Episode 105: Azure and Entra ID Security Tools

Nov 22, 2024, 37 min, Season 1, Ep. 105

Episode description

In this episode, Michael, Sarah, and Mark talk to Merill Fernando about a set of open source tools he and his team have developed to help people understand their Azure and Entra ID security postures.

We also cover news about Fabric, TLS 1.0 and 1.1 retirement, Microsoft Ignite, FIDO2, Confidential Containers and Red Hat OpenShift, and various Zero Trust news.

https://aka.ms/azsecpod

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey, everybody. Welcome to episode 105. This week is myself, Michael, with Mark and Sarah. And our guest this week is Merill Fernando. He's here to talk to us about that kind of Entra ID and some of the tooling that he's worked on over the years. But before we get to our guest, let's take a little lap around the news.

Sarah, why don't you kick things off? Well, it'll depend when you edit this. But at the time we're recording this, it is next week, it is Microsoft Ignite. So depending on when you listen to this, that might have already happened. If it has already happened, then we will upload lots of sessions on YouTube so you can watch them later. If it hasn't happened, then of course, remember that the in-person tickets are sold out, but you can still watch the live stream for free.

For better or worse, you'll get to watch me doing some of the interstitial programming. That's what it's called, the bits in between the exciting bits. But I get to interview some cool people. So of course, go check out Ignite. And if this is post-Ignite, which is the 18th to 22nd of November 2024, you can go and catch up on sessions online. And of course, there's lots of announcements about things. That's all I can say. So go and check that out. So that's my first one.

That's taking up a lot of my time at the moment, pretty much every waking hour, actually. Then next up, we have support for FIDO2 authentication. In fact, our guest probably knows more about that than I do. But we're of course supporting passkeys for passwordless authentication. We're all trying to move there and non-phishable creds. So of course, the more you can use that, the better.

And then finally, last but not least for me, confidential containers are now in public preview on Azure Red Hat OpenShift. So we love a confidential container because it means that it's cloud-native confidential computing and there's a trusted execution environment. So you can have everything nice and secure and it runs in its own little enclave, I believe is the correct word. So go check that out. If that's something you're interested in using. And that's me done for the news. All right.

I have a few items. The first one is there's now REST endpoints, REST APIs for managing private endpoints in Fabric. This allows you ultimately to help sort of automate and streamline workflows because now you have access to these APIs, which historically you didn't have. Next one is Application Insights, Availability Tests. TLS 1.0 and 1.1 is being retired. This will take effect, I believe, March the 1st, 2025. So you do have plenty of time.

But at the end of the day, that day is going to creep up on you. And if you're not ready for it, then any client code that you have that's not using TLS 1.2 or 1.3 is going to break. There's no fallback at that point. And in fact, there's going to be a note as well because there's another item, which is just an overarching update on the retirement of TLS 1.0 and 1.1 across various Azure services. Again, this is something that you're going to see across every single Azure service.

So you really need to start working on all your clients, verify that your client code is using TLS 1.2 and above. What that really means from a programmatic perspective is make sure you're not hard coding things like TLS 1.0 and 1.1, or you're using, for example, really, really old runtimes or really old versions of browsers or operating systems or mobile operating systems that don't support TLS 1.2 and 1.3.

The original announcement for this was actually made in November the 10th, 2023, so a year ago. So I'll give you a list or a link to a page that just has some updated information about how you can make sure that you're ready for this transition. I think the overarching transition is going to be end of August 2025. But again, things in the rear vision mirror are closer than they seem. So yeah, don't do nothing about this. When the time comes, stuff's just not going to work.

Okay, that's all I have in the area of news. So in my world, kind of piggybacking off of what Sarah was talking about, I will be at Ignite as well. So I'm going to be speaking on the Friday there. I'm going to be talking about the top 10 Zero Trust controls that you can implement today. So I'm very much focused on actionable guidance for Zero Trust there.

And I'm going to be sharing the stage actually with someone from NIST, Maruja Supaya, as well as from one of our customers in a large Swedish bank. So really excited to be presenting with Maruja and Ulf and talking through what they've learned on their Zero Trust journey and their actionable tips as well. The other thing that happened recently was I spoke at the Open Group Conference in Houston, Texas.

And we kind of unveiled our vision for what we're setting out to solve with those security standards. For those that aren't aware, I'm the security forum chair for the Open Group. So help guide and steward those standards and figure out what we need to be doing there and all that kind of stuff. And very interesting kind of a different role for me to be working through that. And I figured, hey, if I'm in the role, I might as well do something good with it.

And so we're working on filling the gaps, building on existing standards, kind of connecting the dots and addressing some of the things that just aren't addressed or aren't addressed well in industry. So things like mapping it to the defenders to the attackers activity, defining the security roles in sort of a relatable kind of normal way, just connecting the dots between a whole lot of things. So got some exciting stuff.

We'll have some webinars that we'll be doing here in the next couple of months probably to kind of reprise that on a live broadcast medium. So that's the main stuff. And I'll throw in a few links to some of the existing Open Group standards for folks to check out. But that's all I've got. So now we're going to move on to our guest, Merill Fernando, who is a principal product manager in Entra. He also lives in the same town as me, but ironically, when we're recording this, he's actually in Sydney.

So Merill, welcome. Do you want to tell us, well, quickly introduce yourself to our listeners and tell us a bit about yourself. Thanks a lot, Sarah. So I'm super excited to be here as a guest. My name is Merill Fernando. I'm a CXP, or customer experience, principal product manager in the Microsoft Entra team. And I love building tools and helping the community and connecting folks in the community in cybersecurity.

And I spend way too much time than I should on LinkedIn and Twitter and Bluesky and all the social media accounts. That's me. So while we're talking about what we're going to talk about on this episode, one thing that became abundantly obvious is that you've worked on a lot of tools over the years. So we're going to talk about some of those tools. So let's just get started with the first of those tools, which is Maester. So my first question is, what on earth is Maester and what does it do?

Thanks. Yes. So I'll tell you a story because that's how I like to introduce all these different tools. They always start with some story. So with Maester, I was helping a customer. They were going through troubleshooting some conditional access policy, and we were trying to work through that. And while we were looking at that, we just realized that they had a CA policy. They had targeted for a group, like all the guests in their tenant.

And that group, they had a policy which said guests need to sign in every day because they could be coming in from unmanaged devices and their tokens could be stolen and they needed to secure it. So they had created this policy and they thought it was all good and their tenant was secured. But about 10 months ago, someone had gone in and either they deleted the group or they just cleared out all the users in that group. So this policy was sitting there.

They thought the policy was working, but there was no protection for them. The guests were happily signing in and staying on with long-lived tokens, which could be stolen as we know, and people could be replaying them and their tenant was not secure. So this got me thinking about how I can bring some of my DevOps, SecDevOps practices to identity and move the industry forward in applying SecDevOps practices to identity and things like the control plane and conditional access.

So I got together with a few MVPs, Fabian, who had created something for Sentinel based on PowerShell Pester testing framework. And Thomas, his name is another MVP in Germany who did a lot of Entra config settings, like how to harden your environment. So we got together and we built out Maester, which is like a PowerShell based test automation framework. We started with Entra, but it's like we launched in March last year. It's grown so much that we have people contributing.

We have like 50, 60 plus contributors, about 200 plus checks. People have written ready-made checks. I built it for writing tests for your own config, but people have started plugging in like the CISA tests for Exchange, for Azure, for Intune. And so it's become this huge open source framework and folks are starting to use it in really new and innovative ways to make sure their cloud config is what they think it is.

But not hoping that no one went in and made a change that they don't know about. So that's Maester. So, Merill, I do have to ask, where does the word Maester even come from? Cool. Yes. So Maester comes from the Game of Thrones. And for those who watched the show or read the books know that Maesters in the Game of Thrones world, they were the learned people, the wisest folks. That's who people went to to get advice.

And they lived in this tower with a light, with a fire that always kept burning and they held all the knowledge. So I needed something that I could get the domain on and something that people could easily remember. So yeah, all of that combination came together. I didn't want to name it Microsoft Cloud Security Test Automation Framework, which would have been the typical name. So we just came up with Maester for that.

I may actually be the only person in the world who has not seen Game of Thrones or read the books, but it is what it is, I guess. So Michael, you're not alone in not having seen or read Game of Thrones. So you have company, so at least two of us on this podcast share that. So something that's near and dear to my heart is I really love the work that your team has done on the Zero Trust workshop that recently was announced and released publicly. So can you tell our folks about that?

Yes, absolutely. So the team that I'm in, I'm part of the Entra product group and we focus on Entra and we help customers deploy Entra, secure Entra, harden it, you know, what are the right conditional access policies, what they need to do and how they can plan out. Because a lot of our customers don't know how like they've got Entra when they got M365.

They don't really, they haven't really done the work to go through and look at how they've deployed, whether they've deployed all of the features that are there. Like my day job is literally getting folks to deploy and use the features they've already paid for and secure their tenant. So I'm from the Entra team and we have counterparts in the Intune team, in Defender, in Purview, like the whole of the security org. Our day job is helping a lot of our customers deploy things.

And what we found out over time is we had a lot of knowledge in what someone needs to do. Like we could go through and ask questions and then come up and say, okay, you need to do this first before you can do this. For example, if you want to do like device compliance checks in conditional access, then you first need to do hybrid join or Entra join. And then, you know, you might not have configured the Connect Sync properly. So you need to do that first if the devices are not being synced.

So there's a sequence to do things. And we knew it. We could just explain it to people. But most folks didn't know where they should start. And Zero Trust has always been people sell it as, you know, just deploy this one product and you have Zero Trust. But it's like a more holistic thing that you would need to do, especially the Microsoft Security Suite. We have so much. And folks don't know where they should begin.

So that's how we came up with this idea of let's help people and make it really short and succinct and give them a blueprint. Let's help them assess and give them a roadmap for the next like two to three years on how they can be well deployed with a proper Zero Trust framework across all of the products. And so that's how we got together and started brainstorming ways how we can do this.

And we really wanted to scale it like it was not scalable with me doing like two or three customers at a time. We wanted it to help our whole industry move forward in adopting these practices. So the Zero Trust workshop, we just launched it last week. And there are lots of options people can self-serve and go through the workshops. We do like one to two hour workshops with each pillar in Zero Trust. Right now it's launched with identity devices and data. And we plan to add the others in.

So it could be a self-service thing. It could be you could bring in a Microsoft partner who we trained on and they can help guide you through. It can be through our teams like Microsoft Fast Track, etc. You can reach out to Microsoft account team and they can help you with that. And for our own customers who we manage, we run these as well with them. So at the end of these workshops, they get like a ready-made customized map of what they should do.

It's broken down into first, then next and sort of guides them. So they have it's really useful. Some of my customers got like funding from their stakeholders by showing this. And they were able to then actually go ahead and implement it over the next two years. So we've been running this in private preview for about two years and refining it with like 70 plus large customers who gave us a lot of feedback. And it's a continuous like it's a living thing that we're building.

And we're going to keep on evolving this as new threats come on board and we have new features and so on. So that's aka.ms/ztworkshop. If I can add on there, one of the things that just always fascinates me about security, because we also have a set of workshops that we deliver through our unified around the security adoption framework or SAF.

And those generally hang out at the architecture level and at the program and metrics and success and architecture and how it all fits together kind of thing. But then there was this entire layer that we missed that your team did a great job on sort of, okay, what are the technical features and capabilities that need to be turned on? And then of course there's the how to actually turn them on.

And it's just one of the things that I'm always amazed at is just how complex security is because there's so many different people that need to be doing those jobs. And that doesn't even get into all the business teams and all the other things that need to happen as well. So it's just it's always amazing to me how much needs to get done and how important it is to have those prescriptive first, next, later kind of checklists for those different abstraction levels and roles.

Yeah, one of the key things we do in the workshop, we ask that they bring all the stakeholders. Like when you're doing zero trust, it can't be just identity. So even though we might be doing an identity workshop, it can't be just the identity folks. You need the devices, folks, because you need to protect the device they're coming in from. You need the SIEM and the SOC team. You need the architects in there.

And a lot of the times we notice that this was the first time that all of them sat in one room. Because you end up with a lot of folks working in silos, especially in large enterprises. And half of the time it's mostly folks talking to each other for the very first time and collaborating and thinking about what their overall security posture should be and what's the best way to do that. So it's a very complex process.

It's all if you're in mining versus education or in fintech, you have different challenges and the priorities and what you consider as your zero trust baseline differs. But yeah, this bringing of all of the folks together is a thing that I learned has not been happening quite a lot.

And the workshops are really powerful when you can bring all of those key stakeholders and those different teams together to go through what zero trust means for them and then help them look at what their gaps are in where they stand today. Yeah, we see the same thing. It's so important to break the silos apart. There's almost like a joke in there around the one thing that we all have in common is that we don't talk to each other.

But yeah, we see that dynamic a lot and it's just amazing how much magic happens when people start talking to each other about, hey, how do we drive this outcome that requires your expertise, my expertise, and each of the tools that we manage and technology and whatnot. All right, so a couple of other tools that you have, Merill. The first one is, I don't know if these two are related or if they're sort of back to back or whatever, but Graph X-Ray and Graph Permissions Explorer.

What problem are you trying to solve with those and how you go about it? Yes, Graph X-Ray is a tool. It's a Chrome extension. You can think of it like Fiddler for Microsoft Graph. You can run Fiddler to see what's happening behind the scenes. So when you go to the portal and when you click on different things, you can, you know, you do something, right?

So my struggle I had was I was writing PowerShell scripts and I would go and create a group, like a dynamic group, or I would go and create a conditional access policy or going to Intune and configure whole compliance policy and so on. And then I knew how to do it in the UI, but then to write the script took me a while. And we didn't have ChatGPT like a few years back, but even that I had to tell it, you know, describe all of what I wanted to do even today.

So I knew how to do things in the UI and I wanted to get to the code as soon as possible from that point. And it took a while to go search the docs and find out the API and find out the parameters I needed to pass and would take me like half an hour to an hour to figure out like how to do something. So with Graph X-Ray, it's an extension you install and you just do the action in the portal.

And if the portal is, you know, using Graph X-Ray, it'll give you the PowerShell command for the action that you just did. So if I created a dynamic group, it'll give you the exact command for doing that. It also supports multiple languages, C Sharp, JavaScript, Go. So you can just flick through and get to the code just from the portal itself. So it helps quite a lot when it comes to DevOps and automation

and you need to create like a hundred access packages. You can do one and use Graph X-Ray to see what's happening behind the scenes. So it's more like a DevOps tooling that I built to help in that. It came out as part of like a hackathon we did about three, three, four years ago. Graph Permissions is a website that I built. The problem I was trying to solve there is the docs in the Microsoft docs for the Graph APIs

are all focused for developers. So you can go find out an API like create a conditional access policy or some other config in Graph, maybe create a Microsoft Teams site. But you couldn't find out, like if I give something permission like sites.read.all, what is it that a developer can do? Like what are all the APIs they have access to? So I had a security architect come and ask me, hey, someone's asking me for this permission, which is files.read.write.all

or directory.read.all. What I'm actually giving them when I give them this access? And the answer that I had to give him was you need to go through search for this and look at all the APIs and any of those APIs, what they can call. So this got me thinking and then I sort of wrote a script that parsed all the markdown files in GitHub for Microsoft Graph. And then I created a page which says, okay, if it's sites.read.all, these are all

the APIs that someone can call. So it's sort of like a different view into the Graph permission. So it's been really useful for a lot of the cybersecurity teams and the architects to really know what permission, what the permission does and what it is that they're doing when they're consenting to an access permission in the tenant. You know, what are the things that developer can do? Are they the least privileged

permissions that they can have if they need to? So this was just a stopgap that the product team is looking into having this built into our tools itself so it will make it easier. So for now, the site lets you find out whether you're giving a big scary permission or is it the right fit for what the app is trying to do?

I'm really glad that you brought that up about least privilege. So you do actually find things that could be violations of least privilege because right now, this is something that we're heavily focused on in Azure in general, especially under the if you look at the Zero Trust, sort of the three pillars of Zero Trust at Microsoft, one of them is least privilege. And we're certainly spending a lot of time looking at applications and looking at

privileges that they've been assigned. So this could be used as a tool, as a general tool, to start saying, okay, you know, what does our set of permissions look like across the whole of our Azure environment? I mean, could you use the tool for that? I mean, is it designed for that? Or is it really something that requires a little bit of interpretation?

This is a little bit of interpretation and this one is only focused on graph permissions, so not really the Azure graph, which is a slightly different API endpoint to the next one. Okay, okay. All right. Yeah, that makes sense. Yeah, we're still reviewing graph permissions as well. So, okay, that's cool. So the next tool is ID Power Toys. What on earth is that? The key part of this tool is something I call the conditional access visualizer.

So we have a really good blade UI to create conditional access policies and it's really easy to create them. But when you want to understand what your security config is in your conditional access settings, you know, it's the gateway to all of your Microsoft environment,

right? Like whether you're going into Azure or into Graph or into any of the apps that you have set up, the conditional access policies are the gateway and they define whether you do MFA or not, who is excluded and what's happening. I was helping a customer troubleshoot a conditional access another time and it was really hard to figure out what the policies were doing because you have to click about six times or seven times to get an idea of what one policy is doing.

And conditional access is a combination of all of the policies put together. So it is really hard to figure out what exactly is happening in this customer's config when it came to conditional access. So that got me thinking about like how can I visualize it? Like people might know me from my posts on LinkedIn and so on. I try to always make it simple and easier

to understand with sort of a very visual way. And that got me thinking and I came up with this whole way to export it into PowerPoint where you get a visual view of the whole CA policy in one deck, in one slide, and then all of the CA policies put together so you can quickly scroll through and see, okay, I like print them up, put them up on a wall, and you can see what is happening in your tenant, what's configured, who is excluded from

policies, what's included. And it's been quite popular with a lot of folks to help as they have 50, 100 policies to know what's really happening in their security landscape. It's with identity, we see identity as a new control plane, conditional access policies are the way to get there, and this was just my contribution to make it a lot easier to visualize what's happening in your settings.

So, Merill, I know because I have seen you post about it on socials and you have tagged me many times, thank you, that you also have a newsletter that you like to, that you send out pretty regularly. Do you want to tell the folks who are listening about that? Yes, yeah, absolutely. So, like I'm working at Microsoft and I read all of the internal things and I'm across what Entra does, but even I struggle with all of the different, just in my product, in Entra, all of the different features and new

things that come out. And I read a lot of what MVPs and the folks who write about Entra and the different features. I love reading that because these folks are in the forefront and they're deploying things, they come across issues and they are thankfully sharing their knowledge of, I came across this, this is how I fixed it, or this is a better way to do it, and so on.

And this, like that knowledge and experience is not something that I as one person can gain from what I do in my day job with the few customers I help. So, it helps really to scale your knowledge and I spend a lot of time reading and staying up to date and all of that. And I was collecting all these links and then I thought, I'm sure others would find this useful as well. And I'm a huge

fan of Hacker News. There's this Hacker News newsletter which just sends you a weekly list of links of interesting things and every week I'll just scan it in five, ten minutes and click on things that interest me. So, I was like, let me do this because the community, we need one place to go in and read about what happened this week in Entra. So, that's how it started. I started putting it together and sending it out, like I started last year. We have like

70 plus issues out right now. So, every week I send out on Sunday for me in Australia, a newsletter that lists, like these are the new features that Microsoft officially announced. These are all the things that the community created and shared about Entra and then I summarize some of my LinkedIn posts and things that I've shared as well. So, just a way to share like, hey, this new podcast came in about Entra, this new toolkit, someone released a new tool or a red team tool or a blue team tool

and I just sort of summarize that and send through. And yeah, it's become quite popular there. We have like more than 11,000 plus subscribers and I get my son to help me out with it. So, I get to spend some time with him as well. So, it's been a really fun experiment. I didn't think I could keep it up, but yeah, we've been doing it for about a year plus now and one of my highlights for the week is creating that and sending it out.

Yeah, and we'll pop in the show notes how you can go and subscribe to Merill's there if you want to. Yeah, we'll add links to all the tools that we've spoken about so far as well. And there's other tools as well, so you'll see other tools that are up there. On the newsletter thing,

you've made a phrase that I use a lot, which I'm a big fan of. But back in the day when I first started at Microsoft, I worked on the C++ compiler for Windows developers basically, back when everyone knew what a message pump was in Windows. Because I had access to a lot of latest updates to the compiler, latest updates to Windows, tips and tricks from the SDK, all that sort of good stuff. It was really appreciated by the development community.

Never underestimate how something that you think may be simple and quite straightforward to put together. Never underestimate how useful that is to other people. So, yeah, I applaud you a lot for doing the newsletter. I know that a lot of people will find that of use. Thanks. It's a fun part of my weekend. I learn more than, like I learned so much more from all the MVPs and the folks who share content.

They give their time freely to help us as a community, as an industry to be better and help improve our products as well. So I'm super grateful for all of the time and effort folks put into all of this. And even like, you know, talk going out and giving out presentations on all these different various topics. So I just want them to be highlighted. So this is my way of giving back. So, Merill, what does a typical day, this is something we started asking our guests, what does a typical day look

like for Merill when you're at work? What do you get up to? Yes, yeah. So I'm remote. I'm in Australia and I'm like 100% remote. So it starts with we are in different time zones. So I'm in Australia and a lot of my team are in Redmond and actually spread across the globe. So my days usually start really early in the morning and I have lots of meetings with teams learning about what are the new features that we are building, talking with different feature PMs and so on.

So most of that happens during the day, during my early morning. And then I get to, luckily for me, I work on the Zero Trust workshop these days. We are building some cool assessments. So I get to write a lot of PowerShell and a lot of scripts and go through, look at different settings and try and I sort of get to hack things and build out all these things. So I do that for much of the day.

We might be working on some new feature that I might be involved in. The last one I was involved in was this Entra external auth method, which was really fun. We brought in this integration from other vendors like RSA and Ping Identity and integrating those with Entra in a plugin model. So I would sometimes work on features. So we would work on reviewing specs. And I bring the customer lens. I'm sort of the voice of the customer inside

Microsoft. And I call out saying, hey, this won't work with customers. We should be doing this. And I look at ways on how we can improve those. I do spend a lot of time on different forums helping, you know, just replying to the comments people post and ask advice on. Then I do have in Kenya, some of our team are based in Kenya where they do a lot of the graph and the PowerShell work. So evening my time, I do get to sync up with them a few times.

And I love working at Microsoft because I get to do all this while I'm at home. So I can go drop by four kids, drop them in school in the morning. Then I go out for like long walks in the middle of the day with my wife. And it's an amazing life and culture at Microsoft. And I really love this lifestyle. For me, it's like I'm in retirement. It's like doing the thing I enjoy the most and I get paid for it as well. You can't ask for anything better than that.

That's fantastic. What would you like to leave our listeners with as sort of a final thought? Yeah. So something we've been telling folks quite a lot is, you know, do MFA. It's amazing the number of people who we still have tried to convince to do MFA and do MFA everywhere. And now you would have noticed that Azure has started enforcing MFA for any access into Azure. I would say for everyone listening in, don't wait till Microsoft starts enforcing for M365, for Entra, for the security portals.

Just do that now for yourself while the Azure MFA enforcement is rolling out. I know a lot of orgs have delayed it. They had the option to push it back by three months. It's going to come for everything. So try to plan and do this as a once effort across your org and focus on getting that messaging out to your stakeholders and then to everyone else to say, let's just roll out MFA for everyone. Don't have exceptions. It's not your trust when you do that.

And yeah, so that's the one message is, get ready for MFA and do it all in one go for all of your users, for all of the apps, so you don't need to do a thousand cuts and just do it one at a time as Microsoft is enforcing it, if you can, if you have that luxury. I think everyone who's been on that even touches Entra ID or touches identity or authentication and authorization, their final thought has always been use MFA.

So there must be some credence to it, right? If everyone's saying it. I agree 100%. I also think it's great that you're taking walks with your wife every day. I do the same, but that's mainly because the doctor told me I had to, but that's a whole another discussion. Anyway, let's bring this episode to an end. Merill, thank you so much for joining us this week. This has actually been a really, for me anyway,

I've learned a lot. I'm certainly going to dig into some of these tools. I'll be frank, my knowledge of Entra ID is not the best. I know the basics of it, but when it comes to anything beyond the veneer of Entra ID, that's when I start to get lost. I'll start to dig around with some of those tools. Alright, so again, thank you for joining us this week and to all our listeners out there, we hope you found this episode of use. Stay safe

and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at Azure Secpod. Background music is from ccmixter.com and licensed under the Creative Commons license.

Transcript source: Provided by creator in RSS feed