TCA Podcast Episode 46: Teams and PowerShell with Lee Ford

Microsoft Teams has seen some incredible growth in recent months as many organizations worldwide adjust to a new normal that involves a remote, work from home workforce. In late April, Microsoft announced that it had seen a 70% increase in Teams usage, increasing to more than 75 million daily active users and seeing 200 million meeting participants in a single day for the first time. In this episode, we talk to MVP Lee Ford about his experience working with Teams, adoption of Teams features such as direct routing and some really handy PowerShell scripts he’s written.

A transcript of this episode can be viewed here and can also be downloaded in the following formats:

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Ignite 2020 Special Edition'

It’s almost time for Microsoft Ignite 2020, but this year things are going to be a little different. In this special episode, Anna Chu (a.k.a The Community Khaleesi) gives us some inside info about what to expect this year and how you can get involved! If you’re interested in being part of Ignite this year, the Microsoft Ignite Call for Moderators is now open and closes on August, 24.

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 45: Microsoft 365 Security for IT Pros

There is no denying that the rate of change in the Microsoft Cloud in astounding. Microsoft continues to innovate and improve very rapidly with new features often being deployed weekly. Security and Compliance is understandably a huge area of focus and it can be a challenge to stay up to date with all the continuous change - this challenge requires an innovative solution. We’re excited to talk to our old friend and fellow MVP Michael Van Horenbeeck about his new book project ‘Microsoft 365 Security for IT Pros’ - a book all about Microsoft 365 Security with a monthly update cadence.

Check out Microsoft 365 Security For IT Pros here

A transcript of this episode can be viewed here and can also be downloaded in the following formats:

For more information on The Cloud Architects podcast, check us out on SoundCloud

Thanks for all the phish..

This post was originally published on the ENow Software Blog, you can view the original post here

There’s a running joke in the industry at the moment that the COVID-19 pandemic has done more to drive digital transformation in organizations than any consultant, project team or CTO! While this may be a slight exaggeration, there is definitely an element of truth to it. Many organizations have historically been slow to adopt remote working practices, but the pandemic and associated lockdowns have forced organizations all over the world to change their work from home policies and accelerate the deployment of tools to support telecommuting. In fact, Microsoft recently reported a staggering increase of more than 30 million Teams users in a single month. Even more surprising is that these same organizations who were once against it are now seeing the productivity benefits and opportunity for cost-reduction and may never go back to the old ‘open-plan office’ way of working again.

As much as the pandemic has helped many organizations realize that working from home isn’t the death of productivity and drive the adoption of tools to support this new normal, it has also given bad actors a new and exciting target. Zscaler observed an increase of 30,000% in phishing, malicious websites, and malware targeting remote users since January 2020. Some of these attacks are pretty basic and are relatively easy to spot such as the example below:

Others are more sophisticated with actors often targeting an organization and registering a legitimate domain name similar to that of the target, for example conotso.com instead of contoso.com. In many instances, these domains are using trusted certificates on the spoofed login pages and even have the appropriate DNS records to ensure that email isn’t discarded as spam. These attacks also typically include impersonation and use terminology associated with working from home to encourage the victim to click the link or perform an action. The example below illustrates how this approach might be used to trick an end-user:

One particularly popular variation uses a combination of these methods in an attempt to persuade accounts payable or a procurement officer to transfer funds or make a payment to a new account. Unfortunately, I’ve heard of several of these attacks being very successful recently. These attacks are usually targeted and extremely sophisticated, often involving what appear to be the correct document templates, signatures and so forth. Here’s an example of what these attacks could look like:

How can you be safe?

You may be asking yourself, “what can I do to ensure my organization is protected from these types of attacks?” and the good news is there is a lot you can do – the better news is that you likely won’t need to spend any money or buy additional licensing to improve your security posture.

It all starts with user education. Bad actors continually evolve their methods, your training methods and user education should also be updated regularly in order to ensure your end-users are aware of how they may be targeted. If you’re not already performing simulated phishing campaigns, I would strongly encourage you to start. If you have the Office 365 Advanced Threat Protection (ATP) Plan 2 license, the Attack Simulator in ATP is a very useful tool for these simulations:

In addition to being able to identify a potential phishing attack, it is important that your end-users have a mechanism to report them and that they are taught the importance of using the reporting mechanism.

Use multifactor authentication (MFA). No, really! If you do nothing else, enable MFA on all accounts in your organization, not only the admin accounts. If you have a plan that supports conditional access, you can configure rules for when MFA is required – such as when a user attempts to connect from an untrusted network location. Even without conditional access, you can enforce MFA on all users accounts in Office 365.

Get your DNS records in order. Sender Policy Framework (SPF) records have been around for some time now and most organizations have these in some form or fashion. These records help identify which mail servers are allowed to send email on behalf of your organization. The challenge with SPF records is that they are often not restrictive enough or were put in place a long time ago and are not being maintained.Domain-based Message Authentication, Reporting, and Conformance (DMARC) records are a more recent addition to the landscape and is not as widely adopted. When used with SPF and DomainKeys Identified Mail (DKIM) to authenticate mail senders, these records can provide additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.How does this work? An email message may contain multiple sender addresses which are used for different purposes. The “Mail From” address is used to identify the sender and specifies where to send return notices if any problems occur with the delivery of the message. This address appears in the envelope portion of an email message and is not usually displayed by your email client. The “From” address is the address displayed in the From field of your email client. This address identifies the author of the email. These addresses can be seen in the following DMARC forensic report (RUF) for a failed message:

SPF uses a DNS TXT record to provide a list of authorized sending IP addresses for a given domain. SPF checks are typically only performed against the “Mail From” address. This means that the “From” address is not authenticated when using SPF by itself and allows for a scenario where a bad actor can craft a message which passes an SPF check but has a spoofed “From” address. When DMARC is used in combination with SPF, the “From” address is also validated and this scenario can be mitigated.

Additional resources

While the benefits of DMARC are evident, many organizations find it difficult to extract actionable intelligence from DMARC reports which are typically XML files containing a large amount of IP addresses. Instead of manually parsing this massive amount of XML-based IP address data, there are many vendors who provide DMARC reporting services. Valimail is one of these vendors and they offer this service free to Microsoft Office 365 customers.

Microsoft has also published a lot of detailed information to help organizations be more proactive in protecting, detecting, and defending against attacks. I’d encourage you to check out this information as well.

TCA Podcast Episode 44: "Security is a business enabler and a risk reducer.."

In this episode we delve into Cybersecurity, something that has been very topical for many organizations as they have been forced to operate remotely during COVID-19. Our guest, Francisco Donoso helps unpack and explain some common security concepts and shares the top three things you can do to help your organization be safer in today’s cyber world.

A transcript of this episode can be viewed here and can also be downloaded in the following formats:

For more information on The Cloud Architects podcast, check us out on SoundCloud

Microsoft Passwordless Authentication 101

This post was originally published on the ModernCISO Blog, you can view the original post here

Passwords have long been a daily part of our lives, but in today’s modern, cloud-first world the use of passwords alone leaves us increasingly more vulnerable to compromise. Large-scale data breaches are being reported more and more frequently in the media with more than 80% of hacking-related breaches involving compromised or weak credentials.

Traditional password management

Traditionally, we overcame weak passwords by implementing password complexity and expiry policies with the addition of multi-factor authentication (MFA), but these practices were not always user-friendly and were burdensome to manage. Password complexity policies make passwords more predictable and often lead to poor security practices like the old ‘password on a post–it’ scenario. Users will inevitably find the easiest, most convenient way to meet the complexity policy. The latest NIST password guidelines, published under NIST 800-63, recommend against both password complexity and password expiry. Microsoft says that MFA-enabled accounts are 99.9% less likely to be compromised, however, less than 10% of enterprise users use MFA. There is no denying that passwords are the weakest form of authentication and in order to improve our security posture and appropriately secure our digital assets we need to consider a more modern approach to authentication.

A modern approach

Passwordless authentication is a modern approach to authentication that offers improved security and better user experience. While traditional MFA requires something you know (password or PIN), something you have (smart card or token), or something you are (biometric), passwordless authentication adds convenience by replacing the traditional password with something you have – in this case a device or a security key – and also requiring something you are or something you know.

Microsoft currently offers the following three passwordless authentication options:

  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security keys

Fast Identity Online or FIDO2 compliant security keys are standards-based cryptographic credentials that are available in many different form factors such as USB keys or NFC-enabled smartcards from several different providers. These are particularly interesting as they allow organizations to choose the technology that best suits their needs and doesn’t have specific hardware and operating system requirements.

Each of the above-mentioned authentication options offers a unique set of pros and cons, giving organizations the ability to use the method that best caters to its unique requirements. Perhaps different user personas within the organization have different needs – for example, requiring fingerprint biometrics for factory workers who use gloves all day wouldn’t be ideal, so it is possible to mix and match these options as needed.

Not a silver bullet

Enabling passwordless authentication in Azure Active Directory is fairly straightforward, however simply enabling the feature doesn’t solve all the problems associated with passwords and this causes much confusion. While passwordless authentication does a great job of straddling the line between security and convenience, it does not (yet) eliminate passwords completely from the environment. Users will still have the option of logging in with their traditional password if they so choose. It is therefore vitally important to take the following actions prior to implementing passwordless authentication:

Enable MFA

If you haven’t already implemented MFA, I would strongly recommend that you do. This change is very visible to the user community, it requires communications and end-user training which could take a considerable amount of time in large organizations. While you prepare to introduce MFA into your environment, you can dramatically improve your security posture by enabling MFA for all your privileged accounts. MFA is also a prerequisite for passwordless authentication and if you plan to use the Microsoft Authenticator app option for passwordless authentication you will have a head start since your user devices will already have the app installed.

Reduce user-visible password prompts

Implementing single sign-on (SSO) will help reduce the number of times users are prompted for their password. This will in turn will reduce the likelihood of a user surrendering their credentials during a phishing attack since users who are constantly prompted for login are conditioned to entering their credentials and don’t always take the time to examine the legitimacy of every login form. SSO also requires modern authentication methods and this will expedite the remediation of any applications that still rely on legacy authentication.

Improve your password management practices

Since user passwords are not eliminated entirely, it is important to adopt modern, up to date password guidelines such as NIST 800-63. Self-service password management capabilities should go hand-in-hand with updated password policies. Allowing users to manage and reset their own passwords will help ease the administrative burden.

Consider using tools like Azure AD password protection to ensure that users are not using weak or banned passwords.

In closing

Passwords are outdated and cannot be relied on to provide any significant form of security by themselves. Passwordless authentication is a form of multi-factor authentication that is both secure and convenient and can be implemented in different ways based on the needs of the organization. Since passwords are not currently completely eliminated from the environment, it is important that the implementation is accompanied by an up to date password policy.

You Suck at Office 365 Logging

This post was originally published on the ModernCISO Blog, you can view the original post here

One of the misconceptions about cloud services is that you have to surrender all control when you sign-up. While it is true that you may no longer have racks of servers with blinking lights humming away in your data center, it doesn’t mean that you no longer have any visibility into how your users use and interact with the service.

Office 365 is no exception and the service includes several auditing and reporting features that can be used to track user and administrative activity within a tenant. Unfortunately, there is no singe place to view all audit logs and in some instances this functionality is not enabled by default which causes confusion. The good news is that once enabled, this audit data is available to consume directly from the Security & Compliance Center or Admin Portals without the need for a security information and event management (SIEM) platform.

Office 365 audit logs

The audit information and reports available in Office 365 can be used to effectively manage user experience, mitigate risks, and is required in many instances to fulfill compliance obligations. Audit logging is not enabled by default in Office 365 and must first be turned on in the Security & Compliance Center before audited activities can be searched.

There are two main types of activities that are tracked in the unified audit log, these are:

  • Admin activities
  • User activities

While mailbox audit logging in Exchange Online has been enabled by default since early 2019, only users with E5 licenses will return mailbox audit log events in audit log searches in the Security & Compliance Center. Mailbox audit log entries for users without E5 licenses can also be retrieved after mailbox auditing has been manually enabled on those individual mailboxes.

Azure Active Directory (Azure AD) also provides several reports to help keep track of user sign-in activity and security. Unlike Office 365 auditing, these are enabled by default. It is important to note that it could take 30 minutes to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search.

Log retention

When an audited activity is performed by a user or admin, an audit record is generated and stored in the Office 365 audit log. The length of time that an audit record is retained and searchable depends on your Office 365 or Microsoft 365 enterprise subscription the type of the license that is assigned to a specific user. Similarly, Azure AD activities are maintained in accordance to the Azure AD plan in use.

The takeaway

Logging is an essential part of your cloud service and can help troubleshoot user issues, mitigate risks, and fulfill compliance obligations. Office 365 includes several auditing and reporting features, however not all logging is not enabled by default. The following table provides a summary of some of the most important logging available to Office 365 administrators:

Audit Item Location Enabled by default Retention
User Activity Office 365 Security & Compliance Center No 90 days
Admin Activity Office 365 Security & Compliance Center No 90 days
Mailbox Office 365 Security & Compliance Center / Exchange Online Yes – requires manual intervention for non-E5 users 90 days
Sign-in Activity Azure Portal Yes 30 days (P1/P2 only)
Users at Risk Azure Portal Yes 7 Days / 30 days (P1/P2)
Risky Sign-ins Azure Portal Yes 7 Days / 30 days (P1/P2)
Azure MFA Usage Azure Portal Yes 30 days

TCA Podcast Episode 43: "Skype is an apple, but Teams is a fruit salad.."

There is no denying the ever-increasing popularity of Microsoft Teams. Microsoft recently reported an unprecedented spike in Teams usage due to the ongoing COVID-19 situation, with usage rising to more than 44 million daily users - showing an increase of 12 million users over the course of just seven days. When I sat down with fellow MVPs Paul Bloem and Andrew Morpeth in Auckland, New Zealand last month, we would never have predicted the current work from home situation that most of us find ourselves in at the moment. We did however talk about their favorite new Teams features, social contracts, Teams modes and of course the adoption of various features and functionality in Teams.

A transcript of this episode can be viewed here and can also be downloaded in the following formats:

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 42: Multi-Vendor Cloud Management with Azure

Multi-cloud is a hot topic at the moment and in this episode we’ll talk to Rick Claus and Joey Snow - a.k.a Patch And Switch from Microsoft about this new trend. Is Azure the cloud to rule them all or is a sound multi-cloud strategy essential in today cloud world?

Be sure to check out their podcast Patch And Switch

A transcript of this episode can be viewed here and can also be downloaded in the following formats:

For more information on The Cloud Architects podcast, check us out on SoundCloud

TCA Podcast Episode 41: Azure AD B2B, bring your own identity and viral accounts

Azure AD business-to-business (B2B) collaboration allows organizations to securely share applications and services with guest users from any other organization, while maintaining control over their data. In this episode we chat to returning guest Elisabeth Olson about some of the improvements in the B2B experience, the new bring your own identity functionality and she even helps Warren solve his viral account problem.

Here are some links to the admin take over process discussed during the episode:

For more information on The Cloud Architects podcast, check us out on SoundCloud