S5E27 - Microsoft updates July - new products and features released

Aug 02, 2024 · 32 min · Season 5 · Ep. 27

Episode description

This week, Alan and Sam talk about new features and services that have gone into Public Preview or Generally Available status in the last month. We dive into a couple of these updates that piqued our interest.

Some of the Microsoft product features and updates we covered:

  • Key Microsoft Entra and Defender features and updates
  • Lots of Azure changes and new features

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.

Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong.

If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 27 of season five. Alan and I had a discussion around the news in July. Here are a few things that we key Microsoft Entra and Defender features and updates, Azure changes, new features and retirements. We've noticed a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to you, it would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan, how are you doing this week?

Hey, Sam. Not doing too bad. How are you? Yeah, good, thank you. I feel like. No, actually, we had an Azure outage, didn't we? I was just about to say I felt like the Internet calmed down this week and then it got a bit more exciting, didn't it? Yeah, just, just a little bit.

Yeah. So I don't think, I haven't read the full breakdown from Microsoft, but I think they're starting to say that it was triggered by a distributed denial of service attack or that their own infrastructure might have caused some extra issues on top. I don't know. I don't really anymore. Yeah, that's what I'm hearing. It was a DDoS attack and then maybe some processes or mechanisms internally might have amplified it a little bit more. Yeah, than that.

It was really confusing to see it sort of unfold because, like I was, I was looking through some resources and I can't remember what opened. I think it was a standard logic app. It was like, you can't access this resource. And I was like, oh, that's a bit strange. I'm like, I've definitely got like permissions, like, and then I'm thinking, is there a different RBAC here? You know, RBAC on weasels is usually in a different blade. I was like, this is a bit weird. And then it just slowly, like, more, more and more blades slowly broke. But other things were working because they must have been cached in my browser. So. And then I just, I did the first thing of just going security.microsoft.com and it worked. And I was like, what's going on?

So, yeah, well, I think it was. I think I said, I think when we were, we were working on something, weren't we, at the time? And I think I said, oh, I can't access Azure and you're like, well, I can, you know, it's all fine here. It must be you, you know, all right, a bit weird. And then, you know, it kind of seen it sort of start sort of spreading, I guess. Yeah.

Yeah, yeah. So we actually, yeah, we had some, we actually had quite a good excuse for not getting through what we needed to this week. But yeah, we want less disruptions, I think I'll say. Because, yeah, it was just interesting because of sort of, you know, business continuity then kicks in because it's like, oh, Azure portal you can't access. Oh yeah, good luck with that, guys.

So yeah, yeah, it's interesting because resources within Azure at least were able to communicate still. So like you said, it must have been the portals that were being attacked. Yeah, exactly. I think it was Azure Front Door, I believe. But I'm not, I'm not 100% sure. I haven't, I haven't checked back up on it since. Right. Alan, news in July. Do you want to kick us off and take us through your list?

Yeah, sure. So there's a couple of areas. So I'm going to talk about Defender XDR first. And there's quite a few things in here. So one of the things we've been noticing in the portal is that you are now able to see OT devices appearing in that portal. I think I might have mentioned actually on last week's episode around Defender XDR. Yeah. So if you got the license for it, it's now bringing that into the portal so you can start seeing that information. There's been a few features moving into GA, one of them being the unified security operations platform that I did talk about last week and the filtering of Defender for Cloud by subscription IDs that's gone in. There's a couple of previews. So with the exposure management and the critical assets there, they're now tags within the incident and alert queues. So now you can see where your critical assets are being involved in incidents. I think that's quite good. I guess it also means you can filter your devices by those as well. What else is in here? A lot of the learning that was in the learning hub within Defender XDR and the various products, that's now moved to learn.microsoft.com in there. So that's kind of standardizing, I guess, where you can get that data now, and the other one is the URL click events table in advanced hunting, that's now GA. So separating or bringing some of that Defender for Office capability or data, at least into advanced hunting so you can create your custom detection rules and things like that. Next is Defender for Office. So there's a one thing in here is that saying that the learning stuff is going to Microsoft Learn. So it's like I said, it's across the board, but one of them that's gone generally available is that SecOps personnel can now release emails from the quarantine, from quarantine or move messages from quarantine back to users' inbox using the quick action or take action in threat hunting or Threat Explorer now in advanced hunting.
So now it's a simple effect task now that you can do quite quickly without having to go into the quarantine and release it manually there. That seems quite good. Saves a few clicks in the portal. Microsoft Defender for Cloud Apps. So in here you're now able to embed a custom support URL on block pages. So that's when you're doing, let's just check this out. Block experience using. So when you're doing cloud discovery and you're doing block onto Defender for Endpoint, you can now have a custom block page URL for support. So it's a little change to help users know where they need to go or to understand why they're being blocked. The other part that's just gone into preview is the in-browser protection with Edge. So that was generally it's either a public preview gone into GA for Windows, but it's now moving into macOS as well now. So that is now starting to roll out into public preview, which is good. So it's just moving along the different tooling. Let's have a look. There's one, let me just find it. So if we look at Entra, when I can find that. Yep. So it's now gone generally available that in the conditional access for insider risk. So that insider risk condition is now available GA if you have some of that capability to be able to use that as a signal to restrict access now. So that's, that's gone quite quick, I think, Sam, hasn't it inter, from private to public to GA, I think. Doesn't seem too long.

Yeah, I think adaptive access from insider risk management is like quite the push now, I think, you know, because I think a lot of people are getting stuck on very sort of binary policies, if that makes sense. So I think, I think this capability really gives you a level of flexibility on risk, I believe. And there's a huge amount of signals in that product. So yeah, it's definitely worth considering. That's if you've got insider risk management configured and enabled.

Yeah. Okay, so another one in here, I'm keeping one till last. Sam will probably know what it is, but we've got an AD FS or Active Directory Federation Services application migration wizard now. So you were able to sort of detect or identify application that could be migrated. This sounds like it can actually help with the migration. This one's interesting, Sam, as we've been testing some of this recently. So this, or last month I should say. Attacker in the middle detection alerts in identity protection, it's now gone, has now been put in as a new feature and it feeds into Defender XDR. So I think that's where that alert is coming from. From token theft.

Do you think we just found that by coincidence? It was just timing? Yeah, I reckon so. Okay. Yeah, yeah. Interesting. On the bleeding edge without even knowing it. Yeah, well we don't read documentation anyway, do we? That's just standard, isn't it? It's probably been in private preview for public preview for years. Yeah. Anyway, go on.

Yep, that's kind of the Entra stuff. Within Intune, there's been some new actions in cloud PKI to be able to delete the certificate authorities, pause them temporarily and revoke the actual certificate authority certificates. So there's some extra bits in there. There are a few other things around application management and device, some new clipboard direction settings for Windows and that they are removing custom settings for Windows for some of the ones that can be done in the settings catalog or very unused, also not oftenly used OMA-URI sort of connections or configurations there. So slowly removing that part and move them into the settings catalog, which is where they should be really. And then I think just looking at Defender for Cloud, so the deprecation of the mux, the Azure monitoring agent, the MMA, whilst that is happening this month in August, if you have Defender for Server Plan 2, they're allowing you to extend it until November 2024. Because from the look of it, it looks like some of the capability, like the file integrity monitoring and security baselines, may still need it all. There's, you know, customers still migrating over to any new functionality that might be in the AMA agent part of that. And I think that was it, the deprecation of adaptive network hardening as part of the Defender for Server SKU. So that's happening in, or starting to happen now there. And I think that was probably it in a quick whistle stop tour of those things. Oh, the only one I forgot about, which I shouldn't have forgotten about because here I've been dealing with it for a long time. Is that within Entra, Global Secure Access went public preview, no, generally available, sorry, it was like the beginning of the month. So that is now there and now we have all the licensing and that. So Entra, well, the Private Access and Internet Access is now available to purchase. So that's quite a big one, I think.

Yeah, probably brand new product. Right. So very interesting to see how that will land and mature and develop because, yeah, it's very early days for it, what we've seen of it so far. It's pretty promising, isn't it?

Yeah. And actually just coming onto that, they've actually brought a new suite, Entra Suite as well, which includes that plus identity governance, verified identity advanced features and identity protection in there. So you can get some discounts if you already got Entra P2 and or you can do in effect an uplift from Entra P2 and get a, suppose a discount or some of that functionality you already purchased. So they've removed that cost there and then there's a license for, in effect, Entra Suite itself. But you've also got frontline workers as well, so you don't have to pay the full, you pay frontline worker pricing for that. So yeah, that, that is now me.

Nice. Quite a few updates because I think last month we didn't have very many, did we? So is this new FY25 kicking into gear? Kind of seems like it, yeah. So what have you got then, Sam?

Okay, yeah, I've got quite a few bits as well. So Azure Load Testing, which is a service in Azure for load testing, now supports. It's now generally available that you can do load testing on Azure Functions. So load testing is a real key part of validating and QAing any sort of custom applications you might be running. It allows you to identify performance bottlenecks ahead of time so you can simulate certain levels of load. And it's great that it's just part of Azure. There are third party systems that can help with that, but this is, yeah, first party in Azure now. Also generally available, Azure Monitor Log Analytics dedicated clusters. You can now create them in the portal. Apparently previously, I've never used this resource before personally. Apparently previously you had to either use the CLI, PowerShell or REST to create them. So apparently you can do it in the UI now. It's not a resource I've ever used. Alan, is it something that you've ever had to look at?

No, I think the only, there's only, I don't know actually, I was trying to think of a reason why you'd have it, but it might be to just have that dedicated resource and I think you can maybe even specify how much storage you might have for your log analytics.

In effect, I think it also supports double key encryption and customer managed keys as well. And there's some sort of availability features there as well. But yeah, nothing that I've ever had to do. Going back to Azure Load Testing, you can also now put, there's generally available that you can put it in a debug mode so that you get enhanced logging of when you're running your tests to see so you don't get sampled data. You see every request that every failed request during a test run to give you more visibility. Public Preview now Windows Server 2025 is now available. I mean that's not, I'm not like a, I'm not like an IaaS guy really. Maybe securing them around the edge around them in Azure, but not actually like managing them. But apparently there are new capabilities in Active Directory, SMB so yeah, and apparently security updates require fewer reboots now. So yeah, I'm not going to go into a list of all the new features, but it does mention AI as well. So yeah, we got it in there. There's a new public preview for continuous performance diagnostics for Windows VMs. So it allows you to, it enhances the on demand performance diagnostics. Data is collected every 5 seconds and updates are uploaded every five minutes to your preferred storage account. And essentially it gives you enhanced logging for performance diagnostics because nothing harder than debugging performance issues on IaaS in Azure. So yes, that could be helpful for people in public preview. Now you can now create Azure cross subscription load balancer. So yeah, so it enables load balancer components to be located in separate different subscriptions. So that could be good if you have say front end and back end instances potentially in different subscriptions. So it's currently in public preview in all public Azure regions. So be interesting to see if anybody's got a use case for that.
Azure Databricks is like a, as far as I'm aware and I haven't actually used it, but it's like a hosted version of Jupyter notebooks, I believe when you use Jupyter notebooks you essentially, like, if you run them on your local machine, you essentially, it's like a markdown file, it's kind of like a wiki page and you can insert code, you can run it and you can embed text, embed images, write notes. It's really good for prototyping and demonstrating technology. But currently you can run Azure Databricks notebooks with serverless compute now so you don't have to provision dedicated resources. Again, not something that I've done and I might have absolutely butchered the intro to Databricks notebooks, but go and check it out because serverless compute is generally a lot cheaper. And if you imagine if you had a notebook that you were running code and demonstrating code, it might not be a production system, so you might only want it to be running like when you actually run, if that makes sense. So that seems to make a lot of sense to me.

That'd be an interesting one actually. I'm just thinking it depends if, but in effect Sentinel, you can run notebooks juniper or Jupyter notebooks there. I think it uses Azure Machine Learning instance at the moment. I wonder if they might move to Databricks to allow serverless or that service might become serverless maybe.

Yeah, maybe. Again it's not a product I've used, so take what I've said with a pinch of salt. Now generally available you can encrypt backup vaults using customer managed keys. So that is now GA. So if you do have that regulatory compliance requirement or you are, you want to de-risk on top of Microsoft's protection, then you have the ability to do that. Now Alan, I'm bringing back Azure Data Box, probably my most fun and exciting episode ever to be totally honest with you. Right. We've got a public preview for a physical data box. I don't know how that works. But anyway, Azure Data Box now supports selected or select cross region transfers. So it's not just you are in a certain region and you're transferring data to your region, you can now do interregion capabilities. So if you haven't listened to that episode, I would say you should go and listen to it because it's pretty fun. But essentially Data Box is the ability to send and I think it's just send, isn't it? It's just ingest.

Or is it egress as well pull out as well?

I think you can do both ways, can't you? But it's essentially a physical device. It can go anywhere up to, what was it, a palletized box, basically loads of terabytes. And there's a backpack version I believe, even something you can carry. Yeah, so you can do things like copy on premise data from Singapore or India over to West US data center region and things like that. And I believe what it does is you don't send the data across commerce boundaries, you still send it to your local, your region and all of the transfer is done. Microsoft internal network to the destination region, apparently.

Yeah. I wonder if you wanted to send data from say like from the UK over to the US data center where you'd have to get it shipped from the US site and pay the costs of shipping it from there.

Yeah. Or whether, what they would do is they would just provision the data box at the destination and transfer it the other way internally because that's what it's saying. If you're, if you're ingesting your, you know, if you're in the UK, you're sending to your local region and then they're doing the transfer on there on their side. If you were going the other way, they just do the transfer on their side, fill up the device and then send it to you locally. Right? Yeah.

Okay. Now generally available support for Azure Key Vault certificates inside of Azure Container Apps. I'm a big fan of Azure Container Apps and now you can use Azure Key Vault to store and manage your TLS and SSL certificates for Azure Container Apps at the environment level. You can do it in the portal as well. Now generally available the Redis extension for Azure Functions. The extension can be used as a trigger in Azure Functions, so it allows Redis caches to initiate a serverless workflow. So yeah, for event based architectures, this is going to be really important for people. Azure Lab retirement announcement, Azure Lab Services. Have you ever used Azure Lab Services, Alan? I believe it's a testing like VDI environment. I've never used it personally. I haven't. It will be retired on the 28 June 2027. Don't say we didn't warn you. It says in bold in the blog post. It says in bold capital letters, we are committed to support you until June 28, 2027 for this service. So yeah, if you're using that service, heads up, you might want to think about planning a migration from it in just under three years time. Retirement on the August 31 of this year, App Service Environments v1 and v2 will be retired. So after the 31 August App Service Environment v1 and v2 and the applications running on them will be deleted and any application data associated with them will be lost.

Wow.

Get wrecked to avoid service disruption. Yeah, yeah, that would be a disruption. Please follow the steps outlined by Microsoft. They've got it in documentation on how to thing and in capital bold letters before the 31 August 2024. Generally available now, new capabilities have been added to Azure Monitor Basic Logs plan. Apparently the interactive retention period was previously eight days, it's now been increased to 30 days. And apparently they've adjusted the supported query language capabilities on basic logs from reduced KQL to full KQL on a single table and lookup of additional table and analytics tables. That's pretty handy. Yeah. Public preview 6th generation, we're on to six, Intel-based VMs, so Dv6 and Ev6. Generally we always look to use the latest versions of VMs because generally you get a better price to performance as newer hardware is released and refreshed. There can sometimes be supply constraints with newer kits so it can be hard to get access to it. And also spot instances can be very lucrative of older generations. But these are built on Intel's fifth generation. Why is it fifth and 6th anyway? Doesn't matter. Fifth generation Intel Xeon Platinum 8537C Emerald Rapids processors. The highlights are up to 27% higher vCPU performance and three times the amount of L3 cache than previous v5 generation VMs, up to 192 virtual cores and up to 192 vCPU cores. Apparently there's now a thing called Azure Boost which enables up to 400k, so that's 400,000 IOPS and 12 GB/second remote storage throughput and up to 200 gigabits per second virtual machine network bandwidth.

Wow.

46% larger local SSD capacity at three times the read IOPS, NVMe interface for local and also remote disk, enhanced security through total memory encryption technology. I haven't looked at that yet, but that's probably one to keep an eye on. Yeah, the Dv6s offer a balance of memory to vCPU ratio, up to 128 vCores and 512 gig of RAM. The new Ev6 are ideal for memory intensive workloads, so they go from up to 192 vCPUs and up to 1.8 terabytes of RAM. Yeah, so initially available in US East and US West. So public preview so if you want, if you fancy 1.8 terabytes of RAM then go grab them. Try to think the price of those. And the last one I've got is now in public preview. I mean, sorry Microsoft, I'm not sure I'd be testing this in public preview, but you can convert standard SSDs, standard hard drives or Premium SSD v1s to Premium SSD v2. The words they specifically use are confidently move your workloads to Pv2. So yeah, so if you want to move to Premium SSD v2 disks, maybe there's more performance there for you. Or there's a feature that you need. There is now a way to actually do that quotes confidently, but it's in public preview. Those sort of things scare me. So yeah, I'm not going to talk any more about that. Anyway. That's, that's my lot. I think there's been some quite good updates, especially around Azure Data Box. I think that's probably my, my standout, to be totally honest with you.

Yeah, it's definitely a lot happening, isn't there? Again, it's like you said, it's ramped up. Yeah. New, new Microsoft FY25. Let's just crack on and get on. Nice. Cool. Okay, so what's the next episode then, Sam?

Well, as we were doing the Azure storage actions episode, which was maybe two or three episodes ago now, we realized that we hadn't actually done an Azure storage account episode, which is the underlying service that you would use that technology on. So yeah, I'm going to take it sort of back to basics, I suppose, and talk around Azure storage. It's quite a large, I'm going to call it like product suite. So yeah, there should be quite a bit to talk about there.

No, that's going to be a good episode. Okay. So did you enjoy this episode? If so, do please consider leaving us a review on Apple, Spotify or YouTube. This really helps us to reach out to more people like yourselves. If you do have any specific feedback or suggestions, we've a link in our show notes to get in contact with us. Yeah. And if you've made it this far, thanks ever so much for listening and we'll catch you on the next one. Yeah, thanks, all.

Transcript source: Provided by creator in RSS feed: download file