Hey folks!

There was a very recent announcement about the new Azure Active Directory External Identities Licensing and in fact, it’s still in preview. This new announcement benefits most of the enterprise organizations that are using External Identities. Without explaining much about External Identities which you can anyways read here, let me get to the point right away

Azure Active Directory (Azure AD) External Identities is a cloud-based IAM solution that secures and manages customers and partners beyond your organizational boundaries. So, let’s see what’s changed

Before the licensing announcement

Before this licensing announcement B2B guest user licensing is automatically calculated and reported based on the 1:5 ratio for using P1/P2 features. Additionally, guest users can use free Azure AD features with no additional licensing requirements. Guest users have access to free Azure AD features even if you do not have any paid Azure AD licenses.

• Examples: Calculating guest user licenses:

  Once you determine how many guest users need to access your paid Azure AD services, make sure you have enough Azure AD paid licenses to cover guest users in the required 1:5 ratio. Here are some examples:
  

  • You want to invite 100 guest users to your Azure AD apps or services and provide access management and provisioning. For 50 of those guest users, you also want to require MFA and Conditional Access, so for those features, you will need 10 Azure AD Premium P1 licenses. If you plan to use Identity Protection features with your guest users, you will need Azure AD Premium P2 licenses in the same 1:5 ratio to cover the guest users.
    
  • You want to invite 60 guest users who all require MFA, so you must have at least 12 Azure AD Premium P1 licenses. You have 10 employees with Azure AD Premium P1 licenses, which would allow up to 50 guest users under the 1:5 licensing ratio. You will need to purchase two additional Premium P1 licenses to cover 10 additional guest users.
    

After the licensing announcement:

After the licensing announcement, you will now be able to use the first 50,000 Guest users with Azure AD P1/P2 features without purchasing any additional licenses. This would mean that the first 50,000 Guest Users will be able to use your P1/P2 features like MFA, Conditional Access & Identity Protection. You will be charged only after you cross 50,000 MAUs which you can see here

Few more important points to take note of

• This billing model applies to both Azure AD guest user collaboration (B2B) and Azure AD B2C tenants
  
• Azure Active Directory (Azure AD) External Identities pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month
  
• You will have to link your Azure AD Tenant to a subscription to get started. After you complete these steps, your Azure subscription is billed based on your Azure Direct or Enterprise Agreement details, if applicable.
  

Hope this article helps you understand the new licensing model for External Identities. This is a very important step taken by Microsoft to encourage customers to use more external collaboration scenarios with Azure AD

Fahad, Founder & CEO, kloudynet Technologies

LinkedIn: https://www.linkedin.com/in/fashaik/

Microsoft Gold Partner and Experts in Azure | Cybersecurity & Governance | Intelligent Automation

Azure Sentinel is a cloud-native Security Incident and Event Management (SIEM) solution built to provide security analysts with a powerful tool to detect and respond to cyberattacks. Azure Sentinel also contains a Security Orchestration and Automated Response (SOAR) capability. But before we answer why “Azure Sentinel” its important to understand the current Threat landscape and challenges organizations are facing

Current Threat Landscape:

NotPetya is seen as one of the worlds most sophisticated and disruptive cyberattacks that began in Europe in June 2017. NotPetya was meant for pure destruction, and although it pretended not to be a ransomware, there was no chance for the victim to restore the infected machines because the data was made indecipherable with encryption.

The component of NotPetya that made it so lethal was that it contained multiple lateral movement techniques to spread quickly following the initial infection. According to an assessment, the total financial damage from NotPetya attacks totaled $10 billion!

Furthermore, statistics say

• 86{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of all breaches are financially motivated, where threat actors are after company financial data, intellectual property, health records, and customer identities that can be sold fast on the Dark Web.
• 70{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches are perpetrated by external actors, making endpoint security a high priority in any cybersecurity strategy.
• 55{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches originate from organized crime groups.
• Attacks on Web apps accessed from endpoints were part of 43{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches, more than double the results from last year.

Source: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

Security Challenges for SecOps:

For most organizations, the Security Operations Team (SOC) is the central hub responsible for identifying and responding to cybersecurity threats. Mitre (attack.mitre.org) defines the SOC as “a team primarily composed of security analysis organized to detect, analyze, respond to, report on, and prevent cyber security incidents. The commonly found pattern would include

Tier 1 – High Speed Remediation

Tier 2 – Advanced Analysis, Investigation, and Remediation

Tier 3 – Proactive Hunting and Advanced Forensics

Microsoft today has adopted the fusion center model for cyber defense operations known as Cyber Defense Operations Center (CDOC)

Resource Challenges:

Staffing shortages have hit Security Operations Center especially hard for a few reasons

• SOCs run operations 24X7X365 and therefore require heavy investments in security personnel
• Security analysts require unique set of knowledge and skills that are difficult to find
  • Understanding of common attacker techniques
  • Have strong intuition
  • Have a desire to dig into the details and volumes of alerts and logs
  • Be driven to continuously learn

With these challenges CISOs and SOC leaders are looking for solutions that make their analysts more efficient; reduce the volume of mundane, manual tasks; and provide robust automation and orchestration capabilities

Security Data Challenges

Security teams are drowning in the volumes of data generated by the digital assets they are required to protect. IIOT devices, smart sensors, BYOD, and other devices which are connected

• Security teams are often required to forgo connecting data sources because of the costs associated with scaling out their SIEMs
• Search and correlation engines cannot not handle large volumes of data and analysts’ queries
• Static correlation rules often miss anomalies that indicated that an attacked has successfully infiltrated the system
• Typical, early SIEM systems were not built on machine-learning models to help identify such anomalies
• Hiring so many data scientists to build, test and deploy their own models is expensive and hard
• Many SIEM deployments are done with a “deploy and forget mentality”. This results in analytics working on a higher number of false positives that strains personnel and makes identifying the true, high-value events difficult.

Azure Sentinel: Cloud-native SIEM

Azure Sentinel has been engineered to address the SecOps challenges identified earlier in this article

• Automatic scaling up to meet the data and storage requirements for enterprises of any size. All the log data for Azure Sentinel is stored in an Azure Log Analytics Workspace
• Integrating directly with the Microsoft Threat Intelligent Security Graph to help increase the likelihood of detecting advanced threats by leveraging Microsofts and its partners intelligence
• Integrating endpoint protection logs for early detection. Securing endpoint is the future of cybersecurity based on the data provided early in the article
• Reducing the need for human intervention by leveraging an open and flexible automation capability for investigating and responding to alerts
• Including the advanced anomaly detection using Microsofts machine learning algorithms (FUSION)
• Providing dashboards and user interfaces that are intuitive to analysts and built to streamline the typical operations within an SOC

Azure Sentinel: Core Capabilities

Azure sentinel provides security teams with unprecedented visibility into their digital estates

• Data collection and storage across all users, devices, applications, and infrastructure – whether on-premise or in the cloud
• Threat detection that leverages Microsofts analytics and threat intelligence
• Investigation of threats by hunting for suspicious activities at scale
• Rapid response to incidents by leveraging built-in orchestration and automation of common tasks

Azure Sentinel: Components

The below diagram shows the major components of Azure Sentinel

• Analytics: Analytics enables you to create custom alerts using Kusto Query Language (KQL). You can further take actions on these alerts by attaching the analytics to playbooks. Playbooks are created using Azure Logic Apps

• Cases: Also called as incident, is an aggregation of all the relevant evidence for a specific investigation. It can contain one or multiple alerts, which are based on analytics that you define

• Hunting: This is a powerful tool for investigators and security analysts who need to proactively look for security threats. The searching capability is powered by Kusto Query Language

• Notebooks: By integrating Jupyter Notebooks, Azure Sentinel extends the scope of what you can do with the data that was collected. One of the major reasons for using Jupyter Notebooks is the complexity of what you are trying to do with Azure Sentinels built-in tools becomes high
  • When the number of queries in your investigation chain goes high
  • Doing complex KQL query gymnastics to integrate some external data or extract some specific entity type from data

Most of Azure Sentinels Jupyter Notebooks heavily depend on msticpy Python package which is developed by Microsofts Threat Intelligence Center

• Data Connectors: Built-in connectors are available to facilitate data ingestion from Microsoft and partner solutions. Below is a list of some of the Microsoft and non-Microsoft connectors with Azure Sentinel. Note that this is not an exhaustive list of the built-in connectors
  • Amazon Web Services
  • Azure Active Directory
  • Azure Active Directory Identity Protection
  • Azure Activity
  • Azure Advanced Threat Protection
  • Azure Information Protection
  • Azure Security Center
  • Azure Security Center for IoT
  • Barracuda CloudGen Firewall
  • Barracuda Web Application Firewall
  • Check Point
  • Cisco ASA
  • Citrix Analytics (Security)
  • CyberArk (Coming soon….)
  • DNS
  • F5 BIG-IP
  • F5 Networks
  • Fortinet
  • Microsoft Cloud App Security
  • Microsoft Defender Advanced Threat Protection​
  • Microsoft web application firewall (WAF)
  • Office 365
  • Palo Alto Networks
  • Security Events
  • Threat Intelligence Platforms
  • Threat intelligence – TAXII
  • Trend Micro
  • Windows Firewall
  • Zimperium Mobile Threat Defense
  • Zscaler

If an external solution is not on data connector list, but your appliance supports saving logs as a Syslog Common Event Format (CEF), the integration with Azure Sentinel is available via CEF connector. If CEF support is not available on your appliance, but it supports calls to REST API, you can use HTTP Data Collector API to send log data to the workspace on which Azure Sentinel is enabled.

• Playbooks: A playbook is a collection of procedures that can be automatically executed upon an alert triggered by Azure Sentinel. Playbooks leverage Azure Logic Apps, which help you automate and orchestrate tasks/workflows.

• Workspace: A log Analytics workspace is a container that includes data and configuration information. Azure sentinel uses this container to store data that you collect from the different data sources.

Conclusion:

Utilizing a cloud-native SIEM will definitely reduce the integration costs and free up resources.

Ease of integration with telemetry data is the key to any SIEM success. Azure Sentinel offers a resilient and a straightforward way to connect data sources, without the need to any have server or storage infrastructure and going 100{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} serverless.

With just a few clicks you can connect Sentinel to O365, Azure AD or Azure Activities and start receiving alerts immediately and get populated on the dashboards in minutes.

Now month-long projects on integration of O365 with legacy SIEM can be implemented in a day by onboarding to Azure Sentinel. Helps specially if customers are struggling with such integration of detection use cases to address auditors concerns.

All this is also true not only for collecting data from Microsoft sources. However Azure Sentinel AWS CloudTrial connector, which is based on serverless Cloud-To-Cloud connection, provides the same benefits.

Hope this write up gives a birds eye view of what Azure Sentinel is, its core capabilities & benefits and why enterprises should be looking at Azure Sentinel as their next SOAR and SIEM solution.

Fahad, Founder & CEO, kloudynet Technologies

Microsoft Gold Partner and Experts in Azure | Cybersecurity & Governance | Intelligent Automation

• How can I control the costs associated with non-Production resources left running on Azure?
• How can I have ‘always-on’ visibility to my Azure spends?
• How can we ensure our deployments meet Azure security best practices, and how can we protect our Production workloads? How can I ensure ours or customers data on Azure is safe?
• How can we ensure a controlled deployment of resources on Azure? Resources are deployed with an approval process. And only approved resources are allowed to be deployed
• How can I reduce my time to deploy resources on Azure?
• How can I ensure that the right people have the right access to my Azure resources?
• “I’m concerned about data sovereignty; how can I ensure that my data and systems meet our regulatory requirements?”

On the Cloud (Azure in this case) the cost meter is “always-on”. Hence its important that only the required resources are always running and deployed on Azure. Cost is not the only concern for organizations who either are already running their workloads or are looking to move their workloads to Azure. The Microsoft Cloud Adoption Framework encourages organizations to take a more holistic approach and look at Cloud Governance to ensure a well-managed cloud. The five disciplines of Cloud Governance are Cost Management, Security Baseline, Resource Consistency, Identity Baseline and Deployment Acceleration

You can read more about Microsoft CAF here

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/

Our new product kloudsifu addresses the above cloud concerns aligning to Cloud Governance though the Microsoft Cloud Adoption Framework

The framework kloudsifu follows is as below

kloudsifu is a web platform which seamlessly integrates with your Azure environment and helps organizations enforce governance, limit cloud spends, and enhance security by using approval workflows and automated deployments. kloudsifu uses the Azure native blueprints and policies to ensure a cost controlled and compliant deployment even before any resources are deployed on Azure.

Below are a few benefits but not limited to we give our customers who are using kloudsifu to deploy Azure resources

–     All the deployments in Azure are controlled by approval workflows even before they are deployed. Saves cost by restricting only required resources to be deployed in the cloud environment

–     Integration with Azure Cost Management to apply advanced features like deployment not exceeding a specific budget limit

–     Auto removal of any dev/test deployments once the resources are not required, saving costs

–     100{242c517669925a073d705e22a169fb98ddbf0859d961064402a4c1a034274d1e} compliant deployments on Dev/Test and production environments with mandatory policies and security settings

–     All deployments use resource consistency so they can be easily managed, discoverable and enables repeatable deployments

–     Faster deployments to the cloud with automated processes

–     IT teams can focus on more important tasks while kloudsifu takes care of secure Azure deployment

–     All deployed resources are appropriately tagged for other reporting or chargeback purposes

–     Full visibility on who, when, why, for how long and at what cost on all resources in the environment

–     Deployments to a single or multiple Azure environment using the same deployment blueprints

The roadmap for kloudsifu is super exciting and we promise to deliver new features fast to help customers better manage their cloud costs, security and governance

Do reach out at sales@kloudynet.com for a demo and know more

Fahad, CEO, kloudynet Technologies

Moving passwordless using Windows Hello for Business is the most secured way forward and end this drama. Password-less authentications is convenient for users as well as secured.

However, there are some considerations before password-less authentication is deployed into the organizations where the devices are joined to on-premise Active directory. Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: Key trust or certificate trust. Below are the ways WHFB password-less can be deployed

• Hybrid Azure AD Joined Key Trust Deployment (Devices which are joined to on-premise AD as well as Azure AD)
• Hybrid Azure AD Joined Certificate Trust Deployment (Devices which are joined to on-premise AD as well as Azure AD)
• Azure AD Join Single Sign-on Deployment Guides (Devices which are only joined to Azure AD)
• On Premises Key Trust Deployment (Devices which are only joined to on-premise AD)
• On Premises Certificate Trust Deployment (Devices which are only joined to on-premise AD)

Hybrid Azure AD joined Key Trust Deployment is the most common trust model deployed which we will be discussing further in this article. If you want to know more about all the deployment methods and trust model, please go through the document here

However, there are some critical pre-requisites and considerations before you deploy Windows Hello for Business using Hybrid Azure AD joined Key Trust

• Hybrid Windows Hello for business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.
• The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2
• A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
• Key trust deployment needs adequate number of Windows Server 2016 domain controllers in each site where users authenticate using Windows Hello for business.

NOTE: Windows Hello for Business Key Trust based password-less will work even if you have a single Windows Server 2016 Domain Controller deployed in the entire domain. However, that would not be enough to take the authentication traffic if the numbers of users are high and a thorough sizing exercise is required.

NOTE: If you have limitations to have any Windows Server 2016 domain controllers, you can fall back to using Windows Hello for Business Certificate Trust based deployment

• The devices that will be enabled for password-less should be hybrid domain joined. For that to happen the devices should be synced to Azure AD via AD Connect

NOTE: To configure Azure AD connect for Hybrid AD join you can refer to the article here

• The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. To know more details on the certificate requirements refer to the article here
• Your Windows 10 devices should be enrolled to Intune. If the windows 10 devices are already managed by SCCM you will have to setup co-management. Co-management requires Configuration Manager version 1710 or later.

NOTE: You can still move to Intune standalone if you are not in a position to upgrade your SCCM to 1710 or later. The pros and cons of moving your devices to Intune standalone calls for a separate blog on its own.

Users will still need to fall back to passwords in a few scenarios. Like in cases the users forget their Windows Hello PIN and want to reset or they want to access other AD integrated applications in the environment. To eliminate the usage of passwords below are some of the steps to be taken:

o   Set all the users to password never expires. Password changes do more harm than good anyways. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.

Microsoft recommends to set all users to Password never expires and use conditional access instead!

o   User should use Self Service Password Resets in case they want to fall back to passwords. In this way the users can still reset their passwords in case they forget them without calling the IT or help desk. Ensure you have password write back enabled in the environment.

o   All the applications should move to SSO so there is less or no usage of passwords. They may still need to use passwords for applications accessed from a non-corporate device.

o   Put strong conditional access policies and MFA for accessing corporate applications.

Hope this helps summarize deploying Windows Hello for Business password-less authentication using Key Trust model.

If you still have questions on Windows Hello for Business, you can refer to the FAQ or reach out to me.

Fahad, Founder and CEO, kloudynet

https://techcommunity.microsoft.com/t5/Microsoft-Kaizala-Blog/Microsoft-Kaizala-rolls-out-to-Office-365-customers-globally-and/ba-p/394298

On the field this brings in a lot of discussions with customers on Microsoft Kaizala and Teams.

Have you wondered why Microsoft introduced Kaizala when Teams already exists? Why should your organization be using Kaizala since you are already on Teams? What are the differences between the two, and when should we use what?

Read on as we clarify:

Microsoft Kaizala:

• Best alternative for WHATSAPP for organizations. Much secured and centralized administration
• Kaizala secures users that are outside the organizations directory or have any Azure Active Directory guest accounts. This enables users being added to your organizational groups even with just their mobile phones numbers. Typical users would be remote field workers only having a mobile phone with an internet connection
• Flexible group types: hub and spoke, hierarchical and public groups.
• Scales up to millions of users in a group. Typical use case is a public group that allows millions of users to join.
• Easy onboarding of users with phone numbers.
• Built-in action cards for surveys, polls and announcements, jobs, training and tasks
• Offline access, low latency, optimized for slow networks
• Simple business user deployment, admin and reporting

Customer scenarios for Kaizala:

Manage tasks and automation workflows that span outside the organization Eg: Toll booth maintenance check by remote workers in far fetched locations

Cater to scenarios where there is high turn-over of a workforce. Example a taxi drivers group where the drivers keep changing taxi companies they drive for

Phone number as a primary identity. No email address required. For users who don’t have an email address and just a mobile phone with a number

Offline scenarios like flights crews and remote locations

Simple, fast, business-led deployment and administration

Microsoft Teams:

• Teams is a hub for teamwork.
• Deep integration with office 365 – SPO, Groups, Office Apps, Microsoft Flow, Graph API
• Advanced collab & communications: Intelligent meetings, enterprise voice
• Managing shifts and task management
• Advanced IT administration

Customer scenarios for Teams:

• Digital workspace for teams across the organization, and external guests (mobile + desktop).
• In-depth communication within an organization and with federated partners
• Firstline environments with need for deep Office integration or shift management
• Purpose-built vertical solutions: e.g. Care coordination in healthcare
• Advanced IT administration

Real life scenario solved using Kaizala for a customer for Toll Plaza maintenance

• Manual Process:

1. Maintenance Team visits Toll plaza
2. Goes through the checklist and updates physical checklist
3. Checklist is then submitted to the office

• Automated process using Microsoft Kaizala:

1. Kaizala Custom Action Card is used to fill up the maintenance checklist. Card enforces to input location – to ensure technicians are at the locations during inspection
2. All information including pictures from inspection of the plazas uploaded onto SharePoint online using the same custom action card
3. Supervisor notified of Toll Inspection in real time via email
4. Productivity & efficiency of maintenance staff measured using time stamps on custom action card

Hope this helps guide you as to when you should be using Microsoft Kaizala over Microsoft Teams!

kloudynet Technologies is a High Potential Kaizala partner for Southeast Asia, and has worked on various scenarios customizing Kaizala for end users

– Fahad, Founder, kloudynet Technologies

sales@kloudynet.com