
Episode 380 – The future of AD FS is cloudy

Jul 18, 2024 · 42 min

Episode description

Welcome to Episode 380 of the Microsoft Cloud IT Pro Podcast. In this episode we discuss some of the latest security breaches that you should be on the lookout for, and then we get into AD FS migrations and whether you should consider one. Like what you hear and want to support the show? Check out our membership options.

Show Notes

- AT&T says criminals stole phone records of ‘nearly all’ customers in new data breach
- Largest password database leak exposes nearly 10M credentials
- Post-Breach Fixes: Snowflake Adds Mandatory MFA
- What Is Identity Theft Insurance?
- Move to cloud authentication with the AD FS migration tool!
- Use AD FS application migration to move AD FS apps to Microsoft Entra ID
- Migrate from AD FS to Microsoft Entra ID for identity management
- https://setup.cloud.microsoft/
- Microsoft ordered employees in China to only use iPhones due to security threats

About the sponsors

Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!

Transcript

Welcome to episode 380 of the Microsoft IT Pro Podcast, recorded live on 07/12/2024. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss a topic or recent news and how it relates to you. With the recent news about the AT&T data breach, or data leak, we start off talking a bit about security and identity protection, and a recent security alert in Ben's Microsoft 365 tenant.

Then, staying along the lines of security, we discuss the recently released AD FS migration tool and some of our thoughts around migrating from AD FS to Microsoft Entra ID.

Wow. It's a Friday, Scott. It is... I'm running the right microphones for recording, I'm using the right camera, and if you're on AT&T, your data has been stolen. If you're on any United States carrier, your data has been stolen at some point. Heck, if you live in the US, actually, I think if you live anywhere in the world at this point, your data has been stolen. Yeah. I saw one the other day, it was, like, the largest credential dump is floating around, like, the dark web, and it's, like, billions of records. Have you had this issue? I've had this issue in Teams, then we'll go back to AT&T, where it just randomly switches to a different audio source while you're using Teams.

Is that what just happened? I don't know. Like, my speaker went from my ding to my speakers, which was weird. Got it. Anyways. Okay. So back to AT&T. Yeah. I can't remember if we talked about this, or I read this somewhere, where realistically you should operate on the assumption that your data has been stolen, versus trying to protect your data at this point in time. So there is another article this week. I'll pop a link in the chat and show notes for everybody. The largest password database leak was also this week. That was 9.948 million unique plaintext passwords. Wow. Released by the threat actor dubbed ObamaCare as part of the rockyou2024.txt file. Can't make that stuff up. So creative. It's wild.

This one, I don't know, did you see this AT&T one? Apparently it came from Snowflake. So I'm curious to see more too, if this was, like, AT&T creds that were compromised to get into Snowflake, kinda like, did they go through AT&T to get to Snowflake? Or was there a breach in Snowflake? Because there have been a bunch of stolen records that have come out of Snowflake. This article talked about... who was it, Ticketmaster, LendingTree and some others that have all had data stolen from Snowflake specifically. So it's, like, was there an issue at Snowflake? I don't know. It doesn't really say, but a hundred and ten million AT&T customers, and it was, like, not just their information, but who they texted and who they called. So it was records of who called who, who texted who. It didn't contain the time, date or the data of those, but still, being able to draw a bunch of connections between different people based on who they're calling and texting, this is not an insignificant breach. No. It's not.

So Snowflake had a breach over the summer. And, like, okay, I guess we're still in summer, so this summer. It's Snowflake, kinda, a breach. There were, like, a hundred plus customers that were potentially leaked out in that breach, and, if I'm remembering right, it was actually, like, an ex campaign that kinda brought it all to bear. But you'll be happy to know that as of this week, what are we, July 12? What is today? Today's July 12. So as of July eleventh, Snowflake has decided to enable and enforce MFA. Ironic that that came out the day before this did.

Yeah. The, you know, the hits just keep on coming. I think it's a good lesson that none of us are actually in control of a lot of the data about our lives once it gets out there. Like you said, you kinda think about ways to mitigate that and kinda work through it. So I don't know how it works outside the US, but typically with a lot of these breaches in the US, like... and I imagine this will happen in the case of AT&T, like, as a major provider with a hundred million plus customers.

Usually, they'll reach out and offer you some form of monitoring. So, like, for a credit card breach, that could come in the form of credit monitoring for things like your credit score, maybe through, like, TransUnion or Experian or some of the companies that monitor and watch that stuff. There could be other protections that are out there, like, I don't know. I've had, like, free Experian and TransUnion, whatever, premium monitoring for what feels like the past, like, 5 years, just because there's always another breach, and I just keep upping it for free. That makes sense.

I've done identity theft insurance. So I actually went and bought identity theft insurance for, like, the entire family, and it's relatively inexpensive. I wanna say I pay, like, 140 bucks a year or something. It's like 12 bucks a month. And they will monitor a bunch of that stuff as well, so that if I didn't actually have the free monitoring, which, I'm like you, I feel like I've had free forever. But then if there is a case where, like, me or one of the kids or my wife have our identity stolen, they also will help resolve it, take care of any issues, get identities back, all of that. And again, kinda operating on the assumption that it's out there. And if it happens, it's a relatively small price to pay, because everything I've heard is that if your identity does get stolen, it can be a nightmare to get everything untangled by yourself.

Yeah. So I've never done identity theft insurance. So last time I looked into it, and again, this could be US specific, the insurance was very, like, specific in the legalese in that they would provide you coverage, but the coverage around costs was related to the recovery process after you've become a victim of identity theft. It's not the recovery of funds prior, which is a little bit weird. So say somebody's spending money on a credit card illegally for, like, the past year, and they've rung up, like, 50k in fraudulent purchases. The 50k in fraudulent purchases isn't what's covered. What's covered is the time and the money to get that fixed. So you're still on the hook for the fraudulent purchases, or you still need to go and work that out with your financial provider. And I couldn't find any... So maybe you and I need to chat offline. Maybe you found a better option, or maybe you found one that did kinda, like, work through this. But it seems to be a pretty big loophole in coverage in that, like, you're effectively still on the hook for the fraudulent purchases. It's more about, like, recovery afterwards. Which in my mind, I'm like, hey, recovery, doesn't that mean covering the fraudulent purchases? It does not...

I'd have to look at when this starts. The one I have is up to 2,000,000 dollars for stolen funds and expenses. So again, when that starts, if it, like, is retroactive to when it was originally started or once they discover the fraud, if it's only stolen funds and expenses after you discover it. But, yeah, we can talk more about this one and maybe throw some links in the show notes if other people are interested.

So one other security topic, unless you wanna talk more about identity theft and data breaches. I had an interesting one in my Microsoft 365 tenant today, actually. Are you getting spam again? I am still absolutely getting spam, although I finally got the first one to go to quarantine. I've had a crazy spam problem coming from a .onmicrosoft.com account. Neither here nor there, but this is one. I got an alert from Microsoft Defender, and I'm not gonna share this one because of information that's in it, but essentially, I got an alert this morning that one of my guest users in my tenant, that I had shared something with, truth be told it was like 5 or 6 years ago. So this is a lesson learned. 5 or 6 years ago I shared, I invited them to a team channel. The team has long gone, I think the team has gone or been archived, the channel's been archived. It was for some training stuff, so nothing in there, but I got an alert that I had a user account in my tenant accessing my tenant from a Tor IP address. And when I looked in, I will say Defender did a good job, like, it picked it up pretty quick based on all the audit logs, like, within seconds of the first activity, and actually went in and deleted the guest user, just removed them from my tenant, cleaned it all up. I didn't even recognize the username. So first I was like, oh, who is this guest username in my tenant? I did some searching, figured out when I had interacted with them, when I had invited them. Good thing is, again, it didn't have any access to anything in the tenant because everything is long since gone. But it appears, because this credential was also used, like, 4 different times, and this is part of why it got picked up, 4 different times in the course of a few seconds, to access my tenant as a guest, and it looks like it was probably in Teams, from, like, 4 different countries.

Welcome to the fun that is being on Tor. Right? And Right. The layers of the onion and how all that comes together. It's an interesting thing. So it's funny you bring this up. We do annual security training. And part of... well, I mean, we do it more manually. But part of the latest round of security training actually had a section in there that talked about guest users, and actions that we as employees need to take when we're dealing with guest users in things like Teams. So it's a very manual process. Right? Like, if you finished a project, like you said, you've done all the things. You've archived the team, you've archived the channel. Like, it turns out you actually do have to go and, like, explicitly revoke access from those users to kinda clean it all up. Feels like a great space for, like, an ISV or somebody to step in. Just have, like, the tenant monitoring, blah blah blah. I'm surprised Microsoft doesn't have it, like, some kind of built-in lifecycle management for guests, but a lot of the onus is still on individuals who are spinning these things up and have the context. Like, I get why it's hard to automate. You don't know. Like, a guest goes dormant for 2 months, and it turns out maybe they're needed later, kinda thing, whatever. Yeah. Well, it's a hard problem. It feels like a solvable one as well. Maybe an AI could solve it for us, who knows.

Yep. And I haven't done this, mind you. Maybe we should do a podcast on this. They have, like, their lifecycle workflows in their identity governance, and the access reviews, which I would say get close. I don't know that you could build a full lifecycle workflow, because lifecycle workflows are usually more onboarding new hires, group membership changes, offboarding employees. It doesn't look like, and I've looked at these some, you can do it for guest users. Access reviews, I know you can set up for guest users that are guests of teams and groups.

Where it would, like, every 3 months, essentially go through a team, or a Microsoft 365 group really, because that's the identity structure under the team. And you can set those up for guests and say, every so often, look through all my teams with guests and send notifications to the owners: does this guest still need access to this team or group? If not, like, by default delete them, or by default leave them, or after the owner hasn't responded for so long, escalate it to somebody else. But it isn't necessarily... I think it falls a little short, and then it doesn't have that ability to necessarily delete the guest from your tenant. Kinda like mine was. The team was gone.

An access review could have cleaned them up from the team, and I think I may even have manually cleaned them up from the team, but they're still stuck in Entra, and even you, like, at Microsoft, you're not gonna have the ability to go into Entra and delete or remove users. So it does have to fall to an admin.

Yeah. You really need, like, holistic. You almost want, like, all the lifecycle management components to come together. So, like, lifecycle for my team, lifecycle for the data and the things that exist in there, lifecycle for the users, all the way back down to the identity store, be it Entra ID or whatever kind of thing. Especially for, like, these more, like, project-driven workflows, like, you really would wanna... I think, like, you know, it'd be an interesting world where you come in and you say, hey, I'm spinning up a new project, and that thing automatically creates a team, and it has some metadata that says here's the start date, here's the end date. And then once you hit the end date, if you haven't extended it, then it goes and kinda runs the machine and does all the other stuff behind it. But it says humans are bad at managing information. I've learned that very well over the course of my career, myself included. You know, sometimes you need, like, the state machine to come and kick things and move it forward and get it going. So... TL;DR, these things are gonna continue to happen. They'll continue to be an issue. Be vigilant, even in your own tenants.

Yes. And I will give props to Defender. It did a good job. It caught it. It deleted it, and then right from within the incident that it generated, I was able to go review all my logs. I'm like, okay. Did this user... is there data this guest account could access? Was there data that was still shared with this guest account? Like, everything came back, like, there was nothing there. For all I knew, it was still the user that happened to be on a Tor network with his company account, and opened up Teams and hit my tenant, because once you're a guest, you have, like, a gazillion different teams in your tenancy, and all it does is just, taking it, opening up, trying to get back into Teams. Yep, pop that up. But yes, looks like I'm safe, but it... it's a new one for me. I had not ever seen that before. So like you said, be wary with guest accounts, and their lifecycle and how you manage them. Be wary with your own user accounts too. Don't limit it to guests. That as well. Be wary with all the accounts.

Yeah. I think people forget about guest accounts. An easy one to slip your mind, especially when you just shared a document with one and didn't, like, think through that whole process of now they're guest accounts. I do like the one-time passcode stuff from that perspective, where there is some sharing now you can do where it doesn't create a guest account. It's just like a one-time access code, you get it, and that also can help with some of that. So with that, 20 minutes later, good conversation. Should we jump into our topic that we had planned for today? Jump into this one a little bit? You put all this work into planning. We should get to it. We should get to it. And it's still kinda related to this.

Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity? Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge of how to best keep your car running, Intelligink helps you with your Microsoft cloud environment, because that's their expertise. Intelligink keeps up with the latest updates in the Microsoft cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users, up to an organization with several thousand employees, they want to partner with you to implement and administer your Microsoft cloud technology. Visit them at intelligink.com/podcast, that's INTELLIGINK dot com slash podcast, for more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft cloud, so you can focus on your business.

So this was an article from TechNet that popped up, and it brought up an interesting conversation. It was from June 26, so this was a few weeks ago now, but it's "Move to cloud authentication with the AD FS (or Active Directory Federation Services) migration tool". So this was an announcement that the migration tool for AD FS, to move their apps to Microsoft Entra ID, is now generally available. They can update identity management; they announced the AD FS application migration moving to public preview back in November, all of that. We can talk about the tool, but what I think is interesting about this, Scott, and we talked about this a little bit, is further down in this article, they have a diagram with AD FS and Entra ID, highlighting limitations of not transforming to Entra ID and benefits of moving to Entra ID, but then they also label AD FS as the old way and Entra ID as the new way, and this spurred a very immediate comment on the article.

Given this new tool, the age, complexity and security limitations of AD FS, and improved technology being available, do you consider a roadmap on AD FS deprecation? And we started talking a little bit, one, about this tool, but two, about AD FS and Entra, comparing them as two different ways of authentication, especially as an old way and a new way. And I would say even more so that in my head, this triggers, yeah, old way, new way, but it's also... is Microsoft saying on-prem is the old way, cloud is the new way, versus some of these where it's... they're still providing an on-prem solution? This is almost starting to say, and I think where this comment is coming from is, is the on-prem identity for something like AD FS going away, and is Entra going to be the only way forward? There's a lot of questions, I think, around just the way some of this was labeled. And I still have customers on AD FS too, which makes me think about it.

I don't think this is too different than what everybody's been hearing for years now, in that there's a focus on the cloud and cloud services. And, you know, it's kind of a funny list if you go and look at their framing for old way and new way. Like, you could apply just about any of these benefits to any cloud solution. Like, remove AD FS from it. Right? And so, like, they talk about, like, the new way and the benefits. So benefits: more agile and responsive, AI future ready, whatever. We'll throw the AI thing out the window for a second, but more agile and responsive, sure. Like, if there's an evergreen service that's constantly being updated in the cloud, that's gonna be more responsive. That could be Entra, that could be Exchange, that could be your toaster fridge in the corner and its firmware, like, whatever it is. Right? Like those things, if they're running and somebody else is responsible for running them in their data center, like, they're gonna be more agile, more up to date. Reduce costs and operational complexity. Again, that's not AD FS specific. You're just removing the costs and the CapEx and OpEx associated with running on-prem kit. So, hey, I don't need to lease new servers. I don't need to worry about getting the latest version of that load balancer or whatever it happens to be, those kinds of things. Requirements around where data is homed. So you know, if you think about, like, Entra versus on-prem. Well, on-prem, everything's gotta be in Active Directory. And then you go, well, Great Scott, like, everything's gotta be in Entra ID in the cloud. Isn't it the same? Yeah, kinda sorta, not really though, because Entra ID is more than AD domain accounts. It's devices. It's this whole other world of, like, constructs and personas and types of things that exist out there. And then the last benefit they had was eliminating vulnerable assets. I kinda put that back under the hidden costs of maintenance of on-prem things. Benefit: you're moving at a different pace. Somebody else is responsible for the security and all the other things around it.

So in AD FS land, like, you're like, well, Microsoft is still responsible for the security either way, whether it's AD FS or whether it's Entra in the cloud. Yes and no. Like, they're responsible for the software, but you're responsible for deploying the software. You're responsible for deploying all the surrounding kit on those things. Right? Because it's not just an AD FS server. It's usually multiple AD FS servers. Usually those sit behind a load balancer. There's probably also, like, firewalls and IPS, IDS, things like that inline in there that all need to be updated and configured as well. So I think it was interesting just to kinda see the framing of this. But clearly, there's a desire to, you know, shift customers away from on-prem. And then the reality is, like, once you're in Entra in the cloud, like, you're probably not going back the other way either.

I would agree on those benefits and how they framed it. It's an interesting comparison to make. And I have started having these conversations with some of my customers that are like, we wanna start getting off of AD FS. But I've also had conversations, I don't know that I have any customers that I've had it with that have AD FS today, but there are also still a few feature gaps, I would say, between AD FS and Entra ID. I don't know what all of them are because I don't do a ton with AD FS. Most of my customers that have it, I know it's there and we've done some work with it. But I do know one that... this is an interesting one that comes up over and over and over again, is customers limiting the time that people can log in to a service. Like, these employees are only allowed to log in between 8AM and 5PM. And there's been various requirements that make valid sense for that. It actually makes sense from a security perspective. Right? Like, some of my workers that are maybe scheduled to work a particular shift or work certain hours, and should not be accessing company data outside of those hours. Some of that I've heard around needing to pay them overtime if they're accessing company data outside of work hours. Some of it could be a security thing. If they're on the clock, they can access data, but I don't want them logging in anywhere else when they're not at work. You could argue, well, you can do device join and some of that. But that's one that has come up a lot. And I'm like, yeah, there isn't a way to solve that right now in Entra. And I do know that can be solved with AD FS, because that's been the answer for a long time. So... again, maybe some of these will start coming to Entra. If anybody's listening on the Entra team and wants to add a new feature to Entra, you need something to add in this next fiscal year, time-bound logins to Entra would be on a list of things that I've been asked about.

That's an interesting one. So you're one of the few people who I've actually heard frame it as a business problem versus a security problem. So, like, if you go out and you look, we talked about this, like, last week when we were going through it. So I was kinda looking around. I was like, you know, it's like, it makes sense. Like, why isn't it there? I can see it, like, based on the way you framed it. And everything that I saw, every time somebody asks about this, they often frame it in the context of security, where they're like, oh, this person not being able to log in at this time is more secure, or I only want admins to be able to log in during these times. Like, and from that lens, it's like, well, no. Not really. It's more like security through obscurity. Right? Because once you're in with the access rights you have, it doesn't matter if you're doing that at 12AM or 12PM, like, in is in, kind of thing. Right. So from a security lens, like, yeah, it probably doesn't make a ton of sense. Like, I'm sure there's somebody out there who can rationalize their way into it. But, like, it's just soft, like, it doesn't make a ton of sense from a security perspective. Like, it's more a piece of business functionality.

And then that actually makes it, I think, harder to prioritize in today's world. So, like, you know, we opened with the whole credential theft thing. So with Microsoft being the provider of that service, do you want them to spend time on a user nicety, like, time-based access control? Or do you want them to focus on better audit logs and better restrictions and being able to catch people on Tor networks, or the traffic from China or rogue actors, things like that? Like, most people are gonna say, like, no, I actually wanna focus on the security stuff. So that's where the time, like, continues to go and lean into. Maybe this manifests in other ways. Like, I don't know if it ever becomes, like, a core Entra thing. Maybe it shows up as, you know, something inside of Conditional Access. Like, they used to have the configurable... what were they, like, the adaptive session lifetimes and things like that. So they've had kind-of-ish features like this, but they're, like, almost-not-quite kinds of things. We'll see. And I think the thing for you to do as customers, to, like, frame that out and think about it too, is what's the ROI I'm getting out of it? You know, you're using AD FS for this thing today. Is the writing on the wall that eventually AD FS goes away? I don't know. But AD FS also isn't getting meaningful improvements.

So at some point you're gonna kinda be left behind. And this same thing has happened with, like, SharePoint, with Exchange, with all these other things. You're just seeing it on kind of a different timeline and potentially a different scale, depending on your organization and kinda the applications you host in your company and the way you do business. So we'll see where it bakes out. I don't know. Maybe somebody will step in at some point. Like, even if AD FS goes away, I don't think the ability for Entra to be a modern identity provider and support things like SAML auth and relying parties, like, I don't think that goes away. So maybe there's an opportunity where even, like, another one of, like, the cloud vendors picks it up, like, say, like, Okta or something like that. So if you maybe federate through Okta, Oracle ID, maybe, you know, say there's a theoretical world where AD FS goes away. Does that mean everybody goes to Oracle ID or SailPoint or something? I don't know. You know, we'll see. It's interesting.

And does that mean... I mean, I feel like almost every organization has something in the cloud, but does it also mean, for, like, companies that have been purely on-prem, if this goes away and stops being supported, something like an authentication server, you shouldn't run any software out of support for security reasons. I feel like authentication servers are maybe on another level, kind of a little more important. Right. Is it gonna start pushing some companies? Like, are they gonna get some kickback? I know at one point in time, there was, like, this is the last version of SharePoint on-prem ever. And then there were a bunch of customers that said, can we rethink that? And lo and behold, we had SharePoint Subscription Edition. I can't remember if there was even, like, a SharePoint 2019 and then SharePoint Subscription Edition after that, how the timing of that worked. But I would imagine that. And again, this is not... don't interpret this as AD FS is going away, because there have been no announcements about it. But it definitely feels like it's Microsoft trying to push everybody to the cloud for authentication, which, good or bad, I mean, especially as Microsoft was also in the news for security stuff over the course of the last 6 months. So I don't know. Definitely an interesting discussion, and I'd say especially if you do have an AD FS server. And again, I've had these conversations already with my clients: do you need to start thinking about replacing AD FS with Entra? And they're all already in the cloud. This has already been conversations that have come up for that reason, because as they've migrated workloads to the cloud, and there are challenges that have also come up with AD FS from their perspective, where they're like, it probably is smart for us to look at getting rid of our AD FS servers and migrating, given that we're already in the cloud, already doing a bunch of stuff with Azure, well, Azure AD, Entra ID, all of that.

But I will say, well, we have a few more minutes, this also led us to this tool. I gotta find it. And I was trying to remember if I've seen this website before, Scott. It is setup.cloud.microsoft. And then in this tool, there is a "Migrate from AD FS to Microsoft Entra ID for identity management", and this is the website, and the sub-site within the website, that this blog post redirected us to, where it's, like, it's an interesting tool. We'll put it at that. It's not necessarily a click-through-and-go, connect to my tenant, like maybe I anticipated it was, but it's a guide where, like, on the first page, it's for all types of migrations. The following AD FS scenarios can't be migrated to Entra. So it does start right off with certain cases, and it gives you a bullet list there of, these can't be migrated to AD FS, and then some stuff that's on staged rollout. And if you select none of the scenarios apply to my org and I'm ready to move forward, then you can go to the next page, which then walks you through. It's almost like a questionnaire of, then what types of apps are you using? Are you using Office apps, non-Microsoft apps? Based on those, it's a conditional checkbox of, is your AD FS implementation integrated with Microsoft Entra Multi-Factor Authentication Server, which has been deprecated, by the way.

And based on what you select there... So it's like a walkthrough of getting you ready for it. And then I believe once you get far enough, we found it does provide, like, some scripts you can run, links out to different documentation to begin your... some actual migration. And, again, not necessarily the tool I was thinking, where it's gonna, like, do a bunch of migrations of apps for you and grab all the metadata and copy it from your AD FS server, maybe into Entra, and start creating applications there and automate the migration. But it walks you through, I would say, better than maybe the Microsoft Learn documentation does, around some of the steps and what you need to think about to actually manage this migration and go forward with that migration.

I think it abstracts away, just, like, on the front, like, some of the complexities of thinking about, like, SAML assertions, what are the potential, like, claim rules that need to be augmented? Like, how do I swing things? How do I roll back? Like, it's not the most, like, uncomplicated scenario to swing your identity from one side to the other and get it to where it needs to be. So, you know, I think it depends on the kind of admin you are. Like, hopefully, if you're maintaining AD FS infrastructure, like, you know all this stuff and you know how to go in and, like, augment claims rules with your eyes closed. If you don't, then, you know, wizards like this are kind of nice for you to keep you there. Like, maybe somebody else set it up, and it's just, like, a piece of infrastructure in your portfolio.

You need to go back and maintain it and get it to where it needs to be. So I kinda go both ways with it. One, it's nice to have the wizard, but the other... the reality is you're gonna end up in those deep-dive docs anyway at the end of the day to get where you need to be. This site, the whole setup.cloud.microsoft thing, was interesting to me. I never really... I mean, maybe at some point they announced this thing or somebody knew it existed. I couldn't remember it existed or that it was out there, but there's just all sorts of different kinds of migration guides. They're all in these wizard-driven interfaces, right? And so it's weird stuff, like configuring IE mode for Microsoft Edge. There's a Zero Trust setup guide. You can do things by categories. So you can go in and look at, hey, I wanna look at a guide for identity, which would be things like AD cleanup, or I wanna do security. You mentioned Defender, kudos to Defender, like, hey, guess what? There's a scenario guide in here for Defender for Identity, for Defender for Office 365, Defender for Cloud Apps. There's a bunch of Intune stuff with MDM. There's Purview stuff for compliance. There's Teams stuff for collaboration and voice. Right? So, like, how do you configure Teams for a frontline workforce? That's a guide that they have in here.

They have a bunch of employee experience stuff. I don't think I've ever seen Engage, Insights, Goals, like Viva Engage, Viva Insights, Viva Goals, all that stuff, wrapped together in one place like this, product-driven guides. It's really kind of a weird site, and then it replicates some other functionality as well, in potentially strange ways. So, one of the ones you and I were talking about when we were really looking at this previously was, when you do Office deployments with the Office Deployment Tool, the ODT, you have to create some XML to pump into your ODT file. That XML defines the configuration for your Office client. Like, what are the things that I'm installing? Oh, I'm only gonna install Excel and Word here, and I'm gonna have this turned on, I want a 32-bit or 64-bit architecture, blah, all those things. So usually the way you would do that is there's actually an entire setup and provisioning engine that's part of the admin center. The interesting thing about the one that sits over here is this one sits outside the admin center, and you can do it all unauthenticated. Right? Just come in and spin up the XML and get it out the other side. But then it not only gives you the XML, it gives you a whole other set of PowerShell scripts that are bespoke for you to actually go and do the ODT deployment. It's really kind of a weird duplicative thing. I don't know. But if nobody's seen it, I did like the wizard-driven interface, the next, next, next, like, hey, explain it to me as I go kind of thing. Some of that was nice.

Again, it felt like... even though it duplicated it, it puts some of that in, I would say, a more logical order if you're brand new to it. To your point, if you've been doing this for a while, I don't know, like you and I, how beneficial this really is, because it does... I would say it tends to focus on a little bit more of the basic stuff. Deploy the Microsoft 365 apps. I didn't look at what was in there for Defender. Set up your Zero Trust security model. That one would be interesting to walk through to see how detailed that one gets. Deploy and configure Defender for Endpoint, Defender for Office 365, analyze security posture. And like you said, some of the stuff that's in here, then you have that mixed in with IE mode for Edge. I don't know, Scott. You know, you gotta sprinkle the legacy in there with the new stuff. It's... Deploy and configure Edge with a step-by-step experience. Microsoft Search setup guide is somehow under Edge. Don't know that I would consider Microsoft Search setup to go under Edge, but we'll go with it. Yeah, I would say worth exploring.

There's 61 different guides in here, so it is not gonna be all-inclusive. Tell me everything I need to know about deploying Microsoft 365? There might be a couple in here that you find interesting. Purview, security, those are the big ones. Viva. Yeah, there's nine of them for Viva. There was a bunch of... Insights, Goals, Engage, they were all there. There's one for Yammer too, Scott, which technically isn't even a product anymore. Just in case, I mean, just in case someone's still using the app. Yes. Which has become Engage. Just think Viva Engage. Let's just recategorize it. Yeah, so nifty tools. If you are still on AD FS and you're looking to migrate, there's a click-through to maybe help you, I would say, to help you think through it. But given some of these, I would also say if you're on AD FS, and especially if you're already using Entra for identity, this is probably something you wanna start thinking about doing. Or even start to think about how you scope those things down and segment them too.

I think some folks view identity as an all-or-nothing scenario. And, you know, so, like, all my users are in the corp domain, therefore everyone has to authenticate through AD FS? Well, maybe, maybe not. Right? You might want more security for your admins and your admin accounts, and maybe that actually requires a different tenant with a different configuration, and maybe that stuff does go through AD FS, or it goes through some other security token service, right, that can just sit out there as a relying party and do what it needs to do. I live in that world for sure. I have multiple PCs for my employer. I have basically my prod identity, and then I have another admin identity, and that's the thing that gets me into the admin stuff. But the admin stuff actually happens on, at this point, a dedicated machine. It flows through its own dedicated identity provider, all these different things. It is truly segmented. And I think that's kinda funny too. That very much reminds me of the old-school world, where we used to have separate user IDs and admin IDs, and then for a while we floated back and we said, well, why do you really need an admin ID when you can just PIM in and you can do all this other stuff? Right? And it turns out that I now live in a world where I still have separate IDs, I still have to PIM in, but when I PIM in, I'm not only logged into my admin account, but then I'm still PIMming, or doing just-in-time requests or things like that, even on that admin account, for the additional layer that goes in there. It's all just very cyclical. Right? We always come back around.

Yes. And then you set up different authentication or different MFA options for your admin account to make MFA more secure for admins versus normal users, and there's all kinds of things. And I've started doing some of that too. I've seen some of the security stuff, and I now have two accounts. My admin one has PIM and it requires strong MFA. My normal one, not quite the same level of MFA requirements. It's a thing. So, separate identities, separate devices.

I saw the other day that it looks like Microsoft is positioning for employees in China that they can only use iPhones due to security threats. I saw that. So it's even coming down to potentially that point as well. Not only do you have to use this identity in this thing, you also have to potentially use this device from this manufacturer, which is kind of funny as well. Not funny sad, but more like funny that we've come all the way back around from, like, you can use any device to access anything, and now we're into, oh, you must use this device kinda thing. Yeah. Here's a news article for it. I'm sure there's a better one out there, because I think this came from somewhere else. But MSN... Yeah. Microsoft employees in China now have to use authentication apps installed exclusively on iPhone devices, part of Microsoft's Secure Future Initiative announced last year. Well, that's what 9to5Mac reports. 9to5Mac has some... It's interesting what shows up on 9to5Mac sometimes. Go with that. So interesting. Lots more... always something new to talk about with security and authentication.

You know, it just keeps on coming. With that, I have meetings. I actually have a presentation coming up, ironically enough. I have a presentation in like two hours today, Scott, on Entra ID. No, Entra ID best practices, or security best practices in Entra ID. That is something I have to spit into... Step one: do AD FS? Which way do you lean in? No. My slide one is turn on MFA. Slide two is turn on MFA. Slide three is... turn on... No.

Sounds about right. Yeah. No. MFA, secure auth, or anti-phishing MFA, because I have also seen a lot of articles recently on how scarily easy it actually is to bypass certain MFA methods. Oh, yeah. With the... It's not called man-in-the-middle, but it's essentially a man-in-the-middle and stealing the session token, and the need for the anti-phishing MFA. So I'm doing some about anti-phishing MFA, the guest access thing I talked about, reviewing guests, how long they've been in there, who has access. I can't remember. I'll pull up my slides. We can turn this into a future podcast topic. Maybe, adjusting authentication methods. Yeah. Limiting your admin roles, some of the PIM stuff we talked about, auditing and alerting.

I might bring up, like, I'm borderline on some of the Global Secure Access stuff. Is it a best practice? Maybe borderline, but beneficial from a security perspective, probably. So I have way more slides than I'm gonna cover, so I may kinda just pick and choose through my slides as I go. So that's the rest of my Friday. And with that, I'll let you go enjoy your Friday. Sounds like a plan. Thank you, Ben. Alright. Thank you, and we will talk to you again soon.

If you enjoyed the podcast, go leave us a 5-star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening and have a great day.
