Multilingual invitations for Teams Meetings

This new feature for Teams, allows administrator to customise meeting invitations, to display the information of meeting in up to two languages ton all email platforms

In order to enable this, we can apply a new policy in their admin portal by enabling the MeetingInviteLanguages parameter in the CsTeamsMeetingPolicy at the user or group level, or for the entire organization

To enable this, we must use PowerShell, so let’s go:

#connect to Teams PowerShell

Import-Module MicrosoftTeams

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Connect-MicrosoftTeams

#check the current configuration

Get-CsTeamsMeetingPolicy -identity global | fl *lang*

#apply the new config

Set-CsTeamsMeetingPolicy -Identity Global -MeetingInviteLanguages "en-US,es-ES"

It may take several hours before the policy becomes active, but in the end, we will be able to find this in a new teams meeting:

Hope that helps, till nex time!

PassWordless Authentication with Fido 2 Keys – Part 3 – IDMelon

As you probably have seen in my previous posts, security keys are here to stay. They can be used as a separate authentication method beyond secondary authentication. There are multiple manufacturers that help us in our passwordless journey, for that reason, to the realization of this post, I used a IDMelon security key that also supports FIDO2

The main difference here with other security key, is that IDMelon uses is own security authenticator app which I will review during this post.

How it works

First of all, you need to download the app to your smartphone, which can be done in a very simply steps and then plug the security key and install the software.

Once you have done this, you can pair your smartphone and the key:

And you’re ready to go:

So, once you have done, you’re ready to go to https://aka.ms/setupmfa and configure the security key for your user account. I am not going to cover the process because it has been done in previous post, and the process is straightforward (PassWordless Authentication with Fido 2 Keys – Albandrod’s Memory (albandrodsmemory.com) PassWordless Authentication with Fido 2 Keys – Part 2 – Albandrod’s Memory (albandrodsmemory.com)

At first glance, what it takes my attention to, it was the push notification, I was expecting the typical push notification from authenticator, but in the IDMelon security key, it was provided by the application that you have installed in the smartphone earlier.

If you look deeper into this application, you can check the current plan that you have with the security key, and most important, the activity log of the security key, which I think is great!

Now, if we look into the AAD Sign in we are able to review the sign in information regarding the security Key:

To conclude, I found that IDMelon keys are a great product, because not only provides a password less journey to the users, also provides a simply way to manage the activity of the security token and also the signin process.

Thanks to IDMelon for providing this token to test out their solution

till nex time!

Assigning all users to an Azure AD Enterprise app registration

Have you ever tried to create an AzureAD application to give SSO access to an OnPrem application? I had to do it with an SAP application, the process it is straightforward, but what about giving permission to end users?

You can give nominal permission to each user who needs to access to the app or even group, but you must be aware about group limitations:

Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps

My Customer had a complex role based user permission model, so it was impossible for them for using AD/AAD groups. The workaround it is not being granular giving user permissions, it is to grant Everyone access to the app registration. To do this, we must select the “User assignment required” option in the “Properties” blade on the enterprise side of the app registration to no, which allows all logged in users to have access to the service.

Doing this, we rely on the permission given to the app to access

Easy solution, problem solved, till next time!

My two cents for 2022

Nobody can doubt that 2021 has been the year to adopt the cloud (due to COVID of course), mostly because most of us needed to work from home. We can say that business has changed and “Probably” will never go back to was it was.

Remote work will continue growing, so in 2022 we will need to protect our assets much better, and for this, here are my predictions/concerns for the next year:

  • Hacker will continue to try to breach in our systems and try to access by the weak link in supply chains. For this, we need to reduce privileges for internal and external accounts, and not forget about machine identities
  • Every business needs to reduce his own Attack Surface, to reduce the blast radius of any exposure or incident. To achieve this, tools that provide visibility into identities and activities are essential, we need to be sure of what happened and respond quickly to those incidents
  • Protect the data is your responsibility, try to plan and build security controls for your cloud migration roadmap
  • Zero Trust will continue growing, but remember to keep in touch with all the components: network, identity, permissions, configurations… The need of tools that give visibility is essential here.
  • Currently we put the focus on protecting our user identity with MFA controls, but what about machine identities? These identities and permissions are being exploited in every breach to make lateral attacks, so we will need to be aware of that during the next year.

For now, I think that it’s all, stay tuned to the blog and happy new year!

Microsoft Defender for EndPoint

This product is becoming very popular among my customers specially when they’d purchased Microsoft 365 E5 LIcenses, but, let’s have a look how we can implement this technology in our business.

But first, What is Defender for EndPoint? It’s an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Also we can onboars servers and devices indepently to the service, which is great.

What is very cool, MDE is not only available for Windows, also for iOS, Linux and Android, so we can cover almost all the spectrum of corp devices.

And most important, Microsoft Defender for Endpoint integrates seamlessly into Microsoft Endpoint Manager. You only must activate the Intune integration ones during the initial setup and your reports will flow into MEM. This allows you create and configure Security baselines, which are pre-configured groups of Windows settings that help you apply the security settings that are recommended by the relevant security teams.

If you’re using an existing AV solution, you can check out the following guidelines to migrate to MDE:

What are the high level steps to implement Microsoft Defender for Endpoint?

If you want to know more, as always Microsoft Learn is the more technical and comprehensive approach to explain products than on normal Microsoft Docs Practice security administration – Learn | Microsoft Docs and don’t forget to visit the TechCommunity: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP

Lastly, remember, you can access to the M365 Defender portal at https://security.microsoft.com

Keep safe and get some fun!

How we can help our users to avoid phising attacks in M365

As you probably now, phising is being a great threat to every organization, we receveid a lot of malicious contacts, from email to SMS, or lateley even phone.

In the blog, I’ve been taling about technology and how this technology can help administrators to avoid certain threat, but what about the end users? Can we help them of how to identity phising attempts? Yes, of course, let’s talk about some of them:

First of all, I want to talk about corporate branding, do not think in terms of marketing deparment, think about helping users to identify phising. For example, every tenant has the same identical login page, but doing some customization with:

  • organizational logo
  • Background image
  • Company message

with these easy configurations, we will help users to identify threats

Another thing that I strongly recommend to my customers is to use the Microsoft Report Message Add-In, which allows them to report malicious messages directly to Microsoft.

This addin can be deployed centrally to all users 🙂

Finally, if you have the proper license I strongly encouraged you to run regular phising campaigns inernally. With Microsoft Defender for M365 it is very easy. The main point here it is not to catch users, is to awarn them about the threats of clicking in a email.

That’s all, as you probably know, technical solutions does not prevent all situations that we have everyday, so what it is most important is user awareness which will be the first point of security of your organization.

PassWordless Authentication with Fido 2 Keys

This is something I wanted to test some time ago, and now thanks to Feitian I was able to do it. So let’s dig into detail what is passwordless with Fido2 Keys, how we can configure it in AzureAD, and what advantages provide as an end user. ¡Let’s begin!

But before dig in depper, let me explain the basics: A security key is a piece of hardware that you can connect to your computer or phone to verify your credentials when logging, unlike a password, it’s completely safe, because the configuration is different for each system.

So, what does Fido2 Keys? As you probably know, logging into a resource requires a username and password, and with MFA, it usually requires a username/password combination plus one other authentication factor, like a time-based one-time password. In this case, FIDO2 is a standards-based method of user authentication that is passwordless, supporting PIN and biometrics in security tokens

For starters, with FIDO you can:

  • Improve security with crypto-secured passwordless authentication
  • Remove the helpdesk costs associated with forgotten passwords by replacing them with a simple PIN or fingerprint
  • Remove the user-experience annoyances of long passwords to create, remember and reset so that your workforce can get on with their role simply and seamlessly.

What about the preparation of AzureAD?

For IT, At high level there is only two tasks to accomplish:

  • Enable the new authentication method registration on AzureAD
  • Enable FIDO2 as an authentication method

Easy, isn’t it?

What about the registration for end users?

In my case, how the security Key is a biometic security Key, what i needed to do first is to register my fingerprint. Once I did this (manufacturer provide details, you’re ready to go with next steps).

In order to register the security token with AzureAD, the user will need to access to https://aka.ms/setupsecurityinfo where will be able to see all the authentication method available for them:

And once the user have selected the security key option, the process of registration will begin. In my case, I selected USB device and then… I needed to provide a PIN for the security Key:

Things that you have to keep in mind, is we user have to set up their own PIN to use their key, it cannot be enforced or centralized way to manage PIN, so is probably that your users end up using PINs like 123456.

ONce you have registered the key, it will appear in the security Info Panel:

Ok, it’s great what you’re are explaining, but how it is used?

With the following video, I want to show how the process of passwordless authentication in AzureAD is done:

As you can see, the login was done without entering any user or password. If you’re conviced, and you want to start deploying Fido2 Keys in your organization, think first about the following points:

Registration

  • Control to ensure that the employee has been through sufficient identity checks to create a trusted identity.

Issuance

The organisation needs policy control over:

  • The type of FIDO device used (external USB / Bluetooth)
  • The organisation needs to consider the type of user verification required (Fingerprint / NFC)
  • The end user needs a simple experience during registration of a FIDO credential
  • The organization needs to trust the genuineness of the FIDO device being used for the FIDO credential

Lifecycle Management

  • Vision of who has been assigned which FIDO Credentials
  • Ability to simply revoke access to all systems accessed by the FIDO Credential
  • Ability to manage lost devices / replacement devices / back up devices

Authentication

  • The end user needs a simple experience to authenticate to systems, usernameless aids this process.

As you can see Fido2 Keys are great, and what is better, not only works with AzureAD, it can be used to authenticate with oter services like twitter, Instagram, etc…

Link References:

Register your key at https://aka.ms/mysecurityinfo

If you are a Microsoft 365 admin, use an interactive guide at https://aka.ms/passwordlesswizard

Does my organization need Azure AD Conditional Access?

Consider how the authentication process has traditionally worked: Organizations require users to supply a user ID and password. Then, the user can go on to access all the data, applications and other resources they’ve been granted permissions for. But what about if an attacker has stolen a user’s credentials? How can we reduce these risks? It is where Conditional access takes place 🙂

But the question is, do I really need it? It depends your case or scenario 😛 but let’s dig in depending in what you’re using:

  • Security Defaults: To help organizations establish a basic level of security, Microsoft makes security defaults available to everyone at no extra cost. This feature automatically enforces the following policies:
  1. All Users must register for AzureAD MFA
    1. Users must complete MFA challenge when they authenticate using a new device or application
    2. Administrators must complete an MFA step every time they sign in. This policy applies to nine key Azure AD roles, including Global Administrator, SharePoint Administrator, Exchange Administrator, Conditional Access Administrator and Security Administrator.
    3. Any user trying to access the Azure portal, Azure PowerShell or the Azure CLI must complete additional authentication
    4. All authentication requests made using older protocols are blocked
  • Azure AD COnditional Access: But as you can imagine, in some organizations these security defaults are not enough, they want to have more fine-grained controls, so to do this we need Conditional Access, which allows us to:
  • create a policy to require administrators — but not regular business users — to complete an MFA step
    • Use the user location and the type of protocol being used to restrict the access
    • Deny all requests that comes from a particular country, and require MFA for the rest
    • As you can see, you can create multiple policies that work together to put guardrails in place exactly where you need them

Azure AD Conditional Access is an extremely valuable tool for helping you implement a Zero Trust model, protecting the three cores of the strategy:

  • Least privilege — Helps to grant the right access at the right time to only those who need it by enabling trusted locations and IP ranges, implement stronger controls for privileged users, and control access to sensitive applications and content.
  • Verify explicitly — Continually verify identities as users move around the network by requiring MFA when users appear on new devices and from new locations.
  • Assume breach — Weak passwords, password spraying and phishing all but guarantee malicious actors are inside your network. It allows to block legacy authentication and putting stronger access controls in front of your most valuable resources.

As you can see, Azure AD Conditional Access is a powerful tool for strengthening security and ensuring regulatory compliance

Take care!

Deploying Microsoft 365 Apps

This a service that I discovered the other day, which is Office cloud policy service: lets you enforce policy settings for Microsoft 365 Apps for enterprise (what was named in the past Office 365 ProPlus) on a user’s device. It doesn’t matter if the device isn’t domain joined or otherwise managed.

The magic here flows when a user signs into Microsoft 365 Apps for enterprise on a device, then the policy settings roam to that device. Also, some other cool features is that you can enforce some policy settings for Office for the web, and anonymous users.

Some of the policies to configure are also included in GPO or in EndPoint Manager, so take into account this. But also keep in mind the following requirements:

  • At least Version 1808 of Microsoft 365 Apps for enterprise.
  • User accounts created in or synchronized to Azure Active Directory (AAD).
  • Office cloud policy service supports security groups and mail-enabled security groups created in Azure AD.
  • to create policy configurations, you need to have one of the following roles: Global Administrator, Security Administrator, or Office Apps Admin.

To enable security policy recommendations, sign in to the portal for managing Microsoft 365 Apps for enterprise, click Security, and then choose On for the Security Policy Advisor.

How Security Policy Advisor creates recommendations

When a security group has been assigned a policy configuration, Security Policy Advisor analyzes how users in that group work with Microsoft 365 Apps for enterprise. Based on this analysis and on Microsoft best practices, recommendations are created for specific security policies and insights about the impact of those policies on productivity and security.

Recommendations are usually generated within a few minutes of a policy configuration being applied to a group. On rare occasions, it may take longer. In such instances, please revisit Security Policy Advisor to check if new recommendations are available.

that’s all for know, keep playing and discover some cool jewels hided in the M365 portal

till next time!

Nested Virtualization in Azure

This post has to be in common with Nested Virtualization – Albandrod’s Memory (albandrodsmemory.com)

For all those who still don’t know what is Nested virtualization, is a feature that allows us to enable the Hyper-V role within a Virtual Machine in order to host and run Virtual Machines.

So in other words, to run a virtual machine inside an Azure Virtual Machine. When and why should be used? for:

  • Non-production workloads.
  • Testing purposes. Most suitable for scenarios where several hosts are required to test configurations.
  • Training. Building virtual infrastructure for educational purposes.
  • Development. Building and providing dedicated hosts to teams for Application development.

But you hace to be aware that not all AzVM sizes allow Nested Virtualization, I recommend you to always keep an eye for any upcoming updates/changes here.