OATH Hardware Tokens for AzureAD

As you probably have been reading in my previous posts, I’ve been talking about FIDO2 keys, and how it can be used as a secondary authentication when signing in AzureAD.

PassWordless Authentication with Fido 2 Keys – Part 2

PassWordless Authentication with Fido 2 Keys

Today, I want to talk about OATH hardware Tokens, known as Time-based One Time Password Tokens as well.

As you are aware, some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.

The following table outlines when an authentication method can be used during a sign-in event:

But, OATH TOTP is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token.

In this post, I will show you how the OTP C200 token from Feitian can be configured in Azure AD and how it works.

First of all, what you have to do is to register the key in Azure AD, in order to do this, you will need the Serial Number from the Key, and the secret key provided by the manufacturer, and then you need to create a CSV file with all the information:

Once you have done this, these keys must be input into Azure AD: Multifactor authentication – Microsoft Azure

Upload the file, and activate the key in the portal, once it is have been done, it will show you a screen like the following:

If you have any error during the upload, it will be shown in the portal itself:

You must consider that you can activate a maximum of 200 OATH tokens every 5 minutes.

Also, as you probably figure out, users may have a combination or OATH Hardware tokens, Authenticator App, FiDO Keys, etc…

Be aware that users con configure their default sign in method in the security info web: My Sign-Ins | Security Info | Microsoft.com

So, once the key has been configured for the user, which is the flow to access to the account?

I have compared the Authentication flow with the Fido2 Key Flow, the difference that you can appreciate is with FiDO2 Keys is not necessary to include my password

Finally, check out the following table from Microsoft, where you can see different persona cases and which passwordless technology can be used for each one of them

IMHO, FiDO Keys are great, but thinking as an end user they have problem: the first setup: We must rely on end user about how they configure the key and associate it with azure AD (remember the previous table). FiDO keys has the advantage to be able to be used to sign in instead of using a password in the computer.

In the other hand, OAUTH keys are great, because you as an administrator, can configure the keys in the AAD Portal, and once have been activated provide them to end users, without necessity to do any other action from the end user perspective, and the most important part, are very easy to use

Thanks to Feitian for providing such amazing tokens

How to stop Azure Application Gateway and Azure Firewall

Hi folks, summer is here and my holidays are very near, so I’m wrapping everything up to close my laptop and relax for a few weeks.

But before my deserved rest, I need to give you an FinOps advice:

If you’re like me and often makes demo setups in your Azure subscription that involve resources like Azure Firewall and Application Gateways, you probably have realize that there is no easy way to gracefully shutdown all those “hungry” resources to save some money.

To stop VMs, we can simply use the Azure Portal start/stop buttons, or use automation accounts or whatever, but Azure Portal doesn’t allow you to stop application gateway or Az Firewall. In such cases, Azure PowerShell helps:

# Get Azure Application Gateway
$appgw = Get-AzApplicationGateway -Name "appgw_name" -ResourceGroupName "rg_name"
 
# Stop the Azure Application Gateway
Stop-AzApplicationGateway -ApplicationGateway $appgw
 
# Start the Azure Application Gateway
Start-AzApplicationGateway -ApplicationGateway $appgw

After executing the stop, we will be able to see that the Operational State change after 1 minute or so:

and for the AzFirewall we can use the following:

$firewall=Get-AzFirewall -ResourceGroupName rgName -Name azFw
$firewall.Deallocate()
$firewall | Set-AzFirewall

$vnet = Get-AzVirtualNetwork -ResourceGroupName rgName -Name anotherVNetName
$pip = Get-AzPublicIpAddress -ResourceGroupName rgName -Name publicIpName
$firewall.Allocate($vnet, $pip)
$firewall | Set-AzFirewall

Now, you know how to save some money using those resources and I’m able to go to holidays to rest a while

Happy holidays!

Admin App for Microsoft Teams

Microsoft has announced the release of a new Admin App for Microsoft Teams. This app simplifies top management options and showcases them in one place.

• Optimize ‎Microsoft Teams‎ meetings, messages, webinars, and more for everyone in your organization
• Add and remove users and reset their passwords
• Add and remove teams and manage team members
• Assign and remove licenses for users

Discover advanced settings, training, and support resources

To get started with the new Admin app experience, you will first need to head to the Microsoft Teams app store. Then, search for “Admin” and download the app in Microsoft Teams.

Once you have installed the app, you can manage some tenant settings and Teams configurations:

Admin app It is a great step to put teams as a central hub for everything, making easier for IT Pros to access settings and perform key management tasks across Microsoft 365 and Teams, but keep in mind that the Admin app is available for all users in the App Store, but you must have administrative rights to use it.

Multilingual invitations for Teams Meetings

This new feature for Teams, allows administrator to customise meeting invitations, to display the information of meeting in up to two languages ton all email platforms

In order to enable this, we can apply a new policy in their admin portal by enabling the MeetingInviteLanguages parameter in the CsTeamsMeetingPolicy at the user or group level, or for the entire organization

To enable this, we must use PowerShell, so let’s go:

#connect to Teams PowerShell

Import-Module MicrosoftTeams

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Connect-MicrosoftTeams

#check the current configuration

Get-CsTeamsMeetingPolicy -identity global | fl *lang*

#apply the new config

Set-CsTeamsMeetingPolicy -Identity Global -MeetingInviteLanguages "en-US,es-ES"

It may take several hours before the policy becomes active, but in the end, we will be able to find this in a new teams meeting:

Hope that helps, till nex time!

You should remove that basic authentication from Exchange…

Now more than ever, you should disable your legacy authentication in Exchange Online, last year Microsoft announced that they will remove that basic Authentication next October (https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-may-2022/ba-p/3301866)

Did you know that:

• More than 99 percent of password spray attacks use legacy authentication protocols
• More than 97 percent of credential stuffing attacks use legacy authentication
• Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
  

Disabling legacy authentication for users is a must-do on your identity security checklist

Why? becasue is a security gap and Microsoft took a lot of effor to promote Modern Authentication. So, you can disable now this basic Authentication in very simple steps:

If you don’t want to use this option, you can block the access to those protocols by using Conditional Access, understanding in a very simple way the impact of the policy.

What are you waiting for?

Secure your AzureAD Identity infrastructure

In the Global Azure I had the oportunity to talk about how to secure our Azure AD. Now Microsoft has published a new link about how to protect our AzureAD: https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

So now, we have official documentation to support my recommendations 🙂

Plan your SQL 2012, Windows Server 2012 and 2012 R2 End of Support

SQL Server 2012, Windows Server 2012, and 2012 R2 End of Extended support are approaching per the Lifecycle Policy

But you can migrate your VMs to Azure to have Extended Support:

More info at: https://cloudblogs.microsoft.com/sqlserver/2021/07/14/know-your-options-for-sql-server-2012-and-windows-server-2012-end-of-support/

Idle timeout in Microsoft365

With the new feature Idle Timeout, you can protect your data from unauthorized access. This setting automatically times-out inactive users, making your data more secure and less prone to unauthorized access. You can enable it in 3 simple steps:

Do you know how to debug Teams Diagnostics?

Having information about how Teams app is running is important, so this quick post will overview how a snapshot collection of important diagnostic logs for troubleshooting can be done

Important tips!

• Read logs with text editor​
• Latest entry on top of the list​
• Use keywords!

Once you have enabled the diagnostic logs, those will be created in the downloads folder:

Hope that helps to troubleshoot your Teams deployment!

Meet Microsoft Entra

Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:

Protect access to any app or resource for any user across hybrid, multicloud, and beyond;

• Secure and verify every identity including for employees, customers, partners, apps, devices, and workloads;
• Provide only necessary access by discovering and right-sizing permissions, and managing access lifecycles for any identity; and
• Simplify the human experience with simple sign-in, intelligent security, and unified administration.

But, what it is really Microsoft Entra? A unified portal for securing and managing every identity – The admin center for Microsoft Entra facilitates identity and access management, multicloud permissions management, and administration of verifiable credentials, all in one place.

When Entra will take place? In May 31st

And what happens to my AzureAD? Azure AD continues to be the foundational infrastructure for all new products in Microsoft Entra family. Innovation and investment in Azure AD continues, including the popular Application Gallery, Conditional Access, multifactor authentication, passwordless, and more.

Will I still be able to access my Azure AD Admin portal? short answer yes, long answer see below:

1. The Azure AD admin center (aad.portal.azure.com) will continue to function for the next 12-18 months, and then redirect to entra.microsoft.com in 2023 after extensive customer notice.
2. The Azure portal at portal.azure.com will also continue to offer Azure AD for Azure customers.
3. The M365 portal Azure AD admin page will be redirected to entra.microsoft.com later this summer.

So, can I Buy Microsoft Entra? Microsoft Entra is a product family. Products within Microsoft Entra are available for sale but there is no Entra bundle to purchase

This new product family has an impact on licenses or billing? No, but if you’re interested in sing Microsoft Entra Permissions Management will need to obtain a license for the solution. Microsoft Entra Verified ID is a free service but some scenarios, integrated with Azure AD capabilities, may require an Azure AD P1 or P2 license as a pre-requisite.

More info at: Secure access for a connected world—meet Microsoft Entra – Microsoft Security Blog