Infrastructure + Security: Noteworthy News (May, 2020)
Published May 28 2020 11:17 AM
Microsoft

You are reading the May issue of the Infrastructure + Security: Noteworthy News series!

As a reminder, the Noteworthy News series covers a range of topics, including news, announcements, links, and tips and tricks from the Windows, Azure, and Security worlds, on a monthly basis.

Microsoft Azure

How Exchange and Microsoft Teams interact

Microsoft Teams works with several Office 365 services to provide users with a rich experience. To support this experience, you need to enable certain features or services and assign licenses. For the full Teams experience, every user should be enabled for Exchange Online, SharePoint Online, and Office 365 Group creation.

Azure custom role creation in the Azure portal is now generally available

Azure custom role creation in the Azure portal is now generally available. Previously, creating or editing custom roles was only possible through the command line or the Azure Resource Manager API. The new portal experience simplifies the role-based access control (RBAC) workflow, but the definition it produces is the same JSON (Actions, NotActions, DataActions, NotDataActions, AssignableScopes) you would write by hand.
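As an added example (not from the linked article), here is a least-privilege custom role defined as JSON and created with Az PowerShell. The role name, description and subscription ID are placeholders; the operations listed are real Microsoft.Compute and Microsoft.Resources actions.

```powershell
# Added example: a least-privilege custom role defined as JSON and created with Az PowerShell.
# Role name, description and subscription ID are placeholders; the Actions are real
# Microsoft.Compute / Microsoft.Resources operations. Requires the Az module and Connect-AzAccount.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

$roleDefinition = [ordered]@{
    Name             = 'VM Operator (custom)'
    IsCustom         = $true
    Description      = 'Can read, start, restart and deallocate VMs; cannot create, delete or reconfigure them.'
    Actions          = @(
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Compute/virtualMachines/read',
        'Microsoft.Compute/virtualMachines/start/action',
        'Microsoft.Compute/virtualMachines/restart/action',
        'Microsoft.Compute/virtualMachines/deallocate/action'
    )
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    # Keep AssignableScopes as narrow as the role's purpose allows; it caps where the role can be granted.
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

$roleFile = Join-Path $env:TEMP 'vm-operator-role.json'
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile -Encoding UTF8

# Create the role (use Set-AzRoleDefinition with the same file plus the role's Id to update it later).
New-AzRoleDefinition -InputFile $roleFile

# Review: custom roles whose Actions contain a wildcard are rarely least privilege.
Get-AzRoleDefinition -Custom |
    Where-Object { ($_.Actions -join ';') -like '*`**' } |
    Select-Object Name, @{ n = 'Actions'; e = { $_.Actions -join ', ' } }
```

The final query is the check worth keeping around: wildcard actions (`Microsoft.Compute/*`) in a custom role quietly grant every future operation the provider adds.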

Azure App Service support for GitHub Actions is in preview

GitHub Actions is now available in preview as an option for CI/CD in the App Service Deployment Center. Selecting this option puts a complete workflow file into your repository that builds and deploys the application to the web app whenever there is a new commit on the chosen branch. This saves considerable time for first-time GitHub Actions users, and you can adjust the workflow file as your needs evolve and you become more comfortable with GitHub Actions.

Azure Virtual Network NAT gateway meter name changes

Effective June 1, 2020, the meter names of Azure Virtual Network network address translation (NAT) gateway will change because the service is becoming generally available.

Managed identity support in AKS is now available

Managed identity support in Azure Kubernetes Service (AKS) is now generally available. Use it to let AKS interact securely with other Azure services, including the Kubernetes cloud provider, Azure Monitor for Containers, and Azure Policy, among others. With managed identities there is no service principal for you to create, store or rotate; the platform issues and rotates the credentials for you.

Identity recommendations now included in Azure Security Center free tier

Security recommendations for identity and access on the Azure Security Center free tier are now generally available. This is part of the effort to make the cloud security posture management (CSPM) features completely free. Until now, these recommendations were only available on the standard pricing tier.

Azure API Management Extension for Visual Studio Code (Preview)

Use the Azure API Management extension to perform common management operations on your Azure API Management service instances without switching away from Visual Studio Code. Azure API Management is a fully managed service that helps customers securely expose their APIs to external and internal consumers.

Monitoring your reservation and Marketplace purchases with Budgets

Budgets in Cost Management help you plan for spending and drive organizational accountability. A budget tracks the Azure services you consume or subscribe to over a specific period, lets you alert others about their spending so costs can be managed proactively, and shows how spending progresses over time.

Administrative units management in Azure Active Directory (Preview)

This article describes administrative units in Azure Active Directory (Azure AD). An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. In this preview release, an administrative unit can contain only users and groups.

Microsoft identity platform access tokens

Access tokens enable clients to securely call protected APIs. Microsoft identity platform access tokens are JWTs: base64url-encoded JSON objects signed by the Microsoft identity platform. A client should treat an access token as opaque and simply pass it to the API it was issued for; only that API should decode and validate it (signature, issuer, audience and lifetime). Access tokens remain valid until they expire, whereas refresh tokens can be invalidated or revoked at any time, for a variety of reasons. Token handling is widely misunderstood, so the article is worth a careful read.

Also see ID tokens and Application sign-in flow.
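As an added example (not from the linked documentation), the following PowerShell decodes a JWT's header and payload for troubleshooting, using a constructed sample token rather than a real one. Decoding is not validation: the signature is not checked here, which is exactly why a client must never make authorization decisions from the claims it reads.

```powershell
# Added example (not from the linked docs): decode a JWT's header and payload for troubleshooting.
# Decoding is not validation. Only the API the token was issued for should validate the
# signature (against the tenant's published signing keys), issuer, audience, nbf/exp and scopes;
# a client should treat an access token for another API as opaque. The token built below is a
# constructed sample with a placeholder signature, not a real token.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use base64url (RFC 7515): '-' for '+', '_' for '/', padding removed.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated segments, got $($parts.Count)" }
    [pscustomobject]@{
        Header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
        Payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    }
}

# Constructed sample shaped like a v2.0 access token; tenant, audience and object IDs are placeholders.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = '{"typ":"JWT","alg":"RS256","kid":"placeholder-key-id"}'
$payload = @{
    aud = 'api://contoso-orders'
    iss = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0'
    iat = $now - 300
    nbf = $now - 300
    exp = $now + 3300                    # roughly a one-hour lifetime
    scp = 'Orders.Read'
    oid = '11111111-1111-1111-1111-111111111111'
} | ConvertTo-Json -Compress
$token = '{0}.{1}.{2}' -f (ConvertTo-Base64Url $header), (ConvertTo-Base64Url $payload), 'placeholder-signature'

$claims  = Get-JwtClaims -Token $token
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.Payload.exp).UtcDateTime
'alg={0}  aud={1}  scp={2}  exp={3:u}' -f $claims.Header.alg, $claims.Payload.aud, $claims.Payload.scp, $expires

# Two cheap sanity checks worth doing even in a troubleshooting script:
if ($claims.Header.alg -eq 'none') { throw 'alg=none must never be accepted' }
if ($claims.Payload.exp -le $now)  { Write-Warning 'Token already expired; the API will reject it' }
```

Point this at a real token only on a machine you trust, and never log the full token: the payload is readable by anyone who has it, and the token itself is a bearer credential until `exp`.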

Troubleshooting sign-in problems with Conditional Access

The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using error messages and Azure AD sign-ins log.

Windows Server

Azure File Sync is removing support for TLS 1.0 and 1.1 in August 2020

The Azure File Sync service will remove support for Transport Layer Security (TLS) 1.0 and 1.1 in August 2020. All supported Azure File Sync agent versions already use TLS 1.2 by default, so if your server is not negotiating TLS 1.2 the likely causes are that TLS 1.2 has been disabled on the server or, more commonly, that a proxy in the path does not support it.

SCOM management pack for Azure SQL Managed Instance is now available

The System Center Operations Manager (SCOM) management pack for SQL Managed Instance is now available in preview. Use it to build hybrid monitoring solutions for your on-premises and data center resources, along with monitoring SQL Managed Instances in the cloud.

New Azure VMware Solution is now in preview

Azure VMware Solution lets customers extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. The new release of Azure VMware Solution is built on Microsoft Azure without the use of a third-party technology. The solution is also cloud verified by VMware and uses components of the VMware Cloud Foundation framework, including vSphere, vCenter, NSX-T, vSAN and HCX.

Maintenance control for platform updates now generally available

The maintenance control feature for Azure Virtual Machines platform updates is now generally available for Azure Dedicated Hosts and isolated virtual machines (VMs). This feature gives you more control over platform maintenance when dealing with highly sensitive workloads. Use this feature to control all host updates, including rebootless updates, within a 35-day window.

Windows Client

Secure Channel/Expired Machine Account Password Concerns Revisited

With the huge uptick in remote workers, there has been a surge in questions and concerns about "stale" machine account passwords and secure channel issues. Many people were simply told "Take your PC and go home, right now." They unplugged their work laptop (or even a desktop PC), left the office in February or March, and have not been back since. Several of us discussed this internally and decided to publish a post about this no-connectivity scenario, clarifying the situation and linking to a thorough technical blog that has recent updates.
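As an added example (not from the linked post), the PowerShell below checks whether a domain member's secure channel is actually broken before anyone resets anything. It relies on the fact that the member, not the domain controller, rotates its own machine account password, so a laptop that has merely been offline has nothing to "expire". The credential prompt is a placeholder for an account allowed to reset the computer object.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the linked post): verify a domain member's secure channel and repair it
# only if it is actually broken. Run it once the machine can reach a DC again (office or VPN).
# The credential prompt is a placeholder for an account allowed to reset this computer object.

# The member, not the DC, rotates its own password (every 30 days unless policy changes it),
# so a laptop that has simply been offline has nothing to "expire". Show the effective policy:
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxAge   = if ($null -ne $netlogon.MaximumPasswordAge)   { $netlogon.MaximumPasswordAge }         else { 30 }
$disabled = if ($null -ne $netlogon.DisablePasswordChange) { [bool]$netlogon.DisablePasswordChange } else { $false }
"Machine password max age: $maxAge days; client-side password changes disabled: $disabled"

# Can we talk to a DC right now? Skip the repair if not; it would only fail.
$dcLine = nltest /dsgetdc:$env:USERDNSDOMAIN 2>$null | Select-String 'DC: \\\\(\S+)'
if (-not $dcLine) { throw "No domain controller reachable for $env:USERDNSDOMAIN; connect to the corporate network or VPN first." }
$dc = $dcLine.Matches[0].Groups[1].Value
"Using domain controller $dc"

if (Test-ComputerSecureChannel -Server $dc -Verbose) {
    'Secure channel is healthy; no reset needed.'
} else {
    # Repair resets the computer account password on both sides (same effect as
    # Reset-ComputerMachinePassword). Needs an account permitted to reset this computer object in AD.
    $cred = Get-Credential -Message "Account allowed to reset $env:COMPUTERNAME`$"
    Test-ComputerSecureChannel -Repair -Server $dc -Credential $cred
}
```

The case that does break the secure channel is a password change the DC never learned about, for example a machine restored from an older snapshot or image after it had rotated its password; that is what the repair branch is for.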

Top 5 reasons organizations use OneDrive for data security

OneDrive ensures secure and reliable collaboration both inside and outside your organization, with an intuitive and coherent sharing experience that extends across Microsoft 365. Safely sharing and accessing content is becoming increasingly important as the business world shifts to remote work. Users need to get to their files and folders from any number of places and devices, while admins need continued control over how that content is disseminated. OneDrive has the security and monitoring features required by both groups.

Windows Insiders can now test DNS over HTTPS

If you have been waiting to try DNS over HTTPS (DoH) on Windows 10, the first testable version is now available to Windows Insiders. To see the Windows DoH client in action, and help build a more private Internet experience, check out the article for the configuration steps.
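As an added example (not the Insider announcement's own text), here are the enablement steps the announcement described, in PowerShell. It applies only to the Insider builds that carry the DoH client; the interface alias and the resolver are placeholders, and the registry value is the one the announcement documented.

```powershell
#Requires -RunAsAdministrator
# Added example: turn on the Windows DoH client on an Insider build, point the adapter at a
# resolver that speaks DoH, and confirm the upgrade. The interface alias and resolver are
# placeholders; EnableAutoDoh=2 is the value the Insider announcement documented.

$interface = 'Ethernet'
$resolver  = '1.1.1.1'                                # a resolver Windows has a DoH template for
$template  = 'https://cloudflare-dns.com/dns-query'   # its DoH URI template

# 1. Enable the DoH client (Insider builds only). A restart is required afterwards.
$dnscache = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $dnscache -Name EnableAutoDoh -Value 2 -PropertyType DWord -Force | Out-Null

# 2. Register the resolver's DoH template if Windows does not already know it
#    (the well-known public resolvers were pre-registered; a custom resolver is not).
netsh dns add encryption server=$resolver dohtemplate=$template

# 3. Use that resolver as the adapter's classic DNS server; Windows upgrades it to DoH
#    because the address matches a known template.
Set-DnsClientServerAddress -InterfaceAlias $interface -ServerAddresses $resolver

# 4. Check what the DoH client knows and which servers the adapter is using.
netsh dns show encryption
Get-DnsClientServerAddress -InterfaceAlias $interface -AddressFamily IPv4
```

The important caveat is in step 3: DoH is only used when the configured DNS server address matches a registered template, so a resolver pushed by DHCP that has no template keeps using plain UDP/53.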

Security

Azure Automation TLS 1.2 enforcement begins September 1, 2020

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that secure communications over a network. Beginning September 1, 2020, Azure Automation will enforce TLS 1.2 or later for all external HTTPS endpoints. Make sure all your clients can negotiate TLS 1.2 or later before that date.
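Both this cut-off and the Azure File Sync one above come down to the same Windows Server settings, so here is one added example (not from either linked article) that enables TLS 1.2 in SCHANNEL, makes .NET Framework clients follow the OS defaults, and reads the configuration back. Registry paths and values are the standard SCHANNEL and .NET ones; nothing here is specific to either Azure service.

```powershell
#Requires -RunAsAdministrator
# Added example: enable TLS 1.2 for SCHANNEL and .NET Framework clients on Windows Server, then verify.
# Run elevated; a reboot is required for SCHANNEL changes to take effect. The Azure File Sync agent
# and Azure Automation clients (for example a Hybrid Runbook Worker) both rely on these OS settings.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Enable TLS 1.2 for both the client and server roles.
foreach ($role in 'Client', 'Server') {
    $key = Join-Path $schannel "TLS 1.2\$role"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
}

# 2. Make .NET Framework 4.x applications (PowerShell 5.1, many agents) use the OS protocol
#    defaults instead of hard-coding SSL 3.0/TLS 1.0. Both the 64-bit and 32-bit hives.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name SystemDefaultTlsVersions -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name SchUseStrongCrypto       -Value 1 -PropertyType DWord -Force | Out-Null
}

# 3. Read back every protocol/role pair, so an older hardening script that set TLS 1.2 to
#    Enabled=0 by mistake is caught before the August/September cut-offs.
Get-ChildItem $schannel -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -in 'Client', 'Server' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Protocol          = Split-Path $_.PSParentPath -Leaf
            Role              = $_.PSChildName
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    } | Format-Table -AutoSize

# 4. For an ad-hoc test from this session only, pin the .NET client to TLS 1.2.
#    Note that this proves the local stack; a proxy in the path must negotiate TLS 1.2 as well.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

The read-back table is the part to keep in a compliance check: a missing TLS 1.2 key means the OS default applies (enabled on current versions), while an explicit Enabled=0 is the misconfiguration that produces the "TLS 1.2 disabled on your server" symptom.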

Azure Log Analytics agent for Windows SHA-2 signing date has been extended

The Azure Log Analytics agent for Windows will begin to use SHA-2 signing exclusively on Aug. 17, 2020. This date has been extended from May 18, 2020 to give customers more time to prepare.

Azure Security Center-Dynamic compliance packages now generally available

The Azure Security Center regulatory compliance dashboard now includes dynamic compliance packages (generally available) for tracking additional industry and regulatory standards. You can now add standards such as NIST SP 800-53 R4, SWIFT CSP CSCF v2020, UK OFFICIAL and UK NHS, Canada Federal PBMM, and a new Azure CIS 1.1.0 package that is a more complete representation of the CIS benchmark.

Protect your customer accounts with passwordless mobile authentication

Finding a mobile authentication solution with strong security controls and an effortless user experience is tricky. Most solutions are either cumbersome for users or lack effective security protections, or both. With more users accessing sensitive data via mobile devices and more companies relying on mobile as a factor in multi-factor authentication (MFA) scenarios, organizations need solutions that don't compromise on either security or ease of use.

Require MFA for Azure Management

Organizations use a variety of Azure services and manage them from Azure Resource Manager based tools. These tools can provide highly privileged access to resources that can alter subscription-wide configurations, service settings, and subscription billing. To protect these privileged resources, Microsoft recommends requiring multi-factor authentication for any user accessing them, which is done with a Conditional Access policy that targets the Microsoft Azure Management cloud app.

Changes to just-in-time (JIT) virtual machine access

Security Center includes an optional just-in-time (JIT) feature that keeps the management ports of your VMs (such as RDP and SSH) closed until a user requests time-limited access. This defends against the most common form of brute-force attack, password guessing against Internet-exposed management ports.

Deploy Microsoft Defender ATP for Mac in just a few clicks

Microsoft Defender ATP for Mac can be installed and configured through several management tools, including Intune, Jamf, or another MDM product. We are excited to share that we have dramatically simplified this and eliminated the manual Intune process by offering a new Microsoft Defender ATP for Mac app type in Microsoft Endpoint Manager. It now takes just a few clicks to start installing and configuring the application.

Defending networks against human-operated ransomware

Human-operated ransomware attacks represent a different level of threat: the adversaries are skilled systems administrators who understand security misconfigurations and adapt to whatever path of least resistance they find in a compromised network. Following an attack pattern typical of these campaigns, attackers had been accumulating access and maintaining persistence on target networks for months, waiting to deploy ransomware at the moment of greatest financial gain. Read on for measures that make your network more resilient against new breaches, reactivation of dormant implants, and lateral movement.

Microsoft Information Protection SDK 1.6: Now Available

We're pleased to announce that the Microsoft Information Protection SDK version 1.6 is now generally available via NuGet and Download Center.

Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP

Virtual Desktop Infrastructure (VDI) is fairly common in customer environments, especially in today's world where many are working from home as a result of COVID-19. As such, we want to ensure that Microsoft provides protection for VDI machines, and that you understand how Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) works within your VDI deployment. In this blog post, we'll cover VDI, how it works with Microsoft Defender ATP, best practices, and some lessons learned.

Monitoring Zoom with Azure Sentinel

One of the great features of Azure Sentinel is its ability to ingest and analyze data from any source, not just Microsoft products. This blog shows how to collect logs from Zoom, ingest them into Azure Sentinel, and how a SOC team can start hunting in those logs for potentially malicious activity.

What is Azure Firewall Manager Preview?

Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters.

Azure Service Health security advisories are now available

Azure Service Health now includes security advisories, a notification type that communicates urgent security-related information affecting your Azure workloads.

Updates and Support Lifecycle

Reminder of changes coming to Office support in October

We recognize customers are at different points in their journey to the cloud, and we will continue to listen to and support our customers in their transition to Office 365 ProPlus, the subscription version of Office that receives regular security and feature updates. Review this reminder of the changes coming as of October 2020.

Products reaching End of Support for 2020

Microsoft Premier Support News

Check out the Microsoft Services public blog for new Proactive Services as well as new features and capabilities of the Services Hub, On-demand Assessments, and On-demand Learning platforms.

Last updated: Aug 02 2022 02:06 PM