Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong.
If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode one of season six. Alan and I recently had a discussion around the new releases in December. Here are a few things that we covered: key Microsoft Entra, Intune and Defender features and announcements; Azure changes, new features and also retirements. We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support for the show. It's a really great episode, so let's get going. Hey, Alan, happy 2025.
Hey. Yeah, happy 2025, Sam. Yeah, we had, I would say, a good break over the holiday period. We're a week later than we usually would be, but no, it's exciting to get back in and get back to recording. Did you have a good holiday break? Yeah, it was good. It was good to rest this time, I think, and I think I had quite a lot of it off actually this time, and yeah, it was good. What about yourself?
Yeah, good. I did actually work quite a bit over the holiday period, and actually I think it saved me from that time in between Christmas and New Year where you don't know what day it is and, I don't know, haven't changed out of your pyjamas for three days. I didn't have that. I went back to normality in between. There was just nobody else in that normality at all, because everybody else was vegetating at home. You were just the spectator of that.
Yeah, exactly. So actually it did work out quite well, because I ended up having, you know, three-day weeks or something like that. I can't remember what the exact makeup of it was, but it was actually quite nice. But yeah, a few days when I went into the office there was literally, you know, one other person in, basically. But no, it's all good. Okay, so this episode we're going to cover the news of December 2024, because we did November at the end of November, start of December. We're a little bit later in January, but we'll just cover what happened over December. Alan, do you want to kick us off with your side of things?
Yeah, sure. Okay. So I normally cover the sort of Defender XDR products and that side of things, all the 365 and licensing side, I guess. So let's have a look. If we start off with Defender XDR in general, they've done some stuff on GA around content distribution via tenant groups in multi-tenant management, so being able to distribute content, in effect, into specific groups that you might create. I guess it's kind of looking at the workspace manager part of Microsoft Sentinel, replicating some of those features and bringing it all into one place. Some of the other parts are more around linking to incidents in advanced hunting, so when you see the query results you can go straight to the incident that's related to it. It's quite good. There's some other bits in here around some of the KQL functions that are there by default in Microsoft Sentinel. They've now brought those into the Defender XDR portal, into that KQL engine. So I guess that's the start of the migration, with some of the queries that you can do in Sentinel now being able to cross-query with the Defender information as well. Okay, so let's move on. The unified experience within the Defender XDR portal, the unified SOC operations platform: what came out in December was that there are some new optimization recommendations based on similar organizations. I think that's quite interesting. I'm guessing that's looking at the size of your organization, the endpoints that you have and, as it's unified, I guess also the data sources you might have, and trying to understand what optimizations organizations similar to yourselves may take.
The other part is that Microsoft Sentinel workbooks are now viewable directly in the Defender portal, and it doesn't redirect you to the Azure portal. So that seems quite good, and again it starts to bring that single pane, or the integration of Sentinel into the portal.
Sorry, is it now sort of a foregone conclusion that that's essentially the way it's going to go now? I don't think there's anything official, but based on everything now just working in the portal, it's definitely given that indication.
I was thinking about this the other day because, I know it's not the same thing, but they have done the same thing with Purview as well, haven't they? With the new Purview portal and experience, they've really well integrated... Well, no, actually I'm not going to say they've really well integrated it, because it is sometimes really confusing when you've got a customer that's on a really high licence level and they say that they're on the free version of Purview. That does sometimes get a bit confusing, I must admit. But they've essentially taken the 365 side, the unstructured data side of Purview, and merged it together with, I don't know what the latest iteration of it was, the Azure Purview governance portal, I think it was. Is it now called Enterprise Purview or something? Sorry. But they've essentially done that, haven't they, on that side? And so I feel like that's a very similar thing that's happening with Defender XDR and Sentinel, with a sprinkling of Security Copilot interwoven as well, because again that is an Azure resource, isn't it, that has to be linked back in and integrated. So yeah.
I think the other example is also Defender for IoT, because I think most of that has moved now into the XDR portal and all the licensing got changed to site-based rather than you having to buy it through consumption. Yeah, exactly.
So yeah, it's all going to one place and, like you said, you're going to end up with three portals: Identity, Entra; the security one, XDR; and then you can have your compliance one. Yeah, sci pools.
Yeah. And to be honest with you, I think that'll make the discovery of a lot of these tools a lot easier to stomach, and I think actually using them on a day-to-day basis is going to be better for people, isn't it? There's not that kind of awkward bridge between Sentinel and Defender XDR that you've got to click through. Does that make sense? And where does the functionality live? How much of Defender do they need to bring into Sentinel and vice versa? Now they're aligned next to each other, aren't they? So I think it's only a good thing.
Yeah. And the click-through, the workbook one we just talked about, it's generally fine for you to jump out into the Azure portal, but then you're somewhere else and you might get confused about how you get back.
Yeah, and I genuinely think when you're in that, I'll call it incident response mode, you've already got enough to understand and work through. You don't need to be jumping through two completely different user interfaces and two separate areas, working out where functionality and data is on either side. It's like maintenance of content, isn't it? You've got content in two places and so on. But I think it's only a positive thing; it can only improve the user experience, I'd say.
Yeah, exactly. So we'll see. I think it's going in the right direction. It's just that we're in that transition period, aren't we? But as we've seen, more stuff is being enabled to just work in that portal. Probably still backed into Azure for now, but we'll see where the rest of it goes, I guess. Okay, so if we move on. Let me just double check. Yeah, the November stuff. So that was the only two things that came out for the unified side of things. Defender for Identity: generally every month we get an update to the agent to add new functionality, but I think because of the unified client that's come out for Defender for Identity, Defender for Endpoint and Endpoint DLP, most of the focus is on trying to get that rolled out to all platforms from a configuration perspective. On the posture management side of it, in December Microsoft released a new recommendation: prevent certificate enrollment with arbitrary application policies, ESC15. So that's another good recommendation there to help secure or improve your posture against your certificate authorities. That was it for Defender for Identity. Defender for Endpoint hasn't had any updates listed, but obviously we have the unified client come out, so I guess you could technically class that as an update, because it's being enhanced to have the other sensors added into it. Defender for Cloud Apps: again, this didn't have anything for December. The only thing I will say is I'll pick up on the November ones, because I think I missed them, to be fair, because I don't remember talking about these. Session control uses a Microsoft Defender for Cloud Apps enterprise app.
So it's just recommending not to put any conditional access on it, because otherwise it won't be able to run that application in session control. So you just want to make sure you exclude it from an "all apps" sort of coverage, which is interesting. I didn't even know that, so that's good to know. The other one is Defender for Cloud Apps now supports the Graph API in preview, so you can now query data about discovered apps via Graph. The API has been enhanced so you can now query discovered apps via the Graph API.
That's quite cool. Yeah, really good.
Yeah. So that's probably it for now on that one, because it was technically November's. Microsoft Sentinel. Let's just take a look. So again we've got the new SOC recommendations based on similar organizations, because they're integrated with the unified portal. They've brought out an agentless deployment for SAP applications; it's a limited preview at the moment. So that's being able to do it against SAP S/4HANA Cloud Private Edition, RISE with SAP, SAP S/4HANA on-premises and SAP ERP Central Component (ECC). I have no idea what the indications are, but...
I was just gonna make the joke that you said a bunch of words, Alan, but nothing registered in my brain. I was waiting for it. I was waiting for a quip from you. That's why I got in there first. So yeah, that's really good to bring that integration, making it easier, because it's been quite difficult to work out how you collect the logs from it, I think it's fair to say. But isn't that the whole point of those types of systems?
Exactly. So I would assume Microsoft have worked with SAP to get that connector working, or get the APIs built into the service so you can connect into it. We talked about the workbooks. Unified Microsoft Sentinel solution for Microsoft business apps: they've built a solution that covers Power Platform, Dynamics 365 Customer Engagement and Microsoft Dynamics 365 Finance and Operations. It's an updated solution, removing some of the old ones, and they've built a new one now. I'm quite interested in that, actually.
Okay. Yeah, interesting. Because it's kind of been a little bit of a blind spot, I think it's fair to say, trying to get logs out of those systems easily, considering it's first party, kind of.
Yeah, because from the compliance space it's always been a bit disconnected, if that makes sense. You say it's first party and I completely agree with you; on paper it is, but in terms of its integration to anything it's not. In some respects it's worse than others. So yeah, I don't know, posture, data control or whatever it is, visibility, logging. I do think that needs to come together in some way, that's for sure. Make it easier.
Yeah, exactly. There's a new, in preview, S3-based data connector for AWS WAF logs, web application firewall logs. So I think that's probably just enhancing it, because I think a lot of the AWS logs now are via an S3 bucket data connector, so it's probably just adding it into the list. That's probably it for Sentinel. So actually there's quite a few there, with a few interesting ones. Yeah, definitely.
So Defender for Office: there wasn't too much on there, just enhancements to some of its machine learning and its detections. Microsoft Entra: one thing that came out was the general availability of a dedicated first-party resource application in Entra which is used for the synchronization between on-prem AD, so for the AD Connect, or sorry, not AD Connect, Entra Connect, my words... Entra Connect Sync or cloud sync connectors, in effect, now as a single enterprise application. Now you can force the service account that's being used, or ultimately generated, to only be allowed on that one and blocked from other services, just to enhance that least-privileged access for it, because it does have fairly high permissions there. In public preview, Microsoft Entra ID Governance approvers can revoke access in My Access now. That's quite good, because I think previously all they could do was set the time when they get an access package, and once that time expired it would expire itself; they would maybe renew from an access review perspective. This looks like more of a reactive action that you can now take. There's expansion of the self-service password reset policy audit logging, so from mid-January, which is probably around now I guess, there's improved logging for that. I guess that's just to prove which authentications and phases they're going through for that. Oh, this is an interesting one.
It's not really security related, but you can update your profile photo in My Account instead of having to go via Teams or via your on-prem AD, I think. So that seems interesting; you're able to update your profile from there now. Quite a good one: generally available, temporary access pass (TAP) support for internal guest users. A TAP can be issued to internal guests just like normal members, through the Entra ID admin centre or natively through Graph. So yeah, I don't know what technically classes as an internal guest user.
Is there anything about licensing on that? No, it doesn't say anything about licensing. No word on price. Yeah, possibly it's identity governance. That's my feeling, but I don't know, I haven't even looked at it. They normally tweet about it.
Yeah, these previews, or these new features etc., it is suggesting whether they are Entra ID Governance or not, though. Yeah, exactly.
Yes, that's probably it for that one, and then Intune. With Intune, let's just take a look. There's loads of updates here, but it's just working out what to cover. So, ending support for Android device administrator on devices with access to Google Mobile Services. The Android device administrator mode has been going out of support for forever, pretty much, so December 2024 is basically it; it's gone now. Device security: the tamper protection policies that are in Endpoint security settings are now supported when the device is managed by Defender for Endpoint. So that policy, the Endpoint Policy Manager sort of configuration, now supports enabling tamper protection. That's a good one to have. Oh, interesting. So there's ending support for administrative templates when creating new configuration profiles.
Yeah, I did see that in the portal actually. So they're completely getting rid of all of them. That's interesting. They must have moved everything then. I'll have to see how you do some of the other ones then, or admin templates. Yeah, that's fair, because that's in effect the group policy view, isn't it? So that's fine, because the settings catalog is, in effect, a lot better now. Oh yeah, there's so much.
Intune now supports Ubuntu 24.04 LTS for Linux management. It's specified under Linux Ubuntu desktops, so suggesting it should be the desktop version, not the server version. Whether Intune can determine the difference might be a question, but yes, some weird-looking usernames, you know, managing those machines anyway.
Yeah, I think it's because it's user-based, not device-based, so I think it's the sign-in side of things. That's probably it for Intune. Is there anything else? I've talked about all of those I had. Anything else? No. So that's probably it for me. I mean, it's a fair bit there. I think Sentinel was the biggest one there, definitely, this time. So Sam, what's happening in Azure, apart from the web page changing?
Okay, I've already got this off my chest to you, but there's been another redesign of the Azure updates feed. And it's not great for me, because I used to be able to click on a button which said everything that happened in December and I could go through and literally just pick what I liked and what I didn't, and now it's literally chaos for me. So there's going to be an automation created over the weekend, I think. Anyway, let's not harp on about that. Okay, talking of chaos, first item: there are new built-in roles for Azure Chaos Studio: Azure Chaos Studio Experiment Contributor, Chaos Studio Operator and Chaos Studio Reader. So new built-in roles; they do various things. I won't go through them specifically, but it's always great to see one of my favourites, and it just so happened to be the first update that I wanted to share. So we're starting 2025.
I'm going to have to make a tally of how many episodes you get Chaos Studio into.
Whoever the team is that's working on Chaos Studio and Data Box, they are feeding me every month with at least one thing, because it'll be like "we've made a new Data Box tank that you can drive from region to region" or something like that. So yeah, I'm happy about these things. Anyway, okay, I do just have to check some of these, because what's real and what's not is confusing to me now. Azure SQL updates for early December: you can now get enhanced monitoring for the dynamic management function. The dynamic management function now displays the component causing throttling of the primary log generation rate in Azure SQL Database Hyperscale. Again, like your SAP explanation: no idea. But I assume if you're using Hyperscale that is important to you. The second point is probably more relevant to other people: you can now do one- and three-year reservations on Azure SQL Database for zone-redundant general purpose databases. And that sounds like quite a reasonable SKU, doesn't it? Zone-redundant general purpose databases. So I think that's worth calling out, because there could be a lot of people using that. Okay, Azure Database for PostgreSQL Flexible Server: there is now general availability of high availability health status monitoring for PostgreSQL Flexible Server, so you can now track and maintain the health of high-availability-enabled instances a lot more easily than you could before. So I assume the health monitoring wasn't high-availability aware previously. I don't use that product, so I don't know, but I did think that would be quite important to talk about. There is a new cloud region in Azure. Can you guess where, Alan? Or do you know where it is?
I probably do know it, but I can't think of it off the top of my head.
We are apparently in New Zealand now. There is an availability zone available there. Interesting. Not somewhere that I would need to use, but hello to all of our New Zealand listeners. There are a ton for Azure Kubernetes Service, but I'm not going to go through them, because I'm not the right person to talk to about those things. Okay, there is a private preview... well, actually, by the time you're listening to this I believe the change has already been made, but Azure Automation is revising its service and subscription limits. The revised limits are now: the maximum number of Azure Automation accounts in a subscription is 10 for Enterprise and CSP subscriptions, only 2 for pay-as-you-go, sponsored, MSDN, NPM and Azure Pass subscriptions, and just one for free trial, Azure for Students and Azure in Open subscriptions. I don't know what that is. That last one can only create one automation account per region per subscription, in only six allowed regions. Highly specific. There must have been some issue with scaling or abuse, that feels like to me.
And then if they lock that down, then yes. I don't know what the previous limit was; I've only got the current limit. Yeah.
Okay, so maximum number of concurrent running jobs at the same instance of time per Automation account: concurrent running jobs are now 50 for Enterprise and CSP subscriptions, 10 for pay-as-you-go, sponsored, MSDN, NPM and Azure Pass subscriptions, and 5 for free trial, Azure for Students and Azure in Open subscriptions. Now, it does say on here that your current usage will be honoured if it's more than the revised limits. For example, if your current usage is 12 automation accounts and the new limit is 10 for you, you could still continue to use all 12 accounts; to create more accounts you'll have to request a quota increase. So it does also seem like these are the default limits, but in that same sentence it does say that you could request a quota increase. So just a heads-up if you're using Automation accounts at scale and you're running your non-production workloads on your MSDN and NPM accounts. Just a heads-up, people listening. Anyway, I won't say anything more. Is there anything else here? And I'm going to say the same thing as you: there are tons and tons of Azure-related updates every month. I don't cover them all, because I only cover the things that I find exciting. But do check the Microsoft Azure update log, because there is a lot of really good information there. You can filter it by different products depending on what you're using, so you can keep up to date with what's changing in your environment. There is a public preview for Azure Database for MySQL bindings in Azure Functions. I don't know if MySQL is the biggest, I don't have those stats off the top of my head, but MySQL is a very, very popular database management system, and Microsoft has a first-party hosted and managed version of it that you can run, called Azure Database for MySQL, and there are now first-party bindings for Azure Functions.
So yeah, if you do have an application, or an infrastructure, that's backed with MySQL and you want to start using Azure Functions, you can use input and output bindings directly within the functions now, which is very, very helpful.
MySQL's second on the list. Okay, what's the top? Is it Postgres or... no, wait, is SQLite on that list, even though it's not a hosted one? Third is Microsoft SQL Server. Okay, first is Oracle.
Interesting. Okay, shout out to all the Oracle devs that listen to this podcast, as of June 24th. Okay, that is all I've got for Azure and again, there is more there, so please do go and check. I'm also going to cover Defender for Cloud. One of the biggest updates that we've had is an adjustment to the scan interval timings. It's interesting that I'd never seen the details of scan intervals previously, but an update's been published which extends the scan intervals. So intervals which were set between one and three hours will be updated to four hours. Intervals set to five hours will be updated to six. Intervals set between seven and 11 hours will be updated to 12, and intervals of 13 hours or more will be updated to 24 hours. So they're slowing down those scanning intervals.
Yeah. So I think on the connectors, if I remember, you could specify in hours how often. I'm guessing some people will set it to one-hour scans or something.
Yeah, and there is obviously, I don't know, with a lot of the security tooling that Microsoft has, sometimes it can be, I'll call it different, the way that it works in terms of timers and intervals. It's not like local on-prem, immediate. Does that make sense? A lot of it is time-based. When you're setting up Defender for Cloud, you want that information to drop the first time relatively quickly, don't you, to get some visibility. But then when it's actually checking over time, a change from three to four hours, or 13 hours to 24 hours, I don't think is going to be a massive issue there. Cloud connectors associated with AWS, GCP, JFrog and Docker Hub have also been revised. You can now set the scan interval to 4, 6, 12 or 24 hours. The default scan interval for new connectors will continue to be 12 hours. Is that what you were referring to, the one hour, being able to drop it down? Basically, yeah.
So yeah. So they've changed the interface to match those numbers, and then basically they're rejigging the currently configured ones to match those new values. Don't worry, everybody, you don't have to update that; we'll do that on your behalf, basically. Okay. Defender for Cloud security posture management: CSPM's sensitivity scanning capabilities now include Azure file shares, in GA, in addition to blob containers. That's quite good.
Yeah, because there's a lot of usage of Azure Files out there. Apparently the setup experience has been revised as well, but I don't have... there's a new guided setup experience for your cloud environment, so that'd be interesting to try. And I think that's it from me on Defender for Cloud. Let me just see. No, I think that's it for me on Defender for Cloud.
Okay, cool. I mean, we did have Ignite in November, didn't we? So there's not going to be huge amounts coming out. To be fair, there's quite a few on that list between us. Oh yeah, we're at 36 minutes. And it was December, which is, let's call it a half month. So yeah, fair play. As always, those teams are keeping their products up to date and in turn giving us stuff to talk about.
Yeah, no, that's cool. Okay, what's the next episode then, Sam? Yeah, it's my episode. Next time I'm going to cover Defender for APIs, which is a workload within Defender for Cloud. So, yeah, I think we've done other Defender for Cloud type episodes; I believe we have jumped into some of the workloads, so we're going to continue on with that with Defender for APIs. Yeah, cool. I think it's definitely an interesting one to look at.
Yeah, because of the sensitivity and complexity of APIs, it's interesting how they've approached that workload, I would say. And its integration with a data security lens on it as well, isn't it? Yeah, exactly. It's not just the schema and access control methodologies, it's also data as well.
Cool. So did you enjoy this episode? If so, please do consider leaving us a review on Apple, Spotify or YouTube. This really helps us to reach more people like yourselves. If you have any specific feedback or suggestions for our episodes, we have a link in our show notes to get in contact with us. And if you've made it this far, thanks ever so much for listening and we'll catch you on the next one. Yep. See you later. Bye.