Episode 382 – Securing the Modern Workplace: Exploring Microsoft Entra ID Security Defaults, Conditional Access Policies, and Microsoft Secure Score

Aug 15, 2024 (33 min)

Episode description

Welcome to Episode 382 of the Microsoft Cloud IT Pro Podcast. In this episode, we dive into three essential tools for safeguarding your organization in the cloud-first world: Security Defaults in Microsoft Entra ID, Conditional Access Policies, and Microsoft Secure Score. Join us as we talk through and rationalize each solution, including when and why you might want to use each depending on your maturity with the Microsoft Cloud. Whether you’re an IT administrator, security professional, or just someone keen on understanding how to secure your digital workspace, this episode is packed with valuable insights and practical tips to help you leverage these security tools. Tune in to stay ahead of the curve and ensure your organization is protected against the evolving threat landscape! Like what you hear and want to support the show? Check out our membership options.

Show Notes

Security defaults in Microsoft Entra ID
Microsoft Secure Future Initiative
Every Microsoft employee is now being judged on their security work
What is Conditional Access?
Conditional Access policy templates
Episode 256 – Conditional Access All The Things?
Microsoft security portals and admin centers
Track your Microsoft Secure Score history and meet goals
Assess your security posture with Microsoft Secure Score

About the sponsors

Would you like to become the irreplaceable Microsoft 365 resource for your organization? Let us know!

Transcript

Welcome to episode 382 of the Microsoft Cloud IT Pro Podcast, recorded live on August 9, 2024. This is a show about Microsoft 365 and Azure from the perspective of IT pros and end users, where we discuss the topic or recent news and how it relates to you. Today, we start diving into tools for safeguarding your organization in the cloud first world, talking about some of the pros and cons as well as when you might want to use some of these various tools. We start off talking about security defaults in Microsoft Entra ID before moving into conditional access. We wrap up the episode discussing Secure Score in Microsoft Defender XDR. Should we talk about something Microsoft 365 related? Let's get into it. M365 day. Maybe a little bit of Azure. We'll see what we can work in. This might be a little bit of Entra stuff, which as we have discussed multiple times spans both Entra or both Microsoft 365

and Azure. But this came from kinda some things that people have brought up, questions that have been asked, and it was around security. And I think the specific question, if I go pull it up, was somebody asked more how do you would or how would you how do you how to evaluate new tenants, evaluate security resources out there to get statuses on your tenant. Like, I went and stood up a brand new tenant, again, whether it be Azure or Microsoft 365, I have a brand new Entra.

Where do I go from here from a security perspective? It's the gist of the question. It's an interesting question, right, especially in split brained land where, like you said, Entra comprises functionality across both the M365 stack and Azure as well. Yeah. So security is like a far ranging topic, and I would preface all this with I am by no means a security expert.

But that being said, like, there's a bunch of tools out there that are available to us mere mortals to help us rationalize current configuration. Hey. How does stuff look today? And then maybe for folks like me who aren't experts, what are some logical defaults or some things that I should think about going and configuring to improve the posture of the security configuration of my tenant.

And to a certain degree, not even just my tenant, like, the users who interact with my tenant because users who interact with my tenant could be in my tenant, or they could be guest accounts or other things that are coming in to interact across SharePoint and other workloads like that. We talked before. We are going to I'm not gonna commit to a time, but we are gonna try to keep these somewhat time boxed. So this very well may turn into a multipart episode too. To your point, this is

a very broad topic across everything. So I think from my perspective, where I first start, new clients come to me, and this one is M365, but it does touch Azure is I have a new tenant. I stood up Microsoft 365. I stood up Azure. I now have Entra. What do I do? And the first thing, and this is a newer one, is by default now, everybody has security defaults that are enabled in your tenant. These are also I don't have these been

turned on by an old tenant yet? I don't I can't remember, and I don't see the timeline on here of when Microsoft was gonna force these on. These should be turned on in existing tenants as well. So at this point, if you have a tenant that was created after 2019, give or take. Like, it it was late 2019, early 2020 when a lot of this stuff rolled out

as far as security defaults. So if you had, like, a new M365 environment that came up, O365, you set up a new Azure subscription and a new Entra ID tenant or Azure AD tenant as they were called back then, then you should have some permutation of this. Like many things that Microsoft does, I think if you have an established tenancy and you were somebody who, like, looked after it, you were probably somebody who's decided to, like, slow roll it, or maybe you blocked it for a while.

So it could be in, like, various states within your own tenant configuration today. But it's actually pretty easy to look. So you can hop into the Entra ID admin center. You have to have a role that is at least a security administrator. And then if you go into the identity blade and just the kind of overview of your Entra tenant, your Entra ID tenant, the properties for it, they just have a little, basically, am I enabled or am I disabled for security defaults that you can go ahead and flip through. And, like I said, I think, my approach to this stuff back when I always used to do it was to

slow roll it and say, oh, yeah. Microsoft gave me an easy button, but I might wanna turn that on a little bit more piecemeal rather than stepping in and having everything all at once, like requiring all users to enroll in MFA, requiring all my admins to do MFA, and all the blocking legacy authentication protocols, a lot of stuff, and, like, doing all those permutations at once, sometimes you wanna slow roll

those and do them yourself. And if you are of that, like, kinda person, right, okay, that's your approach, nothing wrong with it, I think this even that the security defaults are there and documented, like, it's another thing to go and look at and say, k, what's my posture? Where am I at? Maybe I haven't turned it all on, but do I have a plan? Am I aligned to best

practices? Those kinds of things. Yeah. The one thing I would say though so this is my biggest I would say my biggest gripe with security default is you can't slow roll it. You cannot. It is either on or off, and I get why Microsoft did this. Like, you had a bunch of old legacy tenants and new tenants that were getting stood up that people were not doing any sort of security with. And this has a lot of those basic controls

you said. So if you turn this on or if it is on, what security default is requiring MFA for all users, it's requiring or to register for MFA, it's requiring admins to do MFA, multifactor authentication. It's requiring users to do MFA when necessary. So it's not all the time like, this is gonna probably be tied to certain risks or certain conditions that they're triggering. You don't really have any control over it. Microsoft decides

when necessary is and isn't. Like you said, it blocks legacy authentication, and it protects privileged activities like access to the Azure portal. So you turn it on, it's gonna do all those things. You turn it off, it's not gonna do any of those. But there's nothing bad in here. There's the degrees of maturity with your comfort with an environment. So I would go to you, and I would say, hey, Ben. Help me out with the configuration of my AD, sorry, Entra ID tenant. And you go, sure. Gotcha. Been doing this for years. I know where all the knobs and levers are. Let's go turn them. What kind of customer are you? Oh, I see you have premium licenses for Entra ID. Like, you have a mix of P1s, P2s. Maybe you're all P2s, all P1s, whatever it is. So you're immediately gonna clue into the world of I know what's available to you and where you can really lean into the complexity of that organization's requirements and where they wanna

land. Because they're licensed for it, you'll have access to things like conditional access and CA policies and all the power that comes along with those. And on the flip side, there are people out there who just go and sign up for new GoDaddy tenants, and, yeah, they're Don't do that. No. Don't do it. Nobody. Don't do it. But people do it. Okay. But people do. And for those people who do it, like, they're not the most they're not the deepest into the ecosystem. Right?

They they don't have that same level of maturity. They don't carry the licenses, particularly for some of the more advanced features in things like conditional access. So in that world, security defaults is nice because, yeah, it can cause some pain. We can argue how much the pain's worth it, but it immediately puts your posture in a place where you're at least covered for the vast majority of the basics for free, and you didn't have to do anything and go with it.

Again, if you're a customer out there or you're an administrator, developer, whatever it is, and you're looking at this and you go, I know my way around this. I'm gonna script it out, or I'm gonna click next next next, and I'm really gonna dial it in. Security defaults isn't for you. So, in that case, you can just use the documentation for security defaults as, hey, what are the things that I should think about doing within my environment? Should I require all users to register for MFA?

I might look at that and say, yeah. All users, but not really all users because you're gonna have a segment of users that, you might not want to be eligible for MFA today based on your organizational constraints, maybe like a break glass account or something like that. Right? Like, you you have the exceptions, and you know how to drive into those

and configure those kinds of things. But for those that require the easy button or for those that are net new, I really don't think there's anything wrong with having the easy button enabled by default, especially as long as you can come back and upgrade later or you can disable it. But at least at that point, it's a conscientious decision on your part as a customer to come in

and do it. So I can totally see where, like, as a service provider on the Microsoft side, they're saying, like, hey, we want you to be in the best default posture that you can be. And that's often at the expense of a little bit of pain and a little bit of friction because for better or worse, like, all these things, like turning on MFA and having all the authentication methods and locking users down to things like just certain authenticator apps and things like that.

It's it is necessary, which is sad when that's a conversation for another day. I agree. 100%. All of these are good things to have, and to the pain point, it's not nearly as painful as it used to be. I would say 3 years ago, the legacy authentication would really bite people. They'd go toggle this on and all of a sudden a whole bunch of stuff would break because they were still running old Office clients or they were still using app passwords, that type of stuff. But I am glad they have this as

a default state. There's a few times that I've been in a few situations where I'm like, you know what? I wish I could toggle, like, one of these off where it is. It's a small business. They don't wanna go pay for conditional access, but you run into those weird one off scenarios where legacy authentication is causing an issue.

That's probably the biggest one. But, again, over the last 3 years, as everybody has gone away from legacy auth, this is absolutely a good thing to have in place by default. The only other thing I would say with this is I still see some people that have this off. They're like, I'm doing, like, the per user MFA, like, the old school per user MFA, and we've talked about that being legacy. That is going to go away at some point in time. So if you're still relying on that to turn off MFA in certain situations and leaving security defaults off, 1, security defaults gives you a lot more protection than just that legacy MFA, and 2, that is gonna go away. I think folks should be prepared for stuff to start getting dialed in and change more rapidly as well. If you go out and you just look at the news for security incidents across Microsoft, Azure, Google, like, these things definitely exist, right? They're

out there. And then you consider, like, the spread and what's going on between having to protect cloud resources, protect local machines, and all these kinds of things, it's in the service provider's best interest to, like, really start to dial things in and lock things down.

If I was a Microsoft customer, I would go out and look at things like the Secure Future initiative, which has been publicly talked about, but, hey, these these are some thoughts and approaches and ways that we are going to align to being the most secure that we can be. And I'm a Microsoft employee. That bubbles back

to me, actually. So one of the things that was publicly reported last week, I think I saw an article on The Verge about it, was that as a Microsoft employee, I am going to have a specific item on, like, my my annual assessments. I'm gonna I'm gonna have a core priority that basically aligns to saying, what did Scott do to contribute to the overall security of Microsoft? So now it's if it wasn't part of my job, and it was part of my

job, but now it's it's really there. It's front and center, and it's effectively, like, priority 0. Right? I need to get in, and I need to do these things. And as every employee is doing that across every part of the stack, I think you're gonna see an acceleration in not only the features that are available to you, and this is just my hunch.

Right? As we all lean into it, like, you'll see an acceleration in the features that are available, but you'll also probably see an acceleration in application of those features, timelines for implementing those features, things like that, because there's gonna be a rapid desire not only to move, like, internal workloads away from an unsecure posture,

but also to move customers that way. And we'll learn a bunch as we're moving internal stuff that way, and then that'll eventually disseminate out to the rest of the world. But when you're looking at this stuff, I I think just to give you the perspective of, hey, somebody who works at Microsoft,

like, literally part of my job now. And so when I say I'm not a security expert, I gotta become one at least in some ways for like the things I own and the things that I'm accountable for so that I can move that forward because it's gonna be something that directly ties back to my performance at work. Yeah. And with that, it wouldn't surprise me. Like, they have guidance now for how to turn off security defaults, so you can still go

in and disable it. You mentioned if you don't wanna do security defaults, the next logical step is conditional access.

It would not surprise me to see them get to a point where if you turn off security defaults, you either, a, need to go implement certain conditional access policies within x amount of days to not have security defaults turned back on, or even when you turn it off, it goes and automatically creates some conditional access policies to mirror what security defaults did just because you don't wanna find yourself in that state where you're completely

unsecured. And they already give you guidance, they just don't necessarily force you into it yet. It'll be interesting to see if they move in that direction. But you wanna go to conditional access. This is where I tend to go. I tell most of my customers, don't tell Microsoft this, Scott. I think the price of Entra ID Plan 1 is worth it just for conditional access and what you can do. And I think we've done whole episodes on that, but it is an Entra ID P1 SKU, so you have to license everybody for Entra ID P1 to do conditional access. But then you get all the customization, you can tweak it, and you can even make it more secure. If you want to just make that step and you're like, you

know what? I've had security defaults. I haven't done conditional access yet, but I wanna move in that direction, Microsoft does provide your Secure foundation category of templates in conditional access. So, essentially, you can go into Entra, go to Security, I think it's under Secure or Protection, and then Security and Conditional Access, select Templates, and they have categories, and one of those is Secure foundation, and it has a template for all of those conditional access policies

that that security defaults implements. You can go click through and just deploy all what 7 templates it looks like in conditional access to replicate security defaults within your tenant. So this is one that again, if you're not doing security defaults, absolutely go do this. This is a nice first step for anybody that wants to move in that direction and wants to see how do these conditional access policies work.

Use this template or, frankly, any of the templates in there to start creating those policies and get those in place instead and see what they look like, how those settings look, that type of stuff. It's all well documented. Right? So the other thing is even if you didn't wanna use the template, you can technically go spin this stuff up yourself, and next next your way through it or use the various automation tooling and things like that to get it to where it needs

to be. There's a lot you can do with conditional access. We can do a whole episode on that if we haven't. I'm pretty sure we have. I've done YouTube videos on it. Do you feel overwhelmed by trying to manage your Office 365 environment? Are you facing unexpected issues that disrupt your company's productivity? Intelligink is here to help. Much like you take your car to the mechanic that has specialized knowledge on how to best keep your car running, Intelligink helps you with your Microsoft cloud environment because that's their expertise. Intelligink keeps up with the latest updates in the Microsoft cloud to help keep your business running smoothly and ahead of the curve. Whether you are a small organization with just a few users, up to 1000 employees, they want to partner with you to implement and administer your Microsoft Cloud technology. Visit them at intelligink.com/podcast. That's i-n-t-e-l-l-i-g-i-n-k.com/podcast for more information or to schedule a 30 minute call to get started with them today. Remember, Intelligink focuses on the Microsoft cloud, so you can focus on your business.

What you would do next. So so you either did security defaults, you've done conditional access, you have base I would say that's base authentication security. Right? You're protecting your user accounts and how they're logging in with those 2, but there's a lot more to security than just go in and turn on security defaults or turn on conditional access policies. There's just a hint or a hair or more

to that. Yeah. And if we're going back to the question a little bit is how to evaluate new tenant security, eval, resources, tools. I'm thinking, given the time, maybe we do a third, a second one on tools. The next place I go before I would even go implement tools or look at tools is I head over to the security center that you have in Microsoft 365, security.microsoft.com. If you go to admin.microsoft.com and go to security there, underneath, they keep changing the navigation around in here. I think it is under where did they move it? They moved it under some place in there. You can go search for it. Is you have your secure score. And every time I need it, I'm able to find it, exposure management. There it is. So if you stand out exposure management, you can look at your secure score, and this gives you an overview of

your security posture and your tenant. So it'll give you some score. My score is 53.73%. I have achieved 748.99 out of a possible 1394 points. I don't know about you, Scott. I have never seen anybody get this to a 100. So if you go in here, I think new tenants start out somewhere in the 40 to 50% range if you don't do anything. I continue to not like Secure Score. I wish it was more like Azure Advisor recommendations. K. Here's the set of things that you

should consider doing kinda thing. But the way it's presented as, like, a hard number with a percentage, it really makes you feel like you should get to a 100%, and I don't believe that's the intention behind it. Like, I've never run into anybody who thinks it's that way nor have I met anyone who's ever gotten it to 100. If you ever have, hey, give us a call. Come on the

show. We'd love to have you. Well, walk us through, like, how many prompts your users go through every time they, like, click a button. So the intent isn't to get you to a 100%, but it's in in intended to get you to incrementally approve or improve your posture over time because there could be, like, new rules that are added. There could be new metrics that are evaluated,

things like that. So as long as you're comfortable with it, like, it turns out that, like, your score of 53.73%, that could actually be your version of a 100. Right? K. We're comfortable. We're ready. We're good to go. For somebody else, it could be 60. For somebody else, it could be 40. 50 feels like an actually, like, a pretty good number, like, in the model for what's out there. But, yeah, you're not gonna get to a 100, nor do I believe the intent is

to get you to a 100. Yeah. And that's the way I tell clients to look at it too is within the secure score, you get an overview, but you also get a history. So I can see that my historic score over the last I don't know. I'm looking at the last 3 months has increased 2.19%. So my security has gotten incrementally better. There are times it's decreased, there are times it's increased, but I treat it more as, am I getting better or worse at security? Not, am I getting up to a 100%

when I'm looking at the score. To your point about the adviser, what I like about Secure Score is it comes up with that score based on a list of recommended actions. So if I look at mine, I actually have I should go look at this. I have actions to review 7 are regressed. So something has regressed in my tenant, whether something got turned off or a policy that was applying to devices, a device got removed from it. Somehow, there's something that regressed, and then I have a 126

actions to address. And, again, I would say the danger is people look at it and they're like, oh, I got a 126 things I need to fix in my tenant. No. There's a 126 recommended actions that you can go look at, ranging from things like blocking JavaScript or VB scripts from launching downloaded executable content to blocking Office applications from creating executable content, unsigned processes running on USBs, disabling basic authentication for the WinRM client.

Like, there's a whole bunch of things. And to your point, Scott, I treat this as okay. Let's go look at this. It does give you a percentage. If you go do this, your score is going to increase by 0.57%, by 0.65%. The other thing to call out is your score is different than my score, which is different from the next person's score. And even to, like, the degree of, k, here's your max score and how your percentage is configured

and things like that. Because one of the things that strikes me as I look at yours, you talked about, okay, maybe the default score being someplace in, like, the forties for a new tenant. You're not a new tenant, and you have a bunch of stuff lit up. Like, you have things related to devices

in here. So because Secure Score technically falls under Defender, and it's part of the whole, like, Defender XDR suite thing that's going on, so you're seeing a bunch of things that are potentially applicable, not just to where we started off with Entra ID and just access policies around identity. Now we've extended into the world of devices and device specific configuration and the behaviors of my users that are out there. And then this takes us back to the same conversation we had with secure defaults versus CA policies and things like you might be able to turn it all on, you might not be able to turn it all on, or it at least points you in a direction where you wanna go. Oh, I thought about Office Macros. This is legit. The last time I thought about Office Macros was probably 2 plus years ago, but maybe seeing it on there is enough to, like, just light up an admin's brain and say, oh, we should go reevaluate that and see if we can improve our posture there and move things forward. Or maybe you wanna look at these things by their categories and where they sit, and these things are categorical. Like, even if you look down what you have on the screen right now, it's Exchange Online, it's Teams, it's Office. It's very workload centric, so you can go in and choose, I guess, workload or solution or scenario, like, depending on how you slice it. So if you wanted to come in and you wanted to just do, like, the secure score equivalents for identity, you could absolutely dial into just Entra ID and the things that are going on there. Yep. And that's 100% what I do. Like, I've looked down this list and I treat it as a checklist, but what you mentioned is a prompt for,

oh, yeah. I didn't think about this. I didn't think about turning on customer lockbox feature, or I didn't think about dial in users bypassing the meeting lobby because I do a bunch of Teams meetings. This does let you sort filtered group by scores, by how you can improve it, by the status, if you've actually addressed it or not, categories for it, identity versus apps, products, devices, all of that. And the other thing I would say too about this, Scott,

is this tries to automate it. It tries to look at your configuration and say, yeah, you've done this or you haven't done this. But there's things like configuring VPN integration or especially when you get into some of the devices, disabling machine account password changes. This, in so much as it can automate it, it depends on you using Microsoft 365 for everything.

Just a little bit. Yeah. If you're using AirWatch for device management or one of the other third parties, if you're using Sophos, I was talking to somebody the other day using Sophos for endpoint management, There may be some of this stuff that you've already addressed via a third party tool that your Secure Score just doesn't know about. So they do give you the option to also manually go in and say it's addressed

or, again, your percentage, it's a guideline. It may not know everything that you have done, especially if you've done it in ways outside of managing it within the Microsoft 365 ecosystem. Yeah. You almost want the button like, I'm never gonna do this. Don't evaluate me on it. Yeah. There are some in here I look at. It's block USB devices from working on your endpoints. I'm like, no. I'm not ever gonna completely disable USB on all my endpoints. Some people may. Some places, it's a requirement.

Mine, it's not. So it's a security risk I'm willing to accept even though it lowers my secure score. But this is after I look at security defaults and conditional access, the next place I would go from evaluating a tenant is just almost working through this with a client. What of these do you care about? Or I tell a client, go look through this list. What of these do you care about? What of these do you wanna know more about? Which ones of these are you like,

yeah, we've already taken care of that? But using it as a starting checklist for what are some other security things I should be thinking about or addressing within my Microsoft 365 tenant. All of this just lets you widen the net. So where should you start? Arguably, identity 100% of the time, right? It's your first gateway into all of these things, like, you're not using Teams until you're logging in through Entra ID, full stop. So start on the identity side, and then this approach of, hey, let's go in and cast a wider net and see what else is out there. Like, the I'm gonna throw a pebble into the pond and see how many ripples it creates kinda thing, and you can start to do that this way. So, great, I've got the identity thing. Oh, it turns out that Secure Score tells me more about identity than even just the security defaults did or than some of the stuff that maybe I saw while I was clicking around in conditional access or reading the docs. Great. Those are other things I can look at. Now I just looked at identity. What do I wanna look at next? Do I wanna look at my cloud hosted workloads like Teams and Exchange and SharePoint? Or do I wanna look at desktops and devices that exist out there? And you can start to just keep searching, right? And every layer you peel back, you find a new thing, and it gives you more work to do.

And like I said, if there's somebody out there and you're listening to this and you're like, I've gotten a tenant to a 100%, I wanna hear about it. I wanna hear if anybody's even gotten it to 90. I won't even set the bar at a 100. 90%, I would love to hear about it. 90%. Let us know. We have a contact form. You just go to msclouditpropodcast.com or msclouditpro.com. I think we redirect these days, and just hit the contact form, let us know. If you're a member, come ping us in Discord. We'd love to have you on and participate in real time. We can make it happen. Ben and I are curious. Absolutely. With that, should we wrap it up and continue our discussion next time on evaluating security, whether it be Azure, whether it be third party tools, whether it be some other random security thing we think of? I think next time, because we did the research on it, we should talk about tools next time and ways to and I consider, like,

Secure Score a tool. Right? Like, you browse to this website, you've pulled it up, it's giving you some actionable information. There's a bunch of other ways to get at this data as well through the API surface that's available in Entra, including our friend, the Microsoft Graph. So we can talk about some tools and some ways to interrogate and visualize tenant configurations through some of the stuff that's out there.

We can also talk about tools and ways to, like, break into your environments and things like that, so, like, vulnerability testing for these environments. Perfect. Sounds like a plan. Thanks, Scott. With that, go enjoy your, hopefully, your hurricane free, hopefully, a nice weather weekend. I'm going to Denver this weekend, so I got a concert at Red Rocks that I gotta get to. I'm jealous. I'm staying in Florida this weekend where it is currently feels

like a 112 degrees outside. So I'm gonna go outside and play pickleball because somehow in my mind, that's a great idea. I was in Denver last week for another concert, and it was 98 degrees Fahrenheit, and there were forest fires. So don't feel bad for me. Alright. I won't. Sounds good. Well, enjoy. Hopefully, you have better weather this weekend, and we will talk to you again soon. Alright. Thanks, Ben. Alright. Thanks, Scott. If you enjoyed the podcast, go leave us

a 5 star rating in iTunes. It helps to get the word out so more IT pros can learn about Office 365 and Azure. If you have any questions you want us to address on the show, or feedback about the show, feel free to reach out via our website, Twitter, or Facebook. Thanks again for listening, and have a great day.
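The three checks the hosts walk through in the portals (the security defaults toggle, whether Conditional Access policies cover what security defaults would, and the Secure Score percentage) can be pulled in one pass over Microsoft Graph, which the closing segment points to as the way to interrogate tenant configuration. The script below is an added example written for this page, not code from the podcast or from Microsoft; it assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the signed-in account can consent to Policy.Read.All and SecurityEvents.Read.All. The endpoint paths and property names are the published Graph v1.0 ones; the "covers the basics" heuristic (an enabled policy scoped to All users that grants with mfa, and an enabled policy that blocks exchangeActiveSync plus other client apps) is this example's own reading of what the Secure foundation templates do, not a Microsoft definition.

```powershell
# Added example: report Entra security defaults, Conditional Access coverage
# and Secure Score from Microsoft Graph. Assumes Microsoft.Graph.Authentication
# is installed; uses Invoke-MgGraphRequest so no other submodules are needed.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'Policy.Read.All', 'SecurityEvents.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Security defaults: the single on/off switch the hosts describe.
$sd = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/identitySecurityDefaultsEnforcementPolicy"
Write-Host ("Security defaults enabled: {0}" -f $sd.isEnabled)

# 2. Conditional Access: if defaults are off, is the same ground covered?
$policies = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies").value)
$enabled  = @($policies | Where-Object { $_.state -eq 'enabled' })
Write-Host ("Conditional Access policies: {0} total, {1} enabled" -f $policies.Count, $enabled.Count)

# Heuristic (this example's, not Microsoft's): an enabled policy that targets
# all users and requires MFA as its grant control.
$mfaAllUsers = @($enabled | Where-Object {
    $_.conditions.users.includeUsers -contains 'All' -and
    $_.grantControls.builtInControls -contains 'mfa'
})
# Heuristic: an enabled policy that blocks the legacy client app types
# (Exchange ActiveSync and "other clients"), as the built-in template does.
$blockLegacy = @($enabled | Where-Object {
    $_.conditions.clientAppTypes -contains 'exchangeActiveSync' -and
    $_.conditions.clientAppTypes -contains 'other' -and
    $_.grantControls.builtInControls -contains 'block'
})
Write-Host ("  MFA required for all users : {0}" -f ($mfaAllUsers.Count -gt 0))
Write-Host ("  Legacy authentication block: {0}" -f ($blockLegacy.Count -gt 0))

# The state the hosts warn about: defaults turned off with nothing replacing them.
if (-not $sd.isEnabled -and ($mfaAllUsers.Count -eq 0 -or $blockLegacy.Count -eq 0)) {
    Write-Warning 'Security defaults are off and no enabled Conditional Access policy replaces the basics.'
}

# 3. Secure Score: newest snapshot as a percentage, plus controls scoring zero.
$score = (Invoke-MgGraphRequest -Method GET -Uri "$graph/security/secureScores?`$top=1").value |
    Select-Object -First 1
$pct = [math]::Round(100 * $score.currentScore / $score.maxScore, 2)
Write-Host ("Secure Score as of {0}: {1} of {2} points ({3}%)" -f `
    $score.createdDateTime, $score.currentScore, $score.maxScore, $pct)
# controlScores is the per-recommendation breakdown; zero-point controls are the
# "recommended actions" list, to triage rather than blindly fix.
$score.controlScores |
    Where-Object { $_.score -eq 0 } |
    Sort-Object controlCategory, controlName |
    Select-Object controlCategory, controlName |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it in a tenant where you hold at least Security Reader plus the Graph consent above. The percentage it prints is the same number the portal shows, and, as the hosts say, it is a trend to watch rather than a target; the zero-score list is where to go looking for controls you have already handled with a third-party tool and can mark as addressed in the portal.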
