S5E16 - Microsoft updates April - new products and features released

May 03, 2024 | 31 min | Season 5, Ep. 16

Episode description

This week, Alan and Sam talk about new features and services that have gone into Public Preview or Generally Available status in the last month. We dive into a couple of these updates that piqued our interest.

Some of the Microsoft product features and updates we covered:

  • FIDO2 authentication & Keypass
  • Security group provisioning to Active Directory using cloud sync
  • Unified security operations platform
  • New API Manager v2
  • App Service v1 and v2 environments retirement

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.

Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong.

If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 16 of season five. Alan and I recently had a discussion around what Microsoft released in April. Here are the things that we covered: passkeys in Microsoft Authenticator, FIDO2 authentication in Android web browsers, and lots of Azure changes, new features and requirements. We've noticed a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan, how are you doing this week?

Hey, Sam. Not doing too bad. How about you? Yeah, yeah. Good, thank you. I've had a Copilot for Security week, I think. It has been a large part of my week this week. Yeah. I haven't had too much exposure to some of that, but, yeah, it's definitely the talking point of the last month and continuing on, isn't it?

Yeah, I think as of recording, we're a month from GA, aren't we? It's a month old. Happy birthday. Yeah, yeah, no, I'm definitely, I'm definitely seeing more people starting to talk about it and I think validating it and sort of pushing it to its limits is really what we're trying to do day to day. So be interesting to see what the updates and changes look like for that product over the next few months.

Yeah. And I think everyone's just starting to understand the licensing for it as well. You know, the consumption and things like that. There's more, more information has come out, hasn't it, to how best to use it and things like that.

Yeah. And I think it's, for me, it's a, it's a net new, it's a net new, you know, productivity tool really, you know, in our security space. So it's, it's definitely taken me some time to get my head around it and to prompt correctly, I would say that's a big part for me, is being specific enough and really refining prompts and building prompt books. So.

Yeah. But I've had some really good calls with sort of Microsoft product team. They're hot on it. It's the big thing at the moment. So they've been absolutely rapid at getting back to us with any of our queries and questions. So, yeah, fair play to Microsoft teams for helping us with that.

Yeah, there was something around, there's some community CCP sort of engagements around it. But one of the sort of things which I can talk about, it wasn't necessarily private preview, was that it's the prompting part, as you said, is, you know, is key. And a lot of us have got used to searching in search engines and just typing keywords to get the results you need kind of thing without any context. And now with Copilots and generative AI in general, you kind of have to give some context about what you're looking for to make it more specific, which is quite interesting.

Yeah. And I think that's, you know, with any sort of natural language, LLM based tool, you know, I think giving it as much context as possible, you know, and being as specific as you possibly can, will yield you the best results, you know, and, you know, it's not so much of an issue with 365 Copilot because, you know, if you, if you like, if you're not specific enough in your prompt and you don't get the data back that you need, then you can just tweak it, go again. It also, you know, offers you some prompts about, you know, what to maybe change, what you should ask next. But in Security Copilot, I think because of the way that it's built, I think it's really important to be really specific and to, and to be sort of cautious with how widely scoped your request is, if that makes sense. I think it's really important to narrow down and be very specific in what it is that you want to return back. The counter to that is there is an element of learning the tool, understanding it. But I think if you're going into Copilot for Security thinking that it's just going to be an out of the box turn on go without some level of skilling up, learning how to do that, then I think it's not going to work well.

But I think that's also true for a lot of Copilot products. You need to know what to ask it to get the best results. Yeah, yeah, exactly. Right. What are we, what are we talking about this week, Alan? Well, it's our news episode, isn't it, for April, and I can't believe it's episode 16. Yeah, yeah.

Seems mad. That's like in our normal, you know, last year or the year before sort of terms. That's three quarters over, three quarters of the way through a season. Not this time. We're going all the way, aren't we?

Yeah, exactly. Yeah. So, yeah, this news is updates kind of in April because sometimes we pull things in. I don't think we've pulled anything in for another month. I know we talked about, talked about Copilot for Security going GA last month even though it was technically April. So we do the rules a little bit. But I know mine, mine are all April only. Yeah, yeah, I did. I have brought one to light again, this thing because it was too cool to talk about to not leave out.

That's all cool. The rules are meant to be there, to be broken. Broken. Bend it. Cool. Do you want to kick us off, Alan, with your, your updates?

Yeah. Okay, so one good one around Defender for Cloud is that the Defender for Containers, that's, that was going into AWS and GCP is now generally available. So it means that, you know, protecting those, you know, the Kubernetes, the containers in those environments. Now it, like I said, is generally available. It's not in preview, public preview anymore. So that's, that's quite good. Kind of going back on what I said last, last time. Defender XDR and the unified security operations platform. So bringing in, you know, Defender XDR alongside Microsoft Sentinel. So bringing Sentinel into that portal. We're starting to see, starting to see a couple of our customers now starting to do that so they can query against, you know, Defender XDR tables when they're hunting alongside the ones in Sentinel. So you can just do a query, you know, query against the tables, you know, there and right there. So that seems quite powerful because, you know, there's a lot of data from the Defender XDR products, you know, going in there, especially Defender for Endpoint. There's so many logs in there. So we had a query, all of that. Oh, sorry.

Go on. Yeah, sorry. No, I was just going to say just, you know, it's quite powerful to do against your other non-Microsoft feeds, you know, like your firewall, things like that. See where IPs are being used. Yeah.

What do you think about the actual Sentinel interface in, you know, with unified, because I enabled it and when you go into the Sentinel sort of section, it asks you to search. The interface is very different from what I've seen. It's not just, like, iframed the Sentinel workspace in, there's elements of it, but it's definitely like a new interface, isn't it?

Yeah, they've definitely done a lot of adapting to the portal, upgrading some of the areas to the portal. You're right, some of the bits are brought over, but really I think it is just pulling from the Sentinel sort of, I guess the API is the data there directly and then re-engineering into the, into the view to bring it in. I think it's, yeah, it's definitely been doing that and it's good that they're bringing in the, the analytic rules. You know, your, your connectors, all that sort of stuff. You know, it's, it all isn't all tied in now. So you can, I think you can do a lot of it now from that portal without needing to go to the other one. There's probably still a few things.

Do you think it's the sort of the Defender analysts pulling data from sources from Sentinel more than the other way around? The main value, if you've got your SOC analyst seam, do you think they're still going to live on Sentinel side and then jump across to remediate Defender or do you actually think that we're going to see people stop using Sentinel interface in the portal?

From my view of it all and my sort of opinion, I guess I think it's going to move into the Defender XDR pool. And the reason I think that is now we're starting to do MXDR managed services or even just internally you're needing to.

Before this was possible you had to jump between two portals to see the raw data from your firewall, to see if there's activity there or even from Azure activity or, you know, Office 365 activity at that point. You know, this is now allowing you to say, I'm seeing this weird activity on Office 365. I can now query the IPs, what machine is it coming from? Or are we seeing other machines accessing those IPs or something like that? It's definitely moving into having more data available to you to be able to do your queries, to do your continued hunting. I think, yeah, that's what I think is going to happen.

And are you sort of seeing that the vast majority of Sentinel, like, SIEM customers are connecting Microsoft log sources anyway? Right? So, you know, even if they do have, you know, other vendor logs going into Sentinel, it still makes sense to have it in, you know, Defender because you've got more context, you know, even if you're not, you're looking after EDR potentially. Yeah.

I mean the, one of the things that's always been a question is for, you know, Sentinel has been bringing in the raw logs from Defender for Endpoint because there's a lot like a lot of detail, there's a lot of networking information there and that's useful to build, you know, to build analytic rules, queries hunting, etcetera. But there's always been the restriction of cost because there is so much data there. You know it could be, you know if you're a large organization it could be looking at 10, 15, you know, 20 gigs a day of data which is quite a lot of money to have when it's sat in your Defender XDR in effect including the price for the services and that you know if you wanted to query you have to basically switch, switch portals in effect. Now this is allowing you to do it in the same portal because the interface allows you to cross query against the two data sources quite easily as well.

Yeah, yeah, no, having, having a single, you know, unified place for it you know, seems to make 100% sense to me. You know. You know from security perspective I assume at some point we'll just have well what we have we'll have entra.microsoft.com, security.microsoft.com and compliance.microsoft.com. At some point I assume just three portals for the three different areas I suppose.

Yeah, I mean like you said Defender, Defender for Cloud incidents and alerts now can feed into, you can now view them in Defender XDR and I think as well you can see the attack surface reductions and things like that in there. So it comes part of that exposure management side of things. One place. Yeah, one single unified place. That's great.

So yeah, that's why that one came back again this month. And then really the next sort of area for me is really around Entra. So there's quite a lot of Entra updates in April. I think it's like eight or nine. So I just grabbed a quick, I say quick a snapshot of some of them. So one of them is being able to, when you're accessing Entra application, we're signing into Entra. You can now do FIDO2 authentication in an Android browser. So that is in Chrome and Edge. So that's quite good. That means that if you've got a FIDO2 key that is compatible you have to be able to be read, you know, read by Android either plugging it in or NFC. This, this allows you to passively sign into your 365 environment which adds another, I guess another potential blocker for passwords at that point. So that's one of them sort of carry on with passwordless. Microsoft released in public preview the use of passkeys in Microsoft Authenticator. So again in effect a software based rather than hardware sort of FIDO2 mechanism using Microsoft Authenticator for passkeys. We are seeing now a lot of that's really good for Microsoft Entra and organizations. But generally I've been seeing a lot of other SaaS applications now supporting passkeys. I've seen Google Gmail, I think Facebook's now using it, I think even GitHub I think you can now use it. So definitely starting to see passkeys being used more often now. One thing that I didn't know about which is quite interesting because I have had some customers talk about this, but general availability of the ability in the Azure mobile app to approve and activate PIM roles, Privileged Identity Management roles on your phone, which I thought was interesting.

That's going to be very handy. Yeah. Because I thought about this and I guess that you go to the Azure portal page probably quite, may not be user friendly in some forms. I don't know, I've never tried it. And then trying to do a role. It must be at least like six, eight clicks, mustn't it? And a search sometimes. Unless you've bookmarked it on your homepage.

Yeah, exactly. So having that brow, having the Azure app and I'm guessing the Azure app is probably app protection policy enabled, I assume we have to have to double check that. So it's protect, you know, protected environment. So it means that you can go in there and you know, approve any requests I guess that you've got from, from your team or, or from your organization or actually activate yourself. So yeah, that was quite a good one. Yeah, nice. Yeah.

We've also got the general availability of Microsoft Graph activity logs so that you can feed that into Microsoft Sentinel and that is showing the interactions with Microsoft Graph. So if you've got SaaS applications or in house applications that are using Graph to pull data, that's now audible, auditable, you know, in the logs there. So you can now either send those into another SIEM and then maybe detect your activity that way. So I think that's quite powerful as well. I know it did go, it was in preview and public preview recently, but now, you know, it's now GA. So that's good. And then the last one is around security group provisioning. So there was some previews with the Entra Connect Sync to do group writeback version two it might have been called, I think that's now been deprecated. So that, and that was announced quite some time ago that was going to be deprecated but Microsoft in effect replaced it with this, with this capability into the cloud sync connector. So the one that's all cloud based. So the ability to provision security groups from Entra into Active Directory. So allowing you to start to allow Entra to be the master of the groups in effect. So mastering the groups and then dropping them down into entrance. So that's, that's quite key as well. It's another sort of good one to do because that means you can do dynamic groups, I think in Entra to automatically populate them and then they get populated on prem in theory, I've not tested that, but I guess that's a win for that part. And then that's, that's kind of, that's kind of it for me. There were a few others in there, but that's the ones that caught, caught my eye with it. So how about you, Sam, and Azure?

Okay, so first one is as a public preview for Azure Backup long term retention for MySQL flexible server. So you can now support retaining backups up to ten years. You know, every, lots of customers have long term retention policies dependent on the industry they're in. So having more flexible backup options. And I assume that Microsoft wants you to retain backups for as long as possible anyway. So yeah, that is now in public preview. I can't remember which month it was, but I talked to previously about the Azure API Management developer portal. Got a refresh that is now GA as of the 1 April. So there's a new layout with sort of easier management. I think it's quality of life improvements there and I believe it works on multiple form factors now. So yeah, so there's a UI refresh that's gone GA on that side. Okay. And with shortly after that update we also got Azure API Management new v2 tiers for pricing. So I don't know if you remember Alan, but API Management pricing there was 1, 2, 3, 4, 5, 6 SKUs for V, what they're now calling classic tiers. You know, it went all the way from consumption based cost all the way through to isolated sort of environments. And premium I think is about nearly $3,000 a month, something like that. V2 is a slightly different pricing model and it's a lot more simplified. There's basic and standard. Basic is $150 a month starting and it gives you one sort of scale unit basically for requests. I haven't actually taken a look at it, I'm just sort of describing you guys through it. So you're paid by scale out units for sort of traffic and also you are charged per API request as well. So you get 10 million API requests included and $3 per 1 million additional API requests. And then dependent on if you go basic or standard for standard, you get things like multiple custom domain names, virtual network support. But standard is $700 a month base, $500 a month per scale out unit, and then $2.50 per 1 million additional API requests. 
I haven't seen about retirement of the old plans, I've just seen the new ones. So I think it's something that needs to be investigated because from what I can see, there's no consumption, there's no consumption based billing anymore for that. You know, for lightweight testing, the classic tiers are still listed so, but I think because they referred to them as classic tiers, my spidey senses are slightly concerned that that might be retired.

Yeah, yeah, definitely need to look at that.

There's a GA for PostgreSQL flexible server now with Azure Private Link support. So yeah, it basically gives you private network access to what's the best way of describing it to effectively give you a managed connectivity endpoint, you know, for other, other services, you know, that gives you better security and isolation. So yeah, so that, that's really good to see that that functionality is baked into that product. Now another one, a lot of database-y related ones that I picked out this time. There's been a GA for elastic jobs in Azure SQL Database. What this allows you to do is it allows you to run a T-SQL job, which used to be called a stored procedure to me back in the day, but it's called a T-SQL, Transact-SQL job. But you can schedule these so you can automate management tasks like deploying schema changes, index rebuilding and collecting telemetry data from the databases or the database servers. I should say probably you can effectively do anything that you can do in T-SQL stored procedure, so you can move data, aggregate data, those types of things on a job. So yeah, that's really, I hadn't, that had completely, that completely missed me, to be totally honest with you. The only thing I don't have to hand is any pricing on that side. So there is a screenshot in the blog post I've got on screen of an elastic job agent costing $25 a month. So I assume you run an agent alongside to actually orchestrate the processing of that. But cool feature. Definitely something that's really important for sort of database data layer folk. And the last one I just wanted to call out is App Service Environments versions one and two will be retired on the 31 August 2024. So that's just something to make everybody aware of that. It's worth calling out that the messaging from Microsoft is that after the 31 August 2024 App Service Environments, one version one and two and the applications running on them will be deleted and, and any data associated with them will be lost. 
So just calling that out that you should complete your migrations. If you have those in your environment. I think we should probably put out like a message to some of our customers to check. So, yeah, just a call out there if you're using any of these App Service Environments.

Yeah, they, they announced in August 2021, didn't they? So it's been three years. So yeah, not, not to say that, you know, it's a couple of times. Yeah. So, yeah, so, yeah, and that's pretty much it for me this, this month. They're not that there wasn't a lot of updates. There just weren't a lot of updates that I was personally that excited about, unfortunately. So, yeah, just, just a few updates from your, this month.

No, that's cool. I think the only one I had that was additional to mine around Defender for Cloud was, let me find it quickly. He was on the second is, it's on the second page. Just the, the general availability of Defender for Cloud protective workloads against Azure Database for MySQL flexible server as well. So I think you mentioned about flexible server going GA for. Net, was that net private network or private endpoint? Wasn't it, was it MySQL or Postgres? What you're talking about?

I'm talking about MySQL. Yeah, that was, that was backup retention, Azure Backup. Okay. Yeah. Nice. Yeah, that was. Anyone I, I seen quickly skimming the, the vast amount of updates in Azure. I mean, it's just crazy. It's two pages, just general of general availability, let alone, you know, the public previews and stuff. Yeah. Crazy. Cool. Okay, so Sam, what's on, what's your next episode? What are we doing next week? Next week we are talking about Azure Data Box. Alan, ever used it?

Never heard of it.

To be fair. That's why I picked it. This one's going to be great. Azure Data Box. Have you got a large amount of data that you need to move to Azure? Do you have a very slow Internet connection? Well, Azure Data Box could help. Not going to give you any more than that, but I picked this one because as I was trying to pick up the next episode, I started to look, I was like, oh, I've never seen what Data Box is. And then the more that I read through the Learn pages on it because it's definitely not a service I've ever used or will probably ever use. It just got more ridiculous as I read in a good way. So that's, that's why I picked it for next week. It should be a, should be a good episode.

Okay. Yeah, that will be interesting because I do know about some of that high level migration to Azure and maybe 365 kind of stuff, how you may do it in the past, probably six, seven years ago. So. Okay.

That will be interesting. Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify. This really helps us reach more people like yourselves. If you do have any specific feedback or suggestions, we have a link in our show notes to get in contact with us. Yeah. And if you've made it this far, thanks ever so much for listening, and we'll catch you on the next one. Yeah, thanks, all.

Transcript source: Provided by creator in RSS feed.