Hello and welcome to the Let's Talk Azure Podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode 38 of season five. Alan and I recently had a discussion around the news in October. Here are a few things that we covered: key Microsoft Entra, Intune and Defender features and updates, many Azure changes, new features and also retirements. We notice that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's jump in. Hey, Alan, how are you doing this week?
Hey, Sam, not doing too bad. How are you? Yeah, really good, thank you. Really good. Do we need to apologize for our lack of episodes, Alan? We've been a bit busy, haven't we, the last couple of weeks? Lots of different things that have just stopped us from getting recording, and bad timing at the end of the month, I think, is probably the fairest way of calling it out. Right. Yeah, I was away when I. So.
Oh, yeah, yeah, that's true. Yeah. No, so, yeah, so we took a little break, but yeah, hopefully. Well, I say not much disruption, but. Not long now, Alan, before you're off to. Is it Chicago this year for Ignite? Yeah, it's not yet. That's right. Sorry. Yeah, I got it right first time. Are you all ready to go?
Looking forward to. Yeah, looking forward to it. Ready. Yeah, it's like next. Next weekend that I pack and get ready to go sort of thing. Yeah, I think pretty much ready. Just testing out some of the labs and stuff that I'm proctoring, make sure they're all working. So, yeah, it's going to be good. Nice. I think Microsoft have got you working quite a lot, haven't they, whilst you're over there? How many labs?
Yeah, so proctoring. Two. Two labs over four days? No, over two days, but they're being repeated. So there's, you know, two. The labs are. Yeah, the. Both labs are both repeated each day, basically on the Wednesday and Thursday. So, yeah, just proctoring those. Oh, sorry, go on. Yeah, Defender for Cloud. Nice side of things. I can't quite remember what the labs are called, but yeah, it's all around securing your environment using Defender Cloud. So should be good.
Nice. And do people just sort of rock up with their own kit and, you know, they spend some time with you and others just learning about Defender for Cloud? Is that how it sort of works?
No. So all the machines are provided in the room and, in effect, someone presents at the front and you run through the labs. Sort of instructor led, I guess, in some way, with other proctors like myself running around if there's any questions, things like that, if you get stuck with any of it. So yeah. And you have to register for it, but it's free. It's not one of the paid pre-days or anything like that. But you've just got to register for it so that you can get a spot.
Nice. Really good. Can people still register at the time of recording? I believe so. I've not checked to see how busy those events are. I've not checked to see if they're packed or not. You might have to do a lab or two, Alan. I know, I highly doubt that. They're usually pretty busy, aren't they? Yeah. I can't remember how many people it is. I think it's like 200 or 300, something like that. Is it? Maybe. I don't know. I can't remember the numbers.
Nice, nice. That's really good. It seems like it's going to be a lot bigger event this year. I see lots of things in the LinkedIn sphere and the Twitter slash X sphere of people talking about it. So hopefully it should bring partners, customers, you know, and Microsoft product and sort of technical people there all in one space. I think it'll be good.
Yeah, definitely. And the time zone's not as bad for us in the UK. I think it's only five or six hours now instead of eight or nine, I think it is. Yeah. Yeah, that's true, actually. Seattle to Chicago. Yeah. Nice. So, yeah. Cool. Well, hope you have fun, and yeah, it sounds like you're gonna be doing a lot for, you know, Microsoft and the community. So, good work with that. Okay, Alan, this episode is, I think, news for October, isn't it? Yep.
Yeah. Do you want to start us off, or. I'm happy to go. It's up to you.
Oh, I'll go first. Okay. What I'm kind of seeing is there's a few things, some interesting things, I think, but it doesn't seem like a lot, and I can't think why. Maybe it's because a lot of stuff's going to be announced at Ignite, so it might all be being, you know, what do they call it, sandbagged, ready to release for the event. So yeah, there's a few things. So if we start with the Defender XDR portal, they've put in some new unified RBAC roles, and this is mainly for customers who have the Microsoft Threat Experts sort of capability, in effect allowing a role that lets users, or consumers of it, ask the experts, the Defender Experts bit. So you can at least limit who can activate that, because I believe that's a paid service. You pay for that service, but you've got X amount of asks, I think.
Okay, right.
Yeah, you kind of want to limit what you do there, I think, essentially. And in preview, in advanced hunting you can now use the arg operator for Azure Resource Graph queries. So I guess that's bringing it across from Log Analytics, from Sentinel. So it's just helping with that integration side of things. Moving on, if we go into Defender for Office, the only update in here is that your tenant allow and block lists now support IPv6. So we've started seeing IPv6 being enabled in the various services, things like Conditional Access and things like that, so just outside of this, but yeah, that's just been added into that. Moving on, Defender for Identity. With Defender for Identity we don't tend to get large amounts of updates; it's more around bug fixes, things like that with sensors, occasionally some updates. But this month, well, October, they expanded the coverage of their identity posture recommendations and added 10 new ones, which seems quite a large amount to bring in. Yeah, so that includes: accounts with non-default primary group ID; change domain controller computer account old password; GPO assigns unprivileged identities to local groups with elevated privileges; GPO can be modified by unprivileged accounts; reversible passwords found in GPOs; built-in Active Directory Guest account is enabled; unsafe permissions on the DNS Admins group; ensure that all privileged accounts have the configuration flag "account is sensitive and cannot be delegated"; change password of the Kerberos token account; and the last one is change password of built-in administrator account. They all sound pretty valid in their thinking, and I guess it's adding to what they're calling Identity Security Posture Management, ISPM. Another acronym.
With the. Is that real? Has that just been made up, or is that a thing? I hope it is, or I hope it isn't. I'm not sure. I don't know how I feel about that. It's part of the SPMs, I think it's fair to say, because you've got like SaaS Security Posture Management, SSPM. So here we go. The Copilots have got like another sister group, the CSPMs. Oh my God. Anyway, sorry.
Yep. So that's really good. That's gonna be helping, you know, secure your Active Directory on-prem and things like that. So moving on. For Defender for Cloud Apps, in effect what we're seeing here is new data going into the advanced hunting CloudAppEvents table in the Defender XDR portal. So they've got stuff around new anomaly data, new Conditional Access App Control and inline data. What's the other one? OAuth app IDs. So they're just updating. It's probably helping with the integrations, in effect, to bring some of that extra data from Defender for Cloud Apps, now being truly integrated into the XDR platform. So extra data that you can create custom detection rules on to detect threats and things like that. I think that's quite good.
Yeah.
And of course that data is included in your licensing because it's not being pushed into Sentinel. So that's quite good as well. Entra. So on to Entra. There wasn't anything for Defender for Endpoint this month, so that's why we've jumped onto Entra. Here it's all about passkey authentication on Android. So being able to use your passkeys for your Microsoft apps on Android using the brokers, Microsoft Authenticator or the Company Portal. So that's a push to start actually using it on mobile devices. And I think that was probably it that's worth talking about on Entra. I do need to check whether they include GSA, Global Secure Access, in these updates as well, or whether there's another separate page for that, because it's kind of different in itself. That makes sense because this is actually Entra ID. So yeah, I'll check that in the background. So if we move to Defender for Cloud, within here we've got some deprecations. Let's just look at this. Yeah, so it's a couple of deprecations. It's more around the compliance standards. So they're getting rid of SWIFT CSP version 2020 because there's a 2022 version, so it kind of makes sense. And the CIS Microsoft Azure foundational benchmark 1.1 and 1.3, because there's two new versions, 1.4 and 2, that have come out. And there's some other ones for Defender for Cloud standards: they're removing the AWS CSPM and GCP CSPM. And I think that's more that it's basically being replaced with the Defender, sorry, not Defender, the Microsoft cloud security benchmark, because in effect it's the same thing. I think they just used that whilst it was in preview some time ago. What else have they got in here? That's probably it. They've got some improvements to attack path analysis. Yes, that's probably it worth talking about. That was that one, and Intune.
So within Intune, the Company Portal had an interface upgrade to sort of modernize it with Windows 11, and some of the Defender for Endpoint security settings are now supported in government cloud environments. That's now got GA, so that's available in most places. Yeah, that's probably it that was worth talking about, outside of Windows Autopilot device preparation support now being available in 21Vianet for China. Yeah, probably butchered that naming there, but it is what it is. The other part was they added a new strong mapping requirement for SCEP certificate authentication to meet one of the updates that happened recently. Yeah, that was pretty much it. So I think that was a whistle-stop tour. That's kind of everything from my side, and I'll just check in the background to see if there's anything else in Entra, because there are various subsections of that suite. But yeah, I think that was probably it. Like I said, not tons of things, but I think that's because Ignite's around the corner.
Yeah. Yeah. I think your next news episode is going to be pretty beefy, should I say? Sure.
Okay. Right, let's go through some Azure updates. New retirements. It seems like we get lots of retirements now, but I think that's just a function of the amount of different services there are. Does that make sense? I don't think they're actively retiring more stuff. Maybe somebody's run that number or that ratio. But planned service retirement: Azure Automation State Configuration on September 30, 2027. So that's a long way away, but if you are using State Configuration within Azure Automation, you need to plan for that. This one was just cool, I think. What was it? Storage box, that I think is probably the coolest thing in Azure. I think this is actually probably cooler. Another retirement announcement. Unhappy. But anyway, Azure Orbital Ground Station retirement. And then this is a real quote from the update: "Customers with existing private spacecrafts with appropriate licenses and authorizations can continue to use Orbital Ground Station service until December 18th, 2024." Okay. Public spacecraft authorizations will end on October 28th. I have absolutely no idea what Azure Orbital is, but there will be an episode on it soon, that's for sure. SQL Data Sync, another retirement: SQL Data Sync will be retired on September 30, 2027. I believe that is a specific, literally SQL data synchronization tool. So yeah, there's another. Where are we? We're 2024. So that's a three year notice period on that retirement. Moving on. I think that might be the only retirements. Yeah, I believe so. I know there is one more, actually, in my tabs. Public preview: Azure NMads MA35D series virtual machines. They're now in public preview in the East US region. They're specifically optimized for batch and real-time video transcoding workloads. It's got an ASIC video processing unit with 8 gigabytes of memory in addition to the actual box itself, which has got 16 virtual CPUs, 32 gig RAM and 76 gig of temporary storage.
4 gigabytes per second, 4 gigabits per second of network bandwidth. Essentially, because of that ASIC that it's got on board, it provides much higher throughput and lower latency for video transcoding workloads. It does also support modern codecs such as AV1. So if you do have video encoding, sorry, video transcoding workloads that you utilize in the cloud, this could be a lot better price-to-performance ratio, essentially, because you're getting much more throughput through that ASIC. I don't know anything about price at this moment, but it's currently in public preview. Azure Virtual Network IP Address Management: there's a public preview of this new address management feature. It's designed to streamline and help you manage IP address management with extra control and efficiency. If you've got large amounts of IP addressing and management of that, this is supposed to help you in that space. I got an email tonight about a discount for Copilot for Microsoft 365, which I thought was a bit weird, and I shared that with you, Alan, because I've never got an email from Microsoft about a discount before, so it was a bit weird, especially not for that type of license, if that makes sense. And also, apparently there are discounts available so you can save up to 56% on the latest Linux VMs in most regions for a limited time. So it's not actually a 56% saving in this discount, but you get an additional 15% discount on a one year reserved virtual machine instance. So they're adding another 15% on top for reserved. Apparently that offer is available from October 1st, 2024, so like now, until March 31st, 2025. So yeah, another discount from them. Cool. Azure Spring Apps will be retired on March 31, 2028. So Azure Spring Apps is a fully managed service for running, literally, Java Spring applications. So I think it's built on top of VMware, and both Microsoft and Broadcom, they're getting a bit of flack at the moment for VMware.
But anyway, they've decided to retire the service. I don't know why, but that is going to be retired in 2028. March 31, 2028. So a little bit of extra information there. I generally see Java being used for more enterprise applications. That's probably unfair to say, I mean, outside the mobile space. So this could affect quite large enterprises, because this was their version of App Service, basically. They are pushing people towards Azure Container Apps, so containerizing those applications. I don't know how apps were run on Azure Spring Apps, so I don't know what sort of re-engineering is required there. So quite a big one, but with a long retirement date on it. In public preview now, there's evaluations for indirect prompt injection attacks in Azure Studio. So this is essentially another emerging attack vector with generative AI solutions and prompt based solutions. So it's good to see that there's even more protections and investments in safe usage of AI. Azure SQL updates, just going to get dumped into essentially one announcement: reducing costs on serverless compute for Azure SQL databases by lowering the auto-pause delay for serverless compute. So this is where, in serverless SQL, your instance basically wakes up to new interactions and then it pauses after a certain amount of time. They've reduced that pause delay, so your instances will shut down more efficiently and quicker. So if you are using that, that is worth having a look at. I don't know if that's something you need to configure. You can now perform bi-directional failovers between SQL Server 2022 and Azure SQL Managed Instance. This gives you really good hybrid disaster recovery. If you're not aware, Azure SQL Managed Instance is not Azure SQL. It is a managed instance of SQL Server sitting in the cloud. So it's really good for sort of hybrid scenarios, but also sort of lift and shift into Azure.
Because if your workload doesn't support Azure SQL, because there are some differences between the sort of full-fat version of SQL Server, then typically for sort of enterprise and SaaS workloads. But now there is a bi-directional sync between, I'm going to insert the word on-prem, SQL Server and Azure SQL Managed Instance. So that will allow you to have like an off-site disaster recovery solution and, you know, near real-time failover into Azure. So if you are running hybrid, that could be really advantageous for you. Okay, Alan, do you know what the maximum egress speed of general purpose v2 blob storage accounts was, and now is? I didn't either. It used to be 120 gigabits per second. Microsoft has now increased this limit to 200 gigabits per second in essentially all the major regions. I'm going to say there's lots of them. For us in the UK, not UK West, but UK South is included. So it applies automatically to all existing and new storage accounts. So getting extra bandwidth for storage accounts, egress limits. I don't ever really understand how that works, because if you try and pull something down from Blob storage you never get 200 gigabits per second. But anyway, maybe it's like a subscription limit or something like that. Maybe, I don't know. Generally available: there is a new App Service Environment memory intensive pricing tier. Back in my day, when I used to write apps, memory was pretty much the primary issue, I would say, with PaaS services. You would exhaust your memory way quicker than you would CPU, for my types of workloads, B2B SaaS applications, stuff like that, mainly to do with caching and sort of memory release techniques that were used. And then what that would then mean is that you would need a third party sort of caching system like a Memcached or a Redis or something like that, where you would incur more cost, because your actual API or web servers could cache it locally. So they've got some really good ratios now.
So the bottom of the range is 2 virtual cores to 16 gig of RAM. So that is quite a high. That is doubling the amount of RAM in that base tier. And it scales up to 32 vCores with 256 gig of RAM. So yeah, pretty chunky instance, 32 vCores with 256 gig of RAM in App Service Environment. Lots of different things running in App Service Environments, so it's worth checking that out, especially if you've scaled for memory and you've had to take on the extra cores. So it might be worth you looking at resizing your instances if that's the case. Alan, have you heard of VMwatch? Maybe. VMwatch, now in preview, is a standardized, lightweight and adaptable in-VM service offering for virtual machines and virtual machine scale sets. It runs health checks within the VM at configurable intervals and sends the results via a unified data model to Azure. So it's designed for the health results to be consumed by Azure's production monitoring AIOps engines for regression detections and preventions. So it's delivered via the Application Health VM extension to make it easy to deploy. Some of the checks that you can run: outbound connectivity, DNS resolution, failed connection attempts, number of current connections established, passive connection openings. That's on the sort of networking side. There's lots more than this; I'm just pulling out whatever looks good. For disk: Azure disk IO used percentage, capacity in bytes, write ops, read ops. CPU: processing cores usage, total machine CPU usage. Processes themselves: processes when they're created, running processes and uptime. So the running processes one is where you can verify target processes are running. Hardware health monitoring: collect hardware health info from the Windows event log, currently only related to critical events such as event IDs 7, 500, 504, 505, etc.
So it sounds pretty good actually.
Yeah, interesting. Yeah, I haven't. It was news for me when I saw it in the list, basically. So I don't know if that's going to make anything easier in our world. So yeah, it'll be interesting to see. I'm gonna give that a try at the weekend. Now generally available: Azure Cobalt 100 Arm-based virtual machines. We do love an Arm-based virtual machine. They basically offer 50% better price-to-performance than their previous generation Arm virtual machines. So yeah, you're essentially getting a lot more bang for buck with these Cobalt 100 machines, and they look to be Azure's own machines, essentially. So yeah, that's Microsoft Azure silicon. So interesting to see. It was the.
First round, done at last Ignite, I think that's probably what it was. Was it Cobalt Woods? I think.
Okay, maybe. Yeah, I'd love to run some of those and see how they function and what they're sort of useful for. They go down to really cheap, basically, even pay as you go. The 2 vCPU and 1 gig of RAM is only $6 a month, and you can put it on a 3 year savings plan and it costs $2.75 per month. So yeah, they can even go on savings plans. Azure Functions now supports Node.js 22. Version 22, not 2022. So yeah, I don't know if Node. Sorry, two seconds, Node.js, just go to their website. Is that the new LTS? Yes, version 22 is LTS. So that's long term support. So that is an important version to have available. Generally available now: Azure App Configuration premium pricing plan. So this is a premium version of Azure App Configuration that allows you to support much larger and complex applications, basically. You get increased capacity of configuration volumes and throughput, global replication, you get one included replica in this premium tier, and you also get an improved SLA at this premium tier as well. So if you are relying, because a lot of these applications are going to have a critical dependency on their configuration, right, for them to function correctly, usually as they boot into memory. So yeah, this is going to be important to have a high SLA for you to run from. And that's it from me. Quite a few Azure based updates. Sorry, lots of retirements, but I do feel it's important to call them out, especially if it's a product that you're currently using. It's worth knowing about.
Yeah, definitely. And like you said, it sounds like a lot of deprecations, but there's probably hundreds of services there, so it's actually not exactly that bad. Yeah, yeah, no, I don't think they're being overzealous, basically.
Cool. There wasn't anything else for Entra sort of things. There's been some connector updates for Entra, the GSA client, but nothing to really. Just some enhancements to its stability and things like that. Yeah, I did look at Defender for IoT as well, because it's been a while since we've looked at that, but again it's just some improvements, some extra detections. They've added, I think, an extra protocol as well. Because I think the last major thing they did was the integration with Entra for the login for it. Yeah, which was in April, it seems. It seems like it was more recent than that. Yeah.
Nice. Yeah. Cool. So what is the next episode? That's okay.
So I'm going to do an episode on Defender for Cloud DevOps Security. It is a more security focused tool, but it's sort of something that you can put in your software development lifecycle and deployment pipeline to protect your workloads that may eventually end up in Azure or, I suppose, even another cloud. Yeah. It essentially looks at your code base and repositories for vulnerabilities and sort of a security posture. So, yeah, I'll take us through that offering.
Cool. Yeah, I think I've had a little play with it, but probably not configured it to its full potential. Yeah. Cool. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us to reach out to more people like yourselves. If you have any specific feedback or suggestions for our episodes, we have a link in our show notes or leave a comment on our YouTube channel.
Yeah. And if you've made it this far, thanks ever so much for listening and we'll catch you in the next one. Yeah, thanks. All.