Tag Archives: spanougakis

CAUTION! New scam e-mail pretending to originate from your e-mail server

Do not click anywhere in the message, just delete it.


#AzureAD Baseline Protection and Policy in Public Preview

It is crucial to protect your admin accounts, especially when we talk about Azure services. A new feature, now in Public Preview, lets you do this today and effectively protects your Azure AD privileged accounts. During the last year, identity attacks have increased by 300%. To protect your environment from these ever-increasing attacks, Azure Active Directory (Azure AD) introduces a new feature called baseline protection. Baseline protection is a set of predefined conditional access policies that can be found in the Azure AD portal.

You can navigate to the Azure Portal, then go to Azure AD and then to Conditional Access. You can now see that there is a new policy called “Baseline Policy”:


By default, the policy is scheduled to be enabled in the future, at which point it will require MFA for the critical admin roles in Azure AD; you can change the default setting and enable it immediately instead. You also have the option to exclude some groups or users, although this is not recommended.

While managing custom conditional access policies requires an Azure AD Premium license, baseline policies are available in all editions of Azure AD.

The directory roles that are included in the baseline policy are the most privileged Azure AD roles.

If you have privileged accounts that are used in your scripts, you should replace them with Managed Service Identity (MSI) or service principals with certificates. As a temporary workaround, you can exclude specific user accounts from the baseline policy.

Recommendation: Exclude one “emergency-access administrative account” to ensure you are not locked out of the tenant.

And remember, we offer a list of Azure online courses, so you can get the proper training and get certified on Microsoft Azure. You can see the courses offered here.

Thanks for your time!

#AzureAD Password Protection and Smart Lockout are now in Public Preview

One more cool feature related to Azure Active Directory, especially for those of you who care about security. Remember that the GDPR mandates a strict security baseline in order to protect personal data.

So this new feature, announced in Public Preview, enforces or audits the passwords that Azure AD users choose: if a user tries to set a weak password, the admin has the option to just audit the attempt or to block it completely. We also have the option to specify a custom blacklist of banned passwords.

In order to configure it, you need to log on to your Azure AD Portal and then navigate to Security –> Authentication Methods:


Let’s talk a bit about the different options that we see here.

  1. Set your custom smart lockout threshold (number of failures until the first lockout) and duration (how long the lockout period lasts)

  2. Enter the banned password strings for your organization in the textbox provided (one string per line) and turn on enforcement of your custom list

  3. Extend banned password protection to Windows Server Active Directory by enabling password protection in Active Directory. Start with the audit mode, which gives you the opportunity to evaluate the current state in your organization. Once an action plan is finalized, flip the mode to Enforced to start protecting users by preventing any weak passwords being used.
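To make the meaning of the two smart lockout settings from step 1 concrete (threshold = failures until the first lockout, duration = how long it lasts), here is a small added example, written for this post and not Microsoft's code. It is a simplified model: it assumes the counter is reset when the lockout expires and ignores the extra signals the real service uses (familiar locations, escalating lockouts); the sign-in log and the default values are constructed.

```python
"""Simplified model of the smart-lockout threshold and duration.

Assumptions (this example's own, not Azure AD's implementation):
  * `threshold` consecutive failures lock the account for `duration`;
  * attempts made during the lockout are rejected without being counted,
    even when the password is correct;
  * once the lockout expires the failure counter restarts from zero.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 10                           # failures until the first lockout (assumed default)
    duration: timedelta = timedelta(seconds=60)   # how long the lockout lasts (assumed default)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None


def record_attempt(state: AccountState, policy: LockoutPolicy,
                   at: datetime, password_correct: bool) -> str:
    """Apply one sign-in attempt to the account state and return the decision."""
    if state.locked_until is not None:
        if at < state.locked_until:
            return "locked"               # rejected outright, counter untouched
        state.locked_until = None         # lockout has expired
        state.consecutive_failures = 0
    if password_correct:
        state.consecutive_failures = 0
        return "allowed"
    state.consecutive_failures += 1
    if state.consecutive_failures >= policy.threshold:
        state.locked_until = at + policy.duration
        return "locked_out"               # this failure started the lockout
    return "failed"


def replay(attempts: List[Tuple[datetime, bool]], policy: LockoutPolicy) -> List[str]:
    """Replay a (timestamp, password_correct) log and return one decision per attempt."""
    state = AccountState()
    return [record_attempt(state, policy, at, ok) for at, ok in attempts]


# Constructed sign-in log for one account: (timestamp, password_correct)
T0 = datetime(2018, 6, 1, 9, 0, 0)
SAMPLE_ATTEMPTS = [
    (T0 + timedelta(seconds=0), False),
    (T0 + timedelta(seconds=5), False),
    (T0 + timedelta(seconds=10), False),   # third failure: lockout begins
    (T0 + timedelta(seconds=20), True),    # right password, but still inside the lockout
    (T0 + timedelta(seconds=75), True),    # lockout over, sign-in allowed
]
SAMPLE_POLICY = LockoutPolicy(threshold=3, duration=timedelta(seconds=60))

if __name__ == "__main__":
    for (at, ok), decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS, SAMPLE_POLICY)):
        print(at.time(), "correct" if ok else "wrong", "->", decision)
```

The fourth line of the sample log is the point worth noticing: a lockout rejects even the correct password until the duration has elapsed, which is what stops a guessing campaign but also why the threshold should not be set so low that ordinary typos lock people out.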

How does the banned password list work?
The banned password list matches a candidate password by converting it to lowercase and comparing it against the known banned passwords with fuzzy matching, allowing an edit distance of 1.

Example: The word password is blocked for an organization

  • A user tries to set their password to «P@ssword»; it is converted to «password» and, because it is a variant of password, it is blocked.

  • An administrator attempts to set a user's password to «Password123!»; it is converted to «password123!» and, because it is a variant of password, it is blocked.

Each time a user resets or changes their Azure AD password it flows through this process to confirm that it is not on the banned password list. This check is included in hybrid scenarios using self-service password reset, password hash sync, and pass-through authentication.
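The matching rule above (lowercase, fuzzy match within edit distance 1) is easy to get wrong, so here is an added worked example, written for this post rather than taken from Microsoft. It reproduces both examples from the text. The substitution table, the substring rule (which is what makes «password123!» a variant of «password»), the stand-in global list and the audit/enforce handling are this example's own assumptions; only the '@' to 'a' substitution and the error message come from the post.

```python
"""Simplified model of the banned-password check described above.

Assumptions (this example's own, not Microsoft's implementation):
  * normalisation = lowercase plus a small character-substitution table;
  * a password is banned when ANY substring of the normalised password is
    within Levenshtein distance 1 of a banned word;
  * the global Microsoft list is stood in for by a short constructed list.
"""
from typing import Iterable, Optional

# Constructed stand-in for the global banned list (the real one is far larger).
GLOBAL_BANNED = ["password", "qwerty", "letmein"]

# '@' -> 'a' is implied by the post's example; the other two substitutions are assumed.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o"})

# Error text quoted in the post.
BLOCK_MESSAGE = ("Unfortunately, your password contains a word, phrase, or pattern that "
                 "makes your password easily guessable. Please try again with a different password.")


def normalize(password: str) -> str:
    """Lowercase and undo the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(haystack: str, word: str) -> bool:
    """True if some substring of `haystack` is within edit distance 1 of `word`."""
    n = len(word)
    for length in (n - 1, n, n + 1):          # distance <= 1 bounds the substring length
        if length < 1:
            continue
        for i in range(len(haystack) - length + 1):
            if levenshtein(haystack[i:i + length], word) <= 1:
                return True
    return False


def find_banned_word(password: str, custom_list: Iterable[str] = ()) -> Optional[str]:
    """Return the (normalised) banned word the password is a variant of, or None."""
    normalized = normalize(password)
    for word in list(GLOBAL_BANNED) + [normalize(w) for w in custom_list]:
        if fuzzy_contains(normalized, word):
            return word
    return None


def evaluate_password(password: str, custom_list: Iterable[str] = (),
                      mode: str = "enforce") -> dict:
    """Apply the check in 'enforce' (block) or 'audit' (log only) mode."""
    matched = find_banned_word(password, custom_list)
    if matched is None:
        action = "accepted"
    elif mode == "audit":
        action = "audited"        # recorded for review, the change still goes through
    else:
        action = "blocked"
    return {
        "normalized": normalize(password),
        "matched": matched,
        "action": action,
        "message": BLOCK_MESSAGE if action == "blocked" else "",
    }


if __name__ == "__main__":
    for candidate in ["P@ssword", "Password123!", "pasword2019", "Contoso!2018", "CorrectHorseBatteryStaple"]:
        print(candidate, "->", evaluate_password(candidate, custom_list=["Contoso"]))
```

Note the cost of the substring rule: a very short custom entry (two or three characters) will match a great many legitimate passwords, so custom list entries should be organisation-specific words of a sensible length.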

What do users see?
When a user attempts to reset a password to something that would be banned, they see the following error message:

“Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.”

It’s not only for the cloud
Even better, you can use it to prevent weak passwords from being used in an organization that runs Windows Server Active Directory. And yes, we are talking about your on-premises environment!

In a single forest deployment, the preview of Azure AD password protection is deployed with the proxy service on up to two servers, and the DC agent service can be incrementally deployed to all domain controllers in the Active Directory forest.


Before doing anything, I strongly suggest that you take a look at the official documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises

What kind of Azure AD licenses do you need for this?
The benefits of the global banned password list apply to all users of Azure Active Directory (Azure AD). The custom banned password list requires Azure AD Basic licenses.
Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses.

GDPR: How to request your personal data from 100+ companies

Today I have something else quite interesting about the GDPR for you 🙂
I discovered a site that lets you request information about the processing of your personal data from more than 100 well-known companies, exactly as the regulation provides.

You will be surprised at how easily the request can be made to these companies (and, consequently, in a similar way to your own company).

On the site at https://mydatarequest.com/ you can select the company from which you want to request information about your personal data:

Precisely because every site has its own procedure, the page guides you step by step on how to make the request.

Thank you for your time, and I remind you that you can get properly informed about the GDPR through the online GDPR Foundation seminar, which you can attend even from home, so that you are well prepared and not caught by surprise.

All the best in whatever you do.

GDPR: I was there too!

We have all understood that the new EU regulation on the protection of our personal data was created to limit the uncontrolled spread of personal information without our consent.

At the same time, however, it creates multiple issues that we are called upon to deal with today. For example, what about the footage shown by television stations in which all of us appear and nobody has asked for our consent? Could I consider that I have been harmed when I appear in a news report about the shopping traffic in the city centre?

So look at the link below to see how easily someone can locate you from a seemingly simple photograph. These are photographs with a resolution of at least 2110 megapixels. Choose one of the photographs, let it load, and then try zooming in as close as you can. Were you there too?

See the photos here.

Thank you for your time.

Use Internal URLs to access apps from anywhere with My Apps Sign-in Extension and the #AzureAD Application Proxy

If you regularly follow this blog, you should already know a lot about Azure AD Application Proxy. I also recommend that you take a look at this presentation here: https://systemplus.gr/training/training-videos/azureadproxy/


Now we have the option to access internal resources using internal URLs even when outside our corporate network, by using the My Apps Secure Sign-in Extension for Azure AD. When a user types in a familiar shorthand URL such as https://myinternalwebapp, they can be redirected to the externally resolvable URL, https://www.myinternalwebapp.systemplus.gr. This works with any application that you have published using Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed.


You should get the latest version of the extension (supported on Edge, Chrome, and Firefox). Then, type the internal URL of the published application into the address bar. The extension will recognize that the URL has been published through Application Proxy and will redirect you to the external URL of the application.


Our users can download these extensions themselves, or admins can deploy the extension using the browser’s group policy settings. The URL redirection functionality is automatically enabled once a user logs into the extension.


To learn more about this new feature, you can read the documentation here.


Thanks for your time!

New #AzureAD B2C customization options

(Note: we have announced a webinar in Greek on Microsoft Azure, so that you can get trained from home. See more information here.)


The Azure AD product group recently announced some exciting new features. Here is a short list:

  • Enhanced flexibility for customizing login and registration experiences.
  • An updated portal experience so that features are more easily accessible.
  • New features that make it easy to use custom Open ID Connect (OIDC) identity providers in built-in policies.
  • New features for how custom OIDC providers work in custom policies to make configuration easier.
  • Azure AD B2C Language customization features are now Generally Available!

Let’s check them now.


What’s new in Public Preview and GA

Add custom OIDC identity providers in built-in policies: There is a new feature that enables you to use any OIDC identity provider right out of the box — a feature that used to be only available in custom policies. If you’re running a scenario in which you’re talking to multiple Azure AD tenants, you can now configure a single multi-tenant Azure AD provider with custom policies. This saves you from having a long list of identity providers and you no longer have to configure each tenant individually. This feature directs users to the right directory for authentication based on their email domain.

So you simply need to create a new identity provider and select the identity provider that you want to use.

  • Create a policy using ROPC flow: With this feature, your application will be able to gather user credentials in the context of a native mobile app without needing the user to interact with a web browser. The app will authenticate the user with Azure AD B2C via API.
  • B2Clogin.com: To better allow you to customize your login experience, we now have the b2clogin.com feature. With this feature, you can remove the ‘Microsoft’ from your app URL and use <your tenant name>.b2clogin.com instead.
  • New policy portal experience: Now when you are creating and editing a policy (or as we refer to it now, a user flow), we have a new experience that will streamline your tasks and reduce friction in using our features.
  • Language customization: This feature is now generally available! Microsoft provides support for 36 languages and for custom languages when you provide the translations for all the strings.

Thanks for your time!