Category Archives: SystemPlus

Why I love the Microsoft Authenticator App: because now it sends security notifications!

I cannot hide how much I use and love the Microsoft Authenticator app. If you enable MFA logins for all your cloud services, it’s like magic: even without any internet connection, the app generates a code that you can use as an additional authentication factor.

How do these additional security notifications work? When important events, such as a password change, happen on your personal Microsoft account, Microsoft Authenticator sends you a notification. You can then view your account activity and take action to protect your account if needed. The goal of these notifications is to increase awareness and help you react quickly to unexpected activity, such as a login from a new device or an unusual location, or even a password change. They give you a powerful tool to understand and keep control of your account:

[Screenshot: Auth app 1]

If you receive an unusual notification, you can immediately check and view your account activity and take necessary actions to protect it.

[Screenshot: Auth app 2]


Thanks for your time!

Four major Azure AD Identity Protection enhancements are now in public preview

More and more enhancements related to Identity Protection have been announced today! So let’s see all of them:

  • Improved user interface that now includes security insights and the ability to filter and create reports
  • New APIs that let you feed all this monitored data into your own ticketing systems
  • Improved risk assessment, giving you a better risk analysis
  • Service-wide alignment around risky users and risky sign-ins, because we know that very often it is the user that causes the problem.

All these new features are available to customers with an Azure AD Premium P2 subscription.


New user interface

1. Security Overview

This new view shows user and sign-in risk trends, so you get a better idea of possible attacks. Take a look at the tiles on the right side: they give you valuable information about what to do:

[Screenshot: Four major Azure AD Identity Protection enhancements 1]


Risky User Report

A really great tool, because it immediately gives you all the information you need about your users so you can take corrective action. What I really liked is the Risk events not linked to a sign-in tab: it shows you detections that are not tied to a sign-in. For instance, the user may have reused their credentials at another site that was compromised.

[Screenshot: Four major Azure AD Identity Protection enhancements 2]


[Screenshot: Four major Azure AD Identity Protection enhancements 4]


And let’s see something new: the Risky sign-ins report gives you a single, integrated view of basic sign-in info, risk, device, Multi-Factor Authentication (MFA) and policy information.

[Screenshot: Four major Azure AD Identity Protection enhancements 6]


Smart feedback lets you protect your users by acting on the risk assessment. If you conclude that sign-ins were compromised, you can select those sign-ins and click Confirm compromised. Alternatively, you can click Confirm safe.

[Screenshot: Four major Azure AD Identity Protection enhancements 9]

Powerful APIs

All the data you access through the new UX is also available to you via the Microsoft Graph APIs. You can programmatically route Identity Protection data into your SIEM, storage, ticketing or alerting system through these APIs.
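As an added example of the routing described above (not code from the original post or from Microsoft), the script below walks a paged collection of risk detections, normalises each record into a flat alert and decides which ones open a ticket. The two JSON "pages" are constructed to imitate the shape of a Graph riskDetections response (field names such as riskEventType, riskLevel, riskState and @odata.nextLink); the fetch function and the ticket/log sinks are stand-ins so that it runs offline.

```python
"""Route Azure AD Identity Protection risk detections to a ticketing/SIEM sink.

Constructed example: PAGE_1/PAGE_2 imitate two pages of a Microsoft Graph
riskDetections response; fetch_page() stands in for the authenticated HTTP GET.
"""
import json

# Constructed sample pages; the first points to the second via @odata.nextLink.
PAGE_1 = json.dumps({
    "value": [
        {"id": "det-0001", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
         "riskState": "atRisk", "detectionTimingType": "realtime",
         "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
         "activityDateTime": "2018-10-01T08:12:33Z"},
        {"id": "det-0002", "riskEventType": "leakedCredentials", "riskLevel": "high",
         "riskState": "atRisk", "detectionTimingType": "offline",
         "userPrincipalName": "bob@contoso.example", "ipAddress": None,
         "activityDateTime": "2018-10-01T09:40:10Z"},
    ],
    "@odata.nextLink": "page2",
})
PAGE_2 = json.dumps({
    "value": [
        {"id": "det-0003", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
         "riskState": "remediated", "detectionTimingType": "realtime",
         "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.9",
         "activityDateTime": "2018-10-01T10:02:51Z"},
    ]
})
FAKE_PAGES = {"page1": PAGE_1, "page2": PAGE_2}


def fetch_page(link):
    """Stand-in for GET <link> with a bearer token; returns the parsed JSON page."""
    return json.loads(FAKE_PAGES[link])


def iter_detections(first_link="page1"):
    """Yield every detection, following @odata.nextLink until it is absent."""
    link = first_link
    while link:
        page = fetch_page(link)
        yield from page.get("value", [])
        link = page.get("@odata.nextLink")


SEVERITY = {"low": 1, "medium": 2, "high": 3}


def to_alert(det):
    """Normalise one detection into the flat record a SIEM or ticket system ingests."""
    return {
        "source": "AzureADIdentityProtection",
        "detection_id": det["id"],
        "user": det["userPrincipalName"],
        "event": det["riskEventType"],
        "severity": SEVERITY.get(det.get("riskLevel"), 0),
        "state": det.get("riskState"),
        "timing": det.get("detectionTimingType"),
        "src_ip": det.get("ipAddress") or "n/a",   # offline detections may carry no IP
        "time": det["activityDateTime"],
    }


def route(detections, min_severity=2):
    """Split detections into (tickets, log_only): a ticket is opened only for
    detections that are still active (riskState atRisk) at or above min_severity;
    everything else is forwarded to the log sink for context."""
    tickets, log_only = [], []
    for det in detections:
        alert = to_alert(det)
        if alert["state"] == "atRisk" and alert["severity"] >= min_severity:
            tickets.append(alert)
        else:
            log_only.append(alert)
    return tickets, log_only


if __name__ == "__main__":
    tickets, logs = route(iter_detections())
    for t in tickets:
        print("TICKET", json.dumps(t))
    for entry in logs:
        print("LOG   ", json.dumps(entry))
```

Following @odata.nextLink matters in practice: a tenant with many detections returns them in pages, and a script that reads only the first page silently drops the rest. Remediated or dismissed detections are still kept as log records so that an analyst can see the full history of a user.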

And let’s talk about the improved risk assessment feature, which has two parts. The aggregate sign-in risk, which is new, considers all the malicious activity detected on a sign-in: real-time detections (detections that trigger during the sign-in), non-real-time detections (detections that trigger minutes after the sign-in), detections made by partner security products, and other features of a sign-in.

The other part is the improved user-risk detection, which uses advanced machine-learning technology to automatically deal with risky users.

Risky sign-ins and risky users seem to be the most important part of Identity Protection, so the service has been redesigned around these two entities.

[Table: table1]


Thanks for your time!

#AzureAD new feature in preview: Roles and Administrators

One more cool feature in Azure Active Directory makes managing and controlling user role assignments easier than ever. It provides you with a complete list and description of the built-in directory roles, in case you need to know all the details of a specific role.

It can also point you to the documentation you need to read in order to better understand and use the roles. For example, you may need to know how many Global Admins you have, or what a specific role does and whether you have assigned that role to users.

So let’s see how it works.

In the Azure AD portal, start by clicking Roles and administrators to display the complete list and a brief description of all the built-in directory roles. You can also see your active Azure AD role assignment (if you have one), and you can click Your role to access the list of your active assigned roles:

[Screenshot 1]

Just click on a role to see the users that have been assigned that role:

[Screenshot 2]

and then click Description to see the details of that specific role:

[Screenshot 3]

You can also open the details of an Azure AD user to check the roles assigned to them, and also assign additional roles to this user:

[Screenshot 4]

Support for Azure AD PIM

If you use Azure AD Privileged Identity Management (PIM) to limit standing admin access, there is a dedicated link to a brand-new experience in those blades as well.

If your organization hasn’t enabled PIM, click the Manage in PIM button for information on what PIM can do to protect your administrators, and to sign up for a trial.


And remember, we offer a list of Azure online courses, so you can get the proper training and get certified on Microsoft Azure. You can see the courses offered here.


Thanks for your time!

CAUTION! New scam e-mail pretending to originate from your e-mail server

Do not click anywhere, just delete it (you can click on the following picture to zoom):

[Screenshot of the scam e-mail]

#AzureAD Baseline Protection and Policy in Public Preview

It is crucial to protect your admin accounts, especially when we talk about Azure services. A new feature in Public Preview lets you implement this today and effectively protects your Azure AD privileged accounts. During the last year, identity attacks have increased by 300%. To protect your environment from these ever-increasing attacks, Azure Active Directory (Azure AD) introduces a new feature called baseline protection: a set of predefined conditional access policies that can be found in the Azure AD portal.

Navigate to the Azure portal, then go to Azure AD and then to Conditional Access. You will see a new policy called “Baseline Policy”:

[Screenshot: Baseline Policy in Conditional Access]

The default setting is to enable the policy in the future, enforcing MFA for the critical admin groups in Azure AD; you can change the default setting and enable it immediately instead. You also have the option to exclude some groups or users, although this is not recommended.

While managing custom conditional access policies requires an Azure AD Premium license, baseline policies are available in all editions of Azure AD.

The directory roles that are included in the baseline policy are the most privileged Azure AD roles.

If you have privileged accounts that are used in your scripts, you should replace them with Managed Service Identity (MSI) or service principals with certificates. As a temporary workaround, you can exclude specific user accounts from the baseline policy.

Recommendation: Exclude one “emergency-access administrative account” to ensure you are not locked out of the tenant.

And remember, we offer a list of Azure online courses, so you can get the proper training and get certified on Microsoft Azure. You can see the courses offered here.

Thanks for your time!

#AzureAD Password Protection and Smart Lockout are now in Public Preview

One more cool feature related to Azure Active Directory, especially for those of you who care about security. Remember that the GDPR mandates a strict security baseline in order to protect personal data.

This new feature, announced in Public Preview, enforces or audits the passwords that Azure AD users choose: if a user tries to use an easy password, the admin has the option to just audit this attempt or to block it completely. We also have the option to specify a blacklist of banned passwords.

In order to configure it, log on to the Azure AD portal and navigate to Security –> Authentication Methods:

[Screenshot: Azure AD Authentication Methods blade]

Let’s talk a bit about the different options that we see here.

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)

  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list

  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state in your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing any weak passwords being used.

How does the banned password list work?
The banned password list matches passwords by converting the string to lowercase and comparing it to the known banned passwords within an edit distance of 1, with fuzzy matching.

Example: the word password is blocked for an organization

  • A user tries to set their password to «P@ssword», which is converted to «password» and, because it is a variant of password, is blocked.

  • An administrator attempts to set a user’s password to «Password123!», which is converted to «password123!» and, because it is a variant of password, is blocked.

Each time a user resets or changes their Azure AD password it flows through this process to confirm that it is not on the banned password list. This check is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication.
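To make the matching rule and the audit/enforce choice above concrete, here is an added example (my own illustration, not Microsoft's implementation): it lowercases the candidate password, then flags it if any substring is within an edit distance of 1 of a banned word, so that both «P@ssword» (one substitution) and «Password123!» (banned word embedded) are caught. The banned list, the mode names "audit" and "enforce" and the function names are assumptions for the example.

```python
"""Banned-password check modelled on the behaviour described in the post:
lowercase, then fuzzy substring match within edit distance 1.
Constructed example; the banned list and the audit/enforce modes are assumptions."""

# Message the post says users see when a password is rejected.
USER_MESSAGE = ("Unfortunately, your password contains a word, phrase, or pattern that "
                "makes your password easily guessable. Please try again with a different password.")


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def matches_banned_word(candidate, banned_word, max_distance=1):
    """True if some substring of candidate is within max_distance edits of banned_word.
    Windows of length n-1, n and n+1 cover one deletion, substitution or insertion."""
    candidate = candidate.lower()
    banned_word = banned_word.lower()
    n = len(banned_word)
    for width in (n - 1, n, n + 1):
        if width <= 0 or width > len(candidate):
            continue
        for start in range(len(candidate) - width + 1):
            if edit_distance(candidate[start:start + width], banned_word) <= max_distance:
                return True
    return False


def find_banned_word(candidate, banned_list):
    """Return the first banned word the candidate is a variant of, or None."""
    for word in banned_list:
        if matches_banned_word(candidate, word):
            return word
    return None


def check_password(candidate, banned_list, mode="enforce"):
    """Return (accepted, message). In audit mode a hit is recorded but the password is
    accepted; in enforce mode it is rejected with the message users see."""
    hit = find_banned_word(candidate, banned_list)
    if hit is None:
        return True, "ok"
    if mode == "audit":
        return True, f"AUDIT: would be blocked, variant of banned word '{hit}'"
    return False, USER_MESSAGE


if __name__ == "__main__":
    # Constructed custom list for a fictional organisation.
    banned = ["password", "contoso"]
    for pw in ["P@ssword", "Password123!", "Passwrd!", "Summer2018"]:
        print(pw, "->", check_password(pw, banned))
```

Running the audit mode first over real password-change attempts, as the post recommends, tells you how many users would be affected before you flip to enforce; note that the windowed distance check is deliberately generous (a single typo away from a banned word still counts), which is the behaviour you want for a deny list.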

What do users see?
When a user attempts to reset a password to something that would be banned, they see the following error message:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”

It’s not only for the cloud
That’s nice, because you can even use it to prevent weak passwords from being used in your organization’s Windows Server Active Directory. And yes, we are talking about your on-premises environment!

In a single forest deployment, the preview of Azure AD password protection is deployed with the proxy service on up to two servers, and the DC agent service can be incrementally deployed to all domain controllers in the Active Directory forest.

[Diagram: Azure AD password protection for Windows Server Active Directory]

Before doing anything, I strongly suggest that you take a look at the official documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

What kind of Azure AD licenses do you need for this?
The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD). The custom banned password list requires Azure AD Basic licenses.
Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.

GDPR: I was there too!

We have all understood that the new EU regulation on the protection of our personal data was created to curb the uncontrolled spread of personal information without our consent.

At the same time, however, it also creates multiple issues that we are now called upon to deal with. For example, what about the footage shown by TV stations, in which all of us appear and nobody has asked for our consent? Could I consider myself harmed when I appear in a news report about the crowds in the shops of the city centre?

So see at the link below how easily someone can identify you from a seemingly ordinary photograph. These are photographs with a resolution of at least 2110 megapixels. Pick one of the photographs, let it load and then try zooming in as close as you can. Were you there too?

See the photographs here.

Thank you for your time.