Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong.
If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 32 of season five. Alan and I recently had a discussion around the news in August. Here are a few things we covered: key Microsoft Entra, Intune and Defender features and updates, and Azure changes, new features and retirements. We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan. How are you doing this week?
Hey, Sam. Not doing too bad. How are you? Yeah, good, thank you. Good, thank you. I think our British summer is now over. Now that August is behind us, we've had our. I'm gonna go for ten days of uncomfortable weather. Do you think it's more than that? Probably not. It's. I don't think it's been like ten days. Terrible in a row. I was just thinking. Oh, yeah, I meant overly hot weather. I was just trying to think. Okay.
But no, yeah, I think. Oh, it's September now, as we're, as we're recording this. So I think. I say the world's worth. The world is waking up a little bit. I would say a lot less. A lot less people out on their summer holidays. Yeah, definitely. Yeah. Work has definitely started to kick into gear with customers coming back and stuff. For sure. Yeah, yeah, definitely. Really good. Anything you want to cover over before we dive into the news?
I can't think of anything. I've got my. Got my little puck for my MVP award this week, so get to add that to. I've got two of those now and hopefully many more to come, but no, I think that's probably it. We had our. I think we had an in-person meeting this week, didn't we? Which was kind of bit odd to us in some sense. Does that make sense? Wasn't it? It's the first time, I think, for a long time, like, proper meeting.
Yeah. Seeing people that you've only seen in two dimensions and hunched over their laptop in a quarter of a room. Yeah, it was. Yeah, it was definitely refreshing to get back in person, that's for sure. Feels a lot more. Yeah. A lot more real and a lot more personable. Right. So definitely. Very refreshing. Right, Alan, do you want to kick things off with your sort of key highlights of news this month I can. Do, unless you want to shake it up and you want to go first this time.
I don't mind. Yeah, let's go through Azure first. There's quite a few updates actually, so. Yeah, let's do that.
Okay, so yeah, we're covering August, it's, you know, it's the start of September for us now, but we cover the previous month's worth of news. So yeah, I'm going to kick us off with Azure. So bit of a weird one this. I'm going to throw it out to start off with. Azure API Management has a WordPress plugin now which is in preview, which I had to sort of like double read it because I didn't really understand it, to be totally honest with you. This feels like a very specific enterprise requirement that's bubbled through into a public preview. Anyway, so the WordPress plugin allows customers to integrate WordPress to build their own unique developer portals. So apparently it's an open source WordPress plugin and essentially it allows you to customize the developer portal experience with sort of some of the power and flexibility of WordPress. So things like localization, collapsible and expandable menus, custom style sheets, etcetera. So I wonder if this is organizations that maybe have got an internal, maybe they've got an internal API directory or something. Maybe some organizations are using WordPress for that. Or maybe other organizations that use WordPress for their end user docs potentially. So yeah, very interesting to see that plugin. I'd be interested to see. I haven't installed, well I haven't installed WordPress or a WordPress plugin for a long, long time to be technical.
Yeah, it's definitely an interesting one, isn't it? It's a very simple, you said it's good.
Yeah, I mean WordPress still does. I think the stat in the blog post was something like WordPress still powers 40% of the Internet so it's still, it's still massive. Maybe it's just not massive in my world, you know. So next one, a GA sort of update. So you can do vaulted backups for Azure Blob Storage now. So essentially a layer of additional protection for your, for your backup needs for Azure Blob Storage. So I'm assuming if you've got highly sensitive information that you want another level of a vaulted backup on top of Blob Storage, you've got an option there to do that, which is now GA. An interesting new public preview, Azure Carbon Optimization. So this is a new blade which is currently in preview, which allows you to see the monthly emissions, carbon emissions of your specific resources. Now what I thought was interesting about this, okay, so, you know, obviously reduction in carbon dioxide is, you know, I think we can all agree dependent on your stance obviously on climate change, it's a good thing to reduce as much carbon as possible. But, but I'm going to come at it from a slightly different angle. So if you do have a corporate or a social responsibility mission, you can get granular emissions data on your specific resources. What's interesting is that if you think about cloud costs, the underlying unit really is energy, isn't it? You know, the more powerful your processors, the more energy you use, if that makes sense. Right. So in a proxy way, you know, you are paying for more energy which in turn increase. You know, I suppose it's not a linear scale but you kind of get what I'm saying. But what it is is it can give you recommendations to help you reduce carbon emissions by deleting or right sizing underutilized resources.
So I'm not sure if this is just another sort of viewpoint of Azure Advisor, but I assume that one of the first compelling strategies I suppose, for reducing your carbon footprint is to actually just right size resources into what you actually need. And we do talk to customers about this because a lot of customers still provision like they are provisioning on premise or co-located resources. So I think it's cool that you're seeing more recommendations there. Again, if it's, we don't know if it's more than Azure Advisor, but what's also there is also a view of carbon equivalents. So it helps you to visualize your environmental impact in more sort of relatable terms. Such as? Such as planted trees. So they've got like different dimensions to the amount of carbon that you're sort of producing. So yeah, I think, yeah, something different, not directly related to cloud platform, but obviously still an important topic to, to understand. So I'm glad Microsoft are making investments there.
Yeah, I think you're right. It's another angle, isn't it, to reducing your, like you said, reducing your carbon footprint kind of stuff, but also, yeah, reducing another way to show you can reduce compute and stuff and which is obviously cost saving you money at the same time. So it's kind of like a two reasons why to right size.
Yeah. And we, you know, we talk to, or we're more in security, but we still talk to our customers about the waste that they have in Azure, you know, so it's like a double whammy really. You know, save your wallet and save the trees, save the world, I don't know, save the climate. Alan, have you ever heard of an Azure Extended Zone? No, no. I've seen this in the list. I thought it was a bit odd.
Okay, so I hadn't heard of this until I saw this, this, this item. I don't know if this is the first one, but there is now an Azure Extended Zone in Los Angeles. And apparently they're small footprint extensions of Azure placed inside of dense cities or industry centers or specific jurisdictions. And essentially these sort of facilities are designed for the lowest latency and also data residency concerns. So I believe it's a small subset of Azure services that are supported there. Virtual machines, containers and storage are there. So yeah, it's interesting to see these Azure Extended Zones in action. So yeah, if you have some of those requirements and you want to get your cloud as close to your users as possible, then that is now starting to become possible. Next one that I've got is Dev Container templates for Azure SQL are now generally available. These templates provide a streamlined way to set up a development environment with all the necessary tools and dependencies pre-configured. These give you the advantage of having efficient local development and faster time to work essentially. So yeah, check that out. If you're using Azure SQL Database to get dev containers up and running quicker.
Nice. That quickly. That Extended Zone is the first one. It was only launched in August.
Great. I hadn't delved in, the blog post was quite descriptive about what an Extended Zone was, so it felt like they were introducing it to me for the first time, if that makes sense. Right. So yeah, very interesting to see that sort of sprawl happening. You can now enforce passwordless authentication with Azure Cache for Redis. That's now generally available. Typically with a Redis cache you would use a key based authentication. We're generally sort of evangelical, I would say, with resources that are running in the cloud to use managed identities or service principals instead of using key based authentication. It's essentially just more complicated in every way to keep it secure. So you can now disable key access on Azure Cache for Redis. That would be good for regulatory compliance.
Nice.
Azure Chaos Studio, my favorite, generally available now is network isolation fault for virtual machines. So you can drop all packets for a specific duration as part of a chaos experiment. Pretty nasty I would say. So, yeah, really great. Again, update for testing the resilience of your, of your machines. I wouldn't say that networking DNS is the no I'm going to say it, my gut is the network and DNS are the two biggest culprits of issues into the cloud and downtime that we see. So making sure your applications are as resilient as reasonably possible to network outages is probably a good thing. Public service announcement: enable multi-factor authentication for administrators of your tenant by the 15 October. I've got in my notes. Is that right Alan? All administrators will require MFA enrollment to access the Azure portal, including your break glass accounts, I believe so, yeah. Make sure you're ready for that. Yeah. Anything you want to add on that sort of side of things?
Yeah, well, I was going to use this one of mine, but it's fine. But yeah. Portal. Yeah, the Azure portal, the Intune portal. Yeah, it's quite a lot of the admin portal side of things, but yeah, you're right. It's not just because I expect most organizations today, you'll say most organizations, they would probably have MFA at least for their admins and their admin accounts. So generally it's probably not too much there. It's going to be the break glass accounts where you exclude them from Conditional Access so you can access them. So I think the recommendation around your break glass accounts is to not set up MFA on phones that are, you know, specific to a, to an individual because you've got the problem of if they leave, how do you get, you know, it configured again, things like that, is to use FIDO2 keys and the certificate-based authentication in Entra, I think is the recommended ways to keep it still completely separate.
Nice. Yeah, yeah. I don't know whether we should do. Should we do an episode on that? Like a PSA episode on the best way to approach that for organizations? Yeah, we should do one on. We should probably do one on break glass accounts. Definitely. Anyway, about what best practices around that. Yeah, I've just incorporated.
Yeah. I've just seen some conflicting guidance, I would say, and some confusion, maybe that was a few weeks ago, but my gut is that as we creep up to that deadline, it's going to become more important, I think.
Not necessarily the problem, but this has been done in phases. So phase one is in effect. User interface portal access is being blocked by MFA. Second phase, which I think is late, is maybe next year. I'd have to double check my notes, is that it's going to be programmatic access. So PowerShell, Terraform and other things as well. If you're not using, I think probably if you're not using a managed identity and things like that. Or use managed identity. Well, yeah, managed identity or user-assigned identity. You'll probably need to MFA to still have access, which is obviously a bigger break as well.
Yeah, because I bet nobody uses their admin accounts for programmatic access to certain integrations and applications, right? Yeah. Or you create, you create a service account, don't need to be able to do the things it needs to, but yeah, it's gonna access, you know, in effect, you know, admin roles. So that's then gonna need MFA in theory.
Okay, another retire, another public service announcement for retirement: starting the 31 October, all Azure services will require connections using TLS 1.2 or higher. Support for TLS 1.0 and TLS 1.1 will end on October 31, 2024. Now this is, I believe, mainly going to be an issue for older SDKs you may be using. I've seen this in other areas where there's like older, I'm not going to blame open source, but older open source or proprietary tooling that was maybe created x amount of years ago and you haven't patched since because you've got a critical dependency in your application stack X, Y and Z. So this is a bit of a tricky one, I would say, because it could be quite silent, if that makes sense. So just something to be aware of that could be quite dangerous. A lot of the Azure PaaS services allow you to enforce minimum TLS versions, so just maybe take a look at potentially testing that ahead of time by using some of those controls if you haven't configured them. I believe TLS 1.0 and 1.1 are pretty old as well. So I don't know if this retirement feels reasonable to me. Azure App Service Environments v1 and v2, by the time you're listening to this, well as we're recording as well, have been retired on the 31 August. So yeah, a bit too late for a public service announcement, but I hope that went well for everybody. What am I going? What's my next one? Another retirement. Azure Logic Apps Integration Service Environment (ISE) is retired again as of the 31st of August 2024. So you needed to move over to Logic Apps Standard. So yeah, apparently your apps and resources may be deleted. May have been deleted, I should say, because it's past tense now. Another cool public preview is now you can have Instance Mix on Virtual Machine Scale Sets, so you can mix and match various VM sizes within a single scale set to better align with your workload requirements.
That's an interesting one, isn't it? What this is cool for is cost optimization. So in your scale set you could have a base set of quite chunky virtual machines and then have smaller instances as scale units because they're more likely to be provisioned during scaling. And you might get better performance over multiple individual machines. Potentially it's that.
And also if you only need scale, it's that whole thing of you can spin up four or five of them as you need. If say a server can handle 1000 users, I'm sure they can handle more in your main set. And then you have to scale and scale by one user, say that's another machine that can now do a thousand they don't need. So by halving it or quartering it, you can actually only do 250. There's a cost saving there and I guess a carbon footprint saving.
Nice. And yeah, the last one, which is a little bit, I suppose a little bit more niche, is in Azure API Center. I'm not sure I've ever used that previously. But you can enable linting of your APIs inside API Center. I believe API Center sits above API Management, doesn't it? As a management of the management. Pretty new, I think, isn't it?
Yeah, but there's a linting capability there, which I thought was interesting, and what it does is. Oh, sorry. A linter is an analysis tool that developers will use to check things like code quality. It's probably unfair to say code quality, but sort of adherence to your coding standards. So, you know, if you've got like a variable naming, a variable naming style rule inside your organization, an indentation, those types of things, a linter can say, hey, you didn't indent properly, please indent this properly before you commit your code. So yeah, that's actually available in API Center to look at your API definitions to make sure that they adhere to organizational style rules, to maintain consistency across all your APIs. So yeah, interesting to see that it's in the cloud side because a lot of the time you'll want that linting to be done before you make changes, if that makes sense. But if you're documenting all of your historical APIs, that could give you some good guidance on a rework that you might want to do. Refactoring, I should say.
Yes, I see the value in that. I was just thinking, like you said, if you'd integrated into a, a pipeline or something like that, you might do that check there, I guess before, I suppose you actually do it before when you do in the tool.
Yeah. Ideally you want to do that as early in the development cycle as you possibly can because a developer noticing something early on and making a change before it hits and goes through QA and change and X, Y and Z. But again, if you're documenting your legacy API estate, that might also help you to guide you to make those changes to your existing estate. That's all my updates for Azure. Alan, do you want to cover your items?
Yeah, sure. Okay, so for Defender for Identity, first we have a new Entra Connect sensor. So this sits on the, yeah, as it says, the Entra Connect server. And looking for unusual behavior and things like that on there because potentially that is a core service that someone could potentially look to attack. And there's potential ways of getting some information, I guess. So there's kind of two parts to it. Is there two? Yeah, two parts. We'll say two parts. One part is posture recommendations. So there's a few, there's three recommendations that you can do. Once it's been deployed to the Entra Connect server, it will tell you whether some changes to, in effect, you know, harden the, the server or the, the service at least to make sure. One of them is like remove unnecessary replication permissions from Entra Connect account, change password for Entra seamless SSO account configuration and rotate password for the account. So it just shows you some of those for the hardening. And then the other part is actually detecting behavior, unusual behavior. And again, some of this is like suspicious interactive logon to the Entra Connect server, user password reset by Entra Connect account. So the account actually doing it itself because in theory it shouldn't need to do that. It should be the service behind it. And suspicious writeback by Entra Connect on a sensitive user.
So nice.
There's some key ones there. Yeah. Okay, so Defender XDR. So the actual portal or the unified portal itself, they've just, there's a preview at the moment for your Sentinel data is now available in the new Microsoft Defender multi-tenant management. So previously it was only XDR sort of information that you could use there. And the Defender multi-tenant management is in effect. If you had multiple tenants and you had multiple, then you had multiple Defenders in effect for maybe different parts of your organization. You can then see it all in one place or manage it from one place. This is now allowing you to bring up the Sentinel data as well as that integration continues. That was pretty much it for the Defender XDR portal in general. Defender for Office. So in here we've got a new simulation for QR code payloads, so now you can, you can now test your users, see if they try and scan a QR code that they might get in an email, they might win some free coffee or something, I guess. Or do some user training. So yeah, so that's in there. In Defender for Cloud Apps. That's the September 1, we can't talk about that yet. So really in here. They reorganized all the Defender for Cloud Apps documentation to make it more easy to work out where you need to go for some of it's quite a, quite a few areas in that. And there's a public preview for large scale export of activity logs. So you can do the new experience allows you to export up to six months back of data or 100,000 events. So if you're a large organization that might be easily captured, it's a definitely, probably not going back six months for that, I expect. But yeah, there's a way to export the data. I guess you would use that if you were doing some investigation, you wanted to see specific activity over the last six months and you could pull out then do some analysis on it. That's that one. Microsoft Sentinel. So we are going everywhere on this one.
So you can export and import automation rules using ARM templates now. So you can now start to look to build that into a CI/CD process. Previously I think that was, you couldn't do any of that. That was all done through the, through the portal originally. So that's quite a win.
Yeah, that's really good change, isn't it?
Yeah. Yes, it's just those niggly bits that you can't, you can't automate from deployment. We talked about Sentinel being in multi-tenant Defender. There's a preview connector for the premium Microsoft Defender Threat Intelligence. So feeding that into your SIEM and probably one of the main big changes is the unified AMA based connectors for syslog integration. So I think this is now bringing in the Syslog, CEF (Common Event Format) and new custom log via AMA. Bringing that all into the connectors or making sure they're there now as MMA is now, I think officially gone end of life and not being supported. So that's a good view of that. Yeah. Okay, so for Defender for Endpoint, the only one in here for August is around network protection features enabled by default. Mainly this is around Android, Defender for Endpoint on Android. In effect it's enabling the network protection, it's on by default. So that's app protection and web protection there. So I think previously you might have to either be a manual process or you had to do config within your MDM solution to enforce it. Microsoft Entra, so we talked about the big one about MFA being enforced. What else do we have in here? There's some new UI updates to the My Sign-Ins information. There's an API to allow you to provision FIDO2 keys. You can enable, disable and delete synchronized user accounts with Lifecycle Workflows. So that's probably quite a big one from a JML process perspective. Yeah, I think that's probably. There's quite a few in here. I'm just trying to pick out some of the key ones. That's probably the main ones there.
Nice.
Intune. Again, there's quite a few areas. So there's an easy creation of privilege management elevation rules, support approval requests and reports. They've just improved the sort of process as part of the Intune Suite there. For Windows devices, we've got new home screens, we've got some new configuration settings for Apple devices. So a few there. I'm not going to go through all of the different settings in there. Quite a few. It's for iOS and iPadOS as well as macOS. There's quite a few actually for macOS, yes, probably it from there. Defender for Cloud. September's, because there's already loads in September and we're only five days in. So there's a preview for. So because of the MMA agent going end of life, there's a new version of file integrity monitoring and it's based on Defender for Endpoint. So it's using Defender for Endpoint data because in effect Defender can see everything running on that machine. It's using that data to be fed into the service that was previously there. So I think you've got to check the box to say, yes, I want to use the new version of it. But it does also mean you need Defender for Endpoint deployed to get that functionality. We've got a deprecation of Defender for Cloud alerts integration with Azure Web Application Firewall. I don't know if there's any reasoning around that. That doesn't say anything, but I do wonder that's going September 21. September is when that's that integration is going. It might be that's, that kind of thing might be being fed into the Defender XDR portal maybe in the future. That's what kind of feels like to me. And then the last one in here is you can now enable Microsoft Defender for SQL Servers on Machines at scale. So when, now when you enable it, you can now select multiple machines rather than having to go to each individual machine I think previously to enable it.
So if you've just, you know, enabling, deploying Defender for Cloud first time and you need to either do your Azure resources or your on-prem resources via Azure Arc, it looks like now you can select them all and go deploy, which sounds like a win, a win for consumption costs.
No, that does sound. Yeah, yeah. A lot less tedious, that's for sure.
Yeah. And that's all I had. Even though I believe that some Global Secure Access stuff came out. It's just interesting. It's not in the Entra stuff. I believe that private DNS became public preview. Yes, it's somewhere, but yeah, I think it went public preview which means you can now in the Quick Access, you can now just add your, your domain suffix in there so that all the traffic can then go across that and it will help, it will know to go through the private access tunnel. And it also means that you can then do SSO, Kerberos and I think it's NTLM and certificate-based SSO against your applications or your services on that, on the other side. So that's quite a good one as well.
Yeah, really good. But yeah, I think that is all of my stuff as well. There's quite a few things there. Nice. Yeah, yeah. Lots of good updates I think across the Microsoft Teams and we are coming into Ignite sort of season, aren't we? The build up to that. So be interesting to see how much more we see being released. Yeah. Okay, cool. So what's the, what's the next episode then, Sam? Yeah, I'm gonna have a look at the Azure VM Image Builder tool. Have you ever used that, Alan, to build images?
I haven't, I haven't. But I remember when it got announced and stuff, it seemed quite a cool thing to use. Yeah. Because I think, I think a lot of people have the sort of requirement of building custom images and yeah, I just thought it would be good to sort of visit that tool because it is, it is pretty powerful for what it is. There are some other third party tools that you can use as well so I'll probably mention those as we, as we go through as well.
Yeah, I think. Wasn't it based on one of those or very similar to. If I remember. Yeah, I can't, I can't really remember. It has been a while since I've had to deploy like a custom VM image. So yeah, I'm going to revisit it in some spare time and see how it works and what the latest functionality is.
Cool. Okay, so did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us reach out to more people like yourselves. If you do have any specific feedback suggestions on episodes, we have a link in our show notes to get in contact with us or leave a comment on the episode. Yeah, and if you've made it this far, thanks ever so much for listening and we'll catch you on the next one. Yeah, thanks all. Bye.