolver can be leveraged to build such architecture.
Source: Azure Networking
Author: Andrea Michael
Publication Date: 2/20/24
Content excerpt:
Organizations adopting Microsoft Azure strive for a balance between providing application teams with the freedom to innovate while maintaining the security posture of the organization. Azure Virtual Network Manager provides Security Admin Rules to help achieve that goal. Security Admin Rules allow an organization to centrally manage the network security of its virtual networks to maintain compliance with its policies while giving business units the option to manage the network security of their individual workloads.
Before we dive into how Security Admin Rules work, let's first do a refresher of the basics of Azure Virtual Network Manager.
Title: Azure Virtual Network now supports updates without subnet property - Microsoft Community Hub
Source: Azure Networking
Author: Ramandeep Singh Dhillon
Publication Date: 2/27/24
Content excerpt:
Azure API supports the HTTP methods PUT, GET, DELETE for the CRUD (Create/Retrieve/Update/Delete) operations on your resources. The PUT operation is used for both Create and Update. For existing resources, using a PUT with the existing resources preserves them and adds any new resources supplied in the JSON. If any of the existing resources are omitted from the JSON for the PUT operation, those resources are removed from the Azure deployment.
Based on customer support cases and feedback, we observed that this behavior causes problems for customers while performing updates to existing deployments. This is a challenge in the case of subnets in the VNet where any updates to the virtual network, or addition of resources (e.g. adding a routing table), to a virtual network require you to supply the entire virtual network configuration in addition to the subnets. To make it easier for customers, we have implemented a change in the PUT API behavior for virtual network updates. This change allows you to skip the subnet specification in a PUT call without deleting the existing subnets. This capability is now available in a Limited Preview in the EastUS2EUAP region with API version 2023-09-01.
Title: Microsoft ExpressRoute: Components, Models, Resiliency and Failure Scenarios
Source: Azure Networking
Author: Cynthia Treger
Publication Date: 3/13/24
Content excerpt:
This article focuses on ExpressRoute Private Peering only, to connect an On-Prem network and VNets in an Azure hub-and-spoke or Virtual WAN environment.
ExpressRoute connectivity is provided in ExpressRoute peering locations. ExpressRoute peering locations are entry points into the Microsoft backbone, Azure regions are where the Azure resources are hosted: distinct concepts at different locations.
Title: Custom DHCP support in Azure (microsoft.com)
Source: Azure Networking
Author: Cynthia Treger
Publication Date: 3/19/24
Content excerpt:
Azure natively provides DHCP services to all virtual networks created within an Azure subscription. The DHCP service is automatically enabled for each virtual network.
A native service running on Azure hypervisors is taking care of the DHCP functions for a given virtual network...
Title: Advanced routing capabilities using Application Gateway Rewrite Rules - Microsoft Community Hub
Source: Azure Networking
Author: Andy Doyle
Publication Date: 3/27/24
Content excerpt:
For a vast majority of Application Gateway customers, multi-site hosting and path-based routing options are all you need to expose your applications to the world. In the simplest terms, you have www.contoso.com that needs to serve a specific website or service to your visitors. And you may take that a step further and have a completely different site served for all requests to your online store when visitors browse www.contoso.com/shop.
Title: Improve DNS security by using Domain Name Label Scope - Microsoft Community Hub
Source: Azure Networking
Author: Brian Lehr
Publication Date: 3/27/24
Content excerpt:
The reuse of DNS names is a common requirement for cloud customers, as applications and services may need to be upgraded or migrated while still having the ability to deploy using the same DNS name as a pointer. The danger of this practice is that it can leave you vulnerable to a security threat known as a subdomain takeover. This can happen when a DNS name record does not point to a provisioned Azure resource, which means any domain associated with the DNS entry is now considered “dangling”. A malicious actor could take control of the dangling domain by creating a new resource with the same DNS name that points to different resources...
Title: ExpressRoute MSEE hairpin design considerations - Microsoft Community Hub
Source: Azure Networking
Author: Daniel Mauser
Publication Date: 3/29/24
Content excerpt:
In this article, we will explore the concept of hair-pinning, also referred to as MSEE hair-pinning. This involves a process where traffic from a VNET, connected via an ExpressRoute circuit, exits to the Microsoft Enterprise Edge (MSEE) pop location prior to entering the destination Vnet. This default behavior is observed both within a single region (a single circuit with multiple VNet) and across multiple regions (multiple circuits with multiple VNet).
Title: Announcing New Monitoring and Scaling Updates in Azure Firewall - Microsoft Community Hub
Source: Azure Network Security
Author: Suren Jamiyanaa
Publication Date: 2/13/24
Content excerpt:
We are pleased to introduce some new features and improvements for the service today. These features include capabilities that enhance the monitoring and scalability of your Azure Firewall...
Title: Best Practices for Upgrading Azure WAF Ruleset - Microsoft Community Hub
Source: Azure Network Security
Author: Shabaz Shaik; David Frazee
Publication Date: 2/26/24
Content excerpt:
In today’s digital landscape, web applications are the lifeblood of businesses. They enable seamless communication, transactions, and interactions with customers. However, this increased reliance on web apps also makes them prime targets for cyberattacks. To safeguard your applications and protect sensitive data, implementing a robust Web Application Firewall (WAF) is essential...
Title: Azure DDoS Protection – SecOps Deep Dive - Microsoft Community Hub
Source: Azure Network Security
Author: Shabaz Shaik; Saleem Bseeu
Publication Date: 2/29/24
Content excerpt:
Azure DDoS protection is a security solution offered by Microsoft Azure to protect applications and resources from Distributed Denial of Service (DDoS) attacks. DDoS attacks are a type of attacks that attempt to overwhelm a target application or service by flooding it with a massive volume of malicious traffic, thereby rendering it unavailable to legitimate users. Azure DDoS protection addresses these concerns by providing advanced mitigation capabilities and ensuring the availability of resources...
Source: Azure Network Security
Author: Gustavo Modena
Publication Date: 3/6/24
Content excerpt:
In the face of an ever-evolving digital landscape, businesses are constantly under the threat of Distributed Denial of Service (DDoS) attacks. These relentless assaults have the potential to overwhelm network resources, disrupt services, compromise sensitive data, and lead to significant financial losses. As these threats become increasingly common, the need for a robust defense mechanism has never been more critical.
In this blog post we are showing you the scenarios where Azure DDoS Protection can help protect Public IP Prefixes from these attacks.
Title: Navigating Azure WAF Exclusions - Microsoft Community Hub
Source: Azure Network Security
Author: Saleem Bseeu
Publication Date: 3/30/24
Content excerpt:
Exclusions in Azure WAF (Web Application Firewall) are a critical feature that allows administrators to fine-tune security rules by specifying elements that should not be evaluated by WAF rules. This capability is essential for reducing false positives and ensuring that legitimate traffic flows unimpeded. Exclusions are designed to fine-tune the WAF’s sensitivity, allowing legitimate traffic to pass through while maintaining robust security measures. They are particularly useful in scenarios where certain request attributes, such as specific cookie values or query strings, are known to be safe but might trigger WAF rules due to their content or structure.
Title: AKS enabled by Azure Arc is now available on Azure Stack HCI 23H2 - Microsoft Community Hub
Source: Azure Stack
Author: Guang Hu
Publication Date: 2/1/24
Content excerpt:
Azure Kubernetes Service (AKS) allows you to run a managed Kubernetes solution at the edge wherever you need it, with built-in support for Linux and Windows containers and cloud integrated lifecycle management. We are thrilled to announce the general availability of Azure Kubernetes Service (AKS) for the newest Azure Stack HCI version, a key enabler of advancing hybrid cloud to adaptive cloud with Azure. This release represents the convergence of Kubernetes orchestration and Azure Stack HCI capabilities, offering a seamless and efficient experience for our users.
Title: Hyper-V VM Migration to Azure Stack HCI, version 23H2 - Microsoft Community Hub
Source: Azure Stack
Author: Kerim Hanif
Publication Date: 2/12/24
Content excerpt:
Azure Migrate is a unified platform that simplifies migration, modernization, and optimization of on-premises resources to Azure. We have been working very closely with Azure Migrate team to add more destinations for Azure Migrate like VMware and Hyper-V. Last year we launched the private preview of Hyper-V virtual machine (VM) migration with Azure Migrate, and today we are very happy to announce the public preview of this capability. Note: VMware migration is currently in private preview...
Title: Introducing Azure Virtual Desktop workload in Azure Stack HCI Sizer! - Microsoft Community Hub
Source: Azure Stack
Author: Kushmeen Kambow
Publication Date: 3/13/24
Content excerpt:
Earlier in February 2024, we announced the general availability of Azure Virtual Desktop for Azure Stack HCI which extends the capabilities of the Microsoft Cloud to your datacenters and edge locations . Today, we are happy to announce that ‘Azure Virtual Desktop’ is now available as a new workload category in Azure Stack HCI sizer! It enables customers to efficiently plan and size Azure Virtual Desktop deployments on Azure Stack HCI by calculating no. of VM required, suggest per VM configuration and what hardware to purchase.
Source: Azure Stack
Author: Cindy Wan
Publication Date: 3/19/24
Content excerpt:
At this past Microsoft Ignite 2023, we officially announced the public preview of logical networks in Azure Portal for Azure Stack HCI. Logical networks, also called LNETs, are traditional VLAN-based networks. You may have noticed that this construct was previously called virtual networks in Azure Portal. After all, if you compare the Azure Stack HCI experience to Azure, a virtual machine always gets connected to a virtual network; so, why is it necessary to bring in logical networks to Azure Portal for HCI?
Title: Integrity protect blob storage (microsoft.com)
Source: Azure Storage
Author: Shubhra Sinha Kamath
Publication Date: 2/7/24
Content excerpt:
To support customers in regulated industries and compliance scenarios who asked about higher integrity protection of storage blobs, the Azure confidential ledger team has launched a preview of a managed Marketplace application that will further protect data: Blob Storage Digests Backed by Confidential Ledger (Preview).
Data signatures from blob can be harvested and stored in a confidential ledger for tamper protection. At a later point in time and to demonstrate tamper proofness for compliance and auditing purposes, signatures can be recalculated and validated against the signature in Azure confidential ledger...
Title: Blob storage on Windows (microsoft.com)
Source: Azure Storage
Author: Nishant Ranjan
Publication Date: 2/26/24
Content excerpt:
Azure Blob Storage team is announcing the Public Preview of the capability to use Blob storage on Windows using Network File System (NFS) 3.0 protocol, while capability to access Blob Storage using NFS on Linux is generally available (GA).
Source: Azure Storage
Author: Jeff Patterson
Publication Date: 3/27/24
Content excerpt:
Azure Files is excited to announce that geo-redundancy for 100 TiB standard SMB file shares is now generally available, enabling customers to achieve higher resiliency for production scale workloads.
We previously offered 100 TiB standard SMB shares for locally redundant storage (LRS) and zone-redundant storage (ZRS) options but geo-redundant storage (GRS/GZRS) was limited to 5 TiB, restricting higher capacity and performance workloads from using this resiliency option.
Geo-redundancy is critical to ensure high availability and to meet various compliance and regulatory requirements for your production workloads (for example, line-of-business (LOB) applications). Geo-redundant storage asynchronously replicates to a secondary region enabling you to failover to the secondary region, if the primary region becomes unavailable.
Title: Azure Virtual Desktop for Azure Stack HCI now available! - Microsoft Community Hub
Source: Azure Virtual Desktop
Author: Steve Downs
Publication Date: 2/1/24
Content excerpt:
Azure Virtual Desktop for Azure Stack HCI—now in general availability—extends the capabilities of the Microsoft Cloud to your datacenters. IT pros face a complex and challenging environment as they help their organizations move to the cloud, especially when the cloud isn't the best option for every workload. Managing hybrid cloud migrations while meeting the needs of today's distributed workforce takes a comprehensive approach that balances performance and accessibility with security and control. For organizations that need desktop virtualization for applications that must remain on-premises for performance, data locality, or regulatory reasons, Azure Virtual Desktop for Azure Stack HCI may be the right solution...
Source: Containers
Author: Fady Azmy
Publication Date: 2/6/24
Content excerpt:
We’re excited to announce the launch of the Migration and Modernization Solutions page for Windows containers in Azure docs...
Source: Containers
Author: Riya Patel
Publication Date: 3/15/24
Content excerpt:
Windows Server 2025 and the Windows Server Annual Channel, offer a comprehensive array of enhanced features, heightened security measures, and improved overall performance, and with image portability customers can now run Windows Server 2022 based containers on these new versions. To maximize the experience for customers, not only will Windows Server 2025/Annual Channel provide the most efficient versions of Windows Server yet, but also streamline the upgrade process. In pursuit of an enhanced user experience and an unwavering commitment to safety and reliability, we will be retiring Windows Server 2022 on Azure Kubernetes Service (AKS) in 3-years time.
Title: Windows GPUs for AKS - Microsoft Community Hub
Source: Containers
Author: Noah Whitehead
Publication Date: 3/18/24
Content excerpt:
Today we are happy to announce the public preview of Windows on AKS GPU support! This feature aims to provide customers with the options of GPU compute-intensive workloads. A few examples of where a GPU supported node would benefit workloads are video encoding, machine learning, and large simulations. Through this release we hope to increase the parity between Windows and Linux on AKS...
Title: Monitoring for an Azure Server Going Offline - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Paul Bergson
Publication Date: 2/5/24
Content excerpt:
Azure Monitor is a beneficial tool that has low costs for logs that are already in the tool. The main expenses for Azure Monitor come from ingesting the logs, so using the monitoring tool for data that is already there is a good way to help your enterprise reduce their spending. To illustrate how Azure Monitor can assist, an example of checking server availability is shown below.
Title: Test your Patches! A Staged Patching Solution with Azure Update Manager - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Helder Pinto
Publication Date: 2/12/24
Content excerpt:
A common challenge faced by most enterprise organizations who, hopefully, automate their operating systems patching cycles is to ensure that only the Windows and Linux packages updates that were tested in dev/test pre-production environments reach production machines. This article is for those readers who have been implementing automated, scheduled patching with Azure Update Manager and now want to put into practice a staged patching solution following good patching reliability practices. Keep tuned and read the solution my colleague @Wiszanyel Cruz and myself have developed and helped put it in place for some customers.
Title: Protect unmanaged or 3rd party MDM managed iOS/Android devices with MDE - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Arnab Mitra
Publication Date: 2/15/24
Content excerpt:
Mobile devices are increasingly targeted by cyberattacks that can compromise your data, privacy, and productivity. To protect your devices from these threats, you need a Mobile Threat Defense (MTD) solution that can detect and respond to malicious activities on your device and network...
Title: Protecting Tier 0 the Modern Way - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Dagmar Heidecker
Publication Date: 2/19/24
Content excerpt:
Almost every attack on Active Directory you hear about today – no matter if ransomware is involved or not – (ab)uses credential theft techniques as the key factor for successful compromise. Microsoft’s State of Cybercrime report confirms this statement: “The top finding among ransomware incident response engagements was insufficient privilege access and lateral movement controls.”...
Title: Windows Update Compliance Reporting FAQ (microsoft.com)
Source: Core Infrastructure and Security
Author: Jonas Ohmsen
Publication Date: 2/26/24
Content excerpt:
If you spend a lot of time dealing with update related issues or processes for client operating systems, have a look at “Windows Autopatch” HERE and let Microsoft deal with that.
For server operating systems, on-premises or in the cloud have a look at “Azure Update Manager” and "A Staged Patching Solution with Azure Update Manager".
The section: “Some key facts and prerequisites” of the blog mentioned earlier covers the basics of the report solution and should answer some questions already.
Everything else is hopefully covered by the list below.
So, lets jump in…
Title: Zero Trust: Rapid Offboarding with Intune and Microsoft Entra ID - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Jason Cody
Publication Date: 2/29/24
Content excerpt:
I would like to talk about using Intune policies with Microsoft Entra ID Governance as part of the offboarding process. Using the method below you can rapidly offboard an employee/contractor while preserving device data, Entra ID join status, and Intune enrollment. This could be used for multi-user endpoints or in events where forensics may be necessary for the device.
Title: Active Directory Hardening Series - Part 3 – Enforcing LDAP Signing - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Jerry Devore
Publication Date: 3/4/24
Content excerpt:
Hi all! Jerry Devore back again to continue talking about hardening Active Directory. If you have been following this series, I hope you have been able to enforce NTLMv2, remove SMBv1 from your domain controllers, and you are ready to tackle the next important topic which is enforcing LDAP signing. Preventing unsecure LDAP communication by enforcing signing is an issue that the security community feels strongly about, and much has already been written on the topic. However, there seems to be a considerable amount of confusion and misunderstanding about the impact of enforcing LDAP signing. I hope to clear things up today and give you the information you need to move forward with confidence.
Title: Optimize Your Azure Costs - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Saira Shaik
Publication Date: 3/6/24
Content excerpt:
This article will provide guidance to the customers who wants to Optimize their Azure costs by providing tools and resources to help customers to save cost, Understand and forecast your costs, Cost optimize workloads and Control costs.
Title: Azure PowerShell Tips and Tricks - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Paul Harrison
Publication Date: 3/11/24
Content excerpt:
I’ve spent most of my days lately writing PowerShell and using REST APIs as part of my work in Azure. When I’m screen sharing with colleagues, I frequently learn different and better ways to do my work. This post is to share with you several tips and tricks I’ve shared with my colleagues, and I hope helps you shave minutes or hours off of your work.
Title: Mastering Azure Cost Optimization - A Comprehensive Guide - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: 3/14/24
Content excerpt:
I understand and you probably do as well, that cost savings in the cloud is a very hot topic for any organization.
Believe it or not, there is a huge number of people (including me) doing their best to allow you to get the best value for your money. This is imperative for us.
The plan here is to highlight the most used cost savings artifacts as well as the most effective cost savings actions you can take for cost savings.
Title: How To Export Data from Defender for Endpoint to Azure Data Explorer - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Paul Bergson
Publication Date: 3/19/24
Content excerpt:
This blog will lead you through the steps of moving crucial data to a secure spot, just as Raven seeks out her sunny haven. We’ll explore the technical aspects of data exportation, ensuring it’s accessible for future use, similar to Raven’s watchful relaxation in her favorite sunny spot. Join me in learning how our digital guardians keep our valuable information safe, offering a sense of security as dependable as Raven’s attentive repose in her cherished sunny patch.
Title: Azure Monitor: Create Dedicated Clusters Using Any Commitment Tier - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Bruno Gabrielli
Publication Date: 3/21/24
Content excerpt:
You might have noticed the supportability for any existing commitment tier, including the small 100, 200, 300, 400 GB/Day ones, for Azure Monitor Logs Dedicated Cluster have been announced by the Azure Monitor product group. The official announcement went live on January 25, 2024 and can be found HERE.
As short recap, an Azure Monitor Logs Dedicated Cluster might be required if you would like to use one or more of the capabilities reported below...
Title: Securing Monitoring Services - Microsoft Community Hub
Source: Core Infrastructure and Security
Author: Khushbu Gandhi
Publication Date: 3/28/24
Content excerpt:
I get lot of questions around how to secure Monitor services and why Azure monitor needs to be secured. So, I decided to write this blog which explains about securing monitoring services and why we care about Azure Monitor Private Link Scope (AMPLS)...
Source: FastTrack for Azure
Author: Paolo Salvatori
Publication Date: 3/11/24
Content excerpt:
To ensure your security and compliance requirements are met, Azure Front Door offers comprehensive end-to-end TLS encryption. For more information, see End-to-end TLS with Azure Front Door support. With Front Door's TLS/SSL offload capability, the TLS connection is terminated and the incoming traffic is decrypted at the Front Door. The traffic is then re-encrypted before being forwarded to the origin, that in this project is represented by a web application hosted in an Azure Kubernetes Service cluster...
Title: Firewall considerations for gMSA on Azure Kubernetes Service - Microsoft Community Hub
Source: ITOps Talk
Author: Vinicius Apolinario
Publication Date: 2/7/24
Content excerpt:
This week I spent some time helping a customer with a gMSA environment on which they were finding some issues in deploying their app. The issues started when they were trying to figure out why the Kerberos ticket was not being issues for the Window pod with gMSA configured in AKS. I decided to write this blog post to list some of the firewall considerations for different scenarios on which security rules might block the authentication process.
Title: Lightbits for Azure VMware Solution - Microsoft Community Hub
Source: ITOps Talk
Author: Amy Colyer
Publication Date: 2/8/24
Content excerpt:
As users of Azure VMware Solution, we most likely will come across a time where we need to add storage and not necessarily need more compute from an additional host. Lightbits is another option in the Azure Marketplace to add storage that will scale and run storage intensive apps.
Title: Windows Server Advanced Auditing Policies - Microsoft Community Hub
Source: ITOps Talk
Author: Orin Thomas
Publication Date: 2/18/24
Content excerpt:
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows Server and Active Directory environments, security auditing is the features and services that log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
Title: Understanding the Windows Event Log and Event Log Policies - Microsoft Community Hub
Source: ITOps Talk
Author: Orin Thomas
Publication Date: 2/22/24
Content excerpt:
The event log is something that's been built into Windows Server for decades. It's one of those meat and potatoes features that we all have a cursory understanding of but rarely think about in depth. The event logs record events that happen on the computer. Examining the events in these logs can help you trace activity, respond to events, and keep your systems secure. Configuring these logs properly can help you manage the logs more efficiently and use the information that they provide more effectively.
Title: Understanding Group Policies: User Rights Assignment Policies - Microsoft Community Hub
Source: ITOps Talk
Author: Orin Thomas
Publication Date: 2/27/24
Content excerpt:
User Rights Assignment is one of those meat and potatoes features of the operating system that we all have a cursory understanding of but rarely think about in depth. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the User Rights Assignment item.
Title: New Storage and Networking MS Learn modules for Windows containers on AKS - Microsoft Community Hub
Source: ITOps Talk
Author: Vinicius Apolinario
Publication Date: 2/28/24
Content excerpt:
We are excited to announce the release of two new Microsoft Learn modules that will help you understand how to configure storage and networking for Windows containers on Azure Kubernetes Service (AKS). These modules are part of the "Deploy, manage, and monitor Windows containers on Azure Kubernetes Service" learning path and cover the following topics..
Title: Introducing our Security 101 course for beginners! - Microsoft Community Hub
Source: ITOps Talk
Author: Sarah Young
Publication Date: 3/11/24
Content excerpt:
Everyone is involved in cybersecurity to some extent nowadays, it's a team sport. To help everyone upskill in the cybersecurity space, we've released an open-source Security 101 for beginners course that helps explain key concepts of cybersecurity.
Title: Auto rollout of Conditional Access policies in Microsoft Entra ID - Microsoft Community Hub
Source: Microsoft Entra (Azure AD)
Author: Nitika Gupta
Publication Date: 2/6/24
Content excerpt:
In November 2023 at Microsoft Ignite, we announced Microsoft-managed policies and the auto-rollout of multifactor authentication (MFA)-related Conditional Access policies in customer tenants. Since then, we’ve rolled out report-only policies for over 500,000 tenants. These policies are part of our Secure Future Initiative, which includes key engineering advances to improve security for customers against cyberthreats that we anticipate will increase over time.
This follow-up blog will dive deeper into these policies to provide you with a comprehensive understanding of what they entail and how they function.
Title: Introducing Microsoft Entra license utilization insights - Microsoft Community Hub
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: 2/20/24
Content excerpt:
Over 800,000 organizations rely on Microsoft Entra to navigate the ever-changing threat landscape, ensuring their security while enhancing the productivity of their end users. Customers have frequently expressed their desire for greater transparency into their Entra usage, with licensing being a particularly popular request. Today, we’re excited to announce the public preview of Microsoft Entra license utilization portal, a new feature that enables customers to optimize their Entra ID Premium licenses by providing insights into the current usage of premium features.
Title: Keeping track of object deletions in Microsoft Entra ID - Microsoft Community Hub
Source: Microsoft Entra (Azure AD)
Author: Alexander Zagranichnov
Publication Date: 2/22/24
Content excerpt:
Like any other service, Microsoft Entra ID is not immune to human errors, accidental deletions, or malicious attacks that could result in the loss of important data. Therefore, it is essential to have a Microsoft Entra ID recovery strategy, especially for the objects that are hard deleted when removed from the service...
Title: Cross-tenant access settings - Notes from the field - Microsoft Community Hub
Source: Microsoft Entra (Azure AD)
Author: Heiko Bischoff
Publication Date: 3/18/24
Content excerpt:
The introduction of cross-tenant access settings for Microsoft Entra External ID marked a pivotal shift in how organizations manage security and collaboration across different tenants. This blog post dives into the essence of these settings, focusing on their significance for secure B2B collaboration.
Source: Microsoft Entra (Azure AD)
Author: Nitika Gupta
Publication Date: 3/19/24
Content excerpt:
As part of our Secure Future Initiative, we announced Microsoft-managed Conditional Access policies in November 2023. These policies are designed to help you secure your organization's resources and data based on your usage patterns, risk factors, and existing policy configuration, all while minimizing your effort. Our top recommendation for improving your identity secure posture is enabling multifactor authentication (MFA), which reduces the risk of compromise by 99.2%. This is why our first three policies are all related to MFA for different scenarios.
Title: Upgrade your tenant restrictions to v2 - Microsoft Community Hub
Source: Microsoft Entra (Azure AD)
Author: Jeff Bley
Publication Date: 3/21/24
Content excerpt:
In a previous blog in the Data Exfiltration series, we discussed different types of tenant restrictions policy. In this blog, we’ll discuss migrating from tenant restrictions v1 to authentication plane tenant restrictions v2. In future blogs, we’ll discuss migrating to Universal tenant restrictions v2.
Tenant restrictions are a vital tool to help prevent data exfiltration from unauthorized access to external Microsoft Entra ID tenants and consumer Microsoft accounts. Tenant restrictions v1 lets you create an allow list of tenant IDs and Microsoft sign-in endpoints to ensure that users access external tenants that your organization authorizes. While tenant restrictions v1 served well for many years, tenant restrictions v2 offers more granularity and easier policy management with no additional licensing requirements...
Title: Don’t miss out on the newest skilling resources for Azure - Microsoft Community Hub
Source: Microsoft Learn
Author: Deepa Athre
Publication Date: 2/7/24
Content excerpt:
In the ever-evolving landscape of IT—whether you're a seasoned professional navigating complexities or a newcomer eager to embrace the digital frontier—Azure skilling resources help empower your learning journey.
In this comprehensive overview, we highlight the best of this past quarter’s curated learning resources.
Title: Announcing a new way to give feedback on Microsoft Learn - Microsoft Community Hub
Source: Microsoft Learn
Author: Chris Duarte
Publication Date: 2/15/24
Content excerpt:
At Microsoft Learn, we are committed to empowering you with the tools and resources you need to build technical skills and achieve your goals. Your input and suggestions are critical to us in meeting your skilling needs. On Microsoft Learn, you can find documentation, training, code samples, videos, credentials, and more, all in support of Microsoft’s expansive portfolio of products. Thousands of writers, advocates, architects, product managers, and engineers from across Microsoft and our community come together to create and maintain the content you find on Microsoft Learn. We rely on your feedback to keep the content accurate and up to date.
Title: Microsoft Learn for Organizations: Jump-start team technical training - Microsoft Community Hub
Source: Microsoft Learn
Author: Natalie Duryea
Publication Date: 2/20/24
Content excerpt:
It’s no surprise that organizations, teams, and individuals all need technical expertise to succeed. Since today’s teams have limited time to build new skills for their key projects, there’s an increasing demand for technical training that can be covered in self-directed, always-on, digital resources—outside of the classroom. To help meet these team skill-building needs, we’re happy to announce Microsoft Learn for Organizations—a faster, more focused way to help close skill gaps and drive business success across your organization. This valuable resource features curated collections that help take the guesswork out of learning journeys so learners can apply new skills to quickly unblock projects. And this is just the beginning. We’ll make regular updates to include the latest technology and skills, adding collections, features, and more.
Title: Frequently Asked Question about TLS and Cipher Suite configuration - Microsoft Community Hub
Source: Security, Compliance, and Identity
Author: Candace Jackson
Publication Date: 3/5/24
Content excerpt:
Starting with Windows Server 2022, TLS 1.3 is supported by default in all versions. The protocol is not available in down level OS versions...
Source: Security, Compliance, and Identity
Author: Simone Curzi
Publication Date: 3/5/24
Content excerpt:
With this new post, we focus on a different topic: the importance of adopting a threat-based approach. In the process, we discuss how this can be achieved and provide you with a few practical ideas you can apply to your scenarios...
Title: Introducing Microsoft Security Exposure Management - Microsoft Community Hub
Source: Security, Compliance, and Identity
Author: Tomer Teller
Publication Date: 3/13/24
Content excerpt:
In an era of expanding interconnected attack surfaces, organizations face a growing concern about a myriad of exposures, including software vulnerabilities, control misconfigurations, overprivileged access, and evolving threats leading to sensitive data exposure.
Navigating, and, more importantly, understanding this threat landscape and where you may be exposed can be extremely difficult, costly, and complex...
Title: Storage in Windows Server 2025, from the Server Summit - Microsoft Community Hub
Source: Storage at Microsoft
Author: Ned Pyle
Publication Date: 3/28/24
Content excerpt:
Heya folks, Ned here again. The three-day Windows Server Summit 2024 just completed and there are great on-demand sessions about Windows Server 2025 and Windows vNext. Some of the most interesting ones for this blog's audience are below, but the whole summit is worth a watch if you're an IT Pro, decision maker, consultant, architect, or C-level.
Title: Skilling snack: Windows passwordless options | Windows IT Pro blog (microsoft.com)
Source: Windows IT Pro
Author: Katharine Holdsworth
Publication Date: 2/8/24
Content excerpt:
The future is passwordless, and the future is here. Whether you’re new to the conversation or have been keeping up, you’ll find something for you and your users here. Get behind the scenes of how Microsoft embraced passwordless and then skill up to the advanced authentication management level. Notice how passkeys have made their way into the current industry trends? Now just put it all into an easy-bake oven!
Title: Updating Microsoft Secure Boot keys | Windows IT Pro blog
Source: Windows IT Pro
Author: Sochi Ogbuanya
Publication Date: 2/13/24
Content excerpt:
Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.
Title: What’s new in Windows Autopatch: February 2024 | Windows IT Pro blog (microsoft.com)
Source: Windows IT Pro
Author: Diana Hoffman
Publication Date: 2/14/24
Content excerpt:
The start of the new year brings a great opportunity for positive change, including the release of new features in Windows Autopatch. We heard your feedback! Here are some improvements made in response to your enterprise needs...
Title: Skilling snack: Data security basics for IT pros | Windows IT Pro blog (microsoft.com)
Source: Windows IT Pro
Author: Steve Thomas
Publication Date: 2/22/24
Content excerpt:
Data security is the foundational layer of Zero Trust. Just as you protect your organizational identity, endpoints, applications, network, and infrastructure, you'd also want to protect data. What data to protect and how to protect it? Here's a list of ingredients and recipes for you to try out today.
Title: Skilling snack: Windows Server security | Windows IT Pro blog (microsoft.com)
Source: Windows IT Pro
Author: Gustavo Rubio
Publication Date: 3/7/24
Content excerpt:
As part of our security-focused skilling series, we’re adding a flavor of Windows Server to the mix. Let’s brush up on Windows Server security and get ready for the two events coming up this month: Microsoft Secure and Windows Server Summit. Look for event details below and catch a bite of Windows Server goodness that suits your taste.
Previous CTO! Guides:
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)