
S5E24 - Microsoft updates June - new products and features released

Jul 12, 2024 | 29 min | Season 5 | Ep. 24

Episode description

This week, Alan and Sam talk about new features and services that have gone into Public Preview or General Availability status in the last month. We dive into a couple of these updates that piqued our interest.

Some of the Microsoft product features and updates we covered:

  • Key Microsoft Entra and Defender features and updates
  • Lots of Azure changes and new features

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.


Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 24 of season five. Alan and I recently had a discussion around the news in June. Here are a few things that we cover: key Microsoft Entra and Defender features and updates, Azure changes, new features and retirements. We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan, how are you doing this week?

Hey, Sam. Not doing too bad. Better than last week. Oh, yeah. What happened to our episode last week, Alan? Actually, what happened to you last week? Some might say I had man flu, I suppose. But I was definitely out for the count last week, losing my voice and, yeah, not being very, very active. So trying to do a podcast is a bit difficult. I think we went, well, we did attempt to do it, didn't we? But it just didn't work out. I think, if I remember, I think.

You sent me a message saying, hey, should we podcast? And I was like, there's no way we're podcasting tonight. So, no, I think we just had to, yeah, we just had to realize that. Yeah, last week. We've had a couple of sort of bumpy weeks, really, haven't we? Because we had a recording issue, and now illness. So, yeah, it's been a bit challenging to get the podcast out on time, that's for sure. Yeah. How are you doing anyway? How's your week been?

Yeah, my week has been good, busy, I would say. I think we'll come to this when we go through the Azure updates. I think my big focus really at the moment is around sort of Defender for Cloud, any updates and changes there. We've been doing quite a lot of work on the Purview side as well, so, yeah, it's, I don't know, a bit varied at the moment, I would say, work-wise for me. How about you, Alan?

Yes, yes. Busy. A lot of, yeah, actually some Defender for Cloud, but also Entra ID. It's everything, isn't it? Yeah. Just getting us through it, isn't it? And trying to keep up, as always, and also worrying about whether I'm gonna be an MVP still. Oh, yeah, when's that? Tomorrow. Well, as we record, that is tomorrow, so. Yeah, good luck, Alan, and all the rest of the MVPs that are out there. Hit refresh. Do you get an email? I assume you must get an email. Yeah. Okay.

Yeah, you get an email. I mean, we thought it was Monday, and you don't receive an email, you're a bit sort of, have they forgotten me? But no, it got changed to Wednesday, apparently. So we'll see. I think I'm okay, but you never know. Well, good luck. Hopefully the next episode. Other call out that we missed: I think we've passed our hundredth episode. This is episode 101 of the podcast now. Yeah, this one is. Yeah.

Holy moly. Did that go quickly? I don't know. We had a big gap after, was it season one or season two? We sort of... Season one. We went AWOL for, I don't know, two years or something like that, didn't we? Right, so 18 months. So no, 100 episodes. What have we learned in a hundred episodes, Alan? Lots of rebrands. Lots of rebrands. Lots of rebrands. Invest in kit, need good software. Make DRM.

Yeah, DRM audio codec. DRM. Yeah. I must admit I feel like since we changed recording provider and changed microphones, we, except for that issue with our, you know, our codec, or what's it called? Is it like a filter or a plugin or something like that? Except for that DRM issue, we've been, touch wood, pretty, pretty consistent with recording, the technicals of it, I think. I think one thing I'm really sort of happy about is I don't think we've run out of content yet. I never really seem to struggle to find new topics to talk about, even though we release new episodes faster than they release new products, if that makes sense. Right. So I thought we'd need to sort of slow down or expand the format. We should probably do that anyway. But, you know. Yeah, it's been interesting that we've made it to 100. 100 episodes.

Yeah, absolutely. So, yeah, let's continue with, yeah, the next hundred. Yes. Right. Alan, news this week. Do you want to kick us off, sort of the security, Defender, Entra side?

Yeah. Short. So obviously, from last month, this isn't as insane, because obviously it was a load of releases coming out of RSA and Build and things like that. But, yeah. Okay, so if we talk about the Defender XDR portal, so that sort of solution there. Content distribution across multiple tenants is now available. So you're now able to copy data or copy content into multiple tenants, to customers or to your other tenants. Maybe you have tenants for each region within your organization, or through M&A, mergers and acquisitions, and you want to standardize your custom detection rules and things like that. You can now sort of do that, from the sound of it.

It's been a lot of, like, MTO, you know, because we had Entra's MTO, didn't we, recently. And so there's been, you know, there seems to be a lot of push to multi-tenancy. Yeah, well, it's also the drive, at least in the Defender portal, because MTO was kind of there for, like, you know, querying data and seeing incidents in one place, kind of thing. This is now bringing it onto the content. Yeah.

And this is kind of driving that push to everything being in the Defender XDR portal. So yeah, you know, we're starting to see now you can do queries against Sentinel data and Defender data in a custom detection rule. You know, at some point analytic rules probably will migrate to custom detection rules. So we'll see. The other part is that you can now filter, in preview, Microsoft Defender for Cloud alerts by the associated subscription ID. So whilst it brings them all in across your Azure tenant now, rather than being specific to a subscription, you can now filter against a subscription. So maybe you've got some dev ones in there as well, so you need to maybe prioritize your production and things like that. So those are kind of the main ones for the Defender XDR portal. There's a bit of an update in Defender for Endpoint. So there's a preview, in effect, of BitLocker support for device control, allowing you to base device control policy on BitLocker encryption state. So you can say you can't write to a drive unless it's got BitLocker on it, kind of thing. So there were some controls like that before, but this is bringing it into the Defender for Endpoint part of device control, rather than being sort of the native Windows stuff. So some extra criteria there to determine when you can and can't write to a USB pen. And then kind of a main area, really, is Defender for Cloud Apps, MDA. There's a couple in here, one of them being redirection of the old Defender for Cloud Apps portal into Defender XDR, and that redirection being on, you know, permanently now, pretty much, because it's all been moved. Another one, which I think is quite key, is Defender for Cloud Apps discovery, which was only Windows, is now in preview for macOS.

So now you can start seeing the SaaS applications that your macOS users are starting to use. SaaS, quite a good one, the SSPM. So the SaaS security posture management capability is now generally available for multiple instances of a SaaS app. So if you've got multiple Salesforces and things like that, you can now have all of them sort of feeding in. Another one, which is interesting, is that if you don't have Defender for Endpoint, or you want to get some other data for the app discovery, or the cloud app discovery part, you can now put it into Azure Kubernetes Service as a Docker container and then be able to send your data to that, for it to then be uploaded, which is definitely a difference from building your own stuff on premise. So you now run it as a service in Azure, which I thought was quite good in itself. Conditional, so the conditional access app control side of things. There's now a new table in the Defender XDR portal called CloudAppEvents. This allows you now to see the apps themselves, but also see the activity, what the user is doing, in those session controls in there. So that's really good. And then one final one, kind of tied to that, is that previously, before you could enroll an Entra ID integrated application into Defender for Cloud Apps for session control, you had to go through the process so that it could then detect it, because then you could apply policy to it. Microsoft, in public preview now, is automatically onboarding them into the conditional access app control. So anything in there now gets added. So you can now automatically build those policies ahead of time, before needing someone to go through the session control in monitor mode to even see it. So I think that's a key sort of area there. You can still see manual ones, and that's if you're using a different identity provider in there.

So, so yeah, and that's kind of me, really. The only ones probably to look at are probably Entra. So in here they did some security improvements to Entra Connect Sync and Connect Health. And let me just have a quick look. So they've also done some things around the Microsoft Graph API to support per-user multi-factor authentication. And then that's probably the only other one in here: the private preview for QR code sign-in. So for frontline workers, to allow them to be able to sign in to something, they can use their phone to, in fact, scan it and then sign in using their account. So slightly different. So instead of having to type their username and password, I guess on a laptop or on a device, they can just sign in using the phone. That seems quite interesting in itself, but yeah, that's kind of it that I'm seeing at the moment. July is going to be interesting because there's some other stuff going GA that we don't talk about yet. So. Yeah. What about you then, Sam, in Azure, Defender for Cloud?

Well, after last month's bumper month, I think everybody's, I don't know, I don't know what it is. Is it end of financial year? I don't know, but we've had very few Azure direct updates, but I do have a couple right from the start of the month. So generally available now is audit logging in the Azure API Management developer portal, which is probably, just thinking out loud as I'm talking about it, that's actually quite a sensitive area for people to be accessing and to understand. I know it is security through obscurity, but that is part of your intellectual property. You'd want to protect access to your private API details, if that makes sense. So you can see user sign-in and sign-out activities are logged, viewing of API details, so access to API details, API operation details and products, and also actions taken in the interactive test console, because I assume that could be an attack vector, of people taking actions in the actual test console itself. So yeah, that's all gone GA as of the 3rd of June. The only other one that I wanted to talk about, there's only three, and there's only a couple that are probably even worth covering, to be totally, no offense to, obviously, the Azure team, they went to town last month. So Azure Resource Help... Health, sorry, has added support for Azure Monitor log search alerts. So you can create a resource health alert for specific events and send an alert to notify you when a log search alert rule is unhealthy. So yeah, that could be very helpful. That's just added in, I assume that's just gone, it's just a feature update that's gone live. The only other one to really talk about, I think, is Defender for Cloud. There's a few changes there, so there's a bunch of changes for identity recommendation behaviors. So there's just a bunch of those identity-specific assessments. There's a big long list of them that have updated. I won't go through them individually.

Copilot for Security, preview inside of Defender for Cloud. So that is, I assume, I'm reading it on Learn, so I'm guessing it's public preview. So it's gonna be interesting to see how posture management is controlled with Copilot for Security. So it seems like they're connecting everything to Copilot for Security. And in the diagrams that I've seen of it, it's sort of becoming the central nucleus of everything, it seems to be. So it makes sense that more and more is going to come through. So one thing, if you're using the infrastructure as code scanning via Defender for DevOps, it's now changed over from Terrascan to Checkov. Now, you can still use Terrascan, you can configure it through an environment variable, but the default is going to be Checkov from now on. So that's probably just a call out to anybody that is using that, because they are two different products. So if you are, you know, you're going to start to see a different output there. Basically, the only other one that I just want to talk about is pricing for Defender for Containers. Just going to talk about that. It's come out of preview. So it's now six, I'm looking at UK South, but in dollars. Weird. But anyway, UK South in dollars, it's $6.86 per vCore per month to run Defender for Containers. So that's quite expensive. I don't know if that's going to, well, it is going to be expensive. There is another, there is a number four next to it. Let me just. Pricing is performed based on your vCores and your Kubernetes worker nodes. Okay. Yeah. Because the control nodes are hosted by AKS themselves, so you don't have to. This price includes 23 vulnerability assessments performed in your container registry per charged vCore. Okay. Whereby the count will be based on the previous month's consumption. Okay. Every subsequent scan will be charged at image digest. The majority of customers are not expected... Yeah. 23 monthly vulnerability assessments in your container registry per vCore.

That's probably fair, because I don't know, I don't know how much, I don't know how many vCores you would have to... You'd need at least, I think you need at least three worker nodes for AKS, I think, because there's, like, control nodes and worker nodes. And I believe with AKS you don't provision control nodes. The service is free and they provide that on their side. I think you just pay for the compute of your workers. So, and that's $6 per vCore per month to have Defender for Containers. So yeah, that's interesting, and yeah, so it's interesting to see some pricing coming out of that. So I do know we've got some customers using AKS, so I'll check out and see what their likely bills are and get a vibe on how expensive that really is. Sounds expensive to me, only because if you think something like Defender for Servers is server based, not vCore based.

Yeah. SQL on a VM, though, is per vCore, isn't it?

It's always been licensed like that, though, hasn't it? Same as traditionally. So I don't know, I just kind of feel like it should have been per worker, not per vCore. But I don't know, because it's doing more than that, because you can run... well, it is doing vulnerability assessment on your container images in your registry, which is something completely different. You don't have that as part of, like... I suppose you do with Defender for Servers. Sorry. Because you are getting vulnerability information on that, and you can run as many services as you want on a VM, can't you? So just something to think about there.

Yeah, but it is based on Defender for Endpoint at that point, though, isn't it? It's not something you'd have in your container. No. But you only pay per virtual machine, don't you, for Defender for Servers? Yeah, so.

And I suppose, because what's Defender for Servers? $15, P2 is. Yeah, so yeah, P2, and nearly all virtual... this is a generalization, but most servers are going to have at least two vCores, aren't they? Especially if they're running any UI or, you know, the Windows Server graphical interface. It's going to need two virtual cores, isn't it? So I suppose that could penalize the micro machines. But I suppose you're not really running Windows, but you are running Linux. I don't know. Anyway, sorry, just trying to work that out. I'll have a look and report back. But I am personally seeing quite high Defender for Cloud costs across the board nowadays.

Well, that probably ties us into something that's not necessarily in the releases of technology but more around the pricing, in that Microsoft have now, I think it was a couple of weeks ago now, at least a way to reserve Defender for Cloud consumption. So, like a reservation for your virtual machines and things like that, you can pay a year upfront and get a discount for Defender for Cloud services. So yeah, you can buy... so they come in, quite like, Defender for Cloud units, DCUs or something like that.

MDC commit units. Yeah. So it's basically one... one unit is $1. Can I just ask something? No, I just said that because it says MDC. Is that the actual acronym? Because the pricing page has MDC on it, and I've never... Defender for Cloud's been a bit of a weird one for an acronym. I always do see... but I've seen MDFC, I've seen other things. I just call it, I just do Defender for Cloud every time. Yeah. Because it's well known. Anyway. Sorry. Yeah.

Yes. So you can now buy units and get from ten to 22% discount depending on what tier you choose. So it's definitely worth looking into if you're a heavy user and you just want to pay upfront for a year and get a discount for not doing anything apart from paying up front. So.

Yeah, because these workload protections, a lot of organizations aren't going to turn them off, are they? Unless there's another product out there that can do everything that it can do. But they... I get the CSPM part of it, that can be, I think that's quite easy to sub out, you know, with open source tooling and other tools. But the workload protections, I don't know of a tool that does all of that end to end in one place.

You know, even just buying your Defender for Servers, even P1, you know, MDE for servers, you really have to go through Defender for Cloud unless you've got an EA agreement and get a deal through that. So even just that saving, at least 10% minimum, is a bonus. Exactly. So that's a guaranteed cost yearly, like you said. So. Yeah. So yeah. Nice. Anything else, Alan? Pretty quick episode, this one, because there's not a huge amount to talk about.

Yeah, I was just looking at Intune, because there have been some releases. There's some new RBAC in there for the endpoint security side of things. So it's kind of tying into the Defender XDR portal and things like that to be able to manage those bits. There's a few things around device management, some more RBAC in there. So still quite a few things. I suppose the only one is, if you're using the Entra privileged management, in effect PIM, for applications, they're now supporting MSI and PowerShell files. So previously it was just EXEs, in effect, that you could update or run. So now you can do MSIs and PowerShell. So that's quite good, really. It opens up... So, so yeah, that is probably it, I think, for this week at least. Expect next week's gonna be interesting with a few things starting to go GA. Yeah. So what's the next episode, Sam?

Next episode is Azure Storage Actions. Is that the one that we were meant to do? That was the one. No, I haven't seen one. Yeah, it's the same one. Yeah. Sorry. Because I know we, because we missed an episode, we didn't have to do it.

So it meant, we know my next episode... And then Alan's like, it's news, that we didn't do the news. So it's further delayed. Yeah. So yeah, Azure Storage Actions, being able to do mass, more literal storage actions across storage accounts. So changing, modifying, moving, and changing the metadata and properties on items in a storage account, which I think is going to be really useful to our sort of security mindset. So yeah, going to do an episode on that. Pretty cool feature.

Okay, cool. Yeah. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube now. Oh yeah. Because we've now moved from Google Chromecast, not Chromecast, Google Podcasts, because that's dead, to YouTube. So yeah, the episodes are on there.

Now, to record us, a video, like declaring who I was, to put our voices on YouTube, look into the camera, say these things. I'm like, what? This is the weirdest. It's like I was applying for a bank account. Sorry to derail the conversation, but I don't... You had to do it twice, didn't you? I think I did it three times. In the end, it took nearly two weeks of you going, hey, is that done yet? for me to actually get it done. So I apologize. Anyway, sorry, derailed that.

Yes. So, yeah, please consider leaving a review on Apple, Spotify or YouTube. This really helps us reach out to more people like yourselves. If you have any specific feedback or suggestions around our episodes, we have a link in our show notes to get in contact with us. Yeah. And if you've made it this far, thanks ever so much for listening, and we'll catch you on the next one. Yeah, thanks. All.

Transcript source: Provided by creator in RSS feed.