Enabling zero trust security in your environment

Zero Trust is a principle that is coming to every business. Why? Because it helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement.

So… when we are trying to implement a Zero Trust model, we will be touching all components (user identity, device, network, and applications) so that each one is validated and, more importantly, trustworthy.

But what are the main components to be aware of? Let's go into a bit more detail on that list:

  1. Identity – Identity is the best starting point for Zero Trust. I'm a big fan of AAD identity, and Conditional Access and PIM are a great way to start
  2. Implement conditional access controls – we can stop compromised identity credentials from accessing corporate resources and, more importantly, prevent lateral movement in the network.
  3. Strengthen credentials – Weak passwords undermine the security of your identity system, so be aware of that and use MFA
  4. Integrate intelligence and behavior analytics – Having tools to automate tasks and detect anomalous behaviour is great! Keep an eye on ATP, WDATP, MCAS…
  5. Reduce your attack surface – nothing to explain here 🙂
  6. Increase security awareness – Use a Security Information and Event Management (SIEM) system to aggregate and correlate the data to better detect suspicious activities and patterns.
  7. Enable end-user self-help – users are the core of the business; we cannot enable security tools without thinking of them
  8. Don't overpromise – Zero Trust is not a single 'big bang' initiative, so keep that in mind
  9. Show value along the way – One of the most effective ways to build long-term support for a Zero Trust initiative is to demonstrate incremental value with each investment.

As you can see, a Zero Trust model is not easy to achieve, but it's a key element of any long-term modernization objective for the digital enterprise. If you want to assess your own environment, keep an eye on the following tool: Take the Zero Trust Assessment (microsoft.com)

What is Azure Data Box?

Azure Data Box is a cloud solution that lets you send terabytes of data into Azure in a quick, inexpensive, and reliable way.

Microsoft sends the data securely by shipping you a proprietary Data Box storage device. Each storage device has a maximum usable storage capacity of 80 TB and is transported to your datacenter through a regional carrier. Note that some of the points below (SSDs, 40 TB, USB/SATA) describe the smaller Data Box Disk variant of the service rather than the 80 TB Data Box device. The main features of the service are:

  1. Data is protected and secure during transit.
  2. Provides a simple, secure, SSD disk-based offering for offline data transfer to Azure or from Azure to on-premises (the Data Box Disk variant)
  3. Transport as much as 40 TB of data into Azure by connecting the disks to a computer via USB or SATA
  4. Cost: 100€ + shipping both ways + egress charges if exporting from Azure
  5. 7-10 days processing time from the device receipt date
  6. Data on the device is secured with AES 256-bit encryption at all times.
  7. The device can only be unlocked with a password provided in the Azure portal.
  8. Last but not least, once your data is uploaded to Azure, the disks on the device are wiped clean in accordance with NIST 800-88r1 standards

OK, that's cool, but… what are the use cases?

Data Box is ideally suited to transferring data sets larger than 40 TB. The data movement can be one-time, periodic, or an initial bulk transfer followed by periodic transfers. So… the possible scenarios are:

  1. One-time migration – when a large amount of on-premises data is moved to Azure, for example moving a media library from offline tapes into Azure to create an online media library, migrating your VM farm, SQL Server and applications to Azure, or moving historical data to Azure for in-depth analysis and reporting using HDInsight
  2. Initial bulk transfer – when an initial bulk transfer is done using Data Box (seed) followed by incremental transfers over the network. For example, backup partner solutions such as Commvault are used together with Data Box to move the initial large historical backup to Azure. Once complete, the incremental data is transferred to Azure Storage over the network.
  3. Bulk export – when you use online backup solutions for O365 and want to transfer the data back on-premises. You can back up the O365 data to Azure and then have it shipped to your datacenter
  4. Periodic uploads – when a large amount of data is generated periodically and needs to be moved to Azure, for example in energy exploration, where video content is generated on oil rigs and wind farms

So… as you can see, Data Box is designed to move large amounts of data to Azure with little to no impact on the network

Are you planning to take a Microsoft exam? Get a FREE voucher from Ignite!

You know that getting free training and also a free voucher is currently a bit complicated, but… you should know that all participants of Microsoft Ignite 2020 who complete at least one collection in the Microsoft Ignite Cloud Skills Challenge are eligible for a free certification exam. There are up to six different challenges to complete on Microsoft Learn.

Once you have registered to attend Ignite, you can access that information at Microsoft Ignite | Cloud Skills Challenge

Almost all of the currently generally available exams are included, but you can check the full Eligible exams list

Don't miss the chance to get certified!

How to avoid M365 Security Concerns

Using the M365 ecosystem enables us to collaborate and share data without problems, but nowadays companies are concerned about security and the holes that those applications open in organizations.

Even though we are ultimately responsible for protecting our sensitive data, there are native security capabilities to address Microsoft Office 365 security concerns. Moreover, there are third-party solutions that can help us ensure a strong security posture across the entire infrastructure.

So let's list the common concerns that I have gathered from my experience with M365:

  • Unauthorized or external file sharing: enabling users to collaborate with external users in applications like Teams and SharePoint
  • Privilege abuse: having a user with more permissions than they need. It is obvious, but excessive rights increase the risk of a data breach…
  • Global Admin account breach: this is game over. If someone gains access to that type of account, forget everything, it could be a disaster… If you have accounts like that, enforce MFA on them
  • Disabled audit logs: check whether auditing is enabled, as it may not be on by default, and for me it is very powerful to know which actions users are performing
  • Short log retention: by default Microsoft stores our logs for 90 days; if you need to archive those logs for longer, keep that in mind.

So what can we do to overcome those concerns?

  • Enable MFA: it is a very powerful resource and we have it for free, so… use it. If you have the license, try it together with Conditional Access
  • Use DLP and email encryption
  • Classify data: it helps to understand the value of the content in order to apply appropriate security controls. For example, apply labels that prevent documents from being shared with external users, or even disable that option
  • Minimize privileges: revoke excessive permissions and set expiration dates on sharing links
  • Use Unified Audit Logging: in order to gain visibility across the M365 environment
  • Use ATP, which can block malicious attachments in phishing emails or even verify URLs in messages and documents
  • Use Cloud App Security: in order to discover shadow IT, control permissions in M365, application access, etc…

There is no magic for addressing concerns in M365, but the path is to gain visibility into the environment, investigate threats and, if that is your case, maintain regulatory compliance

Protecting your network: Azure ATP

In a previous blog post (https://albandrodsmemory.wordpress.com/2020/03/10/brief-introduction-to-atp/) I was talking about the protection measures that we have against attackers, but today I want to go deeper into Azure ATP.

Azure Advanced Threat Protection (Azure ATP) assists security professionals in monitoring on-premises Active Directory to identify, detect, and protect from advanced threats and malicious activities. 

Azure ATP is a cloud-based service that uses sensors installed on the domain controllers to track authentication activities. Azure ATP gives IT the tools to proactively assess the environment:

  • Monitor users, entity behavior, and activities with learning-based analytics 
  • Protect user identities and credentials stored in Active Directory 
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain 
  • Provide clear incident information on a simple timeline for fast triage 

Once the portal and the sensors have been enabled and tuned, ATP gives you access to information such as:

  • Lateral movement paths of sensitive accounts 
  • Modification of sensitive groups 
  • Passwords exposed in clear text 
  • Summaries of suspicious activities and health issues 

For those not familiar with all that language, let me make it clear: Azure ATP shows, in plain language and graphics, which suspicious activities were identified on the network, and the actors and computers involved in the threats.

Moreover, alerts are graded by severity, color-coded, and organized by threat phase. Each alert is designed so you can quickly understand exactly what is occurring on the network.

As you can see, Azure ATP is a great tool, and if you combine it with MDATP, you will have a clear line of defense against attackers.

Top 20 Use cases for MCAS

Did you know the full capabilities of Microsoft Cloud App Security? Microsoft Cloud App Security (MCAS) is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services.

But… based on my personal experience with customers, what are the top 20 use cases?

  1. Discover all cloud apps and services used in your organization
  2. Assess the risk and compliance of your cloud apps
  3. Govern discovered cloud apps and explore enterprise-ready alternatives
  4. Enable continuous monitoring to automatically detect new and risky cloud apps
  5. Detect when data is being exfiltrated from your corporate apps
  6. Discover OAuth apps that have access to your environment
  7. Gain visibility into corporate data stored in the cloud
  8. Enforce DLP and compliance policies for sensitive data stored in your cloud apps
  9. Ensure safe collaboration and data sharing practices in the cloud
  10. Protect your data when it’s downloaded to unmanaged devices
  11. Enforce adaptive session controls to manage user actions in real-time
  12. Record an audit trail for all user activities across hybrid environments
  13. Identify compromised user accounts
  14. Detect threats from users inside your organization
  15. Detect threats from privileged accounts
  16. Identify and revoke access to risky OAuth apps
  17. Detect and remediate malware in your cloud apps
  18. Audit the configuration of your IaaS environments
  19. Monitor user activities to protect against threats in your IaaS environments
  20. Capture user activities within custom cloud and on-premises apps.

Conditional Access extension for Chrome

If you're implementing Conditional Access in your company and you're struggling with Windows 10 devices and Chrome support, you will probably need to visit this Docs link: https://docs.microsoft.com/es-es/azure/active-directory/conditional-access/concept-conditional-access-conditions#chrome-support

But in this post I want to talk about something related to it. In one of my projects, I have a CA policy that requires one of the following selected controls: Require MFA or Require Hybrid Azure AD joined device

My device was hybrid joined, so I was fulfilling one of the requirements: for example, when I was accessing with IE or Edge, the device info was passed properly and MFA was bypassed for hybrid AAD machines.

But with Chrome, even with the Windows 10 Accounts extension pushed via GPO, I was able to see in the Azure sign-in logs that the device info was blank except for Browser and OS, so the AAD join status was not passed and MFA triggered. It was very weird and it was causing me some problems…

So finally, after hours of troubleshooting, I figured out what was wrong. When you automatically install the extension, it doesn't clear some cookies, so Chrome keeps trying to use the old way of logging in. In this case what you need to do is go to chrome://settings/content/all and delete the cookies for login.microsoftonline.com

After doing that, everything was working perfectly. Keep that in mind!!

What is really PIM?

Currently, in all the projects I'm involved in, I'm trying to use security best practices, including the use of PIM. Privileged Identity Management is a service available in Azure AD as part of Azure AD Premium Plan 2. It is used for all admin-related tasks, so that no employee has standing access within the company, reducing the attack surface.

PIM makes it possible to give a user the privilege to elevate his or her access rights for a preset amount of time to a higher role such as User Administrator or SharePoint Administrator.

PIM gives access to a huge number of roles in Office 365 and Azure resources, where the user is by default a reader and can elevate to be an owner of a resource (group) for a specific amount of time (which is great!)

Activating a PIM role is done by going to the Azure portal and selecting the role you want to elevate to. You need to do this for every role separately.

For example, imagine that you have members who need to elevate their account daily to be SharePoint and User Administrators, so they need to do this every day. After activating, they need to sign out and sign in again to make sure the roles are active.

No more giving a role to a user and forgetting which role we gave them…


Governance in M365 – Export all Flows in your tenant

First of all, you will need to install the Power Apps and Flow for Admins modules, which can be done using the following commands:

  • Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
  • Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber


Once that is done, you're ready to go. Sign in first with Add-PowerAppsAccount and then run:

Get-AdminFlow | ForEach-Object {
    # Resolve the creator's object ID to a user so the CSV carries a name and UPN
    $user = Get-UsersOrGroupsFromGraph -ObjectId $_.CreatedBy.userId
    [PSCustomObject]@{
        FlowName   = $_.DisplayName
        OwnerName  = $user.DisplayName
        OwnerEmail = $user.UserPrincipalName
    }
} | Export-Csv -Path .\Flows.csv -NoTypeInformation

In case you need to export the connections, you can execute the following command:

Get-AdminPowerAppEnvironment -Default | Get-AdminPowerAppConnection

Discover who invited guest users with Log Analytics

Reading my posts, you will probably know that I am a big fan of Log Analytics, so in this post we are going to examine the Azure AD logs in order to discover who invited a specific guest account, because sometimes it can be quite a challenge to find this information…

So first of all, we need to forward the audit logs from AAD to a Log Analytics workspace (the AuditLogs category in the Azure AD diagnostic settings). Once we have done this, we can execute the following query:

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'


As you can see in the image, this query shows some basic information about the invitations (InitiatedBy is who sent the invitation and TargetResources is the invited guest). But if you want to find all accepted invitations, you can execute the following…

AuditLogs
| where OperationName == 'Invite external user' and Result == 'success'
| extend InvitationId = tostring(AdditionalDetails[0].value)
| join (
    AuditLogs
    | where OperationName in ('Redeem external user invite')
    | parse kind=regex tostring(TargetResources[0].displayName) with * "InvitationId: " InvitationId:string ","
    ) on $left.InvitationId == $right.InvitationId
| project InvitedAt = TimeGenerated,
          Inviter = tostring(InitiatedBy.user.userPrincipalName),
          Guest = tostring(TargetResources[0].userPrincipalName),
          RedeemedAt = TimeGenerated1

Once we have done that, we can include this information in our governance plan, or even create some Log Analytics alerts in order to be sure that everything is happening under our security umbrella
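The same correlation done offline in Python, as an added example by the editor and not code from the original post: it runs the invite/redeem join over rows shaped like the AuditLogs table (dynamic columns already parsed from JSON) so you can test the logic, or an exported result set, without a workspace. The sample rows are constructed, and the 'InvitationId: <id>,' displayName format and the AdditionalDetails key name are assumptions based on the fields the query above parses.

```python
"""Correlate Azure AD 'Invite external user' rows with 'Redeem external user invite' rows.

Editor's example, not the original post's code. Row shapes below are
assumptions modelled on the AuditLogs columns the KQL query parses.
"""
import re
from typing import Dict, List, Optional

# Constructed sample rows (not real tenant data).
SAMPLE_AUDIT_LOGS: List[dict] = [
    {   # successful invitation sent by alice
        "TimeGenerated": "2020-11-02T09:14:05Z",
        "OperationName": "Invite external user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example"}],
        "AdditionalDetails": [{"key": "invitationId", "value": "inv-0001"}],
    },
    {   # successful invitation by carol, never redeemed
        "TimeGenerated": "2020-11-02T10:30:00Z",
        "OperationName": "Invite external user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "dave_partner.example#EXT#@contoso.example"}],
        "AdditionalDetails": [{"key": "invitationId", "value": "inv-0002"}],
    },
    {   # failed invitation attempt; ignored just like "Result == 'success'" does
        "TimeGenerated": "2020-11-02T10:31:00Z",
        "OperationName": "Invite external user", "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "eve_partner.example#EXT#@contoso.example"}],
        "AdditionalDetails": [{"key": "invitationId", "value": "inv-0003"}],
    },
    {   # redemption of the first invitation by the guest
        "TimeGenerated": "2020-11-03T08:02:41Z",
        "OperationName": "Redeem external user invite", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "bob_fabrikam.example#EXT#@contoso.example"}},
        "TargetResources": [{"displayName": "InvitationId: inv-0001, SourceInviteType: Email"}],
        "AdditionalDetails": [],
    },
]

# Same extraction the KQL 'parse' does: text between "InvitationId: " and the next comma.
INVITATION_ID_RE = re.compile(r"InvitationId: ([^,]+),")


def invitation_id_of_invite(row: dict) -> Optional[str]:
    """InvitationId of an invite row (the query reads AdditionalDetails[0].value)."""
    details = row.get("AdditionalDetails") or []
    for detail in details:  # prefer a key lookup when the key is present
        if str(detail.get("key", "")).lower() == "invitationid":
            return detail.get("value")
    return details[0].get("value") if details else None


def invitation_id_of_redeem(row: dict) -> Optional[str]:
    """InvitationId parsed out of TargetResources[0].displayName of a redeem row."""
    targets = row.get("TargetResources") or []
    if not targets:
        return None
    match = INVITATION_ID_RE.search(str(targets[0].get("displayName", "")))
    return match.group(1) if match else None


def correlate_invitations(rows: List[dict]) -> List[dict]:
    """Left-join successful invitations to their redemptions on InvitationId."""
    invites: Dict[str, dict] = {}
    for row in rows:
        if row.get("OperationName") == "Invite external user" and row.get("Result") == "success":
            inv_id = invitation_id_of_invite(row)
            if inv_id:
                invites[inv_id] = {
                    "invitation_id": inv_id,
                    "inviter": row.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName"),
                    "guest": (row.get("TargetResources") or [{}])[0].get("userPrincipalName"),
                    "invited_at": row.get("TimeGenerated"),
                    "redeemed_at": None,
                }
    for row in rows:
        if row.get("OperationName") == "Redeem external user invite":
            inv_id = invitation_id_of_redeem(row)
            if inv_id in invites:  # redemptions with no known invitation are ignored
                invites[inv_id]["redeemed_at"] = row.get("TimeGenerated")
    return sorted(invites.values(), key=lambda r: r["invited_at"])


def pending_invitations(rows: List[dict]) -> List[dict]:
    """Invitations sent but not yet redeemed: worth reviewing in a governance plan."""
    return [r for r in correlate_invitations(rows) if r["redeemed_at"] is None]


def inviter_of(rows: List[dict], guest_upn: str) -> Optional[str]:
    """Answer the post's question: who invited this guest account?"""
    for record in correlate_invitations(rows):
        if record["guest"] == guest_upn:
            return record["inviter"]
    return None


if __name__ == "__main__":
    for record in correlate_invitations(SAMPLE_AUDIT_LOGS):
        print(record)
```

Unlike the inner join in the KQL above, this keeps invitations that were never redeemed (`pending_invitations`), which is the list you usually want to review or alert on.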