
Episode 335 – The vagaries of Office 365 licensing

May 25, 2023, 40 min

Episode description

In Episode 335, Ben and Scott discuss some of the trials and tribulations of Office 365 and Microsoft 365 licensing. Specifically, some intricacies around Microsoft Defender for Office 365. Like what you hear and want to support the show? Check out our membership options.

Show Notes

Vague documentation on licensing #12003
Manage who can create Microsoft 365 Groups
Get started using Attack simulation training
Microsoft Defender for Office 365 service description - Licensing terms
Retiring the AWS Documentation on GitHub
Preview: Automatic Scaling for App Service Web Apps
Testing reachability of Azure Load Balancer frontend IPv4 address with ping

Video: https://youtu.be/oOqXXVX-1Z4

About the sponsors

Intelligink utilizes their skill and passion for the Microsoft cloud to empower their customers with the freedom to focus on their core business. They partner with them to implement and administer their cloud technology deployments and solutions. Visit Intelligink.com for more info.

Transcript

Welcome to episode 335 of the Microsoft Cloud IT Pro podcast recorded live on May 19th, 2023. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users where we discuss the topic of recent news and how it relates to you. Today's episode starts off with everyone's favorite topic, licensing, specifically around Microsoft Defender for Office 365 as it relates to attack simulation. After that, Scott takes us through some recent updates to Azure App Services and Azure Load Balancers.

Here we are, another Friday. All that is standing between me and vacation is this podcast and packing. All right, well let's get you moving then. All right. Well technically I'm not leaving till Sunday morning. Tomorrow's packing. Oh, and I have to make jerky. I need to make some beef jerky before we leave. We gotta get you on that as well. So why don't we go ahead and open with your favorite topic. Licensing. Licensing is absolutely my favorite topic. Something like that.

Okay, so I have a licensing topic for you here, Scott. We have done some podcasts on this before, so I don't, it was a long time ago, but I have gone back and referenced this episode several times before where we talk about certain, it's tenant level services, right? Services where you essentially get one license in your tenant and it lights it up tenant wide. So there is nothing from a technical standpoint forcing you to purchase certain licenses.

But according to the terms of service and what those say you're supposed to license a certain number of users, and this can drastically vary from we're gonna license one user or we're gonna license only users that use this feature. Or in some cases we're gonna license a whole bunch of people.

And one of these I can think about is, there's one I can think about and then one we're gonna talk about today that I encountered is Azure Active Directory and having the ability to block group creation, Microsoft 365 group creation or Teams creation, where at least the last time I went and looked at all this licensing, Microsoft states that in order to prevent people from creating teams and groups, it is Azure Active Directory Premium.

But you only need to license A, the people that are actually configuring the setting in Azure Active Directory, it's PowerShell configuration, and B, the people that are going to be creating groups and teams. Mm-hmm. So you don't have to license everybody, you only have to license, maybe it's a handful of people, 10 people, however many people are actually using, I would say using it but not using it. Cuz everybody that you blocked doesn't have to be licensed. So gambling,

they're using it or they're not using it. Yeah. Still that way today. So it's weird. Licensing is just the ad. Like in the case of the AAD group creation, it's basically the admin who messes with the settings. And if you have multiple admins who play with those settings, you gotta license multiple admins.

And then the members of the groups who are eligible to create groups, which is a little bit of a weird restriction, like if you like at the end of the day, like wouldn't you just want to open it up and make it really easy for people to create groups? Cuz more groups means more proliferation means more data stored means more we can charge, but I don't know, it's a Microsoft licensing. It is.

So I ran across another one of these that I had a question about and ended up opening up a discussion about this as an issue on GitHub on the docs. So this particular doc is getting started using attack simulation and this came up, a customer came to me and said, we wanna use attack simulation. But the light, the documentation is unclear. I mean imagine that, right? Documentation not being quite said. We saw that coming.

Yeah. And it says in an organization with Microsoft Defender for Office 365 Plan 2, add-on or included, you can use attack simulation training in the Microsoft 365 Defender portal to run attack scenarios. And then it goes on to say all of that. And then what do you need to know before you begin: attack simulation training requires said licensing, and then it has a link to licensing terms, which is actually new. I think they maybe added this since I looked at it because I opened an issue on

this. Look at that. Actioning your feedback in real time. Yeah. Maybe. So it was a question of, okay, so who actually has to be licensed for attack simulation? Is it every single mailbox? Does it include, like I have an Exchange Online Plan 1 license, a user just has a mailbox, I pay what, five bucks a month for it?

Do they actually have to be licensed for Defender for Office Plan 2 in order to be the recipient of a phishing email in this attack simulation training to see if they click on a phishing email? To me, it seems kind of silly. Now I'm paying five bucks for the license and Microsoft Defender for Office 365 Plan 2 is also five bucks. So now I have to pay an extra five bucks just to be able to see if my users click on a phish link. Mm-hmm.

To me this feels like one where it's, I have users that are going in and looking at reports, they're setting up attack simulation, they're using the attack simulation configuration testing interface. And I was like, this seems a little bit vague in terms of what do I need to do and how does this have to be licensed. I asked around, somebody who's like, just go open an issue on DIS or on docs.com.

So if you ever run into one of these licensing questions, be warned, you may not like the answer, but go scroll all the way down to the bottom and you can submit feedback for this page and essentially open an issue on GitHub. And that's what I did. So I went and opened this issue on GitHub and said, okay, this seems unclear who has to be licensed for this particular feature. And it ended up with some back and forth in terms of

who it actually has to be. And one person was like, what it boiled down to, we'll boil it down, we'll get to the point, boil it down. They were like, well Defender Plan 2 is a tenant wide feature that benefits every mailbox. So every user is gonna have to have this regardless of if they're setting it up, if they're receiving emails, all of that. Okay, great, sounds good. I don't like it, I can live with it.

I get their point because Defender for play, Defender for Office 365 Plan 2 does include additional security features that you're gonna be taking advantage of. It's not just attack simulation. However, then someone pointed me to the service description for the product. Which is really where you should have started.

You should have started in the terms of I should have serviced, like I think everybody forgets the service descriptions are here, but like they're generally the place that you should go start anyway. They're the most confusing part of the whole thing cuz it is really hard to rationalize what you buy like across all these individual plans plus either an M365 or an O365 SKU,

all the various things that exist out there. Like, ooh, I'm a Microsoft 365 Business Premium customer, so what type of add-on license does that come with? Or what type of add-on license do I need to buy? Good luck figuring it out. But it theoretically is possible through the service descriptions. Yes. So this is, and you have already posted this in the Discord chat, but there are four bullet points. The only ones I really cared about were two: all Exchange Online users in the tenant.

This is because Plan 2 features and capabilities protect all users in the tenant, well and good. The second one, Scott, all shared mailboxes in the tenant. And this one caused me to go back to my GitHub issue where somebody said license all users, and said all users and shared mailboxes. And this created additional discussion because someone was like, no, shared mailboxes are included with user licenses, you shouldn't have to license it. And I said, not what the service description says.

This says I need to actually pay $5 per month for every single shared mailbox as well. And the response was, oh I'm checking. And they came back and said the service description is correct. So in this, this one irritates me. I'll be honest, the licensing of this irritates me because up until now, every time I've seen stuff around shared mailboxes is shared mailboxes are free, they're shared by licensed users. You have to have an Exchange Online mailbox to even access a shared mailbox.

It's not like I could be licensed for just SharePoint. Mm-hmm, and somehow leverage the shared mailbox. I am licensed, I have an Exchange Online plan, Defender Plan 2 license in this case. Let's assume that. So I'm accessing a shared mailbox, but now I also have to go in and license a shared mailbox and count all of my shared mailboxes that get created and license those as well. According to the service description.

And I haven't gone back to this thread, I need to, but does this now mean I also have to buy a Defender for Office 365 Plan 2 license for every Microsoft 365 group and every team that I create too, because those also technically have shared mailboxes under the covers. Yeah, it's a weird, an email can be question. Question, but it'd be good to like clarify with everybody there. So who you're going back and forth with on the GitHub thread is one of the

technical writers for the security docs. So I would consider them, I guess, to be about as authoritative a resource as you're gonna get. And then especially once the doc updates land, like that'll be your answer, might not be the answer you wanna get though. Again, like be wary opening these because sometimes ignorance is very much bliss in terms of I don't need to license shared mailboxes for Defender Plan 2.

Again this one's just weird because you can technically, a shared mailbox shows up as an unlicensed user in Office 365. So now do I like need to go in and actually assign these licenses to shared mailboxes so I know I have license parity. Is it enough that I just have like 50 of these sitting there unassigned because I have 50 shared mailboxes? It's the whole fact that that bullet point is in there. And licensing shared mailboxes for this Defender for Office 365

Plan 2 just kind of boggles me a little bit. It's a weird one. I don't, I don't know, like if I was managing a tenancy, I wouldn't wanna have the licenses hanging out like you know, you have that pool of extra licenses there. Yep. I think you'd want to have 'em assigned to the mailboxes. If anything, just to have your life easier. So it's not in a spreadsheet somewhere,

but what a royal pain. It's, it's... So we were kind of talking before we hopped on, I can't think of any other instances off the top of my head where you have to license a shared mailbox. Like you said, like it's kind of unprecedented. I can't think of any place else in the platforms that forces you down that path and, and many organizations create lots of shared mailboxes because for better or worse, like you said, they're a component and a byproduct of having individual user licenses.

Right. And the other part where this got confusing, and I think I mentioned this in the thread and I don't know that I actually got a straight answer, is Microsoft also allows you to convert user mailboxes to shared mailboxes. We're gonna get into some really weird licensing for a period of time.

You cannot do this for archival purposes, but you can do this for a period of time so that once a user leaves you can essentially reclaim your full user license and then have that shared mailbox around for a little bit because maybe a manager needs to go through the emails or maybe you want to have an out of office set for 30 days. This user is no longer with the company. You wanna monitor their mailbox, make sure nothing important is coming into it.

That type of scenario is supported, again, keep it around for a month, two months to monitor the mailbox. Now do I also have to have extra Defender Plan 2 licenses sitting around just to cover users that I'm deprovisioning for a few months, and I have to start managing how those licenses apply to essentially temporary shared mailboxes. It's completely baffling again how you'd even start to track this and keep track

of it. I think I'm gonna keep coming. I wanna see, and if anybody's listening on the Exchange team or license team and has any additional insight into this, let me know. Cuz again, I'm, this just seems weird to me. I can't remember running into a customer who had a true up around this. It doesn't mean it doesn't happen, but uh, yeah, who knows? I would also go with that. This is all technically according to what Microsoft says,

what you choose to do is up to you. I cannot tell you the number of tenants I've seen where I said, well technically I feel obligated to tell you this so that I have a clear conscience. But what you do is your prerogative. Yeah, technically I'm walking away right now. This is a you problem, not a me problem. Yeah. Been there, done that. We will end this discussion right here about how people license things in their tenant.

That could be a whole nother discussion because I have brought that up before and they have said, well so and such and such a company told me to do it this way. And I'm like, oh really? Such and such a company should know better considering the number of licenses such and such a company sells of Office 365. Yes. Did you get that in writing and did you have your lawyers stamp it? Yes. They'd seen that one before as well. Yeah.

Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity? Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft Cloud environment because that's their expertise.

Intelligink keeps up with the latest updates in the Microsoft Cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft Cloud technology, visit them at intelligink.com/podcast.

That's I N T E L L I G I N K dot com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember Intelligink focuses on the Microsoft cloud so you can focus on your business. So this has been kind of a side investigative, investigatory journey for me over this last week is trying to get to the bottom

of this for a client. Now technically, I don't really wanna go back to the client and say, uh, sorry, you're gonna have to license a whole lot more than you thought you were because they do have some shared mailboxes. So it's, yeah, this is an odd one, Scott. I don't. All right, I'll see if I can transition you into some happier stuff. All right, I'm gonna take a very roundabout way to get there.

So because we're on the topic of Microsoft Documentation as you called out, Microsoft Docs are, the vast majority of them are hosted in GitHub and because they're in GitHub, you can do things like, you can go open a GitHub issue, you can submit an edit to a document as somebody just externally, like maybe you see something that's wrong in your case you needed clarification.

Maybe you wanna say a better example of something, like you can do all that. AWS, I, I don't know how much you deal with AWS customers, if at all, but AWS has, I don't, also hosted its documentation on GitHub for quite a while now, like four or five years. It's not like it's a brand new thing where AWS said like, oh, we're gonna put product documentation on GitHub and then publish it through to align with the, the broader AWS service stack and doc set that exists over there.

So a couple days ago AWS announced that they're retiring all of their documentation in GitHub. Like it's too much for the service teams to keep up with. They manage 262 repos. Basically every feature that has docs for it also lived in GitHub. Tons of overhead to maintain and they didn't necessarily see the ROI in having customers be able to do things like open specific issues like with their own language or submit improvements, anything like that.

I'm a big fan of the Microsoft doc system, like it's truly empowering to me, like as uh, somebody who works in Azure, like it's easier for me to write my docs and work with my content teams to get them out there. I think it's helpful for customers. Like it definitely gives us an idea of the health and validity of our documentation. I was wondering like, would you be burned if Microsoft got rid of its documentation on GitHub?

Like do you find that it's more of a headache or do you like having the ability to go in there and make edits and open these issues and get these answers this way? So from an end user perspective, I like it. I have contributed a few and open some issues and fix some documentation or kind of this standpoint here that we just talked about where I can go in and create an issue and actually have visibility into it.

Where if it was just a button where it's like submit feedback on documentation and an email goes off into a black hole, there's no real way to know if anybody's looking at it, to know if anything's been fixed. So from an end user perspective, I absolutely love having it in GitHub. Sean in Discord also said he thought moving the docs to GitHub was a huge improvement for documentation. I'm a big fan of it, however, I do also, I could see your point and see Amazon's point of that.

It wasn't my point, it was, it was, it was Amazon's point. I thought it was really interesting. Like Amazon points, I, I mean other hyperscalers like, I mean I work for one of the three big hyperscalers, right? Like we all face a lot of the same kinds of issues. Yep. And I try and keep track of what they're doing and like this was one of those ones that kind of came outta left field that was like, oh really? I like AWS documentation for the most part.

Like it tells me the things I need to know the, a lot of the time it is very vague and kind of like doesn't guide you in the right way you would want to for things like, it's not overly prescriptive, but I guess that's okay if you're doing cloud and you've just got building blocks and things like that. But I was trying to imagine in my head like, what if I did, like, would I ever advocate for getting rid of GitHub at Microsoft? Like I, I can't,

right? Like I really like the system and how it comes together. Like I get there's overhead there, there's certainly friction. But you, for me, like the ROI is worth it, right? Like I, I'm, I'm actually really happy, like when a customer can open an issue and can get an answer to, to their question along the way or they can drive an improvement in

the platform. Like I, I go back and forth with customers on GitHub all the time about AzCopy and our SDKs and the way they perform and you know, sometimes it's harsh feedback, but I'd rather have the feedback than not have it. Right. Well I was trying to think. So the only reason I can see where this could become a struggle for somebody like AWS or somebody like Microsoft, I mean I was looking through, I don't know that there's a way to see this in GitHub.

Maybe there is. It's just under like the Microsoft 365 docs, that particular section of the Microsoft Docs repo. I mean you have how many thousands of issues, there have been 5,400 closed. There's currently 433 open issues. Like me as an end user opening an issue or two or three is not a big deal.

But somebody like Microsoft or Amazon that is managing, I don't know if there's hundreds of thousands or tens of thousands of markdown files and getting who knows how many issues a day or different commits, forks, pushes, pulls, all of those that they have to manage.

I can't imagine that opening this up to the community does offer an added amount or an added quantity of management to just be able to keep track of everything, respond to stuff, verify that pull requests that people have issued are in fact valid updates to the documentation. I would imagine there's a lot of work to maintain this as well. Oh, so again, I like it. I don't.

I don't discount that. Like I think the ROI is there though, you know, at least for, for me, like I said, I I, I see a ton of it. So I thought it was a fun decision that a competitor made. Yeah. So what are they doing? I haven't read the article. You posted it and I haven't looked at it. Is it just gonna be like a closed source website? Did they say what they're doing instead? Kind of like we do in Microsoft Docs, like we have like a thumbs up,

thumbs down, but it just ties into GitHub metrics. They'll do the same thing. They'll continue to have a thumbs up, thumbs down and then monitor those. So I guess if they get enough thumbs down on the CloudFormation template, blah blah, blah sample doc, they'll go ahead and potentially revamp it. I don't know. We'll see. Voter resource [inaudible] I mean when I hear this too, it also makes me wonder from a, the perspective of GitHub is Microsoft.

Like is there some component of that? Well, not publicly admitted in that article that makes them want to pull their documentation out of GitHub. Maybe. Uh, I don't know. Who knows? But um, it's just me speculating. Just another interesting one. All right, so we got a little bit of time left. Why don't we talk about, okay, some uh, fun things that are coming up and have been recently released in Azure land. So we're in like the build up to Build, let's see, we're recording on Friday,

May 19. Build is next week. So, uh, theoretically by the time folks hear this next week Build will have already been out with a few days of sessions, like maybe we can come back with a session catalog and things like that. But there have been some improvements that have been announced pre-Build. One of the kind of fun ones that I wanted to talk about, cause I've done a little bit of this in the past with customers, is scaling web applications and using

the scale components that are inside Azure App Service. I don't know, how much do you play around with Azure App Service and App Service plans and some of the kind of Linux, Windows compute that's available behind App Service plans? I have deployed websites for customers with this. Yeah, a little bit. This is not something I dive into a ton. I was looking at one the other day with a customer that scaled up and didn't scale back down. I think it was related to Azure Functions. So, uh,

a little bit but not a ton. Gotcha. So App Service on the whole is a PaaS service for deploying web applications. Be they .NET based, Java based, Python, like they can run on the Windows stack, Linux stack, whatever it is. So think like it's a pool of managed compute that then you can come in and it exposes standard like TCP, you know, HTTP port 80, uh, HTTPS port 443, things like that out to the world.

And cause it's pooled compute, you can do things like you can scale it horizontally, like there's elastic scale horizontally where you can scale out and scale in based on the demands that are put on the system. So traditionally the way that has worked is you can say like I don't want to scale, I wanna do things manually like oh I see the service is overwhelmed. I'm gonna come in and I'm gonna crank the slider from one instance to three

instances or three instances to five instances. You know, like whatever number up to like the max of your pool and then maybe you'd drag it back down later. The second option you had was auto scale. So auto scale was, it brought a couple different things so you could do scheduled scaling. So you could say like, hey I know based on seasonality of traffic to my website every Monday at 9:00 AM I need three instances of you know, this web application.

Like maybe it's for your finance team to enter all the orders from last week and then Monday afternoon end of day it spins down to less instances and you don't need it anymore. Or you could have done rule-based scaling which brought in components around like CPU usage across your compute instances, memory usage, all those good kinds of things. There's some downsides to both manual and auto scale though, and I think this is where like this new automatic scaling option is kind of pretty cool.

And those are around things like having pre-warmed pools or pre-warmed instances, cuz think about like you know in maybe like think VMSS. So when you move that slider in VMSS, you have to wait for that VM to boot in the background. You have to wait for it to be bootstrapped, you gotta wait for your code to be deployed on it, blah blah blah. Like that stuff takes time, right?

It's not unheard of to see like a scaling operation that can take like five minutes plus like, and sometimes on the order of like tens of minutes, like 20, 30 minutes if you're doing like really big beefy VMs depending on what you have going on. So automatic scaling is a new option and basically you come in and you turn it on and you say I wanna do automatic scaling and that's it. You don't worry about things like rule-based scaling anymore.

Like you don't have to configure a specific resource metrics, say like CPU consumption on your instances or anything like that. Like in fact you don't have the ability to do that. Like once service degradation starts occurring, the system is automatically going to scale for you and you can scale into not only unwarmed instances, but you can also scale into pre-warmed instances. So you can kind of do this thing where you can say like, okay, maybe you run like a small website.

So I always want to have one instance of that website running like, and I never want to go below one or I never want to go below two, like whatever the number is. But you always have to have at least one running. So let's say like I've got two of them running, I always wanna run two but I only ever want to run a maximum of 10. So you've just got a slider in there now where you set your maximum burst and you go to 10 instances.

You can also configure the number of instances that are kind of always ready or pre-warmed for you. So I could say like, okay, ten's extreme for me, like that's a lot of seasonality. So going from like two to 10, uh, like I don't need everything to be pre-warmed, but what you could do is you could say like, hey I always want uh, three instances pre-warmed. So when I scale from two to five, I'm ready to go.

Like I just go into basically VMs that are already on and all I have to do is deploy my code on them and then I'm up and running in a much quicker fashion. It's a little bit of like a closed box, like you can't see into it as to like what the dimensions or resource metrics that the App Service team has chosen to scale on. Like it looks like it's a couple different things. Like it's just HTTP scale. So think like maybe like a number of transactions,

number of TCP connections coming into your website. I imagine it's CPU, memory consumption, uh, a bunch of other things that come into play with it. But I like that it's just like it's a checkbox, automatic scale, and you move two sliders and you're just kind of done with it. Like you don't have to worry about it as long as whatever engine in the background is actually driving scale in the right way.

Like this would be like one of the closest to like set it and forget it kind of scale out services that you potentially have today in web app plan, at least app service and and all the things that come along with app service plans and that underlying compute engine. So I thought that was a really cool nifty one to see.

Yeah, so with automatic scaling, like you have the always ready, the pre-warmed instances, in your scenario where you said you want three, you start with two, you scale to five, does it like spin up or prewarm three more instances now. So you're running five, you have three pre-warmed, assuming your maximum scale limit supports that so that if you have to scale from two to five to eight, you have those pre-warmed ones there. Does it kinda always keep that pre-warmed buffer in front of it? It

does. Yeah. So the way pre-warm works is as you slide the scale. So let's take that example of min two, max ten, three pre-warmed. So I start at two and I want to scale up by three instances and it decides to automatically scale me by three. I'm gonna go into the pre-warmed instances now, like you would be left without another three to scale into, but what it does is it'll spin up the next three and create another buffer for you of pre-warmed instances.

And it just kind of continues shifting that buffer over until you hit whatever the maximum scale out limit is. So like whatever you set as maximum burst, if I set 10, I can't exceed 10 instances and have that out there and be charged for it. Got it. And it does look like this is only websites cuz you know I've used some of the auto-scaling for Functions and it says that this is only in the App Service plan. Uh, you cannot have Azure App Service, web app,

you can only have Azure app service web apps. Yes. And the app service plan where you wish to enable automatic scaling functions, this is gonna be disabled. They recommend Azure functions premium plan instead. Still wouldn't surprise me that if maybe some point in time it came, they probably start with app service and maybe it'll become available for something like functions down the road. I imagine in the future. So, so I, I, I mean functions use like app service plans in the background anyway.

So one would have to think so yep. Like this is probably a good opportunity to like put it out there in preview, vet it, see how it works, dial in what I imagine is probably some kind of like ML model that's looking at things like resource health. It's likely looking at other dimensions.

Like they're very, like I said it's, it's a little bit of like a black box, like it's kind of closed off the, the way it works, but I imagine they're looking at other dimensions that they have access to, or maybe that are driven through like App Insights or attached to whatever application you've deployed. Like cuz if it's looking at HTTP traffic, that's a little bit different than looking at, you know, straight CPU consumption, memory consumption, things like that.

Right. Interesting. Very cool. I am not adding this to my list Scott, my growing list. This is not something that I do enough with that it's on my list yet. This is in the back of my head for if a client ever asks about it. All right. So real quick, I got a couple other ones for you in the kind of MM application, the web application space I guess or applications that are surfaced over tcp. Okay. So I don't know how much folks really do this anymore.

I find myself doing it less and less. But if you ever run into Azure, like you go to ping something and you can't ping it because ICMP echoes are blocked and black-holed more and more. Yes. Or if they're not blocked at the VM level, they're often blocked within a service like Load Balancer. So Azure Load Balancer, SLB, like Standard Load Balancer, now lets you go ahead and do pings against the frontend IPv4 address if that's a need that you have.

So say you had something monitoring the health of the load balancer and for whatever reason that maybe wasn't based on an HTTP probe or, you know, a specific HTTP response from a webpage or something like that. It was just looking and you just wanted to do a straight ICMP echo, like, hey, you can do that now and turn it on. Which is kind of good. So it's there automatically; it's just, it does require Standard Load Balancers, so you can't do it with Basic or

anything like that. But uh, you know, if you're a customer who wants to go down that path, you can now just configure an NSG rule, if that's a restriction that you have on your side, to make sure that the traffic flows, and then you can go ahead and ping the SLB. So this is still disabled by default. You have to actually configure an NSG to enable the pings to be allowed. Uh. Yes. Well, so you don't have to configure the load balancer for pings.

You still have to open up the VMs behind the load balancer to ICMP echoes. So really what I'm saying is adjust NSGs, like you're adjusting the inbound NSGs, which are gonna be there by default. Like if you haven't messed with anything in a default VM deployment, you're gonna open up for those ping requests to come through, and then you can actually use the responses from your ping to

figure out backend health. So if you get something like "destination host unreachable", that means every backend instance was probed down by the load balancer. So the load balancer's still up and it's still trying to send out probes to the VMs that sit behind the SLB, but they're all down.

If all the backend instances are off, you're gonna see unresponsive, "request timed out". If at least one instance is up, you just get successful replies, and if you get an unresponsive "request timed out", no backend instances are behind the load balancer or there's just no SLB

routing rules in place. And I think that's a nice little add. Like I said, it depends really, I guess, on kind of your ecosystem and what you're using in front of SLB to determine additional health of whatever that SLB is hosting out and has in place. Got it. I was just looking through the documentation. Yeah,

this is pretty straightforward in terms of being able to test it. Okay, I've never looked at this. I have never looked at denial-of-service attacks much in terms of actually performing one, because I like not being in trouble. Could this potentially be used for denial of service, though?

So if you are gonna turn this on, is Microsoft gonna put some sort of protection in place, or is this on you of, hey, you went in and configured these NSGs to allow pings to your backend servers behind your load balancer, you better be careful that this doesn't create some issue due to some crazy high number of pings? You probably should make sure... I'll put a link in the chat for everybody.

So there's kind of rules of engagement for doing penetration testing on Azure, and you can kind of figure out, you know, based on what's out there, like some things are just allowed, but you should either give Microsoft a heads up or do them sparingly. Like, uh, fuzz testing your endpoints is allowed, you're allowed to do port scans.

You're absolutely allowed to do tests for like OWASP vulnerabilities, if you're gonna do the OWASP Top 10, because, I don't know, you turned on Web Application Firewall inside of your Front Door instance or your web application gateway and you just wanna make sure that, hey, it's actually doing the security stuff that it's supposed to, whatever that is,

uh, you're allowed to do that. Every customer is also protected by, uh, DDoS Basic. I forget all the flavors of DDoS that are available in Azure, but by default every customer gets some level of DDoS protection. So it's not like you're going to, I think, threaten or take anybody else down by doing this, but be reasonable.

Right? So know what's going on, but there are still gonna be some protections in place by default from Microsoft against somebody taking you completely down due to, yeah, opening up pings. Yep. Yeah, if somebody can take you down just by you opening up pings, you likely have some other issues. Fair enough. I've got a story. We don't have time today. Remind me, Scott, record a future podcast. We can talk about some... yeah, we can talk about a recent incident that I'm aware of and

some security stuff around that too. All right, well we'll close out with that teaser then and we can come back next week with one. All right. Teaser for next week. We can talk about it. All right, well as always, thank you Ben. Thanks to those that joined us for the live show today. I hope everyone has a good weekend. And for those that are attending Build next week, either virtually or in person, I hope that's a good show for everyone as well. Yes. Absolutely. Well thank you Scott.

Enjoy your weekend and we will indeed talk to you in a little bit. We'll talk to you after vacation. Thanks Ben. If you enjoyed the podcast, go leave us a five-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening and have a great day.