Welcome to episode 346 of the Microsoft Cloud IT Pro podcast recorded live on August 4th, 2023. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users where we discuss a topic or recent news and how it relates to you. Today, Ben and Scott discuss how some of the recent attacks on Microsoft 365 customers have led to Microsoft, in partnership with CISA, offering expanded cloud logging capabilities to all customers for no additional charge. Did you know, Scott, our breaking news of the day before we get into the topic, Microsoft is shutting down Cortana. Breaking news. Bet you didn't see that one coming. That's breaking news. I think we did. They announced it a while ago that it was gonna be shut down. Did they actually announce that it was gonna be shut down? A few months ago? Yeah, they basically said like, yeah, we're, we're out of this game and you know, it makes sense. I, I'm, I'm okay with it.
I am too. The other thing, so this came from 9to5Mac and ironically they said Apple should do the same with Siri. I'm not gonna lie, I am not okay with them shutting down Siri from a pure... sorry, I didn't understand. Hey Siri didn't understand that. From a, I'm sure I understand, from a pure AI perspective, like if you ask it to go find information about something or find questions about, find answers to something, all of that, I agree, it's horrible.
Most of the time it can't figure it out, but the amount of times I use it for like setting a timer or adding a reminder or setting an alarm or just like little mundane stuff, even sending a text message, that's what I tend to use it for. And I am not okay with losing that to be honest. Yeah. No, I don't think they need to shut it down. They do need to meaningfully improve it. Like Siri is no good compared to either
Google or Amazon. Yeah. Like it's, it's just not like even the timer thing, like it's taken Apple five years to get to the point where like, oh, in a keynote they can say like, Hey, we've got multiple timers now and and that's the place we wanna be and it's good. So no, it's not good and it's horrible and the rest of Siri as an ecosystem is straight trash and straight garbage.
Like they would actually be better served by going down the path of the meta prompt thing like copilots and everything else we were talking about last week. Like just shove your data in there, let a generative AI spit out a response to you and you'll be in a much better spot. So. Yeah, but we'll see. iOS 17 has, you know, some new functionality baked into it with regard to machine learning and language models. So just like ChatGPT,
the GPT part of it, like you're familiar with the acronym, right? I don't know that I've ever actually looked it up. I probably should. So.
It's a, it's a transformer model. Okay, so all that stuff that you heard about iOS 17 with regard to transformer models for things like local transformer models running for things like autocorrect, that is likely to be nothing but goodness. I'm only running the iOS beta on one device right now, so, oh, I don't, I don't know, I haven't been brave enough to get it on all of them yet, but you know, in general like that stuff should be a vast improvement over what
was there before. So, so we'll see. I'm, I'm not, I'm not opposed to like the, again like, like the AI models, ML models, all the transformers, things like that. As long as they work and they do generally what they're supposed to do and they provide value. Yeah. So somebody in the chat commented like, Hey Siri, how can we destroy AI?
The first way to destroy AI is to stop calling it AI and start calling it ML, which is what all this stuff actually is and that's why we ended up in a world where we talk about like AI slash ML because everybody forgot what the difference between them is, but whatever. Yeah, exactly. So back, semantics. Yes, but back to the Cortana stuff. Siri's, I'm still not sure about that. See? Oh, she's yelling. She heard you. I'm not gonna say the name again. She wasn't sure about it.
August 2023, Cortana's gone from Windows as a standalone app. It still works in Teams and Outlook for now, but I don't know the last time I've used it in anything to be fair. So go use Bing search and Windows Copilot, they should have just called it Bing Copilot or Bing Chat Copilot or something. Anyways. Bing Chat's a different thing, right?
Bing Chat is the Copilot that's built into Bing and then you've got the thing over here with the thing over there and the marketing people point their hands and go that way. Yeah, it gets confusing pretty, pretty quick,
but I'm okay with it going away. Yeah, no issues there. Like uh, I'll continue to use Bing Chat and Windows Copilot and all that stuff and I find for most of that, you know, when you're typing some of those things in, you tend to be a little bit more intentional than you are when you're just kind of rambling off. Like there's the whole set-a-timer thing and then there's, you know, tell me how many home runs Babe Ruth hit in year X, Y or Z.
You know, you can get a little off the rails sometimes in those. So I'd, I'd almost rather have the typing generative AI experience in that case. Yeah. Power Automate licensing models. So someone in Discord chat asked about what we think about the new Power Automate licensing model. Did I miss an announcement about this? I don't know, I, I didn't see this. Do we have a link to this? Must have. Nope. Types to Power Automate licensing models, standalone Power Automate. Oh look at this.
Oh yeah, RPA. How did I, so I see the RPA stuff, that's RPA stuff. There's the Power Automate pay as you go, which I like the Power Automate pay as you go. I think it's still more expensive than Logic Apps per user per flow. Is it just the RPA stuff that changed for the new licensing model where you license it like per bot it looks like, or premium? Well, whatever that Power Automate Premium sitting in the middle is, which includes cloud flows and desktop flows.
So DPA and RPA. All right but uh, yeah. We're gonna have to go look at this because I've not looked at this so I don't have a whole lot of feedback yet, but once I do we'll talk about it. Huh, interesting. I hadn't seen it or looked at that yet. Power Automate Premium, I mean 15 bucks a month for all your RPA stuff, is that... Oh, so it's in attended mode though. If you're gonna do RPA, it's a good deal. I don't know that I like attended mode because now I can't use my computer anymore.
What? You wanna be able to use that, come on. Yeah. But if you wanna get into it and test it out and prove out its value, it's a good way to get into it. Interesting. We'll go look at that and come back when we con to it so I could spin up a VM but I don't believe I'm still gonna end up talking about it.
I don't believe that if it's in attended mode you still have to be like logged into that VM the whole time is the big difference between attended and unattended and I suppose I could go spin up a VM, like create an RDP session to it and just leave the RDP session up all the time in the background. But I don't know, I've done some with that. We'll come back to that one. Do you wanna move on to a real topic? Yeah. So uh, before we started and hopped on, we were talking about some security stuff.
I think this is a good one to touch on for everybody given some of the recent disclosures, announcements, zero-days, CVEs, all that kind of stuff in the M365 space. So there was this weird announcement, well I guess maybe taking a step back, like there's been a bunch of attacks on Microsoft 365 over the years and customers have the ability to audit their environments but only automate their environments to the degree that they've licensed for audit capabilities.
So things like turning on your M365 audit log is all good. What if you need to retain that data for several years for regulatory compliance issue reasons, right? Uh, well I gotta spin up an extra thing. I potentially have to egress that data out. Does Microsoft give me an egress mechanism for that data? Where else can I store it? Is that place I store it secure?
So there's like all those kinds of issues and then in general there's just been the like hey, if I spin up an M365 tenant, what do I get access to with, you know, a bare bones E1 versus an E3 versus an E5? Do I need to go and pick up some of the security SKUs to get those additional monitoring capabilities? Even being able to like query the audit log in, in different ways. So it's generally been a mess.
Paying for additional security like that is a little bit weird if you think about it because you could go in at any time and do something like turn on the audit log and all your logs were already there, so Microsoft was already storing them, they already had them ready to go, they were available, you just weren't querying them. So they were kind of back to that thing we've talked about in the past. It's just cold data. Cold data is a lot cheaper to store than active and hot data.
So I'm sure that was part of the calculation. And then, you know, you came in, you said okay, I want the ability to query this particular data source and you'd start getting charged money for it. Most people didn't understand that complexity. I think licensing in general in Microsoft land has been difficult.
That hasn't changed as we've gone to M365, O365 and, and SaaS-based workloads and because licensing was difficult and you didn't understand what you got, some people just didn't know, or if you didn't know what was there but you couldn't justify the expense, you were potentially putting yourself into a place where you're just leaving holes open and you're kind of purposefully doing that.
With all these attacks that we've had in M365 over the years, there's been things like account takeovers, uh, phishing is still very prevalent. There's been zero-days for like token takeover and acquisition within Azure Active Directory slash Microsoft Entra ID, all those kinds of things. And you know, this becomes problematic for all these organizations that they don't know it
exists or they do know it exists and they don't wanna pay for it. And uh, the government kind of got involved in the US. So in, in the government, we, uh, in the US, US government, we have a, we have an organization called CISA. It's the Cybersecurity Infrastructure, uh, Cybersecurity and Infrastructure Security Agency. It's basically the United States Cyber Defense Agency. That's their remit and, and what CISA does.
So they've been around helping a bunch of government organizations when they get into situations where they may be affected by some of these CVEs, zero-days, things like that, remediate it, make sure they're all set up and ready to go. Sounds like they've been having conversations with Microsoft in the background like hey, you are purposely leaving your customers in a position where they don't have the ability to protect themselves to the degree they should.
And they had this really interesting announcement. So they came out and said CISA and Microsoft partnership expands access to logging capabilities broadly. I found it funny that I found this on CISA first, before Microsoft, like their announcement kind of came out first the way I saw it and it's basically an agreement between CISA and Microsoft where more customers in the O365, M365 SaaS space are going to have access to those expanded logging capabilities for no additional charge.
So everybody kind of gets the ability to have enhanced incident response. You get access to all those logging capabilities and, and everything that were there before. So sounds like CISA has been talking to somebody at Microsoft for a while and they're all kind of happy go lucky and ready to go. So I, I really consider this like nothing but good stuff. I get why Microsoft charged for access to logs, but just understanding like why they do it doesn't always make it the right thing to do.
So this feels more like hey this is the right thing to do given the current state of the world and how these workloads are positioned. Right? Although it doesn't give, so it's like they're increasing the standards but you're not getting all the way up to that premium level it sounds like.
So if you go dig through the Microsoft one, by default everyone gets this Microsoft Purview Audit Standard, which is included in like your E3s, your Business Premiums, essentially everything but the E5s, and previously retention periods for that were 90 days. Now it sounds like it's going up to 180 days with this new partnership and it's also granting you access to 30 other types of log data that was only available at the Audit Premium level,
but it doesn't sound like it's quite the full level that you still get with Premium. They're kind of expanding Standard but they're not mashing Standard and Premium together. You still have that option to go get an E5 license or go get like the compliance E5 that gives you Audit Premium, that'll give you access to even more stuff and it also increases that retention I believe up to a year of logs or even longer. And then I think you can actually pay to keep 'em up to 10 years.
So there are still two levels, there's still Standard, there's still Premium. It's just that there must be some key metrics or key data that was in that Standard, or wasn't in Standard that was in Premium, that they kind of agreed to open up now to that Standard level. And I like the longer data retention too, from 90 days to 180 days. I think that makes a big difference.
I was just on some calls too where we were talking through some of this and the other thing is, is some of these people will be in there for a long time. 90 days is not as much audit data as it sounds like. So going back 180 days is good. Going back 365 days is even better. Throwing all of this data into some sort of SIEM to be able to query it and go through all of it is the ideal.
But obviously as you go up it is still gonna cost more money. I think having access to more at the lower end, like it's a democratization thing. It's generally nothing but goodness there. Yeah. Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft Cloud environment because that's their expertise. Intelligink keeps up with the latest updates in the Microsoft cloud to help keep your business running smoothly and ahead of the curve.
Whether you are a small organization with just a few users up to an organization of several thousand employees, they want to partner with you to implement and administer your Microsoft Cloud technology. Visit them at intelligink.com/podcast. That's I-N-T-E-L-L-I-G-I-N-K.com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft cloud so you can focus on your
business. It was also interesting, this came out about the same time as all those reports around that stolen Microsoft security key that allowed some tokens to be forged and access to Office 365 email. Like all of this stuff kind of came out at the same time where maybe some of those places that were compromised couldn't get the log data they needed to and this kind of started raising some of these red flags maybe, I don't know. Yeah.
I, it's uh, you know, or just coincidental, camel's back, maybe. There have been any number of these over the years, uh, that have come out. Like I said, we've, we've had everything from generic phishing attacks to token acquisition and, and there's been some pretty gnarly ones like, like I remember the one, what was it, last year where you could just go ahead and like rename a UPN in your directory to anything you wanted and acquire the token for
another UPN in any other directory. Like, like bad, bad stuff. So I'm, I'm all about giving users access to it. I hope there's maybe a little bit more of a concerted effort to help folks understand like when they stand up a new tenancy that they do have access to these things for no additional cost and that they really should be standing them up and kind of integrating them into their operations across the stack.
Yeah, I'm still surprised how many people don't know about the audit log in Purview and I mean the amount of information you can grab out of that audit log. I will say the other thing I wish they would do is allow you to download more than 50,000 records out of the audit log at once.
That can be a bit painful for large organizations, but if you have not played with this audit log in Purview or gone and looked at this audit log in Purview, I think we've talked about it before, I know I've mentioned it before because I've used it for not just security incidents but for who moved my file, who deleted my file, where'd my email go, all of that type of stuff.
This audit log is something you should absolutely go look at and get familiar with and know the capabilities of it in terms of how much information you can pull when people start asking questions about things that happened in your tenant. Yep. All good stuff. I put a link in uh, in the chat and I'll put it in the show notes as well. They kind of refreshed some of the docs here to talk about that comparison of capabilities and audit log stuff.
So if you're looking for what you get in the expanded Standard versus the Premium audit stuff, I, I think that's a good place to start. It's a pretty succinct table that just kind of says, hey, if you're, so, like you said, retention kinds of things, being able to implement additional retention policies, what's available with export search, all those kinds of things, uh, it spells it out pretty well. Yeah, I lost my, I had a link too at one point in time for licensing,
but I don't know where it went. Appropriate audit premium licensing. This was at, this talks about Audit Standard versus Premium licensing too. We can throw this out there, but this is helpful knowing when you have Standard and it does give some information too about what you need to do if you want to go upgrade to Premium or get that Premium level. Okay. Scott, you just said every M365, O365 being an Azure subscriber by virtue of Azure AD, no, Entra, Entra, Entra, Entra. As
long as Entra continues to live in the Azure portal and continues to drive the identity stack for Azure, I don't see it any other way. I, I used to joke with customers about it all the time when I was doing consulting and training. Like I would go talk to a lot of organizations and they would go, oh, we're just an Office 365 shop and you go like no, where's your identity reside? It resides over in this Azure service that's not really an Azure service that kind of sort of is an Azure service.
So it's not really in Azure or is it? It is. I mean all the, all, all the infrastructure is, right? Like, like clearly things like RDFE outages, uh sorry, sorry, like Red Dog Front End, like the old infrastructure that AAD was, was built on top of and they've been transitioning away, like that is all 100% pure Azure cloud infra stuff. So yeah, congrats. You know, every Office 365 tenancy uh, also comes with a little bit of Azure.
It was just, did you spend money on it and, and do you do all those things? So I get where Microsoft wants to kind of disambiguate but they're so tightly coupled that it's hard to do. It's gonna be hard. I know I do it too. I give you a hard time but the amount of times I still say Azure AD, and it's still Azure Active Directory in the Azure portal if you go through it that
way. So if you do want to bypass the new Entra portal because you can't find anything there because you're not used to how it's all organized yet, if you go to portal.azure.com and then go find Azure AD you still get the old comfortable familiar happy normal Azure AD portal for the time being. So more news, are we gonna talk about the stolen security key at all? I feel like that one's been beaten to death the last couple weeks. Yeah.
You, you mentioned it so I'll, I'll put a link in the show notes to anybody that was, that, that's interested in kind of going back. Uh, it's our friends at Wiz again kind of talking about what the attack vector was for this one and, and it's effectively another kind of token takeover kind of thing. So Microsoft's aware, they've issued a kind of semi sort of patch for it. I think the patch that came out primarily affected like new AD applications, not existing ones.
So I don't know what the plan is to prevent similar things in existing AD applications from happening, but we'll see. Probably something for folks to stay on top of over the next couple weeks. Yeah, I would keep a look, take a look at it. My understanding of it is somehow like there was definitely a flaw and I know they patched this and I think this was cloud wide I guess across all the tenants. It had to be because it was MSAs, right? Well, that's what I
was gonna say. It was an MSA security key that was stolen that allowed them to forge a token that worked against Azure AD and they fixed that aspect of it where you can no longer use an MSA security key to forge an
Azure AD token. Our friends at Wiz, you're gonna get me going on this now, our friends at Wiz, they came out with an article about this that said, so Microsoft essentially said they stole this key, forged this token and were able to access email of, I dunno, like 25 different companies. And then Wiz came out I don't know a few weeks later and said, well yeah they could have used this token to do a lot more than just email and I
saw a whole bunch of articles about this of it was way worse than Microsoft is saying, they could have used this token to access all this other stuff, all the other Azure AD applications and I don't know, your thoughts Scott? I read it and I'm like, well yes they could have. The difference between what it seemed like to me Wiz was reporting on was that the potential was there for this token to access way more than just email.
Which absolutely, if you have a token for Azure AD, any app that is registered with Azure AD I would think you'd be able to access, but it seemed like what Microsoft was reporting on was going through a lot of the logs and what they actually saw was accessed, where Wiz says all this other stuff could have been accessed. Microsoft was saying yeah, but it wasn't, the only evidence we have is that it was email that was compromised.
So I was kind of reading a lot of the stuff from Wiz with a grain of salt in terms of yeah, I agree it could have been, but it doesn't appear that it was. The part that I'm still really curious about through all of this that actually concerns me more than anything was how were they able to steal this key in the first place that they used to forge the token. And that's what I haven't seen anything on, is how in the world did they even get access to this security key to begin with.
That is a little worrisome to me, is essentially could they do it again and could they actually still get one for Azure AD? So here, let me put a link in the chat for you. I don't, I don't know if you've seen this one yet. This is MSRC, so Microsoft Security Research Center. Basically they're the folks in our security org at Microsoft who respond to security incidents.
So I think they have a fairly comprehensive, as they tend to do, like if anybody's interested in like even past attacks like the MSRC blog has a lot of this stuff on it. They, they have a fairly comprehensive analysis of what happened.
Like you said, there's probably, and I'm, I'm gonna like couch that with like big air quotes, like probably a bunch of just FUD around this because for a security team or a security researcher to say like oh this is bad and here's all the things that could happen, like that's their job. Microsoft as the vendor also has access to the telemetry that can tell you like what actually happened, right, and has, has it been patched and is it ready to go?
So you've always gotta kind of weigh that piece out of like the fear, uncertainty and doubt from the folks who frankly did the research. Like they did the thing that identified it, they showed it, that's great, that like moves us all forward and gets us in a better posture but they also need to like sell their services and their consultings and things like that. So um, take it all with like a grain of salt and kind of do your own research kind
of thing. So for this particular attack, you know it was identified back in May it has been completely mitigated like you said all the stuff uh, that we kind of started down the path with CISA and everything, like all affected customers have been notified about the issue.
Like if they didn't know. So if you're sitting here and you're going like, oh like oh my gosh, I gotta worry about this, my tenant, like Microsoft would have told you about this and you would know like that's part of disclosure when these things happen it's never fun to do but it is like part of the job so right. It's like a legal requirement that they need to disclose this to the customers that were affected.
Yep. So like if you're sitting here and like you said you're listening and you're like oh uh, nobody's contacted me, then that means you have not been impacted. Like you're not popping in any of that telemetry or anything that shows what's going on there. I think in particular so, so the kind of attack vector that was found and the token forge and everything, like while they sealed that up, the kind of bad actor is still out there they always refer to like actors by code names.
So this is Storm-0558 which is a China-based threat actor and they were looking for a way to target customer emails and they 100% found a way to target customer emails with that forged token. I recommend everybody go read the blog post. The other thing that you can do, and I'm glad Microsoft is doing this and has been pushing this more as these things come out, is if you have custom applications that leverage the Microsoft identity stack.
So you use Entra ID, formerly Azure Active Directory, as an identity store, you allow MSAs to log into your account, you're doing Azure Active Directory B2C, things like that, B2B, all that kinda stuff.
If you're leveraging like Microsoft's identity libraries like SSO, all that stuff, like make sure you're updating that too because as these disclosures come and these things are fixed, quite often they're fixed in not only the underlying APIs and the service but that also bleeds back into changes in the SDKs that consume those APIs and thus your applications as well.
So I know from the stuff that like I do in, you know, like storage at Microsoft that I have a ton of customers who are running on just super old, super janky stuff or it was like an app that was built five years ago and it was deployed and pushed out and now it lives on like an IoT device that's never gonna be updated.
Like if you have the opportunity to update your applications and move them forward and do all that, like it's a good time to go look at your identity stack and those apps as well and make sure you're consuming kind of the latest APIs, latest SDKs and, and you're getting the the latest security fixes and all that stuff too.
So in addition to the MSRC thing, I will also include a link to some of the techniques that they found behind uh, that particular actor, that Storm-0558, and kind of like what they went into to, to get access to that. So that should answer like most of the questions.
If it doesn't, you'll likely see more out there just like as information filters out, like sometimes you gotta give the folks in security and MSRC like the opportunity to write the blog post because quite often like when these things are active, and I think we've talked about this before, right?
Like when there's an outage in Azure, M365, something like that, like I can allocate devs to either fixing the problem or to helping me review the blog post for what the problem was and what's going on. Like I want them fixing the problem. Yes. Basically 99% of the time, give it time. It's not like somebody's like, oh, trying to hide something and it's only gonna come out on a, on a Friday or blah blah blah kind of thing.
It's like it'll come once the due diligence is done and the analysis is ready. Yeah, this analysis is fascinating to read through. Just they cover a lot of stuff in this analysis from techniques for access to some of the tooling that they used even down to the actor infrastructure and all of the IP addresses that this particular threat actor used, when these IP addresses were first seen, when they were last seen, the VPN service company that they used to do it all.
There's a lot of stuff in this analysis that, again, this is helpful I would say not just to understand what happened but even from your own perspective to understand how some of these actors move through an environment, how they work, what some of their methods and techniques tend to be so that, well Microsoft does catch a lot of this stuff. I have absolutely seen customers that they themselves get compromised in Office
365. They notice that, they've hunt through the logs, but kind of knowing even what to look for in your own logs or what to watch out for if you have them ingested into a SIEM, what to maybe set alerts on in your SIEM around some of these logs in Office 365 so that you can catch anybody that maybe gets into your email, sends you a phishing email that someone happens to click on within your company,
that type of stuff. So absolutely go read that article, the analysis, help Microsoft or help you protect yourself from some of these actors as well. For sure. And hopefully like when you read through that, like it does calm down some of the, right, some of the FUD factor that comes along with it. Yes. People trying to get you to read their stories and sell their services. It is. Yep. I agree. Believe that.
There was another question in the live chat that they said we didn't have to answer live but we could. Although I have a meeting here in two minutes because... You do. This is my, it's time to go to the next thing. It's time to go to my next meeting. It is 4:30 on a Friday, Scott, and I still have two meetings left. You're generally doing it wrong like I usually do on Fridays, so good job. Thanks. I appreciate the congratulatory message
on doing it wrong. I don't know that I should be saying that. Alright, well go enjoy your weekend. Hopefully you did it right and you can quit for the day after this while I go work through my last couple meetings and, don't know, some of these meetings may also mean I end up working some this weekend. We are about to go find out. Yeah. Well try not to do too much. Speaking of security, we will see. All right, you too. And we'll get back to it again next week. Thanks Ben. Alright.
Thanks Scott. If you enjoyed the podcast, go leave us a five star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening and have a great day.