This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.
Hi everyone! Brandon Wilson here once again with this month’s “Check This Out!” (CTO!) guide.
These posts are only intended to be your guide, to lead you to some content of interest, and are just a way we are trying to help our readers a bit more, whether that is learning, troubleshooting, or just finding new content sources! We will give you a bit of a taste of the blog content itself, provide you a way to get to the source content directly, and help to introduce you to some other blogs you may not be aware of that you might find helpful. If you have been a long-time reader, then you will find this series to be very similar to our prior series “Infrastructure + Security: Noteworthy News”.
From all of us on the Core Infrastructure and Security Tech Community blog team, thanks for your continued reading and support!
Title: Announcing Landing Zone Accelerator for Azure Arc-enabled SQL Managed Instance
Source: Azure Arc
Author: Lior Kamrat
Publication Date: October 12, 2022
Content excerpt:
With both Azure Arc-enabled servers and Kubernetes Landing Zone Accelerators already generally available, today we're launching the Azure Arc-enabled SQL Managed Instance landing zone accelerator within the Azure Cloud Adoption Framework.
The new solution provides hybrid and multicloud scenarios within the Azure Cloud Adoption Framework, a proven set of guidance designed by subject matter experts across Microsoft to help customers create and implement the business and technology strategies necessary to succeed in the cloud, as well as a way to automate a fully deployed Azure Arc-enabled SQL Managed Instance environment, making implementation faster.
Title: New Hybrid Deployment Options for AKS Clusters From Cloud to Edge, Enabled by Azure Arc
Source: Azure Arc
Author: Abhilasha Agarwala
Publication Date: October 12, 2022
Content excerpt:
Since announcing the availability of Azure Kubernetes Service (AKS) on Azure Stack HCI and AKS on Windows Server, we’ve seen customers run their containerized workloads on AKS clusters in datacenters, retail stores, factories and even ships.
Today, we’re excited to introduce new features for at-scale AKS hybrid cluster life cycle management and the opportunity to utilize existing on-premises investments and help reduce costs that often come with modernization efforts. We’re also introducing a new AKS hybrid deployment option so you can run lightweight managed AKS on small, remote edge devices.
At Microsoft Ignite 2022, we’re announcing new features and hybrid deployment options from cloud to edge, enabled by Azure Arc, for AKS clusters running in your datacenter, branch offices, and edge locations.
Title: Active Directory Connector (ADC) for Arc-Enabled SQL Managed Instance Is Now Generally Available!
Source: Azure Arc
Author: Mikhail Almeida
Publication Date: October 13, 2022
Content excerpt:
Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication.
To facilitate this, Azure Arc-enabled data services introduce a new Kubernetes-native Custom Resource Definition (CRD) called Active Directory Connector. It provides Azure Arc-enabled SQL Managed Instances running on the same data controller the ability to perform Active Directory authentication.
Title: Consistently Upgrade Your Server TLS Protocol Using Azure Arc and Automanage Machine Configuration
Source: Azure Arc
Author: aurnovcy
Publication Date: October 27, 2022
Content excerpt:
The need to upgrade server TLS protocols is clear given the security vulnerabilities identified with TLS versions 1.0 and 1.1. Notable cryptographic threats impacting these previous TLS versions include BEAST, POODLE, and HEARTBLEED. As of 2020, TLS versions 1.0 and 1.1 are no longer supported. TLS 1.2 is required to maintain secure connections and offers higher performance on top of improved reliability.
Using Azure Automanage Machine Configuration, you can configure your secure communications protocol across servers running both within and beyond Azure. Through Azure Arc-enabled servers, you can extend Azure Policies to deploy and audit configurations in-guest through Azure Automanage Machine Configuration to non-Azure infrastructure. This is because the Connected Machine agent, powering Arc-enabled servers, has a built-in Machine Configuration component.
Title: Announcing Sustainability Guidance in the Azure Well-Architected Framework
Source: Azure Architecture
Author: Tobias Zimmergren
Publication Date: October 12, 2022
Content excerpt:
Increasingly, customers are asking questions related to sustainability and energy efficiency, such as: ‘Is our application efficient?’ ‘Are we utilizing the allocated resources fully, and are these optimized enough?’ By efficiency, the expectation might be energy efficiency, hardware efficiency, or efficient use of any other consumed resource. These questions highlight the growing importance of sustainability in cloud optimization, from reducing carbon emissions and energy utilization to refactoring for agility at a lower cost.
As part of Microsoft’s ongoing commitment to promote sustainable development and low-carbon business practices globally, we’ve recently released sustainability guidance within the Azure Well-Architected Framework (WAF) designed to help you optimize cloud workloads for green IT.
Title: Setup Hybrid Joined AVD Single Sign-On
Source: Azure Architecture
Author: Mei Liu
Publication Date: October 10, 2022
Content excerpt:
Azure Virtual Desktop SSO allows us to skip the session host credential prompt and automatically sign in the AVD users when connecting to the VMs. Without SSO, the AVD client will prompt end users for their session host credentials for every connection.
Single sign-on is available on AVD session hosts using the following operating systems:
- Windows 11 Enterprise single or multi-session with the 2022-09 Cumulative Updates for Windows 11 Preview (KB5017383) or later installed.
- Windows 10 Enterprise single or multi-session, versions 20H2 or later with the 2022-09 Cumulative Updates for Windows 10 Preview (KB5017380) or later installed.
- Windows Server 2022 with the 2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381) or later installed.
Title: Optimize and Maximize Cloud Investment with Azure Savings Plan for Compute
Source: Azure Compute
Author: Kyle Ikeda
Publication Date: October 12, 2022
Content excerpt:
As a cloud provider, we are committed to helping our customers get the most value out of their cloud investment through a comprehensive set of pricing models, offers and benefits that adapt to customers' unique needs. Today, we are announcing Azure savings plan for compute. With this new pricing offer, customers will have an easy and flexible way to save up to 65%* on compute costs, compared to pay-as-you-go pricing, in addition to existing offers in market including Azure Hybrid Benefit and Reservations.
Title: New Regions and Managed Identity Support for Azure Container Instances with Azure Virtual Networks
Source: Azure Compute
Author: MacKenzie Olson
Publication Date: October 5, 2022
Content excerpt:
With this update, Azure Container Instances customers can now:
- Deploy container groups in an Azure Virtual Network in nearly every supported commercial ACI region with a maximum resource request of 4 vCPU and 16 GB
- Use Managed Identity to store and access credentials for container groups running in an Azure Virtual Network
- Connect securely to critical network-protected resources such as Azure Container Registry (ACR) and Azure Key Vault (AKV) using Trusted Services authentication
Title: General Availability: Simplified Disaster Recovery for VMware Machines Using Azure Site Recovery
Source: Azure Compute
Author: Sharmistha Rai
Publication Date: October 9, 2022
Content excerpt:
Today we’re officially announcing the general availability of a simpler, more reliable, and modernized way to protect your VMware virtual machines using Azure Site Recovery, for recovering quickly from disasters. We are now offering these enhancements:
- Stateless ASR replication appliance
- Automatic upgrades for ASR replication appliance and mobility agent
- Easier scale management
- High availability for appliances
Title: Now in Preview – Spot Priority Mix for Azure Virtual Machine Scale Sets
Source: Azure Compute
Author: Rajeesh Ramachandran
Publication Date: October 12, 2022
Content excerpt:
Today we are announcing the preview of Spot priority mix for Azure Virtual Machine Scale Sets (VMSS) with flexible orchestration. This new capability allows you to create and expand a VM (virtual machine) scale set containing both Spot VMs and standard VMs. You will now have the flexibility to run a mix of standard and Spot VMs for VMSS deployments, and easily achieve a balance between availability and lower infrastructure costs based on your workload requirements.
Title: Create Emergency Access Accounts for Azure AD and Use Log Analytics to Monitor Sign-ins from Them
Source: Core Infrastructure and Security
Author: Michael Hildebrand
Publication Date: October 31, 2022
Content excerpt:
Hopefully, you have monitoring and alerting for sign-ins by your elevated/sensitive/admin IDs – likely via a SIEM. This should include the break-glass IDs, obviously.
However, you might consider a simple Azure Monitor/Alert for these BG accounts, too. In my example here, every 5 minutes, a query runs against my Azure AD sign-in log data (that is streaming into a Log Analytics Workspace), trolling for attempted sign-in events from the specified IDs.
Title: Estimating Azure Diagnostics Cost
Source: Core Infrastructure and Security
Author: Helder Pinto
Publication Date: October 24, 2022
Content excerpt:
There are many good reasons to enable Azure Diagnostics on your Azure PaaS resources, for example, auditing who has been accessing a Key Vault, troubleshooting failed requests to a Storage Account, doing a forensic analysis of a compromised Azure SQL Server, etc. Azure resource logging is recommended as part of the Operational Excellence and Security pillars of the Well-Architected Framework. Furthermore, you’ll also increase your Azure Secure Score, as enabling auditing and logging is one of the assessed controls of your security posture.
Title: Introduction to Network Trace Analysis 2: Jumping into TCP Connectivity
Source: Core Infrastructure and Security
Author: Will Aftring
Publication Date: October 17, 2022
Content excerpt:
Howdy everyone, I hope you're hungry; we have a feast of information we will be going through today. Our topic will be the Transmission Control Protocol (TCP) and what you need to know.
Now, TCP is a monster, so to keep this post from being too long, I'll save TCP performance for another day.
Why is this important?
You may be wondering why I am dedicating a full post to a single protocol. Well, it's really very simple. All your favorite applications and protocols use TCP!
- HTTP
- SMB
- Windows Communication Foundation
- And many more!
Title: Internet of PowerShell
Source: Core Infrastructure and Security
Author: Felipe Binotto
Publication Date: October 9, 2022
Content excerpt:
I’m excited to write this post because I bumped into this nice little app which connects to an IoT Hub and lets us run scripts on-premises or in the cloud from anywhere in the world without any requirement for inbound ports.
The credits go to @Scott Holden (AUSTRALIA) who wrote the app (I’m also borrowing his app name as the title of this post) and @Marc Kean who told me about it. I have forked his project for this demonstration, but you can find the original project HERE.
I have recently used its functionality as part of a Start/Stop VM solution based on Automation Account. The customer was using SCOM on-premises and had the requirement to put the server in maintenance mode before the server could be stopped. The Automation Account can’t access on-premises resources and I would have to use a Hybrid Worker; however, this is much cooler and simpler.
I won’t get into the details around SCOM, but I will demonstrate how you can set it up and run the script from anywhere with a simple call to the IoT Hub.
Title: Azure Enterprise Policy as Code – Azure Landing Zones Integration
Source: Core Infrastructure and Security
Author: Anthony Watherston
Publication Date: October 3, 2022
Content excerpt:
Welcome to Part 2 in a series about using the Enterprise Policy as Code project to deploy and manage Azure Policy in your environment. This article covers integration with Azure Landing Zones and how to integrate the policies applied in that solution with this code.
Title: Announcing General Availability of Support for Azure Availability Zones in the Host Pool Deployment
Source: Azure Virtual Desktop
Author: Tom Hickling
Publication Date: October 10, 2022
Content excerpt:
I am pleased to announce that you can now automatically distribute your session hosts across any number of availability zones. This enables you to take full advantage of the built-in Azure resiliency options from within the same deployment process.
This has been a feature request from many of our customers, and I'm pleased to announce the host pool deployment process has been improved so it now supports deploying into up to three availability zones in Azure regions that support them.
Title: Azure Premium SSD v2 Disk Storage: General Availability
Source: Azure Storage
Author: Aung Oo
Publication Date: October 12, 2022
Content excerpt:
We are excited to announce the general availability (GA) of Premium SSD v2, the next generation of Microsoft Azure Premium SSD Disk Storage that offers the most advanced general purpose block storage solution with the best price-performance. Premium SSD v2 offers sub-millisecond disk latencies for demanding IO-intensive workloads at a low cost. Customers can use that to improve the price-performance of a broad range of enterprise production workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data, analytics, and gaming, on virtual machines or stateful containers.
Title: Workload Deployment Shouldn’t Be Different On Cloud & On-Premises Infrastructure
Source: Azure Stack
Author: Kilol Surjan
Publication Date: October 12, 2022
Content excerpt:
A hybrid strategy in IT infrastructure shouldn’t be cumbersome for your application team. The fact that your IT needs to span across cloud and on-premises infrastructure shouldn’t mean that your app owners have 2X more work in order to provision & manage their applications.
In Azure, we believe that the concepts of provisioning & managing a workload should be the same no matter where it is being deployed. The tools should not change whether you are managing your workload in Azure public cloud or on Azure Stack HCI in your datacenter or edge location. And that is why we are introducing Azure Resource Manager (ARM) templates for end-to-end automated deployment of your workloads.
Title: Retrieve Cloud Service Extended Support detail via PowerShell
Source: Azure PaaS
Author: Jerry Zhang
Publication Date: October 12, 2022
Content excerpt:
This blog is mainly about how to retrieve the CSES configuration via PowerShell and REST API. It will cover the following sections:
- PowerShell command to get the CSES configuration
- PowerShell to send out REST API request to get the CSES configuration
- Sample to retrieve OS Family, OS Version and any other data
Title: Deployment Failure of Private Endpoint Via Managed Application or ARM Template
Source: Azure PaaS
Author: Mo Shi
Publication Date: October 17, 2022
Content excerpt:
The purpose of this blog is to share one of the failure scenarios that users may encounter during the deployment of Private Endpoint via Managed Application or ARM template.
Symptom:
In complete mode (Deployment modes - Azure Resource Manager | Microsoft Learn), the resources in the resource group that are not specified in the template will be deleted by Resource Manager. However, during the deployment of Private Endpoint, the Network Interface (NIC) is generated automatically as a separate resource with a randomly given name, so this NIC cannot be defined in the template. As a result, the NIC that is not defined in the ARM template will be deleted in the complete mode of deployment, but this action will be blocked because the Private Endpoint is currently referencing this NIC.
Title: Azure DDoS Standard Protection Now Supports APIM in VNET Integration
Source: Azure Network Security
Author: Saleem Bseeu
Publication Date: October 4, 2022
Content excerpt:
Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against volumetric and protocol DDoS attacks, such as adaptive real-time tuning, always-on traffic monitoring, Azure DDoS Rapid Response support, cost protection, telemetry, monitoring, and alerting.
DDoS Protection Standard currently supports public IPs in ARM-based VNets such as Load Balancers, Bastion, Azure Firewall and Application Gateway. Now you can also protect your public IPs attached to VNet-integrated Azure API Management (APIM) instances with Azure DDoS Protection Standard.
Title: Public Preview: Immutable Vaults with Azure Backup
Source: Azure Governance and Management
Author: Utsav Raghuvanshi
Publication Date: October 26, 2022
Content excerpt:
Azure Backup recently launched the public preview of immutable vaults that can help you protect your backup data better against ransomware attacks and other malicious actors. Immutable vaults protect your backups by blocking any operations that could lead to loss of recovery points if misused. Further, you can lock the immutability setting to make it irreversible, which can prevent malicious actors from disabling immutability and deleting backups.
Immutability is supported for Recovery Services vaults as well as Backup vaults.
Title: Azure Portal September 2022 Updates
Source: Azure Governance and Management
Author: Allison Cordle
Publication Date: October 25, 2022
Content excerpt:
The update for this month in the Azure portal includes updates to Azure Service Bus.
Messaging Services > Service Bus
Title: Generally Available: Simplify Management and Operations with Azure Automanage Machine Best Practices
Source: Azure Governance and Management
Author: Akanksha Agrawal
Publication Date: October 12, 2022
Content excerpt:
We are thrilled to announce that Azure Automanage Machine Best Practices is now generally available for Azure VMs and Arc-enabled servers!
Azure Automanage machine best practices is a consolidated management solution that simplifies daily server management through effortless automation by handling the initial setup and configuration of Azure best practice services such as Azure Monitor, Backup, Microsoft Defender, Update Management, etc. Automanage continuously monitors machines across their entire lifecycle automatically bringing them back into conformance should they drift from the desired state.
Title: Azure Policy Announces Enhancements for Gradual Rollout, Custom Evaluations & Kubernetes Policy!
Source: Azure Governance and Management
Author: Neha Kulkarni
Publication Date: October 12, 2022
Content excerpt:
Azure Policy is excited to roll out some new features & additional support for the features you've gotten to know and love. These features provide enhancements to roll out your policies in a safe & secure manner, easily exempt or apply policy evaluation to certain resources at-scale, create policies for your Kubernetes clusters, as well as, for the first time, reflect your custom attestation scenarios in Azure Policy!
Title: Upgrading Your Server and Client TLS Protocol Just Got Easier Using Automanage Machine Configuration
Source: Azure Governance and Management
Author: Jodi Boone
Publication Date: October 12, 2022
Content excerpt:
Ensuring secure communication protocols across server environments has been a clear requirement for IT admins, operators, and developers for the past two decades. What wasn’t clear was how to set a desired communication protocol and maintain this at scale, until now.
To prevent bad actors from accessing or disrupting sensitive data as it moves through the internet, we have relied on various cryptographic protocols over the years, namely Secure Sockets Layer (SSL) and Transport Layer Security (TLS). As weaknesses were discovered, new versions of SSL and then TLS were created, and although technologies have evolved, so have the tactics of hackers and other cyber criminals.
Title: Deliver Organizational Messages with Windows 11 and Microsoft Intune
Source: Windows IT Pro
Author: Jesse Stein
Publication Date: October 12, 2022
Content excerpt:
Based on ongoing conversations with IT admins, Microsoft recognized that global organizations that adopted hybrid work needed better tools to onboard, connect, and engage their users.
We developed organizational messages for Windows 11. It is configurable through Microsoft Intune to provide IT admins the ability to reach people within their organization with key messages that are delivered natively on Windows 11. IT admins identified onboarding and information updates as the main areas of opportunity for user engagement. As a result, we have enabled organizational messages delivery from IT admins natively in Windows 11 in the Get Started app to support user onboarding and in the taskbar and Windows notifications to support information updates. Admins use these messages to help users ramp up in new roles, learn about their organization, stay informed of new updates, and schedule requisite trainings.
Title: Windows Hello for Business Hybrid Cloud Kerberos Trust is Now Available!
Source: Windows IT Pro
Author: Sayali Kale
Publication Date: October 12, 2022
Content excerpt:
We are excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model that enables a passwordless sign-in experience. With this new model, we've made Windows Hello for Business much easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI) and Azure Active Directory (Azure AD) Connect synchronization wait times.
Title: DCOM Authentication Hardening: What You Need To Know
Source: Windows IT Pro
Author: David Zhu
Publication Date: October 19, 2022
Content excerpt:
Hardening represents a means of investigating and reducing the number of systems across your organization with potential weaknesses, and then taking steps to secure them from malicious actors and their increasingly creative cyberthreats. Hardening has been applied across the industry to servers, software applications, operating systems, databases, networks, projects, repositories, services, policies, platforms, and more.
In this article, we'll explore how we're hardening Distributed Component Object Model (DCOM).
Title: Create an Azure Kubernetes Service (AKS) Cluster with API Server VNET Integration Using Bicep
Source: FastTrack for Azure
Author: Paolo Salvatori
Publication Date: October 4, 2022
Content excerpt:
This article shows how to deploy an Azure Kubernetes Service (AKS) cluster with API Server VNET Integration. AKS clusters with API Server VNET integration provide a series of advantages, for example, they can have public network access or private cluster mode enabled or disabled without redeploying the cluster. You can find the companion code in this GitHub repo.
Title: App Service Hybrid Connections: Is It Fast Enough?
Source: FastTrack for Azure
Author: Andre Dewes
Publication Date: October 4, 2022
Content excerpt:
App Service Hybrid Connections offers a quick and uncomplicated way to reach your on-premises services in scenarios where there aren't other networking solutions like VPN or ExpressRoute available. Normally, you don't even need to open any firewall ports in your on-premises environments, because it only requires an outbound HTTP connection over port 443 towards Azure to work. Behind the scenes, it is a TCP relay proxy over websockets. It only works to reach services that run on TCP protocols, not UDP.
Therefore, it might be a good fit if you are planning to migrate your application(s) to Azure App Service but this app has dependencies on on-premises databases or APIs and your networking team is not yet ready to set up a VPN/ExpressRoute connection between these environments. The migration work can be unblocked using Hybrid Connections towards these external dependencies with no code changes within your app.
Title: Use Azure AD Workload Identity for Kubernetes with a User-Assigned Managed Identity
Source: FastTrack for Azure
Author: Paolo Salvatori
Publication Date: October 17, 2022
Content excerpt:
This article and the companion Azure code sample show how to use Azure AD workload identity for Kubernetes in a .NET Standard application running on Azure Kubernetes Service. It leverages the public preview capability of Azure AD workload identity federation and a user-assigned managed identity.
Title: Microsoft Expands Device Management for Android
Source: Endpoint Management
Author: Priya Ravichandran
Publication Date: October 5, 2022
Content excerpt:
Microsoft is pleased to announce the ability to manage and protect data on corporate devices that run on Android Open Source Project (AOSP) is generally available with Microsoft Intune as a part of Microsoft Endpoint Manager.
Title: Reduce Your Overall TCO with a New Microsoft Intune Plan
Source: Endpoint Management
Author: Dilip Radhakrishnan
Publication Date: October 12, 2022
Content excerpt:
We are pleased to announce that Microsoft will launch a new suite of advanced endpoint management solutions in March 2023 together in one, cost-effective plan. This new plan will help you go further in simplifying endpoint management, protecting your hybrid workforce, and delivering better user experiences across your organization.
Title: Introducing the Microsoft Intune Product Family
Source: Endpoint Management
Author: Michael Wallent
Publication Date: October 12, 2022
Content excerpt:
Today, we're announcing that Microsoft Intune will be the name of the growing product family for all things endpoint management at Microsoft. We are committed to continued investment in the core of Intune with enhancements to the features, performance, and Microsoft 365 integration you expect from us. Another critical part of our vision is building our suite of advanced endpoint management solutions in the cloud, all under the Intune product family. Configuration Manager will remain a key part of that family – and we will continue to meet you where you are with co-management capabilities that help you migrate workloads to the cloud. The name Microsoft Endpoint Manager will no longer be used. Going forward, we'll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.
Title: PowerShell 7 – Latest Features, Roadmap and a Chat with the PowerShell Product Group
Source: ITOps Talk
Author: April Edwards
Publication Date: October 17, 2022
Content excerpt:
Many of us use PowerShell every day and we each use various versions in our personal and corporate environments. PowerShell 7 has some awesome features that many of us don’t even know about. Thomas Maurer and I took some time to speak to the PowerShell Team to find out all about PowerShell 7. We were joined by Jason Helmick, Michael Greene, Damian Caro, Danny Maertens, and Stephen Bucher...all of whom taught us so much in this video.
Title: Protect Your Environment Against Hybrid Identity Attacks
Source: Microsoft 365 Defender
Author: Eran Nachshon
Publication Date: October 10, 2022
Content excerpt:
Most organizations are on a path to fully migrating to a cloud-based identity and access management (IAM) solution like Azure Active Directory (Azure AD). Platforms like Azure AD are more scalable, more secure, and support the latest methods of user authentication when accessing organizational resources and applications. However, transitioning from on-premises IAM solutions takes time - and while customers embark on that journey, Microsoft offers cloud-powered protections for those on-premises resources to ensure that they’re best protected against the latest identity-targeted threats.
Microsoft 365 Defender provides comprehensive protection for identities across the Microsoft identity stack. Within that, Defender for Identity supports hybrid identity configurations via an Active Directory Federation Services sensor, to protect the AD FS infrastructure and alert security teams to AD FS-based threats. This enables Microsoft to protect environments where AD FS is in use, as Defender for Identity goes beyond just relying on the authentication happening on the domain controller, and instead collects additional context and data directly from AD FS.
Title: Announcing Microsoft Cloud Security Benchmark (Public Preview)
Source: Microsoft Defender for Cloud
Author: Jim Cheng
Publication Date: October 13, 2022
Content excerpt:
Today, we are announcing the successor of the Azure Security Benchmark: the Microsoft cloud security benchmark. The Microsoft cloud security benchmark (MCSB) v1 is an expanded and enhanced version of Azure Security Benchmark v3 with a new layer of multicloud security guidance. Currently, a full set of security guidance for Amazon Web Services has been developed for all security domains in the Benchmark. In addition, you can now monitor the MCSB controls across Azure and AWS using Microsoft Defender for Cloud. Similar to Azure, MCSB monitoring is enabled by default in MDC for AWS environments, with GCP coverage coming soon.
Title: Announcing a New Azure AD, Part of Microsoft Entra, Region in Japan
Source: Microsoft Entra (Azure AD)
Author: Shobhit Sahay
Publication Date: October 13, 2022
Content excerpt:
Today we're delighted to announce that starting in October 2022, Microsoft customers in Japan can access Azure Active Directory (Azure AD), part of Microsoft Entra, features through our infrastructure in Japan. This replaces the system where the Azure AD data of customers based out of Japan was stored in other global regions. With over 500 million monthly active users, 500,000 customers, and 45 billion daily authentications, Azure AD enables organizations and individuals across the globe to achieve more by addressing their key security and privacy requirements. Microsoft’s Identity and Access Management solutions powered by a Zero Trust framework provide a secure platform for businesses and individuals alike to accomplish their goals.
Title: Public Preview: Conditional Access Filters for Apps
Source: Microsoft Entra (Azure AD)
Author: Alex Weinert
Publication Date: October 26, 2022
Content excerpt:
Today we’re excited to announce the public preview of filters for apps! Filters for apps provides a new way to manage Conditional Access (CA) assignment for apps and workload identities at scale.
Protecting all apps is key to achieving a Zero Trust security posture. Currently, policies explicitly list apps. With filters for apps, admins can tag applications with custom security attributes and apply Conditional Access policies based on those tags, rather than individually selecting apps. With this approach there is no limit on the number of apps covered, and new apps you add with the attributes are automatically included in the policies! Attribute assignment builds on top of custom security attributes, delivering attribute customization and a rich delegation model.
Title: Apply Zero Trust Principles to Authentication Session Management with Continuous Access Evaluation
Source: Security, Compliance, and Identity
Author: Anna Barhudarian
Publication Date: October 3, 2022
Content excerpt:
Today we’re sharing our thoughts around managing and securing cloud authentication sessions. In the past, “authentication session management” referred to static updates to the session duration. That approach no longer provides adequate security for modern usage patterns where a user’s context changes multiple times after the initial authentication. This can occur due to moving between locations, a need to collaborate inside and outside of an organization, or multi-device scenarios.
So how can we secure authentication sessions without affecting user experience and productivity? Or how do Zero Trust principles apply to authentication sessions? These are the questions we asked as we embarked on a journey to modernize session management.
Additional resources:
- Azure documentation
- Azure pricing calculator (VERY handy!)
- Microsoft Azure Well-Architected Framework
- Microsoft Cloud Adoption Framework
- Windows Server documentation
- Windows client documentation for IT Pros
- PowerShell documentation
- Core Infrastructure and Security blog
- Microsoft Tech Community blogs
- Microsoft technical documentation (Microsoft Docs)
- Sysinternals blog
- Microsoft Learn
- Microsoft Support (Knowledge Base)
- Microsoft Archived Content (MSDN/TechNet blogs, MSDN Magazine, MSDN Newsletter, TechNet Newsletter)